-
-
AuditScope live on Vercel — paste any Solidity contract, get a structured audit scope report in seconds.
-
Light mode ready. AuditScope works beautifully in both themes — small detail, real polish.
-
151 lines, 4725 chars — AuditScope handles full production contracts, not just toy examples.
-
-
Color-coded findings with exact attack paths, function names, and fixes. Plus a Modifier Map auditors actually use.
-
Full report — Key Variables, Audit Focus, Vulnerability Patterns. Specific reasoning, not boilerplate.
-
novus.pendo - previous interaction 2days after project deployment
-
Novus.Pendo - this shows full user interaction and novus integration
The Problem That Started This
Every time I enter a smart contract audit contest on Sherlock or Code4rena, the first 30–60 minutes are the same: manually reading through the contract, mapping every external function, listing modifiers, identifying state variables, and building a mental model of the attack surface — before I've even started looking for bugs.
That work is necessary. But it's repetitive, time-consuming, and doesn't require creativity. It's exactly the kind of work AI should handle.
AuditScope was born from that frustration.
What It Does
Paste any Solidity smart contract. AuditScope returns a structured audit scope report in seconds:
- Contract Summary — what the contract does, who the key actors are
- Attack Surface — every external/public function with its exact modifiers
- Modifier Map — a side-by-side comparison that makes missing guards instantly visible
- Risk Areas — specific findings with attack paths and recommendations
- Key Variables — critical state to watch during the audit
- Suggested Audit Focus — top priorities for a human auditor
- Vulnerability Pattern Checklist — 13 known patterns checked against the actual logic
How I Built It
- Frontend: Next.js + Tailwind CSS — dark theme, clean, professional
- AI Backend: Gemini 2.0 Flash (Google AI Studio) — 1M token context, handles any contract size
- Analytics: Novus.ai — auto-instrumented from the codebase, zero manual tagging
- Deploy: Vercel — public URL, live from day one
The core innovation isn't the UI — it's the reasoning prompt. I engineered a multi-step internal reasoning process that forces the model to:
- Build a modifier map for every function
- Trace the state machine for desync bugs
- Verify CEI pattern before flagging reentrancy
- Follow asset flows end to end
- Check boundary conditions on all inputs
- Compare modifiers across functionally similar functions
This catches real bugs — not generic security advice.
The Hardest Challenge
Getting the AI to reason specifically rather than generically.
Early versions would say things like "reentrancy is possible because external calls exist" — which is useless. The contract might follow CEI perfectly and have zero reentrancy risk. Generic output wastes an auditor's time and destroys trust in the tool.
The breakthrough was forcing the model to check CEI before flagging reentrancy, and
to compare modifier lists across similar functions before writing findings. That
single change went from boilerplate output to catching a real medium-severity bug in
a test Escrow contract: refundBuyer() missing the noDispute modifier that
releaseFunds() correctly had.
What I Learned
- Prompt engineering for security reasoning is a discipline of its own
- The modifier map is more valuable than the risk list — it gives auditors the raw data to think with
- Shipping a stateless, single-purpose tool is the right scope for a hackathon
- Novus auto-instrumented my entire product from the GitHub repo with zero setup — that's genuinely impressive
What's Next
- Cairo/Starknet contract support
- Rust/Soroban support for Stellar ecosystem
- Side-by-side diff view for comparing two contract versions
- Export to PDF for contest submission prep
Built With
- gemini-2.0-flash
- google-ai-studio
- next.js
- novus.ai
- tailwind-css
- typescript
- vercel
Log in or sign up for Devpost to join the conversation.