Inspiration
We kept seeing the same headline over and over: millions lost to one smart contract bug. Then we dug into TON specifically and found that nearly 15,000 vulnerabilities had been reported across a relatively small number of contracts. At the same time, audits cost tens of thousands of dollars and take weeks, a timeline that kills momentum for hackathon builders and startups.
That combination of billions at risk, a fast-growing ecosystem integrated with Telegram, and a lack of accessible security tooling for TON made the problem feel too loud to ignore. CryptoSecure started as a simple question: what if every TON developer could get an audit-style security check in under a minute, for free?
What it does
CryptoSecure is an AI-powered security scanner and auto-fixer for TON smart contracts.
You paste or upload a FunC or Tact contract, click Analyze, and in seconds you get:
- Security Score & Grade: An immediate A to F rating based on industry baselines.
- Vulnerability Detection: A prioritized list of issues (Critical to Informational) covering re-entrancy, access control, and TON-specific edge cases.
- Auto Fix Engine: We do not just find bugs, we generate a fully patched version of your contract.
- Interactive Diff Viewer: A side by side comparison tool that lets you visualize exactly what lines need to change and why.
- Professional Reports: One click export of a comprehensive PDF audit report.
In short, it takes you from “I hope this is safe” to “I know where the risks are and how to fix them” without needing a security PhD.
How we built it
We built an analysis pipeline that combines fast code preprocessing with the reasoning depth of LLMs.
Code Parsing & Normalization
We built a custom engine that parses FunC and Tact code structure using lightweight heuristics. It extracts functions, variables, and message handling logic into a structured view so the AI sees the contract as a well organized program, not just a wall of text.
AI Powered Reasoning
For complex logic flaws, we pass the structured code to a Large Language Model. We architected a flexible provider system that supports Claude Sonnet, OpenAI GPT-4o, and Google Gemini. We currently default to Claude Sonnet 4 (via Anthropic) for its strong ability to reason about code context and control flow.
Frontend Visuals
The UI is built with Next.js 15 and Tailwind CSS. The crown jewel is our custom CodeDiffViewer component, which parses the raw code and the engine generated patch to render a git style difference view, making it trivial for developers to verify fixes.
Challenges we ran into
Balancing Hallucinations vs. Insight
Early AI prompts would sometimes "invent" vulnerabilities in perfectly safe code. We reduced this by tightening the prompt, validating outputs against the original source, and adding sanity checks so only grounded, reproducible issues make it into the final report.
The "Patched Code" Consistency
Getting an LLM to rewrite a contract without breaking indentation or deleting unrelated comments was difficult. We had to refine our prompting strategy to ensure the model returns the entire fixed contract, which we then diff against the original to highlight changes accurately.
TON Specifics
Generic security rules do not apply here. We had to dive deep into TON documentation to reason about things like bounced messages (flags & 1) and cell parsing limits, which do not exist in EVM chains.
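As an added example (not CryptoSecure's own code), here is a lightweight heuristic in TypeScript of the kind the parsing step and the TON specifics above describe: it locates the recv_internal handler in FunC source and reports whether its body tests the bounced bit (flags & 1) before acting on the message. The function names and the FunC samples are constructed for this example.

```typescript
// Added example, not CryptoSecure's code: a lightweight heuristic in the
// spirit of the preprocessing step above. It finds the recv_internal handler
// in FunC source and reports whether its body tests the bounced bit
// (flags & 1) of the message header. Names and FunC samples are constructed.

// Drop ;; line comments and {- -} block comments so a commented-out check
// is not mistaken for a live one.
function stripComments(src: string): string {
  return src.replace(/\{-[\s\S]*?-\}/g, "").replace(/;;.*$/gm, "");
}

// Return the brace-delimited body of recv_internal, or null if absent.
function recvInternalBody(src: string): string | null {
  const m = /\brecv_internal\s*\([^)]*\)[^{]*\{/.exec(src);
  if (!m) return null;
  const start = m.index + m[0].length;
  let depth = 1;
  let i = start;
  while (i < src.length && depth > 0) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") depth--;
    i++;
  }
  return src.slice(start, i - 1);
}

// "ok" = bounced bit tested; "missing" = handler never tests flags & 1;
// "none" = no recv_internal handler found.
function checkBouncedHandling(funcSource: string): "ok" | "missing" | "none" {
  const body = recvInternalBody(stripComments(funcSource));
  if (body === null) return "none";
  // The bounced flag is the low bit of the 4-bit flags field loaded from
  // in_msg_full; the heuristic accepts any `<ident> & 1` expression.
  return /\b\w+\s*&\s*1\b/.test(body) ? "ok" : "missing";
}

// Constructed FunC samples (not real contracts).
const SAFE_FUNC = `
() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
  slice cs = in_msg_full.begin_parse();
  int flags = cs~load_uint(4);
  if (flags & 1) { return (); } ;; ignore bounced messages
  int op = in_msg_body~load_uint(32);
}`;
const UNSAFE_FUNC = `
() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
  {- if (flags & 1) { return (); } -}
  int op = in_msg_body~load_uint(32);
}`;
```

A real pipeline would also need the Tact form of the same check (a bounced receiver), which this heuristic does not cover.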
Accomplishments that we are proud of
- The "Magic Fix" Experience: Seeing the Diff Viewer light up with green (added security checks) and red (removed vulnerabilities) side by side is incredibly satisfying.
- Multi Language Support: Successfully parsing and analyzing both FunC and Tact contracts in the same pipeline.
- Real Time Feedback: Optimizing the API route (/api/analyze) to handle the analysis pipeline, preprocessing, AI request, and response processing fast enough to feel interactive.
- Zero Config Audit: Building a tool that requires no setup, no config files, and no CLI knowledge. Just paste and scan.
What we learned
- Context is King: AI shines when you give it structure. By pre-processing the contract to extract function maps and variable definitions before sending it to the LLM, we got significantly better results than just dumping raw text.
- Visuals Matter: Security findings are dense. Presenting them as a Diff rather than a text list completely changed how users perceived the value of the tool. It turned a report into a solution.
- TON is Unique: The asynchronous nature of TON actors requires a completely different mindset for security than Ethereum's synchronous calls. We learned that secure on other chains often means broken on TON, and vice versa.
What is next for CryptoSecure
- IDE Extension: Bringing this engine directly into VS Code so checks happen on save.
- Custom Rule Engine: Allowing teams to define their own organizational security policies (for example, always require multi-sig for withdrawals).
- CI/CD Integration: A GitHub Action to block PRs that introduce Critical vulnerabilities.
- Deeper Formal Verification: Integrating a true formal verification backend for mathematically proving safety properties beyond heuristic analysis.
Built With
- crypto
- nextjs
- openai
- ton
- typescript
- vercel