{"id":50834340,"url":"https://github.com/friendlygeorge/base-scanner","last_synced_at":"2026-06-14T02:11:11.747Z","repository":{"id":362882613,"uuid":"1261118380","full_name":"friendlygeorge/base-scanner","owner":"friendlygeorge","description":"Lightweight on-chain security scanner for Base chain smart contracts — 15 pattern-based checks, no API key required","archived":false,"fork":false,"pushed_at":"2026-06-06T10:12:29.000Z","size":11,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-06T12:09:48.660Z","etag":null,"topics":["audit","base","ethereum","python","scanner","security","smart-contracts","solidity","web3"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/friendlygeorge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-06T09:01:42.000Z","updated_at":"2026-06-06T11:04:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/friendlygeorge/base-scanner","commit_stats":null,"previous_names":["friendlygeorge/base-scanner"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/friendlygeorge/base-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friendlygeorge%2Fbase-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friendlygeorge%2Fbase-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friendlygeorge%2Fbase-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friendlygeorge%2Fbase-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/friendlygeorge","download_url":"https://codeload.github.com/friendlygeorge/base-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/friendlygeorge%2Fbase-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34306816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","base","ethereum","python","scanner","security","smart-contracts","solidity","web3"],"created_at":"2026-06-14T02:11:10.509Z","updated_at":"2026-06-14T02:11:11.733Z","avatar_url":"https://github.com/friendlygeorge.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# base-scanner\n\nA lightweight on-chain security scanner for Base chain smart contracts. Fetches verified source code from Sourcify, runs pattern-based security analysis, and generates human-readable reports.\n\n![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)\n![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)\n\n## Features\n\n- **No API key required** — uses Sourcify (free) for source code verification\n- **15 security checks** covering the most common vulnerability patterns\n- **Clean markdown reports** with severity ratings and evidence\n- **JSON output** for programmatic use\n- **Multi-chain ready** — works on Base (default) and any EVM chain supported by Sourcify\n\n## GitHub Actions\n\nUse base-scanner as a GitHub Action to automatically scan contracts in your CI pipeline.\n\n### Manual trigger (scan a specific contract)\n\n```yaml\n- uses: friendlygeorge/base-scanner@main\n  with:\n    contract_address: '0xA238Dd80C259a72e81d7e4664a9801593F98d1c5'\n    chain: 'base'\n    min_severity: 'low'\n    output_format: 'markdown'\n```\n\n### In your workflow\n\n```yaml\nname: Security Scan\non:\n  workflow_dispatch:\n    inputs:\n      contract_address:\n        description: 'Contract to scan'\n        required: true\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: friendlygeorge/base-scanner@main\n        with:\n          contract_address: ${{ github.event.inputs.contract_address }}\n          chain: 'base'\n          min_severity: 'low'\n      - uses: actions/upload-artifact@v4\n        with:\n          name: scan-report\n          path: scan-report.*\n```\n\n### Available inputs\n\n| Input | Required | Default | Description |\n|-------|----------|---------|-------------|\n| `contract_address` | Yes | — | Contract address to scan |\n| `chain` | No | `base` | Chain (base, ethereum, optimism, arbitrum, polygon) |\n| `min_severity` | No | `low` | Minimum severity to report (info, low, medium, high) |\n| `output_format` | No | `markdown` | Output format (markdown, json) |\n\n## Security Checks\n\n| Check | Severity | What it detects |\n|-------|----------|-----------------|\n| Reentrancy | MEDIUM | External calls followed by state changes without guards |\n| Access Control | HIGH | Admin functions without access control patterns |\n| Unchecked Calls | LOW | Low-level calls without return value checks |\n| tx.origin | MEDIUM | Use of tx.origin for authorization |\n| Selfdestruct | MEDIUM | Contract can be destroyed |\n| Delegatecall | HIGH/INFO | Delegatecall usage (high if user-controlled) |\n| Timestamp Dependence | LOW | Heavy block.timestamp usage |\n| Integer Overflow | MEDIUM | Missing SafeMath on pre-0.8.0 compilers |\n| Flash Loan | INFO | Oracles used with deposit/swap functions |\n| Oracle Manipulation | INFO | Single-block price reads |\n| Upgradeable | MEDIUM/INFO | Proxy patterns (medium without timelock) |\n| Centralization | LOW | Single owner without multisig |\n| Missing Events | INFO | State changes without event emissions |\n| Gas Griefing | MEDIUM | Unbounded loops over dynamic arrays |\n| First Deposit | MEDIUM | ERC-4626 vault without inflation protection |\n\n## Installation\n\n```bash\npip install .\n```\n\nOr install from source:\n\n```bash\ngit clone https://github.com/friendlygeorge/base-scanner\ncd base-scanner\npip install -e .\n```\n\n## Usage\n\n### CLI\n\n```bash\n# Scan a contract on Base (default)\nbase-scanner 0xA238Dd80C259a72e81d7e4664a9801593F98d1c5\n\n# Output as JSON\nbase-scanner 0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 --json\n\n# Save report to file\nbase-scanner 0xA238Dd80C259a72e81d7e4664a9801593F98d1c5 -o report.md\n\n# Scan on a different chain\nbase-scanner 0x... --chain-id 1  # Ethereum mainnet\n```\n\n### Python\n\n```python\nfrom base_scanner import SecurityScanner\n\nscanner = SecurityScanner(\"0xA238Dd80C259a72e81d7e4664a9801593F98d1c5\")\nresult = scanner.scan()\n\nprint(f\"Found {result['summary']['total']} findings\")\nprint(f\"  High: {result['summary']['high']}\")\nprint(f\"  Medium: {result['summary']['medium']}\")\nprint(f\"  Low: {result['summary']['low']}\")\n```\n\n## Output Format\n\n### Markdown (default)\n\n```markdown\n# Security Scan Report\n\n**Contract:** USDC (0xA238Dd80C259a72e81d7e4664a9801593F98d1c5)\n**Compiler:** ^0.8.17\n**Scan Time:** 2026-06-06T12:00:00+00:00\n\n## Summary\n\n| Severity | Count |\n|----------|-------|\n| 🔴 Critical | 0 |\n| 🟠 High | 0 |\n| 🟡 Medium | 1 |\n| 🔵 Low | 2 |\n| ⚪ Info | 3 |\n| **Total** | **6** |\n```\n\n### JSON\n\n```json\n{\n  \"address\": \"0xa238dd80c259a72e81d7e4664a9801593f98d1c5\",\n  \"contract_name\": \"USDC\",\n  \"compiler\": \"^0.8.17\",\n  \"chain_id\": 8453,\n  \"summary\": {\n    \"total\": 6,\n    \"critical\": 0,\n    \"high\": 0,\n    \"medium\": 1,\n    \"low\": 2,\n    \"info\": 3\n  },\n  \"findings\": [...]\n}\n```\n\n## How It Works\n\n1. **Bytecode check** — Verifies the address has deployed code\n2. **Source fetch** — Pulls verified source from Sourcify (free, no API key)\n3. **Pattern analysis** — Runs 15 regex-based security checks against the source\n4. **Report generation** — Outputs findings sorted by severity\n\n## Limitations\n\n- **Pattern-based only** — This is not a formal verification tool or a substitute for manual audit\n- **Source-dependent** — Only works on verified contracts\n- **No economic analysis** — Does not check for MEV, oracle manipulation economics, or complex DeFi attack vectors\n- **Regex false positives** — Some findings may be false positives; always review manually\n\nFor comprehensive security analysis, use tools like [Slither](https://github.com/crytic/slither), [Mythril](https://github.com/ConsenSys/mythril), or hire a professional auditor.\n\n## Requirements\n\n- Python 3.9+\n- `requests`\n- `web3`\n\n## License\n\nMIT\n\n## Contributing\n\nContributions welcome! Open an issue or PR at [github.com/friendlygeorge/base-scanner](https://github.com/friendlygeorge/base-scanner).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriendlygeorge%2Fbase-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffriendlygeorge%2Fbase-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriendlygeorge%2Fbase-scanner/lists"}