Smart Contract Security Analyzer
FreeNot checkedAn MCP server that statically audits Solidity smart contracts for common vulnerabilities like reentrancy and access control, enabling developers to identify and
About
An MCP server that statically audits Solidity smart contracts for common vulnerabilities like reentrancy and access control, enabling developers to identify and fix security issues via natural language.
README
A production-ready Model-Context-Protocol (MCP) server that statically audits Solidity contracts for the seven classes of vulnerability most likely to drain your contract — reentrancy, access control, integer overflow, unchecked low-level calls, timestamp dependence, tx.origin authorization, and unprotected selfdestruct.
The server is built on Next.js 14 (App Router) and Vercel's mcp-handler, ships a marketing landing page, an interactive /demo playground, and a direct REST POST /api/analyze endpoint.
Features
- Four MCP tools:
analyze_contract,check_vulnerability,generate_audit_report,suggest_fix. - Seven AST-based detectors: pure TypeScript walking the
@solidity-parser/parserAST — no Python, no subprocess, no slither on Vercel. - Pragma-aware arithmetic detection: only flags overflow on
< 0.8.0contracts (or insideunchecked {}blocks on 0.8+). - Risk scoring with cap table: critical 25/cap 50, high 15/cap 30, medium 10/cap 20, low 5/cap 10; clamped 0–100.
- Markdown audit report generator: executive summary, findings table, detailed findings, recommendations.
- Interactive demo at
/demo: paste a contract, click "Analyze", see a liveRiskScoreand per-findingVulnerabilityCards. - Dark theme + purple accent (Tailwind) and copy-to-clipboard install instructions.
Vulnerability coverage
| ID | SWC | Detector | Severity | Reference |
|---|---|---|---|---|
| reentrancy | SWC-107 | External call before state write | critical | https://swcregistry.io/docs/SWC-107 |
| access_control | SWC-105 | Public state-mutating function with no msg.sender check |
high | https://swcregistry.io/docs/SWC-105 |
| integer_overflow | SWC-101 | Unsigned arithmetic in pre-0.8 or unchecked {} |
high | https://swcregistry.io/docs/SWC-101 |
| unchecked_calls | SWC-104 | Unwrapped low-level call return value | medium | https://swcregistry.io/docs/SWC-104 |
| timestamp_dependence | SWC-116 | block.timestamp in comparison or randomness |
low | https://swcregistry.io/docs/SWC-116 |
| tx_origin | SWC-115 | tx.origin used for authorization |
high | https://swcregistry.io/docs/SWC-115 |
| selfdestruct | SWC-106 | selfdestruct/suicide without access control |
critical | https://swcregistry.io/docs/SWC-106 |
Quick start (local development)
git clone https://github.com/your-org/smart-contract-mcp.git
cd smart-contract-mcp
npm install
npm run dev
Then open http://localhost:3000 for the landing page or http://localhost:3000/demo for the interactive playground.
Build & verify
npm run build # type-check + Next.js production build
npm run typecheck # tsc --noEmit
npm run lint # next lint
npm run validate-schemas # exercise the four MCP tool schemas
Install in Claude Desktop
Add the following to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):
{
"mcpServers": {
"smart-contract-mcp": {
"url": "https://smart-contract-mcp.vercel.app/api/mcp"
}
}
}
Restart Claude Desktop. You can now ask Claude to "audit this contract" or "check this function for reentrancy" and the four tools will be available.
Deploy to Vercel
- Push the repo to GitHub.
- Import it in Vercel — the default Next.js build command is correct.
- No environment variables are required.
The vercel.json in the repo pins the framework to nextjs; @solidity-parser/parser is declared in next.config.ts as an external server-component package so it is not bundled into the client.
API surface
MCP endpoint
GET /api/mcp— list tools + server info.POST /api/mcp— JSON-RPCtools/callinvocations.DELETE /api/mcp— session teardown.
Direct REST
POST /api/analyze—{ source_code, contract_name? }→AnalysisResultJSON.
Source layout
app/ # Next.js App Router (landing, /demo, /api/mcp, /api/analyze)
components/ # Hand-authored UI primitives (Button, Card, Badge, ...)
lib/ # Types, scoring, analyzers/*
scripts/ # smoke-mcp.mjs, validate-schemas.mjs, vulnerable-bank-payload.json
public/og.png # 1200x630 social card
License
MIT.
Installing Smart Contract Security Analyzer
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/uitkhoanna/smart-contract-mcpFAQ
Is Smart Contract Security Analyzer MCP free?
Yes, Smart Contract Security Analyzer MCP is free — one-click install via Unyly at no cost.
Does Smart Contract Security Analyzer need an API key?
No, Smart Contract Security Analyzer runs without API keys or environment variables.
Is Smart Contract Security Analyzer hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Smart Contract Security Analyzer in Claude Desktop, Claude Code or Cursor?
Open Smart Contract Security Analyzer on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Smart Contract Security Analyzer with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
