methodology
Every finding we report is a deterministic rule firing on a specific, verifiable piece of on-chain data. No ML, no opinion, no magic.
what we collect
For each scanned address, we pull:
- eth_getCode (Alchemy) — bytecode, size, SHA-256 hash.
- contract.getsourcecode (Etherscan) — source verification status, contract name, compiler version.
- contract.getcontractcreation (Etherscan) — deployer address, deploy tx.
- account.txlist (Etherscan) — deployer's first tx (for funding source) and recent activity (for deploys_count and activity_count).
Scan results are cached in our D1 database for 3600 seconds (1 hour).
rule table
| rule_id | points | severity | triggers when |
|---|---|---|---|
| deployer_funded_by_mixer | +35 | high | Deployer's first funding came from a known mixer address. |
| deployer_fresh_wallet | +15 | med | Deployer's first-ever tx was less than 30 days before scan time. |
| deployer_low_activity | +10 | med | Deployer has fewer than 10 transactions on record. |
| unverified_source | +20 | med | Contract is deployed but source isn't verified on Etherscan. |
| bytecode_high_similarity | +30 | high | MinHash Jaccard ≥ 0.85 to a known-exploit corpus entry. |
| bytecode_med_similarity | +15 | med | MinHash Jaccard between 0.70 and 0.85 to a known-exploit corpus entry. |
verdict thresholds
| risk_score | verdict |
|---|---|
| 0 – 19 | clean |
| 20 – 49 | caution |
| 50 – 74 | high_risk |
| 75 – 100 | do_not_interact |
bytecode similarity
We use MinHash with 128 permutations over 4-byte overlapping shingles of the raw bytecode. The hash family is h_i(x) = (a_i · x + b_i) mod (2³¹ − 1) with (a_i, b_i) pairs derived from a fixed seed, so signatures are reproducible across runs and across machines.
Our exploit corpus is seeded from the DeFiHackLabs repository — each entry's bytecode is fingerprinted at seed time. Contracts you scan are compared against every corpus entry; the highest Jaccard wins.
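The fingerprinting described above and the two similarity rules from the rule table, as an added Python example (not the endropy-scoring package's own code). It assumes a constructed seed and random bytes standing in for contract bytecode; the real seed and the DeFiHackLabs corpus are not reproduced here.

```python
import random

MOD = (1 << 31) - 1   # modulus from the page: 2^31 - 1
NUM_PERM = 128        # 128 permutations
SHINGLE_LEN = 4       # 4-byte overlapping shingles
SEED = 20240101       # constructed seed; the real package's seed is not given on the page
_rng = random.Random(SEED)
PARAMS = [(_rng.randrange(1, MOD), _rng.randrange(0, MOD)) for _ in range(NUM_PERM)]  # (a_i, b_i)

def shingles(code: bytes) -> set[int]:
    """Every overlapping 4-byte window of the raw bytecode, read as a 32-bit integer."""
    return {int.from_bytes(code[i:i + SHINGLE_LEN], "big")
            for i in range(len(code) - SHINGLE_LEN + 1)}

def minhash(code: bytes) -> list[int]:
    """Slot i is the minimum over shingles x of h_i(x) = (a_i * x + b_i) mod (2^31 - 1)."""
    xs = shingles(code)
    if not xs:                       # bytecode shorter than one shingle (e.g. empty code)
        return [MOD] * NUM_PERM
    return [min((a * x + b) % MOD for x in xs) for a, b in PARAMS]

def jaccard_estimate(sig_a: list[int], sig_b: list[int]) -> float:
    """The fraction of agreeing slots estimates the Jaccard index of the shingle sets."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)

def similarity_rules(scanned: bytes, corpus: dict[str, list[int]]) -> list[dict]:
    """Compare against every corpus signature; the highest Jaccard decides which rule fires."""
    sig = minhash(scanned)
    name, best = max(((n, jaccard_estimate(sig, s)) for n, s in corpus.items()),
                     key=lambda t: t[1])
    if best >= 0.85:
        return [{"rule_id": "bytecode_high_similarity", "points": 30, "severity": "high",
                 "match": name, "jaccard": round(best, 3)}]
    if best >= 0.70:
        return [{"rule_id": "bytecode_med_similarity", "points": 15, "severity": "med",
                 "match": name, "jaccard": round(best, 3)}]
    return []

# Constructed sample "bytecode" (random bytes, not real contracts) for a stand-alone run.
EXPLOIT_BYTECODE = random.Random(1).randbytes(600)
CORPUS = {"corpus_entry_1": minhash(EXPLOIT_BYTECODE)}   # fingerprinted once, at seed time
NEAR_COPY = bytes(b ^ 0xFF if i == 300 else b for i, b in enumerate(EXPLOIT_BYTECODE))
UNRELATED = random.Random(2).randbytes(600)

if __name__ == "__main__":
    print(similarity_rules(NEAR_COPY, CORPUS))   # bytecode_high_similarity fires
    print(similarity_rules(UNRELATED, CORPUS))   # [] (below the 0.70 floor)
```

Because the (a_i, b_i) pairs come from a fixed seed, a corpus signature computed on one machine compares correctly with a scan signature computed on another.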
what we don't do
- We don't audit Solidity source code. Source-pattern scanning is a future feature.
- We don't score governance, economic design, or admin key distribution.
- We don't flag contracts for being "scammy-looking". Every point requires a specific rule firing on specific data.
- We don't score non-Ethereum chains yet.
open source
The scoring engine is an MIT-licensed package (endropy-scoring) inside our repo. Rule weights, bytecode hashing, and verdict thresholds live in that one package. If you disagree with a rule, open an issue or read SCORING.md.
disclaimers
endropy is data, not advice. A clean verdict is not a recommendation to use a contract; a do-not-interact verdict is not a claim that the contract is malicious. Do your own research.
for developers
The /v1/scan/:address endpoint is free and open for programmatic use. Anonymous calls are rate-limited to 50 per IP per day. Sign in for 100 per day per user.
The full scan JSON schema is public. Integrate endropy into wallets, bots, dashboards, browser extensions — anywhere explainable contract risk scoring is useful.
Example:

```bash
curl https://api.endropy.xyz/v1/scan/0xebc29199c817dc47ba12e3f86102564d640cbf99
```