Public lightweight scanner for Solidity projects that target the Injective EVM profile.
This repository intentionally contains only a standalone worker and a CLI trigger script. It does not include private web applications, queues, databases, LLM orchestration, or internal knowledge base assets.
scripts/
run_injective_worker.py Scan a Solidity file or project directory
run_demo.py Run the bundled sample project
src/injective_worker/
detector.py Injective precompile detection and rules
worker.py Scan orchestration and report rendering
methodology.py Public review methodology included in reports
samples/
injective_exchange_proxy/ Minimal runnable demo input
docs/
ARCHITECTURE.md Public architecture notes
METHODOLOGY.md Public review methodology
- Injective EVM precompile address references:
- Bank:
0x0000000000000000000000000000000000000064 - Exchange:
0x0000000000000000000000000000000000000065 - Staking:
0x0000000000000000000000000000000000000066
- Bank:
- Exchange proxy paths that pass user-like sender arguments into order, deposit, withdraw, or cancel flows.
- Staking delegation lifecycle calls without visible validator and amount validation.
- Bank token movement or supply flows without visible denom, decimal, and accounting guards.
- An Injective Solidity checklist in generated reports.
Run the bundled demo:
python scripts/run_demo.py --out-dir reportsExpected output:
DEMO_JSON_REPORT=reports/injective_demo.json
DEMO_MARKDOWN_REPORT=reports/injective_demo.md
DEMO_FINDINGS=1
Scan your own Solidity project:
python scripts/run_injective_worker.py \
--source /path/to/solidity/project \
--project-name my-injective-app \
--out-dir reports \
--format bothUseful CI mode:
python scripts/run_injective_worker.py \
--source /path/to/solidity/project \
--fail-on mediumThe script prints:
JSON_REPORT=...MARKDOWN_REPORT=...CHAIN_PROFILE=Injective EVMPRECOMPILE_REFERENCES=...INJECTIVE_FINDINGS=...
The report includes a public methodology section:
- Discover Solidity files.
- Identify Injective precompile references.
- Classify Bank, Exchange, and Staking call surfaces.
- Apply deterministic Injective EVM profile checks.
- Map findings to public checklist cards.
- Emit JSON and Markdown evidence for manual review.
This worker is a deterministic pre-screening tool. Findings should be reviewed by an auditor before being treated as confirmed vulnerabilities. General Solidity issues such as reentrancy, access control, integer precision, ERC standard compliance, and DeFi accounting bugs still require normal Solidity security review in addition to this Injective-specific profile.