
Chain

Contract security risk read: proxy, backdoor, opcode + verification verdict API

Pre-interaction contract-security read for an EVM address. It confirms the address is actually a contract (not an EOA); detects upgradeable proxies by reading the EIP-1967 and legacy zeppelinos implementation/admin storage slots (an admin who can swap the code); scans the runtime bytecode with a PUSH-data-aware opcode walk for dangerous opcodes (SELFDESTRUCT, DELEGATECALL); checks Blockscout verification status; and scans verified source for owner/admin/upgrade backdoors. The findings are collapsed into a 0-100 risk score, a low/medium/high/critical verdict, and machine-readable reason codes (NOT_A_CONTRACT, UNVERIFIED, UPGRADEABLE_PROXY, SELFDESTRUCT_PRESENT, DELEGATECALL_PRESENT, OWNER_PRIVILEGES) plus a narrative. Answers 'Is it safe to interact with this contract?', 'Can an admin swap this contract code?', 'Is this contract verified and free of self-destruct backdoors?'.
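What "PUSH-data-aware" means in practice, as an added example (not the service's own code): a walk that skips PUSH1..PUSH32 immediates, so that 0xff or 0xf4 bytes inside pushed constants are not reported as SELFDESTRUCT or DELEGATECALL. The function names and both bytecode samples are constructed for illustration; only the two reason codes come from the list above.

```python
SELFDESTRUCT, DELEGATECALL = 0xFF, 0xF4
PUSH1, PUSH32 = 0x60, 0x7F

def _to_bytes(runtime_hex):
    h = runtime_hex[2:] if runtime_hex.startswith("0x") else runtime_hex
    return bytes.fromhex(h)

def scan_opcodes(runtime_hex):
    """Walk instruction by instruction and record the offsets of
    SELFDESTRUCT / DELEGATECALL that sit on an instruction boundary."""
    code = _to_bytes(runtime_hex)
    hits = {"selfdestruct": [], "delegatecall": []}
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == SELFDESTRUCT:
            hits["selfdestruct"].append(pc)
        elif op == DELEGATECALL:
            hits["delegatecall"].append(pc)
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1   # skip the 1..32 immediate data bytes
        pc += 1                    # a truncated trailing PUSH just ends the loop
    return hits

def naive_scan(runtime_hex):
    """Byte search with no notion of instructions, for comparison only."""
    code = _to_bytes(runtime_hex)
    return {"selfdestruct": SELFDESTRUCT in code,
            "delegatecall": DELEGATECALL in code}

def reason_codes(hits):
    """Map scan hits onto the two opcode reason codes listed above."""
    codes = []
    if hits["selfdestruct"]:
        codes.append("SELFDESTRUCT_PRESENT")
    if hits["delegatecall"]:
        codes.append("DELEGATECALL_PRESENT")
    return codes

# Constructed sample: PUSH1 0xff, PUSH2 0xf4f4, JUMPDEST, STOP.
# Both "dangerous" byte values appear, but only as push data.
DATA_ONLY = "0x60ff61f4f45b00"

# Constructed sample: a delegatecall forwarder whose PUSH20 target is a
# placeholder address made of 0xff bytes; DELEGATECALL sits at offset 31.
FORWARDER = "0x363d3d373d3d3d363d73" + "ff" * 20 + "5af43d82803e903d91602b57fd5bf3"

if __name__ == "__main__":
    for name, sample in (("DATA_ONLY", DATA_ONLY), ("FORWARDER", FORWARDER)):
        print(name, "naive:", naive_scan(sample),
              "walk:", reason_codes(scan_opcodes(sample)))
```

A linear walk like this establishes that the opcode exists at an instruction boundary, not that the instruction is reachable, which is consistent with the heuristic, static-only framing in the response's disclaimer.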

Price: $0.2 per request
Method: POST
Route: /v1/chain/contract-risk
Status: Live
MIME type: application/json
Rate limit: 60/minute
Cache: 3600s public
Tags: chain, contract, security, proxy, upgradeability, bytecode, verification, risk
API URL: https://x402.hexl.dev/v1/chain/contract-risk
Example request
{
  "address": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "chain": "ethereum"
}
Example response
{
  "address": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "chain": "ethereum",
  "isContract": true,
  "riskScore": 50,
  "verdict": "high",
  "reasonCodes": [
    "UPGRADEABLE_PROXY",
    "DELEGATECALL_PRESENT",
    "OWNER_PRIVILEGES"
  ],
  "contractName": "FiatTokenProxy",
  "verified": true,
  "proxy": {
    "isUpgradeableProxy": true,
    "implementation": "0x43506849d7c04f9138d1a2050bbf3a0c054402dd",
    "admin": "0x807a96288a1a408dbc13de2b1d087d10356395d2"
  },
  "dangerousOpcodes": {
    "selfdestruct": false,
    "delegatecall": true
  },
  "narrative": "HIGH risk — FiatTokenProxy is an upgradeable proxy controlled by an admin who can swap the code; verified source exposes privileged controls. Review before interacting (static read only — not a security audit).",
  "disclaimer": "Best-effort STATIC analysis of public on-chain bytecode, proxy storage slots, and explorer verification data. Heuristic; source scan only on verified contracts. NOT a security audit and not a guarantee of safety."
}
Input schema
{
  "type": "object",
  "required": [
    "address"
  ],
  "properties": {
    "address": {
      "type": "string",
      "description": "0x-prefixed 40-hex EVM contract address to assess."
    },
    "chain": {
      "type": "string",
      "enum": [
        "base",
        "ethereum"
      ],
      "default": "base",
      "description": "Chain the contract is deployed on."
    }
  },
  "examples": [
    {
      "address": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
      "chain": "ethereum"
    }
  ]
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}