DeFiGuard AI is an advanced AI-powered smart contract security auditor that leverages Gemini 2.5 Flash and Model Context Protocol (MCP) architecture to identify vulnerabilities in Solidity contracts within seconds.
- AI-Powered Analysis - Gemini 2.5 Flash with 2M token context window
- Lightning Fast - Complete audits in under 30 seconds
- EVM-Compatible Analysis - Analyze contracts from any EVM-compatible chain. On-chain registration on Base Sepolia
- Automated Fixes - AI-generated secure code patches
- Risk Scoring - Comprehensive security analysis with severity levels
- NFT Certification - On-chain verification badges for audited contracts
- Real-Time Monitoring - Continuous surveillance of deployed contracts
- MCP Architecture - Model Context Protocol for enhanced security analysis
- Decentralized Minting - Contract owners mint badges directly from their wallets
- Next.js 14 - React framework with App Router
- TypeScript - Type-safe development
- Tailwind CSS - Utility-first styling with glassmorphism
- Framer Motion - Advanced animations
- Thirdweb - Wallet connection and blockchain infrastructure
- Gemini 2.5 Flash - Google's latest AI model
- MCP Architecture - Model Context Protocol implementation
- Custom MCP Servers - Slither, Blockchain Data, DeFi Analytics
- AI Agents - AdvancedAuditorAgent, RiskAgent, RemediationAgent
- Thirdweb SDK - Multi-chain infrastructure
- Thirdweb React - Wallet connection and blockchain hooks
- Viem - TypeScript Ethereum library
- Base Sepolia - Primary deployment network
- Solidity 0.8.20 - Smart contract language
- OpenZeppelin - Secure contract libraries
- Hardhat - Development environment
- Node.js 18+ and pnpm
- Gemini API Key from Google AI Studio
- Thirdweb Client ID from Thirdweb Dashboard
```bash
# Clone repository
git clone https://github.com/yourusername/defiguard-ai.git
cd defiguard-ai

# Install dependencies with pnpm
pnpm install

# Copy environment variables
cp .env.example .env.local

# Edit .env.local with your API keys
nano .env.local

# Run development server
pnpm dev
```

Visit http://localhost:3000 to see the application.
Create .env.local file with:

```bash
# AI Model
GEMINI_API_KEY=your_gemini_api_key
GEMINI_MODEL=gemini-2.5-flash-latest

# Blockchain
NEXT_PUBLIC_THIRDWEB_CLIENT_ID=your_thirdweb_client_id
THIRDWEB_SECRET_KEY=your_secret_key

# Contract Addresses (Updated December 2025)
NEXT_PUBLIC_AUDIT_REGISTRY_ADDRESS=0x6D3d5487c41E1759b5457f5C29f8d41caC51a8eF
NEXT_PUBLIC_GUARD_NFT_ADDRESS=0xE429b1AFD7BDd12ceDB69777538f5925CB6CeF52
NEXT_PUBLIC_GUARD_TOKEN_ADDRESS=0xBc3035ed036B280AdB9A6Ad19a46089E39e2eDED

# RPC Endpoints
NEXT_PUBLIC_BASE_SEPOLIA_RPC=https://sepolia.base.org
NEXT_PUBLIC_ARBITRUM_SEPOLIA_RPC=https://sepolia-rollup.arbitrum.io/rpc

# Explorer APIs (for contract verification)
BASESCAN_API_KEY=your_basescan_key
ARBISCAN_API_KEY=your_arbiscan_key
ETHERSCAN_API_KEY=your_etherscan_key

# Deployment (only needed for deploying contracts)
DEPLOYER_PRIVATE_KEY=0xyour_deployer_private_key_here

# Note: GUARD_NFT_OWNER_PRIVATE_KEY is NO LONGER NEEDED
# Users now mint badges directly from their wallets!
```

THIRDWEB_SECRET_KEY and DEPLOYER_PRIVATE_KEY are server-side secrets: keep them out of NEXT_PUBLIC_ variables (Next.js inlines those into the browser bundle) and out of version control.

```bash
# Login to Vercel
pnpm vercel login

# Deploy to production
pnpm deploy
```

Deploy your application to your preferred hosting platform (Vercel, Netlify, etc.) for production use.
```bash
# Ensure you have testnet ETH and DEPLOYER_PRIVATE_KEY in .env.local
# Deploy all contracts to Base Sepolia
pnpm deploy:contracts

# Redeploy only updated contracts (AuditRegistry & GuardNFT)
pnpm redeploy:updated

# Verify contracts (after deployment)
# Requires BASESCAN_API_KEY in .env.local
pnpm verify:updated
```

Latest Deployed and Verified Contracts (Updated December 2025):
- AuditRegistry: 0x6D3d5487c41E1759b5457f5C29f8d41caC51a8eF (View on Basescan)
- GuardNFT: 0xE429b1AFD7BDd12ceDB69777538f5925CB6CeF52 (View on Basescan)
- GuardToken: 0xBc3035ed036B280AdB9A6Ad19a46089E39e2eDED (View on Basescan)

Key Updates (December 2025):
- Decentralized Badge Minting: Contract owners can now mint certification badges directly from their wallets
- No Server Required: Users no longer need server-side private keys to mint badges
- contractOwner Mapping: AuditRegistry now tracks who registered each audit for ownership verification
Architecture overview (the original ASCII box diagram, rendered as an outline; layers are listed top to bottom with the call type that links each layer to the next):

CLIENT LAYER (Browser / Next.js Frontend)
- Pages: Home Page (Landing), Audit Page (Analysis), Dashboard (Stats), Monitoring (Alerts)
- Shared Components: Navbar/Footer, UI Components, Chatbot
- Link to next layer: HTTP Requests

API ROUTES LAYER (Next.js API Routes)
- /api/analyze (POST): validates contract code, calls AdvancedAgent
- /api/record-audit (POST): prepares transaction, uses Thirdweb SDK
- /api/mint-badge (POST): checks certification, mints NFT badge
- /api/chat (Chatbot API), /api/gemini (Gemini Proxy), /api/transactions (TX History)
- Link to next layer: Function Calls

AI AGENTS LAYER (MCP Architecture)
- AdvancedAuditorAgent (Main Agent): analyzeContract(code, contractAddress?)
  1. Calls MCP Servers in parallel
  2. Builds enriched context
  3. Sends to Gemini 2.5 Flash via AI SDK
  4. Returns VulnerabilityAnalysis
- RiskAgent: calculates risk score, classifies risk level
- RemediationAgent: generates secure fixes, code patches
- AuditorAgent (Legacy): basic analysis
- Link to next layer: MCP Protocol Calls

MCP SERVERS LAYER (Model Context Protocol, configured via mcp.json)
- SlitherMCP (slither-analyzer): methods analyze(), getVulnerabilityPatterns(); output: static analysis, vulnerability patterns
- BlockchainMCP (blockchain-data): methods getContractInfo(), getTransactionHistory(); output: contract info, TX history, on-chain data; integrates Thirdweb SDK and Basescan API
- DeFiDataMCP (defi-data): methods getExploitHistory(), getHistoricalExploits(), getProtocolTVL(), getSecurityRating(); output: historical exploits, DeFi protocol data
- All MCP servers called in parallel via Promise.allSettled(); context aggregated and injected into Gemini prompt
- Link to next layer: API Calls

AI/ML LAYER (Google Gemini 2.5 Flash)
- Gemini API Client (lib/gemini/client.ts): analyzeContractWithGemini(), generateRemediationCode()
- Multi-model fallback system:
  1. gemini-2.5-flash (primary)
  2. gemini-2.5-pro (fallback)
  3. gemini-2.0-flash (fallback)
  4. gemini-1.5-flash (fallback)
  5. gemini-1.5-pro (fallback)
- Input: contract code + MCP context
- Output: VulnerabilityAnalysis JSON with vulnerabilities[] (type, severity, line, description, fix), riskScore (0-100), gasOptimizations[], bestPractices[], summary
- Link to next layer: Blockchain Calls

BLOCKCHAIN LAYER (Base Sepolia Network)
- Thirdweb SDK: wallet connection (ConnectButton), contract interaction, transaction preparation
- AuditRegistry (address 0x6D3d...8eF): recordAudit, getAllAudits, checkCert, contractOwner
- GuardNFT (ERC-721, address 0xE429...F52): mintBadge(), getBadgeInfo, isCertified
- GuardToken (ERC-20, address 0xBc30...DED): claimAirdrop, mintReward, batchMint
- All contracts verified on Basescan & Sourcify
- Link to next layer: External API Calls

EXTERNAL SERVICES
- Basescan API: contract verification, TX history
- DefiLlama API: protocol TVL, DeFi data
- Google Gemini API: AI analysis, code gen
- Thirdweb Infrastructure: RPC nodes, indexing

DATA FLOW EXAMPLE
1. User uploads contract code → Frontend (Audit Page)
2. Frontend → POST /api/analyze { code, contractAddress? }
3. API Route → AdvancedAuditorAgent.analyzeContract()
4. AdvancedAuditorAgent calls MCP servers in parallel:
   - SlitherMCP.analyze() → Static analysis
   - DeFiDataMCP.getHistoricalExploits() → Exploit correlation
   - BlockchainMCP.getContractInfo() → On-chain data (if address provided)
5. MCP context aggregated → buildAnalysisPrompt()
6. Prompt sent to Gemini 2.5 Flash via AI SDK
7. Gemini returns VulnerabilityAnalysis JSON
8. Response sent back to Frontend
9. User clicks "Record Audit" → POST /api/record-audit
10. API prepares transaction → Thirdweb SDK → AuditRegistry.recordAudit()
11. If riskScore < 40 → Contract certified → User can mint NFT badge
12. User clicks "Mint Badge" → POST /api/mint-badge
13. API checks certification → GuardNFT.mintBadge() → NFT minted
- Framework: Next.js 14 with App Router
- Pages: Home, Audit, Dashboard, Monitoring
- Components: Modular React components with Tailwind CSS
- State Management: React hooks (useState, useEffect, custom hooks)
- Wallet Integration: Thirdweb ConnectButton
- Framework: Next.js API Routes (Node.js runtime)
- Endpoints:
  - /api/analyze - Contract analysis with MCP integration
  - /api/record-audit - On-chain audit registration
  - /api/mint-badge - NFT badge minting
  - /api/chat - AI chatbot for security questions
  - /api/gemini - Direct Gemini API proxy
  - /api/transactions - Transaction history
- AdvancedAuditorAgent: Main agent orchestrating MCP servers and AI analysis
- RiskAgent: Calculates risk scores (0-100) and classifies risk levels
- RemediationAgent: Generates secure code fixes for vulnerabilities
- AuditorAgent: Legacy agent for basic analysis
- Configuration: mcp.json following the Model Context Protocol specification
- SlitherMCP: Static code analysis, vulnerability pattern detection
- BlockchainMCP: On-chain data fetching via Thirdweb SDK and Basescan API
- DeFiDataMCP: Historical exploit correlation and DeFi protocol data
- Execution: Parallel execution via Promise.allSettled() for fault tolerance
The Model Context Protocol (MCP) architecture is the core innovation that makes DeFiGuard AI's analysis so powerful. Here's how it works:
1. Parallel MCP Server Execution
When analyzing a contract, the AdvancedAuditorAgent simultaneously calls three specialized MCP servers:
- SlitherMCP Server (lib/mcp/slither-mcp.ts):
  - Performs static code analysis on the Solidity contract
  - Detects known vulnerability patterns (reentrancy, overflow, access control issues)
  - Analyzes code structure and identifies potential security weaknesses
  - Returns structured vulnerability data with line numbers and severity levels
- BlockchainMCP Server (lib/mcp/blockchain-mcp.ts):
  - Fetches on-chain data when a contract address is provided
  - Retrieves transaction history and contract verification status
  - Analyzes contract interactions and token holder information
  - Provides real-world context about the contract's deployment and usage
- DeFiDataMCP Server (lib/mcp/defi-data-mcp.ts):
  - Correlates contract patterns with historical exploits
  - Matches vulnerabilities to real-world hacks (DAO Hack 2016, Parity Wallet, etc.)
  - Provides exploit scenarios based on similar contracts that were compromised
  - Enhances AI understanding with DeFi protocol security data
2. Context Aggregation
All MCP server responses are aggregated into a rich context string that includes:
- Static analysis results from Slither
- On-chain data and transaction patterns
- Historical exploit correlations
- Vulnerability pattern matches
3. Enhanced AI Analysis
The aggregated MCP context is injected into the Gemini AI prompt, providing the model with:
- Multi-dimensional analysis: Not just code review, but real-world context
- Historical knowledge: Understanding of how similar vulnerabilities were exploited
- On-chain validation: Verification of contract behavior in production
- Pattern recognition: Detection of vulnerabilities that static analysis alone might miss
4. Fault Tolerance
The system uses Promise.allSettled() to ensure that if one MCP server fails, the analysis continues with data from the other servers. This makes the system resilient and ensures partial failures don't break the entire analysis.
Example Flow:

```text
User submits contract → AdvancedAuditorAgent.analyzeContract()
    ↓
Parallel execution:
├─ SlitherMCP.analyze() → Static analysis results
├─ DeFiDataMCP.getHistoricalExploits() → Exploit correlations
└─ BlockchainMCP.getContractInfo() → On-chain data (if address provided)
    ↓
Context aggregation → buildMCPContext()
    ↓
Enhanced prompt with MCP data → Gemini AI
    ↓
Comprehensive vulnerability analysis with real-world context
```
This architecture combines the best of:
- Static Analysis (Slither) for pattern detection
- On-Chain Intelligence (Blockchain) for real-world validation
- Historical Knowledge (DeFi) for exploit correlation
- AI Reasoning (Gemini) for comprehensive understanding
The result is a security analysis that's not just code review, but a comprehensive security assessment that understands both the code and its real-world implications.
- Provider: Google Gemini 2.5 Flash (primary)
- Fallback Chain: Multi-model fallback system for reliability
- Integration: AI SDK (@ai-sdk/google) for streaming and error handling
- Context Window: 2M tokens for large contract analysis
- Output Format: Structured JSON (VulnerabilityAnalysis)
- Network: Base Sepolia (Chain ID: 84532)
- SDK: Thirdweb SDK v5 for contract interaction
- Smart Contracts:
  - AuditRegistry: On-chain audit registry with contractOwner mapping
  - GuardNFT: ERC-721 certification badges (decentralized minting)
  - GuardToken: ERC-20 rewards token (1B supply)
- Verification: All contracts verified on Basescan & Sourcify
- Basescan API: Contract verification and transaction history
- DefiLlama API: DeFi protocol TVL and data
- Google Gemini API: AI model inference
- Thirdweb Infrastructure: RPC nodes and blockchain indexing
- MCP Architecture: Model Context Protocol for agent-server communication
- Parallel Processing: MCP servers called in parallel for performance
- Fault Tolerance: Promise.allSettled() ensures partial failures don't break analysis
- Multi-Model Fallback: Automatic fallback to alternative Gemini models
- Decentralized Minting: Users mint badges directly from wallets (no server dependency)
- On-Chain Registry: Immutable audit records stored on blockchain
- Type Safety: Full TypeScript coverage across all layers
```text
defiguard-ai/
├── app/                 # Next.js App Router pages
│   ├── audit/           # Contract auditing interface
│   ├── dashboard/       # User dashboard
│   ├── monitoring/      # Real-time monitoring
│   └── api/             # API routes
├── components/          # React components
│   ├── ui/              # Base UI components
│   ├── layout/          # Layout components
│   ├── home/            # Landing page sections
│   ├── audit/           # Audit-specific components
│   └── dashboard/       # Dashboard widgets
├── lib/                 # Core logic
│   ├── agents/          # AI agents
│   ├── mcp/             # MCP server implementations
│   ├── gemini/          # Gemini API client
│   └── thirdweb/        # Blockchain utilities
├── contracts/           # Solidity smart contracts
├── public/              # Static assets
└── .env.local           # Environment variables
```
The project includes comprehensive test suites for all smart contracts:
```bash
# Run all contract tests
pnpm test:contracts
```

Test Coverage:
- AuditRegistry.test.ts - Tests for audit recording, certification, circular buffer DoS protection
- GuardNFT.test.ts - Tests for badge minting, query functions, URI updates
- GuardToken.test.ts - Tests for airdrop claims, reward minting, batch operations
Run real transactions on Base Sepolia testnet to verify contract functionality:
```bash
# Execute test transactions for all contracts (requires DEPLOYER_PRIVATE_KEY in .env.local)
pnpm test:transactions

# Execute test transactions for updated contracts only (AuditRegistry & GuardNFT)
pnpm test:updated
```

What it does:
- Executes 4 transactions per contract (AuditRegistry, GuardNFT, GuardToken)
- Records audits with different risk scores (15, 25, 30, 35)
- Mints NFT badges for certified contracts using decentralized minting
- Tests reward minting (single and batch operations)
- All transactions are verifiable on Basescan
Transaction Results:
- AuditRegistry: 4 audits recorded successfully (~236,331 gas each)
- GuardToken: 4 reward transactions successful (~57,458-88,639 gas)
- GuardNFT: Badge minting works with owner-based verification (~251,974 gas)
Gas Usage Statistics:
- AuditRegistry.recordAudit: ~236,331 gas per transaction
- GuardToken.mintReward: ~57,458 gas per transaction
- GuardToken.batchMintRewards (2 recipients): ~88,639 gas
- GuardToken.batchMintRewards (4 recipients): ~78,181 gas
- GuardNFT.mintBadge: ~251,974 gas per transaction
Updated Contracts Test Results (December 2025):
AuditRegistry Tests:
- 4 audit recordings successful
- All contracts certified automatically (risk score < 40)
- contractOwner mapping working correctly
- Gas usage: ~236,331 gas per audit
GuardNFT Tests:
- Decentralized badge minting working correctly
- Owner verification working (only contract owner can mint)
- Certification verification working
- Gas usage: ~251,974 gas per badge mint
Sample Test Transactions:
AuditRegistry:
- Contract 1 (Gold) - Risk Score: 15 - TX: 0xd662fec0ca4a3c3ed525cc0a0437cdec1c4c926978a9935eb35d47a500703333 - Gas: 236,331 | Block: 34573355
- Contract 2 (Bronze) - Risk Score: 25 - TX: 0xdeced6ea47fbd49fafa7098fee3def9f7c616b3488a729fd2bdf883bd97bf221 - Gas: 236,331 | Block: 34573358
- Contract 3 (Bronze) - Risk Score: 30 - TX: 0x19e1937ab7c10ea61609dac99e1f04bfd9e08dcef1d9c8d406bd19d6082c945a - Gas: 236,331 | Block: 34573360
- Contract 4 (Bronze) - Risk Score: 35 - TX: 0x7e14f27f1a195b3fd1dbbeaccb53b338e37631e354ffb4585237721a0c5e17bb - Gas: 236,331 | Block: 34573363
GuardNFT:
- Badge #4, #5, #7 minted successfully
- Sample TX: 0x6d46e2e2863386ab0f4f2159628a742e9ad3b19ee5adcc48f76f3694dc8ae70d - Gas: 251,974 | Block: 34573367
View Transactions on Basescan:
- AuditRegistry Transactions
- GuardNFT Transactions
- GuardToken Transactions
- Deployer Address (All Transactions)
Verify the executed test transactions on Base Sepolia:
```bash
# Verify transactions using Basescan API
pnpm verify:transactions

# Verify updated contracts on Basescan
pnpm verify:updated
```

Verification Status: All transactions verified successfully
- AuditRegistry recordAudit transactions confirmed
- GuardToken transactions confirmed (single mints + batch mints)
- GuardNFT badge minting transactions confirmed (decentralized minting working)
- All transactions visible and verifiable on Basescan
- Contracts verified on Basescan and Sourcify
For detailed verification report, see TRANSACTION_VERIFICATION.md.
Analyze a contract with the auditor agent:

```typescript
import { auditorAgent } from "@/lib/agents/auditor-agent";

// Keep the sample on several lines: a "//" comment on a single-line
// Solidity source would swallow the closing brace.
const code = `
pragma solidity ^0.8.0;

contract MyContract {
    // Your code here
}
`;

const analysis = await auditorAgent.analyzeContract(code);
console.log(`Risk Score: ${analysis.riskScore}`);
console.log(`Vulnerabilities: ${analysis.vulnerabilities.length}`);
```

Call the Gemini client directly:

```typescript
import { analyzeContractWithGemini } from "@/lib/gemini/client";

// contractCode: the Solidity source to analyze
const result = await analyzeContractWithGemini(contractCode);
```

Mint a certification badge from the user's own wallet:

```typescript
import { mintBadgeForContract } from "@/lib/contracts/mint-badge";

// User mints badge directly from their wallet
const txHash = await mintBadgeForContract(
  contractAddress,
  userAddress,
  riskScore,
  userAccount
);
```

- AdvancedAuditorAgent - Analyzes smart contracts for vulnerabilities using Gemini AI with MCP integration
- RiskAgent - Calculates comprehensive risk scores
- RemediationAgent - Generates secure code fixes
DeFiGuard AI leverages the Model Context Protocol (MCP) architecture to provide multi-dimensional security analysis. The system integrates three specialized MCP servers that work in parallel to enhance AI-powered contract analysis:
SlitherMCP Server:
- Purpose: Static code analysis and vulnerability pattern detection
- Capabilities:
- Analyzes Solidity code structure and syntax
- Detects known vulnerability patterns (reentrancy, overflow, access control)
- Identifies code quality issues and gas optimization opportunities
- Provides line-by-line vulnerability mapping
- Integration: Called automatically for every contract analysis
- Output: Structured vulnerability data with severity levels and recommendations
BlockchainMCP Server:
- Purpose: On-chain data fetching and transaction analysis
- Capabilities:
- Retrieves contract verification status from blockchain explorers
- Fetches transaction history and interaction patterns
- Analyzes token holder distribution and contract usage
- Validates contract behavior in production environment
- Integration: Called when a contract address is provided (optional)
- Output: Real-world contract usage data and on-chain validation
DeFiDataMCP Server:
- Purpose: Historical exploit correlation and DeFi security intelligence
- Capabilities:
- Correlates contract patterns with historical exploits
- Matches vulnerabilities to real-world hacks (DAO Hack 2016, Parity Wallet, etc.)
- Provides exploit scenarios based on similar compromised contracts
- Enhances AI understanding with DeFi protocol security data
- Integration: Called automatically for every contract analysis
- Output: Historical exploit correlations and real-world attack scenarios
The power of DeFiGuard AI comes from the seamless integration of MCP servers with Gemini AI:
Step 1: Parallel Data Collection

```text
Contract Code Submitted
    ↓
AdvancedAuditorAgent triggers parallel MCP calls:
├─ SlitherMCP → Static analysis results
├─ DeFiDataMCP → Historical exploit data
└─ BlockchainMCP → On-chain data (if address provided)
```

Step 2: Context Enrichment
All MCP server responses are aggregated into a comprehensive context that includes:
- Static analysis findings (vulnerability patterns, code quality)
- Historical exploit correlations (similar vulnerabilities that were exploited)
- On-chain validation (real-world contract behavior and usage)
Step 3: Enhanced AI Prompt
The enriched context is injected into the Gemini AI prompt, providing:
- Multi-dimensional understanding: Not just code review, but real-world context
- Historical knowledge: Understanding of how similar vulnerabilities were exploited
- Pattern recognition: Detection of vulnerabilities that static analysis alone might miss
- Contextual recommendations: Fixes based on proven solutions from similar cases
Step 4: Comprehensive Analysis
Gemini AI processes the enriched context and generates:
- Detailed vulnerability reports with exploit scenarios
- Risk scores based on both code analysis and historical data
- Secure code fixes informed by real-world exploit patterns
- Best practices recommendations validated by on-chain data
Benefits of MCP Architecture:
- Fault Tolerance: Uses Promise.allSettled() - partial failures don't break analysis
- Performance: Parallel execution reduces analysis time
- Accuracy: Multi-dimensional analysis catches more vulnerabilities
- Context: Real-world data enhances AI understanding
- Scalability: Easy to add new MCP servers for additional capabilities

MCP Configuration: This project implements Model Context Protocol (MCP) with an mcp.json configuration file for seamless MCP server integration.
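The fault-tolerant fan-out described under "4. Fault Tolerance" above and in the benefits list, as an added example that is not DeFiGuard's own code: three stubbed MCP servers are called with Promise.allSettled(), and a rejected server (here BlockchainMCP simulating an RPC outage) is reported inside the aggregated context rather than silently dropped. Server names follow the README; the result shapes, the stub logic, and the sample contract are assumptions made for this example.

```typescript
// Added example, not DeFiGuard's own code: fans out to stubbed MCP servers with
// Promise.allSettled() and aggregates whatever succeeded, so one failing server
// degrades the context instead of aborting the audit. Server names follow the
// README; the result shapes, stub logic and sample contract are assumptions.

type Severity = "low" | "medium" | "high";

interface StaticFinding { pattern: string; line: number; severity: Severity }
interface ExploitMatch { pattern: string; incident: string }
interface ChainInfo { address: string; verified: boolean }

type McpResult =
  | { server: "SlitherMCP"; findings: StaticFinding[] }
  | { server: "DeFiDataMCP"; matches: ExploitMatch[] }
  | { server: "BlockchainMCP"; info: ChainInfo };

// Pure pattern check behind the SlitherMCP stub: a balance write that comes
// after an external call with value is the state-after-interaction shape of
// reentrancy. Line numbers are 1-based, as a real analyzer reports them.
function detectReentrancy(code: string): StaticFinding[] {
  const findings: StaticFinding[] = [];
  let callLine = 0;
  code.split("\n").forEach((text, i) => {
    const line = i + 1;
    if (/\.call\{value:/.test(text)) callLine = line;
    if (callLine && line > callLine && /balances\[[^\]]+\]\s*[-+]?=/.test(text)) {
      findings.push({ pattern: "reentrancy", line, severity: "high" });
    }
  });
  return findings;
}

// Stub of SlitherMCP.analyze()
async function slitherAnalyze(code: string): Promise<McpResult> {
  return { server: "SlitherMCP", findings: detectReentrancy(code) };
}

// Stub of DeFiDataMCP.getHistoricalExploits(): maps a pattern to an incident
async function defiHistoricalExploits(code: string): Promise<McpResult> {
  const matches: ExploitMatch[] = [];
  if (detectReentrancy(code).length > 0) {
    matches.push({ pattern: "reentrancy", incident: "The DAO (2016)" });
  }
  return { server: "DeFiDataMCP", matches };
}

// Stub of BlockchainMCP.getContractInfo(): simulates an RPC outage so the
// fault-tolerance path is exercised
async function blockchainContractInfo(address: string): Promise<McpResult> {
  throw new Error(`RPC timeout while fetching ${address}`);
}

interface McpContext { sections: string[]; failed: string[]; partial: boolean }

// Turns settled results into prompt context. A rejected server is named both in
// `failed` and inside the context, so the model and the user see that the
// analysis is partial rather than silently getting fewer signals.
function aggregateSettled(
  names: string[],
  settled: PromiseSettledResult<McpResult>[],
): McpContext {
  const sections: string[] = [];
  const failed: string[] = [];
  settled.forEach((outcome, i) => {
    if (outcome.status === "rejected") { failed.push(names[i]); return; }
    const r = outcome.value;
    if (r.server === "SlitherMCP") {
      const list = r.findings.map(f => `${f.pattern}@L${f.line}(${f.severity})`);
      sections.push(`Static analysis: ${list.join(", ") || "none"}`);
    } else if (r.server === "DeFiDataMCP") {
      const list = r.matches.map(m => `${m.pattern} -> ${m.incident}`);
      sections.push(`Historical exploits: ${list.join(", ") || "none"}`);
    } else {
      sections.push(`On-chain: ${r.info.address} verified=${r.info.verified}`);
    }
  });
  if (failed.length > 0) {
    sections.push(`Unavailable servers (analysis is partial): ${failed.join(", ")}`);
  }
  return { sections, failed, partial: failed.length > 0 };
}

// Fan-out with Promise.allSettled(); BlockchainMCP only runs when an address is given.
async function buildMCPContext(code: string, address?: string): Promise<McpContext> {
  const names = ["SlitherMCP", "DeFiDataMCP"];
  const calls = [slitherAnalyze(code), defiHistoricalExploits(code)];
  if (address) { names.push("BlockchainMCP"); calls.push(blockchainContractInfo(address)); }
  return aggregateSettled(names, await Promise.allSettled(calls));
}

// Constructed sample: withdraw() zeroes the balance only after the external call.
const SAMPLE_CONTRACT = `pragma solidity ^0.8.20;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}`;

buildMCPContext(SAMPLE_CONTRACT, "0x0000000000000000000000000000000000000001")
  .then(ctx => console.log(ctx.sections.join("\n")));
```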
- AuditRegistry.sol - On-chain audit registry with contractOwner mapping
- GuardNFT.sol - Certification NFTs for audited contracts (decentralized minting)
- GuardToken.sol - ERC-20 token for rewards
- Network - Currently deployed on Base Sepolia (EVM-compatible contract analysis supported)
- Wallet Integration - Thirdweb ConnectButton
| Contract | Address | Basescan | Sourcify |
|---|---|---|---|
| AuditRegistry | 0x6D3d5487c41E1759b5457f5C29f8d41caC51a8eF | Verified | Verified |
| GuardNFT | 0xE429b1AFD7BDd12ceDB69777538f5925CB6CeF52 | Verified | Verified |
| GuardToken | 0xBc3035ed036B280AdB9A6Ad19a46089E39e2eDED | Verified | Verified |
Network: Base Sepolia (Chain ID: 84532)
Deployer: 0xF93F07b1b35b9DF13e2d53DbAd49396f0A9538D9
Note: All contracts are verified on Basescan and Sourcify, available for public inspection. Contracts use OpenZeppelin v5.0.2 and follow security best practices as of December 2025.
December 2025 Updates:
- Decentralized Badge Minting: Contract owners can now mint certification badges directly from their wallets
- No Server Required: Users mint badges without needing server-side private keys
- contractOwner Mapping: AuditRegistry tracks who registered each audit for ownership verification
AuditRegistry:
- Circular buffer O(1) to prevent DoS in write operations
- Explicit limit on read functions (50 active audits)
- Custom errors for gas optimization
- Complete protection against DoS attacks
- contractOwner mapping for decentralized badge minting
GuardNFT:
- CEI pattern (Checks-Effects-Interactions) implemented
- Reentrancy protection
- Enhanced security documentation
- Decentralized minting: Only contract owners can mint their certification badges
- Ownership verification: Uses AuditRegistry's contractOwner mapping
GuardToken:
- Batch size limit (100 recipients) to prevent DoS
- Custom errors implemented
- Protection in batch operations
- User Registers Audit: When a user records an audit for their contract, their wallet address is stored as contractOwner in AuditRegistry
- Contract Gets Certified: If risk score < 40, the contract is automatically certified
- User Mints Badge: The same user (contract owner) can now mint the certification badge directly from their wallet
- Verification: GuardNFT contract verifies:
  - The caller is the contractOwner of the audited contract
  - The contract is certified (risk score < 40)
  - No badge already exists for this contract
Benefits:
- Fully decentralized - no server dependency
- Users control their own badges
- More secure - no single point of failure
- True Web3 experience
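The register-certify-mint flow above, as an added example that is not the project's Solidity: an in-memory TypeScript model of AuditRegistry and GuardNFT.mintBadge that applies the three checks in Checks-Effects-Interactions order, so the rule ordering and each rejection can be exercised off-chain. The certification threshold (riskScore < 40) is from the README; the storage layout, error names and placeholder addresses are assumptions.

```typescript
// Added example, not the project's Solidity: an in-memory model of the
// decentralized minting flow. The threshold (riskScore < 40) is from the
// README; storage layout, error names and sample addresses are assumptions.

const CERTIFICATION_THRESHOLD = 40;

interface AuditRecord { riskScore: number; certified: boolean; owner: string }

// Model of AuditRegistry: recordAudit stores the caller as contractOwner and
// certifies automatically when the score is strictly below the threshold.
class AuditRegistryModel {
  private audits = new Map<string, AuditRecord>();

  recordAudit(caller: string, contract: string, riskScore: number): AuditRecord {
    if (!Number.isInteger(riskScore) || riskScore < 0 || riskScore > 100) {
      throw new Error("InvalidRiskScore");
    }
    const record: AuditRecord = {
      riskScore,
      certified: riskScore < CERTIFICATION_THRESHOLD,
      owner: caller.toLowerCase(),
    };
    this.audits.set(contract.toLowerCase(), record);
    return record;
  }

  contractOwner(contract: string): string | undefined {
    return this.audits.get(contract.toLowerCase())?.owner;
  }

  isCertified(contract: string): boolean {
    return this.audits.get(contract.toLowerCase())?.certified ?? false;
  }
}

// Model of GuardNFT.mintBadge in Checks-Effects-Interactions order: every check
// runs before any state change, and the badge is recorded before the point where
// the real contract would hand control to the recipient (the mint itself).
class GuardNFTModel {
  private badgeOf = new Map<string, number>();
  private nextId = 1;

  constructor(private readonly registry: AuditRegistryModel) {}

  mintBadge(caller: string, contract: string): number {
    const key = contract.toLowerCase();
    // Checks
    if (this.registry.contractOwner(key) !== caller.toLowerCase()) throw new Error("NotContractOwner");
    if (!this.registry.isCertified(key)) throw new Error("NotCertified");
    if (this.badgeOf.has(key)) throw new Error("BadgeAlreadyMinted");
    // Effects
    const tokenId = this.nextId++;
    this.badgeOf.set(key, tokenId);
    // Interaction (the token transfer to the caller) would follow here
    return tokenId;
  }

  hasBadge(contract: string): boolean {
    return this.badgeOf.has(contract.toLowerCase());
  }
}

// Returns the error name a mint attempt fails with, or null when it succeeds.
function tryMint(nft: GuardNFTModel, caller: string, contract: string): string | null {
  try {
    nft.mintBadge(caller, contract);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}

// Constructed walk-through with placeholder addresses.
function demo(): string[] {
  const registry = new AuditRegistryModel();
  const nft = new GuardNFTModel(registry);
  const owner = "0x1111111111111111111111111111111111111111";
  const other = "0x2222222222222222222222222222222222222222";
  const vault = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
  const risky = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
  registry.recordAudit(owner, vault, 15); // certified
  registry.recordAudit(owner, risky, 40); // 40 is not < 40: not certified
  return [
    String(tryMint(nft, other, vault)), // NotContractOwner
    String(tryMint(nft, owner, risky)), // NotCertified
    String(tryMint(nft, owner, vault)), // null: badge minted
    String(tryMint(nft, owner, vault)), // BadgeAlreadyMinted
  ];
}

console.log(demo().join("\n"));
```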
Unit Tests:
- Comprehensive test suites for all three contracts
- Tests cover deployment, core functionality, edge cases, and security features
- Tests use Hardhat and Chai for assertions
Integration Tests:
- Real transactions executed on Base Sepolia testnet
- 4 transactions per contract for verification
- All transactions verifiable on Basescan
- Gas usage tracked and documented
Test Files:
- test/AuditRegistry.test.ts - 15+ test cases
- test/GuardNFT.test.ts - 12+ test cases
- test/GuardToken.test.ts - 18+ test cases
Transaction Verification:
- All test transactions verified on Base Sepolia
- Script available: pnpm verify:transactions
- Detailed report: TRANSACTION_VERIFICATION.md
- Total gas used: ~1,037,000 gas across all transactions
- Vercel: defiguard-ai.vercel.app
- GitHub: github.com/yourusername/defiguard-ai
- Reentrancy attacks
- Integer overflow/underflow
- Unchecked external calls
- Access control issues
- Denial of service vectors
- Front-running risks
- Timestamp manipulation
- Uninitialized storage
- Delegatecall vulnerabilities
- tx.origin authentication
Gemini 2.5 Flash provides:
- Pattern recognition across 2M token context
- Historical exploit correlation
- Natural language vulnerability explanations
- Automated remediation code generation
- Core auditing functionality
- EVM-compatible contract analysis (on-chain registration on Base Sepolia)
- AI-powered analysis with Gemini
- MCP server architecture
- Decentralized badge minting (December 2025)
- Solana contract support
- Automated GitHub integration
- Real-time monitoring alerts
- DAO governance for security ratings
- Insurance integration for audited contracts
- Mobile app (React Native)
Contributions are welcome! Please:
- Fork the repository
- Create feature branch (git checkout -b feature/amazing-feature)
- Commit changes (git commit -m 'Add amazing feature')
- Push to branch (git push origin feature/amazing-feature)
- Open Pull Request
MIT License - see LICENSE file for details
- Thirdweb for blockchain infrastructure
- Google for Gemini 2.5 Flash API access
- OpenZeppelin for secure contract libraries
- Model Context Protocol for MCP architecture specification
- Twitter: @defiguard_ai
- Email: security@defiguard.ai
Made with ❤️ by Vaiosx & M0nsxx