Chain-Fox automates security detection for blockchains and smart contracts. Operations teams use it to identify vulnerabilities and ensure compliance. It integrates with existing development workflows and supports Python.
git clone https://github.com/Chain-Fox/Chain-Fox.git
Website: https://www.chain-fox.com
1. **Install Chain-Fox and its dependencies** (Terminal/Command Line). Run `pip install chain-fox` and ensure you have Python 3.8+ installed. Verify the installation with `chain-fox --version`.
2. **Prepare your inputs** (Text Editor/IDE). Gather the blockchain network (e.g., Ethereum Mainnet, Polygon), contract address, and specify the vulnerabilities to scan (e.g., reentrancy, access control). Use a `.env` file to store sensitive data like API keys for blockchain explorers (e.g., Etherscan).
3. **Run the scan** (Terminal/Command Line). Use the prompt template to generate a command like: `chain-fox scan --network ethereum --contract 0x742d35Cc6634C0532925a3b844Bc454e4438f44e --vulnerabilities reentrancy,integer-overflow --framework sec-rule-10b-5`. For large contracts, add `--timeout 300` to avoid timeouts.
4. **Review the report** (Text Editor/IDE). Chain-Fox outputs a JSON file (e.g., `report_20231115.json`) and a human-readable summary. Focus on critical issues first, then address medium/low findings. Cross-reference with the suggested fixes in the report.
5. **Integrate into CI/CD** (CI/CD Platform). Add Chain-Fox to your GitHub Actions or GitLab CI pipeline. Example workflow:

   ```yaml
   - name: Run Chain-Fox Security Scan
     uses: chain-fox/action@v2
     with:
       contract-address: ${{ secrets.CONTRACT_ADDRESS }}
       network: polygon
       vulnerabilities: 'reentrancy,access-control'
   ```

   Fail the pipeline if critical issues are detected.
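Step 5 ends with "fail the pipeline if critical issues are detected", and step 4 says the scanner writes a JSON report, but the page does not show the report's JSON layout. The script below is an added example, not code from the Chain-Fox project: it assumes a report shaped as a top-level `findings` list whose entries carry `id`, `title`, `severity` and `location` keys (adjust `parse_report` if the real schema differs), and the embedded `SAMPLE_REPORT` is constructed to mirror the five findings in the example report further down this page. The gate fails closed: an unreadable or malformed report and any finding with an unrecognised severity label both block the build unless explicitly allowed.

```python
"""CI gate over a Chain-Fox JSON report (added example; report schema is assumed)."""
import json
import sys
from collections import Counter

# Assumed layout: {"findings": [{"id", "title", "severity", "location"}, ...]}.
# Constructed sample mirroring the findings in the example report on this page.
SAMPLE_REPORT = json.dumps({
    "contract": "0x742d35Cc6634C0532925a3b844Bc454e4438f44e",
    "network": "ethereum",
    "findings": [
        {"id": "CF-1", "title": "Reentrancy in withdrawFunds()", "severity": "Critical", "location": "withdrawFunds():42-48"},
        {"id": "CF-2", "title": "Integer overflow in stake()", "severity": "Critical", "location": "stake():78-85"},
        {"id": "CF-3", "title": "No timelock on pause()", "severity": "Medium", "location": "pause():112"},
        {"id": "CF-4", "title": "Unchecked transfer() return in claimRewards()", "severity": "Medium", "location": "claimRewards():150"},
        {"id": "CF-5", "title": "setFee() emits no event", "severity": "Low", "location": "setFee():201"},
    ],
})

# Ordered severity scale; any label outside it is normalised to "unknown".
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def parse_report(text):
    """Return the findings list; raise ValueError for anything that is not a usable
    report so that missing or truncated scanner output fails the build (fail closed)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from None
    findings = data.get("findings") if isinstance(data, dict) else None
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' list")
    return findings


def normalize_severity(finding):
    """Lower-case the severity label; missing or unrecognised labels become 'unknown'."""
    label = str(finding.get("severity", "")).strip().lower()
    return label if label in SEVERITY_RANK else "unknown"


def severity_counts(findings):
    """Count findings per normalised severity, e.g. {'critical': 2, 'medium': 2, 'low': 1}."""
    return Counter(normalize_severity(f) for f in findings)


def gate(findings, fail_at="critical", allow_unknown=False):
    """Decide whether the pipeline may proceed.

    Returns (exit_code, blocking_ids): exit_code is 1 when any finding sits at or above
    `fail_at`, or has an unrecognised severity while allow_unknown is False."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in findings:
        sev = normalize_severity(f)
        if sev == "unknown":
            if not allow_unknown:
                blocking.append(f.get("id", "?"))
        elif SEVERITY_RANK[sev] >= threshold:
            blocking.append(f.get("id", "?"))
    return (1 if blocking else 0), blocking


def load_report_text(path):
    """Read the report file; None means use the embedded constructed sample."""
    if path is None:
        return SAMPLE_REPORT
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    try:
        findings = parse_report(load_report_text(path))
    except (OSError, ValueError) as exc:
        # Exit 2 distinguishes "no usable report" from "report contained blocking findings".
        print(f"chain-fox gate: cannot read report: {exc}", file=sys.stderr)
        return 2
    print("findings by severity:", dict(severity_counts(findings)))
    code, blocking = gate(findings)
    if blocking:
        print("blocking findings: " + ", ".join(blocking), file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, `chain_fox_gate.py` (hypothetical name), `python chain_fox_gate.py report_20231115.json` exits 1 when a critical finding is present, 2 when the report cannot be parsed, and 0 otherwise; running it with no argument evaluates the built-in sample. Lowering the threshold is a one-word change (`gate(findings, fail_at="medium")`), which is how a team would tighten the policy once the critical backlog is cleared.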
Automate security audits for smart contracts to identify vulnerabilities before deployment.
Integrate automated risk checks into CI/CD pipelines to ensure continuous security monitoring.
Utilize multi-language support to analyze code written in Rust, Go, and Solidity for potential bugs.
Implement rug pull detection to safeguard against malicious on-chain behaviors.
1. Copy the install command above (`git clone https://github.com/Chain-Fox/Chain-Fox`) and run it in your terminal.
2. Launch Claude Code, Cursor, or your preferred AI coding agent.
3. Use the prompt template or examples below to test the skill.
4. Adapt the skill to your specific use case and workflow.
Scan the [BLOCKCHAIN_NETWORK] for security vulnerabilities in the smart contract at [CONTRACT_ADDRESS] using Chain-Fox. Focus on [SPECIFIC_VULNERABILITIES] (e.g., reentrancy, integer overflow, access control). Generate a report with: (1) severity ratings for each issue, (2) suggested fixes, and (3) compliance checks against [REGULATORY_FRAMEWORK]. Prioritize findings that could lead to exploits in production.
### Chain-Fox Security Scan Report

**Contract Address:** 0x742d35Cc6634C0532925a3b844Bc454e4438f44e
**Blockchain Network:** Ethereum Mainnet
**Scan Timestamp:** 2023-11-15 14:30:00 UTC

#### Critical Findings (Severity: High)

1. **Reentrancy Vulnerability**
   - **Location:** `withdrawFunds()` function (Line 42-48)
   - **Risk:** Allows malicious contracts to drain funds via recursive calls.
   - **Exploit Scenario:** Attacker deploys a contract that re-enters `withdrawFunds()` before the balance is updated.
   - **Suggested Fix:** Add a reentrancy guard (e.g., OpenZeppelin's `ReentrancyGuard`) or use the Checks-Effects-Interactions pattern.
   - **Compliance Status:** ❌ Fails **CWE-841** (Improper State Management) and **SEC Rule 10b-5** (fraudulent transactions).
2. **Integer Overflow in `stake()`**
   - **Location:** `stake()` function (Line 78-85)
   - **Risk:** Unchecked arithmetic could allow users to stake more tokens than intended, leading to fund loss.
   - **Exploit Scenario:** Attacker crafts a transaction with a `stakeAmount` exceeding `uint256` limits.
   - **Suggested Fix:** Use SafeMath (OpenZeppelin) or Solidity 0.8.0+ built-in checks.
   - **Compliance Status:** ❌ Fails **CWE-190** (Integer Overflow) and **MiCA Regulation (EU) 2023/1114** (crypto-asset safeguards).

#### Medium Findings (Severity: Medium)

1. **Access Control Issue in `pause()`**
   - **Location:** `pause()` function (Line 112)
   - **Risk:** Only the contract owner can pause the contract, but there's no timelock or multi-sig requirement.
   - **Suggested Fix:** Implement a 24-hour timelock or require 2/3 multi-sig approval.
   - **Compliance Status:** ⚠️ Partially compliant with **NIST SP 800-53** (Access Control).
2. **Unchecked External Call in `claimRewards()`**
   - **Location:** `claimRewards()` function (Line 150)
   - **Risk:** Direct call to `IERC20(token).transfer()` without checking return value.
   - **Suggested Fix:** Use `safeTransfer()` from OpenZeppelin or explicitly check the return value.

#### Low Findings (Severity: Low)

1. **Lack of Event Emission for `setFee()`**
   - **Location:** `setFee()` function (Line 201)
   - **Risk:** No event emitted when fees are updated, reducing transparency.
   - **Suggested Fix:** Emit a `FeeUpdated` event with the new fee value.

---

**Summary:**
- **Total Issues Found:** 5 (2 Critical, 2 Medium, 1 Low)
- **Estimated Fix Time:** 3-5 days (Critical issues require immediate attention)
- **Compliance Risks:** High (2 critical failures)

**Next Steps:**
1. Prioritize fixes for reentrancy and integer overflow vulnerabilities.
2. Update the contract to use OpenZeppelin's `ReentrancyGuard` and `SafeMath`.
3. Re-scan after fixes to verify compliance with regulatory frameworks.
4. Schedule a security audit with [AUDIT_FIRM] for formal validation.

**Tools Used:** Chain-Fox v2.1.3, Slither v0.10.0, MythX API.

**Note:** This report is for internal use only. Do not share with external parties without redaction.