v0.1.0 · open source · MIT

Rugproof your code before someone else does.

A Claude Code plugin that turns your editor into a full-stack smart contract security auditor — vulnerability detection, working exploit PoCs, mainnet-fork simulation, shareable audit cards, on-chain certificates.

v0.1.0 shipped · 38 commands · 33 detection skills · 9 MCP servers · 5 demo contracts · 4/4 tests passing

What makes it unforgettable.

Not another linter. A full-stack auditor that produces working PoCs, explains the exploit, drafts the patch, and renders a shareable card — all from your editor.

/01 — exploit

Working PoCs, not theory.

/exploit <finding> writes a Foundry test that proves the bug — and re-runs forge test until it passes. Every Critical comes with a smoking gun.

/02 — audit-live

Audit a deployed contract.

Pulls verified source from Etherscan-family explorers, optionally forks the chain via Anvil, and demonstrates the exploit against actual mainnet state. Catches false positives that theoretical audits miss.

/03 — replay-incident

Replay historical hacks.

Pull any tx hash, fork just before it, replay it, and walk through what the attacker did. Curve, Beanstalk, Nomad, Wormhole — pick your lesson.

/04 — invariant

Property-based fuzz tests.

Generates Foundry invariant tests with realistic handlers. Solvency, K-monotonicity, vote-weight snapshots — proven across 5,000+ random call sequences.

/05 — card

Shareable audit cards.

1200×1200 PNGs with grade, severity counts, and top finding. Built for tweets and PR comments. The viral hook every audit produces.

/06 — slither + mythril

Triages existing tools.

Run Slither or Mythril, then let Rugproof separate true positives from false positives and turn symbolic counter-examples into Foundry tests that compile.

/07 — mint-cert

Soulbound on-chain certificate.

Optional: mint your audit grade as a soulbound NFT on Berachain. Permanent on-chain proof, signed by an EIP-712 issuer key. nft/AuditCertificate.sol — 3 passing tests.

/08 — github action

CI on every PR.

Drop uses: omermaksutii/RugProof-action@v1 into a workflow. Audits the diff, posts findings as a sticky PR comment, blocks merge on Critical.

/09 — community rules

Bring your own detectors.

Pack your team's protocol-specific bug patterns as a Rugproof rule pack. Distribute via the Claude Code marketplace. rules/community-pack-example/ shows the shape.

The full stack.

Real implementations, not slideware. 9 MCP servers compile clean and pass a JSON-RPC list+invoke smoke test. 4/4 Foundry tests passing. Pages workflow green.

layer 1

Detection skills.

33 auto-invoked patterns. Reentrancy, oracle, flash-loan, MEV, signature-replay, ERC-4337 AA, cross-chain msg, ERC-7683 intents, EigenLayer restaking, ERC-4626 inflation, plus 23 more.

layer 2

Specialist agents.

19 sub-agents. Functional: attacker, defender, exploit-poc-writer. Protocol-specific: AMM, lending, staking, bridge, governance, vault, NFT. Hot-topic: AA, restaking, intents.

layer 3

MCP servers.

9 servers in TypeScript. Block-explorer (Etherscan family), forge-runner, hardhat-runner, anvil, tenderly, c4-history, sherlock-history, gas-tracker, token-metadata.

layer 4

Hooks + workflows.

Pre-commit quick-scan. Pre-push full audit. Pre-deploy build-artifact check. Post-test coverage analyzer. GitHub Action for PR comments. All wired in plugin.json.

layer 5

Output pipeline.

Markdown · HTML · PDF · JSON · 1200×1200 PNG card. All rendered via templates in templates/ — Handlebars + sharp + wkhtmltopdf. No browser binary needed.

layer 6

On-chain cert.

Soulbound ERC-721 (AuditCertificate.sol). EIP-712 issuer signature, S-malleability guard, no-transfer modifier. Designed for Berachain. Local signer CLI included.
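As an added illustration (not the project's AuditCertificate.sol, whose code is not on this page), here is a constructed Solidity sketch of the three mechanisms named above: an EIP-712 issuer signature check, the low-s guard against signature malleability, and a no-transfer modifier that makes the token soulbound. Contract, type and field names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sketch of the guards described above; not the project's AuditCertificate.sol.
contract SoulboundCertSketch {
    // secp256k1 group order / 2. For any valid (r, s) the twin (r, n - s) also verifies, so
    // accepting only the low-s half leaves exactly one valid encoding per issuer signature.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;
    bytes32 private constant CERT_TYPEHASH =
        keccak256("Certificate(address subject,bytes32 reportHash,uint8 grade,uint256 nonce)");

    address public immutable issuer;
    bytes32 public immutable domainSeparator;
    mapping(bytes32 => bool) public consumed;      // struct hashes already minted (replay guard)
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId;

    constructor(address issuer_) {
        issuer = issuer_;
        domainSeparator = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("CertSketch"), keccak256("1"), block.chainid, address(this)));
    }

    // Any token movement whose origin is not the mint sentinel reverts: the token is soulbound.
    modifier noTransfer(address from) {
        require(from == address(0), "soulbound: non-transferable");
        _;
    }
    function _move(address from, address to, uint256 id) internal noTransfer(from) {
        ownerOf[id] = to;
    }

    function mint(address subject, bytes32 reportHash, uint8 grade, uint256 nonce,
                  uint8 v, bytes32 r, bytes32 s) external returns (uint256 id) {
        require(uint256(s) <= HALF_N, "malleable s");          // S-malleability guard
        require(v == 27 || v == 28, "bad v");
        bytes32 structHash = keccak256(abi.encode(CERT_TYPEHASH, subject, reportHash, grade, nonce));
        require(!consumed[structHash], "certificate already minted");
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == issuer, "not signed by issuer");
        consumed[structHash] = true;
        id = nextId++;
        _move(address(0), subject, id);                        // from == 0 passes the modifier
    }

    // ERC-721 transfer entry point kept for interface compatibility; it can never succeed.
    function transferFrom(address from, address to, uint256 id) external {
        require(ownerOf[id] == from, "not owner");
        _move(from, to, id);                                   // reverts in noTransfer
    }
}
```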

What it produces.

Five intentionally-vulnerable demo contracts in examples/. Each gets a full audit report, severity breakdown, and a shareable card.

Install in 90 seconds.

Two flavors. Add the GitHub source as a marketplace, or — if approved — install from the official Anthropic marketplace.

Option A — GitHub source

In Claude Code, run:
# add the marketplace
/plugin marketplace add omermaksutii/RugProof

# install the plugin
/plugin install rugproof@omermaksutii-RugProof

# 60-second onboarding
/rugproof-init

Option B — official marketplace

Pending Anthropic review.
# once listed at claude.com/plugins:
/plugin install rugproof

# try it on the bundled demo
/audit examples/VulnerableVault.sol

# get a working PoC for the worst finding
/exploit REENT-001

Option C — GitHub Action

Audit every PR automatically.
# .github/workflows/audit.yml
on: pull_request
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: omermaksutii/RugProof-action@v1
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          threshold: high

Option D — local dev

Hack on the plugin itself.
git clone https://github.com/omermaksutii/RugProof
cd RugProof
make build           # MCP servers + scripts
make test            # forge + nft + MCP smoke
make audit-demo      # run the bundled exploit