Built and maintained by David Cooper — CCIE #14019, U.S. Air Force veteran, and network security engineer with 20+ years of infrastructure and protocol experience — with contributions from the security community.
In March 2023, Euler Finance lost $197 million to a flash loan attack. The vulnerability — a missing health check in a donation function — was detectable with static analysis. Every tool in the standard auditor toolkit had been run on that codebase. None of them caught it.
That's not a failure of effort. It's a failure of tooling. Slither doesn't understand cross-contract flash loan paths. Semgrep doesn't know the historical context of similar exploits. Aderyn doesn't generate a PoC you can hand to a developer and say "this is what an attacker would do."
Counterscarp was built to close those gaps — not by replacing existing tools, but by orchestrating all of them together, adding AI-powered intelligence on top, and delivering output that's actually useful to both auditors and developers.
Professional-grade smart contract security should not cost $50,000 and take 6 weeks. We're changing that.
We surface everything and give you the tools to suppress noise. Configurable exclusions, per-rule suppression, and transparent severity scoring.
Security tools must be transparent. Our MIT license means anyone can inspect, audit, and improve the code. We believe the security community is stronger when we build in the open.
A finding without context is noise. Every vulnerability Counterscarp detects comes with severity scoring, historical exploit context, and concrete remediation code — not just a line number.
The threat landscape evolves daily. We actively incorporate findings from Code4rena, Immunefi, and Solodit into our knowledge base, and welcome community contributions to detection patterns.
Security tools should be fast, clear, and integrate seamlessly into existing workflows. One command. Readable output. CI/CD ready. No configuration hell. If it's painful to use, it won't get used.
A solo developer building a DeFi protocol deserves the same security analysis as a $100M protocol with a dedicated audit budget. Counterscarp is free, and that's intentional.
Counterscarp is built on a carefully chosen stack of best-in-class open-source tools, AI models, and custom-built analyzers.
The AI Copilot's RAG framework draws from authoritative sources in smart contract security. The curated knowledge base is actively growing.
Audit contest findings, severity classifications, and judge decisions from the leading competitive audit platform. Target source for ongoing RAG index expansion.
Bug bounty reports and post-mortems from the largest Web3 security platform. Key reference source for real-world vulnerability patterns.
Aggregated smart contract audit findings with semantic search, enabling cross-reference of similar vulnerabilities across protocols.
Peer-reviewed papers on EVM security, formal verification, and smart contract vulnerability classification from IEEE, ACM, and arXiv.
Counterscarp is open source and community-driven. Contribute detection patterns, report bugs, or just use it on your next audit.