Smart Contract Risk Scoring at $0.25/Call: A DeFi Security API That Actually Ships
If you're a DeFi developer, the security tooling on the market right now is roughly: pay CertiK $50,000 for a real audit, pay Quantstamp $20,000 for a smaller one, or run Slither yourself locally and hope you don't miss anything. There is essentially nothing in the middle.
The middle is where most of the work happens. You're integrating a third-party contract you didn't write. You're forking something from GitHub. You're listing a token on a frontend and someone in Discord asks "is this rugged?" None of those moments justify a $50,000 audit. All of them deserve more than vibes.
So we built contract-risk-score. $1.25 for a 5-pack. $0.25 per call. Live as of this week.
What the API actually does
You POST a contract address (Ethereum, Base, Arbitrum, or Optimism) and the API returns a structured risk score covering ten categories. Here's a real response from a contract we scored last week:
{
  "address": "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D",
  "chain": "ethereum",
  "overall_risk": "low",
  "score": 18,
  "categories": {
    "admin_key_centralization": {"risk": "low", "notes": "no upgradeable proxy"},
    "oracle_exposure": {"risk": "n/a", "notes": "no oracle dependency"},
    "reentrancy_signatures": {"risk": "low", "notes": "uses checks-effects-interactions"},
    "known_exploit_patterns": {"risk": "low", "matches": []},
    "honeypot_indicators": {"risk": "low"},
    "ownership_concentration": {"risk": "n/a"},
    "verified_source": {"risk": "low", "verified_on_etherscan": true},
    "permission_creep": {"risk": "low"},
    "external_call_depth": {"risk": "medium", "depth": 4},
    "flash_loan_compatibility": {"risk": "n/a"}
  },
  "summary": "Uniswap V2 Router. Battle-tested for 4 years. No notable issues."
}
That was Uniswap V2 Router. Boring, well-known, low risk. Now here's a contract a Discord member asked us to score the same day:
{
  "address": "0x[redacted]",
  "overall_risk": "high",
  "score": 78,
  "categories": {
    "admin_key_centralization": {"risk": "high", "notes": "single EOA owner can mint, pause, blacklist"},
    "honeypot_indicators": {"risk": "high", "notes": "transfer function reverts on sells from non-owner"},
    "ownership_concentration": {"risk": "high", "notes": "deployer holds 87% of supply"},
    "verified_source": {"risk": "medium", "notes": "verified but unusual proxy pattern"},
    "known_exploit_patterns": {"risk": "high", "matches": ["GoPlus honeypot signature 4a2e1"]}
  },
  "summary": "Honeypot. Do not interact."
}
Same API. Different answer. The Discord member did not lose money on it. The cost of finding out: $0.25.
How it works under the hood
The endpoint runs a multi-stage pipeline:
- Pulls the verified source from Etherscan / Basescan / Arbiscan / Optimistic Etherscan if available
- Falls back to bytecode disassembly when source isn't verified
- Runs a battery of static-analysis checks: ownership graphs, function selector patterns, external call traces, oracle dependency mapping
- Cross-references against a curated database of known exploit signatures (Cream, Euler, Mango, Curve, Wormhole — the historical hall of fame)
- Scores each category 0-100 and synthesizes an overall risk verdict via Claude 4.7 Sonnet
Total round trip: 8-15 seconds depending on chain congestion (Etherscan rate limits) and whether the contract has verified source.
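To make the "function selector patterns" stage concrete, here is an added example (written for this post, not the service's own pipeline code) of the kind of signal that feeds an admin_key_centralization rating: a linear-sweep EVM bytecode walker that recovers every selector the contract's dispatcher compares against, then flags the ones that correspond to owner-only controls such as mint, pause and transferOwnership. The bytecode is constructed for the example; the selector table holds the standard keccak-256 4-byte values for those ERC-20 / Ownable / Pausable signatures.

```python
# Added example, not the contract-risk-score service's own code: recover the
# function selectors an EVM dispatcher tests and flag privileged ones.
from dataclasses import dataclass
from typing import Dict, List, Tuple

PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F
EQ = 0x14

# Standard 4-byte selectors, i.e. keccak256(signature)[:4].
SELECTORS: Dict[str, str] = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "8da5cb5b": "owner()",
    "f2fde38b": "transferOwnership(address)",
    "715018a6": "renounceOwnership()",
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
}
# Selectors whose presence means someone holds privileged control over the token.
ADMIN_SELECTORS = {"40c10f19", "8456cb59", "3f4ba83a", "f2fde38b"}


@dataclass
class Instruction:
    offset: int
    opcode: int
    immediate: bytes  # empty unless the opcode is a PUSHn


def disassemble(code: bytes) -> List[Instruction]:
    """Linear sweep over raw bytecode; PUSHn immediates are consumed, not decoded as opcodes."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        out.append(Instruction(pc, op, code[pc + 1: pc + 1 + width]))
        pc += 1 + width
    return out


def dispatcher_selectors(code: bytes) -> List[str]:
    """Every PUSH4 immediately followed by EQ is a selector the dispatcher tests."""
    ins = disassemble(code)
    return [a.immediate.hex() for a, b in zip(ins, ins[1:])
            if a.opcode == PUSH4 and b.opcode == EQ and len(a.immediate) == 4]


def admin_signals(code: bytes) -> Tuple[List[str], List[str]]:
    """Returns (all selectors as signatures, privileged signatures present)."""
    sels = dispatcher_selectors(code)
    known = [SELECTORS.get(s, f"unknown:{s}") for s in sels]
    admin = [SELECTORS[s] for s in sels if s in ADMIN_SELECTORS]
    return known, admin


def _dispatch_entry(selector_hex: str, dest: int) -> bytes:
    # DUP1, PUSH4 <selector>, EQ, PUSH2 <jumpdest>, JUMPI: one solc-style dispatcher arm
    return (b"\x80\x63" + bytes.fromhex(selector_hex) + b"\x14\x61"
            + dest.to_bytes(2, "big") + b"\x57")


# Constructed sample bytecode: PUSH1 0, CALLDATALOAD, PUSH1 0xe0, SHR loads the
# selector, then a dispatcher chain for a token exposing mint/pause/transferOwnership.
SAMPLE_TOKEN = (
    b"\x60\x00\x35\x60\xe0\x1c"
    + _dispatch_entry("a9059cbb", 0x0100)
    + _dispatch_entry("40c10f19", 0x0120)
    + _dispatch_entry("8456cb59", 0x0140)
    + _dispatch_entry("f2fde38b", 0x0160)
    + b"\x00"  # STOP when no selector matched
)

if __name__ == "__main__":
    known, admin = admin_signals(SAMPLE_TOKEN)
    print("dispatcher tests:", known)
    print("privileged:", admin)
```

A linear sweep is enough for the dispatcher, which sits at the start of the runtime code; unverified contracts that hide selectors behind computed jumps or a proxy's delegatecall still need the source-level and ownership-graph stages described above.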
What this is not
This is not a substitute for a formal audit. If you're deploying a $50M TVL protocol, you still need CertiK or Trail of Bits, full stop. We are not insuring anything.
What this is: a fast triage layer. The same way a doctor uses a quick blood-pressure check before deciding whether to order a full cardiac workup, this API tells you in 10 seconds whether the contract you're about to interact with deserves more scrutiny.
Five places we've seen people use it
- Aggregator integration vetting. "We're listing this token. Run the address. Anything red?"
- Wallet UX safety check. Some wallet teams have integrated it as a "before-you-sign" warning when a user is about to interact with an unaudited contract.
- Bot trading filters. A copy-trading bot that won't follow a wallet into any contract scoring above 60.
- Community moderation. Discord/Telegram bots that score contracts on demand when someone shills a token.
- Forked-protocol due diligence. "I'm about to fork this Uniswap variant. Has anyone modified the swap function in a way that introduces risk?"
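The wallet "before-you-sign" warning and the bot filter above both come down to the same thing: parse the response and apply a policy. Here is an added example of such a consumer (written for this post, not the service's own client). The request helper builds the same POST as the curl call on this page; the two responses embedded below are the ones quoted above, used as fixtures so the policy runs offline. The 60-point cut-off is the one the copy-trading bot example uses.

```python
# Added example, not the service's own client: turn a contract-risk-score
# response into a block / warn / allow decision.
import json
import re
import urllib.request
from typing import Any, Dict, List

API_URL = "https://toughlovesec.win/api/contract-risk-score"  # endpoint from the post
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
CHAINS = {"ethereum", "base", "arbitrum", "optimism"}  # chains the post lists


def build_request(address: str, chain: str) -> urllib.request.Request:
    """Validate inputs client-side, then build the POST (built, not sent, here)."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    if chain not in CHAINS:
        raise ValueError(f"unsupported chain: {chain!r}")
    body = json.dumps({"address": address, "chain": chain}).encode()
    return urllib.request.Request(API_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def decide(report: Dict[str, Any], max_score: int = 60) -> Dict[str, Any]:
    """Block on a hard signal or a score above max_score; warn on any medium; else allow."""
    cats = report.get("categories", {})
    reasons: List[str] = []
    # Hard blocks that apply regardless of the aggregate score.
    if cats.get("honeypot_indicators", {}).get("risk") == "high":
        reasons.append("honeypot indicators: " + cats["honeypot_indicators"].get("notes", ""))
    if cats.get("known_exploit_patterns", {}).get("matches"):
        reasons.append("known exploit signatures: "
                       + ", ".join(cats["known_exploit_patterns"]["matches"]))
    # A missing score is treated as the worst case rather than as safe.
    if report.get("overall_risk") == "high" or report.get("score", 100) > max_score:
        reasons.append(f"score {report.get('score')} / overall {report.get('overall_risk')}")
    if reasons:
        return {"action": "block", "reasons": reasons}
    mediums = [name for name, c in cats.items() if c.get("risk") == "medium"]
    if mediums:
        return {"action": "warn", "reasons": ["medium risk: " + ", ".join(mediums)]}
    return {"action": "allow", "reasons": []}


# Fixtures: the two responses quoted in this post.
UNISWAP_V2_ROUTER = {
    "address": "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D", "chain": "ethereum",
    "overall_risk": "low", "score": 18,
    "categories": {
        "admin_key_centralization": {"risk": "low", "notes": "no upgradeable proxy"},
        "oracle_exposure": {"risk": "n/a", "notes": "no oracle dependency"},
        "reentrancy_signatures": {"risk": "low", "notes": "uses checks-effects-interactions"},
        "known_exploit_patterns": {"risk": "low", "matches": []},
        "honeypot_indicators": {"risk": "low"},
        "ownership_concentration": {"risk": "n/a"},
        "verified_source": {"risk": "low", "verified_on_etherscan": True},
        "permission_creep": {"risk": "low"},
        "external_call_depth": {"risk": "medium", "depth": 4},
        "flash_loan_compatibility": {"risk": "n/a"},
    },
}
HONEYPOT = {
    "address": "0x[redacted]", "overall_risk": "high", "score": 78,
    "categories": {
        "admin_key_centralization": {"risk": "high", "notes": "single EOA owner can mint, pause, blacklist"},
        "honeypot_indicators": {"risk": "high", "notes": "transfer function reverts on sells from non-owner"},
        "ownership_concentration": {"risk": "high", "notes": "deployer holds 87% of supply"},
        "verified_source": {"risk": "medium", "notes": "verified but unusual proxy pattern"},
        "known_exploit_patterns": {"risk": "high", "matches": ["GoPlus honeypot signature 4a2e1"]},
    },
}

if __name__ == "__main__":
    for report in (UNISWAP_V2_ROUTER, HONEYPOT):
        print(report["address"], decide(report))
```

Note that the Uniswap router lands on "warn", not "allow": the external_call_depth category is rated medium, and a wallet integration should surface that to the user rather than swallow it, while the honeypot is blocked on three independent grounds before the score is even consulted.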
Pricing and payments
The pack: 5 calls for $1.25 via Stripe Checkout. Pack tokens don't expire. There's no monthly anything.
For agents and integrations, the same endpoint accepts x402 micropayments at $0.25 per call. That's the rate that lets a moderator-bot in a Discord server respond to "score this address" without anyone running up a tab.
curl https://toughlovesec.win/api/contract-risk-score \
-X POST \
-H "Content-Type: application/json" \
-d '{"address":"0x...","chain":"ethereum"}'
Why we built this
TLS is a healthcare-pentest practice. Smart contracts are not our usual beat. But the underlying skill — read code, look for exploits, write up a verdict — transfers cleanly. And we kept watching DeFi devs ask each other in Discord "is this safe to interact with?" with no good answer between "free Etherscan glance" and "$50K audit."
The middle was empty. We filled the middle.
What's next
We're adding chain support — Solana, Polygon, BNB Chain — over the next two weeks. We're also adding a "watch" mode: pay $5/month and get a webhook when any contract on your watchlist changes ownership, gets upgraded, or starts matching a new exploit signature. That's the version DeFi treasurers and DAO multisigs have been asking us to build.
For now, the basic risk-score endpoint is live, it's $0.25 per call, and it works.
The other two TLS public APIs we shipped this week, in case you missed them: ImageGen for AI image generation and ClawWork for instant AI labor. All three speak Stripe + x402. All three are designed for the long tail of small payments the AI agent economy actually runs on.
Questions, integrations, weird contracts you want to throw at it: talk to LIA.