
Features


Access to dashboard

The dashboard lives at https://dashboard.mab.xyz. It lets you:

  1. browse the risk scores of known contracts and protocols

  2. request that the risk score of any contract be computed

Basic smart contract risk assessment

The Basic Smart Contract Risk Assessment from mab.xyz is designed to offer a quick and understandable measure of the risk associated with a smart contract. It achieves this by assigning a mab.xyz Rating, which is analogous to credit ratings in traditional finance. This rating helps users, from investors to developers, gauge the security and reliability of a contract at a glance.

The system is divided into two main categories, each containing several specific ratings:

1. Investment Grade

This category signifies contracts that are generally considered to be of higher quality and lower risk. These are contracts where the likelihood of financial loss due to vulnerabilities or exploits is perceived to be minimal to moderate.

  • AAA (Prime)

    • Description: This is the highest possible rating. Contracts rated AAA are considered to be of the utmost quality from a security perspective.

    • Implication: The risk of loss due to a hack or exploit is minimal. These contracts have likely undergone rigorous auditing, formal verification (where applicable), and possess strong security practices. They are seen as the most trustworthy and secure.

  • AA (High Grade)

    • Description: Contracts with an AA rating are of very high quality.

    • Implication: They present a very low risk of loss. While not at the absolute pinnacle of AAA, AA-rated contracts are still exceptionally secure and reliable, likely featuring robust security measures and a strong track record.

  • A (Upper-Medium Grade)

    • Description: These contracts are considered upper-medium grade.

    • Implication: The risk of loss is low. Contracts in this category are generally secure and have demonstrated good security practices, though they might not meet the extremely high standards of AA or AAA ratings. They are still considered a relatively safe option.

  • BAA (Lower-Medium Grade)

    • Description: This rating represents the lower end of the investment-grade spectrum.

    • Implication: There is a moderate risk of loss. While still considered "investment grade," BAA-rated contracts may have some identifiable risk factors or a less extensive history of security validation compared to higher-rated contracts. Caution is advised, but they are not yet in speculative territory.

2. Speculative Grade

This category includes contracts with a higher degree of uncertainty and risk. Users interacting with these contracts should be aware of the increased potential for loss.

  • BA (Speculative)

    • Description: This is the first tier within the speculative grade.

    • Implication: There is some tangible risk of loss. Contracts rated BA may have known vulnerabilities, a lack of comprehensive audits, or other factors that increase their risk profile. Users should exercise greater caution.

  • B (Highly Speculative)

    • Description: Contracts with a B rating are considered highly speculative.

    • Implication: The risk of loss is high. These contracts likely have significant security concerns, a history of minor issues, or insufficient transparency regarding their security. Interacting with these contracts carries a substantial chance of encountering problems.

  • CAA (Very High Risk)

    • Description: This rating indicates a very high level of risk.

    • Implication: There is a substantial risk of loss. CAA-rated contracts are likely to have critical vulnerabilities, a poor security track record, or other red flags that make them extremely risky.

  • CA (Near Hacked)

    • Description: This is a critical warning.

    • Implication: The contract is likely being exploited, or an exploit is imminent. Extreme caution is warranted, and interaction is generally not advised.

  • C (Default)

    • Description: This is the lowest possible rating.

    • Implication: The contract has been hacked or has defaulted in some critical way. This means a significant security breach has occurred, leading to loss of funds or critical malfunction. These contracts are compromised.

The mab.xyz Basic Smart Contract Risk Assessment provides a tiered system to quickly evaluate the security posture of a smart contract. By categorizing contracts from "Prime" (AAA) to "Default" (C), it offers users a simplified yet informative tool to understand the potential risks involved before interacting with or investing in protocols built upon these contracts. The distinction between "Investment Grade" and "Speculative Grade" further helps users align their risk tolerance with the contracts they choose to engage with.

Advanced protocol risk assessment

The advanced assessment gives the details behind the risk score, in both machine-readable and human-readable form.

Offchain compliance attestations

Offchain attestations, as provided by mab.xyz, refer to a formal document, specifically a PDF, that certifies the risk assessment of a smart contract or protocol.

What is an Offchain Attestation?

An offchain attestation is a formal PDF document generated by our system. This PDF serves as a certified record of the risk score assigned to a particular dApp or protocol at a given date, based on mab.xyz's comprehensive analysis. It essentially translates the complex on-chain security analysis into a digestible, official document for risk, compliance or legal departments.

Key Characteristics and How it Works:

  1. Formal PDF Delivery: The attestation is provided in a standard, shareable format (PDF), together with a cryptographic signature. This makes it easy to distribute, store, and present to third parties, such as auditors, regulators, or potential investors. A recipient should verify that signature before relying on the document: the rating printed in the PDF is only as trustworthy as the signature that binds it to the issuer and to the stated date.

  2. Dynamic Updates based on Onchain Events: A crucial feature is its responsiveness. The PDF attestation is not static; it is updated as soon as an onchain event happens that could impact the protocol's risk profile. This ensures that the attestation always reflects the most current security posture.

  3. Subscription-Based Updates: dApp/protocol teams and users who subscribe to the mab.xyz service can also request an update of the PDF at any time.

  4. Purpose for Different Stakeholders:

    • For dApp/Protocol Developers: This attestation acts as proof of security and compliance. Developers can use it to demonstrate the diligence applied to their protocol's security, helping build trust with users, investors, and regulatory bodies. It's a tangible asset for their compliance processes.

    • For dApp/Protocol Users: For users, especially those making significant investments in a protocol, the PDF attestation offers an independent, verifiable assessment of risk. It allows them to have an official document reflecting the security level of the protocol they are engaging with, which can be crucial for their personal risk management or for reporting due diligence.

MAB.XYZ Offchain attestations are:

  • Readable and Accessible: A PDF is universally understood and easily readable by humans, unlike raw blockchain data. This makes it accessible to a wide audience, including non-technical stakeholders, compliance officers, and legal teams.

  • Formal Documentation: For many traditional finance and regulatory contexts, a formal document like a PDF with clear ratings and explanations is often required. It bridges the gap between the decentralized world of smart contracts and the established requirements of traditional finance and legal frameworks.

  • Cost-Effectiveness: Storing complex, human-readable documents directly on-chain can be prohibitively expensive and inefficient. Generating them off-chain and providing them as a service is a more practical approach.

  • Privacy (Selective Sharing): Users and developers can choose who they share the PDF attestation with, maintaining a degree of privacy over their risk assessment data, unlike public on-chain records.

In essence, mab.xyz's offchain attestation service provides a critical bridge between the technical security analysis of smart contracts and the practical, formal documentation needs of both developers and users in the evolving Web3 ecosystem.
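The check a recipient of such a PDF should run, as an added example that is not mab.xyz's code: the page says the PDF ships with a cryptographic signature but not which scheme is used or what exactly is signed, so this example assumes a detached Ed25519 signature over a hash that binds the PDF bytes to the subject address, the rating and the issue date. The type names, the domain-separator string, the sample PDF bytes and the address are all constructed here. It also treats a stale issue date as a rejection, since the page says a new PDF is issued whenever a risk-relevant on-chain event occurs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// OffchainAttestation is what a recipient holds: the PDF bytes exactly as
// delivered plus the metadata the issuer vouched for. The field set and the
// detached Ed25519 signature are ASSUMPTIONS of this example; the page does
// not specify mab.xyz's signature format.
type OffchainAttestation struct {
	Subject  string    // contract or protocol address the PDF rates
	Rating   string    // mab.xyz Rating printed in the PDF, e.g. "BAA"
	IssuedAt time.Time // date the score was computed
	PDF      []byte    // raw PDF bytes
	Sig      []byte    // detached signature over signingInput(...)
}

// signingInput hashes the PDF together with the metadata, so a valid signature
// cannot be re-attached to a different subject, rating or issue date.
func signingInput(a OffchainAttestation) []byte {
	h := sha256.New()
	h.Write([]byte("mab.xyz offchain attestation v1\n")) // domain separator (assumed)
	fmt.Fprintf(h, "subject=%s\nrating=%s\nissued=%s\n",
		a.Subject, a.Rating, a.IssuedAt.UTC().Format(time.RFC3339))
	pdfHash := sha256.Sum256(a.PDF)
	h.Write(pdfHash[:])
	return h.Sum(nil)
}

// signAttestation is the issuer side, present only so the example runs offline.
func signAttestation(priv ed25519.PrivateKey, a OffchainAttestation) OffchainAttestation {
	a.Sig = ed25519.Sign(priv, signingInput(a))
	return a
}

// verifyAttestation is the check to run before relying on a PDF. The page says
// the PDF is re-issued whenever a risk-relevant on-chain event occurs, so an old
// issue date means "request a fresh one"; staleness is rejected like a bad signature.
func verifyAttestation(pub ed25519.PublicKey, a OffchainAttestation, now time.Time, maxAge time.Duration) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signingInput(a), a.Sig) {
		return errors.New("signature invalid: PDF or metadata altered, or not signed by the expected issuer key")
	}
	if a.IssuedAt.After(now.Add(time.Minute)) {
		return errors.New("issue date is in the future")
	}
	if age := now.Sub(a.IssuedAt); age > maxAge {
		return fmt.Errorf("attestation stale: issued %s ago, tolerance %s", age.Round(time.Hour), maxAge)
	}
	return nil
}

// demoOffchain signs a constructed attestation and reports whether three
// variants are accepted: the genuine document, a PDF altered after signing,
// and a copy whose rating was edited in the metadata.
func demoOffchain() (genuine, alteredPDF, relabeled bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the issuer key pair
	if err != nil {
		panic(err)
	}
	now := time.Date(2025, 5, 22, 14, 30, 0, 0, time.UTC)
	att := signAttestation(priv, OffchainAttestation{
		Subject:  "0x00000000000000000000000000000000deadbeef", // constructed address
		Rating:   "BAA",
		IssuedAt: now.Add(-36 * time.Hour),
		PDF:      []byte("%PDF-1.7\n% constructed stand-in for the attestation PDF\n"),
	})
	const tolerance = 7 * 24 * time.Hour
	genuine = verifyAttestation(pub, att, now, tolerance) == nil

	tampered := att
	tampered.PDF = append([]byte(nil), att.PDF...)
	tampered.PDF[len(tampered.PDF)-1] ^= 0x01 // flip one bit in the document
	alteredPDF = verifyAttestation(pub, tampered, now, tolerance) == nil

	upgraded := att
	upgraded.Rating = "AAA" // try to pass a BAA contract off as Prime
	relabeled = verifyAttestation(pub, upgraded, now, tolerance) == nil
	return genuine, alteredPDF, relabeled
}

func main() {
	g, a, r := demoOffchain()
	fmt.Printf("genuine accepted=%v altered PDF accepted=%v relabeled accepted=%v\n", g, a, r) // true false false
}
```

The issuer's public key must come from a channel you trust independently of the PDF itself (it cannot be taken from the document you are verifying), and the tolerance you pass to `verifyAttestation` should match how stale a rating your own risk process can accept.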

Onchain per-transaction attestations

An on-chain per-transaction attestation is a digital certificate or record minted directly onto the blockchain for every transaction a user makes within a given protocol. For every interaction (e.g., a token swap, a liquidity provision, a loan repayment, or any other smart contract call), a corresponding, unique attestation is created and stored on the ledger. It contains the following information:

  1. Transaction Identifier (Hash):

    • Purpose: This is the most crucial piece of information, serving as a unique fingerprint for the transaction itself. It directly links the attestation to the specific event on the blockchain.

    • Example: 0xabc123...def456 (the hash of the original transaction).

  2. User Address:

    • Purpose: Identifies the blockchain address of the user who initiated or was the primary participant in the transaction. Essential for tracing activity back to an individual or entity.

    • Example: 0xUserWalletAddress789...

  3. Protocol/Contract Address:

    • Purpose: Specifies the smart contract and decentralized protocol that the transaction interacted with. This helps identify the specific dApp or service involved.

    • Example: 0xDeFiProtocolContract...

  4. Timestamp/Block Number:

    • Purpose: Records precisely when the risk score was computed. This is vital for chronological record-keeping and auditing.

    • Example: Block Number 12345678, Timestamp 2025-05-22T14:30:00Z.

  5. Event Type/Description:

    • Purpose: A clear, concise categorization of the transaction's nature. This provides immediate context without needing to decode raw transaction data.

    • Examples: "Token Swap," "Liquidity Pool Deposit," "NFT Mint," "Loan Origination," "Governance Vote."

  6. Relevant Transaction Parameters:

    • Purpose: Details about the assessed transaction.

    • Examples:

      • Counterparty Address (if applicable): Another address directly involved in a peer-to-peer transaction within the protocol.

      • Simulation Status: Whether the transaction simulation was successful, failed, or reverted, and potentially a reason for failure.

  7. mab.xyz Risk Rating (at time of transaction):

    • Purpose: Crucially, this links the specific transaction to the protocol's assessed risk profile at that moment. This is highly valuable for compliance, since it records what the protocol's rating was when the user performed the action.

    • Example: "BAA (Lower-Medium Grade)" or a specific numerical risk score. This might also include a reference (e.g., a content hash or IPFS link) to the full off-chain attestation PDF for more detailed risk analysis.

  8. Attestor Information:

    • Purpose: Cryptographically identifies mab.xyz as the issuer of the attestation. This could be their designated attestation smart contract address or a unique identifier. Consumers should compare this field against the attestor address they expect rather than trusting the record's field layout, since anyone can mint a record with the same shape.

    • Example: 0xmabxyzAttestorContract...

  9. Attestation Version:

    • Purpose: Allows for future updates or changes to the attestation standard or methodology without invalidating older records.

    • Example: v1.0

Key Characteristics and How it Works:

  1. Minted On-Chain: The core characteristic is that these attestations reside directly on the blockchain. This leverages the inherent properties of blockchain technology.

  2. Tamper-Proof: Once an attestation is minted on the blockchain, it becomes immutable. This is due to the cryptographic security and distributed nature of blockchain. No single entity, including mab.xyz or the protocol itself, can alter or delete this record once it's on the chain, which gives the transaction history strong integrity. Note that immutability guarantees the record has not changed since it was minted; it says nothing about whether the rating inside it was correct when issued.

  3. Verifiable: Because the attestations are on-chain, their existence and content can be independently verified by anyone with access to a node or block explorer. This transparency lets anyone confirm that the record exists and matches the transaction it attests to.

  4. Per-Transaction Granularity: The service provides an attestation for each transaction. This granular level of detail is crucial for comprehensive record-keeping and auditing, offering a complete historical log of a user's interactions with a protocol.

  5. Material for Regulation/Compliance Departments: This is the primary purpose and benefit of on-chain per-transaction attestations. For individuals or institutions involved in decentralized finance (DeFi) or other blockchain activities, navigating regulatory landscapes and meeting compliance requirements can be challenging. These on-chain attestations serve as concrete, verifiable evidence of specific actions taken on the blockchain.

Why is this important for users?

In the rapidly evolving world of Web3 and DeFi, regulatory scrutiny is increasing. Financial institutions, large investors, and even individual users are becoming more aware of the need for robust record-keeping and compliance. On-chain per-transaction attestations address this need by:

  • Simplifying Compliance: Automating the creation of verifiable transaction records reduces the manual effort and potential for errors in compliance reporting.

  • Building Trust: For institutional players, having such verifiable records can be a prerequisite for engaging with DeFi protocols, as it helps them meet their fiduciary duties and regulatory obligations.

  • Enhancing Transparency: While the transactions themselves are on-chain, the explicit attestation of each transaction adds another layer of verifiable transparency, particularly useful when interacting with external regulatory bodies.

In essence, mab.xyz on-chain per-transaction attestations transform raw blockchain transaction data into structured, verifiable, and compliance-ready records, empowering users to confidently navigate the regulatory demands of the decentralized world.
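How a consumer should validate one of these records before treating it as evidence, and how the rating scale from the Basic Smart Contract Risk Assessment above turns into a policy gate, as an added example that is not mab.xyz's code: the nine fields follow the list above, but the JSON field names, the attestor/user/protocol addresses and the transaction hash are constructed for this example, and the page shows no encoding or real identifiers. The checks pin the expected attestor address first, because on-chain immutability protects the record but does not make an arbitrary record a mab.xyz attestation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ratingRank orders the mab.xyz Rating scale, best first: AAA..BAA are Investment Grade, BA..C Speculative.
var ratingRank = map[string]int{"AAA": 0, "AA": 1, "A": 2, "BAA": 3, "BA": 4, "B": 5, "CAA": 6, "CA": 7, "C": 8}

// atLeast reports whether rating r is as good as, or better than, floor.
// An unknown rating is an error, not "low": a typo must not silently pass or fail a gate.
func atLeast(r, floor string) (bool, error) {
	ri, ok1 := ratingRank[strings.ToUpper(r)]
	fi, ok2 := ratingRank[strings.ToUpper(floor)]
	if !ok1 || !ok2 {
		return false, fmt.Errorf("unknown rating in %q / %q", r, floor)
	}
	return ri <= fi, nil
}

// TxAttestation carries the nine fields listed above. The JSON names are an
// ASSUMPTION for this example; the page lists the fields, not an encoding.
type TxAttestation struct {
	TxHash      string    `json:"tx_hash"`
	User        string    `json:"user"`
	Protocol    string    `json:"protocol"`
	BlockNumber uint64    `json:"block_number"`
	Timestamp   time.Time `json:"timestamp"`
	EventType   string    `json:"event_type"`
	Simulation  string    `json:"simulation_status"`
	Rating      string    `json:"rating"`
	Attestor    string    `json:"attestor"`
	Version     string    `json:"version"`
}

var (
	hexHash = regexp.MustCompile(`^0x[0-9a-fA-F]{64}$`)
	hexAddr = regexp.MustCompile(`^0x[0-9a-fA-F]{40}$`)
)

// Expectations is what the consumer knows independently of the record: the attestor
// address it trusts, the transaction it wants covered, its own address, and the policy floor.
type Expectations struct{ Attestor, TxHash, User, MinRating string }

// validateAttestation runs the checks a record must pass before it counts as evidence.
// Addresses and hashes are compared case-insensitively because hex identifiers may or
// may not carry a mixed-case checksum; the attestor check comes first because anyone
// can mint a record with the same field layout.
func validateAttestation(a TxAttestation, want Expectations) error {
	switch {
	case !hexAddr.MatchString(a.Attestor) || !strings.EqualFold(a.Attestor, want.Attestor):
		return errors.New("attestor is not the expected attestor address")
	case !hexHash.MatchString(a.TxHash) || !strings.EqualFold(a.TxHash, want.TxHash):
		return errors.New("record does not cover the expected transaction")
	case !hexAddr.MatchString(a.User) || !strings.EqualFold(a.User, want.User):
		return errors.New("record is for a different user address")
	case !hexAddr.MatchString(a.Protocol):
		return errors.New("malformed protocol address")
	case a.Version != "v1.0": // the only version the page shows
		return fmt.Errorf("unsupported attestation version %q", a.Version)
	}
	ok, err := atLeast(a.Rating, want.MinRating)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("rating %s is below policy floor %s", a.Rating, want.MinRating)
	}
	return nil
}

// sampleRecord is a constructed attestation, not real on-chain data.
const sampleRecord = `{"tx_hash":"0xABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD",
"user":"0x2222222222222222222222222222222222222222","protocol":"0x3333333333333333333333333333333333333333",
"block_number":12345678,"timestamp":"2025-05-22T14:30:00Z","event_type":"Token Swap","simulation_status":"success",
"rating":"BAA","attestor":"0xAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaaAAAAaaaa","version":"v1.0"}`

func parseAttestation(raw string) (TxAttestation, error) {
	var a TxAttestation
	err := json.Unmarshal([]byte(raw), &a)
	return a, err
}

func main() {
	a, err := parseAttestation(sampleRecord)
	if err != nil {
		panic(err)
	}
	want := Expectations{
		Attestor:  "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
		TxHash:    "0xabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
		User:      "0x2222222222222222222222222222222222222222",
		MinRating: "BAA",
	}
	fmt.Println(validateAttestation(a, want)) // <nil>: trusted attestor, covered tx, rating meets floor
	want.MinRating = "A"
	fmt.Println(validateAttestation(a, want)) // rating BAA is below policy floor A
}
```

`atLeast(r, "BAA")` answers "is this Investment Grade?" directly, since BAA is the lowest rating in that category. In a real integration the record would be decoded from the attestation contract's storage or events rather than from a JSON string, but the validation order stays the same.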

Frequency of security analysis updates

mab.xyz provides different frequencies for security analysis updates based on user subscription status:

  • Subscribers: These users receive access to the latest pre-computed risk scores for all major protocols on a daily basis. This ensures they have the most up-to-date security intelligence for their operations.

  • Free Users: Users without a subscription get access to this new data on a biweekly basis. While still providing valuable insights, there is a delay compared to the daily updates for subscribers.

This tiered approach allows mab.xyz to offer a basic level of security awareness to all users while providing more frequent and timely updates to those who subscribe to their service, which is crucial for staying ahead of rapidly evolving on-chain security events.

On-demand analysis via dashboard

mab.xyz offers a service for situations where we do not have pre-computed risk scores for a particular contract. This feature ensures that users, particularly subscribers, can get a risk assessment for virtually any smart contract they are interested in, even if it's not one of the "major protocols" for which scores are pre-computed. It fills the gap for ad-hoc or novel contract evaluations. Here's how it works:

  • Triggering Analysis: When a user requests a risk score for a smart contract for which mab.xyz currently lacks data, the analysis system is triggered to compute it. The user is asked to check back later and can opt to be notified when the analysis completes.

  • Expedited for Subscribers: For subscribers to the mab.xyz service, this on-demand analysis runs on more powerful hardware, so results are generated and delivered quickly. This prioritizes their access to immediate risk assessments for new or less common contracts.

Historical security event logs

mab.xyz maintains a ledger of security-related on-chain events. Subscribers get access to one year of such events; free users only have one week of history.

Security alerts

mab.xyz offers a security alert service designed to warn users in case of security-related events on-chain for a protocol. This feature is particularly valuable for staying informed about potential threats or compromises in real-time.

Here's how the security alerts work:

  • Trigger: Alerts are triggered by a security-related on-chain event affecting a monitored protocol. mab.xyz's system continuously monitors blockchain activity for changes to a protocol's contract infrastructure.

  • Integration for Subscribers: For subscribers, these alerts can be integrated into their existing systems through various channels, ensuring they receive timely notifications in a format that suits their workflow. The available integration methods include:

    • HTTP webhooks: Allowing automated systems to receive and process alerts. Treat the receiving endpoint as untrusted input: anyone who learns its URL can post to it, so authenticate each delivery and validate the payload before acting on it.

    • Emails: For direct notification to individuals or teams.

    • Telegram: For instant messaging alerts.

    • Discord: For alerts within community or team communication channels.

This service is crucial for users, especially those with significant investments or operational dependencies on specific protocols, as it enables them to react quickly to security incidents and potentially mitigate losses.
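A webhook receiver for these alerts, as an added example that is not mab.xyz's code: the page lists HTTP webhooks as a channel but does not document the payload or how deliveries are authenticated, so this example assumes a JSON body with `protocol`, `event`, `rating` and `timestamp` fields and an `X-Signature` header carrying an HMAC-SHA256 of the raw body under a shared secret; the header name, the payload shape and how the secret is provisioned are assumptions to confirm against the Backend API documentation. The receiver authenticates before parsing, caps the body size, and rejects deliveries whose timestamp falls outside a short window so a captured alert cannot be replayed later.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Alert is an assumed payload shape; the page names the channel, not the body,
// so confirm field names against the Backend API documentation.
type Alert struct {
	Protocol  string    `json:"protocol"`
	Event     string    `json:"event"`
	Rating    string    `json:"rating"`
	Timestamp time.Time `json:"timestamp"`
}

// validSignature recomputes HMAC-SHA256 over the raw body with the shared secret
// and compares it in constant time with the hex value from the header (assumed
// format "sha256=<hex>"). Anything that does not match is an unauthenticated POST.
func validSignature(secret, body []byte, header string) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil {
		return false
	}
	return hmac.Equal(got, mac.Sum(nil))
}

// signBody is the sender side, present only so the receiver can be exercised offline.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// newAlertHandler authenticates, bounds, parses and replay-checks each delivery
// before handing the alert to onAlert; "now" is injected so the window is testable.
func newAlertHandler(secret []byte, maxSkew time.Duration, now func() time.Time, onAlert func(Alert)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 64<<10)) // alerts are small; cap at 64 KiB
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		// Authenticate before parsing so unauthenticated bytes never reach the decoder.
		if !validSignature(secret, body, r.Header.Get("X-Signature")) {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		var a Alert
		if err := json.Unmarshal(body, &a); err != nil {
			http.Error(w, "malformed alert", http.StatusBadRequest)
			return
		}
		// A captured delivery replayed later must not page anyone again.
		if d := now().Sub(a.Timestamp); d > maxSkew || d < -maxSkew {
			http.Error(w, "alert timestamp outside accepted window", http.StatusBadRequest)
			return
		}
		onAlert(a)
		w.WriteHeader(http.StatusNoContent)
	})
}

// deliver POSTs a body with the given signature header to the handler and
// returns the status code; it stands in for the alert sender.
func deliver(h http.Handler, body []byte, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/alerts", strings.NewReader(string(body)))
	req.Header.Set("X-Signature", sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed; secret provisioning is not described on this page
	now := time.Date(2025, 5, 22, 14, 30, 0, 0, time.UTC)
	h := newAlertHandler(secret, 5*time.Minute, func() time.Time { return now }, func(a Alert) {
		fmt.Printf("ALERT %s on %s, rating now %s\n", a.Event, a.Protocol, a.Rating)
	})
	body := []byte(`{"protocol":"0x3333333333333333333333333333333333333333","event":"contract upgraded","rating":"BA","timestamp":"2025-05-22T14:29:00Z"}`) // constructed
	fmt.Println(deliver(h, body, signBody(secret, body)))              // 204: accepted
	fmt.Println(deliver(h, body, signBody([]byte("wrong"), body)))     // 401: not from the holder of the secret
	fmt.Println(deliver(h, append(body, ' '), signBody(secret, body))) // 401: body changed after signing
}
```

Keep the HMAC over the exact bytes received, not over a re-serialized struct: any normalisation before verification gives an attacker room to craft a body that verifies one way and parses another. In production, `onAlert` is where you would route to a pager or, for a rating that drops below your policy floor, pause interaction with the protocol.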

Battery-included API calls

Our API is rate limited. Subscribers have an order of magnitude more API budget than free users.
