Static Analysis
Odin Scan includes deterministic static analysis rules that complement the AI-based detection. These rules provide precise, reproducible checks for known vulnerability patterns that do not depend on model judgement: the same input always yields the same findings.
How Static Analysis Complements AI
AI-based analysis excels at detecting complex, context-dependent vulnerabilities that require understanding intent and business logic. Static analysis excels at catching well-defined patterns with a very low false-positive rate, though not zero: a pattern match cannot tell deliberate use from accidental use (for example, arithmetic the author intentionally left unchecked still matches unsafe_math).
| Aspect | AI Analysis | Static Analysis |
|---|---|---|
| Pattern detection | Complex, contextual | Well-defined, deterministic |
| False positive rate | Higher (reduced by verification) | Very low |
| Novel vulnerabilities | Can detect previously unseen patterns | Limited to known patterns |
| Reproducibility | May vary between runs | Identical results every run |
By running both in parallel, Odin Scan achieves broad coverage (AI) with high precision (static analysis).
Cosmos SDK Rules (Gosec)
Odin Scan runs Gosec over Cosmos SDK Go modules, providing deterministic checks for common Go security vulnerabilities. Gosec's checks are general-purpose Go checks (unhandled errors, weak cryptographic primitives, unsafe file, path and subprocess handling, and similar) rather than Cosmos-specific rules, so they cover the module's Go hygiene while the chain-specific logic is left to the AI analysis.
CosmWasm Rules
The following rules are currently available for CosmWasm contracts:
| Rule | Severity | Description |
|---|---|---|
| missing_access_control | Critical | Detects execute handlers and privileged operations that lack authorization checks. Looks for functions that modify state or transfer funds without verifying the caller’s identity or role (typically a comparison of info.sender against a stored owner or admin address). |
| unsafe_math | High | Identifies arithmetic operations that can overflow or underflow. Flags direct use of the +, -, *, / operators on integer types instead of the checked_* or saturating_* alternatives. Depending on the type, an unchecked overflow either wraps silently (native integers in a release build) or panics and aborts the transaction; neither is what the author intended. |
| unchecked_addr | High | Finds uses of Addr::unchecked() where a user-supplied string is turned into an address without validation via deps.api.addr_validate(). |
| input_validation | Medium | Detects missing validation on message fields and function parameters. Checks for unbounded strings, missing range checks on numeric inputs, and unvalidated enum variants. |
| storage_key_collisions | Medium | Identifies storage items that use identical or overlapping keys. Two state items writing to the same storage slot silently overwrite each other’s data. |
| predictable_randomness | Medium | Detects use of predictable sources for randomness such as block height, block time, or transaction hashes. These values are known in advance or can be influenced by the block proposer or the transaction sender, so they must not decide lotteries, winner selection, or similar outcomes. |
| unsaved_storage | Low | Finds state modifications that are computed but never persisted. Catches the case where a value is loaded, modified in memory, and the save() call is missing, so the change is lost when the handler returns. |
| unbounded_loops | Low | Identifies loops that iterate over collections without pagination or an upper bound. In a smart contract, unbounded iteration can exceed the gas limit and make the transaction fail; once the collection is large enough, that entry point becomes unusable. |
Rule Details
Each rule provides:
- Exact code location – file path and line number of the flagged pattern
- Explanation – why the pattern is problematic
- Remediation – suggested code change to resolve the issue
- Code examples – demonstrating both the vulnerable and secure pattern
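The following is an added example, not Odin Scan's own code (this page does not show its rule implementations): a toy, line-oriented version of three of the CosmWasm rules from the table above (missing_access_control, unsafe_math, unchecked_addr), run over a constructed contract snippet that contains a vulnerable handler next to its hardened form, so the output shows the vulnerable/secure pairing that the rule details describe. The real rules work on parsed Rust syntax; the text matching here, the heuristics (an execute_* function counts as privileged if it emits BankMsg::Send or calls .save(), and as guarded if it mentions info.sender), and the sample source are all assumptions made for illustration. Only std is used, so it builds without cosmwasm-std.

```rust
// Added example, not Odin Scan's own code: a toy, line-oriented version of three
// rules from the table (missing_access_control, unsafe_math, unchecked_addr).
// The real rules work on parsed Rust syntax; plain text matching here is a
// simplification. Only std is used, so building it needs no cosmwasm-std.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub rule: &'static str, pub severity: &'static str, pub line: usize, pub message: &'static str }

// `line` is 1-based, as in the real reports.
fn hit(rule: &'static str, severity: &'static str, line: usize, message: &'static str) -> Finding { Finding { rule, severity, line, message } }

/// unchecked_addr: Addr::unchecked() on anything but a string literal (a literal, as in unit tests, is a constant; a variable may be user input).
fn rule_unchecked_addr(src: &str) -> Vec<Finding> {
    let needle = "Addr::unchecked(";
    src.lines().enumerate().filter_map(|(i, line)| {
        let arg = line[line.find(needle)? + needle.len()..].trim_start();
        (!arg.starts_with('"')).then(|| hit("unchecked_addr", "High", i + 1,
            "address built with Addr::unchecked(); validate it with deps.api.addr_validate()"))
    }).collect()
}

/// unsafe_math: a bare +, -, *, / (or +=, -=) on a line mentioning a Uint128 value, unless a checked_*/saturating_* method is used there.
fn rule_unsafe_math(src: &str) -> Vec<Finding> {
    // Names declared as Uint128, e.g. the "amount" in "amount: Uint128".
    let mut names: Vec<&str> = Vec::new();
    for (pos, _) in src.match_indices(": Uint128") {
        let head = &src[..pos];
        let start = head.char_indices().rev()
            .take_while(|&(_, c)| c.is_ascii_alphanumeric() || c == '_')
            .last().map_or(pos, |(idx, _)| idx);
        if start < pos && !names.contains(&&head[start..]) { names.push(&head[start..]); }
    }
    const OPS: [&str; 6] = [" + ", " - ", " * ", " / ", " += ", " -= "];
    src.lines().enumerate()
        .filter(|(_, l)| !l.contains("checked_") && !l.contains("saturating_")
            && OPS.iter().any(|op| l.contains(*op)) && names.iter().any(|n| l.contains(*n)))
        .map(|(i, _)| hit("unsafe_math", "High", i + 1,
            "raw arithmetic on a Uint128 value; use checked_* or saturating_* instead"))
        .collect()
}

/// missing_access_control: an execute_* handler that moves funds or writes state without ever consulting info.sender.
fn rule_missing_access_control(src: &str) -> Vec<Finding> {
    let lines: Vec<&str> = src.lines().collect();
    let (mut out, mut i) = (Vec::new(), 0);
    while i < lines.len() {
        if !lines[i].contains("fn execute_") { i += 1; continue; }
        // Count braces per line to find where this handler's body ends.
        let (start, mut end, mut depth, mut opened) = (i, i, 0i32, false);
        for (j, l) in lines.iter().enumerate().skip(start) {
            end = j;
            depth += l.matches('{').count() as i32 - l.matches('}').count() as i32;
            opened |= l.contains('{');
            if opened && depth == 0 { break; }
        }
        let body = lines[start..=end].join("\n");
        let privileged = body.contains("BankMsg::Send") || body.contains(".save(");
        if privileged && !body.contains("info.sender") {
            out.push(hit("missing_access_control", "Critical", start + 1,
                "handler transfers funds or writes state without checking info.sender"));
        }
        i = end + 1;
    }
    out
}

/// Run every rule and return the findings ordered by line.
pub fn scan(src: &str) -> Vec<Finding> {
    let mut out = rule_missing_access_control(src);
    out.extend(rule_unsafe_math(src));
    out.extend(rule_unchecked_addr(src));
    out.sort_by_key(|f| f.line);
    out
}

/// Constructed sample contract source: a vulnerable handler followed by its hardened twin.
pub const SAMPLE: &str = r#"pub fn execute_withdraw(deps: DepsMut, info: MessageInfo, to: String, amount: Uint128) -> Result<Response, ContractError> {
    let recipient = Addr::unchecked(to);
    let mut state = STATE.load(deps.storage)?;
    state.balance = state.balance - amount;
    STATE.save(deps.storage, &state)?;
    Ok(Response::new().add_message(BankMsg::Send { to_address: recipient.into(), amount: coins(amount.u128(), "uatom") }))
}

pub fn execute_withdraw_safe(deps: DepsMut, info: MessageInfo, to: String, amount: Uint128) -> Result<Response, ContractError> {
    let mut state = STATE.load(deps.storage)?;
    if info.sender != state.owner {
        return Err(ContractError::Unauthorized {});
    }
    let recipient = deps.api.addr_validate(&to)?;
    state.balance = state.balance.checked_sub(amount)?;
    STATE.save(deps.storage, &state)?;
    Ok(Response::new().add_message(BankMsg::Send { to_address: recipient.into(), amount: coins(amount.u128(), "uatom") }))
}
"#;

fn main() {
    for f in scan(SAMPLE) {
        println!("line {:>2}  {:<8} {:<23} {}", f.line, f.severity, f.rule, f.message);
    }
}
```

Running it reports three findings, all in the first handler (lines 1, 2 and 4 of the sample) and none in the hardened copy, which is the reproducibility property the table claims: the same source produces the same three findings on every run. The two deliberate simplifications are also where such a text-level rule would mislead: the access-control heuristic cannot tell whether the info.sender comparison actually gates the privileged operation, and the unsafe_math rule only knows about values it saw declared as Uint128, which is why the production rules operate on the parsed syntax tree instead.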
Platform Coverage
Static analysis rules are organized by platform. Each platform has its own set of rules tailored to its specific vulnerability landscape:
| Platform | Status | Notes |
|---|---|---|
| Cosmos SDK | Active | Gosec static analysis |
| CosmWasm | Active | 8+ Rust-specific security rules |
| EVM | Active | Slither and custom detectors |
| Solana | Active | Rust-specific security rules |
Total: 38+ security rules across all supported platforms
Integration With AI Analysis
Static analysis runs in parallel with AI analysis. When a static analysis rule and the AI model both flag the same code location under the same vulnerability category, the two findings are merged and the aggregated finding receives a confidence boost. A deterministic pattern match that corroborates a probabilistic judgement is far less likely to be a false positive than either signal alone, so this cross-validation between the two detection methods produces the highest-confidence results in a scan.
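One way to implement that merge step, as an added example that is not Odin Scan's code (the page only says that a match on location and category "receives a confidence boost"): findings from both passes are keyed by (file, line, category), and a key seen by more than one source gets its confidences combined. The combination rule used here, p = 1 - (1 - p_a)(1 - p_b), the shared category vocabulary, and the sample findings are all assumptions made for illustration.

```rust
// Added example, not Odin Scan's own code: cross-validating deterministic and
// AI findings by (file, line, category). The noisy-OR boost below is an
// assumed policy; the page does not state the product's actual formula.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source { Static, Ai }

#[derive(Debug, Clone, PartialEq)]
pub struct RawFinding {
    pub source: Source,
    pub file: String,
    pub line: usize,
    pub category: String, // shared vocabulary both passes map into, e.g. "access_control"
    pub confidence: f64,  // 0.0..=1.0, as reported by the pass that produced it
}

#[derive(Debug, Clone, PartialEq)]
pub struct Aggregated {
    pub file: String,
    pub line: usize,
    pub category: String,
    pub confidence: f64,
    pub sources: Vec<Source>, // which passes agreed on this finding
}

/// Merge findings that share (file, line, category). A finding seen by only one
/// pass keeps that pass's confidence; one seen by both is boosted with
/// p = 1 - (1 - p_a)(1 - p_b), so static 0.90 plus AI 0.70 becomes 0.97.
/// The same line flagged under two different categories stays two findings.
pub fn aggregate(findings: &[RawFinding]) -> Vec<Aggregated> {
    let mut merged: BTreeMap<(String, usize, String), Aggregated> = BTreeMap::new();
    for f in findings {
        let key = (f.file.clone(), f.line, f.category.clone());
        let entry = merged.entry(key).or_insert_with(|| Aggregated {
            file: f.file.clone(), line: f.line, category: f.category.clone(),
            confidence: 0.0, sources: Vec::new(),
        });
        entry.confidence = 1.0 - (1.0 - entry.confidence) * (1.0 - f.confidence);
        if !entry.sources.contains(&f.source) { entry.sources.push(f.source); }
    }
    merged.into_values().collect() // BTreeMap gives a stable file/line/category order
}

fn raw(source: Source, file: &str, line: usize, category: &str, confidence: f64) -> RawFinding {
    RawFinding { source, file: file.into(), line, category: category.into(), confidence }
}

/// Constructed sample input: the static pass and the AI pass over one contract.
pub fn sample_findings() -> Vec<RawFinding> {
    vec![
        raw(Source::Static, "src/contract.rs", 42, "access_control", 0.90),
        raw(Source::Static, "src/contract.rs", 17, "unsafe_math", 0.90),
        raw(Source::Ai, "src/contract.rs", 42, "access_control", 0.70),
        raw(Source::Ai, "src/contract.rs", 88, "reentrancy", 0.60),
        raw(Source::Ai, "src/contract.rs", 17, "input_validation", 0.55), // same line, other category
    ]
}

fn main() {
    for a in aggregate(&sample_findings()) {
        println!("{}:{} {:<17} confidence={:.2} sources={:?}", a.file, a.line, a.category, a.confidence, a.sources);
    }
}
```

The design point is the key: matching on location alone would merge the unsafe_math and input_validation findings on line 17 into one entry and boost a confidence that no single detector actually earned, which is why the category has to be part of the key and why both passes need to emit categories from one shared vocabulary.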