Getting started

Bandit is an AI security desk for onchain. This is everything from connecting your wallet to running your first audit.

What you can do

Audit a contract

Paste Solidity, or give a verified address on ~60 EVM chains. Slither + Opus 4.8 review it against a hack knowledge base.

Scan a dapp

Point at a website URL. It reads the page and inline scripts for drainer and scam red flags.

Ask questions

Chat with the assistant about security, free.

Get a clear report

Severity, location, description, and a concrete fix for each finding, plus an overall risk badge.

Step by step

Connect your wallet

Open the app and click Connect Wallet. You sign a message to prove ownership. It is gasless and never moves your funds. Your wallet is your account, so your usage and credit follow you on any device.

Start free

Once connected you get a free tier: chat and light use, no deposit needed. Free runs on a fast model with a message cap. Good for trying it out and quick questions.

Add credit for full audits

Deep contract and dapp audits run on the most capable model and need credit. Each connected wallet gets its own deposit address shown in your profile. Send Bankr (BNKR) token to it and your balance is auto-credited in USD at the live token price, usually within a minute.

Run your audit

In the app, paste a contract, drop an address, or paste a dapp URL. Bandit runs the engine and returns the report in the chat. Credit is metered by real usage, shown as a percentage of your balance.

Important about deposits. Credit is custodial and prepaid: deposits are one-way and non-refundable, used only to pay for audits. Send only BNKR, only to your own deposit address.

How it works under the hood

Every audit combines three things so you are not trusting a single black box:

Slither static analysis flags known vulnerability classes (reentrancy, unchecked calls, access control, and more).
Claude (Opus 4.8) reasons over the full source against a curated exploit and scam knowledge base, catching logic and economic issues that static tools miss.
Structured output merges both into one report: each finding has a severity, the exact location, why it matters, and how to fix it.

For dapp scans, Bandit fetches the page and its scripts and looks for drainer patterns: unlimited approvals, setApprovalForAll traps, permit harvesting, and seed-phrase prompts.

Plans

Free

Chat and light use on a fast model, with a message cap. No deposit. Cannot run full paid audits.

Paid (credit)

Full contract and dapp audits on Opus 4.8. Pay with BNKR deposits, metered by real cost. Top up anytime.

FAQ

Which chains are supported?

Any verified contract across ~60 EVM chains by address, or paste raw Solidity from anywhere.

Can I get a refund?

No. Credit is prepaid and one-way, spent only on audits you run.

Do you hold my keys?

Your login wallet stays in your control. The deposit address is custodial (we hold it to settle audit costs); only send what you intend to spend.

Is an audit a guarantee?

No tool catches everything. Bandit surfaces risks and red flags to help you decide; always do your own review before trusting funds.