Security / Audit · EVM · Multi-chain
De.Fi Shield
Crypto antivirus for wallets and contracts: scans every token/contract a wallet touches against the De.Fi Audit + REKT databases and surfaces high-risk approvals, drainer contracts, and known-exploited code. Powered by the De.Fi Scanner API (REST + Node SDK), which exposes per-contract issue lists, security scores, similar-contract clusters, and onchain governance metadata.
1. wallet portfolio risk scans
2. approval revocation flows
3. REKT-database lookups
4. audit-aware token gating
5. smart-contract risk surfacing in dashboards
- Install: `pnpm add @defiyield/sdk`
| Variable | Scope | Description |
|---|---|---|
| DEFI_SHIELD_API_KEY | Server | De.Fi API key from the De.Fi developer portal, sent in the `X-Api-Key` header. |
Use De.Fi Shield to scan tokens/contracts before display or interaction.

Project scan: `POST https://public-api.de.fi/v1/scanner/scannerProject` with the header `X-Api-Key: ${DEFI_SHIELD_API_KEY}` and body `{ chainId, address }`. The response is `{ securityScore (0–100), issues: [{ severity: 'Low'|'Medium'|'High'|'Critical', category, description }], similarContracts, governance, isVerified, audits[] }`.

REKT database lookup: `GET /v1/rekt-database?project={slug}` returns historical exploit data for that project.

Wallet shield flow: enumerate ERC-20 + ERC-721 approvals via The Graph or Etherscan, then batch-scan each `spender` contract; render any `Critical`/`High` issue as a 'Revoke now' CTA.

Node SDK: `import { Sdk } from '@defiyield/sdk'; const sdk = new Sdk({ apiKey: process.env.DEFI_SHIELD_API_KEY }); const r = await sdk.scanner.getContract({ chain: 'ethereum', address });`
- ⚑ Security scores are weighted heuristics, not authoritative audits — a score of 80+ does not certify the contract is safe; always render the underlying `issues[]` so power users can judge severity themselves.
- ⚑ REKT-database coverage is stronger on EVM majors (Ethereum, BSC, Polygon, Arbitrum, Optimism, Base) than on long-tail L2s and non-EVM chains; check chain support per endpoint before assuming parity.
- ⚑ False positives happen on proxy contracts where the implementation differs from the address scanned — use the `proxy.implementation` field if present and re-scan, otherwise the score reflects the proxy stub, not the logic.
- ⚑ Latency on cold contracts (never previously scanned) can be several seconds while the scanner runs; show a spinner with a 5–10s timeout and fall back to a 'scan pending' state rather than blocking the user.
- ⚑ API key auth is server-side only — do NOT ship `X-Api-Key` to the browser. Proxy requests through your backend and cache by `(chainId,address)` for 1–24h to control usage.
- ⚑ Wallet UX integration requires you to enumerate approvals yourself (the API does not crawl wallets) — combine with an allowance indexer (Etherscan / The Graph) before scanning.
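The wallet shield flow above, with the proxy re-scan, cold-scan timeout and server-side caching notes folded in, as an added example. This is not De.Fi's or the SDK's code: it calls the REST endpoint directly through an injected `fetchImpl` so it runs offline against constructed scan responses. `createShield`, `classify`, `withTimeout`, the one-hop `proxy.implementation` handling, the placeholder addresses and the sample approval list are all this example's own assumptions, not part of the De.Fi API.

```javascript
// Added example (not De.Fi's or the SDK's own code): a server-side wallet shield pass over
// a list of approvals. `fetchImpl` is injected so the block runs offline against fixtures.
const SCAN_URL = 'https://public-api.de.fi/v1/scanner/scannerProject';
const CACHE_TTL_MS = 60 * 60 * 1000; // 1h, inside the 1-24h window recommended above

function classify(result) {
  // Decide the UI action from the raw issues[] list, never from the score alone.
  const severities = new Set((result.issues || []).map((i) => i.severity));
  if (severities.has('Critical') || severities.has('High')) return 'revoke-now';
  if (severities.has('Medium')) return 'review';
  return 'ok';
}

function withTimeout(promise, ms) {
  // Resolve to a 'pending' outcome instead of blocking the UI on a cold scan.
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ status: 'pending' }), ms);
  });
  return Promise.race([promise.then((result) => ({ status: 'done', result })), timeout])
    .finally(() => clearTimeout(timer));
}

function createShield({ apiKey, fetchImpl, now = () => Date.now() }) {
  const cache = new Map(); // "chainId:address" -> { at, result }; lives on the backend only

  async function scanContract(chainId, address) {
    const key = `${chainId}:${address.toLowerCase()}`;
    const hit = cache.get(key);
    if (hit && now() - hit.at < CACHE_TTL_MS) return hit.result;
    const res = await fetchImpl(SCAN_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Api-Key': apiKey },
      body: JSON.stringify({ chainId, address }),
    });
    if (!res.ok) throw new Error(`scanner HTTP ${res.status} for ${key}`);
    let result = await res.json();
    // Proxy caveat: re-scan the implementation so the verdict reflects the logic,
    // not the proxy stub (recursion goes through the cache, so one hop per address).
    const impl = result.proxy && result.proxy.implementation;
    if (impl && impl.toLowerCase() !== address.toLowerCase()) {
      result = { ...(await scanContract(chainId, impl)), scannedVia: address };
    }
    cache.set(key, { at: now(), result });
    return result;
  }

  async function shieldWallet(chainId, approvals, { timeoutMs = 8000 } = {}) {
    // approvals come from an allowance indexer (The Graph / Etherscan); the API does not crawl wallets
    const spenders = [...new Set(approvals.map((a) => a.spender.toLowerCase()))];
    const report = new Map();
    await Promise.all(spenders.map(async (spender) => {
      let outcome;
      try {
        outcome = await withTimeout(scanContract(chainId, spender), timeoutMs);
      } catch (err) {
        outcome = { status: 'error', error: err.message };
      }
      const done = outcome.status === 'done';
      report.set(spender, {
        status: outcome.status,
        action: done ? classify(outcome.result) : 'scan-pending',
        securityScore: done ? outcome.result.securityScore : null,
        issues: done ? outcome.result.issues : [],
        tokens: approvals.filter((a) => a.spender.toLowerCase() === spender).map((a) => a.token),
      });
    }));
    return report;
  }

  return { scanContract, shieldWallet, cacheSize: () => cache.size };
}

// ---- constructed offline fixture: placeholder addresses, not real contracts ----
const ADDR = {
  router: '0x' + '1'.repeat(40),
  drainer: '0x' + '2'.repeat(40),
  proxy: '0x' + '3'.repeat(40),
  proxyImpl: '0x' + '4'.repeat(40),
  unknown: '0x' + '5'.repeat(40),
};
const FAKE_SCANS = {
  [`1:${ADDR.router}`]: { securityScore: 91, issues: [{ severity: 'Low', category: 'gas', description: 'unbounded loop' }] },
  [`1:${ADDR.drainer}`]: { securityScore: 12, issues: [{ severity: 'Critical', category: 'drainer', description: 'moves any approved token' }] },
  [`1:${ADDR.proxy}`]: { securityScore: 85, issues: [], proxy: { implementation: ADDR.proxyImpl } },
  [`1:${ADDR.proxyImpl}`]: { securityScore: 40, issues: [{ severity: 'High', category: 'access-control', description: 'owner can sweep balances' }] },
};
function fakeFetch(url, init) {
  const { chainId, address } = JSON.parse(init.body);
  const body = FAKE_SCANS[`${chainId}:${address.toLowerCase()}`];
  return Promise.resolve({ ok: Boolean(body), status: body ? 200 : 404, json: async () => body });
}
const SAMPLE_APPROVALS = [
  { token: 'USDC', spender: ADDR.router, allowance: '1000000' },
  { token: 'WETH', spender: ADDR.drainer, allowance: 'unlimited' },
  { token: 'USDC', spender: ADDR.drainer, allowance: 'unlimited' },
  { token: 'DAI', spender: ADDR.proxy, allowance: 'unlimited' },
  { token: 'LINK', spender: ADDR.unknown, allowance: '5' },
];
const shield = createShield({ apiKey: 'TEST-KEY-PLACEHOLDER', fetchImpl: fakeFetch });
shield.shieldWallet(1, SAMPLE_APPROVALS).then((report) => {
  for (const [spender, r] of report) console.log(spender.slice(0, 10), r.status, r.action, r.tokens.join(','));
});
```

Swap `fakeFetch` for the runtime `fetch` and read the key from `DEFI_SHIELD_API_KEY` to run it against the real endpoint; the map returned by `shieldWallet` is what the backend hands to the UI, so the API key never leaves the server. The proxy entry in the fixture shows why the re-scan matters: the stub scores 85 with no issues, the implementation it points at scores 40 with a `High` finding, and only the latter reaches the report.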