API Documentation

API Domain: https://data1.hexens.io

Supported Blockchains

Endpoint: GET /api/v1/chain/list

Description: Retrieve a list of all supported blockchains for contract analysis. Use the chainid value from the response when analyzing contracts.

Sample Response:

{
  "chains": [
    {"tag": "ethereum", "chainid": "1"},
    {"tag": "bsc", "chainid": "56"},
    {"tag": "optimism", "chainid": "10"},
    // ....
  ]
}

Analyze Contract Risk

Endpoint: GET /api/v1/contract/analyze-risk

Description: Run a comprehensive risk analysis on a smart contract by specifying its address and chain ID.

Request Parameters:

  • address (string): The smart contract address to analyze.

  • chain_id (string): The blockchain chain ID (use /api/v1/chain/list).

  • token (string): Your authentication token in the format {public_token}-{private_token}.

Result Parameters:

  • address – Contract address to be analyzed.

  • chain_id – Chain ID.

  • info – General information about the address.

    • is_proxy – true/false. Indicates whether the provided address is a proxy contract. If it is a proxy, we scan the implementation contract instead of the proxy itself. In the results, we show both the original address provided by the user (proxy_address) and the actual implementation address that was scanned (implementation_address).

    • implementation_address – See is_proxy.

    • proxy_address – See is_proxy.

    • is_verified – true/false. Indicates whether the contract provided by the user is verified. If false, it means the deployer intentionally hid the code, leaving no way for users to check its functionality.

  • results – Array of risks. Each element of the array contains:

    • key: Risk name

    • value: true / false — whether the risk exists

    • title: Risk title

    • sub_title: Risk subtitle

    • description: Risk description

    • severity: Risk severity

    • market_endorsed: Complements the technical, code-analysis-based trust score by indicating whether a token has been broadly adopted, integrated, and trusted by traders, platforms, and end-users over time.

Example Request:

curl "https://data1.hexens.io/api/v1/contract/analyze-risk?address=0xc5f0f7b66764F6ec8C8Dff7BA683102295E16409&chain_id=1&token=publictoken-privatetoken"

Sample Response:

{
  "address": "0xa700b4eb416be35b2911fd5dee80678ff64ff6c9",
  "chain_id": "1",
  "results": [
    {
      "key": "risk_excessive_token_withdrawal",
      "value": "false",
      "title": "Asset Withdrawal",
      "sub_title": "An external authority can Sweep (transfer out) tokens from the contract",
      "description": "The token contract has asset sweeping (transferring out) functionality for the assets on its balance. While generally, the token contract itself should not hold any assets on its balance, this may impose a risk for users in case the contract is designed to receive tokens or native assets directly.",
      "severity": "info"
    },
    {
      "key": "risk_blockable_transfer",
      "value": "true",
      "title": "Blockable Transfer",
      "sub_title": "Transfers can be blocked for specific senders using various checks",
      "description": "The token contract's transfer functionality includes checks such as transfer pausing, cooldown period checks, big transfer amounts checks etc. This may cause a transfer freeze for certain holders.",
      "severity": "medium"
    },
    {
      "key": "risk_pausable",
      "value": "false",
      "title": "Pausable",
      "sub_title": "Token operations can be Paused by an external authority",
      "description": "The token contract has a pausing mechanism implemented and controlled by an external authority. This may mean token operations, such as transfers, can be paused.",
      "severity": "medium"
    },
    {
      "key": "risk_proxy",
      "value": "false",
      "title": "Proxy",
      "sub_title": "Token contract is a Proxy (upgradable contract)",
      "description": "The token contract does not directly implement the logic but instead uses the proxy pattern to be upgradable. This means that the contract actual code can be changed at any time, which may impose various risks.",
      "severity": "high"
    },
    {
      "key": "risk_balance_manipulation_in_non_standard_functions",
      "value": "true",
      "title": "Balance Manipulation",
      "sub_title": "Balance of the token can be manipulated in non-standard functions",
      "description": "The token contract has callable functions that manipulate the balance and are not standard token functions like transfer/transferFrom or burn/mint functionality.",
      "severity": "medium"
    },
    {
      "key": "risk_whitelist",
      "value": "false",
      "title": "Whitelist",
      "sub_title": "Whitelist-based functionality implemented in transfers",
      "description": "The token contract's transfer functions have implemented whitelist functionality. This generally means that some token holders have privileges over others; a whitelist can also be used to block transfers for many token holders.",
      "severity": "low"
    },
    {
      "key": "risk_transfer_time_constraints",
      "value": "false",
      "title": "Cooldown checks",
      "sub_title": "Transfers can be Time-Constrained (cooldown periods)",
      "description": "The transfer functions in the token contract have time-based checks. This can implement transfer cooldowns or even fully block token transfers.",
      "severity": "medium"
    },
    {
      "key": "risk_blacklist",
      "value": "false",
      "title": "Blacklist",
      "sub_title": "Transfers can be blocked for specific senders using Blocklist",
      "description": "The token contract's transfer functionality includes checking the token sender address against a controlled blocklist, which may cause a transfer freeze for certain holders.",
      "severity": "high"
    },
    {
      "key": "risk_selfdestruct",
      "value": "false",
      "title": "Selfdestruct",
      "sub_title": "Self-destructing token contract",
      "description": "The token contract has self-destruct functionality. This means the storage values, including balances, will be wiped after the contract self-destructs.",
      "severity": "high"
    },
    {
      "key": "risk_centralized_mint",
      "value": "true",
      "title": "Centralized Mint",
      "sub_title": "An external authority can Mint tokens",
      "description": "The token contract has a token minting functionality that can be called only by an external authority and can affect the actual price of the token, diluting the holders.",
      "severity": "high"
    },
    {
      "key": "risk_external_call_in_transfer",
      "value": "true",
      "title": "External call in transfer",
      "sub_title": "Transfer functionality is dependent on other contracts",
      "description": "The token contract has at least one external call in its transfer functions. There is a possibility that these external calls may be used to alter the transfer flow, e.g. blocking the transfers or manipulating the amount of tokens being sent.",
      "severity": "medium"
    },
    {
      "key": "risk_centralized_burn",
      "value": "true",
      "title": "Centralized Burn",
      "sub_title": "An external authority can Burn holders' tokens",
      "description": "The token contract has a token burning functionality which can be called only by an external authority and can affect the balances of token holders.",
      "severity": "high"
    },
    {
      "key": "risk_hidden_fees",
      "value": "false",
      "title": "Hidden fees",
      "sub_title": "Hidden fee functionality included in transfers",
      "description": "The token contract's transfer or transferFrom functions have a hidden fee functionality that can be turned on. This may mean that the receiver address can get fewer or a different amount of tokens than passed within the transfer functions.",
      "severity": "high"
    },
    {
      "key": "risk_upgradeable",
      "value": "false",
      "title": "Upgradeable",
      "sub_title": "Token contract can be used by other proxies as delegated implementation",
      "description": "The token contract is designed to also be used as an implementation for proxy contracts to delegate their implementations to.",
      "severity": "info"
    },
    {
      "key": "risk_basic_transfer_fee",
      "value": "false",
      "title": "Basic Transfer Fee",
      "sub_title": "Basic Fee functionality included in transfers",
      "description": "The token contract's transfer or transferFrom functions have a basic fee functionality that can be turned on. This may mean that the receiver address can get fewer or a different amount of tokens than passed within the transfer functions.",
      "severity": "medium"
    },
    {
      "key": "risk_eth_balance_sweep",
      "value": "false",
      "title": "ETH Balance Sweep",
      "sub_title": "An external authority can Sweep (transfer out) native currency from the contract",
      "description": "The token contract has asset sweeping (transferring out) functionality for the assets on its balance. While generally, the token contract itself should not hold any assets on its balance, this may impose a risk for users in case the contract is designed to receive tokens or native assets directly.",
      "severity": "info"
    },
    {
      "key": "risk_unauthorized_token_approvals",
      "value": "false",
      "title": "Unauthorized Token Approvals",
      "sub_title": "An external authority can Approve tokens for holders",
      "description": "The token contract has approve functionality, using which an external authority can manipulate the allowances of the token holders.",
      "severity": "high"
    }
  ],
  "info": {
    "implementation_address": "0x366ae337897223aea70e3ebe1862219386f20593",
    "is_proxy": true,
    "proxy_address": "0xa700b4eb416be35b2911fd5dee80678ff64ff6c9",
    "is_verified": true
  },
  "execution_time": 0.000861069,
  "score": 0,
  "market_endorsed": false
}
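
In the sample response above, each results entry carries value as the string "true" or "false", while info.is_proxy and info.is_verified are JSON booleans, so a plain truthiness test on value would count every risk as present. The Python below is an added example, not Hexens code: as_bool, triage, the severity ordering info < low < medium < high and the fail-closed defaults are assumptions, and the input is a constructed subset of the sample response.

```python
import json

# Assumed ordering (low to high) of the severity labels seen in the sample response.
SEVERITY_ORDER = ["info", "low", "medium", "high"]

def as_bool(value):
    """Normalize a flag that may arrive as a JSON boolean or as "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unexpected boolean encoding: {value!r}")

def triage(response, min_severity="medium"):
    """Return risks that are present at or above min_severity, plus the info flags."""
    floor = SEVERITY_ORDER.index(min_severity)
    present = []
    for risk in response.get("results", []):
        sev = risk.get("severity", "high")
        # Unknown labels rank above "high" so they are never silently dropped.
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if as_bool(risk["value"]) and rank >= floor:
            present.append((rank, risk["key"], sev))
    present.sort(key=lambda r: (-r[0], r[1]))  # highest severity first
    info = response.get("info", {})
    return {
        # For a proxy, the findings describe the implementation, not the queried address.
        "scanned_address": info.get("implementation_address") or response.get("address"),
        "is_proxy": as_bool(info.get("is_proxy", False)),
        # A missing flag is treated as unverified (fail closed).
        "is_verified": as_bool(info.get("is_verified", False)),
        "risks": [(key, sev) for _, key, sev in present],
    }

# Constructed sample: a subset of the sample response shown above.
SAMPLE = json.loads("""
{"address": "0xa700b4eb416be35b2911fd5dee80678ff64ff6c9", "chain_id": "1",
 "results": [
  {"key": "risk_blockable_transfer", "value": "true", "severity": "medium"},
  {"key": "risk_proxy", "value": "false", "severity": "high"},
  {"key": "risk_centralized_mint", "value": "true", "severity": "high"},
  {"key": "risk_excessive_token_withdrawal", "value": "false", "severity": "info"}],
 "info": {"implementation_address": "0x366ae337897223aea70e3ebe1862219386f20593",
          "is_proxy": true, "proxy_address": "0xa700b4eb416be35b2911fd5dee80678ff64ff6c9",
          "is_verified": true}}
""")

if __name__ == "__main__":
    print(triage(SAMPLE))
```
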

Errors

Error #: 400

Error message: The address could not be parsed due to an invalid or unrecognized format

Reasons:

  • Empty address, chain_id, or token

  • Invalid token format (not X-Y)

  • Invalid chain_id

  • Address parse error

Error #: 429

Error message: Rate limit exceeded

Reasons:

  • Token does not exist.

  • Too many requests in a short time
