Security Analysis

Before you can deploy a contract on FlowNodes, it must pass a security scan. The platform integrates Slither v0.10, the industry-standard static analyser for Solidity, running in an isolated E2B sandbox.

Slither Integration

Slither analyses the compiled Solidity AST and detects hundreds of vulnerability patterns — reentrancy, integer overflow, unchecked return values, access control flaws, price oracle manipulation, and more.

How it runs

When you click Scan in the top bar:

1Your compiled Solidity source is sent to the FlowNodes API server.
2The API spins up an E2B sandbox (a microVM with Python + Slither pre-installed).
3Slither runs against your source and returns a JSON report of findings.
4Findings appear in the Problems tab. The security status indicator updates in the top bar.

Scan cost

A Slither scan costs 10 credits (~$0.10). The first scan on any project is free.

Note

The E2B sandbox is fully isolated and destroyed after each scan. Your source code is never persisted outside your FlowNodes project.

Understanding findings

Each finding has a severity level, a description, and a remediation suggestion.

Severity levels

Severity	Colour	Blocks Deploy?	Description
critical	Red	Yes — always	Directly exploitable vulnerability (e.g. reentrancy draining funds)
high	Red/Amber	Yes — requires ack	Likely vulnerability with significant impact
medium	Amber	No	Potential issue, should review before deploying to production
low	Yellow	No	Best practice violation, unlikely to be exploited
info	Blue	No	Style or informational note, no security impact

Common Slither findings and what they mean

criticalreentrancy-eth

A function sends ETH and then updates state. An attacker can re-enter before the state update.

Fix: Move all state updates before any external calls or ETH transfers. Add the ReentrancyGuard block.

higharbitrary-send-eth

ETH can be sent to an arbitrary address controlled by user input.

Fix: Restrict recipient to a known address or require additional authorization.

mediumtx-origin

tx.origin is used for access control. Vulnerable to phishing attacks.

Fix: Replace tx.origin with msg.sender for all access control checks.

mediumdivide-before-multiply

Integer division before multiplication causes precision loss.

Fix: Reorder operations: multiply first, divide last.

mediumincorrect-equality

Dangerous use of == on a balance that can be manipulated (e.g. address(this).balance == X).

Fix: Use >= instead of == for balance comparisons.

AI-assisted fixes

Each finding in the Problems tab has an AI Fix button. This opens the AI panel with the finding pre-loaded. The AI will suggest a block modification to address the vulnerability — usually adding a security block (ReentrancyGuard, Pausable) or changing a property value.

Pre-deploy requirements

The Deploy button is only enabled when all of these checks pass:

Check	Required	Notes
compiled	Yes	Contract must compile without errors
contractSizeOk	Yes	Bytecode must be ≤ 24,576 bytes (EIP-170)
securityScanCritical = 0	Yes	No critical Slither findings allowed
securityScanHigh = 0	No — user ack required	High findings require you to check a confirmation box
creditsAvailable ≥ 200	Yes	Must have sufficient credits for the 200cr deploy fee
hasSecurityScan	No — but recommended	Deploy is allowed without scan, but strongly discouraged

Important

Contracts with critical security findings cannot be deployed. This is a hard block. FlowNodes will not process the transaction. Fix the vulnerability first.

Bypassing warnings

High-severity findings can be acknowledged. In the Deploy Modal, ifsecurityScanHigh > 0, a confirmation checkbox appears:

I have reviewed the {n} high-severity security finding(s) and accept responsibility for deploying with unresolved warnings.

This ack is stored in your deployment record. It does not affect the on-chain transaction.

Compilation Deployment