If you discover a security vulnerability in diffyscan, please report it responsibly.

Do not open a public GitHub issue.

Instead use GitHub's private vulnerability reporting.

diffyscan verifies smart contract source code and bytecode against on-chain deployments. Security-relevant areas include:

• Integrity of source fetched from GitHub and blockchain explorers
• Correctness of bytecode comparison (false negatives could hide malicious changes)
• Handling of API tokens and RPC URLs
• Supply chain integrity of dependencies and CI pipeline

Only the latest release on main is actively maintained.