Rule Engine
The rule engine is the core of OpenAudit AI. It runs deterministic, pattern-based checks against the Solidity AST and emits structured findings.
How rules work
When you run `openaudit-ai analyze`, the tool:
- Parses each `.sol` file into an Abstract Syntax Tree (AST)
- Loads all enabled rules from the rule registry
- Runs each rule against every relevant AST node
- Collects and deduplicates findings
- Emits findings sorted by severity
Each rule is an independent check. Rules do not share state. A rule either matches a pattern at a given location or it doesn't. This is what makes the output deterministic.
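To make the loop above concrete, here is an added example (not OpenAudit AI's own code) of a minimal `reentrancy-guard` rule run over a constructed, solc-style AST, including the collect/deduplicate/sort step. The node shapes (`nodeType`, `memberName`, `leftHandSide`) and the flat per-function statement list are assumptions loosely modelled on solc's compact AST JSON, not the tool's real visitor API.

```python
# Added example, not OpenAudit AI's own code: a simplified `reentrancy-guard`
# rule over a constructed, solc-style AST. Node shapes are assumptions loosely
# modelled on solc's compact AST JSON; function bodies are flat (no nested walking).
from collections import namedtuple

RULE = {"id": "reentrancy-guard", "severity": "CRITICAL"}
EXTERNAL_MEMBERS = {"call", "delegatecall", "send", "transfer"}
Finding = namedtuple("Finding", "rule_id severity function line")  # hashable for dedup

def is_external_call(node):
    # `target.call(...)`, `target.transfer(...)`, ...: a FunctionCall on a MemberAccess
    callee = node.get("expression", {}) if node.get("nodeType") == "FunctionCall" else {}
    return callee.get("nodeType") == "MemberAccess" and callee.get("memberName") in EXTERNAL_MEMBERS

def writes_state(node, state_vars):
    # `stateVar = ...` or `stateVar[k] = ...`: unwrap index accesses to the base identifier
    lhs = node.get("leftHandSide", {}) if node.get("nodeType") == "Assignment" else {}
    while lhs.get("nodeType") == "IndexAccess":
        lhs = lhs["baseExpression"]
    return lhs.get("nodeType") == "Identifier" and lhs["name"] in state_vars

def check_function(fn, state_vars):
    # Statements in source order: an external call followed by a state write matches.
    findings, call_line = set(), None
    for stmt in fn["statements"]:
        if call_line is None and is_external_call(stmt["expression"]):
            call_line = stmt["line"]
        elif call_line is not None and writes_state(stmt["expression"], state_vars):
            findings.add(Finding(RULE["id"], RULE["severity"], fn["name"], call_line))
    return findings

def run_rule(contract):
    # Engine loop for one rule: run it per function, deduplicate, sort for stable output.
    state_vars = {v["name"] for v in contract["stateVariables"]}
    found = set().union(*(check_function(fn, state_vars) for fn in contract["functions"]))
    return sorted(found, key=lambda f: (f.function, f.line))

# Constructed sample: `withdraw` calls out before zeroing the balance (vulnerable);
# `withdrawSafe` updates state first (checks-effects-interactions), so it is clean.
def _ext_call(member):
    return {"nodeType": "FunctionCall", "expression": {"nodeType": "MemberAccess", "memberName": member}}
def _assign(name):
    return {"nodeType": "Assignment", "leftHandSide": {"nodeType": "IndexAccess",
            "baseExpression": {"nodeType": "Identifier", "name": name}}}
CONTRACT = {"stateVariables": [{"name": "balances"}], "functions": [
    {"name": "withdraw", "statements": [{"line": 12, "expression": _ext_call("call")},
                                        {"line": 13, "expression": _assign("balances")}]},
    {"name": "withdrawSafe", "statements": [{"line": 20, "expression": _assign("balances")},
                                            {"line": 21, "expression": _ext_call("call")}]}]}
```

Running `run_rule(CONTRACT)` yields exactly one finding, for `withdraw` at the line of the external call; the same function fed twice still produces one finding because the rule is stateless and findings are deduplicated.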
Rule structure
Each rule is defined with metadata that describes what it checks and why it matters:
Rule definition:

```json
{
  "id": "reentrancy-guard",
  "severity": "CRITICAL",
  "title": "External call before state update",
  "description": "Detects functions that make external calls before updating contract state, enabling reentrancy attacks.",
  "tags": ["reentrancy", "external-call", "state"],
  "references": [
    "https://swcregistry.io/docs/SWC-107",
    "https://solidity-by-example.org/hacks/re-entrancy/"
  ]
}
```
Available rules
The current rule set covers common Solidity vulnerability classes:
| Rule ID | Severity | Description |
|---|---|---|
| reentrancy-guard | CRITICAL | External call before state update |
| unchecked-return | HIGH | Return value of external call not checked |
| tx-origin-auth | MEDIUM | tx.origin used for authorization |
| integer-overflow | HIGH | Unchecked arithmetic (pre-Solidity 0.8.x) |
| selfdestruct-usage | HIGH | Use of selfdestruct opcode |
| delegatecall-unsafe | CRITICAL | Delegatecall to user-supplied address |
| storage-collision | HIGH | Potential storage slot collision in proxy pattern |
| hardcoded-address | LOW | Hardcoded contract address |
| floating-pragma | LOW | Floating pragma version constraint |
| visibility-missing | LOW | Function visibility not explicitly declared |
Note: The rule set is actively expanding. See the Roadmap for planned additions.
Working with rules
List all rules
```shell
$ openaudit-ai rules list
ID                  SEVERITY   DESCRIPTION
reentrancy-guard    CRITICAL   External call before state update
unchecked-return    HIGH       Unchecked external call return value
tx-origin-auth      MEDIUM     tx.origin used for authorization
```
Show rule details
```shell
$ openaudit-ai rules show reentrancy-guard
Rule:     reentrancy-guard
Severity: CRITICAL
Tags:     reentrancy, external-call, state
```
Run a specific rule only
```shell
# Run only the reentrancy rule
$ openaudit-ai analyze ./contracts --rule reentrancy-guard
```
Extensibility
Custom rules and plugin-based extensibility are on the roadmap. The goal is to allow teams to define project-specific checks in the same format as built-in rules, with full access to the AST visitor API.
Tip: Community rule contributions are welcome. See the GitHub repository for the contributing guide.