Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations.
Systematically assesses codebase maturity using Trail of Bits' 9-category framework. Provides evidence-based ratings and actionable recommendations.
Framework: Building Secure Contracts - Code Maturity Evaluation v0.1.0
Explores the codebase to understand:
For each of 9 categories, I'll:
Generates:
Rating Logic:
I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see ASSESSMENT_CRITERIA.md.
1. ARITHMETIC
2. AUDITING
3. AUTHENTICATION / ACCESS CONTROLS
4. COMPLEXITY MANAGEMENT
5. DECENTRALIZATION
6. DOCUMENTATION
7. TRANSACTION ORDERING RISKS
8. LOW-LEVEL MANIPULATION
9. TESTING & VERIFICATION
For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see ASSESSMENT_CRITERIA.md.
When the assessment is complete, you'll receive a comprehensive maturity report including:
For a complete example assessment report, see EXAMPLE_REPORT.md.
When invoked, I will:
Explore codebase
Analyze each category
Interactive assessment
Generate report
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Found some findings, assessment complete" | Assessment requires evaluating ALL 9 categories | Complete assessment of all 9 categories with evidence for each |
| "I see events, auditing category looks good" | Events alone don't equal auditing maturity | Check logging comprehensiveness, testing, incident response processes |
| "Code looks simple, complexity is low" | Visual simplicity masks composition complexity | Analyze cyclomatic complexity, dependency depth, state machine transitions |
| "Not a DeFi protocol, MEV category doesn't apply" | MEV extends beyond DeFi (governance, NFTs, games) | Verify with transaction ordering analysis before declaring N/A |
| "No assembly found, low-level category is N/A" | Low-level risks include external calls, delegatecall, inline assembly | Search for all low-level patterns before skipping category |
| "This is taking too long" | Thorough assessment requires time per category | Complete all 9 categories, ask clarifying questions about off-chain processes |
| "I can rate this without evidence" | Ratings without file:line references = unsubstantiated claims | Collect concrete code evidence for every category assessment |
| "User will know what to improve" | Vague guidance = no action | Provide priority-ordered roadmap with specific improvements and effort estimates |
For detailed report structure and templates, see REPORT_FORMAT.md.
Executive Summary
Maturity Scorecard
Detailed Analysis
Improvement Roadmap
Estimated Time: 30-40 minutes
I'll need:
Let's assess this codebase!