Discussion Details

Core
Type
ACTIVE

CardanoScout: A Static Analysis Tool for Smart Contract Security

0 comments
Submitted: 7 May 2025, 14:24 UTC (Epoch 556)
Updated: 7 May 2025, 14:24 UTC (Epoch 556)
# ID:734

matias.cabello

Budget: $325,150 (464,500 ADA)
ADA Rate: $0.7
Preferred Currency: United States Dollar (USD)
Contract Type: Milestone Based Fixed Price

Description

CardanoScout will be a static analysis tool designed to detect vulnerabilities and security issues in Cardano smart contracts written in Plutus. Inspired by our successful experience developing Scout, used in Polkadot's Substrate/Ink! and Stellar's Soroban, this tool will automate contract audits, highlight security risks early in the development cycle, and promote best practices. It will integrate with existing Cardano development environments to ensure seamless use for developers and auditors. CoinFabrik's team of security auditors, blockchain researchers, and developers will build CardanoScout from scratch using insights gained from auditing and tooling for smart contract ecosystems.

Problem Statement

Cardano lacks a dedicated static analysis tool to help developers identify vulnerabilities and security risks in Plutus and Marlowe smart contracts before deployment. This gap increases the likelihood of undetected bugs, inefficient code, or critical vulnerabilities reaching production. As the ecosystem grows, the need for scalable and automated security tooling becomes urgent to ensure safe and reliable dApps.

Proposal Benefit

Empower Cardano developers, security auditors and QA engineers with an automated static analysis tool tailored to Cardano smart contracts, enabling automated issue and vulnerability detection during development. It will help developers, auditors, and projects proactively secure their code, reduce manual review costs, and elevate overall contract quality. We will leverage our proven experience building Scout Audit (https://github.com/CoinFabrik/scout-audit), a successful open-source static analysis tool for Polkadot's Substrate and Ink! as well as Stellar's Soroban. Our team includes experienced security auditors, blockchain researchers, and developers who specialize in building static analyzers for smart contract platforms.

By improving smart contract security and reliability, this tool will directly benefit the Cardano developer community, security professionals, and end-users, supporting Cardano's mission of building secure, scalable, and decentralized infrastructure.

Key Proposal Deliverables

  • Milestone 1: Research & Specification of static checks for Plutus.
  • Milestone 2: Build initial analysis engine and CLI tool.
  • Milestone 3: Implement vulnerability detector coverage.
  • Milestone 4: Integration with Visual Studio Code and GitHub CI/CD.
  • Milestone 5: Public beta release, developer feedback round.
  • Milestone 6: Stable release and full documentation.

Cost Breakdown

Milestone 1: Research & Specification of static checks for Plutus
USD: $95,200
ADA: 136,000
Time: 8 weeks

Milestone 2: Build initial analysis engine and CLI tool
USD: $54,600
ADA: 78,000
Time: 4 weeks

Milestone 3: Implement vulnerability detector coverage
USD: $109,200
ADA: 156,000
Time: 8 weeks

Milestone 4: Integration with Visual Studio Code and GitHub CI/CD
USD: $18,900
ADA: 27,000
Time: 2 weeks

Milestone 5: Public beta release, developer feedback round
USD: $28,350
ADA: 40,500
Time: 3 weeks

Milestone 6: Stable release and full documentation
USD: $18,900
ADA: 27,000
Time: 2 weeks

Resourcing & Duration

Team

  • 1 Project Lead
  • 3 Developers
  • 1 Security Auditor
  • 1 Researcher

Duration: 6 months.

Experience

CoinFabrik is a research and development company specializing in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 350 blockchain-related projects, both EVM-based and for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, Soroban and TEAL. Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

Maintenance & Support

Once the first version of CardanoScout is delivered, we plan to prepare a follow-up funding proposal to support a minimal team dedicated to ongoing maintenance and user support. This team will be responsible for:

  • Ensuring compatibility with future versions of Plutus and Marlowe.
  • Fixing bugs and addressing issues reported by the community.
  • Incorporating feedback from users to improve the tool's usability and effectiveness.
  • Updating vulnerability detectors as new attack vectors and best practices emerge.
  • Supporting developers through documentation updates, GitHub discussions, and workshops.

This follow-up proposal will ensure CardanoScout remains a relevant and valuable tool for the Cardano developer and auditing communities over time.

Supplementary Endorsement

Roadmap Alignment

Does your proposal align with any of the Intersect Committees?

Open Source Committee

Does this proposal align to the Product Roadmap and Roadmap Goals?

Developer / User Experience

Administration and Auditing

Would you like Intersect to be your named Administrator, including acting as the auditor, as per the Cardano Constitution?

No

Ownership Information

Submitted On Behalf Of

Company

Social Handles

matias.cabello@coinfabrik.com

Key Dependencies

  • Access to Cardano smart contract security audits.
  • Access to reliable documentation and specifications of Plutus and Marlowe smart contracts.
  • Support from the Cardano developer community to validate real-world use cases.
  • Early feedback from developers and security professionals.

Supporting Links

No supporting links provided
Created: 5/7/2025
Updated: 5/7/2025
ID: 752
Poll Results
Votes: 4
Should this proposal be funded in the next Cardano Budget round?
YES
1 (25%)
NO
3 (75%)

Comments (0)
