LendingValidator.hs
{-# ANN module "onchain-contract" #-}
module LendingValidator where
import PlutusTx qualified as Tx
-- Validate a loan repayment
validator :: ScriptContext -> Bool
validator ctx =

Catch Plinth bugs before mainnet does.

Plu-Stan analyzes Plinth smart contracts for security vulnerabilities and performance anti-patterns, using GHC's own type-annotated AST.

how it works

Analysis without touching source

Plu-Stan reads .hie files: GHC's rich AST with full type information. No source parsing, no false positives from macros or generated code.

Plinth source
{-# ANN module "onchain-contract" #-}
annotate on-chain modules

GHC .hie files
-fwrite-ide-info
full AST + type info

Plu-Stan
cabal run plustan
14+ Plinth-specific rules

On-chain only
filter onchain
off-chain code ignored

Report
⚠ 3 warnings 🔴 1 critical
HTML + fix suggestions

inspections

14+ Plinth-specific rules

Click any rule to see the vulnerable pattern, why it matters, and what Plu-Stan reports.

PLU-STAN-04
-- staking component not checked
pkh1 == pkh2 -- ← fund theft risk
⚠ Warning·credential security

PLU-STAN-10
-- invalid hash → loan locked forever
Tx.unsafeFromBuiltinData datum
🔴 Critical·unvalidated hash

PLU-STAN-06
-- two passes, double the cost
map (+100) $ filter (>0) xs
◆ Performance·list traversal

PLU-STAN-08
-- recomputed on every use
let tup = expensiveComputation
◆ Performance·non-strict let

PLU-STAN-12
-- no finite upper bound
txInfoValidRange (scriptContextTxInfo ctx)
⚠ Warning·time bounds

PLU-STAN-02
-- no structural integrity check
unsafeFromBuiltinData datum
⚠ Warning·datum spam

getting started

Add Plu-Stan to your project

cabal.project
source-repository-package
  type: git
  location: https://github.com/input-output-hk/plu-stan
  tag: main

annotate on-chain code
{-# ANN module "onchain-contract" #-}
module MyValidator where
-- Plu-Stan will analyze only this module

run analysis
# Build with HIE file generation
cabal build --ghc-options -fwrite-ide-info
# Run Plu-Stan and open HTML report
cabal run plustan -- --report --browse

editor integration

VS Code + Cursor extension

A dedicated extension wraps the plustan CLI. On-chain modules appear in a sidebar tree; findings land in the Problems panel.

LendingValidator.hs
lendingValidator :: ScriptContext -> Bool
lendingValidator ctx =
  let ownOutput = head $ txInfoOutputs info
      -- PLU-STAN-10 Unvalidated hash in comparison. Use fromBuiltinData and handle Nothing.
      LoanDatum { repaymentPkh } = Tx.unsafeFromBuiltinData (getDatum ownOutput)
  in repaymentPkh == getOutputPkh (txOutAddress ownOutput)
  where
    -- transaction info taken from the script context
    info = scriptContextTxInfo ctx
# package and install as VSIX
cd vscode-plustan
npm install && npm run package:vsix
# Extensions: Install from VSIX...

# settings.json
"plustan.binaryPath": "/path/to/plustan"
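
The PLU-STAN-10 finding in the editor snippet above suggests using fromBuiltinData and handling Nothing. The following is an added sketch of that fix, not code from the Plu-Stan project: it assumes the plutus-ledger-api V2 modules and an inline datum, the helpers decodeLoanDatum, outputPkh and validPkh are hypothetical names, and the 28-byte length check goes beyond the fix the finding names.

```haskell
{-# LANGUAGE ImportQualifiedPost, NamedFieldPuns, NoImplicitPrelude, TemplateHaskell #-}
module LendingValidatorSafe where

import PlutusLedgerApi.V2 (Address (..), Credential (..), Datum (..), OutputDatum (..),
                           PubKeyHash (..), ScriptContext (..), TxInfo (..), TxOut (..))
import PlutusTx qualified as Tx
import PlutusTx.Builtins (lengthOfByteString)
import PlutusTx.Prelude

-- Mirrors the LoanDatum used in the page's snippet (field layout assumed).
data LoanDatum = LoanDatum { repaymentPkh :: PubKeyHash }
Tx.unstableMakeIsData ''LoanDatum

-- Hypothetical helper: decode an inline datum, returning Nothing on
-- malformed data instead of failing like unsafeFromBuiltinData.
decodeLoanDatum :: TxOut -> Maybe LoanDatum
decodeLoanDatum out = case txOutDatum out of
  OutputDatum (Datum d) -> Tx.fromBuiltinData d
  _                     -> Nothing

-- Hypothetical helper: payment key hash of an output, if it is key-locked.
outputPkh :: TxOut -> Maybe PubKeyHash
outputPkh out = case addressCredential (txOutAddress out) of
  PubKeyCredential pkh -> Just pkh
  _                    -> Nothing

-- Added check, not named by the finding: key hashes are 28 bytes (Blake2b-224),
-- so any other length can never match a real credential.
validPkh :: PubKeyHash -> Bool
validPkh pkh = lengthOfByteString (getPubKeyHash pkh) == 28

lendingValidator :: ScriptContext -> Bool
lendingValidator ctx =
  case txInfoOutputs (scriptContextTxInfo ctx) of
    [] -> False                       -- no output: reject rather than crash on head
    (ownOutput : _) ->
      case (decodeLoanDatum ownOutput, outputPkh ownOutput) of
        (Just LoanDatum {repaymentPkh}, Just paidTo) ->
          validPkh repaymentPkh && repaymentPkh == paidTo
        _ -> False                    -- undecodable datum or script address: reject
```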

collaboration

Built by three teams

Plu-Stan is a joint effort between Cardano ecosystem teams who share a stake in better on-chain security.

Anastasia Labs + TxPipe + IOG