Using Remix Safely
Remix is widely used by developers at every level, from first-time smart contract writers to experienced auditors. That accessibility also makes it a target for scams and phishing. This page covers how to verify you are using the real Remix, how to develop safely, and which built-in tools can help you catch vulnerabilities before deployment.
Verifying the Remix URL
Remix is hosted at remix.ethereum.org (a subdomain of ethereum.org) and at remix.live. The only valid Remix URLs are:
Stable: remix.ethereum.org
Alpha: alpha.remix.live
Beta: beta.remix.live
If you are directed to a site that looks like Remix but has a similar yet different URL, it is NOT Remix and is most likely a phishing scam.
Always check that you are loading Remix over https unless you have a specific reason for accessing it with http (e.g. for using Remix locally or for a connection you trust).
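The two checks above (exact official host, https unless local) can be automated. The following is an added example, not code from the Remix project: a small Python function that accepts a URL only if its host is exactly one of the three official hosts listed above, requires https for them, allows plain http only for a local build, and rejects a URL that hides a fake host in the userinfo part before an "@". The local-host allowlist and the sample URLs are assumptions made for the example.

```python
"""Check that a URL really points at one of the official Remix hosts (added example)."""
from urllib.parse import urlsplit

# The only valid Remix URLs, as listed on this page.
OFFICIAL_REMIX_HOSTS = {
    "remix.ethereum.org",  # stable
    "alpha.remix.live",    # alpha
    "beta.remix.live",     # beta
}

# Hosts on which plain http is acceptable: a Remix build served locally.
# Assumption for this example; extend to match your own setup.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_remix_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL the user is about to open.

    The host must be an exact match for an official host, so lookalikes such as
    "remix.ethereum.org.example.com" or "remix-ethereum.org" fail. The scheme
    must be https unless the host is local. A URL such as
    "https://remix.ethereum.org@evil.example/" is rejected outright: the text
    before "@" is userinfo, not the host, and the real host is evil.example.
    """
    parts = urlsplit(url.strip())
    if parts.username is not None or parts.password is not None:
        return False, "URL contains userinfo; the part before '@' is not the host"
    host = (parts.hostname or "").lower().rstrip(".")
    if host in LOCAL_HOSTS:
        return True, "local Remix build"
    if host not in OFFICIAL_REMIX_HOSTS:
        return False, f"host {host!r} is not an official Remix host"
    if parts.scheme != "https":
        return False, f"official host reached over {parts.scheme!r}, expected https"
    return True, "official Remix host over https"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest phishing-style variations.
    for candidate in (
        "https://remix.ethereum.org/",
        "https://remix.ethereum.org.example.com/",
        "https://remix-ethereum.org/",
        "http://remix.ethereum.org/",
        "https://remix.ethereum.org@evil.example/",
        "http://localhost:8080/",
    ):
        ok, reason = check_remix_url(candidate)
        print(f"{'OK  ' if ok else 'FAIL'} {candidate}  ({reason})")
```

Note that a bare host without a scheme ("remix.ethereum.org") is rejected too, because the parser sees no host at all; always check the full URL from the address bar.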
Our only social profiles include:
X (formerly Twitter): Remix on X
LinkedIn: Remix on LinkedIn
Warning
Team members will never DM you on Discord claiming to be support, or ask for your private keys, or ask you to click shady links. Always use the #community channel to ask your questions.
Safe development practices
Make sure every import includes a version number; otherwise you will not know which version of the file you are fetching, and your build will not be reproducible.
So do not use an import like this:
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
Rather, use one like this:
import "@openzeppelin/contracts@5.0.0/token/ERC20/ERC20.sol";
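A quick way to enforce the rule above across a code base is to lint the import paths. The following is an added example, not a Remix feature: a Python script that extracts the path from every Solidity import form, skips relative paths and URLs, and reports any npm-style package import that has no "@version" after the package name. The sample contract source it scans is constructed for the example, and the package-path grammar it assumes is the one shown in the two import lines above.

```python
"""Flag Solidity imports that fetch a package without a pinned version (added example)."""
import re

# Match a string literal (kept) or a comment (dropped), so that a commented-out
# import is not reported and a "//" inside an import path is not mistaken for a comment.
_COMMENT_OR_STRING = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'|//[^\n]*|/\*.*?\*/', re.S)

# The path string of any import form Solidity allows:
#   import "path";   import "path" as X;   import {A, B} from "path";   import * as X from "path";
_IMPORT = re.compile(r'\bimport\b[^;"\']*?["\']([^"\']+)["\']')

# npm-style package path with an optional "@version" right after the package name:
#   @openzeppelin/contracts@5.0.0/token/ERC20/ERC20.sol   (pinned, scoped package)
#   @openzeppelin/contracts/token/ERC20/ERC20.sol         (unpinned)
#   solmate@6.2.0/src/tokens/ERC20.sol                    (pinned, unscoped package)
_PACKAGE = re.compile(r'^(?P<name>(?:@[^/@]+/)?[^/@]+)(?:@(?P<version>[^/]+))?(?:/|$)')


def _strip_comments(source: str) -> str:
    return _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0)[0] in "\"'" else " ", source
    )


def unpinned_imports(source: str) -> list[str]:
    """Return the import paths in `source` that name a package without a version.

    Relative imports ("./", "../", "/") and absolute URLs are skipped: they are not
    resolved through a package registry, so the "@version" rule does not apply.
    """
    findings = []
    for path in _IMPORT.findall(_strip_comments(source)):
        if path.startswith((".", "/")) or "://" in path:
            continue
        m = _PACKAGE.match(path)
        if m and not m.group("version"):
            findings.append(path)
    return findings


# Constructed sample contract: two unpinned package imports, one pinned, one relative,
# and one commented out.
SAMPLE_SOURCE = """
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts@5.0.0/access/Ownable.sol";
import "./interfaces/IVault.sol";
import "hardhat/console.sol";
// import "@openzeppelin/contracts/utils/Strings.sol";
contract Token is ERC20, Ownable {}
"""

if __name__ == "__main__":
    for path in unpinned_imports(SAMPLE_SOURCE):
        print(f"unpinned import: {path}")
```

Run it over each .sol file before you compile; an empty result means every package import names an exact version and the build is reproducible.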
When connecting to a contract already deployed on-chain, make sure you are connecting to the correct contract and the correct version of it.
Always make sure you handle or at least understand every warning.
Never deploy or send transactions on contracts you don't fully understand, even if it's a get rich quick scheme that you've copied & pasted from a Discord DM or a YouTube video and you really really want to get rich.
If you have pasted code you are unsure about, ask the RemixAI Assistant to review it before deploying. Remix already prompts you to do this every time you paste code in the IDE.
Scam awareness
Check our article on a known scam promoting "liquidity front runner bots".
Scams lose their effectiveness when potential victims understand them and know how to read and understand code. Learn Solidity, and learn it well!
Solidity tutorials in Remix
These interactive tutorials by WTF Academy are available in the LearnEth plugin. Each one walks through a real vulnerability class with hands-on exercises.
The classic Ethereum exploit. Learn how recursive external calls can drain contract balances.
Identify missing or misconfigured access controls that expose privileged functions.
Understand how arithmetic overflows can wrap values unexpectedly and how to prevent them.
Understand why using tx.origin for authorization is dangerous and how attackers exploit it.
Learn how transaction ordering can be exploited by miners or bots to extract value.
Understand how price oracles can be manipulated within a single transaction to exploit DeFi protocols.
These are not exhaustive. LearnEth includes additional tutorials covering more vulnerability classes. Open the LearnEth plugin in the Plugin Manager to browse the full list.
Static analysis
Remix includes a Static Analysis plugin that runs security and quality checks on your Solidity code before deployment. It integrates three tools:
Remix Analysis — built-in checks that flag common issues such as reentrancy risks, unused variables, and dangerous low-level calls.
Slither — a widely-used Solidity static analyzer that detects a broad range of vulnerabilities. You can also prompt the RemixAI Assistant to run a Slither scan directly.
Solhint — a linter that enforces Solidity style and security best practices.
See Static Analysis for usage details.
Contract verification
Verifying a contract publishes its source code and makes it auditable by anyone. Remix integrates with Sourcify to make this as frictionless as possible:
A verify on deployment checkbox is enabled by default in the Deploy panel — verified source is submitted automatically when you deploy.
For contracts already on-chain, use the Contract Verification plugin to verify after the fact.
See Contract Verification for details.
AI privacy
When using the RemixAI Assistant, any code you share is sent to the configured LLM. If your code contains sensitive logic or proprietary algorithms, consider using a private LLM instead:
Ollama — run a local LLM entirely on your own machine, with no data leaving your environment.
Cloud-hosted private LLM — run Ollama in a private cloud instance for teams that need more compute.
See Running Ollama in the cloud with Remix and Using a local LLM for privacy for setup instructions.