xsaher/evm-analyzer

GitHub: xsaher/evm-analyzer


# EVM Bytecode Security Analyzer

A static security analysis tool for Ethereum smart contracts. It works directly on deployed bytecode, so no source code is needed. Built as a personal project to understand EVM internals and smart contract security.

## What makes this different

Source-level tools such as Slither need the Solidity source. This tool analyzes the compiled EVM bytecode of any deployed contract, including unverified ones. It also goes beyond simple opcode pattern matching: an inter-block taint analysis tracks user-controlled values across the entire control flow graph (CFG).

## Tested on Real Exploited Contracts

| Contract | Stolen | Tool Result | Key Finding |
|---|---|---|---|
| The DAO (2016) | $60M | CRITICAL | Reentrancy + Integer Overflow → Storage Corruption |
| Rubixi (2016) | $2M | CRITICAL | Reentrancy + Integer Overflow → Storage Corruption |
| Bancor (2018) | $23M | HIGH | SELFDESTRUCT + User-Controlled Storage Write |

All three contracts were rated HIGH or CRITICAL. The Key Finding column is the analyzer's output on the deployed bytecode. Static analysis reports the vulnerability classes present in the code, not the transaction sequence used in each incident, so treat a finding as a pointer for manual review rather than a reproduction of the attack.

## Detected Vulnerabilities

**Via Pattern Analysis:**

- Reentrancy (CALL before SSTORE)
- DELEGATECALL to untrusted address
- SELFDESTRUCT without access control
- tx.origin authentication
- Timestamp dependence
- Weak randomness
- Unchecked external call return value
- Integer overflow (relevant mainly to contracts compiled before Solidity 0.8, which made checked arithmetic the default)

**Via Taint Analysis (inter-block):**

- User-controlled storage write
- User-controlled call target
- User-controlled ETH transfer amount
- User-controlled DELEGATECALL target
- User-controlled SELFDESTRUCT beneficiary

**Severity Escalation:**

- Integer overflow that flows into SSTORE → escalates to **CRITICAL**
- Integer overflow that flows into CALL value → escalates to **CRITICAL**

## Installation

```bash
git clone https://github.com/xsaher/evm-analyzer
cd evm-analyzer
pip install -r requirements.txt
cp .env.example .env
```

Add your free Etherscan API key to `.env`. Get one at etherscan.io/myapikey.

## Usage

```bash
# Single contract
python main.py 0xdAC17F958D2ee523a2206206994597C13D831ec7

# Multiple contracts
python main.py 0xdAC17F958D2ee523a2206206994597C13D831ec7 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
```

Each analysis produces:

- Terminal summary with color-coded severity levels
- `report_*.html` — visual audit report
- `report_*.json` — structured output for integration

## Architecture

```
evm-analyzer/
├── fetcher/
│   └── etherscan.py              # Bytecode, ABI, metadata from Etherscan API
├── decoder/
│   └── opcode_decoder.py         # Raw hex → decoded instruction list
├── analyzer/
│   ├── cfg_builder.py            # Basic block decomposition → Control Flow Graph
│   ├── vulnerability_patterns.py # Pattern-based checks on the CFG
│   └── taint_analysis.py         # Inter-block taint propagation + severity escalation
├── reporter/
│   ├── html_report.py            # Self-contained HTML report
│   └── json_report.py            # JSON output
└── main.py                       # CLI entry point
```

## How It Works

```
Contract Address
      │
      ▼
Etherscan API → Raw Bytecode
      │
      ▼
Opcode Decoder → Instruction list
      │
      ▼
CFG Builder → Basic blocks + edges
      │
      ├──→ Pattern Matching → Reentrancy, SELFDESTRUCT, tx.origin...
      │
      └──→ Taint Analysis → Tracks user input across all blocks
                            Escalates severity when overflow hits a sink
      │
      ▼
HTML + JSON Reports
```

## Tech Stack

- Python
- NetworkX — CFG construction and traversal
- pycryptodome — keccak256 for function selector resolution
- Requests — Etherscan API
- Rich — terminal output

## References

- [Ethereum Yellow Paper](https://ethereum.github.io/yellowpaper/paper.pdf)
- [EVM Opcodes Reference](https://www.evm.codes/)
- [The DAO Hack Analysis](https://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/)
- [Consensys Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/)

*This tool performs automated static analysis. It does not replace a full manual security audit.*
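The decode → basic blocks → pattern and taint checks pipeline from "How It Works", as an added example that is not the project's own code. It is a deliberately small Python version of those stages and of the checks listed under "Detected Vulnerabilities": an opcode decoder that consumes PUSH immediates, a basic-block splitter, the "CALL before SSTORE" reentrancy pattern, and a stack-level taint check that flags calldata flowing into an SSTORE key or value, a CALL target or value, or a SELFDESTRUCT beneficiary. The function names (`decode`, `basic_blocks`, `analyze_block`, `analyze`), the opcode subset and the hand-assembled sample bytecodes are assumptions of this example, and the taint pass is intra-block only, unlike the project's inter-block analysis.

```python
"""Toy version of the README's pipeline: hex -> instructions -> basic blocks ->
pattern + taint checks.  Added example, not the project's code; the names
(decode, basic_blocks, analyze_block, analyze) and the opcode subset are mine."""
from collections import namedtuple

# Subset of the EVM opcode table: byte -> (mnemonic, pops, pushes); PUSH1..PUSH32 decoded below.
OPCODES = {
    0x00: ("STOP", 0, 0), 0x01: ("ADD", 2, 1), 0x35: ("CALLDATALOAD", 1, 1),
    0x50: ("POP", 1, 0), 0x54: ("SLOAD", 1, 1), 0x55: ("SSTORE", 2, 0),
    0x56: ("JUMP", 1, 0), 0x57: ("JUMPI", 2, 0), 0x5B: ("JUMPDEST", 0, 0),
    0x80: ("DUP1", 1, 2), 0xF1: ("CALL", 7, 1), 0xF3: ("RETURN", 2, 0),
    0xFD: ("REVERT", 2, 0), 0xFF: ("SELFDESTRUCT", 1, 0),
}
BLOCK_END = {"STOP", "JUMP", "JUMPI", "RETURN", "REVERT", "SELFDESTRUCT"}
Instr = namedtuple("Instr", "pc op pops pushes arg", defaults=[b""])  # arg = PUSH immediate


def decode(code: bytes) -> list:
    """Raw bytecode -> instruction list.  PUSHn swallows n immediate bytes, so
    a 0xF1 inside a PUSH argument is data, not a CALL."""
    out, pc = [], 0
    while pc < len(code):
        b = code[pc]
        if 0x60 <= b <= 0x7F:
            n = b - 0x5F
            out.append(Instr(pc, f"PUSH{n}", 0, 1, code[pc + 1:pc + 1 + n]))
            pc += 1 + n
        else:
            op, pops, pushes = OPCODES.get(b, (f"UNKNOWN_{b:02x}", 0, 0))
            out.append(Instr(pc, op, pops, pushes))
            pc += 1
    return out


def basic_blocks(instrs: list) -> list:
    """JUMPDEST starts a block; STOP/JUMP/JUMPI/RETURN/REVERT/SELFDESTRUCT end one."""
    blocks, cur = [], []
    for ins in instrs:
        if ins.op == "JUMPDEST" and cur:
            blocks.append(cur)
            cur = []
        cur.append(ins)
        if ins.op in BLOCK_END:
            blocks.append(cur)
            cur = []
    return blocks + ([cur] if cur else [])


def analyze_block(block: list) -> list:
    """Intra-block taint: a stack slot is True when derived from calldata.  Slots
    present at block entry are unknown and treated as clean (under-approximation;
    the README's inter-block pass carries taint across CFG edges).  Also applies
    the 'CALL before SSTORE' reentrancy pattern within the block."""
    stack, findings, seen_call = [], [], False

    def pop():
        return stack.pop() if stack else False

    for ins in block:
        if ins.op == "CALLDATALOAD":          # taint source
            pop()
            stack.append(True)
        elif ins.op == "CALL":                # pops gas, addr, value, 4 memory args; pushes success
            _gas, addr, value = pop(), pop(), pop()
            for _ in range(4):
                pop()
            if addr:
                findings.append((ins.pc, "user-controlled call target"))
            if value:
                findings.append((ins.pc, "user-controlled ETH transfer amount"))
            seen_call = True
            stack.append(False)
        elif ins.op == "SSTORE":              # pops key, value
            key, value = pop(), pop()
            if key or value:
                findings.append((ins.pc, "user-controlled storage write"))
            if seen_call:
                findings.append((ins.pc, "reentrancy: CALL before SSTORE"))
        elif ins.op == "SELFDESTRUCT":
            if pop():
                findings.append((ins.pc, "user-controlled SELFDESTRUCT beneficiary"))
        else:                                 # generic rule: any tainted input taints every output
            args = [pop() for _ in range(ins.pops)]
            stack.extend([any(args)] * ins.pushes)
    return findings


def analyze(code_hex: str) -> list:
    """Hex string -> list of (pc, finding) over all basic blocks."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    return [f for block in basic_blocks(decode(code)) for f in analyze_block(block)]


# Constructed sample bytecode (hand-assembled for this example, not from any real contract).
REENTRANT = "6000600060006000600160043561fffff150600060015500"  # CALL to calldata[4], then SSTORE
TAINTED_WRITE = "6024356004356001015500"  # SSTORE key = calldata[4] + 1, value = calldata[0x24]
CLEAN = "600060015500"  # PUSH1 0, PUSH1 1, SSTORE, STOP: constants only
```

`analyze(REENTRANT)` reports the CALL target as user-controlled and the SSTORE after the call as the reentrancy pattern; `analyze(TAINTED_WRITE)` reports a user-controlled storage write because the ADD propagates taint from the CALLDATALOAD into the key; `analyze(CLEAN)` returns an empty list. Treating stack slots that already exist at block entry as clean is exactly the gap that makes the project's inter-block propagation necessary: a value loaded from calldata in one block and stored in the next is invisible to this intra-block version.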