EVM/Bytecode Analysis Skill
Expert-level EVM bytecode analysis and decompilation for smart contract security audits, gas optimization, and reverse engineering.
Capabilities
- •Bytecode Analysis: Analyze EVM bytecode and opcodes
- •Gas Cost Calculation: Calculate gas costs per operation
- •Storage Layout Identification: Identify storage slot layouts and packing
- •Decompilation: Decompile bytecode to pseudo-Solidity
- •Proxy Analysis: Analyze proxy implementation slots (EIP-1967)
- •Pattern Detection: Detect bytecode patterns (CREATE2, selfdestruct)
- •Bytecode Verification: Verify contract bytecode against source
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Purpose | Install |
|---|---|---|
| EVM MCP Tools | Smart contract auditing, security analysis | 0xGval/evm-mcp-tools |
| Solidity Contract Analyzer | Contract code analysis with metadata | Skywork |
Opcode Reference
Common EVM opcodes and gas costs:
| Category | Opcodes | Base Gas |
|---|---|---|
| Arithmetic | ADD, SUB, MUL, DIV | 3-5 |
| Comparison | LT, GT, EQ, ISZERO | 3 |
| Bitwise | AND, OR, XOR, NOT, SHL, SHR | 3 |
| Memory | MLOAD, MSTORE | 3 + memory expansion |
| Storage | SLOAD | 100 (warm) / 2100 (cold) |
| Storage | SSTORE | 100-20000 (varies) |
| Control | JUMP, JUMPI | 8-10 |
| Call | CALL, DELEGATECALL, STATICCALL | 100 + memory + value |
Storage Layout Analysis
Standard Slot Patterns
solidity
// Basic types (slot 0, 1, 2...) uint256 public a; // slot 0 uint256 public b; // slot 1 // Packed storage uint128 public c; // slot 2, bytes 0-15 uint128 public d; // slot 2, bytes 16-31 // Mappings: keccak256(key . slot) mapping(address => uint256) public balances; // slot 3 // balances[addr] at keccak256(addr . 3) // Dynamic arrays: length at slot, data at keccak256(slot) uint256[] public arr; // length at slot 4, arr[i] at keccak256(4) + i
EIP-1967 Proxy Slots
code
Implementation: 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc Admin: 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 Beacon: 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50
Bytecode Patterns
Contract Creation
code
PUSH1 0x80 // Free memory pointer PUSH1 0x40 MSTORE ... CODECOPY // Copy runtime code RETURN // Return runtime code
Selector Dispatch
code
PUSH4 <selector> // 4-byte function selector EQ // Compare with calldata[0:4] PUSH2 <offset> // Jump destination JUMPI // Jump if match
Common Vulnerability Patterns
code
// Reentrancy indicator: CALL before SSTORE CALL ... SSTORE // Unchecked return: CALL without ISZERO check CALL // Missing: ISZERO, JUMPI for error handling // Self-destruct (deprecated but detectable) SELFDESTRUCT
Workflow
1. Fetch Contract Bytecode
bash
# Using cast (Foundry)
cast code <address> --rpc-url <rpc>
# Using curl
curl -X POST <rpc> \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_getCode","params":["<address>","latest"],"id":1}'
2. Analyze Opcodes
bash
# Disassemble with cast cast disassemble <bytecode> # Or use online tools # - evm.codes/playground # - ethervm.io/decompile
3. Storage Slot Analysis
bash
# Read specific storage slot cast storage <address> <slot> --rpc-url <rpc> # Read EIP-1967 implementation slot cast storage <address> 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc --rpc-url <rpc>
4. Bytecode Comparison
bash
# Get deployed bytecode cast code <address> --rpc-url <rpc> > deployed.bin # Compile source and compare forge build diff deployed.bin out/Contract.sol/Contract.bin
Process Integration
This skill integrates with the following processes:
- •
gas-optimization.js- Identify gas-heavy opcodes - •
smart-contract-security-audit.js- Bytecode-level vulnerability detection - •
smart-contract-upgrade.js- Proxy slot verification - •
formal-verification.js- Bytecode correctness verification
Tools Reference
| Tool | Purpose | URL |
|---|---|---|
| Foundry Cast | CLI bytecode interaction | foundry-rs/foundry |
| evm.codes | Opcode reference | evm.codes |
| Dedaub | Decompiler | dedaub.com |
| Heimdall | Advanced decompiler | heimdall-rs |
| panoramix | Python decompiler | eveem.org |
Example Analysis
javascript
// Analyze proxy contract
const analysis = {
type: 'proxy',
pattern: 'EIP-1967 Transparent',
implementation: '0x...',
admin: '0x...',
// Storage layout
storageSlots: {
0: { name: '_initialized', type: 'uint8' },
1: { name: '_initializing', type: 'bool' },
// ...
},
// Function selectors
selectors: {
'0xa9059cbb': 'transfer(address,uint256)',
'0x23b872dd': 'transferFrom(address,address,uint256)',
// ...
},
// Gas hotspots
gasHotspots: [
{ offset: 0x1a4, opcode: 'SSTORE', context: 'balance update' },
{ offset: 0x2f0, opcode: 'CALL', context: 'external call' }
]
};
See Also
- •
skills/gas-optimization/SKILL.md- Gas optimization techniques - •
agents/solidity-auditor/AGENT.md- Security audit agent - •
references.md- External resources