# Solidity Vulnerability Scanner

## 1. Purpose

Systematically scan Solidity contracts for 104 security vulnerabilities using multi-tool detection: Slither + Aderyn + Mythril + manual pattern matching. All findings require evidence with exact file:line citations.
## 2. When to Use

- Auditing Solidity contracts (any framework)
- Pre-launch security assessment
- Reviewing DeFi protocol security
- Preparing for professional audit
- CI/CD security gate
## 3. Scanning Workflow

### Step 1: Framework & Version Check

```bash
# Detect framework
ls foundry.toml hardhat.config.js hardhat.config.ts truffle-config.js

# Check Solidity version
rg "pragma solidity" contracts/

# Check for OpenZeppelin
rg "@openzeppelin" package.json remappings.txt
```
### Step 2: Run Automated Tools

```bash
# Slither (primary static analysis)
slither . --json slither-results.json

# Aderyn (fast Rust-based)
aderyn -s contracts/ -o aderyn-report.md

# Mythril (symbolic execution, slower but deeper)
myth analyze contracts/MyContract.sol -o json > mythril-results.json
```
### Step 3: Parallel Vulnerability Scan

#### Reentrancy (CRITICAL)

```bash
rg "\.call\{|\.transfer\(|\.send\(" contracts/
rg "nonReentrant|ReentrancyGuard" contracts/
```

#### Access Control (CRITICAL)

```bash
rg "onlyOwner|onlyRole|_checkRole|require.*msg\.sender" contracts/
rg "tx\.origin" contracts/
rg "selfdestruct" contracts/
```

#### External Calls (HIGH)

```bash
rg "\.call\(|\.delegatecall\(|\.staticcall\(" contracts/
rg "IERC20\(.*\)\.transfer" contracts/
```

#### Arithmetic Safety (HIGH)

```bash
rg "unchecked" contracts/
rg "\/.*\*|precision|rounding" contracts/
```

#### Oracle & Price (CRITICAL)

```bash
rg "oracle|getPrice|latestRoundData|priceFeed" contracts/
rg "flashLoan|flashMint" contracts/
```

#### Transient Storage (CRITICAL — EIP-1153)

```bash
rg "tstore|tload|TSTORE|TLOAD|transient" contracts/
rg "ReentrancyGuardTransient" contracts/
```

#### EIP-7702 / Account Abstraction (CRITICAL)

```bash
rg "tx\.origin.*==.*msg\.sender|isContract|extcodesize" contracts/
rg "IPaymaster|validatePaymasterUserOp|UserOperation|validateUserOp" contracts/
```

#### Uniswap V4 Hooks (CRITICAL)

```bash
rg "IHooks|BaseHook|afterSwap|beforeSwap|hookData|poolManager" contracts/
```
### Step 4: Evidence Collection

For each potential finding:

- Extract exact file:line location
- Capture vulnerable code snippet
- Cross-reference with tool results
- Calculate confidence score
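As an added example (not part of this scanner page, nor code from Slither, Aderyn or Mythril), the following Python implements the Step 3 reentrancy heuristic "external call before state update" (ETH-001) over a constructed `Vault.sol` and emits the file:line evidence Step 4 requires. Function boundaries, call sites and state writes are recognised with regular expressions, which is an assumption that holds for conventionally formatted contracts (one statement per line, brace on the function header) rather than a Solidity parser; the sample contract, the `Finding` class and `detect_eth_001` are all constructed here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample contract (not from the page): withdraw() pays out before
# zeroing the caller's balance; safeWithdraw() updates state first and is guarded.
SAMPLE_FILE = "contracts/Vault.sol"
SAMPLE_SOURCE = """\
pragma solidity ^0.8.20;

contract Vault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }

    function safeWithdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

# Heuristic recognisers (assumption: one statement per line, opening brace on
# the function header line, as in conventionally formatted Solidity).
FUNC_RE = re.compile(r"^\s*function\s+(\w+)\s*\(.*?\)\s*([^{]*)\{")
EXT_CALL_RE = re.compile(r"\.call\{|\.call\(|\.transfer\(|\.send\(")
# Assignment to a state variable or mapping entry; lines starting with a type
# keyword are local declarations and are excluded.
STATE_WRITE_RE = re.compile(
    r"^\s*(?!uint|int|bool|address|bytes|string)(\w+(\[[^\]]+\])*)\s*(\+=|-=|=)[^=]"
)


@dataclass
class Finding:
    rule: str
    file: str
    line: int        # line of the external call, cited as the evidence location
    function: str
    snippet: str
    notes: list = field(default_factory=list)

    def location(self) -> str:
        return f"{self.file}:{self.line}"


def split_functions(source: str):
    """Yield (name, modifiers, [(lineno, text), ...]) per function using brace depth."""
    lines = source.splitlines()
    i = 0
    while i < len(lines):
        m = FUNC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        depth, body, j = 0, [], i
        while j < len(lines):
            depth += lines[j].count("{") - lines[j].count("}")
            body.append((j + 1, lines[j]))
            if depth == 0:
                break
            j += 1
        yield m.group(1), m.group(2).split(), body
        i = j + 1


def detect_eth_001(source: str, filename: str) -> list:
    """Flag functions whose first external call is followed by a state write."""
    findings = []
    for name, modifiers, body in split_functions(source):
        call = None
        for lineno, text in body:
            if call is None:
                if EXT_CALL_RE.search(text):
                    call = (lineno, text.strip())
            elif STATE_WRITE_RE.match(text):
                finding = Finding("ETH-001", filename, call[0], name, call[1])
                finding.notes.append(f"state write after external call at line {lineno}")
                if "nonReentrant" in modifiers:
                    finding.notes.append("nonReentrant present; verify the guard covers this path")
                findings.append(finding)
                break  # one finding per function is enough evidence
    return findings


if __name__ == "__main__":
    for f in detect_eth_001(SAMPLE_SOURCE, SAMPLE_FILE):
        print(f"[CRITICAL] {f.rule} {f.location()} ({f.function}): {f.snippet}")
        for note in f.notes:
            print("  -", note)
```

On the sample the only hit is `withdraw` at `contracts/Vault.sol:12`, with the later write at line 14 recorded in the notes; `safeWithdraw` is not flagged because its write precedes the call. A `nonReentrant` modifier lowers but does not remove the finding, in line with Step 3 treating the guard as a signal to cross-check rather than proof.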
## 4. Vulnerability Patterns (97 Total)

### CRITICAL Severity

| ID | Name | Detection | SWC |
|---|---|---|---|
| ETH-001 | Single-function Reentrancy | External call before state update | SWC-107 |
| ETH-006 | Missing Access Control | State-changing without modifier | SWC-105 |
| ETH-007 | tx.origin Authentication | tx.origin in require/if | SWC-115 |
| ETH-019 | Delegatecall to Untrusted | delegatecall with user input | SWC-112 |
| ETH-024 | Oracle Manipulation | Single oracle, no TWAP | — |
| ETH-025 | Flash Loan Attack | No same-block protection | — |
| ETH-030 | Storage Collision (Proxy) | Misaligned storage slots | SWC-124 |
| ETH-039 | Signature Replay | Missing nonce/chain ID | SWC-121 |
| ETH-049 | Uninitialized Implementation | Missing initializer | — |
| ETH-057 | Vault Share Inflation | First depositor attack | — |

### HIGH Severity

| ID | Name | Detection | SWC |
|---|---|---|---|
| ETH-002 | Cross-function Reentrancy | Shared state + external call | SWC-107 |
| ETH-009 | Default Visibility | Missing visibility specifier | SWC-100 |
| ETH-013 | Integer Overflow/Underflow | Unchecked arithmetic | SWC-101 |
| ETH-018 | Unchecked External Call | .call return not checked | SWC-104 |
| ETH-026 | Sandwich Attack | No slippage protection | — |
| ETH-034 | Strict Equality on Balance | == on ETH/token balance | SWC-132 |
| ETH-037 | Weak Randomness | block.timestamp/blockhash | SWC-120 |
| ETH-041 | ERC-20 Non-standard Return | Missing SafeERC20 | — |
| ETH-044 | ERC-777 Reentrancy | Token hooks without guard | — |
| ETH-066 | Unbounded Loop | Loop without gas bound | SWC-128 |

### CRITICAL — New (2025-2026)

| ID | Name | Detection | SWC |
|---|---|---|---|
| ETH-081 | Transient Storage Collision | Same TSTORE slot via delegatecall | — |
| ETH-083 | TSTORE Reentrancy Bypass | TSTORE lock bypassed cross-contract | — |
| ETH-086 | Broken EOA Check (EIP-7702) | tx.origin == msg.sender for EOA | — |
| ETH-088 | EIP-7702 Auth Replay | Cross-chain authorization without chain ID | — |
| ETH-091 | Paymaster Exploitation | ERC-4337 paymaster no limits | — |
| ETH-093 | Validation-Execution Confusion | ERC-4337 phase side effects | — |
| ETH-094 | V4 Hook Auth Bypass | Hook callback without msg.sender check | — |
## 5. Confidence Scoring

| Score | Meaning | Action |
|---|---|---|
| 0.9-1.0 | Definite vulnerability | Report as confirmed |
| 0.7-0.9 | High likelihood | Report with evidence |
| 0.5-0.7 | Possible issue | Mark as "Review Required" |
| < 0.5 | Low confidence | Do not report |
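As an added example (not the page's own code and not Slither's), this Python cross-references a manual pattern hit with tool output and maps the resulting confidence onto the action table above. The tool output is a constructed excerpt in the shape Slither's `--json` detector results take (`results.detectors[].check` and `elements[].source_mapping.filename_relative` / `lines`), which is an assumption to verify against your Slither version; the score weights and the `RULE_TO_SLITHER` mapping are illustrative assumptions, while the thresholds and actions are the page's.

```python
import json

# Constructed Slither-style results (assumed shape; not real tool output).
SLITHER_JSON = json.dumps({
    "success": True,
    "results": {
        "detectors": [
            {
                "check": "reentrancy-eth",
                "impact": "High",
                "confidence": "Medium",
                "elements": [
                    {
                        "type": "function",
                        "name": "withdraw",
                        "source_mapping": {
                            "filename_relative": "contracts/Vault.sol",
                            "lines": [10, 11, 12, 13, 14, 15],
                        },
                    }
                ],
            }
        ]
    },
})

# Assumed mapping from the page's rule IDs to the Slither checks that corroborate them.
RULE_TO_SLITHER = {
    "ETH-001": {"reentrancy-eth", "reentrancy-no-eth"},
    "ETH-007": {"tx-origin"},
    "ETH-018": {"unchecked-lowlevel", "unchecked-send"},
}

# The page's thresholds (lower bound inclusive); anything below 0.5 is not reported.
ACTIONS = [
    (0.9, "Report as confirmed"),
    (0.7, "Report with evidence"),
    (0.5, 'Mark as "Review Required"'),
]


def slither_corroborates(results_json: str, rule: str, file: str, line: int) -> bool:
    """True if a mapped Slither detector covers the same file and line."""
    checks = RULE_TO_SLITHER.get(rule, set())
    data = json.loads(results_json)
    for det in data.get("results", {}).get("detectors", []):
        if det.get("check") not in checks:
            continue
        for el in det.get("elements", []):
            sm = el.get("source_mapping", {})
            if sm.get("filename_relative") == file and line in sm.get("lines", []):
                return True
    return False


def score(manual_hit: bool, slither_hit: bool, second_tool_hit: bool, mitigated: bool) -> float:
    """Illustrative weights (assumption): manual match alone is 'possible issue'."""
    s = 0.0
    if manual_hit:
        s += 0.5
    if slither_hit:
        s += 0.3
    if second_tool_hit:
        s += 0.1
    if mitigated:          # e.g. a reentrancy guard on the same path
        s -= 0.2
    return max(0.0, min(1.0, round(s, 2)))


def action_for(score_value: float) -> str:
    for bound, action in ACTIONS:
        if score_value >= bound:
            return action
    return "Do not report"


def triage(rule: str, file: str, line: int, results_json: str,
           second_tool_hit: bool = False, mitigated: bool = False) -> dict:
    corroborated = slither_corroborates(results_json, rule, file, line)
    s = score(True, corroborated, second_tool_hit, mitigated)
    return {"rule": rule, "location": f"{file}:{line}", "confidence": s, "action": action_for(s)}


if __name__ == "__main__":
    print(triage("ETH-001", "contracts/Vault.sol", 12, SLITHER_JSON))
    print(triage("ETH-001", "contracts/Vault.sol", 12, SLITHER_JSON, second_tool_hit=True))
    print(triage("ETH-001", "contracts/Token.sol", 40, SLITHER_JSON))
```

A manual hit that Slither corroborates on the same line lands at 0.8 ("Report with evidence"); a second tool's agreement lifts it to 0.9 ("Report as confirmed"); an uncorroborated hit stays at 0.5 and is marked "Review Required", which is the point where the rationalizations in section 7 require further investigation rather than a report.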
## 6. Finding Format

````markdown
## [SEVERITY] ETH-XXX: Vulnerability Name

**Location**: `contracts/Vault.sol:123` (function_name)
**Confidence**: 0.XX
**Category**: Reentrancy/Access Control/Arithmetic/DeFi

### Description
[What the vulnerability is and why it's dangerous]

### Evidence
```solidity
// Vulnerable code from contracts/Vault.sol:123
[exact code snippet]
```

### Attack Scenario
- [Step-by-step exploit]

### Recommendation
```solidity
// Fixed code
[secure implementation]
```
````
## 7. Rationalizations to REJECT

| Rationalization | Required Action |
|---|---|
| "This looks vulnerable" | Find exact pattern match |
| "Probably missing check" | Verify absent in ALL paths |
| "Standard pattern, skip" | Document with evidence |
| "Low confidence is fine" | Investigate until >= 0.7 |
| "Solidity 0.8 handles it" | Check for unchecked blocks |