
evm-analysis

// Deep EVM bytecode analysis and decompilation capabilities for smart contract security, gas optimization, and reverse engineering. Provides tools for analyzing opcodes, storage layouts, proxy patterns, and bytecode verification.

stars: 384
forks: 73
updated: March 4, 2026
SKILL.md Frontmatter
name: evm-analysis
description: Deep EVM bytecode analysis and decompilation capabilities for smart contract security, gas optimization, and reverse engineering. Provides tools for analyzing opcodes, storage layouts, proxy patterns, and bytecode verification.
allowed-tools: Read, Grep, Write, Bash, Edit, Glob, WebFetch

EVM/Bytecode Analysis Skill

Expert-level EVM bytecode analysis and decompilation for smart contract security audits, gas optimization, and reverse engineering.

Capabilities

  • Bytecode Analysis: Analyze EVM bytecode and opcodes
  • Gas Cost Calculation: Calculate gas costs per operation
  • Storage Layout Identification: Identify storage slot layouts and packing
  • Decompilation: Decompile bytecode to pseudo-Solidity
  • Proxy Analysis: Analyze proxy implementation slots (EIP-1967)
  • Pattern Detection: Detect bytecode patterns (CREATE2, selfdestruct)
  • Bytecode Verification: Verify contract bytecode against source

MCP Server Integration

This skill can leverage the following MCP servers:

| Server | Purpose | Install |
|---|---|---|
| EVM MCP Tools | Smart contract auditing, security analysis | 0xGval/evm-mcp-tools |
| Solidity Contract Analyzer | Contract code analysis with metadata | Skywork |

Opcode Reference

Common EVM opcodes and gas costs:

| Category | Opcodes | Base Gas |
|---|---|---|
| Arithmetic | ADD, SUB, MUL, DIV | 3-5 |
| Comparison | LT, GT, EQ, ISZERO | 3 |
| Bitwise | AND, OR, XOR, NOT, SHL, SHR | 3 |
| Memory | MLOAD, MSTORE | 3 + memory expansion |
| Storage | SLOAD | 100 (warm) / 2100 (cold) |
| Storage | SSTORE | 100-20000 (varies) |
| Control | JUMP, JUMPI | 8-10 |
| Call | CALL, DELEGATECALL, STATICCALL | 100 + memory + value |

Storage Layout Analysis

Standard Slot Patterns

// Basic types (slot 0, 1, 2...)
uint256 public a;     // slot 0
uint256 public b;     // slot 1

// Packed storage
uint128 public c;     // slot 2, bytes 0-15
uint128 public d;     // slot 2, bytes 16-31

// Mappings: value at keccak256(key . slot), where "." concatenates the
// 32-byte-padded key and the 32-byte slot number
mapping(address => uint256) public balances;  // slot 3
// balances[addr] at keccak256(addr . 3)

// Dynamic arrays: length at slot, data at keccak256(slot)
uint256[] public arr; // length at slot 4, arr[i] at keccak256(4) + i

EIP-1967 Proxy Slots

Implementation: 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
Admin:          0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
Beacon:         0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50

Bytecode Patterns

Contract Creation

PUSH1 0x80          // Free memory pointer
PUSH1 0x40
MSTORE
...
CODECOPY            // Copy runtime code
RETURN              // Return runtime code

Selector Dispatch

PUSH4 <selector>    // 4-byte function selector
EQ                  // Compare with calldata[0:4]
PUSH2 <offset>      // Jump destination
JUMPI               // Jump if match

Common Vulnerability Patterns

// Reentrancy indicator: CALL before SSTORE
CALL
...
SSTORE

// Unchecked return: CALL without ISZERO check
CALL
// Missing: ISZERO, JUMPI for error handling

// Self-destruct (deprecated but detectable)
SELFDESTRUCT
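
The selector-dispatch and vulnerability patterns above can only be matched reliably after PUSH immediates are skipped, because constant data can contain bytes such as 0xff or 0x55. The following is an added example, not the skill's own code; the function names and the sample bytecode are constructed for illustration.

```javascript
// Added example, not the skill's own code. Opcode values follow the EVM
// instruction set; function names and SAMPLE are constructed for illustration.
const NAMES = { 0x00: 'STOP', 0x14: 'EQ', 0x15: 'ISZERO', 0x55: 'SSTORE', 0x56: 'JUMP',
  0x57: 'JUMPI', 0x5b: 'JUMPDEST', 0x5f: 'PUSH0', 0xf1: 'CALL', 0xff: 'SELFDESTRUCT' };

function disassemble(hex) {
  const code = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  const ops = [];
  for (let pc = 0; pc < code.length; pc++) {
    const b = code[pc];
    if (b >= 0x60 && b <= 0x7f) {               // PUSH1..PUSH32 carry 1..32 immediate bytes
      const n = b - 0x5f;
      ops.push({ pc, op: 'PUSH' + n, arg: code.subarray(pc + 1, pc + 1 + n).toString('hex') });
      pc += n;                                  // skip immediates: they are data, not opcodes
    } else {
      ops.push({ pc, op: NAMES[b] || 'OP_' + b.toString(16).padStart(2, '0') });
    }
  }
  return ops;
}

function analyze(hex) {
  const ops = disassemble(hex);
  const report = { selectors: {}, uncheckedCalls: [], callThenSstore: [], selfdestruct: [] };
  let lastCall = null;
  ops.forEach((o, i) => {
    const after = ops.slice(i + 1, i + 7).map((x) => x.op);
    // Dispatcher entry: PUSH4 <selector>, EQ, PUSH2 <offset>, JUMPI
    if (o.op === 'PUSH4' && after[0] === 'EQ' && after[1] === 'PUSH2' && after[2] === 'JUMPI')
      report.selectors['0x' + o.arg] = parseInt(ops[i + 2].arg, 16);
    if (o.op === 'CALL') {
      lastCall = o.pc;
      // Heuristic: a checked call tests the success flag (ISZERO ... JUMPI) shortly after
      if (!(after.includes('ISZERO') && after.includes('JUMPI'))) report.uncheckedCalls.push(o.pc);
    }
    // Linear-order indicator only; confirm on the control-flow graph before reporting
    if (o.op === 'SSTORE' && lastCall !== null)
      report.callThenSstore.push({ call: lastCall, sstore: o.pc });
    if (o.op === 'SELFDESTRUCT') report.selfdestruct.push(o.pc);
  });
  return report;
}

// Constructed sample: dispatcher entry for 0xa9059cbb, a PUSH2 whose data is 0xff55,
// then JUMPDEST, CALL, POP, SSTORE, STOP.
const SAMPLE = '0x608060405263a9059cbb146100145761ff5550005bf1505500';
console.log(JSON.stringify(analyze(SAMPLE)));
```

The 0xff and 0x55 bytes inside the PUSH2 operand are not reported; only the real SSTORE at offset 23 is.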

Workflow

1. Fetch Contract Bytecode

# Using cast (Foundry)
cast code <address> --rpc-url <rpc>

# Using curl
curl -X POST <rpc> \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_getCode","params":["<address>","latest"],"id":1}'

2. Analyze Opcodes

# Disassemble with cast
cast disassemble <bytecode>

# Or use online tools
# - evm.codes/playground
# - ethervm.io/decompile

3. Storage Slot Analysis

# Read specific storage slot
cast storage <address> <slot> --rpc-url <rpc>

# Read EIP-1967 implementation slot
cast storage <address> 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc --rpc-url <rpc>

4. Bytecode Comparison

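# Get deployed (runtime) bytecode
cast code <address> --rpc-url <rpc> > deployed.bin

# Compile source and extract the runtime bytecode (not the creation code)
forge build
forge inspect Contract deployedBytecode > compiled.bin

# Differences limited to the trailing metadata or to immutable values
# do not by themselves mean the source is different
diff deployed.bin compiled.bin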
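
A byte-for-byte diff often fails only because of the CBOR metadata that solc appends to runtime code (its last two bytes hold the metadata length). The following added example, which is not part of the skill, compares two runtime bytecodes with that trailer split off; the function names and the shortened sample trailers are constructed.

```javascript
// Added example, not the skill's own code. Function names and samples are constructed.
// solc appends CBOR metadata to runtime code; the final two bytes are its big-endian length.
function splitMetadata(hex) {
  const code = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  const none = { body: code, metadata: Buffer.alloc(0) };
  if (code.length < 2) return none;
  const len = code.readUInt16BE(code.length - 2);
  const start = code.length - 2 - len;
  // Accept only a plausible trailer: in range and opening with a small CBOR map (0xa1..0xa4)
  if (len === 0 || start < 0 || code[start] < 0xa1 || code[start] > 0xa4) return none;
  return { body: code.subarray(0, start), metadata: code.subarray(start, code.length - 2) };
}

function compareRuntime(deployedHex, compiledHex) {
  const d = splitMetadata(deployedHex);
  const c = splitMetadata(compiledHex);
  if (d.body.equals(c.body)) {
    return { status: d.metadata.equals(c.metadata) ? 'exact' : 'match-except-metadata' };
  }
  if (d.body.length !== c.body.length) return { status: 'mismatch-length' };
  // Same length: report the first differing offset so it can be checked by hand
  // (for example, an immutable value filled in at deployment)
  let i = 0;
  while (i < d.body.length && d.body[i] === c.body[i]) i++;
  return { status: 'mismatch', offset: i };
}

// Constructed samples: a 9-byte body and shortened trailers {"solc": 0.8.20} / {"solc": 0.8.19}
const BODY = '6080604052600080fd';
const META_A = 'a164736f6c6343000814000a';
const META_B = 'a164736f6c6343000813000a';
console.log(compareRuntime('0x' + BODY + META_A, '0x' + BODY + META_B));
```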

Process Integration

This skill integrates with the following processes:

  • gas-optimization.js - Identify gas-heavy opcodes
  • smart-contract-security-audit.js - Bytecode-level vulnerability detection
  • smart-contract-upgrade.js - Proxy slot verification
  • formal-verification.js - Bytecode correctness verification

Tools Reference

| Tool | Purpose | URL |
|---|---|---|
| Foundry Cast | CLI bytecode interaction | foundry-rs/foundry |
| evm.codes | Opcode reference | evm.codes |
| Dedaub | Decompiler | dedaub.com |
| Heimdall | Advanced decompiler | heimdall-rs |
| panoramix | Python decompiler | eveem.org |

Example Analysis

// Analyze proxy contract
const analysis = {
  type: 'proxy',
  pattern: 'EIP-1967 Transparent',
  implementation: '0x...',
  admin: '0x...',

  // Storage layout
  storageSlots: {
    0: { name: '_initialized', type: 'uint8' },
    1: { name: '_initializing', type: 'bool' },
    // ...
  },

  // Function selectors
  selectors: {
    '0xa9059cbb': 'transfer(address,uint256)',
    '0x23b872dd': 'transferFrom(address,address,uint256)',
    // ...
  },

  // Gas hotspots
  gasHotspots: [
    { offset: 0x1a4, opcode: 'SSTORE', context: 'balance update' },
    { offset: 0x2f0, opcode: 'CALL', context: 'external call' }
  ]
};

See Also

  • skills/gas-optimization/SKILL.md - Gas optimization techniques
  • agents/solidity-auditor/AGENT.md - Security audit agent
  • references.md - External resources