Agent skill

evm-analysis

Deep EVM bytecode analysis and decompilation capabilities for smart contract security, gas optimization, and reverse engineering. Provides tools for analyzing opcodes, storage layouts, proxy patterns, and bytecode verification.

View SKILL.md on GitHub Repository
Stars 514
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/cryptography-blockchain/skills/evm-analysis

SKILL.md

EVM/Bytecode Analysis Skill

Expert-level EVM bytecode analysis and decompilation for smart contract security audits, gas optimization, and reverse engineering.

Capabilities

  • Bytecode Analysis: Analyze EVM bytecode and opcodes
  • Gas Cost Calculation: Calculate gas costs per operation
  • Storage Layout Identification: Identify storage slot layouts and packing
  • Decompilation: Decompile bytecode to pseudo-Solidity
  • Proxy Analysis: Analyze proxy implementation slots (EIP-1967)
  • Pattern Detection: Detect bytecode patterns (CREATE2, selfdestruct)
  • Bytecode Verification: Verify contract bytecode against source

MCP Server Integration

This skill can leverage the following MCP servers:

Server Purpose Install
EVM MCP Tools Smart contract auditing, security analysis 0xGval/evm-mcp-tools
Solidity Contract Analyzer Contract code analysis with metadata Skywork

Opcode Reference

Common EVM opcodes and gas costs:

Category Opcodes Base Gas
Arithmetic ADD, SUB, MUL, DIV 3-5
Comparison LT, GT, EQ, ISZERO 3
Bitwise AND, OR, XOR, NOT, SHL, SHR 3
Memory MLOAD, MSTORE 3 + memory expansion
Storage SLOAD 100 (warm) / 2100 (cold)
Storage SSTORE 100-20000 (varies)
Control JUMP, JUMPI 8-10
Call CALL, DELEGATECALL, STATICCALL 100 + memory + value

Storage Layout Analysis

Standard Slot Patterns

solidity
// Basic types (slot 0, 1, 2...)
uint256 public a;     // slot 0
uint256 public b;     // slot 1

// Packed storage
uint128 public c;     // slot 2, bytes 0-15
uint128 public d;     // slot 2, bytes 16-31

// Mappings: keccak256(key . slot)
mapping(address => uint256) public balances;  // slot 3
// balances[addr] at keccak256(addr . 3)

// Dynamic arrays: length at slot, data at keccak256(slot)
uint256[] public arr; // length at slot 4, arr[i] at keccak256(4) + i

EIP-1967 Proxy Slots

Implementation: 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
Admin:          0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
Beacon:         0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50

Bytecode Patterns

Contract Creation

PUSH1 0x80          // Free memory pointer
PUSH1 0x40
MSTORE
...
CODECOPY            // Copy runtime code
RETURN              // Return runtime code

Selector Dispatch

PUSH4 <selector>    // 4-byte function selector
EQ                  // Compare with calldata[0:4]
PUSH2 <offset>      // Jump destination
JUMPI               // Jump if match

Common Vulnerability Patterns

// Reentrancy indicator: CALL before SSTORE
CALL
...
SSTORE

// Unchecked return: CALL without ISZERO check
CALL
// Missing: ISZERO, JUMPI for error handling

// Self-destruct (deprecated but detectable)
SELFDESTRUCT

Workflow

1. Fetch Contract Bytecode

bash
# Using cast (Foundry)
cast code <address> --rpc-url <rpc>

# Using curl
curl -X POST <rpc> \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_getCode","params":["<address>","latest"],"id":1}'

2. Analyze Opcodes

bash
# Disassemble with cast
cast disassemble <bytecode>

# Or use online tools
# - evm.codes/playground
# - ethervm.io/decompile

3. Storage Slot Analysis

bash
# Read specific storage slot
cast storage <address> <slot> --rpc-url <rpc>

# Read EIP-1967 implementation slot
cast storage <address> 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc --rpc-url <rpc>

4. Bytecode Comparison

bash
# Get deployed bytecode
cast code <address> --rpc-url <rpc> > deployed.bin

# Compile source and compare
forge build
diff deployed.bin out/Contract.sol/Contract.bin

Process Integration

This skill integrates with the following processes:

  • gas-optimization.js - Identify gas-heavy opcodes
  • smart-contract-security-audit.js - Bytecode-level vulnerability detection
  • smart-contract-upgrade.js - Proxy slot verification
  • formal-verification.js - Bytecode correctness verification

Tools Reference

Tool Purpose URL
Foundry Cast CLI bytecode interaction foundry-rs/foundry
evm.codes Opcode reference evm.codes
Dedaub Decompiler dedaub.com
Heimdall Advanced decompiler heimdall-rs
panoramix Python decompiler eveem.org

Example Analysis

javascript
// Analyze proxy contract
const analysis = {
  type: 'proxy',
  pattern: 'EIP-1967 Transparent',
  implementation: '0x...',
  admin: '0x...',

  // Storage layout
  storageSlots: {
    0: { name: '_initialized', type: 'uint8' },
    1: { name: '_initializing', type: 'bool' },
    // ...
  },

  // Function selectors
  selectors: {
    '0xa9059cbb': 'transfer(address,uint256)',
    '0x23b872dd': 'transferFrom(address,address,uint256)',
    // ...
  },

  // Gas hotspots
  gasHotspots: [
    { offset: 0x1a4, opcode: 'SSTORE', context: 'balance update' },
    { offset: 0x2f0, opcode: 'CALL', context: 'external call' }
  ]
};

See Also

  • skills/gas-optimization/SKILL.md - Gas optimization techniques
  • agents/solidity-auditor/AGENT.md - Security audit agent
  • references.md - External resources

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

a5c-ai/babysitter

gsd-tools

Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).

514 31
Explore
a5c-ai/babysitter

model-profile-resolution

Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.

514 31
Explore
a5c-ai/babysitter

verification-suite

Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.

514 31
Explore
a5c-ai/babysitter

state-management

STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.

514 31
Explore
a5c-ai/babysitter

git-integration

Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.

514 31
Explore
a5c-ai/babysitter

frontmatter-parsing

YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.

514 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results