{"id":20450953,"url":"https://github.com/danhper/evm-analyzer","last_synced_at":"2026-03-02T22:10:41.902Z","repository":{"id":130251503,"uuid":"162846675","full_name":"danhper/evm-analyzer","owner":"danhper","description":"Code for Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited","archived":false,"fork":false,"pushed_at":"2020-10-31T16:58:40.000Z","size":293,"stargazers_count":24,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-26T20:04:12.229Z","etag":null,"topics":["blockchain","ethereum","program-analysis","smart-contracts"],"latest_commit_sha":null,"homepage":"https://arxiv.org/abs/1902.06710","language":"OCaml","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danhper.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-22T22:27:39.000Z","updated_at":"2025-01-26T01:06:51.000Z","dependencies_parsed_at":"2023-04-09T03:16:02.449Z","dependency_job_id":null,"html_url":"https://github.com/danhper/evm-analyzer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danhper%2Fevm-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danhper%2Fevm-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danhper%2Fevm-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danhper%2Fevm-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/danhper","download_url":"https://codeload.github.com/danhper/evm-analyzer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248657837,"owners_count":21140842,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blockchain","ethereum","program-analysis","smart-contracts"],"created_at":"2024-11-15T10:55:45.723Z","updated_at":"2026-03-02T22:10:36.831Z","avatar_url":"https://github.com/danhper.png","language":"OCaml","funding_links":[],"categories":[],"sub_categories":[],"readme":"# evm-analyzer\n\nSet of analysis tools for EVM bytecode and in particular, for EVM execution traces.\n\n## Build \u0026 Installation\n\nThe tool is written in OCaml and will therefore requires an OCaml compiler.\nThe software is tested using OCaml 4.09, which we recommend.\n\nInstallation steps\n\n```\ngit clone https://github.com/danhper/evm-analyzer.git\ncd evm-analyzer\nopam switch create ./ 4.09.1\neval $(opam config env) # activate the switch if needed\n```\n\nIf everything succeeded, the command `evm-analyzer` should be available.\n\n## Usage\n\nThe available commands can be displayed using `evm-analyzer help`\n\n\n### `opcodes` command\n\nOpcodes can be shown from raw bytecode.\nAn improvement over some other decompilers is that this accepts `solc` combined JSON format and can output where the instruction comes from using the compiler sourcemap.\nThe file needs to be compiled with: `solc --combined-json bin-runtime,srcmap-runtime Contract.sol \u003e contract.json`. The format outputted by Truffle is also supported.\nOpcodes can then been viewed with\n\n```\nevm-analyzer opcodes -contract-name Contract contract.json -show-sourcemap\n```\n\nNote that the `-contract-name` option is only needed when multiple contracts are defined in the same file.\n`-show-pc` option can also be passed to view the program counter next to the bytecode.\n\nThe output should look similar to the following:\n\n```\n0 PUSH1 0x80 contracts/Treasury.sol:7:1-23:0\n2 PUSH1 0x40 contracts/Treasury.sol:7:1-23:0\n4 MSTORE contracts/Treasury.sol:7:1-23:0\n5 CALLVALUE contracts/Treasury.sol:7:1-23:0\n6 DUP1 contracts/Treasury.sol:7:1-23:0\n7 ISZERO contracts/Treasury.sol:7:1-23:0\n8 PUSH2 0x10 contracts/Treasury.sol:7:1-23:0\n11 JUMPI contracts/Treasury.sol:7:1-23:0\n12 PUSH1 0x0 contracts/Treasury.sol:7:1-23:0\n14 DUP1 contracts/Treasury.sol:7:1-23:0\n15 REVERT contracts/Treasury.sol:7:1-23:0\n16 JUMPDEST contracts/Treasury.sol:7:1-23:0\n```\n\n### `analyze-traces` command\n\n`analyze-traces` allows to analyze traces returned by `debug.traceTransaction`.\nA couple of sample traces are available in [`test/fixtures`](./test/fixtures).\nTraces for a particular transaction can be generated using the following command.\n\n```\ngeth attach GETH_URL --exec 'console.log(JSON.stringify(debug.traceTransaction(\"TX_ID\")))' | head -n-1 \u003e traces.json\n```\n\nNote that GETH_URL must point to a node with archive data.\n\nThe traces can then be analyzed using the following command:\n\n```\nevm-analyzer analyze-traces traces.json 'QUERY'\n```\n\nThe query must be either the name of a vulnerability or a Datalog query.\nThe available vulnerabilities are:\n\n* integer-overflow\n* unhandled-exception\n* locked-ether\n* reentrancy\n* tod\n* unrestricted-action\n\nThe different Datalog queries available can be found in [`datalog/clauses.pl`](./datalog/clauses.pl).\n\nFor example, to show the reentrancy issues in The DAO logs, the following command can be used:\n\n```\nevm-analyzer analyze-traces test/fixtures/0xb717a196ef8a20dd1cd91835fd2287704b5edbea7f15483d95f8a231c050118d-dao.json.gz reentrancy -contract-address 0x969837498944ae1dc0dcac2d0c65634c88729b2d \u003e results.json\n```\n\nNote that for reentrancy, the contract address should be passed explicitly as it is not present in the traces.\n\n\n### `analyze-results` command\n\nThis command is used to analyze the output of `analyze-traces`, as it can sometimes be quite verbose.\nFor example, to get an aggregate value of the analysis run with `analyze-traces`, the following command can be used:\n\n```\nevm-analyzer analyze-result reentrancy results.json -min-value 1\n```\n\nNote that this is currently only available for `reentrancy` and `unhandled-exception`.\n\n\nThe other commands are mostly wrappers around `analyze-traces`.\n\n## Academic work\n\nThis has been developed as part of the paper [Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited](https://arxiv.org/abs/1902.06710), to appear at [USENIX Security'21](https://www.usenix.org/conference/usenixsecurity21).\nIf you find this work is useful, we would be grateful if you could cite it:\n\n```\n@article{DBLP:journals/corr/abs-1902-06710,\n  author    = {Daniel Perez and\n               Benjamin Livshits},\n  title     = {Smart Contract Vulnerabilities: Does Anyone Care?},\n  journal   = {CoRR},\n  volume    = {abs/1902.06710},\n  year      = {2019},\n  url       = {http://arxiv.org/abs/1902.06710},\n  archivePrefix = {arXiv},\n  eprint    = {1902.06710},\n  timestamp = {Thu, 18 Jun 2020 10:16:16 +0200},\n  biburl    = {https://dblp.org/rec/journals/corr/abs-1902-06710.bib},\n  bibsource = {dblp computer science bibliography, https://dblp.org}\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanhper%2Fevm-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanhper%2Fevm-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanhper%2Fevm-analyzer/lists"}