Babysitter evm-analysis
Deep EVM bytecode analysis and decompilation capabilities for smart contract security, gas optimization, and reverse engineering. Provides tools for analyzing opcodes, storage layouts, proxy patterns, and bytecode verification.
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/cryptography-blockchain/skills/evm-analysis" ~/.claude/skills/a5c-ai-babysitter-evm-analysis && rm -rf "$T"
manifest: library/specializations/cryptography-blockchain/skills/evm-analysis/SKILL.md
EVM/Bytecode Analysis Skill
Expert-level EVM bytecode analysis and decompilation for smart contract security audits, gas optimization, and reverse engineering.
Capabilities
- Bytecode Analysis: Analyze EVM bytecode and opcodes
- Gas Cost Calculation: Calculate gas costs per operation
- Storage Layout Identification: Identify storage slot layouts and packing
- Decompilation: Decompile bytecode to pseudo-Solidity
- Proxy Analysis: Analyze proxy implementation slots (EIP-1967)
- Pattern Detection: Detect bytecode patterns (CREATE2, selfdestruct)
- Bytecode Verification: Verify contract bytecode against source
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Purpose | Install |
|---|---|---|
| EVM MCP Tools | Smart contract auditing, security analysis | 0xGval/evm-mcp-tools |
| Solidity Contract Analyzer | Contract code analysis with metadata | Skywork |
Opcode Reference
Common EVM opcodes and gas costs:
| Category | Opcodes | Base Gas |
|---|---|---|
| Arithmetic | ADD, SUB, MUL, DIV | 3-5 |
| Comparison | LT, GT, EQ, ISZERO | 3 |
| Bitwise | AND, OR, XOR, NOT, SHL, SHR | 3 |
| Memory | MLOAD, MSTORE | 3 + memory expansion |
| Storage | SLOAD | 100 (warm) / 2100 (cold) |
| Storage | SSTORE | 100-20000 (varies) |
| Control | JUMP, JUMPI | 8-10 |
| Call | CALL, DELEGATECALL, STATICCALL | 100 + memory + value |
Storage Layout Analysis
Standard Slot Patterns
```solidity
// Basic types (slot 0, 1, 2...)
uint256 public a; // slot 0
uint256 public b; // slot 1

// Packed storage
uint128 public c; // slot 2, bytes 0-15
uint128 public d; // slot 2, bytes 16-31

// Mappings: keccak256(key . slot)
mapping(address => uint256) public balances; // slot 3
// balances[addr] at keccak256(addr . 3)

// Dynamic arrays: length at slot, data at keccak256(slot)
uint256[] public arr; // length at slot 4, arr[i] at keccak256(4) + i
```
EIP-1967 Proxy Slots
```text
Implementation: 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
Admin:          0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
Beacon:         0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50
```
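The slot rules and EIP-1967 constants above can be recomputed rather than trusted. This is an added example, not code from the skill; the function names are hypothetical. Node has no built-in Keccak-256 (its `sha3-256` uses the NIST padding), so the block carries a small implementation.

```javascript
// Added example (not from the skill): Keccak-256 as the EVM uses it, then slot math.
const M64 = (1n << 64n) - 1n;
const rol = (v, n) => ((v << BigInt(n % 64)) | (v >> BigInt(64 - (n % 64)))) & M64;

function keccakF(s) { // s: 25 BigInt lanes, lane (x, y) stored at index x + 5*y
  let R = 1;
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((c) => s[c] ^ s[c + 5] ^ s[c + 10] ^ s[c + 15] ^ s[c + 20]);
    for (let i = 0; i < 25; i++) s[i] ^= C[(i + 4) % 5] ^ rol(C[(i + 1) % 5], 1); // theta
    let x = 1, y = 0, cur = s[1];
    for (let t = 0; t < 24; t++) { // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, s[x + 5 * y]] = [s[x + 5 * y], rol(cur, ((t + 1) * (t + 2)) / 2)];
    }
    for (let r = 0; r < 25; r += 5) { // chi
      const T = s.slice(r, r + 5);
      for (let i = 0; i < 5; i++) s[r + i] = T[i] ^ (~T[(i + 1) % 5] & T[(i + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) { // iota: round constant bits come from an LFSR
      R = ((R << 1) ^ ((R >> 7) * 0x71)) & 0xff;
      if (R & 2) s[0] ^= 1n << BigInt((1 << j) - 1);
    }
  }
}

function keccak256(bytes) { // Uint8Array/Buffer in, 32-byte Buffer out
  const RATE = 136, st = Buffer.alloc(200);
  const permute = () => {
    const lanes = Array.from({ length: 25 }, (_, i) => st.readBigUInt64LE(8 * i));
    keccakF(lanes);
    lanes.forEach((l, i) => st.writeBigUInt64LE(l, 8 * i));
  };
  let n = 0;
  for (const b of bytes) { st[n++] ^= b; if (n === RATE) { permute(); n = 0; } }
  st[n] ^= 0x01; st[RATE - 1] ^= 0x80; // original Keccak padding; NIST SHA3-256 uses 0x06
  permute();
  return st.subarray(0, 32);
}

const toBig = (buf) => BigInt('0x' + buf.toString('hex'));
const word = (v) => Buffer.from(BigInt(v).toString(16).padStart(64, '0'), 'hex'); // 32-byte word
const hex32 = (n) => '0x' + (n & ((1n << 256n) - 1n)).toString(16).padStart(64, '0');
// Mapping value: keccak256(key . slot), both operands padded to 32 bytes
const mappingSlot = (key, slot) => hex32(toBig(keccak256(Buffer.concat([word(key), word(slot)]))));
// Dynamic array element i: keccak256(slot) + i
const arrayElementSlot = (slot, i) => hex32(toBig(keccak256(word(slot))) + BigInt(i));
// EIP-1967 slot: keccak256(label) - 1, label such as 'eip1967.proxy.implementation'
const eip1967Slot = (label) => hex32(toBig(keccak256(Buffer.from(label, 'utf8'))) - 1n);
console.log(eip1967Slot('eip1967.proxy.implementation'));
```

A proxy whose implementation address sits in any slot other than the recomputed one is not following EIP-1967, and the `cast storage` read shown in the workflow would return zero for it.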
Bytecode Patterns
Contract Creation
```text
PUSH1 0x80    // Free memory pointer
PUSH1 0x40
MSTORE
...
CODECOPY      // Copy runtime code
RETURN        // Return runtime code
```
Selector Dispatch
```text
PUSH4 <selector>    // 4-byte function selector
EQ                  // Compare with calldata[0:4]
PUSH2 <offset>      // Jump destination
JUMPI               // Jump if match
```
Common Vulnerability Patterns
```text
// Reentrancy indicator: CALL before SSTORE
CALL
...
SSTORE

// Unchecked return: CALL without ISZERO check
CALL
// Missing: ISZERO, JUMPI for error handling

// Self-destruct (deprecated but detectable)
SELFDESTRUCT
```
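The selector-dispatch and vulnerability patterns above can be matched mechanically once PUSH immediates are skipped correctly. This is an added example, not code from the skill: a linear-sweep scanner whose function names and three-opcode ISZERO window are assumptions, and whose hits are triage indicators to confirm by reading the code.

```javascript
// Added example (not from the skill). Linear sweep; results are triage hints only.
const NAMES = { 0x14: 'EQ', 0x15: 'ISZERO', 0x55: 'SSTORE', 0x57: 'JUMPI',
                0xf1: 'CALL', 0xff: 'SELFDESTRUCT' };

// Decode bytecode into {pc, name, data}. PUSH1..PUSH32 (0x60-0x7f) carry 1-32
// immediate bytes that must be skipped, or data such as 0xff is misread as code.
function disassemble(hex) {
  const code = Buffer.from(hex.replace(/^0x/, ''), 'hex');
  const ops = [];
  for (let pc = 0; pc < code.length; pc++) {
    const op = code[pc];
    if (op >= 0x60 && op <= 0x7f) {
      const n = op - 0x5f;
      const data = code.subarray(pc + 1, pc + 1 + n).toString('hex'); // clamps if truncated
      ops.push({ pc, name: 'PUSH' + n, data });
      pc += n;
    } else {
      ops.push({ pc, name: NAMES[op] || 'OP_' + op.toString(16).padStart(2, '0') });
    }
  }
  return ops;
}

function scanPatterns(hex) {
  const ops = disassemble(hex);
  const out = { selectors: [], uncheckedCalls: [], callBeforeSstore: false, selfdestruct: [] };
  let sawCall = false;
  ops.forEach((o, i) => {
    // Selector dispatch as shown above: PUSH4 <selector>, EQ, PUSH2 <offset>, JUMPI
    if (o.name === 'PUSH4' && ops[i + 1]?.name === 'EQ' && ops[i + 3]?.name === 'JUMPI') {
      out.selectors.push('0x' + o.data);
    }
    if (o.name === 'CALL') {
      sawCall = true;
      // Assumption: a checked call tests the success flag within the next 3 opcodes
      if (!ops.slice(i + 1, i + 4).some((n) => n.name === 'ISZERO')) out.uncheckedCalls.push(o.pc);
    }
    if (o.name === 'SSTORE' && sawCall) out.callBeforeSstore = true;
    if (o.name === 'SELFDESTRUCT') out.selfdestruct.push(o.pc);
  });
  return out;
}

// Constructed sample: dispatch for transfer(address,uint256), PUSH1 0xff, CALL POP SSTORE
const SAMPLE = '0x63a9059cbb1461001057' + '60ff' + 'f15055';
console.log(scanPatterns(SAMPLE));
```

A linear sweep also decodes the metadata trailer and other data regions as if they were code, so offsets near the end of the bytecode deserve extra scepticism.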
Workflow
1. Fetch Contract Bytecode
```bash
# Using cast (Foundry)
cast code <address> --rpc-url <rpc>

# Using curl
curl -X POST <rpc> \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_getCode","params":["<address>","latest"],"id":1}'
```
2. Analyze Opcodes
```bash
# Disassemble with cast
cast disassemble <bytecode>

# Or use online tools
# - evm.codes/playground
# - ethervm.io/decompile
```
3. Storage Slot Analysis
```bash
# Read specific storage slot
cast storage <address> <slot> --rpc-url <rpc>

# Read EIP-1967 implementation slot
cast storage <address> 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc --rpc-url <rpc>
```
4. Bytecode Comparison
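```bash
# Get deployed (runtime) bytecode
cast code <address> --rpc-url <rpc> > deployed.bin

# Compile source and compare against the compiled runtime bytecode
# (the creation bytecode also contains constructor code and will not match)
forge build
forge inspect Contract deployedBytecode > compiled.bin
diff deployed.bin compiled.bin
```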
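A byte-for-byte diff fails on builds that differ only in the metadata trailer solc appends to runtime code (a CBOR blob followed by its 2-byte big-endian length). This added example, not part of the skill, strips a plausible trailer before comparing; the function names and sample bytecode are constructed for illustration.

```javascript
// Added example (not from the skill): compare runtime bytecode, ignoring solc metadata.
const toBuf = (hex) => Buffer.from(hex.trim().replace(/^0x/, ''), 'hex');

// Return the code without its metadata trailer, or unchanged if none is plausible.
function stripMetadata(hex) {
  const code = toBuf(hex);
  if (code.length < 2) return code;
  const cborLen = code.readUInt16BE(code.length - 2); // last 2 bytes: CBOR length
  const start = code.length - 2 - cborLen;
  if (cborLen === 0 || start < 0) return code;        // length does not fit: no trailer
  if (code[start] < 0xa0 || code[start] > 0xb7) return code; // must begin with a CBOR map header
  return code.subarray(0, start);
}

function compareRuntime(deployedHex, compiledHex) {
  if (toBuf(deployedHex).equals(toBuf(compiledHex))) return { verdict: 'exact', firstDiff: -1 };
  const a = stripMetadata(deployedHex);
  const b = stripMetadata(compiledHex);
  if (a.equals(b)) return { verdict: 'metadata-only', firstDiff: -1 };
  let i = 0;
  while (i < Math.min(a.length, b.length) && a[i] === b[i]) i++;
  return { verdict: 'code-differs', firstDiff: i };   // byte offset of first mismatch
}

// Constructed samples: identical code, trailers with different 34-byte ipfs hashes
const CODE = '6080604052600080fd';
const meta = (fill) => 'a264697066735822' + fill.repeat(34) + '64736f6c63430008140033';
const DEPLOYED = '0x' + CODE + meta('11');
const COMPILED = '0x' + CODE + meta('22');
console.log(compareRuntime(DEPLOYED, COMPILED));
```

A `code-differs` verdict is not automatically tampering: immutable variables are zero in the compiled runtime bytecode and filled in on chain, so check whether `firstDiff` falls on an immutable reference before concluding the source does not match.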
Process Integration
This skill integrates with the following processes:
- gas-optimization.js: Identify gas-heavy opcodes
- smart-contract-security-audit.js: Bytecode-level vulnerability detection
- smart-contract-upgrade.js: Proxy slot verification
- formal-verification.js: Bytecode correctness verification
Tools Reference
| Tool | Purpose | URL |
|---|---|---|
| Foundry Cast | CLI bytecode interaction | foundry-rs/foundry |
| evm.codes | Opcode reference | evm.codes |
| Dedaub | Decompiler | dedaub.com |
| Heimdall | Advanced decompiler | heimdall-rs |
| panoramix | Python decompiler | eveem.org |
Example Analysis
```javascript
// Analyze proxy contract
const analysis = {
  type: 'proxy',
  pattern: 'EIP-1967 Transparent',
  implementation: '0x...',
  admin: '0x...',

  // Storage layout
  storageSlots: {
    0: { name: '_initialized', type: 'uint8' },
    1: { name: '_initializing', type: 'bool' },
    // ...
  },

  // Function selectors
  selectors: {
    '0xa9059cbb': 'transfer(address,uint256)',
    '0x23b872dd': 'transferFrom(address,address,uint256)',
    // ...
  },

  // Gas hotspots
  gasHotspots: [
    { offset: 0x1a4, opcode: 'SSTORE', context: 'balance update' },
    { offset: 0x2f0, opcode: 'CALL', context: 'external call' }
  ]
};
```
See Also
- skills/gas-optimization/SKILL.md: Gas optimization techniques
- agents/solidity-auditor/AGENT.md: Security audit agent
- references.md: External resources