A Rust-Powered Security Scanner for Ethereum Smart Contracts

Tags: rust, ethereum, security, blockchain
By Teycir Ben Soltane


Why I Built This

Smart contract vulnerabilities cost billions in losses. Tools like Slither and Mythril are excellent for static analysis, but they're fixed in their detection capabilities. I wanted something different: a tool that gets stronger over time as the community adds patterns.

That's SCPF (Smart Contract Pattern Finder).

The key difference: SCPF is extensible by design. Every new exploit, every discovered vulnerability pattern can be added as a YAML template. The more templates you have, the more powerful the scanner becomes.


What It Does

SCPF scans Ethereum smart contracts for security vulnerabilities using customizable YAML templates.

Core features:

  • ✅ Pattern-based detection (reentrancy, delegatecall, unchecked calls)
  • ✅ Local .sol file scanning
  • ✅ Git diff scanning (only changed files)
  • ✅ GitHub Actions integration with SARIF output
  • ✅ Cascade API key system (up to 6 Etherscan keys with automatic failover)

How It Works

1️⃣ Define Patterns in YAML

id: reentrancy-basic
name: Basic Reentrancy Pattern
severity: high
patterns:
  - id: external-call-with-value
    pattern: '\.call\{value:'
    message: External call with value transfer detected

2️⃣ Scan Contracts

# Scan deployed contract
scpf scan 0x1234567890abcdef --chains ethereum

# Scan local project
scpf scan

# Scan only changed files
scpf scan --diff main..HEAD

3️⃣ Get Results

Output formats: console, JSON, or SARIF (for CI/CD).
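To make the three steps concrete, here is an added example (my own illustration, not SCPF's code) that turns the reentrancy-basic template above into a scanner over a constructed Solidity snippet. It uses a plain substring in place of the regex so it builds with std only, and adds an illustrative context filter of the kind the post calls "context-aware filtering": a hit is kept only if a state write follows the external call inside the same function body. That filter is my assumption of how such a check could look, not SCPF's logic.

```rust
// Added example, not SCPF's own code: a minimal pattern scanner in the spirit
// of the YAML template above, std only (substring match instead of regex).
pub struct Pattern { pub id: &'static str, pub pattern: &'static str, pub message: &'static str }
pub struct Finding { pub pattern_id: String, pub line: usize, pub message: String }
/// Mirrors the `reentrancy-basic` template; ".call{value:" stands in for `\.call\{value:`.
pub const REENTRANCY_BASIC: &[Pattern] = &[Pattern {
    id: "external-call-with-value",
    pattern: ".call{value:",
    message: "External call with value transfer detected",
}];

/// Constructed sample: `withdrawBad` writes state after the call, `withdrawGood` before it.
pub const SAMPLE: &str = r#"contract Vault {
    function withdrawBad() external {
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
        balances[msg.sender] = 0;
    }
    function withdrawGood() external {
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
    }
}"#;
/// Step 2 of the post: scan the source line by line, one finding per pattern hit.
pub fn scan(source: &str, patterns: &[Pattern]) -> Vec<Finding> {
    let mut out = Vec::new();
    for (idx, text) in source.lines().enumerate() {
        for p in patterns.iter().filter(|p| text.contains(p.pattern)) {
            out.push(Finding { pattern_id: p.id.to_string(), line: idx + 1, message: p.message.to_string() });
        }
    }
    out
}

/// Heuristic: a mapping/array write is an `=` (not `==`) that comes after a `[`.
fn is_state_write(text: &str) -> bool {
    matches!((text.find('['), text.find('=')), (Some(b), Some(e)) if b < e && !text.contains("=="))
}
/// Illustrative context filter (my assumption, not SCPF's logic): keep a hit only
/// if a state write follows the call before the enclosing function body closes.
pub fn filter_reentrancy(source: &str, findings: Vec<Finding>) -> Vec<Finding> {
    let lines: Vec<&str> = source.lines().collect();
    findings.into_iter().filter(|f| {
        let mut depth = 0i32;
        for text in lines.iter().skip(f.line) { // lines after the matched call
            if is_state_write(text) { return true; }
            depth += text.matches('{').count() as i32 - text.matches('}').count() as i32;
            if depth < 0 { return false; } // left the function body: checks-effects-interactions held
        }
        false
    }).collect()
}
```

Running `filter_reentrancy(SAMPLE, scan(SAMPLE, REENTRANCY_BASIC))` reports only the `withdrawBad` call; the `withdrawGood` hit is dropped because no state write follows it.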


Real-World Use Cases

🔒 Security Auditors: Automate initial vulnerability detection before manual review.

DeFi Developers: Pre-deployment checks in CI/CD pipelines.

🎯 Bug Bounty Hunters: Batch scan multiple contracts quickly.

📚 Educators: Teach common vulnerability patterns with real examples.


Technical Highlights

🦀 Built with Rust

Fast, memory-safe, and concurrent. Handles large contracts efficiently.

🔑 Cascade API Key System

Configure up to 6 Etherscan API keys. If one hits rate limits, SCPF automatically rotates to the next. Zero downtime.

export ETHERSCAN_API_KEY="key-1"
export ETHERSCAN_API_KEY_2="key-2"
# ... up to key-6

Result: 30 calls/sec instead of 5 (with 6 free Etherscan accounts).
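The failover described above, as an added example written for this post (not SCPF's implementation): a key ring that reads the environment variable names shown, rotates to the next key when a request reports a rate limit, remembers its position for later calls, and gives up once every key has been tried. The `CallError` type and the closure-based request hook are my assumptions.

```rust
// Added example, not SCPF's own code: a key ring that mimics the cascade
// behaviour described above (rotate on rate limit, give up once every key
// has failed), std only. The env var names are the ones the post uses.
use std::env;

#[derive(Debug, PartialEq)]
pub enum CallError { RateLimited, AllKeysExhausted }

pub struct KeyRing { keys: Vec<String>, current: usize }

impl KeyRing {
    /// Load ETHERSCAN_API_KEY plus ETHERSCAN_API_KEY_2 .. ETHERSCAN_API_KEY_6, skipping unset ones.
    pub fn from_env() -> Self {
        let mut keys: Vec<String> = env::var("ETHERSCAN_API_KEY").into_iter().collect();
        keys.extend((2..=6).filter_map(|n| env::var(format!("ETHERSCAN_API_KEY_{n}")).ok()));
        Self::from_keys(keys)
    }

    pub fn from_keys(keys: Vec<String>) -> Self { KeyRing { keys, current: 0 } }

    /// Run `request` with the current key. On RateLimited, advance to the next key and
    /// retry; the ring keeps its position, so later calls start from the last good key.
    pub fn call<T>(&mut self, mut request: impl FnMut(&str) -> Result<T, CallError>)
        -> Result<T, CallError> {
        for _ in 0..self.keys.len() {
            let key = self.keys[self.current].clone();
            match request(&key) {
                Err(CallError::RateLimited) => self.current = (self.current + 1) % self.keys.len(),
                other => return other,
            }
        }
        Err(CallError::AllKeysExhausted)
    }
}
```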

🤖 GitHub Actions Integration

- uses: teycir/smartcontractpatternfinder@v1
  with:
    severity: high
    output-format: sarif

Findings appear directly in GitHub's Security tab.

🏗️ Modular Architecture

  • scpf-types: Core data structures
  • scpf-core: Scanning engine with semantic analysis
  • scpf-cli: Command-line interface
  • scpf-server: Optional web dashboard

Current Limitations

⚠️ Ethereum only: Currently supports Ethereum mainnet via Etherscan API. Multi-chain support (BSC, Polygon, Arbitrum) is planned but not yet implemented.

⚠️ Pattern-based detection: SCPF finds patterns you define. It's not a symbolic execution engine like Mythril. Best used as a first-pass filter before deeper analysis.

⚠️ False positives: Context-aware filtering reduces obvious false positives, but manual review is still needed.


Getting Started

Installation

git clone https://github.com/Teycir/smartcontractpatternfinder.git
cd smartcontractpatternfinder
cargo build --release

Quick Scan

scpf init
scpf scan 0xYourContractAddress --chains ethereum

CI/CD Integration

Add to .github/workflows/security.yml:

name: Security Scan
on: [push, pull_request]

jobs:
  scpf:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: teycir/smartcontractpatternfinder@v1

Roadmap

  • 🌐 Multi-chain support: BSC, Polygon, Arbitrum, Optimism, Base
  • 📦 Template marketplace: Community-contributed patterns
  • 🤖 AI-assisted pattern generation: Suggest patterns from exploit reports
  • 🧠 Enhanced semantic analysis: Reduce false positives further

Open Source & MIT Licensed

SCPF is fully open source under MIT license. Contributions welcome.



Try It Out

If you're working with Ethereum smart contracts, give SCPF a try. It won't replace manual audits, but it can catch common issues early.

Feedback and contributions are welcome. Let's make smart contract security more accessible. 🚀
