# Analysis Methods
Good security work layers methods. No scanner, fuzzer, formal spec, AI model, or manual review is enough alone. Use each method for what it is good at, then tie the evidence back to protocol invariants and realistic impact.
## Static Analysis
Static analysis is the fastest way to build code understanding, catch common patterns, and generate review leads. Treat findings as hypotheses until a human confirms exploitability.
| Resource | Tier | Best use |
|---|---|---|
| Slither | Use in real audits | Solidity static analysis, inheritance graphs, printers, and custom detectors. |
| Aderyn | Use in real audits | Auditor-friendly reports and Solidity issue triage. |
| Semgrep | Use in real audits | Custom rules for Solidity, TypeScript, APIs, CI, and offchain code. |
| Solhint | Use in real audits | Solidity linting and lightweight policy checks. |
| Mythril | Situational / advanced | Bytecode-level symbolic analysis and bug hunting. |
| Wake | Watchlist | Python-based Solidity testing and analysis framework. |
## Dynamic Analysis and Debugging
Dynamic analysis shows what actually happens under realistic state, forked chains, malicious inputs, and transaction traces.
| Resource | Tier | Best use |
|---|---|---|
| Foundry Fork Testing | Must learn | Reproduce mainnet incidents and validate exploit paths against live state. |
| Tenderly | Use in real audits | Transaction simulation, forks, trace debugging, and alerting. |
| Etherscan | Use in real audits | Contract, tx, event, proxy, and verification inspection. |
| Dune | Situational / advanced | On-chain data analysis, incident queries, and dashboards. |
| DeFiHackLabs | Must learn | Historical exploit reproduction with runnable tests. |
## Fuzzing and Invariants
Fuzzing is strongest when the team can state what must always be true: conserved assets, bounded debt, correct accounting, role restrictions, and safe state transitions.
| Resource | Tier | Best use |
|---|---|---|
| Foundry Invariant Testing | Must learn | Fast invariant tests inside the normal EVM workflow. |
| Echidna | Use in real audits | Property-based Solidity fuzzing. |
| Medusa | Use in real audits | High-performance stateful EVM fuzzing. |
| ItyFuzz | Situational / advanced | Snapshot-based smart contract fuzzing and exploit generation research. |
| Wake | Watchlist | Python-driven tests, fuzzing, and Solidity analysis. |
## Symbolic Execution and Formal Verification
Use symbolic and formal methods when assets are high value, invariants are precise, and implementation risk justifies the extra modeling effort.
| Resource | Tier | Best use |
|---|---|---|
| Halmos | Use in real audits | Symbolic execution over Foundry tests. |
| hevm | Situational / advanced | EVM symbolic execution and low-level debugging. |
| Certora Prover | Paid / certification | Specification-driven verification for critical protocols. |
| Kontrol | Situational / advanced | Foundry-integrated formal verification using K semantics. |
| K Framework | Situational / advanced | Semantics framework used for rigorous execution models. |
| Move Prover | Situational / advanced | Specification and verification for Move modules. |
## AI-Assisted Analysis
AI can speed up code reading, invariant discovery, test scaffolding, and report drafting. It must not be trusted as the source of truth. Always verify with code, tests, traces, and manual reasoning.
| Resource | Tier | Best use |
|---|---|---|
| Pashov AI Web3 Security | Must learn | Curated list of AI Web3 security tools and skills. |
| Pashov Skills | Use in real audits | Solidity auditor and x-ray skills for AI-assisted review. |
| Octane Security | Paid / certification | Commercial AI-assisted review tool to evaluate carefully. |
| Nethermind AuditAgent | Watchlist | Nethermind-backed AI audit agent; verify outputs manually. |
| TestMachine EVMbench | Watchlist | Benchmark context for AI EVM security performance. |
| Paradigm EVMbench | Watchlist | Research framing for EVM exploit-generation benchmarks. |
| OpenAI EVMbench | Watchlist | Benchmark framing for evaluating EVM exploit reasoning. |
| Re-Evaluating EVMBench | Watchlist | Cautionary paper for interpreting EVMbench-style results. |
## Pentesting and Offchain Review
Most production incidents are not purely contract bugs. Dapps also have auth, APIs, admin panels, DNS, CI/CD, secrets, support tooling, and wallet UX.
| Resource | Tier | Best use |
|---|---|---|
| Burp Suite | Must learn | Web/API testing, authz checks, and request tampering. |
| OWASP ZAP | Use in real audits | Open-source web app scanning and proxy testing. |
| OWASP WSTG | Must learn | Structured web testing methodology. |
| OWASP ASVS | Must learn | Application security control baseline. |
| Socket | Use in real audits | JavaScript package and install-time risk visibility. |
| VANTAGE by DigiBastion | Watchlist | External domain, DNS, frontend, phishing, and Web3 trust-risk monitoring. |