Why I Built This
Smart contract vulnerabilities cost billions in losses. Tools like Slither and Mythril are excellent for static analysis, but they're fixed in their detection capabilities. I wanted something different: a tool that gets stronger over time as the community adds patterns.
That's SCPF (Smart Contract Pattern Finder).
The key difference: SCPF is extensible by design. Every new exploit, every discovered vulnerability pattern can be added as a YAML template. The more templates you have, the more powerful the scanner becomes.
What It Does
SCPF scans Ethereum smart contracts for security vulnerabilities using customizable YAML templates.
Core features:
- ✅ Pattern-based detection (reentrancy, delegatecall, unchecked calls)
- ✅ Local .sol file scanning
- ✅ Git diff scanning (only changed files)
- ✅ GitHub Actions integration with SARIF output
- ✅ Cascade API key system (up to 6 Etherscan keys with automatic failover)
How It Works
1️⃣ Define Patterns in YAML
id: reentrancy-basic
name: Basic Reentrancy Pattern
severity: high
patterns:
  - id: external-call-with-value
    pattern: '\.call\{value:'
    message: External call with value transfer detected
2️⃣ Scan Contracts
# Scan deployed contract
scpf scan 0x1234567890abcdef --chains ethereum
# Scan local project
scpf scan
# Scan only changed files
scpf scan --diff main..HEAD
3️⃣ Get Results
Output formats: console, JSON, or SARIF (for CI/CD).
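To make the three steps concrete, here is an added example (not SCPF's own code) of the whole loop in Python: the reentrancy template from the post, written as the dict that yaml.safe_load would return, plus a second delegatecall template constructed for this example, applied line by line to a constructed Solidity contract. It also sketches the kind of context-aware filtering the post mentions later: a hit on `.call{value:` inside a function marked `nonReentrant` is dropped. That suppression rule, the Finding layout and the console format are this example's assumptions, not SCPF's.

```python
import re
from dataclasses import dataclass

# Template copied from the post's YAML, written as the dict yaml.safe_load returns.
REENTRANCY_TEMPLATE = {
    "id": "reentrancy-basic",
    "name": "Basic Reentrancy Pattern",
    "severity": "high",
    "patterns": [
        {
            "id": "external-call-with-value",
            "pattern": r"\.call\{value:",
            "message": "External call with value transfer detected",
        }
    ],
}

# Second template constructed for this example; it is not shipped with SCPF.
DELEGATECALL_TEMPLATE = {
    "id": "delegatecall-basic",
    "name": "Delegatecall usage",
    "severity": "medium",
    "patterns": [
        {
            "id": "delegatecall",
            "pattern": r"\.delegatecall\(",
            "message": "delegatecall runs callee code in this contract's storage context",
        }
    ],
}

# Constructed Solidity input: an unguarded withdraw, a withdraw guarded by a
# nonReentrant modifier, and a delegatecall forwarder.
SAMPLE_SOL = """\
pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() public {
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
        require(ok);
        balances[msg.sender] = 0;
    }
    function safeWithdraw() public nonReentrant {
        uint256 amt = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok);
    }
    function forward(address impl, bytes memory data) public {
        (bool ok, ) = impl.delegatecall(data);
        require(ok);
    }
}
"""


@dataclass
class Finding:
    template_id: str
    pattern_id: str
    severity: str
    path: str
    line: int  # 1-based line number of the match
    message: str


def enclosing_function_header(lines, idx):
    """Return the nearest `function ...` line at or above lines[idx], or ''."""
    for i in range(idx, -1, -1):
        if re.search(r"\bfunction\b", lines[i]):
            return lines[i]
    return ""


def suppressed_by_context(template, header):
    """Hypothetical context filter (this example's assumption, not SCPF's rule):
    drop a reentrancy hit when the enclosing function carries nonReentrant."""
    return template["id"] == "reentrancy-basic" and "nonReentrant" in header


def scan_source(source, templates, path="Vault.sol"):
    """Run every pattern of every template over each source line."""
    lines = source.splitlines()
    findings = []
    for idx, text in enumerate(lines):
        header = enclosing_function_header(lines, idx)
        for tmpl in templates:
            for pat in tmpl["patterns"]:
                if not re.search(pat["pattern"], text):
                    continue
                if suppressed_by_context(tmpl, header):
                    continue
                findings.append(Finding(tmpl["id"], pat["id"], tmpl["severity"],
                                        path, idx + 1, pat["message"]))
    return findings


def format_console(findings):
    """Console report: one line per finding, severity first."""
    return "\n".join(
        f"[{f.severity.upper()}] {f.path}:{f.line} {f.template_id}/{f.pattern_id}: {f.message}"
        for f in findings)


if __name__ == "__main__":
    print(format_console(scan_source(SAMPLE_SOL, [REENTRANCY_TEMPLATE, DELEGATECALL_TEMPLATE])))
```

Running it reports the unguarded call on line 5 and the delegatecall on line 16; the guarded call on line 12 is filtered out. Note that this is exactly the limitation the post describes: the regex knows nothing about whether balances are zeroed before or after the call, so `withdraw()` is flagged on the presence of the pattern alone and still needs a human to confirm it.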
Real-World Use Cases
🔒 Security Auditors: Automate initial vulnerability detection before manual review.
⚡ DeFi Developers: Pre-deployment checks in CI/CD pipelines.
🎯 Bug Bounty Hunters: Batch scan multiple contracts quickly.
📚 Educators: Teach common vulnerability patterns with real examples.
Technical Highlights
🦀 Built with Rust
Fast, memory-safe, and concurrent. Handles large contracts efficiently.
🔑 Cascade API Key System
Configure up to 6 Etherscan API keys. If one hits rate limits, SCPF automatically rotates to the next. Zero downtime.
export ETHERSCAN_API_KEY="key-1"
export ETHERSCAN_API_KEY_2="key-2"
# ... up to key-6
Result: 30 calls/sec instead of 5 (with 6 free Etherscan accounts).
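The failover behaviour described above, as an added Python example that is not SCPF's implementation: keys are read from the environment variable names the post uses, the cascade sticks with the current key until that key reports a rate limit, then moves to the next, and it only gives up once every key has failed in a row. The sticky-until-limited policy, the class names and the fake Etherscan stand-in (which gives each key a fixed request budget) are this example's assumptions.

```python
import os

# Environment variables named as in the post: ETHERSCAN_API_KEY, then
# ETHERSCAN_API_KEY_2 .. ETHERSCAN_API_KEY_6.
KEY_VARS = ["ETHERSCAN_API_KEY"] + [f"ETHERSCAN_API_KEY_{n}" for n in range(2, 7)]


class RateLimited(Exception):
    """Raised by a request function when the key it used hit its rate limit."""


class CascadeKeys:
    """Sticky key cascade (this example's policy, assumed): keep using the
    current key until it is rate limited, then rotate to the next; give up
    only after every configured key failed in a row."""

    def __init__(self, keys):
        self.keys = [k for k in keys if k]
        if not self.keys:
            raise ValueError("no API keys configured")
        self.index = 0
        self.rotations = 0

    @classmethod
    def from_env(cls, environ=None):
        env = os.environ if environ is None else environ
        return cls([env.get(var, "") for var in KEY_VARS])

    def current(self):
        return self.keys[self.index]

    def rotate(self):
        self.index = (self.index + 1) % len(self.keys)
        self.rotations += 1
        return self.current()

    def call(self, request):
        """request(key) returns a result or raises RateLimited.
        Tries at most one request per configured key before giving up."""
        for _ in range(len(self.keys)):
            key = self.current()
            try:
                return request(key)
            except RateLimited:
                self.rotate()
        raise RateLimited("all configured keys are rate limited")


def make_fake_etherscan(budgets):
    """Constructed stand-in for the Etherscan API: each key may serve
    budgets[key] requests before it answers with a rate-limit error.
    Returns (request_fn, served); served records the key behind each success."""
    remaining = dict(budgets)
    served = []

    def request(key):
        if remaining.get(key, 0) <= 0:
            raise RateLimited(f"key {key} exhausted")
        remaining[key] -= 1
        served.append(key)
        return {"status": "1", "key": key}  # constructed response shape

    return request, served


if __name__ == "__main__":
    env = {"ETHERSCAN_API_KEY": "k1", "ETHERSCAN_API_KEY_2": "k2", "ETHERSCAN_API_KEY_3": "k3"}
    cascade = CascadeKeys.from_env(env)
    request, served = make_fake_etherscan({"k1": 5, "k2": 5, "k3": 5})
    for _ in range(12):
        cascade.call(request)
    print(served, "rotations:", cascade.rotations)
```

With three keys that each allow five requests, twelve calls are served five by the first key, five by the second and two by the third, with two rotations and no failed call seen by the scanner; only when every key is exhausted does the caller get a RateLimited error, which is the point at which a real scanner should back off rather than retry immediately.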
🤖 GitHub Actions Integration
- uses: teycir/smartcontractpatternfinder@v1
  with:
    severity: high
    output-format: sarif
Findings appear directly in GitHub's Security tab.
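To show what "SARIF output" has to contain for findings to land in the Security tab, here is an added Python example (not SCPF's serializer) that turns a list of constructed findings into a minimal SARIF 2.1.0 document: one rule per template id under `tool.driver.rules`, one result per match with a `physicalLocation` pointing at file and line, and a `level` derived from the template severity. The severity-to-level and security-severity score mappings, the field names of the input findings, and the reading of the action's `severity` input as a minimum threshold are this example's assumptions.

```python
import json

# Map a template's severity to the SARIF result level and to the
# security-severity score GitHub reads to bucket code-scanning alerts
# (the score values chosen here are this example's assumption).
LEVELS = {"high": "error", "medium": "warning", "low": "note"}
SCORES = {"high": "8.0", "medium": "5.0", "low": "2.0"}

# Constructed findings in the shape the scanner step would hand over.
SAMPLE_FINDINGS = [
    {"rule_id": "reentrancy-basic", "name": "Basic Reentrancy Pattern", "severity": "high",
     "path": "contracts/Vault.sol", "line": 5,
     "message": "External call with value transfer detected"},
    {"rule_id": "reentrancy-basic", "name": "Basic Reentrancy Pattern", "severity": "high",
     "path": "contracts/Pool.sol", "line": 42,
     "message": "External call with value transfer detected"},
    {"rule_id": "delegatecall-basic", "name": "Delegatecall usage", "severity": "medium",
     "path": "contracts/Proxy.sol", "line": 17,
     "message": "delegatecall detected"},
]


def filter_by_severity(findings, minimum):
    """Assumed reading of the action's `severity` input: keep findings at or
    above the given minimum severity."""
    order = ["low", "medium", "high"]
    return [f for f in findings if order.index(f["severity"]) >= order.index(minimum)]


def findings_to_sarif(findings, tool_name="scpf", tool_version="example"):
    """Build a minimal SARIF 2.1.0 log: rules deduplicated by template id,
    one result per finding with a file/line location."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule_id"], {
            "id": f["rule_id"],
            "shortDescription": {"text": f["name"]},
            "properties": {"security-severity": SCORES[f["severity"]]},
        })
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVELS[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def to_json(sarif):
    return json.dumps(sarif, indent=2)


if __name__ == "__main__":
    print(to_json(findings_to_sarif(filter_by_severity(SAMPLE_FINDINGS, "high"))))
```

The `uri` values are repository-relative paths, which is what lets GitHub attach each alert to the right line of the checked-out file; the `permissions: security-events: write` entry in the workflow below is what allows the upload of this document.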
🏗️ Modular Architecture
- scpf-types: Core data structures
- scpf-core: Scanning engine with semantic analysis
- scpf-cli: Command-line interface
- scpf-server: Optional web dashboard
Current Limitations
⚠️ Ethereum only: Currently supports Ethereum mainnet via Etherscan API. Multi-chain support (BSC, Polygon, Arbitrum) is planned but not yet implemented.
⚠️ Pattern-based detection: SCPF finds patterns you define. It's not a symbolic execution engine like Mythril. Best used as a first-pass filter before deeper analysis.
⚠️ False positives: Context-aware filtering reduces obvious false positives, but manual review is still needed.
Getting Started
Installation
git clone https://github.com/Teycir/smartcontractpatternfinder.git
cd smartcontractpatternfinder
cargo build --release
Quick Scan
scpf init
scpf scan 0xYourContractAddress --chains ethereum
CI/CD Integration
Add to .github/workflows/security.yml:
name: Security Scan
on: [push, pull_request]
jobs:
  scpf:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: teycir/smartcontractpatternfinder@v1
Roadmap
- 🌐 Multi-chain support: BSC, Polygon, Arbitrum, Optimism, Base
- 📦 Template marketplace: Community-contributed patterns
- 🤖 AI-assisted pattern generation: Suggest patterns from exploit reports
- 🧠 Enhanced semantic analysis: Reduce false positives further
Open Source & MIT Licensed
SCPF is fully open source under MIT license. Contributions welcome.
Try It Out
If you're working with Ethereum smart contracts, give SCPF a try. It won't replace manual audits, but it can catch common issues early.
Feedback and contributions are welcome. Let's make smart contract security more accessible. 🚀