Why I Built This
Smart contract vulnerabilities cost billions in losses. Tools like Slither and Mythril are excellent for static analysis, but they're fixed in their detection capabilities. I wanted something different: a tool that gets stronger over time as the community adds patterns.
That's SCPF (Smart Contract Pattern Finder).
The key difference: SCPF is extensible by design. Every new exploit, every discovered vulnerability pattern can be added as a YAML template. The more templates you have, the more powerful the scanner becomes.
What It Does
SCPF scans Ethereum smart contracts for security vulnerabilities using customizable YAML templates.
Core features:
- ✅ Pattern-based detection (reentrancy, delegatecall, unchecked calls)
- ✅ Local .sol file scanning
- ✅ Git diff scanning (only changed files)
- ✅ GitHub Actions integration with SARIF output
- ✅ Cascade API key system (up to 6 Etherscan keys with automatic failover)
How It Works
1️⃣ Define Patterns in YAML
id: reentrancy-basic
name: Basic Reentrancy Pattern
severity: high
patterns:
  - id: external-call-with-value
    pattern: '\.call\{value:'
    message: External call with value transfer detected
2️⃣ Scan Contracts
# Scan deployed contract
scpf scan 0x1234567890abcdef --chains ethereum
# Scan local project
scpf scan
# Scan only changed files
scpf scan --diff main..HEAD
3️⃣ Get Results
Output formats: console, JSON, or SARIF (for CI/CD).
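To make the three steps above concrete, here is an added example (not SCPF's own code, which is Rust) of what a pattern template does when it runs: it takes the reentrancy template from step 1, expressed as a Python dict rather than YAML so the example needs no YAML library, runs its regex line by line over a constructed Solidity snippet, skips comment lines as a simple context filter, and emits the findings as a minimal SARIF 2.1.0 log of the shape GitHub code scanning ingests. The contract, the tool name and the file URI are all constructed for the example.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# The page's YAML template, mirrored as a dict (with PyYAML: yaml.safe_load(text)).
REENTRANCY_TEMPLATE = {
    "id": "reentrancy-basic",
    "name": "Basic Reentrancy Pattern",
    "severity": "high",
    "patterns": [
        {
            "id": "external-call-with-value",
            "pattern": r"\.call\{value:",
            "message": "External call with value transfer detected",
        }
    ],
}

# Constructed Solidity sample (not a real deployed contract). Line 4 is a comment that
# also contains the pattern, so it shows what the context filter removes.
SAMPLE_SOL = """\
pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    // payable(msg.sender).call{value: amount}("") used to be here
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;
    }
}
"""


@dataclass
class Finding:
    template_id: str
    pattern_id: str
    severity: str
    message: str
    line: int
    text: str


def _is_comment(line: str) -> bool:
    stripped = line.lstrip()
    return stripped.startswith(("//", "/*", "*"))


def scan_source(source: str, template: dict, skip_comments: bool = True) -> list[Finding]:
    """Run every regex in the template over each source line; comment lines are
    dropped when skip_comments is set (the one context filter in this example)."""
    compiled = [(p, re.compile(p["pattern"])) for p in template["patterns"]]
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if skip_comments and _is_comment(line):
            continue
        for pat, rx in compiled:
            if rx.search(line):
                findings.append(Finding(template["id"], pat["id"], template["severity"],
                                        pat["message"], lineno, line.strip()))
    return findings


# Map template severities onto the SARIF result levels GitHub displays.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}


def to_sarif(findings: list[Finding], uri: str, tool_name: str = "scpf-example") -> dict:
    """Build a minimal SARIF 2.1.0 log: one rule per pattern id, one result per finding."""
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f.pattern_id, {"id": f.pattern_id, "shortDescription": {"text": f.message}})
        results.append({
            "ruleId": f.pattern_id,
            "level": SARIF_LEVEL.get(f.severity, "warning"),
            "message": {"text": f"{f.message} ({f.template_id}, severity {f.severity})"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": f.line}}}],
        })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOL, REENTRANCY_TEMPLATE)
    for h in hits:
        print(f"[{h.severity}] {h.pattern_id} line {h.line}: {h.text}")
    print(json.dumps(to_sarif(hits, "contracts/Vault.sol"), indent=2))
```

Run as-is it reports the `call{value:` on line 7 only; pass `skip_comments=False` and the commented-out line 4 is reported too, which is the kind of noise the page's "context-aware filtering" and a manual review pass are there to remove. Note that a regex hit on `.call{value:` says nothing about whether state is updated before the call, so a finding from this template is a prompt to look, not a confirmed reentrancy bug.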
Real-World Use Cases
🔒 Security Auditors: Automate initial vulnerability detection before manual review.
⚡ DeFi Developers: Pre-deployment checks in CI/CD pipelines.
🎯 Bug Bounty Hunters: Batch scan multiple contracts quickly.
📚 Educators: Teach common vulnerability patterns with real examples.
Technical Highlights
🦀 Built with Rust
Fast, memory-safe, and concurrent. Handles large contracts efficiently.
🔑 Cascade API Key System
Configure up to 6 Etherscan API keys. If one hits rate limits, SCPF automatically rotates to the next. Zero downtime.
export ETHERSCAN_API_KEY="key-1"
export ETHERSCAN_API_KEY_2="key-2"
# ... up to key-6
Result: 30 calls/sec instead of 5 (with 6 free Etherscan accounts).
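As an added illustration of the failover logic (written here in Python; it is not SCPF's Rust implementation), the snippet below reads the `ETHERSCAN_API_KEY`, `ETHERSCAN_API_KEY_2` ... `ETHERSCAN_API_KEY_6` variables in order, then hands each request to the current key and advances to the next one only when that key reports a rate limit. The Etherscan backend is replaced by a constructed fake that gives every key a fixed call budget instead of a per-second window, which is a simplification; the key values and addresses are made up.

```python
from __future__ import annotations

from typing import Callable


class RateLimited(Exception):
    """Raised by the backend when a key has exhausted its quota."""


def load_keys(env: dict, max_keys: int = 6) -> list[str]:
    """Collect ETHERSCAN_API_KEY, ETHERSCAN_API_KEY_2 ... _N in order, skipping unset ones.
    Pass os.environ as env in real use."""
    names = ["ETHERSCAN_API_KEY"] + [f"ETHERSCAN_API_KEY_{i}" for i in range(2, max_keys + 1)]
    return [env[n] for n in names if env.get(n)]


class CascadingClient:
    """Round-robin over keys, advancing only on a rate-limit response."""

    def __init__(self, keys: list[str], fetch: Callable[[str, str], str]):
        if not keys:
            raise ValueError("no Etherscan API keys configured")
        self.keys = list(keys)
        self.fetch = fetch          # fetch(key, address) -> source text, or raises RateLimited
        self.current = 0            # index of the key currently in use
        self.rotations = 0          # how many times failover kicked in

    def get_source(self, address: str) -> str:
        # Try every key at most once for this request, starting from the current one.
        for _ in range(len(self.keys)):
            key = self.keys[self.current]
            try:
                return self.fetch(key, address)
            except RateLimited:
                self.current = (self.current + 1) % len(self.keys)
                self.rotations += 1
        raise RateLimited(f"all {len(self.keys)} keys rate-limited while fetching {address}")


def make_fake_etherscan(budget_per_key: int) -> Callable[[str, str], str]:
    """Constructed stand-in for the Etherscan API: each key may serve budget_per_key calls."""
    remaining: dict[str, int] = {}

    def fetch(key: str, address: str) -> str:
        remaining.setdefault(key, budget_per_key)
        if remaining[key] == 0:
            raise RateLimited(key)
        remaining[key] -= 1
        return f"// source of {address} fetched with {key}"

    return fetch


def run_batch(keys: list[str], addresses: list[str], budget_per_key: int = 5) -> tuple[list[str], int]:
    """Fetch every address through the cascade; returns (sources, number of rotations)."""
    client = CascadingClient(keys, make_fake_etherscan(budget_per_key))
    sources = [client.get_source(a) for a in addresses]
    return sources, client.rotations


if __name__ == "__main__":
    # Constructed environment with six keys, as in the export lines above.
    env = {"ETHERSCAN_API_KEY": "key-1", **{f"ETHERSCAN_API_KEY_{i}": f"key-{i}" for i in range(2, 7)}}
    keys = load_keys(env)
    addrs = [f"0x{i:040x}" for i in range(30)]          # 30 fake contract addresses
    sources, rotations = run_batch(keys, addrs)
    print(f"fetched {len(sources)} contracts, rotated keys {rotations} times")
```

With six keys and a budget of five calls each, a batch of 30 contracts completes with five rotations; a 31st request finds every key exhausted and the client raises instead of spinning. Keys are read from the environment rather than a config file committed to the repo, so they stay out of version control and out of the CI logs.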
🤖 GitHub Actions Integration
- uses: teycir/smartcontractpatternfinder@v1
  with:
    severity: high
    output-format: sarif
Findings appear directly in GitHub's Security tab.
🏗️ Modular Architecture
- scpf-types: Core data structures
- scpf-core: Scanning engine with semantic analysis
- scpf-cli: Command-line interface
- scpf-server: Optional web dashboard
Current Limitations
⚠️ Ethereum only: Currently supports Ethereum mainnet via Etherscan API. Multi-chain support (BSC, Polygon, Arbitrum) is planned but not yet implemented.
⚠️ Pattern-based detection: SCPF finds patterns you define. It's not a symbolic execution engine like Mythril. Best used as a first-pass filter before deeper analysis.
⚠️ False positives: Context-aware filtering reduces obvious false positives, but manual review is still needed.
Getting Started
Installation
git clone https://github.com/Teycir/smartcontractpatternfinder.git
cd smartcontractpatternfinder
cargo build --release
Quick Scan
scpf init
scpf scan 0xYourContractAddress --chains ethereum
CI/CD Integration
Add to .github/workflows/security.yml:
name: Security Scan
on: [push, pull_request]
jobs:
  scpf:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: teycir/smartcontractpatternfinder@v1
Roadmap
- 🌐 Multi-chain support: BSC, Polygon, Arbitrum, Optimism, Base
- 📦 Template marketplace: Community-contributed patterns
- 🤖 AI-assisted pattern generation: Suggest patterns from exploit reports
- 🧠 Enhanced semantic analysis: Reduce false positives further
Open Source & MIT Licensed
SCPF is fully open source under MIT license. Contributions welcome.
Try It Out
If you're working with Ethereum smart contracts, give SCPF a try. It won't replace manual audits, but it can catch common issues early.
Feedback and contributions are welcome. Let's make smart contract security more accessible. 🚀