substrate-vulnerability-scanner
- Repo stars 5,723
- Forks 499
- Author updated Jun 15, 2026, 04:05 PM
- Author repo skills
- Domain
- Other
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @trailofbits · no license declared
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- macOS · Linux · Windows
- Runtime requirements
- Node.js
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: substrate-vulnerability-scanner
description: Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, p…
category: other
runtime: Node.js
---
# substrate-vulnerability-scanner output preview
## PART A: Task fit
- Use case: Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “1. Purpose / 2. When to Use This Skill / 3. Platform Detection” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets.”.
- **02** When the source has headings, the agent prioritizes “1. Purpose / 2. When to Use This Skill / 3. Platform Detection” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “1. Purpose / 2. When to Use This Skill / 3. Platform Detection”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: substrate-vulnerability-scanner
description: Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, p…
category: other
source: trailofbits/skills
---
# substrate-vulnerability-scanner
## When to use
- Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect we…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “1. Purpose / 2. When to Use This Skill / 3. Platform Detection” and keep inference separate from source facts.
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "substrate-vulnerability-scanner" {
input -> user goal + target files + boundaries + acceptance criteria
context -> 1. Purpose / 2. When to Use This Skill / 3. Platform Detection
rules -> SKILL.md triggers / order / output contract
runtime -> Node.js | read files, write/modify files | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Substrate Vulnerability Scanner
1. Purpose
Systematically scan Substrate runtime modules (pallets) for platform-specific security vulnerabilities that can cause node crashes, DoS attacks, or unauthorized access. This skill encodes 7 critical vulnerability patterns unique to Substrate/FRAME-based chains.
2. When to Use This Skill
- Auditing custom Substrate pallets
- Reviewing FRAME runtime code
- Pre-launch security assessment of Substrate chains (Polkadot parachains, standalone chains)
- Validating dispatchable extrinsic functions
- Reviewing weight calculation functions
- Assessing unsigned transaction validation logic
3. Platform Detection
File Extensions & Indicators
- Rust files:
.rs
Language/Framework Markers
// Substrate/FRAME indicators
#[pallet]
pub mod pallet {
use frame_support::pallet_prelude::*;
use frame_system::pallet_prelude::*;
#[pallet::config]
pub trait Config: frame_system::Config { }
#[pallet::call]
impl<T: Config> Pallet<T> {
#[pallet::weight(10_000)]
pub fn example_function(origin: OriginFor<T>) -> DispatchResult { }
}
}
// Common patterns
DispatchResult, DispatchError
ensure!, ensure_signed, ensure_root
StorageValue, StorageMap, StorageDoubleMap
#[pallet::storage]
#[pallet::call]
#[pallet::weight]
#[pallet::validate_unsigned]
Project Structure
pallets/*/lib.rs- Pallet implementationsruntime/lib.rs- Runtime configurationbenchmarking.rs- Weight benchmarksCargo.tomlwithframe-*dependencies
Tool Support
- cargo-fuzz: Fuzz testing for Rust
- test-fuzz: Property-based testing framework
- benchmarking framework: Built-in weight calculation
- try-runtime: Runtime migration testing
4. How This Skill Works
When invoked, I will:
- Search your codebase for Substrate pallets
- Analyze each pallet for the 7 vulnerability patterns
- Report findings with file references and severity
- Provide fixes for each identified issue
- Check weight calculations and origin validation
5. Vulnerability Patterns (7 Critical Patterns)
I check for 7 critical vulnerability patterns unique to Substrate/FRAME. For detailed detection patterns, code examples, mitigations, and testing strategies, see VULNERABILITY_PATTERNS.md.
Pattern Summary:
Arithmetic Overflow ⚠️ CRITICAL
- Direct
+,-,*,/operators wrap in release mode - Must use
checked_*orsaturating_*methods - Affects balance/token calculations, reward/fee math
- Direct
Don't Panic ⚠️ CRITICAL - DoS
- Panics cause node to stop processing blocks
- No
unwrap(),expect(), array indexing without bounds check - All user input must be validated with
ensure!
Weights and Fees ⚠️ CRITICAL - DoS
- Incorrect weights allow spam attacks
- Fixed weights for variable-cost operations enable DoS
- Must use benchmarking framework, bound all input parameters
Verify First, Write Last ⚠️ HIGH (Pre-v0.9.25)
- Storage writes before validation persist on error (pre-v0.9.25)
- Pattern: validate → write → emit event
- Upgrade to v0.9.25+ or use manual
#[transactional]
Unsigned Transaction Validation ⚠️ HIGH
- Insufficient validation allows spam/replay attacks
- Prefer signed transactions
- If unsigned: validate parameters, replay protection, authenticate source
Bad Randomness ⚠️ MEDIUM
pallet_randomness_collective_flipvulnerable to collusion- Must use BABE randomness (
pallet_babe::RandomnessFromOneEpochAgo) - Use
random(subject)notrandom_seed()
Bad Origin ⚠️ CRITICAL
ensure_signedallows any user for privileged operations- Must use
ensure_rootor custom origins (ForceOrigin, AdminOrigin) - Origin types must be properly configured in runtime
For complete vulnerability patterns with code examples, see VULNERABILITY_PATTERNS.md.
6. Scanning Workflow
Step 1: Platform Identification
- Verify Substrate/FRAME framework usage
- Check Substrate version (v0.9.25+ has transactional storage)
- Locate pallet implementations (
pallets/*/lib.rs) - Identify runtime configuration (
runtime/lib.rs)
Step 2: Dispatchable Analysis
For each #[pallet::call] function:
- Arithmetic: Uses checked/saturating operations?
- Panics: No unwrap/expect/indexing?
- Weights: Proportional to cost, bounded inputs?
- Origin: Appropriate validation level?
- Validation: All checks before storage writes?
Step 3: Panic Sweep
# Search for panic-prone patterns
rg "unwrap\(\)" pallets/
rg "expect\(" pallets/
rg "\[.*\]" pallets/ # Array indexing
rg " as u\d+" pallets/ # Type casts
rg "\.unwrap_or" pallets/
Step 4: Arithmetic Safety Check
# Find direct arithmetic
rg " \+ |\+=| - |-=| \* |\*=| / |/=" pallets/
# Should find checked/saturating alternatives instead
rg "checked_add|checked_sub|checked_mul|checked_div" pallets/
rg "saturating_add|saturating_sub|saturating_mul" pallets/
Step 5: Weight Analysis
- Run benchmarking:
cargo test --features runtime-benchmarks - Verify weights match computational cost
- Check for bounded input parameters
- Review weight calculation functions
Step 6: Origin & Privilege Review
# Find privileged operations
rg "ensure_signed" pallets/ | grep -E "pause|emergency|admin|force|sudo"
# Should use ensure_root or custom origins
rg "ensure_root|ForceOrigin|AdminOrigin" pallets/
Step 7: Testing Review
- Unit tests cover all dispatchables
- Fuzz tests for panic conditions
- Benchmarks for weight calculation
- try-runtime tests for migrations
7. Priority Guidelines
Critical (Immediate Fix Required)
- Arithmetic overflow (token creation, balance manipulation)
- Panic DoS (node crash risk)
- Bad origin (unauthorized privileged operations)
High (Fix Before Launch)
- Incorrect weights (DoS via spam)
- Verify-first violations (state corruption, pre-v0.9.25)
- Unsigned validation issues (spam, replay attacks)
Medium (Address in Audit)
- Bad randomness (manipulation possible but limited impact)
8. Testing Recommendations
Fuzz Testing
// Use test-fuzz for property-based testing
#[cfg(test)]
mod tests {
use test_fuzz::test_fuzz;
#[test_fuzz]
fn fuzz_transfer(from: AccountId, to: AccountId, amount: u128) {
// Should never panic
let _ = Pallet::transfer(from, to, amount);
}
#[test_fuzz]
fn fuzz_no_panics(call: Call) {
// No dispatchable should panic
let _ = call.dispatch(origin);
}
}
Benchmarking
# Run benchmarks to generate weights
cargo build --release --features runtime-benchmarks
./target/release/node benchmark pallet \
--chain dev \
--pallet pallet_example \
--extrinsic "*" \
--steps 50 \
--repeat 20
try-runtime
# Test runtime upgrades
cargo build --release --features try-runtime
try-runtime --runtime ./target/release/wbuild/runtime.wasm \
on-runtime-upgrade live --uri wss://rpc.polkadot.io
9. Additional Resources
- Building Secure Contracts:
building-secure-contracts/not-so-smart-contracts/substrate/ - Substrate Documentation: https://docs.substrate.io/
- FRAME Documentation: https://paritytech.github.io/substrate/master/frame_support/
- test-fuzz: https://github.com/trailofbits/test-fuzz
- Substrate StackExchange: https://substrate.stackexchange.com/
10. Quick Reference Checklist
Before completing Substrate pallet audit:
Arithmetic Safety (CRITICAL):
- No direct
+,-,*,/operators in dispatchables - All arithmetic uses
checked_*orsaturating_* - Type conversions use
try_into()with error handling
Panic Prevention (CRITICAL):
- No
unwrap()orexpect()in dispatchables - No direct array/slice indexing without bounds check
- All user inputs validated with
ensure! - Division operations check for zero divisor
Weights & DoS (CRITICAL):
- Weights proportional to computational cost
- Input parameters have maximum bounds
- Benchmarking used to determine weights
- No free (zero-weight) expensive operations
Access Control (CRITICAL):
- Privileged operations use
ensure_rootor custom origins -
ensure_signedonly for user-level operations - Origin types properly configured in runtime
- Sudo pallet removed before production
Storage Safety (HIGH):
- Using Substrate v0.9.25+ OR manual
#[transactional] - Validation before storage writes
- Events emitted after successful operations
Other (MEDIUM):
- Unsigned transactions use signed alternative if possible
- If unsigned: proper validation, replay protection, authentication
- BABE randomness used (not RandomnessCollectiveFlip)
- Randomness uses
random(subject)notrandom_seed()
Testing:
- Unit tests for all dispatchables
- Fuzz tests to find panics
- Benchmarks generated and verified
- try-runtime tests for migrations
Decide Fit First
Design Intent
How To Use It
Boundaries And Review