Algorand Vulnerability Scanner

Algorand Vulnerability Scanner automation and integration

Source: trailofbits/skills

Algorand Vulnerability Scanner is a community skill for detecting security vulnerabilities in Algorand smart contracts, covering TEAL bytecode analysis, common vulnerability patterns, transaction validation checks, state manipulation detection, and automated security auditing for Algorand applications.

What Is This?

Overview

Algorand Vulnerability Scanner provides patterns for analyzing Algorand smart contracts for security weaknesses. It covers TEAL bytecode analysis that inspects approval and clear state programs for logical errors, common vulnerability detection for unchecked group sizes, missing rekey-to validation, and unprotected asset close-to fields, transaction validation that verifies expected fields are properly constrained, state manipulation detection for unsafe global and local state read-write patterns, and automated auditing against known vulnerability patterns. The skill enables Algorand developers to identify and fix security issues before deploying contracts to mainnet.

Who Should Use This

This skill serves Algorand smart contract developers auditing applications before mainnet deployment, security researchers analyzing Algorand DeFi protocols for vulnerabilities, and teams building automated security review pipelines for Algorand dApps.

Why Use It?

Problems It Solves

Unchecked group transaction sizes allow attackers to inject additional transactions. Missing rekey-to validation enables account takeover by changing the authorization address. Unprotected close-remainder-to and asset-close-to fields allow draining of account balances during legitimate transactions. Logic errors in state transitions create exploitable conditions when state is modified unexpectedly.

Core Highlights

TEAL analyzer inspects bytecode for missing transaction field checks. Group size validator ensures atomic groups contain exactly the expected number of transactions. Rekey detection flags contracts that do not verify the RekeyTo field is set to zero address. State flow analyzer traces read-write patterns for unsafe manipulation sequences.

How to Use It?

Basic Usage

from algosdk.v2client\
  import algod
import base64

VULN_PATTERNS = {
  'missing_group_size': {
    'description':
      'No group size check',
    'check': lambda ops:
      'global GroupSize'
      not in ops,
  },
  'missing_rekey': {
    'description':
      'No RekeyTo validation',
    'check': lambda ops:
      'txn RekeyTo'
      not in ops
      and 'gtxn'
      not in ''.join(
        l for l in
        ops.split('\n')
        if 'RekeyTo' in l),
  },
  'missing_close_to': {
    'description':
      'No CloseRemainderTo'
      + ' check',
    'check': lambda ops:
      'CloseRemainderTo'
      not in ops,
  },
}

def scan_contract(
  client: algod.AlgodClient,
  app_id: int
) -> list[dict]:
  info = client\
    .application_info(app_id)
  program = base64.b64decode(
    info['params']\
      ['approval-program'])
  source = client.disassemble(
    program)['result']

  findings = []
  for name, pattern\
      in VULN_PATTERNS.items():
    if pattern['check'](
        source):
      findings.append({
        'vulnerability': name,
        'severity': 'high',
        'description':
          pattern[
            'description'],
      })
  return findings

Real-World Examples

def validate_group(
  source: str,
  expected_size: int
) -> list[dict]:
  findings = []
  lines = source.split('\n')

  has_group_check = False
  for i, line in\
      enumerate(lines):
    stripped = line.strip()
    if stripped ==\
        'global GroupSize':
      has_group_check = True
      # Verify exact size
      if i + 1 < len(lines):
        next_l =\
          lines[i+1].strip()
        if not next_l\
            .startswith('int '):
          findings.append({
            'issue':
              'group_size_'
              + 'not_exact',
            'line': i + 1,
            'detail':
              'GroupSize checked'
              + ' but not '
              + 'compared to '
              + 'exact value',
          })

  if not has_group_check:
    findings.append({
      'issue':
        'no_group_size',
      'line': 0,
      'detail':
        'Contract does not'
        + ' check GroupSize',
    })

  # Check each gtxn index
  for idx in range(
      expected_size):
    prefix = f'gtxn {idx}'
    if prefix not in source:
      findings.append({
        'issue':
          f'missing_gtxn_{idx}',
        'detail':
          f'No validation for'
          + f' group txn {idx}',
      })
  return findings

Advanced Tips

Scan for inner transaction vulnerabilities in AVM 5+ contracts where inner transactions can be constructed with unchecked parameters. Verify that application opt-in logic validates the sender to prevent unauthorized local state allocation. Check that OnCompletion routing covers all cases including UpdateApplication and DeleteApplication to prevent unauthorized contract modifications.

When to Use It?

Use Cases

Audit an Algorand DeFi protocol before mainnet deployment to catch missing transaction field validations. Build an automated scanner that checks new contract versions against known vulnerability patterns. Review atomic group logic to verify all transaction indices are properly constrained.

Related Topics

Algorand security, TEAL analysis, smart contract auditing, blockchain vulnerability scanning, and DeFi security.

Important Notes

Requirements

Algorand SDK with algod client for contract disassembly. Access to an Algorand node or API service for reading deployed application state. Knowledge of TEAL opcodes and Algorand transaction model.

Usage Recommendations

Do: check all transaction types in atomic groups including payment, asset transfer, and application call fields. Verify RekeyTo, CloseRemainderTo, and AssetCloseTo are set to zero address in every transaction. Run the scanner on both approval and clear state programs.

Don't: rely solely on automated scanning as logic vulnerabilities require manual review of business logic. Deploy contracts without auditing even if the scanner reports zero findings. Assume that PyTEAL or Beaker source code is safe without inspecting the compiled TEAL output.

Limitations

Pattern-based scanning cannot detect all logic vulnerabilities that depend on application-specific business rules. Highly optimized TEAL bytecode may not match expected patterns. Findings require manual verification to distinguish true vulnerabilities from false positives.

More Skills You Might Like

Explore similar skills to enhance your workflow

Here Automation

Automate Here operations through Composio's Here toolkit via Rube MCP

Gosquared Automation

Automate Gosquared operations through Composio's Gosquared toolkit via

Encodian Automation

Automate Encodian operations through Composio's Encodian toolkit via

Transcribe

Automate audio transcription services and integrate high-accuracy speech-to-text into your applications

Dailybot Automation

Automate Dailybot operations through Composio's Dailybot toolkit via

Flexisign Automation

Automate Flexisign operations through Composio's Flexisign toolkit via