Run any Skill in Manus with one click

substrate-vulnerability-scanner

Name: Substrate Vulnerability Scanner
Author: trailofbits

Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets.

Run Skill in Manus

Skill metadata

Stars5,537

Forks484

UpdatedJanuary 29, 2026 at 19:37

File Explorer

2 files

SKILL.md

readonly

More from this repository

same repository

let-fate-decide

trailofbits/skills

Draws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.

2026-05-275.5k

solana-vulnerability-scanner

trailofbits/skills

Scans Solana programs for 6 critical vulnerabilities including arbitrary CPI, improper PDA validation, missing signer/ownership checks, and sysvar spoofing. Use when auditing Solana/Anchor programs.

2026-05-055.5k

c-review

trailofbits/skills

Performs comprehensive C/C++ security review for memory corruption, integer overflows, race conditions, and platform-specific vulnerabilities. Use when auditing native C/C++ applications, reviewing daemons or services for memory safety, or hunting integer overflow / use-after-free / race conditions in userspace code.

2026-05-035.5k

differential-review

trailofbits/skills

Performs security-focused differential review of code changes (PRs, commits, diffs). Adapts analysis depth to codebase size, uses git history for context, calculates blast radius, checks test coverage, and generates comprehensive markdown reports. Automatically detects and prevents security regressions.

2026-04-295.5k

sharp-edges

trailofbits/skills

Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration.

2026-04-295.5k

audit-augmentation

trailofbits/skills

Augments Trailmark code graphs with external audit findings from SARIF static analysis results and weAudit annotation files. Maps findings to graph nodes by file and line overlap, creates severity-based subgraphs, and enables cross-referencing findings with pre-analysis data (blast radius, taint, etc.). Use when projecting SARIF results onto a code graph, overlaying weAudit annotations, cross-referencing Semgrep or CodeQL findings with call graph data, or visualizing audit findings in the context of code structure.

2026-04-295.5k

Source

trailofbits

trailofbits/skills

View GitHub Repository View Creator Repositories

Install

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

Software DevelopersL4

name	substrate-vulnerability-scanner
description	Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets.

Substrate Vulnerability Scanner

1. Purpose

Systematically scan Substrate runtime modules (pallets) for platform-specific security vulnerabilities that can cause node crashes, DoS attacks, or unauthorized access. This skill encodes 7 critical vulnerability patterns unique to Substrate/FRAME-based chains.

2. When to Use This Skill

Auditing custom Substrate pallets
Reviewing FRAME runtime code
Pre-launch security assessment of Substrate chains (Polkadot parachains, standalone chains)
Validating dispatchable extrinsic functions
Reviewing weight calculation functions
Assessing unsigned transaction validation logic

3. Platform Detection

File Extensions & Indicators

Rust files: .rs

Language/Framework Markers

// Substrate/FRAME indicators
#[pallet]
pub mod pallet {
    use frame_support::pallet_prelude::*;
    use frame_system::pallet_prelude::*;

    #[pallet::config]
    pub trait Config: frame_system::Config { }

    #[pallet::call]
    impl<T: Config> Pallet<T> {
        #[pallet::weight(10_000)]
        pub fn example_function(origin: OriginFor<T>) -> DispatchResult { }
    }
}

// Common patterns
DispatchResult, DispatchError
ensure!, ensure_signed, ensure_root
StorageValue, StorageMap, StorageDoubleMap
#[pallet::storage]
#[pallet::call]
#[pallet::weight]
#[pallet::validate_unsigned]

Project Structure

pallets/*/lib.rs - Pallet implementations
runtime/lib.rs - Runtime configuration
benchmarking.rs - Weight benchmarks
Cargo.toml with frame-* dependencies

Tool Support

cargo-fuzz: Fuzz testing for Rust
test-fuzz: Property-based testing framework
benchmarking framework: Built-in weight calculation
try-runtime: Runtime migration testing

4. How This Skill Works

When invoked, I will:

Search your codebase for Substrate pallets
Analyze each pallet for the 7 vulnerability patterns
Report findings with file references and severity
Provide fixes for each identified issue
Check weight calculations and origin validation

5. Vulnerability Patterns (7 Critical Patterns)

I check for 7 critical vulnerability patterns unique to Substrate/FRAME. For detailed detection patterns, code examples, mitigations, and testing strategies, see VULNERABILITY_PATTERNS.md.

Pattern Summary:

Arithmetic Overflow ⚠️ CRITICAL
- Direct +, -, *, / operators wrap in release mode
- Must use checked_* or saturating_* methods
- Affects balance/token calculations, reward/fee math
Don't Panic ⚠️ CRITICAL - DoS
- Panics cause node to stop processing blocks
- No unwrap(), expect(), array indexing without bounds check
- All user input must be validated with ensure!
Weights and Fees ⚠️ CRITICAL - DoS
- Incorrect weights allow spam attacks
- Fixed weights for variable-cost operations enable DoS
- Must use benchmarking framework, bound all input parameters
Verify First, Write Last ⚠️ HIGH (Pre-v0.9.25)
- Storage writes before validation persist on error (pre-v0.9.25)
- Pattern: validate → write → emit event
- Upgrade to v0.9.25+ or use manual #[transactional]
Unsigned Transaction Validation ⚠️ HIGH
- Insufficient validation allows spam/replay attacks
- Prefer signed transactions
- If unsigned: validate parameters, replay protection, authenticate source
Bad Randomness ⚠️ MEDIUM
- pallet_randomness_collective_flip vulnerable to collusion
- Must use BABE randomness (pallet_babe::RandomnessFromOneEpochAgo)
- Use random(subject) not random_seed()
Bad Origin ⚠️ CRITICAL
- ensure_signed allows any user for privileged operations
- Must use ensure_root or custom origins (ForceOrigin, AdminOrigin)
- Origin types must be properly configured in runtime

For complete vulnerability patterns with code examples, see VULNERABILITY_PATTERNS.md.

6. Scanning Workflow

Step 1: Platform Identification

Verify Substrate/FRAME framework usage
Check Substrate version (v0.9.25+ has transactional storage)
Locate pallet implementations (pallets/*/lib.rs)
Identify runtime configuration (runtime/lib.rs)

Step 2: Dispatchable Analysis

For each #[pallet::call] function:

Arithmetic: Uses checked/saturating operations?
Panics: No unwrap/expect/indexing?
Weights: Proportional to cost, bounded inputs?
Origin: Appropriate validation level?
Validation: All checks before storage writes?

Step 3: Panic Sweep

# Search for panic-prone patterns
rg "unwrap\(\)" pallets/
rg "expect\(" pallets/
rg "\[.*\]" pallets/  # Array indexing
rg " as u\d+" pallets/  # Type casts
rg "\.unwrap_or" pallets/

Step 4: Arithmetic Safety Check

# Find direct arithmetic
rg " \+ |\+=| - |-=| \* |\*=| / |/=" pallets/

# Should find checked/saturating alternatives instead
rg "checked_add|checked_sub|checked_mul|checked_div" pallets/
rg "saturating_add|saturating_sub|saturating_mul" pallets/

Step 5: Weight Analysis

Run benchmarking: cargo test --features runtime-benchmarks
Verify weights match computational cost
Check for bounded input parameters
Review weight calculation functions

Step 6: Origin & Privilege Review

# Find privileged operations
rg "ensure_signed" pallets/ | grep -E "pause|emergency|admin|force|sudo"

# Should use ensure_root or custom origins
rg "ensure_root|ForceOrigin|AdminOrigin" pallets/

Step 7: Testing Review

Unit tests cover all dispatchables
Fuzz tests for panic conditions
Benchmarks for weight calculation
try-runtime tests for migrations

7. Priority Guidelines

Critical (Immediate Fix Required)

Arithmetic overflow (token creation, balance manipulation)
Panic DoS (node crash risk)
Bad origin (unauthorized privileged operations)

High (Fix Before Launch)

Incorrect weights (DoS via spam)
Verify-first violations (state corruption, pre-v0.9.25)
Unsigned validation issues (spam, replay attacks)

Medium (Address in Audit)

Bad randomness (manipulation possible but limited impact)

8. Testing Recommendations

Fuzz Testing

// Use test-fuzz for property-based testing
#[cfg(test)]
mod tests {
    use test_fuzz::test_fuzz;

    #[test_fuzz]
    fn fuzz_transfer(from: AccountId, to: AccountId, amount: u128) {
        // Should never panic
        let _ = Pallet::transfer(from, to, amount);
    }

    #[test_fuzz]
    fn fuzz_no_panics(call: Call) {
        // No dispatchable should panic
        let _ = call.dispatch(origin);
    }
}

Benchmarking

# Run benchmarks to generate weights
cargo build --release --features runtime-benchmarks
./target/release/node benchmark pallet \
    --chain dev \
    --pallet pallet_example \
    --extrinsic "*" \
    --steps 50 \
    --repeat 20

try-runtime

# Test runtime upgrades
cargo build --release --features try-runtime
try-runtime --runtime ./target/release/wbuild/runtime.wasm \
    on-runtime-upgrade live --uri wss://rpc.polkadot.io

9. Additional Resources

Building Secure Contracts: building-secure-contracts/not-so-smart-contracts/substrate/
Substrate Documentation: https://docs.substrate.io/
FRAME Documentation: https://paritytech.github.io/substrate/master/frame_support/
test-fuzz: https://github.com/trailofbits/test-fuzz
Substrate StackExchange: https://substrate.stackexchange.com/

10. Quick Reference Checklist

Before completing Substrate pallet audit:

Arithmetic Safety (CRITICAL):

No direct +, -, *, / operators in dispatchables
All arithmetic uses checked_* or saturating_*
Type conversions use try_into() with error handling

Panic Prevention (CRITICAL):

No unwrap() or expect() in dispatchables
No direct array/slice indexing without bounds check
All user inputs validated with ensure!
Division operations check for zero divisor

Weights & DoS (CRITICAL):

Weights proportional to computational cost
Input parameters have maximum bounds
Benchmarking used to determine weights
No free (zero-weight) expensive operations

Access Control (CRITICAL):

Privileged operations use ensure_root or custom origins
ensure_signed only for user-level operations
Origin types properly configured in runtime
Sudo pallet removed before production

Storage Safety (HIGH):

Using Substrate v0.9.25+ OR manual #[transactional]
Validation before storage writes
Events emitted after successful operations

Other (MEDIUM):

Unsigned transactions use signed alternative if possible
If unsigned: proper validation, replay protection, authentication
BABE randomness used (not RandomnessCollectiveFlip)
Randomness uses random(subject) not random_seed()

Testing:

Unit tests for all dispatchables
Fuzz tests to find panics
Benchmarks generated and verified
try-runtime tests for migrations