ARGUS

Automated Runtime Guard for Unverified Smart contracts

ARGUS is a Rust implementation of the SKANF security analysis system ("Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts", Yang et al., 2025).

It detects asset-management vulnerabilities in closed-source and obfuscated EVM smart contracts, automatically generates exploit calldata, and validates exploits against a local fork of the chain — all without requiring source code or ABI.

---

How it works

ARGUS runs a three-stage pipeline directly on EVM bytecode:

Stage A — Deobfuscation
  Detect indirect JUMP/JUMPI instructions driven by CALLDATA, MLOAD,
  SLOAD, or CALLVALUE.  Insert a branch table at offset 0xe000 that
  converts all indirect jumps to direct ones, making the control flow
  statically analysable.

Stage B — Vulnerability detection
  Lift the deobfuscated bytecode to a Three-Address Code (TAC) IR.
  Run concolic execution guided by historical on-chain transactions
  as seed inputs.  At every reached CALL instruction, perform
  byte-level taint analysis to determine whether an adversary can
  control the target address, function selector, destination, or amount.

Stage C — Exploit generation and validation
  Re-run concolic execution with adversary constraints applied
  (target = ERC-20 token, selector = transfer, destination = attacker).
  Extract a concrete calldata solution from the Z3 model.
  Replay the transaction in a revm fork-state and confirm a Transfer
  or Approval event was emitted.

---

Requirements

Dependency	Notes
Rust 1.75+	rustup update stable
libz3	Bundled via z3 crate (static-link-z3 feature)
Ethereum archive node	Required for live analysis — Erigon, Nethermind, or Reth with --http.api trace

No Python, no Soufflé, no Gigahorse required.

---

Installation

git clone https://github.com/binsta/argus
cd argus
cargo build --release

The binary is at target/release/argus.

---

Usage

Analyse a contract

Baseline mode — fully symbolic calldata

argus analyze \
  --address 0xDEAD...BEEF \
  --block   20000000 \
  --rpc     http://localhost:8545

Concolic mode — seed from a historical transaction

argus analyze \
  --address 0xDEAD...BEEF \
  --block   20000000 \
  --rpc     http://localhost:8545 \
  --tx      0xabc...123

Skip exploit generation (detection only)

argus analyze \
  --address 0xDEAD...BEEF \
  --block   20000000 \
  --rpc     http://localhost:8545 \
  --no-exploit

Output is written to output.json by default (--output <path> to change).

Inspect deobfuscation

argus deobfuscate \
  --address 0xDEAD...BEEF \
  --block   20000000 \
  --rpc     http://localhost:8545

Disassemble

argus disasm \
  --address 0xDEAD...BEEF \
  --block   20000000 \
  --rpc     http://localhost:8545

---

Output format

{
  "verified": [
    {
      "call_pc": 420,
      "block": 20000000,
      "is_sensitive": true,
      "taint_flags": {
        "contract_tainted": false,
        "selector_tainted": false,
        "destination_tainted": true,
        "amount_tainted": true
      },
      "contract_solution": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "selector_solution": "0xa9059cbb",
      "destination_solution": "*",
      "amount_solution": "*"
    }
  ],
  "unverified": [],
  "exploits": [
    {
      "target_address": "0xDEAD...BEEF",
      "calldata": "0xa9059cbb...",
      "token_address": "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2",
      "amount_drained": "0xde0b6b3a7640000",
      "validated": true
    }
  ],
  "process_time": 38.4
}

A "*" value means the parameter is adversary-controlled. A concrete address or selector means it is fixed but risky.

---

Crate structure

crates/
├── common/          Shared types, error enum, ERC-20 constants
├── bytecode/        Opcode table, disassembler, CBOR metadata stripper
├── cfg/             Basic-block builder, petgraph CFG, call graph
├── ir/              TAC lifter — EVM stack → register-based SSA IR
├── deobfuscation/   Indirect-jump detector, branch table injector
├── symbolic/        Z3 symbolic state, SimManager, DFS/directed/priority
│                    exploration, lambda memory, partial-concrete storage
├── concolic/        Seed extractor (trace_replayTransaction), concolic
│                    driver, branch-table path limiter
├── taint/           CalldataToCallTarget taint analysis
├── detectors/       Vulnerability oracle, VulnerabilityReport types
├── exploit/         AEG calldata synthesis, revm fork-state validator
└── chain/           RPC provider (reqwest), bytecode and trace fetching

---

Tracked ERC-20 tokens

ARGUS targets the seven tokens used in the paper's loss estimation (Table 1): WETH, USDT, USDC, WBTC, DAI, UNI, LINK.

Add more by extending SENSITIVE_TOKENS in crates/common/src/constants.rs.

---

Environment variables

Variable	Default	Description
ARGUS_ADDRESS	—	Contract address
ARGUS_BLOCK	latest	Reference block
ARGUS_RPC	http://127.0.0.1:8545	RPC endpoint
RUST_LOG	—	Log level (info, debug, trace)

---

Running tests

cargo test --workspace

Tests are unit tests only — no live RPC required.

---

Research basis

This tool is a Rust implementation of the techniques described in:

Insecurity Through Obscurity: Veiled Vulnerabilities in Closed-Source Contracts Sen Yang, Kaihua Qin, Aviv Yaish, Fan Zhang arXiv:2504.13398 — September 2025

The original Python implementation (SKANF) is built on Gigahorse and Greed. ARGUS replaces both with a self-contained Rust pipeline.

---

Disclaimer

ARGUS is a security research tool. Only use it to analyse contracts where you have permission to perform testing.

---

License

MIT