// the find
Decurity/semgrep-smart-contracts
Semgrep rules for smart contracts based on DeFi exploits
A collection of Semgrep rules for catching known DeFi vulnerability patterns in Solidity, Rust (Solana), and Cairo smart contracts. Each rule is grounded in a real exploit (Compound reentrancy, Balancer read-only reentrancy, Curve price manipulation, and so on) and ships with the actual vulnerable code as a test fixture. For teams running static analysis in CI on smart contract codebases, this is a starting point, not a complete audit: it catches the shapes of exploits that have already happened.
Rules trace back to named real-world exploits (Hundred Finance, Superfluid, OlympusDAO forks), so each one encodes a concrete threat model rather than a theoretical one. Test fixtures are the actual vulnerable source with `ruleid` annotations, so `semgrep --test` checks that every annotated line still produces a finding and tells you immediately when a rule regresses. Coverage spans Solidity, Solana/Rust, and Cairo, which is rare; most rule sets stop at the EVM. The rules are in the official Semgrep registry as `p/smart-contracts`, so `semgrep --config p/smart-contracts` pulls them without cloning the repo.
Solidity support in Semgrep is still experimental, and the README says so openly: some rules are marked `todoruleid` because the engine cannot match their fixtures yet, and since `semgrep --test` does not count a `todoruleid` line as a failure, CI stays green on rules that never fire. Cross-function (inter-procedural) taint analysis, which the reentrancy and data-flow rules that matter most depend on, requires Semgrep's Pro Engine (`--pro`), which needs a Semgrep account and is not part of the open-source engine; OSS Semgrep gives you pattern matching and single-function taint tracking only. The gas optimization rules are largely outdated after Shanghai and Cancun; several flag patterns that current Solidity compiler optimizations already handle, so they add noise rather than savings. Access control coverage is limited to a handful of protocol-specific rules, so anything that does not match a known exploit shape will slip through.
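The `semgrep --test` workflow and the `todoruleid` caveat above, turned into a check you can run in CI, as an added example that is not code from the Decurity repo. It parses a Solidity fixture for Semgrep's annotation comments (`ruleid:`, `ok:`, `todoruleid:`, `todook:`, each applying to the source line that follows it; the same `//` comment form works for Rust and Cairo fixtures), lists rules whose fixtures carry only deferred annotations, and reconciles a `semgrep --json` run against the fixture. The contract, the rule ids `example-call-before-state-write` and `example-readonly-reentrancy`, the path `tests/Vault.sol` and the JSON result are constructed for this example; the `results[].check_id`, `results[].path` and `results[].start.line` fields are Semgrep's own output shape.

```python
"""Audit Semgrep test fixtures for deferred (todoruleid) rules and reconcile a
`semgrep --json` run with the fixture's annotations. Added example, not code
from the Decurity repo: the fixture, rule ids, path and JSON result are
constructed; annotation keywords and JSON field names are Semgrep's own."""
import json
import re
from collections import defaultdict

# An annotation comment applies to the next non-empty source line. ruleid = must
# match, ok = must not match, todoruleid/todook = not enforced by `semgrep --test`.
# The `//` prefix fits Solidity, Rust and Cairo fixtures.
ANNOTATION = re.compile(r"^\s*//\s*(ruleid|todoruleid|ok|todook):\s*(.+?)\s*$")

# Constructed fixture: vulnerable withdraw(), its hardened twin, and a getter
# whose rule is still deferred with todoruleid.
FIXTURE_PATH = "tests/Vault.sol"
FIXTURE = """\
contract Vault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount);
        // ruleid: example-call-before-state-write
        (bool sent, ) = msg.sender.call{value: amount}("");
        require(sent);
        balances[msg.sender] -= amount;
    }

    function withdrawSafe(uint256 amount) external {
        require(balances[msg.sender] >= amount);
        balances[msg.sender] -= amount;
        // ok: example-call-before-state-write
        (bool sent, ) = msg.sender.call{value: amount}("");
        require(sent);
    }

    // todoruleid: example-readonly-reentrancy
    function getRate() external view returns (uint256) {
        return address(this).balance;
    }
}
"""

# Constructed `semgrep --json` output: the rule fired on the hardened function
# (line 16) and not on the vulnerable one (line 7), i.e. a regressed pattern.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "rules.example-call-before-state-write", "path": FIXTURE_PATH,
     "start": {"line": 16, "col": 9}, "end": {"line": 16, "col": 59},
     "extra": {"message": "state written after external call", "severity": "WARNING"}}
], "errors": []})


def parse_annotations(fixture):
    """Map rule id -> {annotation kind -> [line numbers of annotated code]}."""
    expected = defaultdict(lambda: defaultdict(list))
    pending = []  # annotations waiting for their source line
    for lineno, line in enumerate(fixture.splitlines(), start=1):
        m = ANNOTATION.match(line)
        if m:
            kind, ids = m.groups()
            pending.extend((kind, rid) for rid in re.split(r",\s*", ids))
        elif line.strip():
            for kind, rid in pending:
                expected[rid][kind].append(lineno)
            pending = []
    return expected


def inert_rules(expected):
    """Rules with todoruleid lines and no ruleid line: `semgrep --test` can never
    fail on them, so CI stays green whether or not the rule ever matches."""
    return sorted(r for r, k in expected.items() if k.get("todoruleid") and not k.get("ruleid"))


def reconcile(expected, semgrep_json, path):
    """Return (missed, unexpected): ruleid lines without a finding, and findings
    on lines not marked ruleid/todoruleid for that rule (false positives)."""
    found = defaultdict(set)
    for r in json.loads(semgrep_json)["results"]:
        if r["path"] == path:
            # check_id gets the rule file's directory as a dotted prefix when semgrep
            # runs from a config path (rules.foo), so compare the last segment.
            found[r["check_id"].rsplit(".", 1)[-1]].add(r["start"]["line"])
    missed, unexpected = [], []
    for rid, kinds in expected.items():
        missed += [(rid, ln) for ln in kinds.get("ruleid", []) if ln not in found.get(rid, ())]
    for rid, lines in found.items():
        kinds = expected.get(rid, {})
        allowed = set(kinds.get("ruleid", [])) | set(kinds.get("todoruleid", []))
        unexpected += [(rid, ln) for ln in lines if ln not in allowed]
    return sorted(missed), sorted(unexpected)


if __name__ == "__main__":
    exp = parse_annotations(FIXTURE)
    print("inert rules:", inert_rules(exp))
    print("missed, unexpected:", reconcile(exp, SEMGREP_JSON, FIXTURE_PATH))
```

Run the inert-rule listing as a CI step next to `semgrep --test`; a non-empty list names a rule that cannot fail the build. For the reconciliation step, feed it the output of `semgrep --config <rules-dir> --json tests/Vault.sol` in place of the constructed `SEMGREP_JSON`; a `missed` entry on a rule that only matches under `--pro` is the cheapest way to discover that your pipeline is running the OSS engine.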