Skip to main content

SARP - A Static Analysis Tool for Runtime Pallets

  • Team Name: Supercomputing Systems AG (SCS)
  • Payment Address: 0xd24622311a22470353bd21d9bcd9e02ba0cfebbe (USDC)
  • Level: 1

Project Overview πŸ“„β€‹

This application is a response to the RFP Static Analysis for Runtime Pallets


Runtime Pallets are modules for writing the business logic of blockchains in Substrate (a Rust framework for building blockchains). These are usually concise pieces of standalone code with relatively few dependencies and clear specifications, hence tractable targets for performing static analysis and verification. The code quality of a runtime pallet is crucial, as even minor defects can result in major exploits like DoS attacks or the stealing of funds by a malicious party. A static code analysis can help to automate the auditing processes and prevent introduction of defects throughout the software life-cycle.

Therefore we would like to develop a tool - SARP (Static Analysis tool for Runtime Pallets) to perform static analysis with reasonable soundness guarantees. In particular, we would like to target vunerability classes that are detectable using dataflow analysis techniques like tag analysis and taint analysis.

Our team has no prior knowledge in static code analysis, but has a good understanding of substrate and Rust.

Project Details​

We will base our work on MIRAI and extend it with checks on substrate pallets. For details see the Development Roadmap

Ecosystem Fit​

The tool will help any team developing substrate pallets. It can further be integrated in the CI pipelines of the teams, providing a continuous quality check on the pallet code.

In the long term it could be interesting to connect the work done here with the new emerging auditing DAOs (like Fuzzland or QRUCIAL DAO).

Team πŸ‘₯​

Team members​

  • Sabine Proll: Project Lead
  • Bigna HΓ€rdi: Developer
  • Edith Chevrier: Developer
  • Thomas Niederberger: Developer


  • Registered Address: Technoparkstrasse 1, 8005 ZΓΌrich, Switzerland
  • Registered Legal Entity: Supercomputing Systems AG

Team's experience​

Supercomputing Systems AG is a contractor with 130 engineers, working in the fields of software, electronics and system design. Profound know-how, solid methodological competence as well as efficient project management are the foundation of our success. Within the company we have a team of 5 blockchain developers, who have experience in the Polkadot ecosystem.

Our blockchain team has been a contributor to the ecoysystem since 2019. We started with grants from the Web3 Foundation to build the basis for Integritee (see our grants from waves 1, 3 and 5). After that, our team has worked for Integritee and Encointer as a contractor. Recently the team received grants from the Kusama treasury for maintaining and improving the substrate-api-client, see our proposals for Nov 22 - Jan 23 and Feb 23 - Apr 23.

Team Code Repos​

The team has mainly worked on the following repositories

Github accounts of the team members

Team LinkedIn Profiles​

Development Status πŸ“–β€‹

We will base our work on MIRAI and the RFP Static Analysis for Runtime Pallets

We have not started to work on this.

Development Roadmap πŸ”©β€‹


  • Total Estimated Duration: 0,5 months
  • Full-Time Equivalent (FTE): 0,8 FTE
  • Total Costs: 10.000 USD

Vulnerability Classes​

For this project we want to address the following vulnerability classes:

Milestone 1 - Research​

  • Estimated duration: 0,5 months
  • FTE: 0,8 FTE
  • Costs: 10.000 USD

In milestone 1 we want to investigate how the above stated vulnerability classes, can be detected by extending MIRAI.


0b.User DocumentationWe will provide a basic tutorial that explains how to use the tool on a substrate pallet.
0c.Testing and Testing GuideA first set of tests will be provided, together with a testing guide, that describes how to run them.
1.Prototype CodePrototype code to approach the above two stated vulnerability classes.
2.DocumentationTechnical documentation
  • describing the approach we plan to implement in milestone 2, incl. its limitations.
  • with (interesting) examples of the vulnerability classes.
3.EngagementEngage with teams at Web3 Foundation and Parity for prioritization.

Future Plans​

The next steps for the tool would be to:

  1. Implement a first simple version of the tool, together with tests and documentation.
  2. Improve the usability, by providing
    • means to surpress warnings
    • a comprehensive user tutorial, incl. documentation on the risks of each vulnerability
  3. Add more features including checks on the following vulnerability classes:
    • tracking bad randomness: ensure bad randomness does not leak into sensitive functions.
    • detect panics statically to avoid potential DoS attacks: these include unsafe arithmetic operations, access outside bounds, assertion failures, etc.
    • tracking unsanitised input leakage for sensitive functions.

Once we have a tool with a good feature set and basic usability features, we want to promote it to the Polkadot developers. Once the tool is in use, we hope to receive feedback on further features and improvements by the developers.

Additional Information βž•β€‹

How did you hear about the Grants Program? We have previously received grants by the Web3 Foundation for other projects (substratee and substrate-api-client).