Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault

No arguments

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}
prompts
{
  "listChanged": true
}
resources
{
  "listChanged": true
}

Tools

Functions exposed to the LLM to take actions

NameDescription
evm_scan_vulnerabilitiesA

Run Slither static analysis on a Solidity contract and return schema-validated vulnerability findings.

Each finding includes the detector name, severity, description, source file, line numbers, and the actual code snippet extracted from the file system.

Args:

  • contractPath (string): Absolute path to the Solidity file or Foundry project root

  • severityFilter (string[], optional): Only return findings at these severities ("High" | "Medium" | "Low" | "Informational")

  • maxFindings (number, optional): Cap the number of findings returned (default: all)

  • detectors (string[], optional): Run only these Slither detector ids (e.g. ["reentrancy-eth", "arbitrary-send-eth"]) for a focused scan

Returns: JSON object: { "findings": [ { "check": string, // Slither detector id (e.g. "reentrancy-eth") "severity": string, // "High" | "Medium" | "Low" | "Informational" "description": string, // Human-readable explanation "file": string, // Relative path to the source file "lines": number[], // Affected line numbers (1-indexed) "code_snippet": string // Extracted source code from the file } ], "totalFindings": number, // Total before truncation/capping "truncated": boolean // true if findings were dropped to fit the response limit }

Examples:

  • "Audit src/Vault.sol for reentrancy" → contractPath = "/path/to/src/Vault.sol"

  • "Run security scan on my Foundry project" → contractPath = "/path/to/project"

  • "Only high-severity issues" → severityFilter = ["High"]

  • Do NOT use for gas analysis (use evm_analyze_gas_profile instead)

Error Handling:

  • Returns isError=true if the path does not exist or Slither is not installed/crashes

  • Returns empty findings array if no vulnerabilities found

evm_analyze_gas_profileA

Run forge test --gas-report and return structured gas consumption data per contract and function.

Args:

  • projectPath (string): Absolute path to a Foundry project (must contain foundry.toml)

Returns: JSON object: { "contracts": [ { "name": string, // e.g. "src/Token.sol:Token" "deploymentCost": number, // Gas used for deployment "deploymentSize": number, // Bytecode size in bytes "functions": [ { "name": string, // Function name "min": number, // Minimum gas "avg": number, // Average gas "median": number, // Median gas "max": number, // Maximum gas "calls": number // Number of calls in tests } ] } ] }

Examples:

  • "Show gas usage for my project" → projectPath = "/path/to/foundry-project"

  • Do NOT use for security auditing (use evm_scan_vulnerabilities instead)

Error Handling:

  • Returns isError=true if Foundry is not installed or tests fail to compile

evm_compile_and_diagnoseA

Run forge build and return structured compiler diagnostics.

If compilation succeeds, returns { "success": true, "diagnostics": [] }. If compilation fails, parses the error output into a JSON array of diagnostics.

Args:

  • projectPath (string): Absolute path to the Foundry project

Returns: { "success": boolean, // true if the project compiled cleanly "diagnostics": [ { "file": string, // e.g. "src/Token.sol" "line": number, // Line number (1-indexed) "column": number, // Column number (1-indexed) "message": string, // Compiler error message "snippet": string // Code snippet around the error } ] }

Examples:

  • "Check if my contracts compile" → projectPath = "/path/to/project"

  • "Fix the compilation error" → call this tool, read the diagnostics, fix the file

Error Handling:

  • Returns isError=true if forge is not installed

evm_simulate_transactionA

Execute a read-only call against an EVM node using Foundry cast and return decoded results or revert reasons.

This tool does NOT submit a real transaction; it simulates via eth_call.

Args:

  • target (string): Target contract address (0x-prefixed, 42 chars)

  • signature (string): Function signature, e.g. "balanceOf(address)"

  • args (string, optional): Space-separated arguments for the function call

  • rpcUrl (string): JSON-RPC endpoint URL (e.g. http://localhost:8545)

Returns: { "success": boolean, "returnData": string, // Hex-encoded return data (on success) "revertReason": string, // Decoded revert string (on failure) "error": string // Raw error message (on execution failure) }

Examples:

  • "Check the balance of 0xabc..." → target=contract, signature="balanceOf(address)", args="0xabc..."

  • "Call the owner() function" → target=contract, signature="owner()", rpcUrl="http://localhost:8545"

Error Handling:

  • Returns { success: false, revertReason } if the call reverts

  • Returns { success: false, error } if cast is not installed or RPC is unreachable

evm_inspect_storage_layoutA

Run forge inspect storage-layout and return the resolved storage slot assignment for every state variable.

Essential for proxy-upgrade safety checks (storage-layout collisions) and storage-packing gas analysis.

Args:

  • projectPath (string): Absolute path to the Foundry project root

  • contractName (string): Contract name (e.g. "Token") or fully qualified name (e.g. "src/Token.sol:Token")

Returns: JSON object: { "entries": [ { "label": string, // State variable name "slot": number, // Storage slot index "offset": number, // Byte offset within the slot "type": string, // Human-readable type (e.g. "address", "mapping(address => uint256)") "bytes": number // Size of the variable in bytes } ] }

Examples:

  • "Check storage layout of my proxy implementation" → contractName = "TokenV2"

  • "Will upgrading V1 to V2 corrupt storage?" → call once per contract, compare entries

Error Handling:

  • Returns isError=true if forge is not installed, the project path is invalid, or the contract is not found

evm_trace_callA

Execute a read-only call with cast call --trace and return the structured call tree: every internal call, its gas cost, call type, return values, emitted events, and revert frames.

Use this to verify exploit reachability, inspect cross-contract call flows, or debug unexpected reverts. This tool does NOT submit a real transaction.

Args:

  • target (string): Target contract address (0x-prefixed, 42 chars)

  • signature (string): Function signature, e.g. "withdraw(uint256)"

  • args (string, optional): Space-separated arguments for the function call

  • rpcUrl (string): JSON-RPC endpoint URL (e.g. http://localhost:8545)

Returns: JSON object: { "reverted": boolean, // true if any frame reverted "gasUsed": number, // Total gas used (when reported) "events": [ { "depth": number, // Nesting depth in the call tree (0 = top frame) "kind": string, // "call" | "return" | "stop" | "revert" | "emit" "gas": number, // Gas for call frames "target": string, // Callee address or label "call": string, // Function + arguments "callType": string, // "staticcall" | "delegatecall" | undefined (regular call) "value": string // Return data, revert reason, or event payload } ] }

Examples:

  • "Why does withdraw() revert?" → trace it, read the deepest revert frame

  • "Does transfer() call an external contract?" → look for depth > 0 call events

Error Handling:

  • Returns isError=true if cast is not installed, the RPC is unreachable, or no trace was produced

evm_decode_calldataA

Decode hex calldata into a function signature and typed argument values using Foundry cast.

If you know the function signature, pass it for a fully offline, deterministic decode (cast calldata-decode). Without a signature, the 4-byte selector is resolved via the openchain.xyz signature database (cast 4byte-decode) — requires network access.

Args:

  • calldata (string): Hex-encoded calldata (0x-prefixed, at least the 4-byte selector)

  • signature (string, optional): Known function signature, e.g. "transfer(address,uint256)"

Returns: JSON object: { "success": boolean, "signature": string, // Resolved or provided function signature "values": string[] // Decoded argument values, one per parameter }

Examples:

  • "What does this pending tx do?" → calldata = "0xa9059cbb000...", no signature

  • "Decode this transfer call" → calldata + signature = "transfer(address,uint256)"

Error Handling:

  • Returns isError=true if cast is not installed, the calldata is malformed, or the selector is unknown

evm_run_testsA

Run forge test and return structured per-suite, per-test results — including fuzz runs and the exact counterexample calldata for failing fuzz/invariant tests.

Use this to verify behavior equivalence after a rewrite, run invariant suites, or drive a Generate-Repair-Execute proof-of-concept loop.

Args:

  • projectPath (string): Absolute path to the Foundry project root

  • matchTest (string, optional): Only run test functions matching this regex (forge --match-test)

  • matchPath (string, optional): Only run test files matching this glob (forge --match-path)

Returns: JSON object: { "allPassed": boolean, "totalPassed": number, "totalFailed": number, "totalSkipped": number, "suites": [ { "name": string, // e.g. "test/Vault.t.sol:VaultTest" "passed": number, "failed": number, "skipped": number, "tests": [ { "name": string, // e.g. "testFuzz_withdraw(uint256)" "status": string, // "pass" | "fail" | "skip" "reason": string, // Failure reason (on fail) "counterexample": string, // Fuzz counterexample calldata + args (on fuzz fail) "gas": number, // Gas for unit tests "fuzzRuns": number, // Runs for fuzz/invariant tests "medianGas": number // Median gas for fuzz tests } ] } ] }

Examples:

  • "Do my invariant tests still hold?" → matchTest = "invariant"

  • "Verify the refactor didn't break Vault" → matchPath = "test/Vault.t.sol"

Error Handling:

  • Returns isError=true if forge is not installed, the path is invalid, or compilation fails (use evm_compile_and_diagnose for compiler errors)

evm_toolchain_versionsA

Report which host toolchain binaries (slither, forge, cast) are installed and their exact versions.

Call this once before an analysis session to (a) verify prerequisites and (b) record versions so findings are reproducible — Slither detector sets and forge gas accounting change between releases.

Args: none

Returns: JSON object: { "tools": [ { "tool": string, // "slither" | "forge" | "cast" "installed": boolean, "version": string // First line of --version output (when installed) } ] }

Error Handling:

  • Never errors; missing binaries are reported as installed: false

Prompts

Interactive templates invoked by user choice

NameDescription
audit_contractSeverity-rated security audit of a Solidity contract following the vulnerability-scanning workflow (pattern seek → confirm reachability → report). Uses evm_scan_vulnerabilities, evm_trace_call, and evm_inspect_storage_layout.
optimize_gasMeasured gas-optimization pass following the gas-optimization workflow (one rewrite at a time, security + equivalence + measurement proofs). Uses evm_analyze_gas_profile, evm_scan_vulnerabilities, and evm_inspect_storage_layout.
analyze_arbitrageQuantify a DeFi price dislocation net of fees, gas, slippage, and bribes following the arbitrage-analysis workflow. Analysis only — no trade execution. Uses evm_simulate_transaction, evm_trace_call, and evm_decode_calldata.

Resources

Contextual data attached and managed by the client

NameDescription
vulnerabilitiesEVM Security Vulnerability Patterns — reentrancy, access control, integer overflow, and more
gas_optimizationsEVM Gas Optimization Patterns — storage packing, calldata vs memory, unchecked math
arbitrage_patternsEVM Arbitrage Strategies — AMM math, sandwich detection, flash-loan routes

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/0xendale/evm-agent-toolkit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server