zanzarini/EVMGuard

EVMGuard

EVMGuard is an open-source command-line tool that inspects EVM transactions for dangerous effects before you sign them. It decodes calldata, simulates against a JSON-RPC endpoint, walks call traces, and classifies proxy contracts, flagging risks such as unlimited token approvals, Permit2 grants, and blanket NFT approvals. It runs locally, sends no telemetry, and emits text, JSON, or SARIF for CI.

Status

Version 1.3.0 adds batch and multicall decoding. The analyzer unwraps Multicall3, OpenZeppelin multicall, and Gnosis Safe multiSend calls and recursively analyzes each inner call, so a dangerous action hidden inside a batch is caught instead of reported as an unknown selector. It keeps the 1.2.x risk analysis for ERC-20 allowances, EIP-2612, Uniswap Permit2, transfers, and contract-creation traces, on top of case-insensitive selector matching.

Scope

EVMGuard inspects transaction requests and execution traces to identify effects such as token approvals, asset transfers, delegate calls, and proxy usage. It does not sign transactions, broadcast transactions, manage private keys, or provide financial advice.

Why EVMGuard

  • Open source and auditable, under the Apache License 2.0.
  • Runs locally and sends no telemetry. Transaction data never leaves your machine.
  • Offline calldata analysis with inspect, no RPC endpoint required.
  • Machine-readable JSON and SARIF output that drops straight into CI and GitHub Code Scanning.
  • A single static binary for Linux, Windows, and macOS, with no runtime dependencies.

Current capabilities

  • Command-line transaction inspection.
  • Text, JSON, and SARIF reports.
  • Detection of ERC-20 approve calls.
  • Critical finding for unlimited ERC-20 approvals.
  • Critical findings for NFT operator approvals, privileged contract actions, and zero-address recipients.
  • Detection of ERC-20 allowance increases and EIP-2612 permit approvals, including unlimited-allowance findings.
  • Detection of ERC-20 transfer and transferFrom calls for transaction context.
  • Detection of Uniswap Permit2 approvals, signed permits and transfers, including unlimited uint160 allowances.
  • Batch and multicall decoding (Multicall3, OpenZeppelin multicall, Gnosis Safe multiSend) with recursive analysis of each inner call.
  • Configurable high-risk recipient detection.
  • RPC preflight with endpoint chain ID validation and gas estimation.
  • Call trace analysis for delegate calls, internal native transfers, and execution errors.
  • EIP-1967 proxy inspection for implementation, administrator, beacon, and UUPS metadata.
  • TOML rule configuration and reusable rule pack discovery.
  • Compiled rule pack interface for custom transaction, trace, and proxy checks.
  • Unit, Anvil integration, and coverage reporting workflows.

Install

From crates.io

cargo install evmguard

This builds and installs the evmguard binary with the stable Rust toolchain.

Prebuilt binaries

Linux, Windows, and macOS binaries are attached to each GitHub release. Download the binary for your platform and run it directly, no toolchain required.

From source

git clone https://github.com/zanzarini/EVMGuard.git
cd EVMGuard
cargo build --release -p evmguard

The binary is produced at target/release/evmguard.

Quick start

The complete command, flag, output, and rule reference is in the user manual.

After installing, inspect a transaction offline (no RPC endpoint required):

evmguard inspect \
  --chain-id 8453 \
  --from 0x1111111111111111111111111111111111111111 \
  --to 0x2222222222222222222222222222222222222222 \
  --data 0x095ea7b30000000000000000000000003333333333333333333333333333333333333333ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
  --format text

Use --format json for automation-friendly output.

Use --format sarif to generate a SARIF 2.1.0 report for security tooling.
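The offline check that the quick-start command performs, as an added Python example that is not EVMGuard's own code: it decodes the calldata above, matches the selector case-insensitively, and classifies the call the way the README describes (unlimited approval, zero-address recipient and NFT operator approval are critical). The four selectors are the standard ERC-20/ERC-721 ones; finding ids other than the two the README names are assumptions.

```python
UINT256_MAX = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20
# The README's quick-start calldata: approve(0x3333..., uint256 max).
README_CALLDATA = "0x095ea7b3" + "00" * 12 + "33" * 20 + "ff" * 32

# 4-byte selector (lower-case hex) -> signature. Matching is case-insensitive
# because bytes.hex() always produces lower case, whatever the input used.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def _word(args, i):
    """Return the i-th 32-byte ABI word, rejecting truncated calldata."""
    w = args[32 * i:32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("calldata truncated at argument %d" % i)
    return w

def _addr(w):
    return "0x" + w[12:].hex()  # an address is the low 20 bytes of the word

def _finding(rule, severity, detail):
    return {"rule": rule, "severity": severity, "detail": detail}

def inspect_calldata(data):
    """Decode calldata and return findings (rule ids beyond the README's two are assumed)."""
    raw = bytes.fromhex(data[2:] if data[:2].lower() == "0x" else data)
    if len(raw) < 4:
        return [_finding("transaction.empty-calldata", "info", "no selector")]
    sel, args = raw[:4].hex(), raw[4:]
    sig = SELECTORS.get(sel)
    if sig is None:
        return [_finding("transaction.unknown-selector", "warning", sel)]
    if sig.startswith("approve"):
        spender, amount = _addr(_word(args, 0)), int.from_bytes(_word(args, 1), "big")
        if amount == UINT256_MAX:
            return [_finding("erc20.unlimited-approval", "critical", spender)]
        return [_finding("erc20.approval", "info", "%s %d" % (spender, amount))]
    if sig.startswith("transfer"):
        to = _addr(_word(args, 1 if sig.startswith("transferFrom") else 0))
        if to == ZERO_ADDRESS:
            return [_finding("erc20.zero-address-recipient", "critical", to)]
        return [_finding("erc20.transfer", "info", to)]
    # setApprovalForAll: granting an operator is critical, revoking it is info
    operator, approved = _addr(_word(args, 0)), int.from_bytes(_word(args, 1), "big") != 0
    return [_finding("nft.operator-approval", "critical" if approved else "info", operator)]
```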

Rule configuration

Use --config evmguard.toml with any command to disable rules or override their severity:

[rules]
disabled = ["transaction.unknown-selector"]

[rules.severity]
"erc20.unlimited-approval" = "warning"

[targets]
suspicious = ["0x1111111111111111111111111111111111111111"]

Supported severities are info, warning, and critical.

Addresses listed under targets.suspicious produce a critical finding when used as a transaction recipient. Use this list for contracts that require explicit review in your environment.

Use include = ["path/to/rules.toml"] at the top level to load reusable rule packs. Local configuration overrides included severities.

Choosing an RPC endpoint

The inspect command is fully offline and needs no endpoint. The preflight, trace, and proxy commands need a JSON-RPC endpoint passed with --rpc-url.

Free public endpoints (no signup) work for preflight and proxy. For example, https://ethereum-rpc.publicnode.com (Ethereum, chain ID 1) or https://mainnet.base.org (Base, chain ID 8453). Providers such as Alchemy or Infura give a personal endpoint with higher rate limits. The trace command needs an endpoint that supports debug_traceCall with the callTracer, which most free public endpoints do not offer.

RPC preflight

Run a preflight request against a standard EVM JSON-RPC endpoint before submitting a transaction:

evmguard preflight \
  --rpc-url https://your-rpc-endpoint.example \
  --chain-id 8453 \
  --from 0x1111111111111111111111111111111111111111 \
  --to 0x2222222222222222222222222222222222222222 \
  --data 0x095ea7b3 \
  --value 0

The preflight verifies the endpoint chain ID and calls eth_estimateGas. It does not broadcast or sign transactions.
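The two JSON-RPC calls the preflight makes, written as an added Python example (not EVMGuard's code) against an injectable transport so it runs offline: eth_chainId is compared with --chain-id before eth_estimateGas is attempted, and a reverting call surfaces as an error rather than a gas figure. The fake endpoint and its replies are constructed sample data; http_transport is the only piece that talks to a real node.

```python
import json
import urllib.request

def rpc_request(method, params, req_id=1):
    return {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params}

def http_transport(url):
    """Real transport: POST one JSON-RPC request to `url`, return the parsed reply."""
    def send(req):
        http = urllib.request.Request(url, data=json.dumps(req).encode(),
                                      headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(http, timeout=15) as resp:
            return json.loads(resp.read())
    return send

def preflight(send, chain_id, tx):
    """Check the endpoint's chain ID, then estimate gas. Nothing is signed or broadcast."""
    reported = int(send(rpc_request("eth_chainId", []))["result"], 16)
    if reported != chain_id:
        return {"ok": False, "stage": "chain-id",
                "error": "endpoint reports chain %d, expected %d" % (reported, chain_id)}
    reply = send(rpc_request("eth_estimateGas", [tx], 2))
    if "error" in reply:  # a reverting call comes back as a JSON-RPC error, not a gas value
        return {"ok": False, "stage": "estimate-gas",
                "error": reply["error"].get("message", "unknown error")}
    return {"ok": True, "stage": "estimate-gas", "gas": int(reply["result"], 16)}

def fake_endpoint(chain_id_hex, gas_hex="0x0", revert_message=None):
    """Constructed stand-in for a node (sample data, not a real endpoint)."""
    def send(req):
        base = {"jsonrpc": "2.0", "id": req["id"]}
        if req["method"] == "eth_chainId":
            return {**base, "result": chain_id_hex}
        if req["method"] == "eth_estimateGas":
            if revert_message:
                return {**base, "error": {"code": 3, "message": revert_message}}
            return {**base, "result": gas_hex}
        return {**base, "error": {"code": -32601, "message": "method not found"}}
    return send

# The README's preflight request as a JSON-RPC transaction object (chain 8453 = 0x2105).
TX = {"from": "0x" + "11" * 20, "to": "0x" + "22" * 20, "data": "0x095ea7b3", "value": "0x0"}

if __name__ == "__main__":
    print(preflight(fake_endpoint("0x2105", gas_hex="0xb7e6"), 8453, TX))
    print(preflight(fake_endpoint("0x1"), 8453, TX))  # endpoint is on another chain
    print(preflight(fake_endpoint("0x2105", revert_message="execution reverted"), 8453, TX))
```

To run it against a live node, pass http_transport("https://your-rpc-endpoint.example") in place of the fake endpoint.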

Call trace analysis

Use a trace-capable EVM JSON-RPC endpoint to simulate a call with debug_traceCall and analyze its call tree:

evmguard trace \
  --rpc-url https://your-trace-rpc-endpoint.example \
  --chain-id 8453 \
  --from 0x1111111111111111111111111111111111111111 \
  --to 0x2222222222222222222222222222222222222222 \
  --data 0x \
  --format json

The endpoint must support the debug_traceCall method and the callTracer tracer.

Proxy inspection

Inspect a contract address for EIP-1967 proxy slots:

evmguard proxy \
  --rpc-url https://your-rpc-endpoint.example \
  --chain-id 8453 \
  --address 0x1111111111111111111111111111111111111111 \
  --format json

The inspection reads implementation, administrator, and beacon storage slots. It identifies UUPS implementations through proxiableUUID when the contract exposes that method.
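The slot reads behind the proxy command, as an added Python example that is not EVMGuard's code: it fetches the three EIP-1967 slots with eth_getStorageAt, classifies the contract, and asks the implementation for proxiableUUID() to recognise UUPS. The slot constants and the proxiableUUID selector are the values defined by EIP-1967 and ERC-1822; the fake chain state is constructed, and `send` is the same kind of injectable JSON-RPC transport as in the preflight example.

```python
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50"
PROXIABLE_UUID = "0x52d1902d"  # selector of proxiableUUID() (ERC-1822 / UUPS)

def _word_to_address(word_hex):
    """A slot holds 32 bytes; an address is the low 20 of them. Empty slot -> None."""
    raw = bytes.fromhex(word_hex[2:].rjust(64, "0"))
    return "0x" + raw[12:].hex() if any(raw) else None

def inspect_proxy(send, address):
    """Read the EIP-1967 slots via eth_getStorageAt and classify the contract."""
    def storage(slot):
        req = {"jsonrpc": "2.0", "id": 1, "method": "eth_getStorageAt",
               "params": [address, slot, "latest"]}
        return _word_to_address(send(req)["result"])
    impl, admin, beacon = storage(IMPL_SLOT), storage(ADMIN_SLOT), storage(BEACON_SLOT)
    uups = False
    if impl is not None:
        # ERC-1822: a UUPS implementation answers proxiableUUID() with the impl slot.
        # Ask the implementation directly; OpenZeppelin's UUPS reverts when delegated.
        req = {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
               "params": [{"to": impl, "data": PROXIABLE_UUID}, "latest"]}
        uups = send(req).get("result", "").lower() == IMPL_SLOT
    if beacon is not None:
        kind = "beacon"
    elif impl is None:
        kind = "not-a-proxy"
    elif admin is not None:
        kind = "transparent"
    else:
        kind = "uups" if uups else "unknown-eip1967"
    return {"kind": kind, "implementation": impl, "admin": admin,
            "beacon": beacon, "uups": uups}

def fake_chain(storage, proxiable=()):
    """Constructed chain state (not a real node): storage[(address, slot)] -> word."""
    def send(req):
        base, p = {"jsonrpc": "2.0", "id": req["id"]}, req["params"]
        if req["method"] == "eth_getStorageAt":
            return {**base, "result": storage.get((p[0], p[1]), "0x0")}
        if req["method"] == "eth_call" and p[0]["to"] in proxiable:
            return {**base, "result": IMPL_SLOT}
        return {**base, "error": {"code": 3, "message": "execution reverted"}}
    return send

PROXY, IMPL, ADMIN = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
TRANSPARENT = {(PROXY, IMPL_SLOT): "0x" + "00" * 12 + "aa" * 20,
               (PROXY, ADMIN_SLOT): "0x" + "00" * 12 + "bb" * 20}
```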

GitHub Code Scanning

The EVMGuard SARIF workflow can be started manually from the Actions tab. It runs a transaction preflight with the supplied RPC endpoint and uploads the resulting SARIF report to GitHub Code Scanning.

Network support

Supported JSON-RPC methods and endpoint requirements are documented in docs/providers.md.

Roadmap

The initial roadmap is available in docs/roadmap.md. The architecture and rule model are documented in docs/architecture.md and docs/rules.md.

Safety notice

EVMGuard provides analysis, not a safety guarantee. Results must be independently reviewed before acting on a transaction.

Contributing

Contribution guidelines are available in CONTRIBUTING.md. Security issues must follow SECURITY.md.

License

Licensed under the Apache License 2.0.

Release history

Release notes are maintained in CHANGELOG.md.

About

Open-source CLI that inspects EVM transactions for security risks before signing. Flags unlimited approvals, Permit2 grants, NFT operator approvals, proxy upgrades, and more, with text, JSON, and SARIF output.
