This skill helps you identify similar vulnerabilities across the codebase by abstracting patterns and locating variants.
`npx playbooks add skill multiversx/mx-ai-skills --skill variant_analysis`
---
name: variant_analysis
description: Finding "variants" of known bugs in other parts of the codebase.
---
# Variant Analysis
This skill helps you multiply the value of a single finding by locating similar vulnerabilities elsewhere.
## 1. The Pivot
Once you find a bug (e.g., "Missing usage of `checked_add` in function A"):
- **Abstract the Pattern**: "Arithmetic operation on user input without checks".
- **Search**: `grep` for other occurrences of the same pattern.
## 2. Common MultiversX Variants
- **Missing Payable Check**:
  - Found: One endpoint accepts payment but doesn't check `call_value()`.
  - Variant Search: Check ALL `#[payable]` endpoints.
- **Unbounded Iteration**:
  - Found: Iterating a `VecMapper` in `compute_reward`.
  - Variant Search: `grep -r "iter()"` on all mappers.
- **Async Callback Revert**:
  - Found: Callback `X` doesn't revert state on failure.
  - Variant Search: Check ALL `#[callback]` functions.
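The "Missing Payable Check" sweep as a script, added here as an example (it is not part of the skill or of MultiversX tooling): it finds every function carrying a `#[payable(...)]` attribute and reports those whose body never mentions `call_value()`. The contract source and the helper names are constructed for illustration, and the brace matching is a heuristic that does not skip braces inside strings or comments.

```python
import re

# Constructed sample contract source (illustrative, not from a real project).
SAMPLE = '''
#[multiversx_sc::contract]
pub trait Vault {
    #[payable("EGLD")]
    #[endpoint]
    fn deposit(&self) {
        let amount = self.call_value().egld_value();
        self.balance().update(|b| *b += &*amount);
    }

    #[payable("*")]
    #[endpoint(buyTicket)]
    fn buy_ticket(&self, id: u64) {
        // never inspects the payment
        self.tickets(id).set(self.blockchain().get_caller());
    }
}
'''

# A #[payable(...)] attribute, any further attributes, then the fn name.
ATTR_FN = re.compile(r'#\[payable\b[^\]]*\]\s*(?:#\[[^\]]*\]\s*)*fn\s+(\w+)')

def function_body(src, start):
    """Return the text from the first '{' after start to its matching '}'."""
    open_idx = src.index('{', start)
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx:i + 1]
    return src[open_idx:]  # unbalanced input: fall back to the rest of the file

def payable_without_call_value(src):
    """List (fn_name, line) for payable functions that never read call_value()."""
    hits = []
    for m in ATTR_FN.finditer(src):
        body = function_body(src, m.end())
        if 'call_value()' not in body:
            line = src.count('\n', 0, m.start()) + 1
            hits.append((m.group(1), line))
    return hits

if __name__ == '__main__':
    for name, line in payable_without_call_value(SAMPLE):
        print(f'line {line}: payable fn {name} never reads call_value()')
```

Each hit is a candidate for manual triage, since a function may delegate the payment check to a helper it calls.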
## 3. Automation
- Use `mvx_static_analysis` (Semgrep) to create a temporary rule for the variant.
This skill locates variants of a known bug across a codebase to multiply the impact of a single finding. It helps security engineers and developers turn one confirmed issue into a broader sweep for similar patterns, reducing missed vulnerabilities and improving code quality. The goal is fast, repeatable discovery of likely duplicates and near-misses.
Start by abstracting the root cause of the discovered bug into a concise pattern (for example, "arithmetic on user input without bounds checks" or "payable endpoints missing call_value checks"). Then run targeted searches across the repository using simple tools (grep, ripgrep) or create temporary static-analysis rules (Semgrep/mvx_static_analysis) to find other occurrences. Triage results and prioritize variants that match the original failure mode or could lead to similar exploitability.
How specific should the search pattern be?
Start broad to catch more variants, then refine to reduce false positives. Use context (annotations, function names, types) to improve precision.
When should I automate a variant search?
Automate once you confirm multiple variants or when the pattern recurs across modules; add a temporary rule to CI, then evolve it into a permanent check if useful.