Gianluca Brigandi
Traverse Tool Released

Traverse Tool Released


Smart Contracts
traverse solidity smart-contracts rust security-research defi ethereum call-graphs gas-optimization

Traverse: Call Graph-Based Solidity Analysis, Now Open Source

Noah Marconi (@NoahMarconi), Head of Security at Monad Foundation, and I are excited to announce that Traverse is now open source - the output of our collaboration on building an opinionated call graph-based analysis tool that aims to improve how security researchers and developers understand Solidity code. Check out Noah’s release announcement for his perspective on why we built this.

The Security Researcher’s Challenge

Contract auditing presents a familiar challenge to anyone who has done serious security research. You start with a function and trace its execution path - following internal calls to library functions, tracking external interactions, and mapping how control flows back through the system. As the complexity grows, the mental overhead becomes crushing.

Security researchers have developed coping strategies: sketching diagrams on whiteboards, taking detailed notes about state changes, creating sequence diagrams to visualize complex interactions. But these manual processes are time-consuming and error-prone. The recognition that this cognitive burden was a fundamental limitation in smart contract analysis sparked the idea for Traverse.

The Core Insight: Call Graph as Foundation

The breakthrough that enabled Traverse was recognizing that the call graph could serve as an ubiquitous intermediate representation for multiple analysis tools. Instead of building separate parsers for different use cases, we could create one robust call graph generator and use it as the foundation for code generation, visualization, testing, and analysis tools.

This architectural decision proved transformative. Rather than manually creating sequence diagrams for every audit, tooling could automatically generate these visualizations directly from source code. The call graph becomes a universal primitive that enables multiple specialized workflows. For a deeper dive into the technical architecture and design philosophy, see the DESIGN.md document in the repository.

Solving Real Problems in Security Research

Working with Noah, I focused on addressing several critical gaps in existing tooling:

Interface Resolution Failures: Every developer knows the frustration of cmd-clicking in VS Code only to land on an interface file instead of the actual implementation. This wastes precious time during security reviews when you need to understand what code actually executes.

Mental Overhead in Complex Systems: Following execution paths across multiple contracts, libraries, and external calls becomes cognitively overwhelming. Security researchers were already creating call graphs manually - automation was the obvious solution.

Inadequate Analysis Tools: Existing tools treat each analysis task separately, leading to duplicated effort and inconsistent results.

The Traverse Toolkit

From the call graph foundation, we built five specialized tools that address these problems:

sol2cg - Automated Diagram Generation

Generates call graphs in DOT format and sequence diagrams in Mermaid syntax. These are the exact visualizations that security researchers create manually, but generated automatically and kept in sync with code changes.

# Generate call graphs for security review
sol2cg contracts/*.sol -o callgraph.dot
dot -Tpng callgraph.dot -o callgraph.png

# Create sequence diagrams for documentation
sol2cg -f mermaid contracts/*.sol -o security-review.mmd

sol2test - Foundry Test Generation

Automatically generates comprehensive test suites with proper setup functions, deployment scripts, and test stubs for every public function. This addresses the testing gaps commonly found in security audits.

sol-storage-analyzer - Storage Pattern Analysis

Provides detailed reports on storage read/write patterns. Critical for understanding state changes, identifying potential vulnerabilities related to storage manipulation, and discovering gas optimization opportunities through redundant storage access detection.

storage-trace - Execution Comparison

Compares storage access patterns between different functions, helping identify subtle differences that could indicate bugs or security issues.

sol2bnd - Interface Resolution

Creates proper mappings between interfaces and implementations, solving the cmd-click problem that wastes time during code review.

Impact on Security Research and Development Workflows

The tools have proven their value in both security research and optimization workflows:

  • Faster issue detection - automated call graphs reveal patterns that are easy to miss in manual review, from vulnerabilities to gas inefficiencies
  • Better audit documentation - sequence diagrams generated directly from code stay synchronized with implementation changes
  • Reduced cognitive overhead - researchers and developers can focus on logic and optimization rather than mapping execution flows
  • Comprehensive test coverage - automated test generation catches edge cases that manual testing often misses
  • Gas optimization insights - storage access patterns and execution path analysis identify costly operations and redundant state changes

The Open Source Decision

There’s so much work to do, bugs to uncover, and use cases to tackle. We’re open-sourcing Traverse because the vision extends beyond individual security research. The call graph IR primitive has potential applications we haven’t even explored yet, and the security research community needs tools that can keep pace with increasingly complex DeFi protocols.

Open sourcing also enables the broader community to contribute security patterns, detection rules, and workflow improvements based on their own audit experiences.

Getting Started

Traverse is available now at github.com/calltrace/traverse and integrates seamlessly with existing security research workflows:

# Install from source (crates.io release coming soon)
git clone --recursive https://github.com/calltrace/traverse.git
cd traverse
cargo build --release

# Generate security review diagrams
./target/release/sol2cg contracts/*.sol -f mermaid -o audit-diagrams.mmd

# Analyze storage patterns for potential vulnerabilities
./target/release/sol-storage-analyzer contracts/*.sol -o storage-analysis.md

# Generate comprehensive test coverage
./target/release/sol2test --project ./protocol --use-foundry

Traverse generates standard formats you already know - DOT files for Graphviz, Mermaid diagrams, and Foundry-compatible test files.

If you’re doing security research on Ethereum, or any EVM-compatible chain, Traverse will change how you approach contract analysis. The learning curve is minimal - if you can read Solidity, you can use Traverse.

Smart contract analysis shouldn’t be bottlenecked by tooling limitations. Traverse aims to remove those bottlenecks so researchers and developers can focus on finding the issues that matter - whether they’re security vulnerabilities, gas inefficiencies, or architectural improvements.

Roadmap: Behavior-Driven Development for Smart Contracts

Our next major initiative will extend Traverse with a custom BDD framework designed specifically for Solidity. Traditional BDD tools struggle with smart contract complexity - they weren’t built to handle intricate state transitions, execution paths, and the unique behavioral patterns of blockchain systems.

We plan to develop an extended Gherkin syntax that will natively understand Control Flow Graphs, eliminate glue code between specifications and test execution, and leverage Natspec documentation as first-class context. The framework will combine a Rust-based BDD runtime with deep Solidity integration through ether-rs, enabling behavioral specifications that directly translate to executable tests.

This approach will bridge the gap between high-level behavioral requirements and low-level contract verification. Security researchers will be able to express complex invariants and state mutation patterns as readable specifications that serve both as documentation and automated verification. The BDD framework will integrate seamlessly with Traverse’s call graph analysis, creating a unified platform for understanding, specifying, and testing smart contract behavior.

Join the Effort

There’s more work to do and use cases to explore. If you’re interested in contributing to smart contract analysis tooling:

  • Security researchers can share patterns and detection rules
  • Protocol teams can integrate Traverse into development workflows
  • Tool builders can explore the call graph IR primitive
  • Organizations can support open source security infrastructure

The project is designed to be flexible and evolve as new needs emerge across the Solidity development ecosystem.

Questions? Issues? Feature requests? Open an issue on GitHub or reach out to @NoahMarconi or me on Twitter. If you’re interested in collaborating or sponsoring Traverse development, we’re excited to connect.