Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/arbitrary-storage-location

Name: arbitrary-storage-location
Author: apegurus

skills/vulnerability-patterns/arbitrary-storage-location/SKILL.md

npx skillsauth add apegurus/solidity-argus arbitrary-storage-location

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Write to Arbitrary Storage Location

Preconditions

Contract has a dynamic array in storage
User input controls the index used for writing to that array
No bounds checking on the index before the write
OR: assembly-level sstore with a user-controlled slot value

Vulnerable Pattern

uint256[] public data;
address public owner;

function write(uint256 index, uint256 value) external {
    // User controls index — can compute an index that maps
    // to any storage slot via the array's storage layout:
    // array elements start at keccak256(slot_of_length)
    // attacker calculates index to target owner's slot
    data[index] = value;
}

// Assembly variant
function writeSlot(uint256 slot, uint256 value) external {
    assembly {
        sstore(slot, value) // Direct arbitrary storage write
    }
}

Detection Heuristics

Search for dynamic array writes where the index comes from user input or function parameters
Check if the index is bounds-checked before the write (e.g., require(index < data.length))
Search for sstore in assembly blocks — check if the slot parameter is user-controlled
Search for .length assignments on dynamic arrays (Solidity <0.6.0 allowed array.length = X, enabling array expansion to reach any slot)
If an unbounded array write exists, verify whether the array's keccak256-based slot layout could collide with other state variable slots

False Positives

Array index is validated against array.length before writing
The array uses push() only (indices are not user-controlled)
Assembly sstore uses a hardcoded or internally computed slot
Modern Solidity (>=0.6.0) prevents direct .length manipulation

Remediation

Always bounds-check array indices: require(index < data.length)
Use push() and pop() instead of direct index assignment for dynamic arrays
Avoid exposing sstore with user-controlled slot values
Use mappings instead of arrays when random-access writes are needed

function safeWrite(uint256 index, uint256 value) external {
    require(index < data.length, "out of bounds");
    data[index] = value;
}

apegurus/arbitrary-storage-location

skills/vulnerability-patterns/arbitrary-storage-location/SKILL.md

- Contract has a dynamic array in storage

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus arbitrary-storage-location

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:24 AM128.1s1 file scanned

SKILL.md

name:: arbitrary-storage-location
description:: Direct storage slot writes require strict slot provenance checks
pattern_category:: logic-error
- regex:: sstore\(
severity:: High
confidence:: Low
swc:: SWC-124

Write to Arbitrary Storage Location

Preconditions

Contract has a dynamic array in storage
User input controls the index used for writing to that array
No bounds checking on the index before the write
OR: assembly-level sstore with a user-controlled slot value

Vulnerable Pattern

uint256[] public data;
address public owner;

function write(uint256 index, uint256 value) external {
    // User controls index — can compute an index that maps
    // to any storage slot via the array's storage layout:
    // array elements start at keccak256(slot_of_length)
    // attacker calculates index to target owner's slot
    data[index] = value;
}

// Assembly variant
function writeSlot(uint256 slot, uint256 value) external {
    assembly {
        sstore(slot, value) // Direct arbitrary storage write
    }
}

Detection Heuristics

Search for dynamic array writes where the index comes from user input or function parameters
Check if the index is bounds-checked before the write (e.g., require(index < data.length))
Search for sstore in assembly blocks — check if the slot parameter is user-controlled
Search for .length assignments on dynamic arrays (Solidity <0.6.0 allowed array.length = X, enabling array expansion to reach any slot)
If an unbounded array write exists, verify whether the array's keccak256-based slot layout could collide with other state variable slots

False Positives

Array index is validated against array.length before writing
The array uses push() only (indices are not user-controlled)
Assembly sstore uses a hardcoded or internally computed slot
Modern Solidity (>=0.6.0) prevents direct .length manipulation

Remediation

Always bounds-check array indices: require(index < data.length)
Use push() and pop() instead of direct index assignment for dynamic arrays
Avoid exposing sstore with user-controlled slot values
Use mappings instead of arrays when random-access writes are needed

function safeWrite(uint256 index, uint256 value) external {
    require(index < data.length, "out of bounds");
    data[index] = value;
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/arbitrary-storage-location ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT