EVM

Assembly

Assembly is inline Yul or EVM-level code inside Solidity that can directly manipulate memory, storage, calldata, and calls.

Assembly is low-level code that bypasses many Solidity safety checks.

Assembly Explained in Detail

Assembly lets Solidity code use lower-level Yul or EVM operations. It can be useful for performance or custom encoding, but it bypasses many compiler checks.

Assembly can directly read calldata, write memory, write storage, make calls, and return or revert raw data.

Smart contract example

assembly {
    let ptr := mload(0x40)
    mstore(ptr, 0x1234)
}

Small mistakes in pointer or offset logic can corrupt memory.

Assembly in Auditing

Assembly is a high-risk review area because the compiler cannot protect as much. Bugs can hide in manual ABI encoding, storage-slot math, return-data handling, and low-level calls.

Auditors review assembly line by line.

Red flags in code

  • Manual calldata parsing lacks length checks.

  • Free memory pointer is corrupted.

  • sstore writes to computed slots without clear proof.

  • Return or revert data is copied with unchecked sizes.

  • Assembly calls use user-controlled targets or calldata.

How to test or review it

  • Fuzz lengths, offsets, and boundary values.

  • Compare assembly behavior against a simple Solidity reference.

  • Check memory pointer and scratch-space usage.

  • Review storage slot calculations.

  • Test malformed calldata and revert bubbling.

Sources