Add analyze bytecode cursor command

[0xDEnYO]

Why did I implement it this way?

Checklist before requesting a review

• I have performed a self-review of my code
• This pull request is as small as possible and only tackles one problem
• I have added tests that cover the functionality / test the bug
• For new facets: I have checked all points from this list: https://www.notion.so/lifi/New-Facet-Contract-Checklist-157f0ff14ac78095a2b8f999d655622e
• I have updated any required documentation

Checklist for reviewer (DO NOT DEPLOY and contracts BEFORE CHECKING THIS!!!)

• I have checked that any arbitrary calls to external contracts are validated and or restricted
• I have checked that any privileged calls (i.e. storage modifications) are validated and or restricted
• I have ensured that any new contracts have had AT A MINIMUM 1 preliminary audit conducted on by <company/auditor>

[coderabbitai]

Walkthrough

This PR adds documentation for the analyze-unverified-contract command workflow and introduces two new bash utility functions for 4byte selector decoding. The documentation outlines contract analysis steps including RPC resolution, disassembly, and report generation. The utilities validate selectors and batch-query the 4byte.directory API with configurable delays.

Changes

Cohort / File(s)	Summary
Documentation .cursor/commands/analyze-unverified-contract.md	New comprehensive guide for analyzing unverified contracts, covering input validation, RPC resolution, bytecode handling, disassembly/decompilation, selector extraction, signature enrichment, and structured report generation.
Shell Utilities script/playgroundHelpers.sh	Added two new exported functions: decodeSelector4byte (validates selector and queries 4byte.directory) and decodeSelectors4byte (batch processes multiple selectors with dependency checks and request throttling).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete. The 'Why did I implement it this way?' section is empty, and the Jira task field is missing entirely. While checklists are present, critical context about the implementation is absent.	Add the missing 'Which Jira task belongs to this PR?' section and provide substantive details explaining the implementation approach and design decisions.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add analyze bytecode cursor command' directly aligns with the primary changes: adding documentation for a new analyze-unverified-contract cursor command and supporting shell script utilities.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-analyze-bytecode-command

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• JIRA integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.cursor/commands/analyze-unverified-contract.md:
- Line 62: The comment incorrectly labels selector 0x4e487b71 as Error(string) —
update the text to correctly map selectors: change the exclusion list to
`0xffffffff` (sentinel), `0x4e487b71` (Panic(uint256)) and, if intending to
exclude Error(string), add `0x08c379a0` (Error(string)); edit the line
containing those selectors so it explicitly lists the correct
selector-to-signature mappings (`0x4e487b71` → Panic(uint256), `0x08c379a0` →
Error(string)) to avoid misleading users of the analyze-unverified-contract
command.
- Line 44: Update the install command string that currently reads "curl -L
http://get.heimdall.rs | bash" to use HTTPS ("curl -L https://get.heimdall.rs |
bash") in the analyze-unverified-contract instruction text so the installer is
fetched securely; keep the rest of the message unchanged and ensure any prompt
that offers to continue after install references the updated HTTPS URL.

In `@script/playgroundHelpers.sh`:
- Around line 2076-2084: The RESPONSE variable may contain non-JSON which makes
COUNT empty when parsing with jq, so update the selector-resolving logic (around
FOURBYTE_URL, RESPONSE, SELECTOR, COUNT) to detect jq parse failure and treat
that as "no match": after capturing RESPONSE, attempt to parse .count with jq
but check jq's exit status or whether COUNT is empty/null, and if jq fails or
COUNT is empty/null, print the "(no match)" line and return; this prevents
falling through into signature extraction on invalid API responses and keeps the
existing behavior for valid JSON.

🧹 Nitpick comments (2)

.cursor/commands/analyze-unverified-contract.md (1)

74-83: Section 7 sub-labels are non-sequential (D, B, C, A) — consider relabeling for clarity.

The labels jump around (D → B → C → A) which is confusing even though the ordering by speed is intentional. Consider using numbered sub-steps (7.1, 7.2, 7.3, 7.4) or sequential letters (A, B, C, D) reordered to match the intended priority.

script/playgroundHelpers.sh (1)

2122-2128: Invalid selectors passed as arguments are silently discarded.

When selectors are provided as positional arguments, invalid ones are skipped without any warning. A typo like 0x1234567g would be silently ignored, which could confuse users who expect results for every argument.

Proposed fix — emit a warning for skipped selectors

     local ARG
     for ARG in "$@"; do
       if isValidSelector "$ARG"; then
         SELECTORS+=("$ARG")
+      else
+        warning "decodeSelectors4byte: skipping invalid selector '$ARG'"
       fi
     done

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

heimdall-rs install https get.heimdall.rs

💡 Result:

To install heimdall-rs via the get.heimdall.rs installer (installs bifrost, then you run bifrost to build/install Heimdall):

curl -L https://get.heimdall.rs | bash

Then open a new terminal and run:

bifrost

[1] [2]

---

Change HTTP to HTTPS in the Heimdall install URL.

The install command should use https://get.heimdall.rs instead of http://get.heimdall.rs to avoid MITM attacks when piping the script into bash.

🤖 Prompt for AI Agents

In @.cursor/commands/analyze-unverified-contract.md at line 44, Update the
install command string that currently reads "curl -L http://get.heimdall.rs |
bash" to use HTTPS ("curl -L https://get.heimdall.rs | bash") in the
analyze-unverified-contract instruction text so the installer is fetched
securely; keep the rest of the message unchanged and ensure any prompt that
offers to continue after install references the updated HTTPS URL.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Incorrect selector comment: 0x4e487b71 is Panic(uint256), not Error(string).

Error(string) is 0x08c379a0. The selector 0x4e487b71 corresponds to Panic(uint256). This would mislead anyone using this command to analyze contracts.

Proposed fix

-- **Exclude**: `0xffffffff` (sentinel), `0x4e487b71` (Error(string)).
+- **Exclude**: `0xffffffff` (sentinel), `0x4e487b71` (Panic(uint256)).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Exclude**: `0xffffffff` (sentinel), `0x4e487b71` (Error(string)).
	- **Exclude**: `0xffffffff` (sentinel), `0x4e487b71` (Panic(uint256)).

🤖 Prompt for AI Agents

In @.cursor/commands/analyze-unverified-contract.md at line 62, The comment
incorrectly labels selector 0x4e487b71 as Error(string) — update the text to
correctly map selectors: change the exclusion list to `0xffffffff` (sentinel),
`0x4e487b71` (Panic(uint256)) and, if intending to exclude Error(string), add
`0x08c379a0` (Error(string)); edit the line containing those selectors so it
explicitly lists the correct selector-to-signature mappings (`0x4e487b71` →
Panic(uint256), `0x08c379a0` → Error(string)) to avoid misleading users of the
analyze-unverified-contract command.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Empty COUNT from jq parse failure falls through incorrectly.

If the API returns non-JSON (e.g., rate-limit HTML or server error), jq -r '.count // 0' will fail and COUNT will be empty. The check on line 2081 doesn't cover that case, causing the function to fall through to the signatures extraction which will also produce garbage output.

Proposed fix

   local RESPONSE
   RESPONSE=$(curl -sS -L "${FOURBYTE_URL}/?hex_signature=${SELECTOR}" 2>/dev/null || echo '{"count":0}')
   local COUNT
   COUNT=$(echo "$RESPONSE" | jq -r '.count // 0')
-  if [[ "$COUNT" == "0" || "$COUNT" == "null" ]]; then
+  if [[ -z "$COUNT" || "$COUNT" == "0" || "$COUNT" == "null" ]]; then
     printf "%s\t%s\n" "$SELECTOR" "(no match)"
     return 0
   fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	local FOURBYTE_URL="${FOURBYTE_URL:-https://www.4byte.directory/api/v1/signatures}"
	local RESPONSE
	RESPONSE=$(curl -sS -L "${FOURBYTE_URL}/?hex_signature=${SELECTOR}" 2>/dev/null || echo '{"count":0}')
	local COUNT
	COUNT=$(echo "$RESPONSE" | jq -r '.count // 0')
	if [[ "$COUNT" == "0" || "$COUNT" == "null" ]]; then
	printf "%s\t%s\n" "$SELECTOR" "(no match)"
	return 0
	fi
	local FOURBYTE_URL="${FOURBYTE_URL:-https://www.4byte.directory/api/v1/signatures}"
	local RESPONSE
	RESPONSE=$(curl -sS -L "${FOURBYTE_URL}/?hex_signature=${SELECTOR}" 2>/dev/null || echo '{"count":0}')
	local COUNT
	COUNT=$(echo "$RESPONSE" | jq -r '.count // 0')
	if [[ -z "$COUNT" || "$COUNT" == "0" || "$COUNT" == "null" ]]; then
	printf "%s\t%s\n" "$SELECTOR" "(no match)"
	return 0
	fi

🤖 Prompt for AI Agents

In `@script/playgroundHelpers.sh` around lines 2076 - 2084, The RESPONSE variable
may contain non-JSON which makes COUNT empty when parsing with jq, so update the
selector-resolving logic (around FOURBYTE_URL, RESPONSE, SELECTOR, COUNT) to
detect jq parse failure and treat that as "no match": after capturing RESPONSE,
attempt to parse .count with jq but check jq's exit status or whether COUNT is
empty/null, and if jq fails or COUNT is empty/null, print the "(no match)" line
and return; this prevents falling through into signature extraction on invalid
API responses and keeps the existing behavior for valid JSON.