Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Prerequisites:

You will need solc from Ethereum:

Now we can install slither directly using pip:

# pip3 install slither-analyzer

Let's see how it works. The syntax is very easy: just point it at the directory where the smart contracts are:

~/simple-auction$ slither . 
Compilation warnings/errors on ./simple-auction.sol:
Warning: This is a pre-release compiler version, please do not use it in production.
SimpleAuction.constructor(uint256,address).beneficiaryAddress (simple-auction.sol#46) lacks a zero-check on :
		- beneficiary = beneficiaryAddress (simple-auction.sol#48)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation

SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons
	Dangerous comparisons:
	- block.timestamp > auctionEndTime (simple-auction.sol#65)
SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons
	Dangerous comparisons:
	- block.timestamp < auctionEndTime (simple-auction.sol#127)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#block-timestamp

solc-0.8.14 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
. analyzed (1 contracts with 77 detectors), 4 result(s) found

Pros:

  • Good recommendations from an automated tool

Cons:

  • Difficult setup (relies on the underlying solc version), tons of incompatibilities
  • Very bad UI: critical findings in red, everything else in the default color. No formatting.

Extended usage:

$ slither --help 
usage: slither target [flag]

target can be:
	- file.sol // a Solidity file
	- project_directory // a project directory. See https://github.com/crytic/crytic-compile/#crytic-compile for the supported platforms
	- 0x.. // a contract on mainet
	- NETWORK:0x.. // a contract on a different network. Supported networks: mainet,ropsten,kovan,rinkeby,goerli,tobalaba,bsc,testnet.bsc,arbi,testnet.arbi,poly,avax,testnet.avax,ftm

For usage information, see https://github.com/crytic/slither/wiki/Usage

optional arguments:
  -h, --help            show this help message and exit
  --version             displays the current version

Compile options:
  --compile-force-framework COMPILE_FORCE_FRAMEWORK
                        Force the compile to a given framework (solc,truffle,embark,dapp,etherlime,etherscan,vyper,waffle,brownie,solc-
                        json,buidler,hardhat,standard,archive)
  --compile-remove-metadata
                        Remove the metadata from the bytecodes
  --compile-custom-build COMPILE_CUSTOM_BUILD
                        Replace platform specific build command
  --ignore-compile      Do not run compile of any platform

Solc options:
  --solc SOLC           solc path
  --solc-remaps SOLC_REMAPS
                        Add remapping
  --solc-args SOLC_ARGS
                        Add custom solc arguments. Example: --solc-args "--allow-path /tmp --evm-version byzantium".
  --solc-disable-warnings
                        Disable solc warnings
  --solc-working-dir SOLC_WORKING_DIR
                        Change the default working directory
  --solc-solcs-select SOLC_SOLCS_SELECT
                        Specify different solc version to try (env config). Depends on solc-select
  --solc-solcs-bin SOLC_SOLCS_BIN
                        Specify different solc version to try (path config). Example: --solc-solcs-bin solc-0.4.24,solc-0.5.3
  --solc-standard-json  Compile all specified targets in a single compilation using solc standard json
  --solc-force-legacy-json
                        Force the solc compiler to use the legacy json ast format over the compact json ast format

Truffle options:
  --truffle-ignore-compile
                        Do not run truffle compile
  --truffle-build-directory TRUFFLE_BUILD_DIRECTORY
                        Use an alternative truffle build directory
  --truffle-version TRUFFLE_VERSION
                        Use a local Truffle version (with npx)
  --truffle-overwrite-config
                        Use a simplified version of truffle-config.js for compilation
  --truffle-overwrite-version TRUFFLE_OVERWRITE_VERSION
                        Overwrite solc version in truffle-config.js (only if --truffle-overwrite-config)

Embark options:
  --embark-ignore-compile
                        Do not run embark build
  --embark-overwrite-config
                        Install @trailofbits/embark-contract-export and add it to embark.json

Dapp options:
  --dapp-ignore-compile
                        Do not run dapp build

Etherlime options:
  --etherlime-ignore-compile
                        Do not run etherlime compile
  --etherlime-compile-arguments
                        Add arbitrary arguments to etherlime compile (note: [dir] is the the directory provided to crytic-compile)

Etherscan options:
  --etherscan-only-source-code
                        Only compile if the source code is available.
  --etherscan-only-bytecode
                        Only looks for bytecode.
  --etherscan-apikey ETHERSCAN_API_KEY
                        Etherscan API key.
  --arbiscan-apikey ARBISCAN_API_KEY
                        Etherscan API key.
  --polygonscan-apikey POLYGONSCAN_API_KEY
                        Etherscan API key.
  --avax-apikey AVAX_API_KEY
                        Etherscan API key.
  --ftmscan-apikey FTMSCAN_API_KEY
                        Etherscan API key.
  --bscan-apikey BSCAN_API_KEY
                        Etherscan API key.
  --etherscan-export-directory ETHERSCAN_EXPORT_DIR
                        Directory in which to save the analyzed contracts.

Waffle options:
  --waffle-ignore-compile
                        Do not run waffle compile
  --waffle-config-file WAFFLE_CONFIG_FILE
                        Provide a waffle config file

NPX options:
  --npx-disable         Do not use npx

Buidler options:
  --buidler-ignore-compile
                        Do not run buidler compile
  --buidler-cache-directory BUIDLER_CACHE_DIRECTORY
                        Use an alternative buidler cache directory (default ./cache)
  --buidler-skip-directory-name-fix
                        Disable directory name fix (see https://github.com/crytic/crytic-compile/issues/116)

hardhat options:
  --hardhat-ignore-compile
                        Do not run hardhat compile
  --hardhat-cache-directory HARDHAT_CACHE_DIRECTORY
                        Use an alternative hardhat cache directory (default ./cache)
  --hardhat-artifacts-directory HARDHAT_ARTIFACTS_DIRECTORY
                        Use an alternative hardhat artifacts directory (default ./artifacts)

Detectors:
  --detect DETECTORS_TO_RUN
                        Comma-separated list of detectors, defaults to all, available detectors: abiencoderv2-array, arbitrary-send, array-by-reference,
                        controlled-array-length, assembly, assert-state-change, backdoor, weak-prng, boolean-cst, boolean-equal, shadowing-builtin, constable-
                        states, constant-function-asm, constant-function-state, pragma, controlled-delegatecall, costly-loop, dead-code, delegatecall-loop,
                        deprecated-standards, divide-before-multiply, enum-conversion, external-function, function-init-state, erc20-interface,
                        erc721-interface, solc-version, incorrect-equality, incorrect-unary, shadowing-local, locked-ether, low-level-calls, mapping-deletion,
                        events-access, events-maths, missing-inheritance, missing-zero-check, incorrect-modifier, msg-value-loop, calls-loop, multiple-
                        constructors, name-reused, naming-convention, variable-scope, public-mappings-nested, redundant-statements, reentrancy-benign,
                        reentrancy-eth, reentrancy-events, reentrancy-unlimited-gas, reentrancy-no-eth, reused-constructor, rtlo, shadowing-abstract, incorrect-
                        shift, similar-names, shadowing-state, storage-array, suicidal, timestamp, too-many-digits, tx-origin, tautology, unchecked-lowlevel,
                        unchecked-send, unchecked-transfer, unimplemented-functions, erc20-indexed, uninitialized-fptr-cst, uninitialized-local, uninitialized-
                        state, uninitialized-storage, unprotected-upgrade, unused-return, unused-state, void-cst, write-after-write
  --list-detectors      List available detectors
  --exclude DETECTORS_TO_EXCLUDE
                        Comma-separated list of detectors that should be excluded
  --exclude-dependencies
                        Exclude results that are only related to dependencies
  --exclude-optimization
                        Exclude optimization analyses
  --exclude-informational
                        Exclude informational impact analyses
  --exclude-low         Exclude low impact analyses
  --exclude-medium      Exclude medium impact analyses
  --exclude-high        Exclude high impact analyses
  --show-ignored-findings
                        Show all the findings

Printers:
  --print PRINTERS_TO_RUN
                        Comma-separated list fo contract information printers, available printers: cfg, constructor-calls, contract-summary, data-dependency,
                        echidna, function-id, function-summary, modifiers, call-graph, evm, human-summary, inheritance, inheritance-graph, slithir, slithir-ssa,
                        vars-and-auth, require, variable-order
  --list-printers       List available printers

Additional options:
  --json JSON           Export the results as a JSON file ("--json -" to export to stdout)
  --sarif SARIF         Export the results as a SARIF JSON file ("--sarif -" to export to stdout)
  --json-types JSON_TYPES
                        Comma-separated list of result types to output to JSON, defaults to detectors,printers. Available types:
                        compilations,console,detectors,printers,list-detectors,list-printers
  --zip ZIP             Export the results as a zipped JSON file
  --zip-type ZIP_TYPE   Zip compression type. One of lzma,stored,deflated,bzip2. Default lzma
  --markdown-root MARKDOWN_ROOT
                        URL for markdown generation
  --disable-color       Disable output colorization
  --filter-paths FILTER_PATHS
                        Comma-separated list of paths for which results will be excluded
  --triage-mode         Run triage mode (save results in slither.db.json)
  --config-file CONFIG_FILE
                        Provide a config file (default: slither.config.json)
  --solc-ast            Provide the contract as a json AST
  --generate-patches    Generate patches (json output only)

Dirty hack to avoid @openzeppelin import errors when the contract imports from node_modules:

slither contract.sol --solc-remaps @=../node_modules/@
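Since the plain console output has no formatting, a practical alternative is to run Slither with `--json -` and post-process the result yourself. The script below is an added example, not part of the post or of the Slither project: it parses the JSON, filters by impact and confidence (the same dimensions the `--exclude-low`/`--exclude-medium` flags operate on), renders a report grouped by impact, and returns a CI-friendly exit code. The embedded sample JSON is constructed to mirror the four findings from the run above; the assumed layout (`results.detectors[]` entries carrying `check`, `impact`, `confidence` and `description`) is the one I have seen Slither emit, but verify it against your installed version.

```python
"""Triage helper for Slither's `--json -` output (added example, not Slither's own code).

Assumed JSON layout: {"success": bool, "error": str|None,
                      "results": {"detectors": [{"check", "impact", "confidence", "description", ...}]}}
"""
import json
import sys
from collections import Counter

# Ordinal ranking of Slither's impact and confidence labels, highest first.
IMPACT_RANK = {"High": 4, "Medium": 3, "Low": 2, "Informational": 1, "Optimization": 0}
CONFIDENCE_RANK = {"High": 2, "Medium": 1, "Low": 0}

# Constructed sample mirroring the findings from the post's run; not real tool output.
SAMPLE_JSON = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "missing-zero-check", "impact": "Low", "confidence": "Medium",
         "description": "SimpleAuction.constructor(uint256,address).beneficiaryAddress "
                        "(simple-auction.sol#46) lacks a zero-check on :\n"
                        "\t- beneficiary = beneficiaryAddress (simple-auction.sol#48)\n"},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons\n"},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons\n"},
        {"check": "solc-version", "impact": "Informational", "confidence": "High",
         "description": "solc-0.8.14 is not recommended for deployment\n"},
    ]},
})


def load_findings(raw_json):
    """Parse the JSON document and return the list of detector results."""
    data = json.loads(raw_json)
    if not data.get("success", False):
        raise RuntimeError(f"slither reported failure: {data.get('error')}")
    return data.get("results", {}).get("detectors", [])


def filter_findings(findings, min_impact="Low", min_confidence="Medium"):
    """Keep findings whose impact AND confidence are at or above the thresholds."""
    return [
        f for f in findings
        if IMPACT_RANK.get(f.get("impact"), -1) >= IMPACT_RANK[min_impact]
        and CONFIDENCE_RANK.get(f.get("confidence"), -1) >= CONFIDENCE_RANK[min_confidence]
    ]


def count_by_check(findings):
    """How many times each detector fired (useful for spotting noisy detectors)."""
    return Counter(f["check"] for f in findings)


def format_report(findings):
    """Render findings grouped by impact, highest impact first, one line per finding."""
    by_impact = {}
    for f in findings:
        by_impact.setdefault(f["impact"], []).append(f)
    lines = []
    for impact in sorted(by_impact, key=lambda i: IMPACT_RANK.get(i, -1), reverse=True):
        lines.append(f"== {impact} ({len(by_impact[impact])}) ==")
        for f in by_impact[impact]:
            # Slither descriptions are multi-line; the first line names the location.
            first_line = f["description"].strip().splitlines()[0]
            lines.append(f"  [{f['check']}/{f['confidence']}] {first_line}")
    return "\n".join(lines)


def ci_exit_code(findings, fail_at="Medium"):
    """Return 1 if any finding reaches the fail_at impact level, else 0 (CI gate)."""
    threshold = IMPACT_RANK[fail_at]
    hit = any(IMPACT_RANK.get(f.get("impact"), -1) >= threshold for f in findings)
    return 1 if hit else 0


if __name__ == "__main__":
    # Usage: slither . --json - | python3 triage.py      (or: python3 triage.py results.json)
    # With no input at all, the constructed sample is used so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    elif not sys.stdin.isatty():
        raw = sys.stdin.read()
    else:
        raw = SAMPLE_JSON
    found = filter_findings(load_findings(raw))
    print(format_report(found))
    sys.exit(ci_exit_code(found))
```

The default thresholds drop Informational and Optimization results and anything below Medium confidence, which is roughly what `--exclude-informational --exclude-optimization` gives you on the command line; raise `fail_at` to `"High"` if you only want the pipeline to block on high-impact findings.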
