slither-analyzer 0.9.0

Slither is a Solidity static analysis framework written in Python 3.

Slither, the Solidity source analyzer

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

• Features
• Bugs and Optimizations Detection
• Printers
• Tools
• How to Install
• Getting Help
• FAQ
• Publications

Features

• Detects vulnerable Solidity code with low false positives (see the list of trophies)
• Identifies where the error condition occurs in the source code
• Easily integrates into continuous integration and Truffle builds
• Built-in 'printers' quickly report crucial contract information
• Detector API to write custom analyses in Python
• Ability to analyze contracts written with Solidity >= 0.4
• Intermediate representation (SlithIR) enables simple, high-precision analyses
• Correctly parses 99.9% of all public Solidity code
• Average execution time of less than 1 second per contract

Bugs and Optimizations Detection

Run Slither on a Truffle/Embark/Dapp/Etherlime/Hardhat application:

slither .

Run Slither on a single file:

slither tests/uninitialized.sol

Integration

• For GitHub action integration, use slither-action.
• To generate a Markdown report, use slither [target] --checklist.
• To generate a Markdown with GitHub source code highlighting, use slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/ (replace ORG, REPO, COMMIT)

Use solc-select if your contracts require older versions of solc. For additional configuration, see the usage documentation.

Detectors

Num	Detector	What it Detects	Impact	Confidence
1	abiencoderv2-array	Storage abiencoderv2 array	High	High
2	arbitrary-send-erc20	transferFrom uses arbitrary from	High	High
3	array-by-reference	Modifying storage array by value	High	High
4	incorrect-shift	The order of parameters in a shift instruction is incorrect.	High	High
5	multiple-constructors	Multiple constructor schemes	High	High
6	name-reused	Contract's name reused	High	High
7	protected-vars	Detected unprotected variables	High	High
8	public-mappings-nested	Public mappings with nested variables	High	High
9	rtlo	Right-To-Left-Override control character is used	High	High
10	shadowing-state	State variables shadowing	High	High
11	suicidal	Functions allowing anyone to destruct the contract	High	High
12	uninitialized-state	Uninitialized state variables	High	High
13	uninitialized-storage	Uninitialized storage variables	High	High
14	unprotected-upgrade	Unprotected upgradeable contract	High	High
15	arbitrary-send-erc20-permit	transferFrom uses arbitrary from with permit	High	Medium
16	arbitrary-send-eth	Functions that send Ether to arbitrary destinations	High	Medium
17	controlled-array-length	Tainted array length assignment	High	Medium
18	controlled-delegatecall	Controlled delegatecall destination	High	Medium
19	delegatecall-loop	Payable functions using delegatecall inside a loop	High	Medium
20	msg-value-loop	msg.value inside a loop	High	Medium
21	reentrancy-eth	Reentrancy vulnerabilities (theft of ethers)	High	Medium
22	storage-array	Signed storage integer array compiler bug	High	Medium
23	unchecked-transfer	Unchecked tokens transfer	High	Medium
24	weak-prng	Weak PRNG	High	Medium
25	domain-separator-collision	Detects ERC20 tokens that have a function whose signature collides with EIP-2612's DOMAIN_SEPARATOR()	Medium	High
26	enum-conversion	Detect dangerous enum conversion	Medium	High
27	erc20-interface	Incorrect ERC20 interfaces	Medium	High
28	erc721-interface	Incorrect ERC721 interfaces	Medium	High
29	incorrect-equality	Dangerous strict equalities	Medium	High
30	locked-ether	Contracts that lock ether	Medium	High
31	mapping-deletion	Deletion on mapping containing a structure	Medium	High
32	shadowing-abstract	State variables shadowing from abstract contracts	Medium	High
33	tautology	Tautology or contradiction	Medium	High
34	write-after-write	Unused write	Medium	High
35	boolean-cst	Misuse of Boolean constant	Medium	Medium
36	constant-function-asm	Constant functions using assembly code	Medium	Medium
37	constant-function-state	Constant functions changing the state	Medium	Medium
38	divide-before-multiply	Imprecise arithmetic operations order	Medium	Medium
39	reentrancy-no-eth	Reentrancy vulnerabilities (no theft of ethers)	Medium	Medium
40	reused-constructor	Reused base constructor	Medium	Medium
41	tx-origin	Dangerous usage of tx.origin	Medium	Medium
42	unchecked-lowlevel	Unchecked low-level calls	Medium	Medium
43	unchecked-send	Unchecked send	Medium	Medium
44	uninitialized-local	Uninitialized local variables	Medium	Medium
45	unused-return	Unused return values	Medium	Medium
46	incorrect-modifier	Modifiers that can return the default value	Low	High
47	shadowing-builtin	Built-in symbol shadowing	Low	High
48	shadowing-local	Local variables shadowing	Low	High
49	uninitialized-fptr-cst	Uninitialized function pointer calls in constructors	Low	High
50	variable-scope	Local variables used prior their declaration	Low	High
51	void-cst	Constructor called not implemented	Low	High
52	calls-loop	Multiple calls in a loop	Low	Medium
53	events-access	Missing Events Access Control	Low	Medium
54	events-maths	Missing Events Arithmetic	Low	Medium
55	incorrect-unary	Dangerous unary expressions	Low	Medium
56	missing-zero-check	Missing Zero Address Validation	Low	Medium
57	reentrancy-benign	Benign reentrancy vulnerabilities	Low	Medium
58	reentrancy-events	Reentrancy vulnerabilities leading to out-of-order Events	Low	Medium
59	timestamp	Dangerous usage of block.timestamp	Low	Medium
60	assembly	Assembly usage	Informational	High
61	assert-state-change	Assert state change	Informational	High
62	boolean-equal	Comparison to boolean constant	Informational	High
63	deprecated-standards	Deprecated Solidity Standards	Informational	High
64	erc20-indexed	Un-indexed ERC20 event parameters	Informational	High
65	function-init-state	Function initializing state variables	Informational	High
66	low-level-calls	Low level calls	Informational	High
67	missing-inheritance	Missing inheritance	Informational	High
68	naming-convention	Conformity to Solidity naming conventions	Informational	High
69	pragma	If different pragma directives are used	Informational	High
70	redundant-statements	Redundant statements	Informational	High
71	solc-version	Incorrect Solidity version	Informational	High
72	unimplemented-functions	Unimplemented functions	Informational	High
73	unused-state	Unused state variables	Informational	High
74	costly-loop	Costly operations in a loop	Informational	Medium
75	dead-code	Functions that are not used	Informational	Medium
76	reentrancy-unlimited-gas	Reentrancy vulnerabilities through send and transfer	Informational	Medium
77	similar-names	Variable names are too similar	Informational	Medium
78	too-many-digits	Conformance to numeric notation best practices	Informational	Medium
79	constable-states	State variables that could be declared constant	Optimization	High
80	external-function	Public function that could be declared external	Optimization	High

For more information, see

• The Detector Documentation for details on each detector
• The Detection Selection to run only selected detectors. By default, all the detectors are run.
• The Triage Mode to filter individual results

Printers

Quick Review Printers

• human-summary: Print a human-readable summary of the contracts
• inheritance-graph: Export the inheritance graph of each contract to a dot file
• contract-summary: Print a summary of the contracts

In-Depth Review Printers

• call-graph: Export the call-graph of the contracts to a dot file
• cfg: Export the CFG of each functions
• function-summary: Print a summary of the functions
• vars-and-auth: Print the state variables written and the authorization of the functions
• when-not-paused: Print functions that do not use whenNotPaused modifier.

To run a printer, use --print and a comma-separated list of printers.

See the Printer documentation for the complete lists.

Tools

• slither-check-upgradeability: Review delegatecall-based upgradeability
• slither-prop: Automatic unit test and property generation
• slither-flat: Flatten a codebase
• slither-check-erc: Check the ERC's conformance
• slither-format: Automatic patch generation
• slither-read-storage: Read storage values from contracts

See the Tool documentation for additional tools.

Contact us to get help on building custom tools.

How to install

Slither requires Python 3.8+ and solc, the Solidity compiler.

Using Pip

pip3 install slither-analyzer

Using Git

git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install

We recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.

Using Docker

Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.

docker pull trailofbits/eth-security-toolbox

To share a directory in the container:

docker run -it -v /home/share:/share trailofbits/eth-security-toolbox

Getting Help

Feel free to stop by our Slack channel (#ethereum) for help using or extending Slither.

• The Printer documentation describes the information Slither is capable of visualizing for each contract.

• The Detector documentation describes how to write a new vulnerability analyses.

• The API documentation describes the methods and objects available for custom analyses.

• The SlithIR documentation describes the SlithIR intermediate representation.

FAQ

How do I exclude mocks or tests?

• View our documentation on path filtering.

How do I fix "unknown file" or compilation issues?

• Because slither requires the solc AST, it must have all dependencies available. If a contract has dependencies, slither contract.sol will fail. Instead, use slither . in the parent directory of contracts/ (you should see contracts/ when you run ls). If you have a node_modules/ folder, it must be in the same directory as contracts/. To verify that this issue is related to slither, run the compilation command for the framework you are using e.g npx hardhat compile. That must work successfully; otherwise, slither's compilation engine, crytic-compile, cannot generate the AST.

License

Slither is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Publications

Trail of Bits publication

• Slither: A Static Analysis Framework For Smart Contracts, Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19

External publications

Title	Usage	Authors	Venue
ReJection: A AST-Based Reentrancy Vulnerability Detection Method	AST-based analysis built on top of Slither	Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen	CTCIS 19
MPro: Combining Static and Symbolic Analysis forScalable Testing of Smart Contract	Leverage data dependency through Slither	William Zhang, Sebastian Banescu, Leodardo Pasos, Steven Stewart, Vijay Ganesh	ISSRE 2019
ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts	Leverage data dependency through Slither	Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma	SANER 20
Verification of Ethereum Smart Contracts: A Model Checking Approach	Symbolic execution built on top of Slither’s CFG	Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan	IJMLC 20
Smart Contract Repair	Rely on Slither’s vulnerabilities detectors	Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury	TOSEM 20
Demystifying Loops in Smart Contracts	Leverage data dependency through Slither	Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig	ASE 20
Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts	Use Slither’s CFG to detect loops	Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu	IEEE Open J. Comput. Soc. 1 (2020)
SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds	Rely on SlithIR to build a storage dependency graph	Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna	S&P 22
SolType: Refinement Types for Arithmetic Overflow in Solidity	Use Slither as frontend to build refinement type system	Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng	POPL 22
Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection	Use Slither to extract tokens' features (mintable, pausable, ..)	Mazorra, Bruno, Victor Adan, and Vanesa Daza	Mathematics 10.6 (2022)

If you are using Slither on an academic work, consider applying to the Crytic $10k Research Prize.