slither-analyzer 0.9.3

Slither is a Solidity static analysis framework written in Python 3.

Slither, the Solidity source analyzer

Slither is a Solidity static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

• Features
• Usage
• How to Install
• Detectors
• Printers
• Tools
• API Documentation
• Getting Help
• FAQ
• Publications

Features

• Detects vulnerable Solidity code with low false positives (see the list of trophies)
• Identifies where the error condition occurs in the source code
• Easily integrates into continuous integration and Hardhat/Foundry builds
• Built-in 'printers' quickly report crucial contract information
• Detector API to write custom analyses in Python
• Ability to analyze contracts written with Solidity >= 0.4
• Intermediate representation (SlithIR) enables simple, high-precision analyses
• Correctly parses 99.9% of all public Solidity code
• Average execution time of less than 1 second per contract
• Integrates with Github's code scanning in CI

Usage

Run Slither on a Hardhat/Foundry/Dapp/Brownie application:

slither .

This is the preferred option if your project has dependencies as Slither relies on the underlying compilation framework to compile source code.

However, you can run Slither on a single file that does not import dependencies:

slither tests/uninitialized.sol

How to install

Slither requires Python 3.8+. If you're not going to use one of the supported compilation frameworks, you need solc, the Solidity compiler; we recommend using solc-select to conveniently switch between solc versions.

Using Pip

pip3 install slither-analyzer

Using Git

git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install

We recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.

Using Docker

Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.

docker pull trailofbits/eth-security-toolbox

To share a directory in the container:

docker run -it -v /home/share:/share trailofbits/eth-security-toolbox

Integration

• For GitHub action integration, use slither-action.
• To generate a Markdown report, use slither [target] --checklist.
• To generate a Markdown with GitHub source code highlighting, use slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/ (replace ORG, REPO, COMMIT)

Detectors

Num	Detector	What it Detects	Impact	Confidence
1	abiencoderv2-array	Storage abiencoderv2 array	High	High
2	arbitrary-send-erc20	transferFrom uses arbitrary from	High	High
3	array-by-reference	Modifying storage array by value	High	High
4	incorrect-shift	The order of parameters in a shift instruction is incorrect.	High	High
5	multiple-constructors	Multiple constructor schemes	High	High
6	name-reused	Contract's name reused	High	High
7	protected-vars	Detected unprotected variables	High	High
8	public-mappings-nested	Public mappings with nested variables	High	High
9	rtlo	Right-To-Left-Override control character is used	High	High
10	shadowing-state	State variables shadowing	High	High
11	suicidal	Functions allowing anyone to destruct the contract	High	High
12	uninitialized-state	Uninitialized state variables	High	High
13	uninitialized-storage	Uninitialized storage variables	High	High
14	unprotected-upgrade	Unprotected upgradeable contract	High	High
15	codex	Use Codex to find vulnerabilities.	High	Low
16	arbitrary-send-erc20-permit	transferFrom uses arbitrary from with permit	High	Medium
17	arbitrary-send-eth	Functions that send Ether to arbitrary destinations	High	Medium
18	controlled-array-length	Tainted array length assignment	High	Medium
19	controlled-delegatecall	Controlled delegatecall destination	High	Medium
20	delegatecall-loop	Payable functions using delegatecall inside a loop	High	Medium
21	msg-value-loop	msg.value inside a loop	High	Medium
22	reentrancy-eth	Reentrancy vulnerabilities (theft of ethers)	High	Medium
23	storage-array	Signed storage integer array compiler bug	High	Medium
24	unchecked-transfer	Unchecked tokens transfer	High	Medium
25	weak-prng	Weak PRNG	High	Medium
26	domain-separator-collision	Detects ERC20 tokens that have a function whose signature collides with EIP-2612's DOMAIN_SEPARATOR()	Medium	High
27	enum-conversion	Detect dangerous enum conversion	Medium	High
28	erc20-interface	Incorrect ERC20 interfaces	Medium	High
29	erc721-interface	Incorrect ERC721 interfaces	Medium	High
30	incorrect-equality	Dangerous strict equalities	Medium	High
31	locked-ether	Contracts that lock ether	Medium	High
32	mapping-deletion	Deletion on mapping containing a structure	Medium	High
33	shadowing-abstract	State variables shadowing from abstract contracts	Medium	High
34	tautology	Tautology or contradiction	Medium	High
35	write-after-write	Unused write	Medium	High
36	boolean-cst	Misuse of Boolean constant	Medium	Medium
37	constant-function-asm	Constant functions using assembly code	Medium	Medium
38	constant-function-state	Constant functions changing the state	Medium	Medium
39	divide-before-multiply	Imprecise arithmetic operations order	Medium	Medium
40	reentrancy-no-eth	Reentrancy vulnerabilities (no theft of ethers)	Medium	Medium
41	reused-constructor	Reused base constructor	Medium	Medium
42	tx-origin	Dangerous usage of tx.origin	Medium	Medium
43	unchecked-lowlevel	Unchecked low-level calls	Medium	Medium
44	unchecked-send	Unchecked send	Medium	Medium
45	uninitialized-local	Uninitialized local variables	Medium	Medium
46	unused-return	Unused return values	Medium	Medium
47	incorrect-modifier	Modifiers that can return the default value	Low	High
48	shadowing-builtin	Built-in symbol shadowing	Low	High
49	shadowing-local	Local variables shadowing	Low	High
50	uninitialized-fptr-cst	Uninitialized function pointer calls in constructors	Low	High
51	variable-scope	Local variables used prior their declaration	Low	High
52	void-cst	Constructor called not implemented	Low	High
53	calls-loop	Multiple calls in a loop	Low	Medium
54	events-access	Missing Events Access Control	Low	Medium
55	events-maths	Missing Events Arithmetic	Low	Medium
56	incorrect-unary	Dangerous unary expressions	Low	Medium
57	missing-zero-check	Missing Zero Address Validation	Low	Medium
58	reentrancy-benign	Benign reentrancy vulnerabilities	Low	Medium
59	reentrancy-events	Reentrancy vulnerabilities leading to out-of-order Events	Low	Medium
60	timestamp	Dangerous usage of block.timestamp	Low	Medium
61	assembly	Assembly usage	Informational	High
62	assert-state-change	Assert state change	Informational	High
63	boolean-equal	Comparison to boolean constant	Informational	High
64	cyclomatic-complexity	Detects functions with high (> 11) cyclomatic complexity	Informational	High
65	deprecated-standards	Deprecated Solidity Standards	Informational	High
66	erc20-indexed	Un-indexed ERC20 event parameters	Informational	High
67	function-init-state	Function initializing state variables	Informational	High
68	low-level-calls	Low level calls	Informational	High
69	missing-inheritance	Missing inheritance	Informational	High
70	naming-convention	Conformity to Solidity naming conventions	Informational	High
71	pragma	If different pragma directives are used	Informational	High
72	redundant-statements	Redundant statements	Informational	High
73	solc-version	Incorrect Solidity version	Informational	High
74	unimplemented-functions	Unimplemented functions	Informational	High
75	unused-state	Unused state variables	Informational	High
76	costly-loop	Costly operations in a loop	Informational	Medium
77	dead-code	Functions that are not used	Informational	Medium
78	reentrancy-unlimited-gas	Reentrancy vulnerabilities through send and transfer	Informational	Medium
79	similar-names	Variable names are too similar	Informational	Medium
80	too-many-digits	Conformance to numeric notation best practices	Informational	Medium
81	constable-states	State variables that could be declared constant	Optimization	High
82	external-function	Public function that could be declared external	Optimization	High
83	immutable-states	State variables that could be declared immutable	Optimization	High
84	var-read-using-this	Contract reads its own variable using this	Optimization	High

For more information, see

• The Detector Documentation for details on each detector
• The Detection Selection to run only selected detectors. By default, all the detectors are run.
• The Triage Mode to filter individual results

Printers

Quick Review Printers

• human-summary: Print a human-readable summary of the contracts
• inheritance-graph: Export the inheritance graph of each contract to a dot file
• contract-summary: Print a summary of the contracts

In-Depth Review Printers

• call-graph: Export the call-graph of the contracts to a dot file
• cfg: Export the CFG of each functions
• function-summary: Print a summary of the functions
• vars-and-auth: Print the state variables written and the authorization of the functions
• when-not-paused: Print functions that do not use whenNotPaused modifier.

To run a printer, use --print and a comma-separated list of printers.

See the Printer documentation for the complete lists.

Tools

• slither-check-upgradeability: Review delegatecall-based upgradeability
• slither-prop: Automatic unit test and property generation
• slither-flat: Flatten a codebase
• slither-check-erc: Check the ERC's conformance
• slither-format: Automatic patch generation
• slither-read-storage: Read storage values from contracts

See the Tool documentation for additional tools.

Contact us to get help on building custom tools.

API Documentation

Documentation on Slither's internals is available here.

Getting Help

Feel free to stop by our Slack channel (#ethereum) for help using or extending Slither.

• The Printer documentation describes the information Slither is capable of visualizing for each contract.

• The Detector documentation describes how to write a new vulnerability analyses.

• The API documentation describes the methods and objects available for custom analyses.

• The SlithIR documentation describes the SlithIR intermediate representation.

FAQ

How do I exclude mocks or tests?

• View our documentation on path filtering.

How do I fix "unknown file" or compilation issues?

• Because slither requires the solc AST, it must have all dependencies available. If a contract has dependencies, slither contract.sol will fail. Instead, use slither . in the parent directory of contracts/ (you should see contracts/ when you run ls). If you have a node_modules/ folder, it must be in the same directory as contracts/. To verify that this issue is related to slither, run the compilation command for the framework you are using e.g npx hardhat compile. That must work successfully; otherwise, slither's compilation engine, crytic-compile, cannot generate the AST.

License

Slither is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Publications

Trail of Bits publication

• Slither: A Static Analysis Framework For Smart Contracts, Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19

External publications

Title	Usage	Authors	Venue	Code
ReJection: A AST-Based Reentrancy Vulnerability Detection Method	AST-based analysis built on top of Slither	Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen	CTCIS 19
MPro: Combining Static and Symbolic Analysis forScalable Testing of Smart Contract	Leverage data dependency through Slither	William Zhang, Sebastian Banescu, Leodardo Pasos, Steven Stewart, Vijay Ganesh	ISSRE 2019	MPro
ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts	Leverage data dependency through Slither	Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma	SANER 20
Verification of Ethereum Smart Contracts: A Model Checking Approach	Symbolic execution built on top of Slither’s CFG	Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan	IJMLC 20
Smart Contract Repair	Rely on Slither’s vulnerabilities detectors	Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury	TOSEM 20	SCRepair
Demystifying Loops in Smart Contracts	Leverage data dependency through Slither	Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig	ASE 20
Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts	Use Slither’s CFG to detect loops	Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu	IEEE Open J. Comput. Soc. 1 (2020)
SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds	Rely on SlithIR to build a storage dependency graph	Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna	S&P 22	Sailfish
SolType: Refinement Types for Arithmetic Overflow in Solidity	Use Slither as frontend to build refinement type system	Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng	POPL 22
Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection	Use Slither to extract tokens' features (mintable, pausable, ..)	Mazorra, Bruno, Victor Adan, and Vanesa Daza	Mathematics 10.6 (2022)
MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities	Use Slither to extract the CFG and call graph	Hoang Nguyen, Nhat-Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudendo, Thanh-Nam Doan and Lingxiao Jiang	IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA, 2022)	ge-sc
Automated Auditing of Price Gouging TOD Vulnerabilities in Smart Contracts	Use Slither to extract the CFG and data dependencies	Sidi Mohamed Beillahi, Eric Keilty, Keerthi Nelaturu, Andreas Veneris, and Fan Long	2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC)	Smart-Contract-Repair

If you are using Slither on an academic work, consider applying to the Crytic $10k Research Prize.