
Clarity Static Analyzer

Project description


STACY - Stacks Static Analyzer for Clarity

Stacy is an open-source static analyzer for Clarity smart contracts. It is intended to assist Clarity smart contract developers and auditors in detecting common security issues and deviations from best practices.

It helps developers write more secure and robust smart contracts.

Install

HTTPS

git clone --recurse-submodules -j8 https://github.com/CoinFabrik/stacy.git
cd stacy
make

SSH

git clone --recurse-submodules -j8 git@github.com:CoinFabrik/stacy.git
cd stacy
make

If you already have an initialized Python venv, run make install instead.

If you use a shell other than bash, run make <shell> instead.

Run

stacy-analyzer lint <path/to/.clar>

You can also run it recursively over all .clar files in a directory:

stacy-analyzer lint <path/to/contract/folder>

Tests

To run the test suite:

make test

Common issues

tree-sitter-clar installation fails

First make sure the grammar submodule is checked out (git submodule update --init --recursive). Then go into stacks_analyzer/tree-sitter-clarity and run

tree-sitter generate && tree-sitter build

Documentation

Detectors

Severities are based on worst-case scenarios; the actual impact of a finding may vary depending on the context.

Detector ID                 What it Detects                                                                   Test Cases  Severity
assert-block-height         Usage of block-height as a time tracker.                                          1           Critical
call-inside-as-contract     Calling another contract inside as-contract, losing the first contract's context. 1           Critical
divide-before-multiply      Division performed before multiplication, causing loss of precision.              1           Critical
private-function-not-used   Dead code (private functions that are never called) in the contract.              1           Enhancement
todo-comment                TODO comments left in the contract.                                               1           Enhancement
tx-sender-in-assert         Usage of tx-sender in an assert; review whether this is truly intended.           1           High
unwrap-panic-usage          Inappropriate usage of unwrap-panic, causing unexpected runtime aborts.           1           Enhancement
var-could-be-constant       Data variable that is never changed and could be redefined as a constant.         1           Enhancement
updated-functions           Usage of outdated functions.                                                      1           Enhancement
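Each detector in the table walks the contract's parsed syntax tree and flags forms that match a pattern. The following is an added example and not Stacy's own code: Stacy parses contracts with a tree-sitter grammar, whereas this stand-alone script uses a minimal hand-written S-expression parser so it runs with no dependencies. It implements three of the table's detectors (assert-block-height, divide-before-multiply, unwrap-panic-usage) over a constructed Clarity contract and also shows the hardened rewrite of each flagged function, on which no detector fires. The function names, the sample contracts, and the rule that divide-before-multiply only looks at a (/ ...) used directly as a (* ...) operand are assumptions made for this example.

```python
# Added example (not Stacy's code): minimal pattern detectors for Clarity,
# built on a hand-written S-expression parser. Sample contracts are constructed.
from __future__ import annotations
import re
from typing import Any, Iterator

Node = Any  # either a str atom or a list of Nodes

# Constructed sample: each function trips at least one detector.
VULNERABLE = """
(define-data-var deadline uint u100)
(define-map balances principal uint)

(define-public (claim)
  (begin
    ;; assert-block-height: block-height used as a clock
    (asserts! (> block-height (var-get deadline)) (err u1))
    ;; unwrap-panic-usage: a missing map entry aborts with a runtime panic
    (let ((bal (unwrap-panic (map-get? balances tx-sender))))
      (ok bal))))

(define-read-only (fee (amount uint))
  ;; divide-before-multiply: integer division truncates before the multiply
  (* (/ amount u100) u3))
"""

# Constructed sample: the same logic rewritten so no detector fires.
HARDENED = """
(define-map balances principal uint)

(define-public (claim-safe)
  ;; unwrap! returns a typed error to the caller instead of panicking
  (let ((bal (unwrap! (map-get? balances tx-sender) (err u2))))
    (ok bal)))

(define-read-only (fee-safe (amount uint))
  ;; multiply first, then divide, so truncation happens once at the end
  (/ (* amount u3) u100))
"""

def tokenize(src: str) -> list[str]:
    src = re.sub(r";;[^\n]*", "", src)  # drop ;; line comments
    return re.findall(r'\(|\)|"[^"]*"|[^\s()]+', src)

def parse(src: str) -> list[Node]:
    """Parse Clarity source into nested lists of atoms (one per top-level form)."""
    stack: list[list[Node]] = [[]]
    for tok in tokenize(src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise SyntaxError("unbalanced ')'")
            stack[-1 - 1].append(stack.pop()) if False else stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise SyntaxError("unbalanced '('")
    return stack[0]

def subforms(forms: list[Node]) -> Iterator[list]:
    """Yield every list form, depth first, in source order."""
    for f in forms:
        if isinstance(f, list):
            yield f
            yield from subforms(f)

def mentions(node: Node, atom: str) -> bool:
    if isinstance(node, str):
        return node == atom
    return any(mentions(child, atom) for child in node)

def is_call(form: list, head: str) -> bool:
    return bool(form) and form[0] == head

# Detector predicates; severities follow the table above.
def assert_block_height(form: list) -> bool:
    return is_call(form, "asserts!") and len(form) > 1 and mentions(form[1], "block-height")

def divide_before_multiply(form: list) -> bool:
    # Assumption: only a (/ ...) that is a direct operand of (* ...) is flagged.
    return is_call(form, "*") and any(isinstance(a, list) and is_call(a, "/") for a in form[1:])

def unwrap_panic_usage(form: list) -> bool:
    return is_call(form, "unwrap-panic")

DETECTORS = {
    "assert-block-height": (assert_block_height, "Critical"),
    "divide-before-multiply": (divide_before_multiply, "Critical"),
    "unwrap-panic-usage": (unwrap_panic_usage, "Enhancement"),
}
FUNCTION_DEFINERS = {"define-public", "define-private", "define-read-only"}

def lint(src: str) -> list[tuple[str, str, str]]:
    """Return (detector-id, function-name, severity) for every match, in source order."""
    findings = []
    for top in parse(src):
        if not (isinstance(top, list) and top and isinstance(top[0], str)
                and top[0] in FUNCTION_DEFINERS):
            continue
        signature = top[1]
        fname = signature[0] if isinstance(signature, list) else signature
        for form in subforms(top[2:]):
            for det_id, (predicate, severity) in DETECTORS.items():
                if predicate(form):
                    findings.append((det_id, fname, severity))
    return findings

if __name__ == "__main__":
    for det_id, fname, severity in lint(VULNERABLE):
        print(f"[{severity}] {det_id} in ({fname})")
    print("hardened findings:", lint(HARDENED))
```

Running the script reports the three findings in the vulnerable contract and an empty list for the hardened one. Note that the hardened forms change error behaviour as well as lint status: unwrap! surfaces a typed (err u2) the caller can handle, and reordering the arithmetic keeps the intermediate product exact before the single truncating division.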

About CoinFabrik

We - CoinFabrik - are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM-based and also for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, and TEAL.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

License

Stacy is licensed and distributed under an MIT license. Contact us if you're looking for an exception to the terms.

Download files

Source Distribution

stacy_analyzer-0.1.0.tar.gz (14.2 kB, source)

Built Distribution

stacy_analyzer-0.1.0-py3-none-any.whl (16.9 kB, Python 3 wheel)

File details

Details for the file stacy_analyzer-0.1.0.tar.gz.

File metadata

  • Download URL: stacy_analyzer-0.1.0.tar.gz
  • Size: 14.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.12.3

File hashes

Hashes for stacy_analyzer-0.1.0.tar.gz
Algorithm Hash digest
SHA256 1b4cfacbe6df964e97a223a757eeb489ae7f2a648cb813709506d99ffbb420f3
MD5 2849b2868c2eba4c8c85bb0afbc4a52b
BLAKE2b-256 be340c4c4bd61d671bf3fad8805adffe13b278dd13268067834ec39f344bbcf4


File details

Details for the file stacy_analyzer-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: stacy_analyzer-0.1.0-py3-none-any.whl
  • Size: 16.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.12.3

File hashes

Hashes for stacy_analyzer-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 dc0915f628220e9f538c447c5d026b6195e04d9a83ee7d288387bb5e0dfe9fce
MD5 3cb3b05c4d899b9dec6c31080024bbd7
BLAKE2b-256 38380f2853dab3337f1ddf16dfd9291fd3280cfd12d78059758b4fe5d1ceaaa6

