we have talked about smart contract auditing and common vulnerability in the previous tutorials. in this practical tutorial we want to audit our smart contract using slither.
Slither
Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.
- Detects vulnerable Solidity code with low false positives (see the list of trophies)
- Identifies where the error condition occurs in the source code
- Easily integrates into continuous integration and Truffle builds
- Built-in ‘printers’ quickly report crucial contract information
- Detector API to write custom analyses in Python
- Ability to analyze contracts written with Solidity >= 0.4
- Intermediate representation (SlithIR) enables simple, high-precision analyses
- Correctly parses 99.9% of all public Solidity code
- Average execution time of less than 1 second per contract
Installation
to install Slither in terminal type:
pip3 install slither-analyzer
also you can install it from github repository:
git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install
Note: Slither development team recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.
also you can install slither using Docker:
Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.
docker pull trailofbits/eth-security-toolbox
To share a directory in the container:
docker run -it -v /home/share:/share trailofbits/eth-security-toolbox
Usage
Run Slither on a Truffle/Embark/Dapp/Etherlime/Hardhat application:
slither .
Run Slither on a single file:
slither tests/uninitialized.sol
Integration
- For GitHub action integration, use slither-action.
- To generate a Markdown report, use
slither [target] --checklist. - To generate a Markdown with GitHub source code highlighting, use
slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/(replaceORG,REPO,COMMIT)
Use solc-select if your contracts require older versions of solc. For additional configuration, see the usage documentation.
We can use Slither on Hardhat. let’s do that!
npx hardhat compile
Analyze / Audit
to analyze smart contracts simply type in terminal:
slither .
Fix the highest severity bugs as a priority by using google to find the problem flagged by slither and research and test possible fixes.
Remember every time you change a solidity file you will have to clean and recompile again before scanning.
This stage can be quite involved and in order to fully understand, test and model the control flow you will need to have a good level of development knowledge in order to truly test the logic and ensure it works as intended.
The best way to achieve this is through automated testing scripts a great article on this can be found here.
New to trading? Try crypto trading bots or copy trading
