CSC101- Slither

By akohad Oct21,2022

[ad_1]

we have talked about smart contract auditing and common vulnerability in the previous tutorials. in this practical tutorial we want to audit our smart contract using slither.

Slither

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

  • Detects vulnerable Solidity code with low false positives (see the list of trophies)
  • Identifies where the error condition occurs in the source code
  • Easily integrates into continuous integration and Truffle builds
  • Built-in ‘printers’ quickly report crucial contract information
  • Detector API to write custom analyses in Python
  • Ability to analyze contracts written with Solidity >= 0.4
  • Intermediate representation (SlithIR) enables simple, high-precision analyses
  • Correctly parses 99.9% of all public Solidity code
  • Average execution time of less than 1 second per contract

Installation

to install Slither in terminal type:

pip3 install slither-analyzer

also you can install it from github repository:

git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install

Note: Slither development team recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.

also you can install slither using Docker:

Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.

docker pull trailofbits/eth-security-toolbox

To share a directory in the container:

docker run -it -v /home/share:/share trailofbits/eth-security-toolbox

Usage

Run Slither on a Truffle/Embark/Dapp/Etherlime/Hardhat application:

slither .

Run Slither on a single file:

slither tests/uninitialized.sol

Integration

  • For GitHub action integration, use slither-action.
  • To generate a Markdown report, use slither [target] --checklist.
  • To generate a Markdown with GitHub source code highlighting, use slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/ (replace ORG, REPO, COMMIT)

Use solc-select if your contracts require older versions of solc. For additional configuration, see the usage documentation.

We can use Slither on Hardhat. let’s do that!

npx hardhat compile

Analyze / Audit

to analyze smart contracts simply type in terminal:

slither .

Fix the highest severity bugs as a priority by using google to find the problem flagged by slither and research and test possible fixes.

Remember every time you change a solidity file you will have to clean and recompile again before scanning.

This stage can be quite involved and in order to fully understand, test and model the control flow you will need to have a good level of development knowledge in order to truly test the logic and ensure it works as intended.

The best way to achieve this is through automated testing scripts a great article on this can be found here.

New to trading? Try crypto trading bots or copy trading

[ad_2]

Source link

By akohad

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *