Project: slither-analyzer

Slither is a Solidity and Vyper static analysis framework written in Python 3.

Project Details

Latest version: 0.10.0
Home Page: https://github.com/crytic/slither
PyPI Page: https://pypi.org/project/slither-analyzer/

Project Popularity

PageRank: 0.006785064933962158
Number of downloads: 50606

Slither, the smart contract static analyzer

Join the Empire Hacking Slack

_{- Discussions and Support}

Slither is a Solidity & Vyper static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Features
Usage
How to install
Detectors
Printers
- Quick Review Printers
- In-Depth Review Printers
Tools
API Documentation
Getting Help
FAQ
License
Publications
- Trail of Bits publication
- External publications

Features

Detects vulnerable Solidity code with low false positives (see the list of trophies)
Identifies where the error condition occurs in the source code
Easily integrates into continuous integration and Hardhat/Foundry builds
Built-in 'printers' quickly report crucial contract information
Detector API to write custom analyses in Python
Ability to analyze contracts written with Solidity >= 0.4
Intermediate representation (SlithIR) enables simple, high-precision analyses
Correctly parses 99.9% of all public Solidity code
Average execution time of less than 1 second per contract
Integrates with Github's code scanning in CI
Support for Vyper

Usage

Run Slither on a Hardhat/Foundry/Dapp/Brownie application:

slither .

This is the preferred option if your project has dependencies as Slither relies on the underlying compilation framework to compile source code.

However, you can run Slither on a single file that does not import dependencies:

slither tests/uninitialized.sol

How to install

Note
Slither requires Python 3.8+. If you're not going to use one of the supported compilation frameworks, you need solc, the Solidity compiler; we recommend using solc-select to conveniently switch between solc versions.

Using Pip

pip3 install slither-analyzer

Using Git

git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install

We recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.

Using Docker

Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.

docker pull trailofbits/eth-security-toolbox

To share a directory in the container:

docker run -it -v /home/share:/share trailofbits/eth-security-toolbox

Integration

For GitHub action integration, use slither-action.
To generate a Markdown report, use slither [target] --checklist.
To generate a Markdown with GitHub source code highlighting, use slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/ (replace ORG, REPO, COMMIT)

Detectors

Num	Detector	What it Detects	Impact	Confidence
1	`abiencoderv2-array`	Storage abiencoderv2 array	High	High
2	`arbitrary-send-erc20`	transferFrom uses arbitrary `from`	High	High
3	`array-by-reference`	Modifying storage array by value	High	High
4	`encode-packed-collision`	ABI encodePacked Collision	High	High
5	`incorrect-shift`	The order of parameters in a shift instruction is incorrect.	High	High
6	`multiple-constructors`	Multiple constructor schemes	High	High
7	`name-reused`	Contract's name reused	High	High
8	`protected-vars`	Detected unprotected variables	High	High
9	`public-mappings-nested`	Public mappings with nested variables	High	High
10	`rtlo`	Right-To-Left-Override control character is used	High	High
11	`shadowing-state`	State variables shadowing	High	High
12	`suicidal`	Functions allowing anyone to destruct the contract	High	High
13	`uninitialized-state`	Uninitialized state variables	High	High
14	`uninitialized-storage`	Uninitialized storage variables	High	High
15	`unprotected-upgrade`	Unprotected upgradeable contract	High	High
16	`codex`	Use Codex to find vulnerabilities.	High	Low
17	`arbitrary-send-erc20-permit`	transferFrom uses arbitrary from with permit	High	Medium
18	`arbitrary-send-eth`	Functions that send Ether to arbitrary destinations	High	Medium
19	`controlled-array-length`	Tainted array length assignment	High	Medium
20	`controlled-delegatecall`	Controlled delegatecall destination	High	Medium
21	`delegatecall-loop`	Payable functions using `delegatecall` inside a loop	High	Medium
22	`incorrect-exp`	Incorrect exponentiation	High	Medium
23	`incorrect-return`	If a `return` is incorrectly used in assembly mode.	High	Medium
24	`msg-value-loop`	msg.value inside a loop	High	Medium
25	`reentrancy-eth`	Reentrancy vulnerabilities (theft of ethers)	High	Medium
26	`return-leave`	If a `return` is used instead of a `leave`.	High	Medium
27	`storage-array`	Signed storage integer array compiler bug	High	Medium
28	`unchecked-transfer`	Unchecked tokens transfer	High	Medium
29	`weak-prng`	Weak PRNG	High	Medium
30	`domain-separator-collision`	Detects ERC20 tokens that have a function whose signature collides with EIP-2612's DOMAIN_SEPARATOR()	Medium	High
31	`enum-conversion`	Detect dangerous enum conversion	Medium	High
32	`erc20-interface`	Incorrect ERC20 interfaces	Medium	High
33	`erc721-interface`	Incorrect ERC721 interfaces	Medium	High
34	`incorrect-equality`	Dangerous strict equalities	Medium	High
35	`locked-ether`	Contracts that lock ether	Medium	High
36	`mapping-deletion`	Deletion on mapping containing a structure	Medium	High
37	`shadowing-abstract`	State variables shadowing from abstract contracts	Medium	High
38	`tautological-compare`	Comparing a variable to itself always returns true or false, depending on comparison	Medium	High
39	`tautology`	Tautology or contradiction	Medium	High
40	`write-after-write`	Unused write	Medium	High
41	`boolean-cst`	Misuse of Boolean constant	Medium	Medium
42	`constant-function-asm`	Constant functions using assembly code	Medium	Medium
43	`constant-function-state`	Constant functions changing the state	Medium	Medium
44	`divide-before-multiply`	Imprecise arithmetic operations order	Medium	Medium
45	`reentrancy-no-eth`	Reentrancy vulnerabilities (no theft of ethers)	Medium	Medium
46	`reused-constructor`	Reused base constructor	Medium	Medium
47	`tx-origin`	Dangerous usage of `tx.origin`	Medium	Medium
48	`unchecked-lowlevel`	Unchecked low-level calls	Medium	Medium
49	`unchecked-send`	Unchecked send	Medium	Medium
50	`uninitialized-local`	Uninitialized local variables	Medium	Medium
51	`unused-return`	Unused return values	Medium	Medium
52	`incorrect-modifier`	Modifiers that can return the default value	Low	High
53	`shadowing-builtin`	Built-in symbol shadowing	Low	High
54	`shadowing-local`	Local variables shadowing	Low	High
55	`uninitialized-fptr-cst`	Uninitialized function pointer calls in constructors	Low	High
56	`variable-scope`	Local variables used prior their declaration	Low	High
57	`void-cst`	Constructor called not implemented	Low	High
58	`calls-loop`	Multiple calls in a loop	Low	Medium
59	`events-access`	Missing Events Access Control	Low	Medium
60	`events-maths`	Missing Events Arithmetic	Low	Medium
61	`incorrect-unary`	Dangerous unary expressions	Low	Medium
62	`missing-zero-check`	Missing Zero Address Validation	Low	Medium
63	`reentrancy-benign`	Benign reentrancy vulnerabilities	Low	Medium
64	`reentrancy-events`	Reentrancy vulnerabilities leading to out-of-order Events	Low	Medium
65	`return-bomb`	A low level callee may consume all callers gas unexpectedly.	Low	Medium
66	`timestamp`	Dangerous usage of `block.timestamp`	Low	Medium
67	`assembly`	Assembly usage	Informational	High
68	`assert-state-change`	Assert state change	Informational	High
69	`boolean-equal`	Comparison to boolean constant	Informational	High
70	`cyclomatic-complexity`	Detects functions with high (> 11) cyclomatic complexity	Informational	High
71	`deprecated-standards`	Deprecated Solidity Standards	Informational	High
72	`erc20-indexed`	Un-indexed ERC20 event parameters	Informational	High
73	`function-init-state`	Function initializing state variables	Informational	High
74	`incorrect-using-for`	Detects using-for statement usage when no function from a given library matches a given type	Informational	High
75	`low-level-calls`	Low level calls	Informational	High
76	`missing-inheritance`	Missing inheritance	Informational	High
77	`naming-convention`	Conformity to Solidity naming conventions	Informational	High
78	`pragma`	If different pragma directives are used	Informational	High
79	`redundant-statements`	Redundant statements	Informational	High
80	`solc-version`	Incorrect Solidity version	Informational	High
81	`unimplemented-functions`	Unimplemented functions	Informational	High
82	`unused-state`	Unused state variables	Informational	High
83	`costly-loop`	Costly operations in a loop	Informational	Medium
84	`dead-code`	Functions that are not used	Informational	Medium
85	`reentrancy-unlimited-gas`	Reentrancy vulnerabilities through send and transfer	Informational	Medium
86	`similar-names`	Variable names are too similar	Informational	Medium
87	`too-many-digits`	Conformance to numeric notation best practices	Informational	Medium
88	`cache-array-length`	Detects `for` loops that use `length` member of some storage array in their loop condition and don't modify it.	Optimization	High
89	`constable-states`	State variables that could be declared constant	Optimization	High
90	`external-function`	Public function that could be declared external	Optimization	High
91	`immutable-states`	State variables that could be declared immutable	Optimization	High
92	`var-read-using-this`	Contract reads its own variable using `this`	Optimization	High

For more information, see

The Detector Documentation for details on each detector
The Detection Selection to run only selected detectors. By default, all the detectors are run.
The Triage Mode to filter individual results

Printers

Quick Review Printers

human-summary: Print a human-readable summary of the contracts
inheritance-graph: Export the inheritance graph of each contract to a dot file
contract-summary: Print a summary of the contracts
loc: Count the total number lines of code (LOC), source lines of code (SLOC), and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), and test files (TEST).

In-Depth Review Printers

call-graph: Export the call-graph of the contracts to a dot file
cfg: Export the CFG of each functions
function-summary: Print a summary of the functions
vars-and-auth: Print the state variables written and the authorization of the functions
not-pausable: Print functions that do not use whenNotPaused modifier.

To run a printer, use --print and a comma-separated list of printers.

See the Printer documentation for the complete lists.

Tools

slither-check-upgradeability: Review delegatecall-based upgradeability
slither-prop: Automatic unit test and property generation
slither-flat: Flatten a codebase
slither-check-erc: Check the ERC's conformance
slither-format: Automatic patch generation
slither-read-storage: Read storage values from contracts
slither-interface: Generate an interface for a contract

See the Tool documentation for additional tools.

API Documentation

Documentation on Slither's internals is available here.

Getting Help

Feel free to stop by our Slack channel (#ethereum) for help using or extending Slither.

The Printer documentation describes the information Slither is capable of visualizing for each contract.
The Detector documentation describes how to write a new vulnerability analyses.
The API documentation describes the methods and objects available for custom analyses.
The SlithIR documentation describes the SlithIR intermediate representation.

FAQ

How do I exclude mocks or tests?

View our documentation on path filtering.

How do I fix "unknown file" or compilation issues?

Because slither requires the solc AST, it must have all dependencies available. If a contract has dependencies, slither contract.sol will fail. Instead, use slither . in the parent directory of contracts/ (you should see contracts/ when you run ls). If you have a node_modules/ folder, it must be in the same directory as contracts/. To verify that this issue is related to slither, run the compilation command for the framework you are using e.g npx hardhat compile. That must work successfully; otherwise, slither's compilation engine, crytic-compile, cannot generate the AST.

License

Slither is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Publications

Trail of Bits publication

Slither: A Static Analysis Framework For Smart Contracts, Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19

External publications

Title	Usage	Authors	Venue	Code
ReJection: A AST-Based Reentrancy Vulnerability Detection Method	AST-based analysis built on top of Slither	Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen	CTCIS 19
MPro: Combining Static and Symbolic Analysis forScalable Testing of Smart Contract	Leverage data dependency through Slither	William Zhang, Sebastian Banescu, Leodardo Pasos, Steven Stewart, Vijay Ganesh	ISSRE 2019	MPro
ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts	Leverage data dependency through Slither	Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma	SANER 20
Verification of Ethereum Smart Contracts: A Model Checking Approach	Symbolic execution built on top of Slither’s CFG	Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan	IJMLC 20
Smart Contract Repair	Rely on Slither’s vulnerabilities detectors	Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury	TOSEM 20	SCRepair
Demystifying Loops in Smart Contracts	Leverage data dependency through Slither	Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig	ASE 20
Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts	Use Slither’s CFG to detect loops	Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu	IEEE Open J. Comput. Soc. 1 (2020)
SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds	Rely on SlithIR to build a storage dependency graph	Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna	S&P 22	Sailfish
SolType: Refinement Types for Arithmetic Overflow in Solidity	Use Slither as frontend to build refinement type system	Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng	POPL 22
Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection	Use Slither to extract tokens' features (mintable, pausable, ..)	Mazorra, Bruno, Victor Adan, and Vanesa Daza	Mathematics 10.6 (2022)
MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities	Use Slither to extract the CFG and call graph	Hoang Nguyen, Nhat-Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudendo, Thanh-Nam Doan and Lingxiao Jiang	IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA, 2022)	ge-sc
Automated Auditing of Price Gouging TOD Vulnerabilities in Smart Contracts	Use Slither to extract the CFG and data dependencies	Sidi Mohamed Beillahi, Eric Keilty, Keerthi Nelaturu, Andreas Veneris, and Fan Long	2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC)	Smart-Contract-Repair

If you are using Slither on an academic work, consider applying to the Crytic $10k Research Prize.