caracal v0.2.2 releases: Static Analyzer for Starknet smart contracts
Caracal
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
Features
- Detectors to detect vulnerable Cairo code
- Printers to report information
- Taint analysis
- Data flow analysis framework
- Easy to run in Scarb projects
Detectors
| Num | Detector | What it Detects | Impact | Confidence |
|---|---|---|---|---|
| 1 | controlled-library-call |
Library calls with a user-controlled class hash | High | Medium |
| 2 | unchecked-l1-handler-from |
Detect L1 handlers without from address check | High | Medium |
| 3 | reentrancy |
Detect when a storage variable is read before an external call and written after | Medium | Medium |
| 4 | unused-events |
Events defined but not emitted | Medium | Medium |
| 5 | unused-return |
Unused return values | Medium | Medium |
| 6 | unenforced-view |
Function has view decorator but modifies state | Medium | Medium |
| 7 | unused-arguments |
Unused arguments | Low | Medium |
| 8 | reentrancy-benign |
Detect when a storage variable is written after an external call but not read before | Low | Medium |
| 9 | reentrancy-events |
Detect when an event is emitted after an external call leading to out-of-order events | Low | Medium |
| 10 | dead-code |
Private functions never used | Low | Medium |
Printers
- cfg: Export the CFG of each function in a .dot file
- callgraph: Export function call graph to a .dot file
Changelog v0.2.2
- chore: update sierra file stem by @tserg in #45
- Update felt252 by @technovision99 in #44
- Fix callgraph bugs by @technovision99 in #43
- Support cairo project by @smonicas in #47
- Fix function type inside impl block by @smonicas in #49
- Handle calls to self declared external functions by @smonicas in #50
- Use local compiler if available by @smonicas in #48
- Cairo project allow multiple contracts at once by @smonicas in #51
- Array use after pop front detector by @tarunbhm in #41
- Avoid duplicates in detectors results by @smonicas in #52
Install & Use
Copyright (C) 2023 crytic
