Slither, the Solidity source analyzer

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Features

• Detects vulnerable Solidity code with low false positives
• Identifies where the error condition occurs in the source code
• Easy integration into continuous integration and Truffle builds
• Built-in ‘printers’ quickly report crucial contract information
• Detector API to write custom analyses in Python
• Ability to analyze contracts written with Solidity >= 0.4
• Intermediate representation (SlithIR) enables simple, high-precision analyses

Changelog v0.10

New Features:

• Vyper support by @0xalpharush in PR #2099
• 5 new detectors by @montyly in PR #2156
  • incorrect-return / return-leave / incorrect-exp / tautological-compare / return-bomb
• Printers
  • ck by @devtooligan in PR #1895
  • halstead by @devtooligan in PR #1878
  • martin by @devtooligan in PR #1889

Breaking Changes:

• Improve name resolution of type aliases by @smonicas in PR #2061
• Change return type to UnaryType instead of UnaryOperationType by @dokzai in PR #2124

Enhancements:

• Add CustomError as printable output by @smonicas in PR #2063
• Improve mapping-deletion detector for nested mappings by @smonicas in PR #2084
• Improve constants extraction of ReferenceVariable by @smonicas in PR #2098
• Better struct handling in code generation util by @webthethird in PR #2068
• Add end assembly node in the cfg by @smonicas in PR #2078
• Use crytic-compile 0.3.5

Bug Fixes:

• Fix CONTRIBUTING.md by @smonicas in PR #2052
• Fix ternary rewrite test and make assertion more strict by @0xalpharush in PR #2067
• UnaryOperation: -variable and +variable doesn’t make variable an lvalue by @SheldonHolmgren in PR #2027
• Fix assertion failure in dominator computation for dead code by @Tiko7454 in PR #1984
• Fix typo in Contract.get_state_variable_from_canonical_name() by @yisun92 in PR #1983
• Fix divide before multiply detector non deterministic results by @smonicas in PR #2114
• Detectors: cache_array_length: include source mapping in finding by @elopez in PR #2076
• Fix a typo in the help text by @SEJeff in PR #2155
• Fix abi.decode tuple result with udt by @smonicas in PR #2048
• Fix parsing super call expression by @smonicas in PR #2151
• Fix(convert): do not convert array type to elementary for InitArray by @0xalpharush in PR #2018
• Fix: reorder named arguments to match declaration order by @kevinclancy in PR #1949
• Fix enum.max/min when enum in other contract by @smonicas in PR #2051

Continuous Integration and Dependencies:

• Bump pypa/gh-action-pypi-publish from 1.8.7 to 1.8.10 by @dependabot in PR #2049, PR #2086
• ci: add problem matchers for yamllint and pylint by @0xalpharush in PR #2070
• Bump sigstore to 2.1.0 by @0xalpharush in PR #2081, PR #2154
• Fix CI by @montyly in PR #2170
• chore: bump sigstore to 2.0.0 by @0xalpharush in PR #2081
• Bump actions/upload-pages-artifact, actions/checkout, cachix/install-nix-action, docker/setup-buildx-action, docker/build-push-action, docker/setup-qemu-action, docker/login-action by @dependabot in PR #2044, PR #2112, PR #2111, PR #2132, PR #2133, PR #2134, PR #2135

Install

Slither requires Python 3.6+ and solc, the Solidity compiler.

Using Pip

$ pip install slither-analyzer

Using Git

Use

Run Slither on a Truffle application:

slither .

Run Slither on a single file:

$ slither tests/uninitialized.sol 

[..]

INFO:Detectors:

Uninitialized.destination (tests/uninitialized.sol#5) is never initialized. It is used in:

	- transfer (tests/uninitialized.sol#7-9)

Reference: https://github.com/trailofbits/slither/wiki/Vulnerabilities-Description#uninitialized-state-variables

[..]

Slither can be run on:

• A .sol file
• A Truffle directory
• A directory containing *.sol files (all the *.sol files will be analyzed)
• A glob (be sure to quote the argument when using a glob)

Configuration

• --solc SOLC: Path to solc (default ‘solc’)
• --solc-args SOLC_ARGS: Add custom solc arguments. SOLC_ARGS can contain multiple arguments
• --disable-solc-warnings: Do not print solc warnings
• --solc-ast: Use the solc AST file as input (solc file.sol --ast-json > file.ast.json)
• --json FILE: Export results as JSON

Detectors

By default, all the detectors are run.

Printers

To run a printer, use –print and a comma-separated list of printers.

Tutorial

Copyright (C) 2018 trailofbits