Slither, the Solidity source analyzer

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Features

• Detects vulnerable Solidity code with low false positives
• Identifies where the error condition occurs in the source code
• Easy integration into continuous integration and Truffle builds
• Built-in ‘printers’ quickly report crucial contract information
• Detector API to write custom analyses in Python
• Ability to analyze contracts written with Solidity >= 0.4
• Intermediate representation (SlithIR) enables simple, high-precision analyses

Changelog v0.6.13

This releases improves support for Solidity 0.6, adds partial support for YUL, and fixes many bugs. Internally, we improved the parsing architecture, easing the addition of a new parser and added type annotations. Additionally, slither now runs GitHub super-linter, and the regression tests were improved (see the new CONTRIBUTING.md guidelines).

Added

• Add partial, experimental YUL support (#502, #575, #617). YUL AST is parsed and converted into slithIR. Raw memory access are not supported. Solidity 0.6 is required to enable YUL support.
• Improve 0.6 support:
  • Add support for C{value:1} syntax (#498)
  • Add support for top level structures and enums (#499, #522)
• Add support for type(I).interfaceId (#497)
• List external publications (#512)
• Github super linter, and lgtm (#614, #620, #626)
• Added new tool: slither-mutator. PoC of fault injection based on Using Fault Injection to Assess Blockchain Systems in Presence of Faulty Smart Contracts

Internal

• Add type annotations (#514)
• Add storage layout information (#507, #540)
• Add --disallow-partial flag (#560). This hidden flag will prevent Slither from catching exceptions, and simplify debugging
• Add support for function pointers in the RETURN operator (#601)

Changed

• Copy editing on detectors (#572)
• Use crytic-compile@0.1.9
• Improve human-summary printer (#477, #478)
• Improve dupplicate name report (#489)
• slither-flat: Improve utf8 support and mapping/array lookup (#494)
• Filter contract to contract_declarer in call graph printer (#491)
• Several improvements in slither-flat, including new strategies, json/zip export (#496). Read the new documentation.
• Add check on public state variables in slither-erc (#528)
• suicidal detector: add detection on external functions (#527)
• Add padding to function id printer (#546)
• Update the recommended Solidity version in the solc-version detector (#577). This might result in disabling triaged solc-version results with Slither < 0.6.13

Internal

• Change the parsing architecture: parser objects are separate objects and do not inherit from the core. This will ease the creation of new parsers (#514)
• Improve support for tuple (#536, #539, #541, #548, #563, #564, #576)
• Improve abi.decode support (#475, #548, #551, #567, #598)
• Temporary array slice support (#550)
• Allow converting library to address (#561)
• Allow total ordering on Constant (#565)
• Improve fixpoint on are_variables_written (#480)
• Improve support for type() (#569)
• Increase the default python stack depth limit (#599)
• Refactor regression tests (#610)

Fixed

• Fix incorrect sons information on loop (#524)
• Fix numpy error on slither-simil (#484)
• Fix infinite loop on try statements (#535)
• Fix incorrect parsing in case of variables name reused (#538)
• Linting issue (#555)
• Issues on this. usage (#600, #623)
• Out of memory on large exponent (#608)
• All pylint issues (#616)
• Incorrect support of using for on functions pointers (#624)

Install

Slither requires Python 3.6+ and solc, the Solidity compiler.

Using Pip

$ pip install slither-analyzer

Using Git

Use

Run Slither on a Truffle application:

slither .

Run Slither on a single file:

$ slither tests/uninitialized.sol 
[..]
INFO:Detectors:
Uninitialized.destination (tests/uninitialized.sol#5) is never initialized. It is used in:
	- transfer (tests/uninitialized.sol#7-9)
Reference: https://github.com/trailofbits/slither/wiki/Vulnerabilities-Description#uninitialized-state-variables
[..]

Slither can be run on:

• A .sol file
• A Truffle directory
• A directory containing *.sol files (all the *.sol files will be analyzed)
• A glob (be sure to quote the argument when using a glob)

Configuration

• --solc SOLC: Path to solc (default ‘solc’)
• --solc-args SOLC_ARGS: Add custom solc arguments. SOLC_ARGS can contain multiple arguments
• --disable-solc-warnings: Do not print solc warnings
• --solc-ast: Use the solc AST file as input (solc file.sol --ast-json > file.ast.json)
• --json FILE: Export results as JSON

Detectors

By default, all the detectors are run.

Printers

To run a printer, use –print and a comma-separated list of printers.

Tutorial

Copyright (C) 2018 trailofbits