🧮 How to use slither to audit smart contracts

Learn how to find smart contract vulnerabilities easily with slither

pentesting.academy
Jan 4

Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

Prerequisites:

  • You will need solc from Ethereum, as explained in the earlier post "🧮 How to install solc in Linux and compile smart contracts" (pentesting.academy): the best option is to build it from the official GitHub repository, https://github.com/ethereum/solidity.git, which requires cmake and the Boost development libraries to be installed first.

Now we can install slither directly using pip:

# pip3 install slither-analyzer

Let's see how it works. The syntax is very easy: just point it at the directory where the smart contracts are:

~/simple-auction$ slither . 
Compilation warnings/errors on ./simple-auction.sol:
Warning: This is a pre-release compiler version, please do not use it in production.

SimpleAuction.constructor(uint256,address).beneficiaryAddress (simple-auction.sol#46) lacks a zero-check on :
        - beneficiary = beneficiaryAddress (simple-auction.sol#48)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation

SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons
    Dangerous comparisons:
    - block.timestamp > auctionEndTime (simple-auction.sol#65)
SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons
    Dangerous comparisons:
    - block.timestamp < auctionEndTime (simple-auction.sol#127)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#block-timestamp

solc-0.8.14 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
. analyzed (1 contracts with 77 detectors), 4 result(s) found

Pros:

  • Good recommendations using an automatic tool

Cons:

  • Difficult setup (relies on underlying solc version), tons of incompatibilities

  • Very bad UI: Critical in red, otherwise default color. No formatting.
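One way around the unformatted terminal output is to have Slither write its report as JSON (slither . --json report.json) and triage the findings by impact and confidence. The script below is an added example, not code from the post or the Slither project; it assumes the JSON layout noted in its comments and the detector ids missing-zero-check, timestamp and solc-version, and runs on a constructed sample that mirrors the four findings shown above.

```python
"""Triage Slither's JSON report (slither . --json report.json) by impact and confidence."""
import json
import sys

# Assumed Slither JSON layout: results.detectors[] entries with check/impact/confidence/description.
IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
CONFIDENCE_ORDER = {"High": 0, "Medium": 1, "Low": 2}
# Wiki anchors exactly as printed in the post's run, keyed by (assumed) detector id.
WIKI = "https://github.com/crytic/slither/wiki/Detector-Documentation#"
REFERENCE = {"missing-zero-check": "missing-zero-address-validation",
             "timestamp": "block-timestamp", "solc-version": "incorrect-versions-of-solidity"}

# Constructed sample mirroring the post's four findings (not captured tool output).
SAMPLE_REPORT = json.dumps({"success": True, "error": None, "results": {"detectors": [
    {"check": "missing-zero-check", "impact": "Low", "confidence": "Medium",
     "description": "SimpleAuction.constructor(uint256,address).beneficiaryAddress (simple-auction.sol#46) lacks a zero-check on :\n"},
    {"check": "timestamp", "impact": "Low", "confidence": "Medium",
     "description": "SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons\n"},
    {"check": "timestamp", "impact": "Low", "confidence": "Medium",
     "description": "SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons\n"},
    {"check": "solc-version", "impact": "Informational", "confidence": "High",
     "description": "solc-0.8.14 is not recommended for deployment\n"},
]}})


def load_findings(report_text):
    """Parse the report and refuse to triage a run that Slither itself flagged as failed."""
    data = json.loads(report_text)
    if not data.get("success"):
        raise ValueError(f"slither run failed: {data.get('error')}")
    return data.get("results", {}).get("detectors", [])


def triage(findings, min_impact="Low"):
    """Keep findings at or above min_impact, ordered worst first (impact, then confidence)."""
    limit = IMPACT_ORDER[min_impact]
    kept = [f for f in findings if IMPACT_ORDER.get(f["impact"], 99) <= limit]
    return sorted(kept, key=lambda f: (IMPACT_ORDER.get(f["impact"], 99),
                                       CONFIDENCE_ORDER.get(f["confidence"], 99), f["check"]))


def format_finding(f):
    """One readable line per finding, followed by its wiki reference when one is mapped."""
    head = f["description"].strip().splitlines()[0]
    return f"[{f['impact']}/{f['confidence']}] {f['check']}: {head}\n    " \
           + (WIKI + REFERENCE[f["check"]] if f["check"] in REFERENCE else "(no reference mapped)")


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for finding in triage(load_findings(report)):
        print(format_finding(finding))
```

Run it as `python3 triage.py report.json` against a real report, or with no argument to see the constructed sample; raise min_impact to "Medium" to hide the informational and low-severity noise on a large code base.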

Bonus track: a dirty hack to avoid @openzeppelin import errors. The --solc-remaps option tells solc to resolve every import that starts with @ from ../node_modules/@ instead of failing on the unresolved path:

slither contract.sol --solc-remaps @=../node_modules/@

© 2023 pentesting.academy