🧮 How to use slither to audit smart contracts
Learn how to find smart contract vulnerabilities easily with slither
Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.
You will need solc from Ethereum as explained here:
Now we can install slither directly using pip:
# pip3 install slither-analyzer
Let’s see how it works. The syntax is very easy: just point it at the directory where the smart contracts are:
~/simple-auction$ slither .
Compilation warnings/errors on ./simple-auction.sol:
Warning: This is a pre-release compiler version, please do not use it in production.

SimpleAuction.constructor(uint256,address).beneficiaryAddress (simple-auction.sol#46) lacks a zero-check on :
- beneficiary = beneficiaryAddress (simple-auction.sol#48)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation

SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons
Dangerous comparisons:
- block.timestamp > auctionEndTime (simple-auction.sol#65)
SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons
Dangerous comparisons:
- block.timestamp < auctionEndTime (simple-auction.sol#127)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#block-timestamp

solc-0.8.14 is not recommended for deployment
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

. analyzed (1 contracts with 77 detectors), 4 result(s) found
Good recommendations using an automatic tool
Difficult setup (relies on underlying solc version), tons of incompatibilities
Very bad UI: Critical in red, otherwise default color. No formatting.
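One way around the formatting complaint is to have slither write its findings as JSON (slither . --json findings.json) and sort them yourself by impact and confidence. The script below is an added example, not part of the post or of slither itself; it assumes the JSON layout slither emits with --json (a results.detectors list whose entries carry check, impact, confidence and description fields) and runs against a constructed sample that mirrors the four findings from the run above.

```python
import json
from collections import Counter

# Constructed sample in the layout slither writes with `--json`; it mirrors
# the four findings from the run above and is NOT real tool output.
SAMPLE_JSON = """
{"success": true, "error": null, "results": {"detectors": [
  {"check": "missing-zero-check", "impact": "Low", "confidence": "Medium",
   "description": "SimpleAuction.constructor(uint256,address).beneficiaryAddress (simple-auction.sol#46) lacks a zero-check on :\\n\\t- beneficiary = beneficiaryAddress (simple-auction.sol#48)\\n"},
  {"check": "timestamp", "impact": "Low", "confidence": "Medium",
   "description": "SimpleAuction.bid() (simple-auction.sol#56-87) uses timestamp for comparisons\\n"},
  {"check": "timestamp", "impact": "Low", "confidence": "Medium",
   "description": "SimpleAuction.auctionEnd() (simple-auction.sol#112-138) uses timestamp for comparisons\\n"},
  {"check": "solc-version", "impact": "Informational", "confidence": "High",
   "description": "solc-0.8.14 is not recommended for deployment\\n"}
]}}
"""

# Severity ladders used by slither's detectors; lower number = more urgent.
IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
CONFIDENCE_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def load_findings(raw):
    """Parse the JSON report and fail loudly if slither itself reported an error."""
    data = json.loads(raw)
    if not data.get("success"):
        raise RuntimeError(f"slither failed: {data.get('error')}")
    return data["results"]["detectors"]

def triage(findings, min_impact="Low"):
    """Drop findings below min_impact, then order by impact, confidence, detector name."""
    cutoff = IMPACT_ORDER[min_impact]
    kept = [f for f in findings if IMPACT_ORDER.get(f["impact"], 99) <= cutoff]
    kept.sort(key=lambda f: (IMPACT_ORDER.get(f["impact"], 99),
                             CONFIDENCE_ORDER.get(f["confidence"], 99), f["check"]))
    return kept

def summarize(findings):
    """Count findings per impact level, e.g. Counter({'Low': 3, 'Informational': 1})."""
    return Counter(f["impact"] for f in findings)

def render(findings):
    """One aligned line per finding: [impact/confidence] check: first description line."""
    lines = []
    for f in findings:
        first = f["description"].strip().splitlines()[0]
        lines.append(f"[{f['impact']:<13}/{f['confidence']:<6}] {f['check']}: {first}")
    return "\n".join(lines)

if __name__ == "__main__":
    findings = load_findings(SAMPLE_JSON)
    print(dict(summarize(findings)))
    print(render(triage(findings)))
```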
Bonus track: Dirty hack to avoid @openzeppelin import errors:
slither contract.sol --solc-remaps @=../node_modules/@