It seems like hardly a month goes by without news of a major hack of a blockchain or cryptocurrency platform. In the blockchain universe, smart contracts are the software programs that enable transactions or trade between different parties on the blockchain. Writing these programs well requires skill, and producing smart contracts that are secure and trustworthy can be challenging. Automation can help.
A few resources like Security Journey's Top 9 Threats to Smart Contracts help developers learn the common security gotchas to avoid when writing smart contracts. Those resources describe vulnerable code patterns that developers should be aware of.
However, even when equipped with knowledge of vulnerable patterns it's easy to miss things when writing or reviewing code. Automated code analysis techniques - also known as static analysis - can be applied to smart contracts such that specialized tools are used to check for and catch vulnerable code. This is where Slither comes in.
What is Slither?
Slither is an open-source python-based static analysis framework for the solidity programming language. Solidity is used to write smart contracts for the Ethereum blockchain.
According to Trail of Bits, the creators of Slither, it was made to offer thorough, precise security details on solidity-based smart contract code. Slither is most useful for the following 4 things:
Automated Vulnerability Detection: Easily detect vulnerabilities or security bugs in your code with low or no human effort.
Automated optimization detection: Slither can detect code optimizations that the compiler misses while compiling.
Slither can help you understand code better by summarizing and displaying contract information.
Slither also helps with code reviews as its API can be easily interacted with by a user.
How Does Slither Work? 🧐
Slither takes the Solidity Abstract Syntax Tree (AST) generated by the Solidity compiler as its input. It then converts the AST into an intermediary language called “SlithIR” which makes it easier for vulnerability and optimization detection.
Slither has two major operating modes: printer mode and detector mode.
Slither will analyze your smart contract as a detector to look for a set of pre-defined vulnerabilities and optimizations. Utilizing the Slither API, user-written detectors can also be added as plug-ins. In printer mode, Slither shows visual representations of your smart contract, which could be the inheritance relations between contracts.
How to Use Slither 👩💻
First, we have to download and install Slither. However, for Slither to work, Python 3 and solc (solidity compiler) must be installed.
To install Slither and solc, you can run the following commands:
1. pip3 install slither-analyzer
2. pip3 install solc-select
Slither can also be used as a Visual Studio Code extension which can be found here: Visual Studio Code Slither Extension.
Run Slither run 🏃♀️
To run Slither against a particular smart contract, you can execute the command below in a shell:
If you want to only check for some particular detectors, you can run slither with the detect mode as shown below:
slither TestContract.sol --detect pragma,locked-ether
You can check GitHub - crytic/slither: Static Analyzer for Solidity for more detectors.
To run Slither in Printer mode, you’ll need to run Slither with the "print" option added, followed by the list of printers if you want it to return one or more printers as shown below:
slither TestContract.sol --print call-graph
The output format of the command is in dot. Therefore, to visualize the image, run:
You can also check https://github.com/crytic/slither/wiki/Printer-Documentation for more printers.
Finally, by integrating Slither into a CI/CD pipeline using Slither-action on Github, Slither can also be automated to check for vulnerabilities as your developers write and publish code.
Slither has many additional functions that are not covered in this article. And I hope that what we've shown here will convince you to try Slither (or another static analysis tool) on your smart contracts project.
The FREE 5-Minute Security Assessment for Startups ™
What if 5 minutes of your time could help you discover the major software risks for your startup? What if after those 5 minutes, you were guaranteed a software security report with custom solutions tailored to the specific gaps in your startup? The FREE 5-Minute Security Assessment for Startups™ was created to provide custom and relevant security recommendations to software startups. Once you complete the assessment, you are guaranteed to get your security report within 3 business days. Click below to start your assessment...