Mastering Sway-Analyzer: Your Guide to Auditing Sway Smart Contracts 🌴

angelos404
5 min readJun 2, 2024


A security-focused static analyzer for Sway written in Rust…

Introduction

Imagine you are a smart contract auditor or developer aiming to uncover significant vulnerabilities within the Fuel ecosystem. You begin by selecting a project aligned with your expertise from the Fuel Ecosystem Search Portal. After acquiring the project’s whitepaper and Sway source code, you are ready to begin the audit. However, manual analysis can be tedious and might distract you from your main goal of identifying meaningful bugs. This is where static code analysis becomes invaluable. Wouldn’t it be great if there was a tool that could automatically generate a report highlighting a bunch of findings? Enter sway-analyzer!

Prerequisites

Before you can use sway-analyzer, you need to have the Rust programming language installed on your system. For installation instructions, visit the Rust Installation Page.

How to install

Let’s install the tool. Use one of the two options below:

Using Cargo

cargo install sway-analyzer

Using GitHub

git clone https://github.com/ourovoros-io/sway-analyzer.git
cd sway-analyzer
cargo build --release
export PATH=$PATH:/path/to/sway-analyzer/target/release/

Sanity Check

Great! Now that sway-analyzer is installed, let’s verify the installation by analyzing a default smart contract from the Sway playground. You can substitute this with any Sway smart contract:

git clone https://github.com/FuelLabs/sway-playground.git
sway-analyzer --files sway-playground/projects/swaypad/src/main.sw

The tool should display all potential issues found in the contract, including the path to the analyzed smart contracts, their line numbers, and a brief description of each, color-coded by one of the three severity levels.

How it works

Sounds like this tool can be very handy! Let’s try diving a little bit deeper into its inner workings. As per the README:

… The tool makes use of the existing sway-ast and sway-parse crates in order to parse Sway source code into its abstract syntax tree (AST). A recursive AST visitor is implemented on top of this, which will walk the AST structures top-down in a context-sensitive manner. Detectors leverage the AST visitor in order to implement their logic by inspecting the values contained in certain parts of the AST structures.

Yikes! This sounds like something very difficult to comprehend. Let’s try reading this paragraph again, only this time we will break it down to its essential components.

Simplifying the above expression:

… The tool parses the input Sway source code, algorithmically runs through that parsed code and builds a vulnerability report based on the user’s desired detector list.
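To make the visitor/detector split concrete, here is an added Rust illustration (not sway-analyzer’s own code): a toy AST, a recursive top-down visitor, and one detector modelled loosely on the non_zero_identity_validation detector used later in this post. The node shapes, the trait, and the detector rule are simplifying assumptions of this example, not the real sway-ast types.

```rust
// Added illustration, not sway-analyzer's own code: a toy AST, a recursive top-down
// visitor and one detector mirroring the README's split; shapes and rule are assumptions.
#[derive(Debug, PartialEq)]
pub enum Severity { Low, Medium, High }
// RequireNonZero("x") stands for `require(x != zero identity, ...)`; Call holds sub-nodes.
pub enum Expr { RequireNonZero(String), Call(String, Vec<Expr>), Ident(String) }
pub struct FnDecl { pub name: String, pub line: usize, pub identity_params: Vec<String>, pub body: Vec<Expr> }
#[derive(Debug, PartialEq)]
pub struct Finding { pub line: usize, pub severity: Severity, pub message: String }

/// A detector only inspects the nodes it is handed; the visitor owns traversal order.
pub trait Detector {
    fn visit_expr(&mut self, _e: &Expr) {}
    fn leave_fn(&mut self, _f: &FnDecl, _out: &mut Vec<Finding>) {}
}

/// Recursive visitor: each function in order, then its expressions depth-first, top-down.
pub fn walk(fns: &[FnDecl], det: &mut dyn Detector) -> Vec<Finding> {
    let mut out = Vec::new();
    for f in fns {
        for e in &f.body { walk_expr(e, det); }
        det.leave_fn(f, &mut out);
    }
    out
}
fn walk_expr(e: &Expr, det: &mut dyn Detector) {
    det.visit_expr(e);
    if let Expr::Call(_, args) = e { for a in args { walk_expr(a, det); } }
}

/// Toy non_zero_identity_validation: an Identity parameter that is never required to be
/// non-zero anywhere in the function body is reported as a medium-severity finding.
#[derive(Default)]
pub struct NonZeroIdentity { validated: Vec<String> }
impl Detector for NonZeroIdentity {
    fn visit_expr(&mut self, e: &Expr) { if let Expr::RequireNonZero(p) = e { self.validated.push(p.clone()); } }
    fn leave_fn(&mut self, f: &FnDecl, out: &mut Vec<Finding>) {
        for p in f.identity_params.iter().filter(|p| !self.validated.contains(p)) {
            out.push(Finding { line: f.line, severity: Severity::Medium,
                message: format!("fn `{}`: Identity `{}` is never checked for zero", f.name, p) });
        }
        self.validated.clear(); // per-function state, reset for the next declaration
    }
}

/// Constructed sample (not real Sway): `transfer_to` validates `to`, `set_admin` does not.
pub fn sample_contract() -> Vec<FnDecl> {
    vec![
        FnDecl { name: "transfer_to".into(), line: 12, identity_params: vec!["to".into()],
            body: vec![Expr::RequireNonZero("to".into()), Expr::Call("transfer".into(), vec![Expr::Ident("to".into())])] },
        FnDecl { name: "set_admin".into(), line: 30, identity_params: vec!["new_admin".into()],
            body: vec![Expr::Call("write_admin".into(), vec![Expr::Ident("new_admin".into())])] },
    ]
}
```

Running `walk(&sample_contract(), &mut NonZeroIdentity::default())` yields one finding, for `set_admin` at line 30; a real detector would be fed the full sway-ast tree the same way.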

Now that’s better. But we can do more! Let’s add more arguments to produce an output that suits our needs. The --help flag to the rescue:

sway-analyzer --help
  • --detectors: Specify the detectors you wish to run. For a comprehensive report, it is recommended not to modify this (all detectors run by default).
  • --directory: Specify a directory so that every Sway file in it is analyzed together. This should be your go-to flag.
  • --display-format: Specify the report’s format. Use the default value unless integrating with other tools.
  • --files: Specify individual Sway files to analyze. A great option when you want findings for one specific smart contract.
  • --exclude/--include: Specify the severity level(s) of the detectors to skip or to restrict the run to. This should be your flag when targeting bugs of a specific severity.
  • --sorting: Specify the order of the detected entries in the report. I always sort by severity.

Now that severity has come up, here is a rule of thumb for the colour coding, akin to a traffic light system. Green: you pass without issues. Yellow: you may proceed, but with strong consideration and caution. Red: you should stop and most likely revise that particular part of the code.

Luckily for us, the testing suite of the sway-analyzer is full of (vulnerable) Sway code, one vulnerable contract per detector to be exact!

Now that we have a good grasp on the tool’s customization features, we can make good use of them and begin bug hunting.

Examples

Let’s clone one of Fuel’s repositories, which contains example applications to play around with:

git clone https://github.com/FuelLabs/sway-applications.git
cd sway-applications

Now that we have a lot of Sway code available, let’s play around with the tool’s flags:

sway-analyzer --directory NFT/ --detectors non_zero_identity_validation
sway-analyzer --directory airdrop/ --include medium

What’s Next

Looking ahead, sway-analyzer will introduce an array of new features, detectors, and flags, further enhancing its functionality. We are also exploring various innovative tooling ideas. Additionally, I will be writing a detailed article on smart contract vulnerabilities within the Fuel ecosystem, along with a comprehensive guide on creating your own detector for sway-analyzer using Rust. Stay tuned for these exciting updates!

Useful Links

Disclaimer

sway-analyzer is still in beta, so take its output with a grain of salt. As with all static code analysis tools, it is important to manually review the findings to identify and disregard any false positives.
