Securify is Now on GitHub

Securify “riding” the 3rd wave of the Ethereum Foundation Grants.

Securify, the security scanner for smart contracts funded by the Ethereum foundation, is now available on GitHub: https://github.com/eth-sri/securify. Since its launch in 2017, Securify has scanned over 22,000 Ethereum smart contracts and has helped developers to prevent numerous critical security vulnerabilities. The goal of the open-source project is to maintain Securify as the most comprehensive static security scanner for Ethereum smart contracts and to further improve it in terms of extensibility, usability, and performance. As an open-source project, the Securify team welcomes the community to extend Securify with additional security patterns and to provide helpful feedback.

To contribute, check out the code on GitHub and join our Discord channel.

Below, we address relevant frequently asked questions:

What is Securify?

Securify is a tool that scans Ethereum smart contracts for critical security vulnerabilities. Securify is also publicly available as a web service at https://securify.chainsecurity.com, which has scanned over 22,000 smart contracts.

How does Securify work?

Securify statically analyzes the EVM code of the smart contract to infer important semantic information (including control-flow and data-flow facts) about the contract. This step is fully automated using Souffle, a scalable Datalog solver. Then, Securify checks the inferred facts to discover security violations or prove the compliance of security-relevant instructions. The full technical details are published as a peer-reviewed article at ACM Conference on Computer and Communications Security 2018 (ACM CCS).

How does Securify differ from other security tools (Oyente, Mythril, etc.)?

Securify statically analyzes all paths of the smart contract. In contrast, other tools such as Oyente and Mythril symbolically enumerate individual paths of the contract (using a technique called symbolic execution) and check these for security vulnerabilities. Due to the unbounded number of paths in contracts, these tools inspect a subset of all possible paths and results indicate that they can miss up to two-thirds of vulnerabilities (see technical report for comparison).

What security vulnerabilities does Securify support?

Securify supports the following vulnerabilities:

  • Storage changes after calls (prevent the DAO bug, known as reentrancy)
  • Locked ether
  • Missing input validation
  • Transaction ordering-dependent amount, receiver and transfer
  • Unhandled exceptions
  • Unrestricted ether flow

The web front-end of Securify (https://securify.chainsecurity.com) includes a total of 18 security patterns.

Where can I find more information about Securify?

The Securify team has given many talks and issued a number of articles about how the tool works:

How can I help?

To help the project, you can:

Work in progress / what’s next?

Research is ongoing at the ICE center at ETH Zurich to improve the backend of Securify, which includes a custom Datalog-based data-flow and control-flow analysis. Development will focus on:

  • Supporting the continuous integration with GitHub and CI frameworks like Travis
  • Providing a security query engine for easy addition of new security patterns
  • Adding more security patterns based on community feedback
  • Improving the precision of the Securify backend
  • Fixing known limitations

Attribution

The Securify team would like to thank the Ethereum Foundation for the generous grant to the ICE center which will fund the next six months of Securify development.

About the ICE center

ICE is an interdisciplinary and inter-department R&D center at ETH Zurich, Switzerland. Its mission is to facilitate research-industrial interaction in the areas of AI, blockchain, security, and networks. The ICE center has 10+ researchers (including 2 Professors, 2 Research Scientists, and 7+ PhD and master students) working in the area of security and reliability of Ethereum. For more details visit http://ice.ethz.ch.

About ChainSecurity

ChainSecurity is an ICE start-up founded by the creators of Securify. It works at the heart of blockchain technology as an audit platform for secure smart contracts. Since its launch in 2017, ChainSecurity has helped secure some of the most complex blockchain projects worldwide with valuations exceeding 300 Million USD. Learn more about ChainSecurity at https://chainsecurity.com.