Don’t Gamble on Your Smart Contract Security — Use Slither’s Real-Time Static Analysis for Peace of Mind!
Smart contracts can be tested in many ways: unit testing, integration testing, fuzzing and invariant testing, among others. This post focuses on one of them, static analysis.
Static Analysis
Static analysis is the process of analysing code without actually executing it.
In the context of smart contracts, static analysis tools are used to find potential security issues in the code before it is deployed to the blockchain. This matters because once a contract is deployed its code is immutable: a bug that ships cannot simply be patched in place, and by the time it is found the funds it guards may already be gone.
Static analysis tools for smart contracts typically work by analysing the code for patterns and behaviours that may indicate security issues or vulnerabilities. For example, a tool might look for instances of unchecked user input, which can lead to a smart contract being exploited by attackers.
Other types of analysis include detection of reentrancy vulnerabilities, which allow an attacker to repeatedly call a contract function before it completes, and identification of code clones, which can indicate the presence of copy-pasted code that may contain vulnerabilities.
Several static analysis tools are available for smart contracts, such as Slither, Mythril, and Oyente. In this tutorial, our focus will be on Slither, as we delve into the powerful capabilities and features of this robust tool!
Slither is an open-source static analysis framework for Solidity and Vyper, developed by Trail of Bits, a cybersecurity company with a strong focus on blockchain security.
Installation
Slither requires Python 3.8 or higher. It works out of the box with Hardhat and Foundry projects: it drives the project's own build, so the compiler version the project uses is picked up automatically. To analyse a standalone .sol file you also need a solc binary on your PATH whose version satisfies the file's pragma (solc-select is the usual way to manage this). Install Slither with:
pip3 install slither-analyzer
If you get a "slither: command not found" error after installing, refer to this article.
Running Slither
In a Hardhat or Foundry project, run slither . from the project root. To analyse a single file that does not import any dependencies, run slither path-to-folder/Contract.sol instead.
We’ll be analysing the following smart contract. While it may seem like a typical contract at first glance, it actually includes a very well-known vulnerability.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

contract NewContract {
    mapping(address => uint) public balances;

    function donate(address _to) public payable {
        balances[_to] += msg.value;
    }

    function balanceOf(address _who) public view returns (uint balance) {
        return balances[_who];
    }

    function withdraw(uint _amount) public {
        if (balances[msg.sender] >= _amount) {
            // External call first: Ether is sent, and control is handed to
            // msg.sender's receive/fallback, while balances[msg.sender] is
            // still unchanged. A contract caller can re-enter withdraw here.
            (bool result,) = msg.sender.call{value: _amount}("");
            if (result) {
                _amount; // no-op statement; the call result is never acted on
            }
            // State update only after the external call: this is the
            // "state variable written after external call" Slither reports.
            balances[msg.sender] -= _amount;
        }
    }

    receive() external payable {}
}
After running slither . in the project, this is what shows up on the terminal: Slither first builds the project (downloading the required compiler version if it is not already present), then runs its detectors over the compiled contracts and prints the findings.
Slither colours each finding by impact. Red marks high-impact results that need attention before deployment, for example reentrancy that can drain Ether, or a function that lets anyone send the contract's Ether to an arbitrary address. Yellow marks medium-impact results, and green marks low-impact and informational results such as naming conventions or the compiler version in use.
For the contract above, Slither reports a reentrancy bug (the reentrancy-eth detector), highlighted in red. It also explains why: the state variable balances[msg.sender] is written after the external call in withdraw, so a contract calling withdraw can re-enter it from its receive function while its recorded balance is still unchanged. The fix is the checks-effects-interactions order: decrement balances[msg.sender] before making the call, and revert if the call fails, so that any re-entrant call already sees the updated balance.
You can also try Slither's printers, which summarise the code rather than report bugs:
slither . --print human-summary (a short overview of each contract: size, the detector results grouped by severity, and which ERC standards it implements)
slither . --print function-summary (a table per contract listing every function with its visibility, modifiers, the state variables it reads and writes, and the internal and external calls it makes)
slither . --print call-graph (writes the contracts' call graphs to .dot files that you can render with Graphviz)
Slither can be integrated into your development workflow to provide ongoing analysis of your smart contracts. For example, you can run it automatically in your continuous integration (CI) pipeline and fail the build when it reports findings above a severity you choose, so that a new reentrancy bug never reaches main unnoticed.
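One way to build that CI gate, as an added example written for this post (it is not part of Slither or of the original article): run Slither with --json so it writes a machine-readable report, then parse the report and fail the job if any finding is at or above a chosen impact level. The script assumes the report layout Slither produces (a top-level "results" object with a "detectors" list whose entries carry "check", "impact", "confidence" and "description"); the SAMPLE_REPORT below is constructed by hand to mirror the reentrancy-eth finding discussed above, and the ignore_checks parameter and IMPACT_RANK table are this script's own conventions, not Slither options.

```python
"""Gate a CI job on Slither findings by reading Slither's JSON report.

Added example for this post, not Slither's own code. Assumes the report shape
produced by `slither <target> --json <file>`: {"success": bool, "error": ...,
"results": {"detectors": [{"check", "impact", "confidence", "description", ...}]}}.
"""
import json
import os
import subprocess
import sys

# Severity ordering used to decide what is "at least as severe as" the threshold.
# These are the impact strings Slither uses; the ranking is this script's own.
IMPACT_RANK = {"Informational": 0, "Optimization": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample mirroring what Slither reports for the NewContract above.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {
        "detectors": [
            {
                "check": "reentrancy-eth",
                "impact": "High",
                "confidence": "Medium",
                "description": "Reentrancy in NewContract.withdraw(uint256): "
                               "External calls: (result,None) = msg.sender.call{value: _amount}() "
                               "State variables written after the call(s): balances[msg.sender] -= _amount",
                "elements": [],
            },
            {
                "check": "low-level-calls",
                "impact": "Informational",
                "confidence": "High",
                "description": "Low level call in NewContract.withdraw(uint256)",
                "elements": [],
            },
            {
                "check": "solc-version",
                "impact": "Informational",
                "confidence": "High",
                "description": "Pragma version^0.8.9 allows old versions",
                "elements": [],
            },
        ]
    },
})


def load_findings(report_text):
    """Parse a Slither JSON report and return its list of detector findings."""
    data = json.loads(report_text)
    if not data.get("success", False):
        # A failed compile must fail the job too, not pass with zero findings.
        raise RuntimeError("slither did not complete: %s" % data.get("error"))
    return data.get("results", {}).get("detectors", [])


def blocking_findings(findings, fail_on="High", ignore_checks=()):
    """Return the findings whose impact is at or above fail_on, minus ignored checks."""
    threshold = IMPACT_RANK[fail_on]
    return [
        f for f in findings
        if f["check"] not in ignore_checks and IMPACT_RANK.get(f["impact"], 0) >= threshold
    ]


def summarize(findings):
    """Count findings per impact level, e.g. {'High': 1, 'Informational': 2}."""
    counts = {}
    for f in findings:
        counts[f["impact"]] = counts.get(f["impact"], 0) + 1
    return counts


def run_slither(target=".", report_path="slither-report.json"):
    """Run Slither on target and return the JSON report text."""
    if os.path.exists(report_path):
        os.remove(report_path)  # Slither will not silently overwrite an existing report
    # Slither exits non-zero when it has findings, so do not use check=True.
    subprocess.run(["slither", target, "--json", report_path], text=True)
    with open(report_path, encoding="utf-8") as fh:
        return fh.read()


def main(argv):
    target = argv[1] if len(argv) > 1 else "."
    fail_on = argv[2] if len(argv) > 2 else "High"
    findings = load_findings(run_slither(target))
    print("findings by impact:", summarize(findings))
    blocking = blocking_findings(findings, fail_on=fail_on)
    for f in blocking:
        print("[%s] %s: %s" % (f["impact"], f["check"], f["description"].splitlines()[0]))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python slither_gate.py . High from the project root; it exits 1 when a high-impact finding is present, which is what makes the CI step fail. Recent Slither versions can enforce the same threshold on their own with --fail-high (and --fail-medium, --fail-low), and Trail of Bits publish a GitHub Action, crytic/slither-action, that wraps this; parsing the JSON yourself is still useful when you want to allowlist specific checks or post the summary somewhere.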
I really hope this post was informative and helped you understand how to use Slither. Thank you so much for taking the time to read it! If you found this post useful, please consider sharing it with your friends and colleagues and give me a follow. Your support means a lot to me 🥳.