Slither: Smart Contract security tools

Alberto Molina
Coinmonks
5 min read · Jun 29, 2022


Writing secure smart contracts can be a very challenging task. There are multiple well-known and well-documented vulnerabilities like those indicated in the following blog:

Smart Contracts common vulnerabilities (solidity) | by Alberto Molina | May, 2022 | Medium

However, when working on projects that involve many smart contracts, multiple dependencies and short deadlines, keeping track of all the potential risks and vulnerabilities can be almost impossible.

Fortunately there are open-source tools that can help with this, such as Slither. Slither offers plenty of functionality and is worth adding to your toolkit so that you can use it from very early on in your project.

I will present Slither from an overall point of view: you will see how it works and how to use it, so that you can decide whether it is useful for you.

Introduction

Slither is a Solidity static analysis framework written in Python 3. It was implemented by Trail of Bits and was designed to provide fine-grained information about smart contract code. The framework is currently used for the following:

  • Automated vulnerability detection. A large variety of smart contract bugs can be detected without user intervention or additional specification effort.
  • Automated optimization detection. Slither detects code optimizations that the compiler misses.
  • Code understanding. Slither summarizes and displays contracts’ information to aid your study of the codebase.
  • Assisted code review. A user can interact with Slither through its API.

Slither is compatible with Truffle and Hardhat, among others. It is fast (it takes less than 1 second to analyze a contract, according to the official documentation), it has a very low rate of false positives, and you can easily integrate it into your CI/CD pipeline. It works with Solidity versions 0.4 and higher, and the maintainers are currently planning to extend it to other languages such as Vyper.

How it works

Slither works in combination with the Solidity compiler: its input is the Abstract Syntax Tree (AST) generated by the compiler. Slither converts the AST into an intermediate language called SlithIR, which makes the code analysis much easier, and then runs the vulnerability and optimization detection.

The schema below shows the different steps involved in a Slither analysis.

For more information you can visit this page:

Slither: The Leading Static Analyzer for Smart Contracts | Trail of Bits Blog

Slither can run two kinds of objects when analyzing a Solidity smart contract:

  • Detector: Slither has a predefined list of “detectors”, which are the vulnerabilities and optimizations Slither will look for in your smart contracts. By default Slither checks all of them, but you can run it so that it checks only those you want. You can also implement your own detectors and add them as plug-ins using the Slither API.
  • Printer: Slither has a predefined list of “printers”, which are visual representations of your smart contracts. One printer shows the inheritance relations between contracts, another the keccak256 signatures of the contracts’ functions, and so on. By default Slither does not run any printer, but you can ask it to run those you wish. Printers are very useful for getting a solid, comprehensive grasp of your smart contracts.

Download & install

In order to download and install Slither you must have Python 3.6+ and solc (the Solidity compiler) already installed on your machine.

Once you have all the dependencies, Slither can be installed by running the following command:

pip3 install slither-analyzer

Visual Studio Code Extension

Slither offers a Visual Studio Code (VS Code) extension too; you can find it here:

Slither — Visual Studio Marketplace

The extension lets you run Slither commands manually from the Slither tab it adds to VS Code.

For the rest of this blog we will present Slither commands run from the command shell.

Execute

Simple run

You can run Slither against all your smart contracts with the following command (for a Truffle or Hardhat project):

slither .

If you prefer to run Slither on a single file instead, do it like this:

slither tests/uninitialized.sol

Choose detectors

If you want Slither to run only some detectors (rather than all of them, as it does by default), use the “--detect” option followed by the list of detectors:

slither file.sol --detect arbitrary-send,pragma

You can find the list of available detectors here:

GitHub — crytic/slither: Static Analyzer for Solidity

Filter results

Slither might return some results that are not very useful in your case because you know your smart contracts are actually protected against those vulnerabilities, for instance re-entrancy findings for functions that only a single account can invoke. In that case you can exclude those results from future runs by using the “triage” mode.

To enter triage mode, first run the following command:

slither . --triage-mode

This turns the console into an interactive mode: result messages are displayed one after the other and you are asked whether you wish to remove each result from future executions. Once you are done, a “slither.db.json” file is generated with the list of excluded results. If later on you want to drop all the exclusions and see all the results again, simply delete the slither.db.json file.

Choose printers

If you want Slither to run one or more printers, add the “--print” option followed by the list of printers:

slither file.sol --print inheritance-graph

You can find the list of available printers here:

Printer documentation · crytic/slither Wiki · GitHub

Conclusion

There are plenty of other functionalities and possibilities in Slither that I did not cover in this blog, since my intention was just to give you an overall idea of what this tool can do; but even limited to what I presented, it can still be considered a very useful tool. I do believe that adding such a tool from the beginning of your project’s implementation phase will save you time and energy.

Using Slither does not replace carrying out an audit at the end of your project; it simply helps you prepare for it by reducing the number of bugs.
