slither-analyzer

Slither, the smart contract static analyzer

Join the Empire Hacking Slack

_{- Discussions and Support}

Slither is a Solidity & Vyper static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.

• Features
• Usage
• How to install
  • Using Pip
  • Using Git
  • Using Docker
  • Integration
• Detectors
• Printers
  • Quick Review Printers
  • In-Depth Review Printers
• Tools
• API Documentation
• Getting Help
• FAQ
• License
• Publications
  • Trail of Bits publication
  • External publications

Features

• Detects vulnerable Solidity code with low false positives (see the list of trophies)
• Identifies where the error condition occurs in the source code
• Easily integrates into continuous integration and Hardhat/Foundry builds
• Built-in 'printers' quickly report crucial contract information
• Detector API to write custom analyses in Python
• Ability to analyze contracts written with Solidity >= 0.4
• Intermediate representation (SlithIR) enables simple, high-precision analyses
• Correctly parses 99.9% of all public Solidity code
• Average execution time of less than 1 second per contract
• Integrates with Github's code scanning in CI
• Support for Vyper smart contracts

Usage

Run Slither on a Hardhat/Foundry/Dapp/Brownie application:

slither .

This is the preferred option if your project has dependencies as Slither relies on the underlying compilation framework to compile source code.

However, you can run Slither on a single file that does not import dependencies:

slither tests/uninitialized.sol

How to install

Note
Slither requires Python 3.8+. If you're not going to use one of the supported compilation frameworks, you need solc, the Solidity compiler; we recommend using solc-select to conveniently switch between solc versions.

Using Pip

python3 -m pip install slither-analyzer

How to upgrade

python3 -m pip install --upgrade slither-analyzer

Using Brew

brew install slither-analyzer

Using Git

git clone https://github.com/crytic/slither.git && cd slither
python3 -m pip install .

We recommend using a Python virtual environment, as detailed in the Developer Installation Instructions, if you prefer to install Slither via git.

Using Docker

Use the eth-security-toolbox docker image. It includes all of our security tools and every major version of Solidity in a single image. /home/share will be mounted to /share in the container.

docker pull trailofbits/eth-security-toolbox

To share a directory in the container:

docker run -it -v /home/share:/share trailofbits/eth-security-toolbox

Integration

• For GitHub action integration, use slither-action.
• For pre-commit integration, use (replace $GIT_TAG with real tag)

  - repo: https://github.com/crytic/slither
    rev: $GIT_TAG
    hooks:
      - id: slither
  

• To generate a Markdown report, use slither [target] --checklist.
• To generate a Markdown with GitHub source code highlighting, use slither [target] --checklist --markdown-root https://github.com/ORG/REPO/blob/COMMIT/ (replace ORG, REPO, COMMIT)

Detectors

Num	Detector	What it Detects	Impact	Confidence
1	abiencoderv2-array	Storage abiencoderv2 array	High	High
2	arbitrary-send-erc20	transferFrom uses arbitrary from	High	High
3	array-by-reference	Modifying storage array by value	High	High
4	encode-packed-collision	ABI encodePacked Collision	High	High
5	incorrect-shift	The order of parameters in a shift instruction is incorrect.	High	High
6	multiple-constructors	Multiple constructor schemes	High	High
7	name-reused	Contract's name reused	High	High
8	protected-vars	Detected unprotected variables	High	High
9	public-mappings-nested	Public mappings with nested variables	High	High
10	rtlo	Right-To-Left-Override control character is used	High	High
11	shadowing-state	State variables shadowing	High	High
12	suicidal	Functions allowing anyone to destruct the contract	High	High
13	uninitialized-state	Uninitialized state variables	High	High
14	uninitialized-storage	Uninitialized storage variables	High	High
15	unprotected-upgrade	Unprotected upgradeable contract	High	High
16	codex	Use Codex to find vulnerabilities.	High	Low
17	arbitrary-send-erc20-permit	transferFrom uses arbitrary from with permit	High	Medium
18	arbitrary-send-eth	Functions that send Ether to arbitrary destinations	High	Medium
19	controlled-array-length	Tainted array length assignment	High	Medium
20	controlled-delegatecall	Controlled delegatecall destination	High	Medium
21	delegatecall-loop	Payable functions using delegatecall inside a loop	High	Medium
22	incorrect-exp	Incorrect exponentiation	High	Medium
23	incorrect-return	If a return is incorrectly used in assembly mode.	High	Medium
24	msg-value-loop	msg.value inside a loop	High	Medium
25	reentrancy-eth	Reentrancy vulnerabilities (theft of ethers)	High	Medium
26	return-leave	If a return is used instead of a leave.	High	Medium
27	storage-array	Signed storage integer array compiler bug	High	Medium
28	unchecked-transfer	Unchecked tokens transfer	High	Medium
29	weak-prng	Weak PRNG	High	Medium
30	domain-separator-collision	Detects ERC20 tokens that have a function whose signature collides with EIP-2612's DOMAIN_SEPARATOR()	Medium	High
31	enum-conversion	Detect dangerous enum conversion	Medium	High
32	erc20-interface	Incorrect ERC20 interfaces	Medium	High
33	erc721-interface	Incorrect ERC721 interfaces	Medium	High
34	incorrect-equality	Dangerous strict equalities	Medium	High
35	locked-ether	Contracts that lock ether	Medium	High
36	mapping-deletion	Deletion on mapping containing a structure	Medium	High
37	pyth-deprecated-functions	Detect Pyth deprecated functions	Medium	High
38	pyth-unchecked-confidence	Detect when the confidence level of a Pyth price is not checked	Medium	High
39	pyth-unchecked-publishtime	Detect when the publishTime of a Pyth price is not checked	Medium	High
40	shadowing-abstract	State variables shadowing from abstract contracts	Medium	High
41	tautological-compare	Comparing a variable to itself always returns true or false, depending on comparison	Medium	High
42	tautology	Tautology or contradiction	Medium	High
43	write-after-write	Unused write	Medium	High
44	boolean-cst	Misuse of Boolean constant	Medium	Medium
45	chronicle-unchecked-price	Detect when Chronicle price is not checked.	Medium	Medium
46	constant-function-asm	Constant functions using assembly code	Medium	Medium
47	constant-function-state	Constant functions changing the state	Medium	Medium
48	divide-before-multiply	Imprecise arithmetic operations order	Medium	Medium
49	gelato-unprotected-randomness	Call to _requestRandomness within an unprotected function	Medium	Medium
50	out-of-order-retryable	Out-of-order retryable transactions	Medium	Medium
51	reentrancy-no-eth	Reentrancy vulnerabilities (no theft of ethers)	Medium	Medium
52	reused-constructor	Reused base constructor	Medium	Medium
53	tx-origin	Dangerous usage of tx.origin	Medium	Medium
54	unchecked-lowlevel	Unchecked low-level calls	Medium	Medium
55	unchecked-send	Unchecked send	Medium	Medium
56	uninitialized-local	Uninitialized local variables	Medium	Medium
57	unused-return	Unused return values	Medium	Medium
58	chainlink-feed-registry	Detect when chainlink feed registry is used	Low	High
59	incorrect-modifier	Modifiers that can return the default value	Low	High
60	optimism-deprecation	Detect when deprecated Optimism predeploy or function is used.	Low	High
61	shadowing-builtin	Built-in symbol shadowing	Low	High
62	shadowing-local	Local variables shadowing	Low	High
63	uninitialized-fptr-cst	Uninitialized function pointer calls in constructors	Low	High
64	variable-scope	Local variables used prior their declaration	Low	High
65	void-cst	Constructor called not implemented	Low	High
66	calls-loop	Multiple calls in a loop	Low	Medium
67	events-access	Missing Events Access Control	Low	Medium
68	events-maths	Missing Events Arithmetic	Low	Medium
69	incorrect-unary	Dangerous unary expressions	Low	Medium
70	missing-zero-check	Missing Zero Address Validation	Low	Medium
71	reentrancy-benign	Benign reentrancy vulnerabilities	Low	Medium
72	reentrancy-events	Reentrancy vulnerabilities leading to out-of-order Events	Low	Medium
73	return-bomb	A low level callee may consume all callers gas unexpectedly.	Low	Medium
74	timestamp	Dangerous usage of block.timestamp	Low	Medium
75	assembly	Assembly usage	Informational	High
76	assert-state-change	Assert state change	Informational	High
77	boolean-equal	Comparison to boolean constant	Informational	High
78	cyclomatic-complexity	Detects functions with high (> 11) cyclomatic complexity	Informational	High
79	deprecated-standards	Deprecated Solidity Standards	Informational	High
80	erc20-indexed	Un-indexed ERC20 event parameters	Informational	High
81	function-init-state	Function initializing state variables	Informational	High
82	incorrect-using-for	Detects using-for statement usage when no function from a given library matches a given type	Informational	High
83	low-level-calls	Low level calls	Informational	High
84	missing-inheritance	Missing inheritance	Informational	High
85	naming-convention	Conformity to Solidity naming conventions	Informational	High
86	pragma	If different pragma directives are used	Informational	High
87	redundant-statements	Redundant statements	Informational	High
88	solc-version	Incorrect Solidity version	Informational	High
89	unimplemented-functions	Unimplemented functions	Informational	High
90	unused-state	Unused state variables	Informational	High
91	costly-loop	Costly operations in a loop	Informational	Medium
92	dead-code	Functions that are not used	Informational	Medium
93	reentrancy-unlimited-gas	Reentrancy vulnerabilities through send and transfer	Informational	Medium
94	too-many-digits	Conformance to numeric notation best practices	Informational	Medium
95	cache-array-length	Detects for loops that use length member of some storage array in their loop condition and don't modify it.	Optimization	High
96	constable-states	State variables that could be declared constant	Optimization	High
97	external-function	Public function that could be declared external	Optimization	High
98	immutable-states	State variables that could be declared immutable	Optimization	High
99	var-read-using-this	Contract reads its own variable using this	Optimization	High

For more information, see

• The Detector Documentation for details on each detector
• The Detection Selection to run only selected detectors. By default, all the detectors are run.
• The Triage Mode to filter individual results

Printers

Quick Review Printers

• human-summary: Print a human-readable summary of the contracts
• inheritance-graph: Export the inheritance graph of each contract to a dot file
• contract-summary: Print a summary of the contracts
• loc: Count the total number lines of code (LOC), source lines of code (SLOC), and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), and test files (TEST).
• entry-points: Print all the state-changing entry point functions of the contracts

In-Depth Review Printers

• call-graph: Export the call-graph of the contracts to a dot file
• cfg: Export the CFG of each functions
• function-summary: Print a summary of the functions
• vars-and-auth: Print the state variables written and the authorization of the functions
• not-pausable: Print functions that do not use whenNotPaused modifier.

To run a printer, use --print and a comma-separated list of printers.

See the Printer documentation for the complete lists.

Tools

• slither-check-upgradeability: Review delegatecall-based upgradeability
• slither-prop: Automatic unit test and property generation
• slither-flat: Flatten a codebase
• slither-check-erc: Check the ERC's conformance
• slither-format: Automatic patch generation
• slither-read-storage: Read storage values from contracts
• slither-interface: Generate an interface for a contract

See the Tool documentation for additional tools.

Contact us to get help on building custom tools.

API Documentation

Documentation on Slither's internals is available here.

Getting Help

Feel free to stop by our Slack channel (#ethereum) for help using or extending Slither.

• The Printer documentation describes the information Slither is capable of visualizing for each contract.

• The Detector documentation describes how to write a new vulnerability analyses.

• The API documentation describes the methods and objects available for custom analyses.

• The SlithIR documentation describes the SlithIR intermediate representation.

FAQ

How do I exclude mocks or tests?

• View our documentation on path filtering.

How do I fix "unknown file" or compilation issues?

• Because slither requires the solc AST, it must have all dependencies available. If a contract has dependencies, slither contract.sol will fail. Instead, use slither . in the parent directory of contracts/ (you should see contracts/ when you run ls). If you have a node_modules/ folder, it must be in the same directory as contracts/. To verify that this issue is related to slither, run the compilation command for the framework you are using e.g npx hardhat compile. That must work successfully; otherwise, slither's compilation engine, crytic-compile, cannot generate the AST.

License

Slither is licensed and distributed under the AGPLv3 license. Contact us if you're looking for an exception to the terms.

Publications

Trail of Bits publication

• Slither: A Static Analysis Framework For Smart Contracts, Josselin Feist, Gustavo Grieco, Alex Groce - WETSEB '19

External publications

Title	Usage	Authors	Venue	Code
ReJection: A AST-Based Reentrancy Vulnerability Detection Method	AST-based analysis built on top of Slither	Rui Ma, Zefeng Jian, Guangyuan Chen, Ke Ma, Yujia Chen	CTCIS 19	-
MPro: Combining Static and Symbolic Analysis for Scalable Testing of Smart Contract	Leverage data dependency through Slither	William Zhang, Sebastian Banescu, Leodardo Pasos, Steven Stewart, Vijay Ganesh	ISSRE 2019	MPro
ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts	Leverage data dependency through Slither	Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma	SANER 20	-
Verification of Ethereum Smart Contracts: A Model Checking Approach	Symbolic execution built on top of Slither’s CFG	Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan	IJMLC 20	-
Smart Contract Repair	Rely on Slither’s vulnerabilities detectors	Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury	TOSEM 20	SCRepair
Demystifying Loops in Smart Contracts	Leverage data dependency through Slither	Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig	ASE 20	-
Trace-Based Dynamic Gas Estimation of Loops in Smart Contracts	Use Slither’s CFG to detect loops	Chunmiao Li, Shijie Nie, Yang Cao, Yijun Yu, Zhenjiang Hu	IEEE Open J. Comput. Soc. 1 (2020)	-
SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds	Rely on SlithIR to build a storage dependency graph	Priyanka Bose, Dipanjan Das, Yanju Chen, Yu Feng, Christopher Kruegel, and Giovanni Vigna	S&P 22	Sailfish
SolType: Refinement Types for Arithmetic Overflow in Solidity	Use Slither as frontend to build refinement type system	Bryan Tan, Benjamin Mariano, Shuvendu K. Lahiri, Isil Dillig, Yu Feng	POPL 22	-
Do Not Rug on Me: Leveraging Machine Learning Techniques for Automated Scam Detection	Use Slither to extract tokens' features (mintable, pausable, ..)	Mazorra, Bruno, Victor Adan, and Vanesa Daza	Mathematics 10.6 (2022)	-
MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities	Use Slither to extract the CFG and call graph	Hoang Nguyen, Nhat-Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudendo, Thanh-Nam Doan and Lingxiao Jiang	IEEE 9th International Conference on Data Science and Advanced Analytics (DSAA, 2022)	ge-sc
Automated Auditing of Price Gouging TOD Vulnerabilities in Smart Contracts	Use Slither to extract the CFG and data dependencies	Sidi Mohamed Beillahi, Eric Keilty, Keerthi Nelaturu, Andreas Veneris, and Fan Long	2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC)	Smart-Contract-Repair
Modeling and Enforcing Access Control Policies for Smart Contracts	Extend Slither's data dependencies	Jan-Philipp Toberg, Jonas Schiffl, Frederik Reiche, Bernhard Beckert, Robert Heinrich, Ralf Reussner	IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS), 2022	SolidityAccessControlEnforcement
Smart Contract Vulnerability Detection Based on Deep Learning and Multimodal Decision Fusion	Use Slither to extract the CFG	Weichu Deng, Huanchun Wei, Teng Huang, Cong Cao, Yun Peng, and Xuan Hu	Sensors 2023, 23, 7246	-
Semantic-enriched Code Knowledge Graph to Reveal Unknowns in Smart Contract Code Reuse	Use Slither to extract the code features (CFG, function, parameters types, ..)	Qing Huang, Dianshu Liao, Zhenchang Xing, Zhengkang Zuo, Changjing Wang, Xin Xia	ACM Transactions on Software Engineering and Methodology, 2023	-
Smart Contract Parallel Execution with Fine-Grained State Accesses	Use Slither to build state access graphs	Xiaodong Qi, Jiao Jiao, Yi Li	International Conference on Distributed Computing Systems (ICDCS), 2023	-
Bad Apples: Understanding the Centralized Security Risks in Decentralized Ecosystems	Implement an internal analysis on top of Slither	Kailun Yan , Jilian Zhang , Xiangyu Liu , Wenrui Diao , Shanqing Guo	ACM Web Conference April 2023	-
Identifying Vulnerabilities in Smart Contracts using Interval Analysis	Create 4 detectors on top of Slither	Ştefan-Claudiu Susan, Andrei Arusoaie	FROM 2023	-
Storage State Analysis and Extraction of Ethereum Blockchain Smart Contracts (no PDF in open access)	Rely on Slither's CFG and AST	Maha Ayub , Tania Saleem , Muhammad Janjua , Talha Ahmad	TOSEM 2023	SmartMuv

If you are using Slither on an academic work, consider applying to the Crytic $10k Research Prize.