What is Slither
Slither is a Solidity static analysis framework written in Python 3. It is one of the most popular tools for smart contract auditing. Slither has a wide range of vulnerability detectors, printers for visualizing contract details, and an API for custom analyses. It supports Solidity 0.4+ contracts, and the analysis time is less than 1 second per contract.
How to install Slither
Begin by installing solc, the Solidity compiler:
sudo apt install software-properties-common
sudo add-apt-repository ppa:ethereum/ethereum
sudo apt install solc
You should also install solc-select. It lets you quickly install and switch between Solidity compiler versions.
Simply run pip3 install solc-select
After the solc and solc-select are installed with no errors, we can proceed to the Slither installation. It can be done in three ways:
Using Pip:
pip3 install slither-analyzer
Using GitHub:
git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install
Using Docker:
docker pull trailofbits/eth-security-toolbox
We can check the installation by running slither --version in your terminal. If the tool is installed properly, you’ll see the latest version – 0.9.2.
How to check a smart contract using Slither
Once you have chosen a contract that you want to check, the easiest way is simply to run slither [target]. The target can be specified in several ways:
- Local copy of a contract file. Example: slither SecureContract.sol
- Project directory. Example: slither /path/to/the/project/SecureProject
- Mainnet contract address. Example: slither 0xf34960d9d60be18cC1D5Afc1A6F012A723a28811
Slither supports 15 networks:
- Ethereum
- Optim
- Ropsten
- Kovan
- Rinkeby
- Goerli
- Tobalaba
- BSC
- BSC Testnet
- Arbi
- Arbi Testnet
- Poly
- Mumbai
- Avax
- Avax testnet
- FTM
Let’s explore a smart contract that’s vulnerable to re-entrancy attacks. The tutorial contracts can be found in this GitHub repo.
The easiest way to scan a local copy of a smart contract is to run slither with the contract file name. Within seconds you will receive the results:
The colorized output highlights the most valuable audit findings. Slither also provides a detailed description of the vulnerability:
- how it works
- which functions are in use
- useful references
How to filter Slither output results
The output can be filtered. Here are some examples of how to filter the results:
dependencies: --exclude-dependencies
optimization: --exclude-optimization
informational: --exclude-informational
low findings: --exclude-low
Technically, you can even exclude medium and high-impact issues. But who’d be really interested in it?
How to use detectors in Slither
Detectors are used when you search for a specific type of vulnerability. There are 83 vulnerability detectors. You can find the full list of detectors in the Slither GitHub repo or by typing slither -h. To run only a detector of your choice, use slither [target] --detect [detector_name].
How to use printers in Slither
Instead of automatic analysis, printers can help you quickly extract crucial contract information. This may be helpful in manual analysis, audit reports, etc.
You can check the full list of the available printers by running slither --list-printers.
Here are a few examples of printers’ usage:
Running slither SecureContract.sol --print contract-summary,function-summary,modifiers (printer names are comma-separated, with no spaces) will give us information about each function of the contract: its visibility, modifiers, and internal and external calls.
Also, there’s a printer that builds graphs to visualize the function interactions inside the contract. Just run slither SecureContract.sol --print call-graph and the tool will generate a dot file that can be opened with any online dot viewer. Here’s an example of the mentioned graphs:
That’s it! Now we can run some basic checks of the smart contract, scan for the most popular vulnerabilities and extract important information for manual audits. You can try your new skills on our public smart contract programs to find valid bugs with a high bounty for them. But keep in mind that reports without a detailed Proof of Concept are out of scope, so do not forget to attach the PoC to your report.