Slither is an open-source static analysis framework designed to detect and prevent security vulnerabilities in smart contracts written in Ethereum's Solidity. The main goal of Slither is to help developers and auditors identify potential security flaws, vulnerabilities and design issues in their smart contracts before they are deployed to the blockchain.
Key Features:
1. Security and Vulnerability Detection: Slither is designed to detect a wide range of security vulnerabilities and potential bugs in Solidity smart contracts. It can identify common issues such as reentrancy vulnerabilities, unchecked calls, uninitialized variables and many more.
2. Comprehensive Ruleset: Slither comes with a comprehensive set of pre-built rules that cover a wide range of security risks and coding best practices. These rules help to catch various types of vulnerabilities and issues commonly found in smart contracts.
3. Custom Rules Development: Besides the built-in rules, Slither allows users to create custom rules to detect specific patterns or issues unique to their smart contract development needs.
4. Graph-Based Visualization: Slither uses a graph-based approach to visualize the control flow and data flow of the smart contract, making it easier for developers to understand the potential impact of detected issues and trace their origin. It is built with performance in mind and can handle large and complex smart contracts efficiently.
5. Integration with Build Systems: Slither can be easily integrated into various build systems and CI (Continuous Integration) pipelines, enabling developers to automatically analyze their smart contracts whenever code changes are made or before deployment. The Slither developers actively maintain and update the tool to address new security risks and to keep up with the evolving ecosystem of smart contract development.
6. Multiple Smart Contract Languages: Slither also provides some support for Vyper, a Python-based language for writing contracts on the Ethereum platform.
7. Detector API: Slither provides a Detector API that allows users to write custom analyses in Python, enabling developers to extend the tool's capabilities to detect specific patterns or vulnerabilities.
8. Built-in Printers: Slither comes with built-in "printers" that output concise, essential contract information, allowing developers to quickly review and understand the key aspects of their smart contracts.
How to install Slither?
There are several ways to install Slither:
1. Using Git (we recommend using a Python virtual environment)
git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install
2. Using pip (we recommend Python 3.8+; solc-select can be used to manage solc versions)
pip3 install slither-analyzer
3. Using the Docker image (eth-security-toolbox)
docker pull trailofbits/eth-security-toolbox
docker run -it -v /home/share:/share trailofbits/eth-security-toolbox
4. You can check their extension’s source code here.
You can also refer to this tutorial for installation:
How Slither works
Slither combines a set of core analyses with a vulnerability discovery system built on top of them. Without going into every detail of how it is built, here is an overview of how it works:
- It takes as initial input the Solidity Abstract Syntax Tree (AST) generated by the Solidity compiler. Slither works out of the box with the most common frameworks, including Truffle, Embark, and Dapp.
- Slither recovers essential data: the contracts' inheritance graph, the Control Flow Graph (CFG), and the list of expressions.
- Slither then translates the contract code into SlithIR, an internal representation language that makes precise and accurate analyses easier to write.
- Finally, Slither runs a set of predefined analyses that provide enhanced information to the other modules (e.g., computing data dependencies, identifying protected functions, etc.).
1. Running Slither:
In a Hardhat or Truffle project, open the terminal in the project directory and run Slither there. For a single Solidity file, run slither filepath/file.sol.
Let's run Slither on the contract below (it is intentionally vulnerable: the Ether transfer happens before the state is updated):

    pragma solidity ^0.8.0;

    contract SlitherDemo {
        address public king;
        uint public balance;

        function claimThrone() external payable {
            require(msg.value > balance, "Need to pay more to become the king");
            // External call made before state variables are updated:
            // this is the pattern Slither flags as reentrancy
            (bool sent, ) = king.call{value: balance}("");
            require(sent, "Failed to send Ether");
            balance = msg.value;
            king = msg.sender;
        }
    }
As you can see in the image, Slither detected a reentrancy vulnerability in our smart contract code and highlighted it in red; we also got some suggestions in green.
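Feature 5 above (build-system and CI integration) and this run are two halves of one workflow: Slither can write its findings as JSON (slither <target> --json <file>), and a small script can decide whether the pipeline should fail. The script below is an added example, not code from the original article or from the Slither project. It gates on a constructed sample of Slither's JSON report (only the check, impact, confidence, description and elements fields are used) containing a reentrancy-eth finding like the one reported for SlitherDemo; the policy thresholds (block on High impact at Medium confidence or above) and the allowlist of detector names are assumptions you would tune per project.

```python
import json
import sys
from collections import Counter

# Severity scales used in the impact/confidence fields of Slither's JSON
# report. Informational and Optimization never block a build here.
IMPACT_ORDER = {"Informational": 0, "Optimization": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample of a Slither JSON report, trimmed to the fields this
# script reads. It is not real tool output.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {
        "detectors": [
            {
                "check": "reentrancy-eth",
                "impact": "High",
                "confidence": "Medium",
                "description": "Reentrancy in SlitherDemo.claimThrone() (constructed sample)",
                "elements": [{
                    "type": "function",
                    "name": "claimThrone",
                    "source_mapping": {"filename_relative": "contracts/SlitherDemo.sol",
                                       "lines": [6, 7, 8, 9, 10, 11, 12]},
                }],
            },
            {
                "check": "solc-version",
                "impact": "Informational",
                "confidence": "High",
                "description": "Pragma version ^0.8.0 allows old versions (constructed sample)",
                "elements": [],
            },
            {
                "check": "low-level-calls",
                "impact": "Informational",
                "confidence": "High",
                "description": "Low level call in SlitherDemo.claimThrone() (constructed sample)",
                "elements": [],
            },
        ]
    },
})


def load_findings(report_text):
    """Return the detector results from a Slither JSON report.

    Raises ValueError when Slither reported a failed run, so that a
    compilation or analysis crash is never mistaken for a clean result.
    """
    report = json.loads(report_text)
    if not report.get("success", False):
        raise ValueError(f"slither run failed: {report.get('error')}")
    return report.get("results", {}).get("detectors", [])


def blocking_findings(findings, min_impact="High", min_confidence="Medium", allowlist=()):
    """Findings that should fail the build: at or above the given impact and
    confidence, and whose detector name has not been explicitly allowlisted."""
    return [
        f for f in findings
        if IMPACT_ORDER.get(f["impact"], 0) >= IMPACT_ORDER[min_impact]
        and CONFIDENCE_ORDER.get(f["confidence"], 0) >= CONFIDENCE_ORDER[min_confidence]
        and f["check"] not in allowlist
    ]


def summarize(findings):
    """Count findings per impact level, e.g. {'High': 1, 'Informational': 2}."""
    return dict(Counter(f["impact"] for f in findings))


def first_location(finding):
    """Best-effort 'file:line' taken from the first element with a source mapping."""
    for element in finding.get("elements", []):
        mapping = element.get("source_mapping") or {}
        if mapping.get("filename_relative"):
            lines = mapping.get("lines") or []
            return f"{mapping['filename_relative']}:{lines[0] if lines else '?'}"
    return "(no location)"


def gate(report_text, **policy):
    """Return (exit_code, report_lines); exit code 1 when any finding blocks."""
    findings = load_findings(report_text)
    blockers = blocking_findings(findings, **policy)
    lines = [f"{len(findings)} finding(s): {summarize(findings)}"]
    for f in blockers:
        lines.append(f"BLOCKING {f['check']} [{f['impact']}/{f['confidence']}] {first_location(f)}")
    return (1 if blockers else 0), lines


if __name__ == "__main__":
    # Usage: python slither_gate.py slither-output.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(text)
    print("\n".join(lines))
    sys.exit(code)
```

In a pipeline the script runs after the analysis step and its exit code fails the job; the allowlist is for detectors whose findings have been reviewed and accepted, and a failed Slither run (success false) deliberately raises rather than passing silently.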
2. Contract summary printer:
Gives a quick summary of the contract, showing the functions and their visibility.
3. Function summary printer:
Shows useful information for each function, such as the state variables read and written, or the functions called.
4. Inheritance Printer:
Outputs a graph highlighting the inheritance dependencies of all the contracts.
5. Authorization Printer:
Shows what a privileged user can do on the contract.
See the official Slither documentation for more information about adding your own printer.
Conclusion
Slither empowers us to take control of smart contract security, reducing potential risks and ensuring that our decentralised applications (Dapps) stand as beacons of reliability and safety.
Additional Reference
Here are some other docs that will help you go further with Slither:
Frequently Asked Questions
Q1. What type of vulnerability does Slither detect?
Slither is capable of detecting a wide range of security vulnerabilities and potential bugs in Solidity smart contracts. Some examples include reentrancy vulnerabilities, unchecked calls, and more. Its comprehensive rules cover various security risks and coding best practices commonly found in smart contracts.
Q2. Does Slither support any language other than Solidity?
While Solidity is the primary focus, Slither also provides support for Vyper, a Python-based language for writing smart contracts on the Ethereum platform.
Q3. How efficient is Slither in terms of execution time?
Slither is built with performance in mind and offers an average execution time of less than 1 second per contract analysis, making it suitable for analyzing large and complex smart contracts efficiently.
Q4. Is Slither only applicable to Ethereum’s mainnet?
No, Slither can be used to analyze smart contracts deployed on any Ethereum network, including testnets and private networks.
Q5. What is the advantage of using Slither over manual code review?
Slither automates the process of security analysis, enabling developers to quickly identify potential vulnerabilities without manually inspecting every line of code. This automation significantly speeds up the security review process and helps catch issues that might be overlooked in a manual review.