Following our Smart Contract Auditing: Human vs. Machine article, we now analyze Slither, which is another static analysis tool from Trail of Bits. It includes aids for contract summaries, which can be helpful for making a mental model of the contract and rechecking assumptions. Considering the ease of use, it’s a good idea to try them out.
Executing it on a contract is simple, since by default all checks are executed:
It can also create files in dot format specifying the call graph for a contract and can also provide a summary of contract functions and inheritance information. An interesting feature it provides is the vars-and-auth printer, which specifies what state variables are written by each function, which in big projects can be a screenful, but is useful information indeed.
Slither also includes a function summary mode that specifies state variables which are read or written, internal calls and what modifiers affect each function:
Another interesting thing is that it has a Python API that allows instrumentation of the static analysis engine. This means that the engine can be used to derive specific information from contracts automatically, and in general can be used to suit the user’s needs.
Now, after familiarizing ourselves with the tool we decided to check the same contracts from our previous article, to see how well it fared against other tools. The results were not the best, but certainly not far from the norm when compared with other tools in the same range of utility:
|100||Function Default Visibility||✔|
|101||Integer Overflow and Underflow||✘|
|106||Unprotected SELFDESTRUCT Instruction||✔|
|108||State Variable Default Visibility||✘|
|109||Uninitialized Storage Pointer||✔|
|112||Delegatecall to Untrusted Callee||✘|
|113||DoS with Failed Call||N/A|
|114||Transaction Order Dependence||N/A|
|119||Shadowing State Variables||✔|
|120||Weak Sources of Randomness from Chain Attributes||N/A|
While Slither provides some information for doing a contract-wide overview, it still shows that contract security tools still have a long way to go before being able to replace a human auditor. What this tool excels at, however, is that it can ease the job for the auditor looking at the code by providing information visually, which inevitably makes it easier to understand. In the same vein, and following the same philosophy of Trail of Bits’ other tool Manticore, having an API for script creation can mean applying different filters to the information presented by the contract, so it can be viewed from different angles.