Skip links

Auditing with Securify

Introduction

After our articles Smart Contract Auditing: Human vs. Machine and Auditing Solidity code with Slither we decided to test another static analysis tool from ChainSecurity called Securify.

Usage

It is offered in a nice and simple web interface that allows to insert code by either pasting it, uploading a zip file or cloning it from a git repository.

Once you press the “Scan Now” button the analyzer will make all the checks and eventually print the issues it found:

It will also highlight the related lines of code, for easier inspection:

The “Request Audit” button will lead you to a form you can use to request an audit from ChainSecurity.

Testing

We tested this tool using the same contracts we used in the other articles. Sadly, some of the contracts we wanted to test made the analyzer timeout. This made the zip and git options useless so we ended up pasting code individually for each contract.

These are the results:

Fails refers to when it failed to analyze the contracts altogether, not showing any results. Overall these results are within range of what it’s expected from other tools.

Conclusion

These results show once more that auditing tools still need to improve in order to be more consistent and dependable. It’s unlikely they will replace human auditors anytime soon. Even do, they are still useful for auditors as they highlight possible errors which can lead to detect more complex attack vectors.