Static Analyzer for Solidity and Vyper
This minor release contains several enhancements and resolves several bugs, most notably:
slither . --detect unused-import
)We would like to thank our external contributors:
Full Changelog: https://github.com/crytic/slither/compare/0.10.1...0.10.2
This is a minor release that adds support for Solidity 0.8.24 and top level events. It includes a new detector, out-of-order-retryable
, which detects potential misuse of Arbitrum's retryable transactions. Also, there is a new CLI flag, --include-paths
which allows one to only include results from a given path.
We would like to thank all of our external contributors:
--include-paths
option by @smonicas in https://github.com/crytic/slither/pull/2330
slither . --include-paths (src/|contracts/)
will only include results from files within src
or contracts
directory. Note, this is uses python-style regex and cannot be used at the same time as --filter-paths
.is_reentrant
for internal vyper functions by @0xalpharush in https://github.com/crytic/slither/pull/2211
z
with x
in pre-declaration by @ATREAY in https://github.com/crytic/slither/pull/2258
Full Changelog: https://github.com/crytic/slither/compare/0.10.0...0.10.1
This release adds support for Vyper 0.3.7 (thanks to the funding from VyperLang)! Currently, Vyper frameworks such as Ape are not supported. To run slither on Vyper codebases, target the source directory e.g. run slither ./contracts
if the Vyper contracts are in the contracts/
directory.
Additionally, this release includes 5 new detectors, 3 new printers, and several bugs fixes related to recent solidity features. The echidna/medusa integration was sped up and provides more information to the fuzzers.
With the release of crytic-compile 0.3.5, support for foundry projects is significantly improved: Slither can now be run on a single file from a foundry project and detect the necessary imports automatically (ex: run slither contracts/some_file.sol
instead of slither .
).
We would like to thank all of our external contributors:
incorrect-return
/ return-leave
/ incorrect-exp
/ tautological-compare
/ return-bomb
InitArray
by @0xalpharush in PR #2018
Full Changelog: https://github.com/crytic/slither/compare/0.9.6...0.10.0
This release fixes a regression in the unchecked-lowlevel
call detector and a crash in the cache-array-length
detector.
HighLevelCall
is a StateVariable
by @0xalpharush in https://github.com/crytic/slither/pull/2019
Full Changelog: https://github.com/crytic/slither/compare/0.9.5...0.9.6
This is a patch release that fixes forward compatibility with Python 3.11.
Full Changelog: https://github.com/crytic/slither/compare/0.9.4...0.9.5
This release adds initial support of user defined operators, improves support for try catch, reduces false positives, and fixes numerous bugs. Finally three new detectors, one new printer, and one new tool were added.
We would like to thank all of our external contributors:
For CI integration: If you were using the
fail-high
,fail-medium
,fail-low
,fail-pedantic
inslither.conf.json
, Slither will warn these configurations are deprecated and recommend migrating to the respectivefail-on
config e.g.fail-high
becomesfail-on: high
. These flags are now decoupled from excluding which detectors run, meaning the flags--exclude-informational
and--exclude-optimization
will be honored without also passing--no-fail-pedantic
. Consider using slither-action for CI integration
cache-array-length
: Detects for loops that use length member of some storage array in their loop condition and don't modify it by @bart1e in https://github.com/crytic/slither/pull/1694
encode-packed-collision
: Detects collisions caused by use of encode packed on dynamic types by @0xalpharush in https://github.com/crytic/slither/pull/1845
incorrect-using-for
: Detects using-for statement usage when no function from a given library matches a given type by @bart1e in https://github.com/crytic/slither/pull/1653
loc
- Count the total number lines of code (LOC), source lines of code (SLOC), and comment lines of code (CLOC) found in source files (SRC), dependencies (DEP), and test files (TEST) - by @devtooligan in https://github.com/crytic/slither/pull/1882
slither-interface
generates a Solidity interface for a given contract. by @0xGusMcCrae in https://github.com/crytic/slither/pull/1898
slither-read-storage
can know retrieve custom storage layouts e.g. proxy with the --unstructured
flag by @webthethird and @0xalpharush in https://github.com/crytic/slither/pull/1963
slither-read-storage
native POA support by @webthethird in https://github.com/crytic/slither/pull/1843
slither.utils.code_generation
by @webthethird in https://github.com/crytic/slither/pull/1730
can_be_checked_for_overflow
by @0xalpharush in https://github.com/crytic/slither/pull/1894
slither.utils.code_generation
by @webthethird in https://github.com/crytic/slither/pull/1802
type
field by @kevinclancy in https://github.com/crytic/slither/pull/1935
is_function_modified
in upgradeability util by @webthethird in https://github.com/crytic/slither/pull/1938
Full Changelog: https://github.com/crytic/slither/compare/0.9.3...0.9.4
This release adds a new detector for high complexity functions, improves Echidna's performance (on enums), adds support for less common and new Solidity features (ternary operations, using for
, and yul support), and improves slither-read-storage
and existing detectors.
Additionally, we're so excited that Slither has been nominated in the latest round of @optimismFND 's RetroPGF's program! If you vote for these projects, please select Slither as one of your favorite tools from now until March 23!
We have also opened a GitHub discussion page for Slither to more easily communicate with our community of users and developers.
Finally, we would like to thank all of our external contributors:
NewContract
, reads by @0xalpharush in https://github.com/crytic/slither/pull/1762
Full Changelog: https://github.com/crytic/slither/compare/0.9.2...0.9.3
This release integrates codex into Slither via two features:
slither-documentation
, a tool to auto-generate natspec for every function. See the usage on solmate
.codex
detector, which uses GPT3 to find vulnerabilities. This detector is not run by default and requires an explicit opt-in by using the --codex
flag.For both features, the environment variable OPENAI_API_KEY
must be set. These features are experimental, and we recommend reading OpenAI's ToS, in particular, if you are using it on a private codebase. We will be exploring other areas where we can leverage LLM within Slither, and we would love the community's feedback and ideas.
Additionally, this release contains two new detectors, and refinements to existing detectors. This includes a better handling of nonReentrant
for reentrancy detection, lowering the number of false alarms. Finally, this release contains several bug fixes and improvements for Solidity features such as "using for" directives and user defined value types.
We would like to thank all of our external contributors: -@ardislu -@bart1e -@devtooligan -@devtooligan -@mds1 -@Pavan-Nambi -@pcaversaccio -@plotchy
Thanks to the community effort, slither has now reached 100+ contributors.
this
keyword to reduce STATICCALLs by @0xalpharush in https://github.com/crytic/slither/pull/1484
// slither-disable-start [detector] ... // slither-disable-end [detector]
@custom:security isDelegatecallProxy
, @custom:security isUpgradeable
, @custom:security version name=[v1]
abi.encodeCall
by @plotchy in https://github.com/crytic/slither/pull/1460
VULNERABLE_SOLC_VERSIONS
to detectors by @devtooligan and @montyly in https://github.com/crytic/slither/pull/1477, https://github.com/crytic/slither/pull/1485
--no-fail
mode for echidna printer by @montyly in https://github.com/crytic/slither/pull/1571
nonReentrant
modifiers will be filtered out unless a risk of cross-function reentrancy is detectedExtraVariablesProxy
upgradeability check by @webthethird in https://github.com/crytic/slither/pull/1504
naming-convention
to flag single letter O
or I
variable by @ardislu in https://github.com/crytic/slither/pull/1470
Full Changelog: https://github.com/crytic/slither/compare/0.9.1...0.9.2
This release contains several bug fixes, and a new tool - slither-doctor
- to help debugging slither.
We would like to thank all our external contributors:
slither-doctor
: a new tool to help diagnose issues with Slither (https://github.com/crytic/slither/pull/1384)slither-flat
support for top level objects (#1441 )slither-read-storage
(https://github.com/crytic/slither/pull/1444)This release contains:
This release moves the Python requirement to 3.8.
We would like to thank all our external contributors:
For Foundry users: we do not support multiple compiler versions at the moment (see https://github.com/foundry-rs/foundry/issues/3450).
slither-read-storage
to make it easier to maintain (https://github.com/crytic/slither/pull/1311)arbitrary-send-erc20
(https://github.com/crytic/slither/pull/1025)arbitrary-send-erc20-permit
(https://github.com/crytic/slither/pull/1025)domain-separator-collision
(https://github.com/crytic/slither/pull/1334)--checklist
, to produce a markdown containing slither's results (https://github.com/crytic/slither/pull/1190)--convert-library-to-internal
in slither-flat
(https://github.com/crytic/slither/issues/1298)slither-check-erc
(https://github.com/crytic/slither/pull/1274)IdentifierPath
(https://github.com/crytic/slither/pull/1227)pip-audit
in the CI (https://github.com/crytic/slither/pull/1243)setup.py
with dev deps (https://github.com/crytic/slither/pull/1178)Type.is_dynamic
(https://github.com/crytic/slither/pull/1175)--fail-pedantic
/--fail-high
/--fail-medium
/ ... and --no-fail-pedantic
. The default behavior is --fail-pedantic
, but this will be updated to be --no-fail-pedantic
in a future releaseexternal-functions
detectors (https://github.com/crytic/slither/pull/1318)unprotected_upgradeable
detector (https://github.com/crytic/slither/pull/1344)too-many-digits
detector: ignore checksummed address (https://github.com/crytic/slither/pull/1193)exclude-dependencies
flag (https://github.com/crytic/slither/pull/1317)function-id printer
(https://github.com/crytic/slither/pull/886)slither-check-erc
output (https://github.com/crytic/slither/pull/1277)function.entry_point
(https://github.com/crytic/slither/pull/1307)contract_kind
assignment (https://github.com/crytic/slither/pull/1308)