Foreword
In contract development, the security of the contract is what matters most. During development I often wondered whether, beyond the unit tests I write myself, there is a tool that can detect "bad smells" in Solidity the way Sonar does for other languages. Leaving aside the commercial MythX, you can try Slither, which is open source and easy to use.
Slither installation
Here I personally recommend installing with pip3 rather than Docker: pulling the Docker image is very slow, and mapping a workspace outside the container into it later is troublesome.
Step 1
If you do not have the pip3 package manager, first install Python 3.6+, which is also required to run Slither.
brew install python3
After that, install Slither from PyPI:
pip3 install slither-analyzer
or, alternatively, from source:
git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install
Step 2
Open the Solidity project's root directory and run
slither .
This checks every contract in the project, and all of its dependencies, for bad smells. The command prints findings in three colours: red, yellow and green. Red findings are the ones you are especially advised to fix, but the warnings are not always accurate: analyse each flagged piece of code to decide whether it is really a problem, and only then decide whether to change it.
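Because the warnings need human triage, it helps to keep a record of which findings were reviewed and judged harmless. The following added example (not from the original post or the Slither project) reads the report written by `slither . --json report.json`, keeps only findings at or above a chosen impact, and separates those already reviewed from those that still block a merge. It assumes Slither's JSON layout (`results.detectors[]` entries with `check`, `impact` and `elements[].source_mapping`); the sample report is constructed.

```python
import json

# Severity order used to decide what blocks a merge; "High" is what Slither prints in red.
IMPACT_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Optimization": 0}

def load_findings(report_text):
    """Return the detector results from a Slither JSON report (slither . --json report.json)."""
    data = json.loads(report_text)
    if not data.get("success", True):
        raise RuntimeError("Slither did not complete: %s" % data.get("error"))
    return data.get("results", {}).get("detectors", [])

def finding_key(finding):
    """Stable identifier for a finding: detector name, relative file, first line."""
    elems = finding.get("elements") or []
    src = elems[0].get("source_mapping", {}) if elems else {}
    lines = src.get("lines") or [0]
    return (finding["check"], src.get("filename_relative", "?"), lines[0])

def triage(findings, reviewed, min_impact="Medium"):
    """Sort findings into: blocking (must fix), reviewed (known false positive), ignored."""
    result = {"blocking": [], "reviewed": [], "ignored": []}
    threshold = IMPACT_RANK[min_impact]
    for f in findings:
        key = finding_key(f)
        if IMPACT_RANK.get(f.get("impact"), 0) < threshold:
            result["ignored"].append(key)       # below the impact we gate on
        elif key in reviewed:
            result["reviewed"].append(key)      # a human already judged this one
        else:
            result["blocking"].append(key)      # new or unreviewed: needs analysis
    return result

# Constructed sample report (assumed Slither JSON shape, not real output) with three findings.
SAMPLE_REPORT = json.dumps({"success": True, "error": None, "results": {"detectors": [
    {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
     "description": "Reentrancy in Vault.withdraw()",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [42, 43]}}]},
    {"check": "unchecked-transfer", "impact": "Medium", "confidence": "Medium",
     "description": "Token.transfer return value ignored",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Sale.sol", "lines": [17]}}]},
    {"check": "solc-version", "impact": "Informational", "confidence": "High",
     "description": "Pragma allows old compilers", "elements": []},
]}})

# Findings a reviewer has already analysed and recorded as false positives.
REVIEWED = {("unchecked-transfer", "contracts/Sale.sol", 17)}

if __name__ == "__main__":
    summary = triage(load_findings(SAMPLE_REPORT), REVIEWED)
    for bucket, keys in summary.items():
        print(bucket, keys)
    raise SystemExit(1 if summary["blocking"] else 0)
```

Run after `slither . --json report.json`, the script exits non-zero only while unreviewed findings of the chosen impact remain, so the allowlist grows as you analyse each warning rather than by silencing detectors wholesale.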
Possible problems
- The contract cannot be found.
The likely cause is that a dependency contract used earlier is no longer used, so it is gone from node_modules, while a compiled link file for it still exists in the artifacts.
Clean up the artifact folder in the project root and delete the previously generated link file.