Releases: Cyfrin/aderyn

v0.0.13

08 Feb 11:53
74c2bff

aderyn:

  • FIX: Windows contract path issue (#153)
  • DevEx:
    • More readable detector imports.
    • Name change: ContextLoader -> WorkspaceContext.
  • New Features:
    • aderyn.config.json.
    • default ROOT option is now ., so aderyn can be run by itself without args.
    • Detectors are split into two types: IssueDetectors and ReusableDetectors.

nyth:

  • FIX: Extractors now available in nyth projects.
  • Commands:
    • nyth init to create a new nyth bot
    • nyth new <DETECTOR_TYPE> <DETECTOR_NAME> to create a detector.
      • DETECTOR_TYPE options: issue and reusable
      • DETECTOR_NAME no longer needs the path, it only needs the name.
      • This command must be run from inside the bot now.

v0.0.12

24 Jan 18:25

Fixes:

  • Length of a TypeName can be any Expression - fixing #104
  • Line number issues - fixing #118

New Features:

  • capture macro to make detectors more readable
  • Ability to run external detectors
  • Detector development framework (nyth)

v0.0.11

10 Jan 11:21
29e5e0b
  • UX Features:
    • --no-snippets flag to prevent code snippets being printed in the report.
    • --scope option to only include paths that contain any of the input strings.
    • --exclude option to exclude paths that contain any of the input strings.
    • Remove different_storage_conditionals detector due to non-determinism.
  • DevEx Features:
    • Extractor Pattern - Enables detectors to extract any node type at any depth from a node. For example, extract all VariableDeclarations inside a ContractDefinition. This will extract every instance of VariableDeclaration, whether defined as a state variable, a local function variable, a parameter definition, or in any other location.
    • GetParent Pattern - Enables detectors to find the parent SourceUnit, ContractDefinition, FunctionDefinition and ModifierDefinition of any node. This makes traversing up the tree possible (albeit not as feature-complete as the Extractor pattern).
    • capture macro reduces the cognitive load of writing detectors by providing a simple issue-capturing function.
  • Bug Fixes:
    • AST TypeName length can be an Expression.
    • Incorrect line numbers and snippets when non-ASCII chars are present in the source file.

v0.0.10

23 Dec 19:37
  • New ContextBrowser, injected into the detect function, makes building detectors easier.
  • Detectors:
  • Yul visitor support
  • Bug fixes:
    • Read all available foundry output files when more than a single compiler is used
    • Correct nSLOC count on contracts with unconventional comment structures

v0.0.9

14 Dec 11:49

Detectors:

  • New: Arbitrary from passed to transferFrom Detector.
  • Fix: Overzealous solmate detector now only catches the import directives.
  • Fix: push0 opcode for versions 0.8.20 and above fixed to be more precise in various pragma formats.

v0.0.8

13 Dec 12:39
ab94621
  • Python bindings generator.
  • JSON report file when -o <FILE_NAME> has a .json suffix.
  • Markdown report features:
    • Code snippets in the report, displaying the code that is detected by a detector.
    • ctrl+click links in the report to open up the exact file and line where the issue occurs.
  • Bug fix: Handle multiple build-info files in hardhat mode.
  • Detector: Low: Solc v0.8.20 introduces PUSH0 opcode, which not all EVM chains support.

v0.0.7

08 Dec 09:44
d824cff
  • Speed up report generation by sorting detector instances on the fly, instead of post-processing.
  • Bug fix: hard-coded foundry src replaced with foundry.toml definition.
  • Custom report output file with arg: -o <output_file>.
  • Process foundry output files in parallel & other io speed improvements.
  • Single Solidity files can be analyzed without a framework so long as Foundry is installed on the machine.

Big thanks to @TilakMaddy for his contribution to many of the features listed here.

v0.0.6

15 Nov 21:15
4f1bed4
  • Readme updates and logo
  • AST Fix: Modifier blocks were not being visited, they are now. Fixes #35
  • Detectors:
    • Inconsistent conditional checks on storage variables. Fixes #12
  • Output:
    • Markdown links are now pure markdown instead of a combination of Markdown and HTML. Fixes #25
    • Issue instances are printed in alphabetical and line number order. Fixes #14

v0.0.5

07 Nov 12:05
8f4ecae
  • New Detectors:
    • Using block.timestamp for token swap deadlines.
    • Use ERC721::_safeMint instead of _mint.
  • Fix: useless_public_function detector no longer counts constructors.
  • Tech debt:
    • loader.rs more generic, domain-specific getters moved to relevant one-time detector calls.
    • Detectors don't use unnecessary visitors.
  • Report:
    • Contract Summary includes nSLOC.
    • Disclaimer.

v0.0.4

01 Nov 11:39
  • Contract summary (which contracts have been analyzed) added to report
  • Centralization detector no longer reports "unknown" source
  • Print line numbers instead of file source
  • Remove --root flag arg requirement