This is a collection of slither custom plugins developed by Inspex team. The plugins also come with utilities that should help the detection and reporting easier.
The plugins are built from official Slither's plugin template. The installer will attempt to install the plugin into current python environment, which could have an error about the installer trying to write files without the permission. We strongly suggest you installing the plugins in a virtual environment.
The official Slither's repository has already come with a virtual environment. You can use it to create a virtual environment solely for plugin-installed slither.
Use Slither's env
git clone https://github.com/crytic/slither.git
cd slither
make dev
source env/bin/activate
Install the plugins
cd inspex-plugins
python setup.py develop
You can use Dockerfile
to build a docker image for running slither with our plugins.
# Create a new image from the Dockerfile file
docker build -t {image tag name} .
# Example
docker build -t inspexplugins .
When the image has been built, you can use the tag name that you've used to run a new container from the image. You can use the -v
flag to let container to access file from the host.
# Create a new container from the image
docker run -it -v {local path to be mounted}:/home/slither/mnt --name {new name of the container} {tag name of the image}
# Example
docker run -it -v ~/myDefiProject:/home/slither/mnt --name inspex-slither inspexplugins
If you have specified the name of the container, you can use that name to easily access to the container again by using the docker exec
commmand.
# Access to the started container
docker exec -it {the container name} /bin/bash
# Example
docker exec -it inspex-slither /bin/bash
If the container has stopped, you can start it again by using the docker start
command.
# Start the container
docker start -ia {the container name}
# Example
docker start -ia inspex-slither
You can test the installed plugins by rurnning the --list-detectors
or --list-printers
flags to list the installed plugin. If the plugins have been installed successfully, we should see the new plugins in the result.
List all registered detectors
slither --list-detectors
List all registered printers
slither --list-printers
If there is an error about the mismatch version of solidity. You can use solc-select
to change the current version of solidity.
# you need to run the install first
solc-select install 0.8.17
# select the version by using the `use` sub-command
solc-select use 0.8.17
- InsufficientLogging
insufficient-logging
- Detect privilege functions that does not emit events
- AssertStatement
assert-statement
- Detect usage of
assert
statement in contracts
- FloatingPragmaVersion
floating-pragma-version
- Detect usage of floating pragma version
- ModifiableOwnership
modifiable-ownership
- Detect functions that can modify the contract ownership
- AssignMemoryArray
assign-memory-array
- Detect the assigning of value into a memory array, which could be unintended
- InvokeUnknownExternalFunctions
unknown-external-functions
- Detect an external call to user controllable addresses
- ApproveUnknownAddress
approve-unknown-address
- Detect an approve to user controllable addresses
- StateChangingLoop
state-changing-loop
- Detect loops that change states
- LoopReverted
loop-reverted
- Detect loops that contain
require
,assert
, orrevert
statements
- ExplicitTypeConversion
explicit-type-conversion
- Detect an explicit type conversion, which could found a down-casting
- CentralizedState
centralized-state
- Detect function that has access control that can change contract's states
- InexplicitVariableVisibility
inexplicit-variable-visibility
- Detect states that does not explicitly decalre the visibility
- StrictEqualities
strict-equalities
- Detect the usage of strict-equalities on a sensitive value, e.g.,
balanceOf
.
- InspexExternalFunction
inspex-external-function
- The overrided version of
external-function
for extending the printing function
- InspexIncorrectSolc
inspex-solc-version
- The overrided version of
solc-version
for extending the printing function
- SelfInvocation
this-usage
- Detect the usage of
this
to call itself
- LoopSkip
loop-skip
- Detect loops that contains
return
,break
, orcontinue
.
- DirtyIterators
dirty-iterators
- Detect loops the iterator can be modified in multiple places
- UnsafeInitiate
unsafe-initiate
- Detect the
initialize()
function that does not safe
- StandardTokenCheck
common-standard-token
- Try guessing the standard that the contract trying to implement. If imple ment correctly, it should guess correctly.
- InspexTestingGuideChecklist
inspex-checklist
- Mapping the detector into our testing guide. And show the results according to the standard checklist.
- Please noted that the printer does not use every detector on Slither. For the best result, please use the printer with the results from every detectors.
- InspexTestingGuideChecklistCSV
inspex-checklist-csv
- Format the result from
inspex-checklist
into the CSV format.
- InspexTestingGuideChecklistXLS
inspex-checklist-xls
- Format the result from
inspex-checklist-csv
into the xlxs format.