Add support for Vyper

[dguido]

SlithIR is flexible enough that we should be able to support Vyper with few modifications. This will require investigating how Vyper produces their AST and providing for some translation into SlithIR. SlithIR may need modification in the process to support the unique features of Vyper's AST.

[montyly]

https://github.com/trailofbits/slither/tree/dev-vyper

(not usable for now)

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 9.3 ETH (1042.09 USD @ $112.05/ETH) attached to it as part of the Trail of Bits fund.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $37,468.46 more funded OSS Work available on the Gitcoin Issue Explorer

[dguido]

Hey @mestorlx, thanks for applying to work on this bounty! Can you provide a little bit more detail before you start? Thanks!

[mestorlx]

Hi @dguido As I understand vyper is intended to be "simpler" than solidity and since its made by the same team I guess both AST should be really similar. Comparing the structures of both AST it will be possible to analyze the required changes in the code that generates the SlithIR to deal with the differences. But the idea would be to use vyper tools to get the AST and pass it to slither current tools (with minor modifications hopefully) to get the vyper SlithIR. Then the analysis would have to take into account vyper simplifications in the analysis for instance no inheritance, etc.
Hope that clarifies my approach

[montyly]

Some comments/recommendations:

On the branch dev-vyper I created https://github.com/trailofbits/slither/blob/dev-vyper/slither/vyper_parsing/slither_vyper.py

So you can directly give a vyper contract from the command line:

$ slither examples/printers/vyper_erc20.py 
INFO:VyperParsing:Vyper parsing is not working yet examples/printers/vyper_erc20.py

I think we can directly import the python ast module to parse the file, I would recommend to not mix the ast from Solidity and the one from Vyper.

SlitherVyper inherits from https://github.com/trailofbits/slither/blob/dev-vyper/slither/core/slither_core.py. I think the first steps that need to be done are:

• Translate the vyper contract to a core.Contract instance
• Translate the vyper functions to core.Function instead
• Recover the nodes of the CFG of each function (see core.cfg.Node)

Once this is done and we can list the contract/functions/nodes from a contract, we can start looking at how to represent vyper expressions in slither, and then convert the vyper expressions to slithIR

This work may require to change some attributes in the core modules, @evgeniuz feel free to ask here or contact me on empire hacking slack if you have any questions.

[gitcoinbot]

@evgeniuz Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

@evgeniuz Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

@evgeniuz Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[evgeniuz]

I've started implementation using plan from #39 (comment), i. e. start by filling structure (contract/functions) and then proceed with transforming vyper expressions to slithIR expressions. Will submit PR when some basic contract/function parsing is in place.

[gitcoinbot]

@evgeniuz Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

@evgeniuz Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

@evgeniuz due to inactivity, we have escalated this issue to Gitcoin's moderation team. Let us know if you believe this has been done in error!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

@evgeniuz due to inactivity, we have escalated this issue to Gitcoin's moderation team. Let us know if you believe this has been done in error!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[evgeniuz]

I'm going to take myself off this bounty, as I have quite a bit of work at the end of the year. I probably won't be able to spend time on this for about two weeks or so. If no one else handles this till then I can continue. Sorry for not doing it earlier :(

[mihairaulea]

Hey @montyly , i am going to write some unit tests for the final implementation. If we agree on them, i can start working on this. Happy New Year!

[mihairaulea]

@dguido @montyly do you still want this? should i start work on it? i would like to start by building a scaffold for this, using abstract classes and interfaces, and write the unit tests that the final implementation should pass. i have worked with ASTs in both Java and Javascript, and i have a contribution to Slither, so i understand what the project does.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work has been started.

These users each claimed they can complete the work by 5 days, 17 hours ago.
Please review their action plans below:

1) mihairaulea has applied to start work (Funders only: approve worker | reject worker).

Placeholder, wrote in a previous message

Learn more on the Gitcoin Issue Details page.

2) sriharikapu has applied to start work (Funders only: approve worker | reject worker).

Hi Team,

This is interesting. I would like to help you with AST part.
Can I know more details so that I can plan my deliverables?

Best regards
Srihari Kapu

Learn more on the Gitcoin Issue Details page.

3) leonprou has been approved to start work.

Would like to apply for the bounty. My plan is stated here: #39 (comment)

Learn more on the Gitcoin Issue Details page.

[montyly]

Yes @mihairaulea, we are still interested to integrate Vyper into slither, and the bounty is still valide!

I have update the dev-vyper branch to be up to date with dev.
Feel free to contact me on empire hacking slack if you have any question

[mihairaulea]

Cool, @montyly, thanks for the update! If you would approve me, i will start right away. Won't bother you until i have the scaffolding in place :D

[montyly]

Hi @mihairaulea, thanks for your interest!

I just had a discussion with the Vyper devs team; they are going to create a specific AST output, containing enhanced information than the classic python ast module will not provide (ex: with the vyper type information). See vyperlang/vyper#1179 (comment)

I am putting this work on hold until we have a first poc of their new AST

[mihairaulea]

@montyly i have offered to help the Vyper team, as well. I think we should start outlining the structure of how this would work in Slither, regardless. How long do you think it will take for the Vyper team to finish this?

[montyly]

Great @mihairaulea!

I am trying to see how we could best help the vyper team to export their code in a standard format, that would be usable by Slither (see the discussion)

In term of Slither integration, we could follow the steps outlined in #39 (comment), but using the vyper_to_json output instead of the ast module.

[leonprou]

Any updates with that bounty? Would like to take a part.

[montyly]

Unfortunately, I haven't heard from @mihairaulea for several weeks and he does not seem to have started on it.

The bounty is still open.

@leonprou can you apply and detail your plan? Do you have any experience with similar work? Thanks!

Feel free to join our slack (#ethereum) if you have any question.

[leonprou]

@montyly Hey. I'm a Dapp/Solidity Developer that mostly I'm doing web3 work and smart contracts sometimes. Interested in security, fluent with python. I Want to take this bounty to learn more about Vyper and language processing techniques 😏.

I'm reading the code of slither to understand the job better. For now I see two objectives:

• Separate slither from Solidity to work with other languages/AST's. I guess there should be a module vyper_parsing like solc_parsing. I see that what you did in vyper_dev branch)
• Make a contribution to Vyper so Vyper can produce an AST that Slither can use.

The best way to proceed for me is by making some code backbone and adding features to it. So I suggest a process of work that looks like:

• Create a Vyper parser for Slither that works for a small part of the language.
• Make Vyper to produce this sub language (you had some ideas in the vyper task).
• Make some analyzers work
• Go to step 1 by extending the current work).

[montyly]

Sounds good @leonprou! Can you apply to gitcoin, so we can approve you?

I would recommend following the steps highlighted in #39 (comment) and joining our slack for any questions.

Please also update your progress here, even if it's partially working, so we can help you as best as possible.

[gitcoinbot]

@leonprou Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[leonprou]

I'm on that. For now I did a basic AST output to JSON for vyper contracts. My fork is here.

Now figuring out how to feed it to slither.

[gitcoinbot]

@leonprou Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[leonprou]

@gitcoinbot @montyly As gitcoin bot asking I created a WIP #191.

I did a basic parsing of functions, variables and events and even getting some warnings from the detectors, it's still a WIP so many stuff is ad-hoc. I'm using my local Vyper version so if I want to test this please coordinate with me.

During the work I've found that many needed functionality is already exists in the GlobalContext of vyper. Because both the projects are written in Python it was really easy to use the vyper modules in my code. I'm not sure how good this is approach cause this makes slither vulnerable vyper's code changes. Bot for now this approach allows to go fast with the develoment.

[gitcoinbot]

@leonprou Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

@leonprou Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

@leonprou due to inactivity, we have escalated this issue to Gitcoin's moderation team. Let us know if you believe this has been done in error!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[montyly]

For gitcoin moderators: @leonprou is working on the issue (#191).

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

@leonprou due to inactivity, we have escalated this issue to Gitcoin's moderation team. Let us know if you believe this has been done in error!

• reminder (3 days)
• escalation to mods (6 days)

Funders only: Snooze warnings for 1 day | 3 days | 5 days | 10 days | 100 days

[0xalpharush]

Vyper support has been added