Dervoo/SolidityAuditToolsSecurity

Security commands:

Run Slither -> npm run slither

Run Smartcheck -> npx smartcheck -p ./contracts

https://github.com/smartdec/smartcheck/tree/master/rule_descriptions

Verifying on Etherscan:

-> Fill env/secret.json with your private data
-> Deploy contract: npx hardhat run --network <network_name> scripts/<file_name>.js
-> Verify deployed contract: npx hardhat verify --network <network_name> <contract_address> <constructor_arguments>

https://goerli.etherscan.io/address/0x00d8b563854d24BCD2f03164b6Fe8d5eBEb24026#code

Mainnet Fork:

-> Create a script in the scripts folder with the functionality you want to exercise
-> Run a node that forks mainnet: npx hardhat node --fork <mainnet_url>
-> Run the script: node scripts/<name_of_script>.js (in a new terminal; DO NOT CLOSE the node)

Gas Reporter:

-> Create tests for your contract functions that you are interested in
-> Set the CoinMarketCap API key in the gas reporter setup in hardhat.config.js and run npx hardhat test
-> Get your report inside the repository called gas-report.txt

Solidity Coverage:

-> Create tests to reach the coverage percentage you want
-> Run npm run coverage to get the outputs and results

Mythril:

-> pip3 install mythril
-> myth analyze contracts/<contract_name>.sol (by default Mythril analyses for 24 hours; to make it faster add --execution-timeout <seconds>)
-> if you use the @openzeppelin library you have to create a JSON file with the remapping path (see the example remapping.json in the home directory of the repository) and then run: myth analyze contracts/<contract_name>.sol --solc-json remapping.json --execution-timeout <seconds>
-> at the end it prints the issues found; if there are none it prints "No issues were detected."

Solidity Visual Developer:

-> Install Solidity Visual Developer extension
-> ctrl + shift + p -> type Surya and choose option

Sourcify and MythX can also be used via the Remix IDE

Solhint: (you can set the parameters in solhint.json to control the contract's format and behaviour)

-> npx solhint 'contracts/**/*.sol' -> checks all files
-> npx solhint contracts/File_Name.sol -> checks specific file

Manticore: (it takes a lot of time to produce the report)

-> pip install manticore
-> manticore . --contract <contract_name>

https://github.com/trailofbits/manticore/issues/1382
https://github.com/trailofbits/manticore/issues/705
https://github.com/trailofbits/manticore/pull/712

Vertigo: (takes a few minutes)

-> pip3 install --user eth-vertigo
-> vertigo run --hardhat-parallel <number_of_networks_to_check>
!!! IMPORTANT !!! -> before running vertigo, comment out nearly all of the requires in the hardhat config, except hardhat-waffle and hardhat-ethers !!!

Octopus:

-> pip3 install octopus
-> WIP
https://github.com/FuzzingLabs/octopus

Example reports can be found in example_raports

In addition, create a Forta listener in OpenZeppelin Defender with the notification channel of your choice to get all information about suspicious behaviour.