Slitherin by Pessimistic.io

Welcome! We are the pessimistic.io team, and in recent months we have been actively developing our own Slither detectors to help with code review and audit process. This repository contains everything you may require to work with them!

We increased the sensitivity of our detectors since they are quite straightforward and not written in the "original style." As a result, they produce FPs (False Positives) more frequently than original ones. So that, our detectors are a kind of automation of the checks implemented in the checklist, their main purpose is to look for issues and assist the code auditor.

Please let us know if you have discovered an issue/bug/vulnerability via our custom Slither detectors. You may contact us via opening a PR/Issue or directly, whichever is more convenient for you. If you have any further questions or suggestions, please join our Discord Server or Telegram chat! We hope to see you there, and we intend to support the community and its initiatives!

Repository Navigation

Table of Contents:

Section	Link
Docs	Docs for each detector
Slitherin	Detectors code
Tests	Test contracts for detectors
Utils	Auxiliary files
Issues	Suggest an idea
Installation Process	Step-by-Step guide
Detectors	Detectors table
Enhancements & New Detectors	Project Improvements

Installation Process

Using Git

To install Pessimistic Detectors:

1. Install the original Slither;
2. Clone our repository;
3. Run the following command in our repository folder to add new detectors to Slither:

python3 setup.py develop

Keep in mind that you don't have to reinstall the plugin after changes in the repository!

4. Dependencies must be installed in order to test the detectors on our test contracts:

npm install

Using Pip

1. Install the original Slither;
2. Install the pip package:

pip install slitherin

Using Pipx

1. Install the pip package:

pipx install slitherin

2. Add slitherin's bin to path:

echo -e "# Slitherin with pipx\nexport PATH=\"\$PATH:/home/$USER/.local/pipx/venvs/slitherin/bin\"\n" >> ~/.bashrc \
&& source ~/.bashrc

Usage

Slitherin-cli (Recommended)

Use Slitherin-cli to run detectors on a Hardhat/Foundry/Dapp/Brownie application. You have the following options:

• Run ONLY Slitherin detectors:

slitherin . --pess

• Run ONLY Slither detectors:

slitherin . --slither

• Run Slither detectors, then Slitherin detectors:

slitherin . --separated

• Run Arbitrum-specific Slitherin detectors:

slitherin . --arbitrum

Keep in mind that Slitherin-cli supports all Slither run options.

Slither

Slitherin detectors are included into original Slither after the installation. You can use Slither as usual.

Detectors Table

Detector Link	Docs & Setup	Test Contract	Valid* Issues
Unprotected Setter	Explore	Test	1
Unprotected Initialize	Explore	Test	0
TX Gasprice Warning	Explore	Test	0
UniswapV2 Integration	Explore	Test	0
Token Fallback	Explore	Test	0
Timelock Controller	Explore	Test	1
Strange Setter	Explore	Test	0
Read-only Reentrancy	Explore	Test	0
NFT Approve Warning	Explore	Test	0
Multiple Storage Read	Explore	Test	9
Magic Number	Explore	Test	3
Inconsistent Non-Reentrant	Explore	Test	0
Falsy Only EOA Modifier	Explore	Test	0
Missing Event Setter	Explore	Test	1
Dubious Typecast	Explore	Test	0
Double Entry Token Possibility	Explore	Test	0
Call Forward To Protected	Explore	Test	0
Before Token Transfer	Explore	Test	2
For Continue Increment	Explore	Test	0
AAVE Flasloan Callback	Explore	Test	0
Arbitrary Call	Explore	Test	0
Elliptic Curve Recover	Explore	Test	0
Public vs External	Explore	Test	0
Balancer Read-only Reentrancy	Explore	Test	0

Please note:

• *Valid - issues included in reports and fixed by developers (January 2023 - June 2023).

• There are two detectors which have several checks inside: pess-uni-v2 and arbitrary-call.

Enhancements & New Detectors

Here we indicate our updates, workflows and mark completed tasks and improvements!

You can add your own detector/idea/enhancement by opening the Issue at the following link.

Prior to adding a custom detector, ensure that:

1. In a documentation file, your detector is comprehensively described;
2. The detector test contract is presented and correctly compiles;
3. The detector code is presented and works properly.

Prior to adding an idea, ensure that:

1. Your concept or idea is well articulated;
2. A vulnerability example (or PoC) is provided;

Prior to adding an enhancement, ensure that:

1. Your enhancement does not make the base code worse;
2. Your enhancement is commented.

Detectors Backlog:

Acknowledgements

Our team would like to express our deepest gratitude to the Slither tool creators: Josselin Feist, Gustavo Grieco, and Alex Groce, as well as Crytic, Trail of Bits' blockchain security division, and all the people who believe in the original tool and its evolution!

Slitherin in mass media

• Week in Ethereum News
• Blockthreat
• Release article by officercia.eth
• Arbitrary Calls & New Slitherin Detector Release
• What’s up Slitherin?
• Defillama
• Essential Tools for Auditing Smart Contracts by Hexens
• ETH Belgrade talk
• Integrated into AuditWizard

Thank you!

It would be fantastic if you could bookmark, share, star, or fork this repository. Any attention will help us achieve our common goal of making Web3 a little bit safer than it was before: therefore, we require your support!

For our part, we'll do everything in our power to ensure that this project continues to grow successfully in terms of both code and technology as well as community and professional interaction! We sincerely hope you find our work useful and appreciate any feedback, so please do not hesitate to contact us!

---

Pessimistic delivers trusted security audits since 2017.
Require expert oversight of your safety?
Explore our services at pessimistic.io.