In the previous posts in this series, we discussed smart contracts and smart contract security.
Now, let’s take a look at how we can secure our smart contracts with the help of some tools. We’re going to be focusing on smart contracts written in Solidity, as that is the primary language when it comes to smart contract development.
Tool #1 – Slither
Slither is one of the primary tools used for smart contract security auditing. It performs static analysis of your Solidity codebase and reports the issues it detects. Let’s get started with this tool:
Step 1 – Installation
Prerequisites:
- Python 3.6 or greater
- Solc, the Solidity compiler
The tool and related documentation can be found at https://github.com/crytic/slither.
The easiest way to install it is to run the following command on a system which has the above prerequisites installed:
pip3 install slither-analyzer
Another option is to clone the GitHub repository and execute the setup script:
git clone https://github.com/crytic/slither.git && cd slither && python3 setup.py install
With Slither, you can analyze either a single Solidity smart contract, or run it within a project directory to analyze all of the smart contracts it contains.
- For a single contract, pass the path of the .sol file to slither.
- For an entire project:
cd project_directory
slither .
Slither will automatically detect all the relevant files within the directory and begin analyzing them.
Once you have slither installed, you can initiate the scanning process and slither will display the results, as shown here:
Tool #2 – Mythril
Mythril is another useful tool in our arsenal when it comes to smart contract security. This tool is used to look for security issues in the EVM bytecode for a contract. It works with Ethereum, Tron, Quorum and other blockchains which are EVM-compatible.
You can find Mythril over at https://github.com/ConsenSys/mythril
Prerequisites:
- Solc, the Solidity compiler
- Python version 3.5 or greater
You can install Mythril with pip:
pip3 install mythril
A recommended alternative is to create a separate virtual environment for this purpose:
In order to scan a smart contract using mythril, the syntax is:
myth analyze <contract_filename>
Mythril will then analyze the smart contract for issues and provide the results, as depicted here:
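Both Slither (the scan results above) and Mythril produce machine-readable reports as well as the console output shown, which is what you want when the scans run in CI rather than on a developer's screen. The following script is an added example, not part of the original post or of either tool: it builds the command lines for both tools, normalises their JSON reports into one list of findings, and decides whether the build should fail based on severity. It assumes the output layouts of `slither <target> --json -` (findings under `results.detectors`, each with `check`, `impact`, `description` and `elements`) and `myth analyze <file> -o json` (findings under `issues`, each with `title`, `severity`, `swc-id`, `filename` and `lineno`); the two sample reports embedded in the script are constructed so it runs offline, and the contract name, file path and line numbers in them are invented.

```python
"""Run Slither and Mythril with JSON output, merge their findings, and gate a
build on severity. Added example: not the original post's code, nor either tool's."""
import json
import subprocess
from dataclasses import dataclass
from typing import List

# Slither reports "impact", Mythril reports "severity"; both use these words.
SEVERITY_RANK = {"Informational": 0, "Optimization": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    check: str
    severity: str      # High / Medium / Low / Informational / Optimization
    location: str      # file:line
    description: str


def slither_argv(target: str) -> List[str]:
    """Slither on one .sol file or a project directory; '--json -' writes the report to stdout."""
    return ["slither", target, "--json", "-"]


def mythril_argv(contract_file: str) -> List[str]:
    """Mythril on one .sol file; '-o json' selects JSON output."""
    return ["myth", "analyze", contract_file, "-o", "json"]


def run_json(argv: List[str]) -> dict:
    """Run a tool and parse its JSON stdout (both tools exit non-zero when they find issues)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def parse_slither(report: dict) -> List[Finding]:
    """Assumed layout: results.detectors[] with check/impact/description/elements."""
    out = []
    for det in report.get("results", {}).get("detectors", []):
        loc = "?"
        for el in det.get("elements", []):          # first element with a source mapping
            sm = el.get("source_mapping") or {}
            if sm:
                lines = sm.get("lines") or ["?"]
                loc = f"{sm.get('filename_relative', '?')}:{lines[0]}"
                break
        out.append(Finding("slither", det["check"], det["impact"], loc, det.get("description", "").strip()))
    return out


def parse_mythril(report: dict) -> List[Finding]:
    """Assumed layout: issues[] with title/severity/swc-id/filename/lineno."""
    out = []
    for issue in report.get("issues", []):
        check = f"SWC-{issue.get('swc-id', '?')} {issue['title']}"
        loc = f"{issue.get('filename', '?')}:{issue.get('lineno', '?')}"
        out.append(Finding("mythril", check, issue["severity"], loc, issue.get("description", "").strip()))
    return out


def gate(findings: List[Finding], min_severity: str = "Medium") -> List[Finding]:
    """Return the findings that should block a merge: severity at or above the threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= threshold]


# Constructed sample reports so the script runs offline; they are not real tool output.
SLITHER_SAMPLE = json.loads("""{"success": true, "error": null, "results": {"detectors": [
 {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
  "description": "Reentrancy in Vault.withdraw() (contracts/Vault.sol#12-18)",
  "elements": [{"type": "function", "name": "withdraw",
   "source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [12, 13, 14]}}]},
 {"check": "solc-version", "impact": "Informational", "confidence": "High",
  "description": "Pragma version^0.8.0 allows old versions",
  "elements": [{"type": "pragma", "name": "^0.8.0",
   "source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [2]}}]}]}}""")

MYTHRIL_SAMPLE = json.loads("""{"success": true, "error": null, "issues": [
 {"title": "Unprotected Ether Withdrawal", "severity": "High", "swc-id": "105",
  "filename": "contracts/Vault.sol", "lineno": 14,
  "description": "Any sender can withdraw Ether from the contract account."},
 {"title": "Dependence on predictable environment variable", "severity": "Low", "swc-id": "116",
  "filename": "contracts/Vault.sol", "lineno": 25,
  "description": "A control flow decision is made based on block.timestamp."}]}""")


def sample_findings() -> List[Finding]:
    """Findings parsed from the constructed samples above."""
    return parse_slither(SLITHER_SAMPLE) + parse_mythril(MYTHRIL_SAMPLE)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # python triage.py contracts/Vault.sol  (needs both tools installed)
        target = sys.argv[1]
        findings = parse_slither(run_json(slither_argv(target))) + parse_mythril(run_json(mythril_argv(target)))
    else:
        findings = sample_findings()
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK.get(f.severity, 0)):
        print(f"[{f.severity:<13}] {f.tool:<8} {f.location:<24} {f.check}")
    blocking = gate(findings, "Medium")
    print(f"\n{len(blocking)} finding(s) at Medium or above")
    sys.exit(1 if blocking else 0)
```

Run it with a contract path to scan for real, or with no arguments to see the merged report for the samples. Gating on "Medium" rather than on any finding is deliberate: both tools emit informational and low-confidence results, and a pipeline that fails on every one of them gets ignored quickly; keep the full list in the job log and block only on what the team has agreed is unacceptable.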
Tool #3 – Manticore
Manticore is another tool that can be used for auditing smart contracts: it explores the possible execution states of a given contract and reports what it finds.
It can be found at https://github.com/trailofbits/manticore
Prerequisites:
- Python version 3.7 or greater
Manticore can also be installed with pip, as follows:
pip install manticore
To analyze a smart contract using manticore, the syntax is as follows:
manticore <filename.sol> --contract <Name of contract to be analyzed>
Tool #4 – Remix
While Remix is technically an IDE used for smart contract development in Solidity, it has a module which can be utilised to perform static analysis of the smart contract code, thus making it yet another important part of our toolkit.
Remix can be accessed from within the browser or installed locally. For now, we’ll be making use of the online instance.
To access it online, simply go to https://remix.ethereum.org.
In order to use the smart contract static analysis plugin, you need to activate it from the plugins tab:
Once you have finished writing your contract, you need to first compile it, and then you can run the static analysis plugin:
Once the plugin runs, it lists the issues it discovered in the left-hand pane, each with a description.
Now that we have covered a few of our favourite tools for smart contract auditing, go ahead and try them out on your own!
Worried about attackers targeting your smart contracts? Contact us today to get your smart contracts audited for any security issues!