Tools for Smart Contract Security Auditing – Part 3 of the Smart Contract Series

In the previous posts in this series, we discussed smart contracts and smart contract security.

Now, let’s take a look at how we can secure our smart contracts with the help of some tools. We’re going to be focusing on smart contracts written in Solidity, as that is the primary language when it comes to smart contract development.

Tool #1 – Slither

Slither is one of the primary tools used for smart contract security auditing. It performs static analysis of your entire smart contract codebase, flagging known vulnerability patterns and code-quality issues. Let’s get started with this tool:

Step 1 – Installation

Requirements:

  • Python 3.6 or greater
  • solc, the Solidity compiler

The tool and related documentation can be found at https://github.com/crytic/slither.

The easiest way to install it is to run the following command on a system which has the above prerequisites installed:

pip3 install slither-analyzer

Another option is to download the github repository and execute the setup script:

git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install

With slither, you can either analyze a single Solidity smart contract or run it within a project directory to analyze all of the smart contracts it contains.

Syntax:

  • For single contract:
slither <contract_name.sol>
  • For entire project:
cd project_directory
slither .

Slither will automatically detect all the relevant files within the directory and begin the process of analyzing them.

Once you have slither installed, you can initiate the scanning process and slither will display the results, as shown here:

Tool #2 – Mythril

Mythril is another useful tool in our arsenal when it comes to smart contract security. It uses symbolic execution to look for security issues in a contract’s EVM bytecode. It works with Ethereum, Tron, Quorum and other blockchains which are EVM-compatible.

You can find Mythril over at https://github.com/ConsenSys/mythril.

Requirements:

  • solc, the Solidity compiler
  • Python version 3.5 or greater

Installation:

You can install mythril using python:

pip3 install mythril

A recommended alternative is to create a separate virtual environment (for example with python3 -m venv) and install mythril inside it, so that its dependencies do not conflict with other Python packages on the system.

Usage

In order to scan a smart contract using mythril, the syntax is:

myth analyze <contract_filename>

Mythril will then analyze the smart contract for issues and provide the results, as depicted here:
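Both Slither and Mythril can emit their reports as JSON, which is what you want when the scan runs in CI rather than on an analyst's screen. The following is an added example, not code from this post or from either project: a small gate that runs both tools on a contract, parses the JSON reports and fails the build when a finding reaches a chosen severity. It assumes the real `slither --json -` and `myth analyze -o json` flags, that the report field names match those tools' current JSON output, and that both tools are on PATH; the SAMPLE_* reports and the "Vault" contract they mention are constructed for the example.

```python
"""Added example (not from the original post or from Slither/Mythril):
a CI gate that parses the JSON reports of both tools and fails on findings
at or above a chosen severity.

Assumptions: `slither <path> --json -` prints the report as JSON to stdout
and `myth analyze <path> -o json` does the same; field names follow the
tools' JSON format. The sample reports below are constructed, not captured.
"""
import json
import subprocess
import sys

# One severity ladder for both tools (Slither calls the field "impact",
# Mythril calls it "severity"); a higher index means more serious.
SEVERITY_ORDER = ["Informational", "Optimization", "Low", "Medium", "High"]


def severity_rank(level: str) -> int:
    """Position of a severity label on the ladder; unknown labels rank lowest."""
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else 0


def slither_findings(report_text: str, min_impact: str = "Medium") -> list:
    """(check, impact, confidence, first description line) for every Slither
    detector result whose impact is at or above `min_impact`."""
    report = json.loads(report_text)
    if not report.get("success", False):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    findings = []
    for result in report.get("results", {}).get("detectors", []):
        if severity_rank(result["impact"]) >= severity_rank(min_impact):
            summary = result["description"].strip().splitlines()[0]
            findings.append((result["check"], result["impact"],
                             result["confidence"], summary))
    return findings


def mythril_findings(report_text: str, min_severity: str = "Medium") -> list:
    """(swc_id, severity, contract, function, title) for every Mythril issue
    whose severity is at or above `min_severity`."""
    report = json.loads(report_text)
    if not report.get("success", False):
        raise RuntimeError(f"mythril failed: {report.get('error')}")
    findings = []
    for issue in report.get("issues", []):
        if severity_rank(issue["severity"]) >= severity_rank(min_severity):
            findings.append((issue.get("swc-id"), issue["severity"],
                             issue.get("contract"), issue.get("function"),
                             issue["title"]))
    return findings


def run_tool(argv: list) -> str:
    """Run a tool and return its stdout. Both tools exit non-zero when they
    report findings, so the exit code alone is not a usable pass/fail signal;
    we parse the JSON instead and only treat empty output as a tool failure."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"{argv[0]} produced no output: {proc.stderr}")
    return proc.stdout


def gate(contract_path: str, min_level: str = "Medium") -> int:
    """Scan one contract with both tools; return 0 if clean, 1 otherwise."""
    slither = slither_findings(
        run_tool(["slither", contract_path, "--json", "-"]), min_level)
    mythril = mythril_findings(
        run_tool(["myth", "analyze", contract_path, "-o", "json"]), min_level)
    for finding in slither:
        print("slither:", *finding)
    for finding in mythril:
        print("mythril:", *finding)
    return 1 if (slither or mythril) else 0


# Constructed sample reports (shape only; not real tool output).
SAMPLE_SLITHER = json.dumps({"success": True, "error": None, "results": {
    "detectors": [
        {"check": "uninitialized-state", "impact": "High", "confidence": "High",
         "description": "Vault.owner (Vault.sol#5) is never initialized.\n"
                        "\tIt is used in: Vault.withdraw()", "elements": []},
        {"check": "unused-state", "impact": "Informational", "confidence": "High",
         "description": "Vault.unused (Vault.sol#7) is never used.", "elements": []},
    ]}})
SAMPLE_MYTHRIL = json.dumps({"success": True, "error": None, "issues": [
    {"swc-id": "105", "severity": "High", "contract": "Vault",
     "function": "withdraw(uint256)", "title": "Unprotected Ether Withdrawal",
     "description": "Any sender can withdraw Ether from the contract."},
    {"swc-id": "103", "severity": "Low", "contract": "Vault",
     "function": None, "title": "Floating pragma",
     "description": "The compiler version is not pinned."},
]})

if __name__ == "__main__":
    # usage: python gate.py <contract.sol> [Medium|High|...]
    sys.exit(gate(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "Medium"))
```

Gating on the parsed report rather than the exit code matters: both tools exit non-zero when they merely report something, so a naive `set -e` pipeline would fail on an Informational note. Filtering by impact lets a team start with a High-only gate and tighten it as the backlog shrinks.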

Tool #3 – Manticore

Manticore is a symbolic execution tool that can be utilised for auditing smart contracts: it explores the possible execution states of the given smart contract and displays the results.

It can be found at https://github.com/trailofbits/manticore

Requirements

  • Python version 3.7 or greater

Installation

Manticore can also be installed with pip, as follows:

pip install manticore

Usage

To analyze a smart contract using manticore, the syntax is as follows:

manticore <filename.sol> --contract <Name of contract to be analyzed>

Tool #4 – Remix

While Remix is technically an IDE used for smart contract development in Solidity, it has a module which can be utilised to perform static analysis of the smart contract code, thus making it yet another important part of our toolkit.

Remix can be accessed from within the browser or installed locally. For now, we’ll be making use of the online instance.

To access it online, simply go to https://remix.ethereum.org.

In order to use the smart contract static analysis plugin, you need to activate it from the plugins tab:

Once you have finished writing your contract, you need to first compile it, and then you can run the static analysis plugin:

Once the plugin runs, it will display a list of the issues discovered in the left-hand pane, along with a description of each issue it finds.

Now that we have covered a few of our favourite tools for smart contract auditing, go ahead and try them out on your own!

Worried about attackers targeting your smart contracts? Contact us today to get your smart contracts audited for any security issues!

Anshul

Anshul is a cybersecurity analyst at DeTaSECURE. He has helped multiple organizations secure their digital assets as a security professional. He holds certifications like CEH and AZ-900. You can reach out to him on LinkedIn.
