Tools for Smart Contract Security Auditing – Part 3 of the Smart Contract Series
In the previous posts in this series, we discussed smart contracts and smart contract security.
Now, let’s take a look at how we can secure our smart contracts with the help of some tools. We will focus on contracts written in Solidity, the most widely used language for EVM-based chains, and on tools that either analyze the Solidity source directly or the EVM bytecode it compiles to.
Tool #1 – Slither
Slither is one of the primary tools used for smart contract security auditing. It is a static analysis framework from Trail of Bits that runs a suite of vulnerability detectors (reentrancy, unchecked low-level calls, shadowing, and many more) over your Solidity codebase and reports each finding with an impact and confidence level. Because it works on source without executing anything, it is fast enough to run on every commit. Let’s get started with this tool:
Step 1 – Installation
Requirements:
- Python 3.6 or greater
- Solc, the solidity compiler
The tool and related documentation can be found at https://github.com/crytic/slither.
The easiest way to install it is to run the following command on a system that has the above prerequisites installed:
pip3 install slither-analyzer
Another option is to clone the GitHub repository and install from the checkout:
git clone https://github.com/crytic/slither.git && cd slither
python3 setup.py install
With Slither, you can analyze either a single Solidity contract or an entire project directory, in which case all of the contracts it contains are analyzed.
Syntax:
- For a single contract:
slither <contract_name.sol>
- For the entire project:
cd project_directory
slither .
Slither will automatically detect the relevant files within the directory (including Hardhat, Foundry, Truffle and Brownie projects) and begin analyzing them.
Once you have Slither installed, you can start the scan and Slither will print its findings to the terminal, grouped by detector, each with a link to the offending lines and a reference describing the issue. Two practical notes: the solc version on your PATH must match the pragma of the contracts being analyzed (solc-select is the usual way to switch versions), and findings are raw detector output, so expect some false positives that need manual triage before they are reported to developers.
Tool #2 – Mythril
Mythril is another useful tool in our arsenal when it comes to smart contract security. Unlike Slither, it analyzes the compiled EVM bytecode of a contract rather than the source, using symbolic execution, SMT solving and taint analysis to find reachable vulnerable states. It works with Ethereum, Tron, Quorum and other blockchains which are EVM-compatible.
You can find Mythril over at https://github.com/ConsenSys/mythril
Requirements:
- Solc solidity compiler
- Python version 3.5 or greater
Installation:
You can install Mythril using python:
pip3 install mythril
A recommended alternative is to create a separate Python virtual environment for Mythril, since its dependencies (in particular the SMT solver bindings) tend to conflict with those of other tools.
Usage
In order to scan a smart contract using Mythril, the syntax is:
myth analyze <contract_filename>
Mythril will then analyze the smart contract for issues and report each one with its SWC identifier, severity and the transaction sequence that reaches it. Because it explores execution paths symbolically, it is considerably slower than Slither on large contracts; bounding the run with --execution-timeout is advisable when scanning a whole codebase.
Tool #3 – Manticore
Manticore is a symbolic execution tool from Trail of Bits that can be utilized for auditing smart contracts. It executes the contract with symbolic inputs, exploring the reachable states, and for each path it finds it writes out a concrete transaction sequence and a report of any detected issues.
It can be found at https://github.com/trailofbits/manticore
Requirements
- Python version 3.7 or greater
Installation
Manticore can also be installed with pip, as follows:
pip install manticore
Usage
To analyze a smart contract using Manticore, the syntax is as follows (the --contract option selects which contract to analyze when the file defines more than one):
manticore <filename.sol> --contract <Name of contract to be analyzed>
Tool #4 – Remix
While Remix is technically an IDE used for smart contract development in Solidity, it has a module which can be utilised to perform static analysis of the smart contract code, thus making it yet another important part of our toolkit.
Remix can be accessed from within the browser or installed locally. For now, we’ll be making use of the online instance.
To access it online, simply go to https://remix.ethereum.org.
In order to use the smart contract static analysis plugin, you need to activate it from the Plugin Manager in the left-hand sidebar:
Once you have finished writing your contract, you need to first compile it, and then you can run the static analysis plugin:
Once the plugin runs, it will display a list of the issues discovered in the left-hand side pane, along with a description of each issue and the line it was found on. The checks are lighter than Slither’s, so treat Remix as a quick first pass while writing code rather than as a substitute for a full audit.
Now that we have covered a few of our favorite tools for smart contract auditing, go ahead and try them out on your own!
Worried about attackers targeting your smart contracts? Contact us today to get your smart contracts audited for any security issues!
Anshul
Anshul is a cybersecurity analyst at DeTaSECURE. He has helped multiple organizations secure their digital assets as a security professional. He holds certifications like CEH and AZ-900. You can reach out to him by Clicking Here.