DEV Community

0xFedev


5 Tools for Analysing the Security of Solidity Smart Contracts In 2022

In recent years we have seen the expansion of blockchain technology and a corresponding increase in job offers. Many programmers have ventured into this new field to learn these technologies, especially Solidity.
According to Google Trends, interest in Solidity has grown significantly, particularly in the most recent period. There are plenty of courses and tutorials on the fundamentals of this high-level language, but rarely any in-depth treatment of security.


What tools can we use to analyse Smart Contracts and check that they aren't subject to the most common bugs?

Let's look at the best open source tools that help us to analyse and secure our Smart Contracts.


Manticore

Manticore is a symbolic execution tool for smart contracts and native binaries, written in Python. It has more than 2.8k stars on GitHub and its last release was published on 17 February '22, which shows that it is still an active project.
With Manticore, we can:

  • execute a program with symbolic inputs and explore all the possible states it can reach;
  • automatically produce concrete inputs that result in a given program state;
  • detect crashes and other failure cases in binaries and smart contracts;
  • take fine-grained control of state exploration via event callbacks and instruction hooks.

Mythril

Mythril is an open-source component of MythX, written in Python, with more than 2.3k stars on GitHub; its last release was published on 23 March '20.
It uses symbolic execution, SMT solving and taint analysis to detect a range of security issues in smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.

Slither

Slither is a static analysis framework written in Python with more than 2.2k stars on GitHub; its last release was published on 21 April '22, which shows that it is still an active project.

The main features of this tool are:

  • Detects vulnerable Solidity code with low false positives
  • Identifies where the error condition occurs in the source code
  • Easily integrates into continuous integration and Truffle builds
  • Built-in 'printers' quickly report crucial contract information
  • Detector API to write custom analyses in Python
  • Ability to analyze contracts written with Solidity >= 0.4
  • Intermediate representation (SlithIR) enables simple, high-precision analyses
  • Correctly parses 99.9% of all public Solidity code
  • Average execution time of less than 1 second per contract

Echidna

Echidna is a fast smart contract fuzzer written in Haskell with more than 1.2k stars on GitHub; its last release was published on 4 April '22.

The main features of this tool are:

  • Generates inputs tailored to your actual code
  • Optional corpus collection, mutation and coverage guidance to find deeper bugs
  • Powered by Slither to extract useful information before the fuzzing campaign
  • Source code integration to identify which lines are covered after the fuzzing campaign
  • Curses-based retro UI, text-only or JSON output
  • Automatic testcase minimization for quick triage
  • Seamless integration into the development workflow
  • Maximum gas usage reporting of the fuzzing campaign
  • Support for a complex contract initialization with Etheno and Truffle
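To show what "generates inputs tailored to your actual code" means in practice, here is an added example of an Echidna property test (not code from the article or the Echidna project). The token, the planted flaw and the harness are constructed for the illustration; the sender addresses are Echidna's default accounts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed toy token, not from the article. transfer() carries a
// deliberately planted flaw: it never checks the sender's balance and runs in
// an unchecked block, so a zero-balance sender underflows to 2**256 - 1.
contract ToyToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    function transfer(address to, uint256 amount) external {
        unchecked {
            balanceOf[msg.sender] -= amount; // planted flaw: no balance check
            balanceOf[to] += amount;
        }
    }
}

// Echidna harness. Every public view function whose name starts with
// "echidna_" and returns bool is a property: Echidna calls the other public
// functions with generated arguments from its sender accounts and reports
// the (minimised) call sequence that makes a property return false.
contract ToyTokenTest is ToyToken {
    uint256 private constant INITIAL_SUPPLY = 1_000_000;

    // Echidna's default sender accounts. The constructor runs with
    // msg.sender = the default deployer (0x30000), so it holds the whole
    // supply when fuzzing starts.
    address private constant ALICE = address(0x10000);
    address private constant BOB = address(0x20000);
    address private constant DEPLOYER = address(0x30000);

    constructor() ToyToken(INITIAL_SUPPLY) {}

    // Expected to hold: nothing in ToyToken writes totalSupply after
    // construction, so this property passes for the whole campaign.
    function echidna_total_supply_constant() public view returns (bool) {
        return totalSupply == INITIAL_SUPPLY;
    }

    // Expected to fail: in a correct token no single balance can exceed the
    // total supply. ALICE or BOB calling transfer(anyone, 1) with a zero
    // balance underflows, and Echidna prints that one-call sequence.
    function echidna_no_balance_exceeds_supply() public view returns (bool) {
        return balanceOf[ALICE] <= totalSupply
            && balanceOf[BOB] <= totalSupply
            && balanceOf[DEPLOYER] <= totalSupply;
    }
}
```

Run it with the Echidna binary (`echidna-test` in the 2.0 releases cited above, `echidna` in later ones) pointed at the file with `--contract ToyTokenTest`. The harness has to be deployable with no constructor arguments, which is why the test contract wraps the token and fixes the initial supply itself; the Slither integration mentioned above is what lets Echidna learn the constants and argument types it uses to steer generation toward the interesting inputs.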

Oyente

Oyente is an analysis tool for smart contracts written in Python with more than 1k stars on GitHub, but its last release was published in October '17, so it is no longer an active project.

Conclusion

All of these tools are meant to help developers write safer smart contracts, but how do they actually perform?
We will find out in the next articles!

Thanks so much for reading and if you have any suggestions or just want to connect, feel free to contact/follow me on Twitter!

Discussion (1)

MetaPunk 🦙

Good info, the thought of getting a smart contract compromised is bloody awful, the consequences can be company ending