KRIISHSHARMA/solidity-security-audit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Setting Up ENV

Install Docker on the OS (Debian-based)

DOCKER

Security Audits for Solidity

  • Solgraph : docker pull devopstestlab/solgraph
  • Surya: npm install -g surya
  • Slither : docker pull trailofbits/eth-security-toolbox
  • Mythril : docker pull mythril/myth
  • Create a directory: mkdir data
  • Create a Solidity file, e.g. MyContract.sol
  • Run solgraph:
docker run -it --rm -v $PWD:/data devopstestlab/solgraph
  • After it has run successfully
  • Go to the data directory and open the generated image to see the untrusted elements


  • Pull Docker Image for slither : docker pull trailofbits/eth-security-toolbox
  • Run it : docker run -it --rm -v $PWD:/data trailofbits/eth-security-toolbox


  • Now open another terminal
  • Go to the root directory of the contract file (in my case data)
  • Use sudo docker container ls to find the container ID
  • This lists the container ID, image, and other details of the running container. We need the container ID in the next command.
  • Now copy the .sol file into the container:
sudo docker cp <path to solidity (flattened) file> <container-id>:/<container file path>

Or

sudo docker cp $(pwd)/filename.sol <container-id>:/home/ethsec
  • The command has three components:

i. the Solidity contract file path

ii. the container ID (from the previous command)

iii. the container file path (in the first terminal, run pwd to get the container's current directory)

  • This command copies the contract file into the container environment so that we can run Slither commands on it.

  • Go to the first terminal where the container environment is running. And, write the command:

slither filename.sol


  • The second command we will run is:
slither-check-erc filename.sol <contract name in code>


  • This command is for smart contracts that inherit ERC features: it checks all the 'must-have' elements that an ERC token should have.
  • reference
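The two-terminal procedure above (find the container ID, docker cp the file in, run slither and slither-check-erc) collapsed into one script, as an added example that is not part of this repository. It assumes the toolbox container was started as shown (image trailofbits/eth-security-toolbox, whose shell starts in /home/ethsec) and that the standard docker CLI (container ls --filter ancestor=..., cp, exec) is on PATH. Note that because the container was started with -v $PWD:/data, a contract in the host's data directory is already visible inside it under /data, so the copy is only needed when the file lives elsewhere.

```python
"""Automate the 'find container ID -> docker cp -> slither' steps.

Added example, not code from this repository. Assumes the toolbox container
was started as in the README (image trailofbits/eth-security-toolbox, shell
starting in /home/ethsec) and that the docker CLI is on PATH.
"""
import argparse
import shlex
import subprocess
from pathlib import Path

TOOLBOX_IMAGE = "trailofbits/eth-security-toolbox"
CONTAINER_WORKDIR = "/home/ethsec"  # what `pwd` prints inside the container (README)


def find_container_id(image=TOOLBOX_IMAGE, runner=subprocess.run):
    """Replaces reading `sudo docker container ls` by eye: ask Docker for the
    IDs of running containers created from the toolbox image."""
    proc = runner(
        ["docker", "container", "ls", "-q", "--filter", f"ancestor={image}"],
        capture_output=True, text=True, check=True,
    )
    ids = proc.stdout.split()
    if len(ids) != 1:
        raise RuntimeError(f"expected one running {image} container, found {len(ids)}")
    return ids[0]


def build_commands(contract_path, container_id, erc_contract=None, workdir=CONTAINER_WORKDIR):
    """Build the docker cp / docker exec command lines for one contract file.

    Returns argv lists so they can be inspected (or tested) without Docker."""
    src = Path(contract_path)
    dest = f"{workdir}/{src.name}"  # container file path, as in the README
    cmds = [
        ["docker", "cp", str(src), f"{container_id}:{dest}"],  # step: copy the file in
        ["docker", "exec", container_id, "slither", dest],     # step: slither filename.sol
    ]
    if erc_contract:  # step: slither-check-erc filename.sol <contract name>
        cmds.append(["docker", "exec", container_id, "slither-check-erc", dest, erc_contract])
    return cmds


def run_audit(contract_path, erc_contract=None, dry_run=False, runner=subprocess.run):
    """Resolve the container, then copy and analyse; with dry_run only print the commands."""
    cid = "<container-id>" if dry_run else find_container_id(runner=runner)
    cmds = build_commands(contract_path, cid, erc_contract)
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            runner(cmd, check=False)  # slither's exit status reflects its findings; keep going
    return cmds


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="copy a contract into the toolbox container and run slither")
    ap.add_argument("contract", help="path to the (flattened) .sol file on the host")
    ap.add_argument("--erc", default=None, help="contract name for slither-check-erc")
    ap.add_argument("--dry-run", action="store_true", help="print the docker commands only")
    args = ap.parse_args()
    run_audit(args.contract, args.erc, args.dry_run)
```

Run it as `python3 slither_in_container.py data/MyContract.sol --erc MyToken --dry-run` first to see the exact docker commands it would issue, then without --dry-run against the running container. The runner argument exists so the container lookup can be exercised without Docker present.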

  • Pull the latest release of mythril/myth

docker pull mythril/myth
docker run mythril/myth disassemble -c "0x6060"
  • Make a directory to contain the Solidity contract
  • cd <dir name>
  • To pass a file from your host machine to the dockerized Mythril, you must mount its containing folder to the container properly. For contract.sol in the current working directory, do:
docker run -v $(pwd):/tmp mythril/myth analyze /tmp/contract.sol


  • github
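Both Slither (above) and Mythril can write their findings as JSON (slither MyContract.sol --json slither.json; myth analyze -o json /tmp/contract.sol > mythril.json), which is easier to act on than reading the screenshots. The script below, an added example that is not part of this repository or of either tool, normalises both reports into one severity-ranked list and returns a CI verdict: fail when anything at or above a threshold is present. The field names it reads (Slither: results.detectors[].check/impact/confidence/description; Mythril: issues[].title/severity/swc-id) are my understanding of the tools' JSON reports, and the two embedded reports are constructed samples, not real tool output.

```python
"""Triage Slither and Mythril JSON reports into one ranked list with a CI gate.

Added example, not code from this repository or from either tool. Field names
follow the tools' JSON output as I know it; both samples are constructed.
"""
import json
from collections import Counter

# Slither impact levels are High/Medium/Low/Informational/Optimization;
# Mythril severities are High/Medium/Low. One ranking covers both.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Optimization": 0}

SLITHER_SAMPLE = json.dumps({  # constructed, shaped like `slither --json` output
    "success": True, "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in MyContract.withdraw(): state written after external call\n"},
        {"check": "unchecked-lowlevel", "impact": "Medium", "confidence": "Medium",
         "description": "MyContract.forward() ignores the return value of a low-level call\n"},
        {"check": "solc-version", "impact": "Informational", "confidence": "High",
         "description": "Pragma version allows old compilers\n"},
    ]},
})

MYTHRIL_SAMPLE = json.dumps({  # constructed, shaped like `myth analyze -o json` output
    "success": True, "error": None,
    "issues": [
        {"title": "State access after external call", "severity": "Medium", "swc-id": "107",
         "contract": "MyContract", "function": "withdraw()", "lineno": 42,
         "description": "The contract modifies state after an external call."},
        {"title": "Dependence on predictable environment variable", "severity": "Low", "swc-id": "120",
         "contract": "MyContract", "function": "roll()", "lineno": 60,
         "description": "block.number is used as a source of randomness."},
    ],
})


def load_slither(text):
    """Normalise a Slither JSON report into {tool, id, severity, confidence, description} dicts."""
    doc = json.loads(text)
    if not doc.get("success"):
        raise ValueError(f"slither run failed: {doc.get('error')}")
    return [
        {"tool": "slither", "id": d["check"], "severity": d["impact"],
         "confidence": d.get("confidence", ""), "description": d["description"].strip()}
        for d in doc["results"]["detectors"]
    ]


def load_mythril(text):
    """Normalise a Mythril JSON report; the SWC ID becomes the finding identifier."""
    doc = json.loads(text)
    if not doc.get("success"):
        raise ValueError(f"mythril run failed: {doc.get('error')}")
    return [
        {"tool": "mythril", "id": f"SWC-{i['swc-id']}", "severity": i["severity"],
         "confidence": "", "description": f"{i['title']} in {i.get('function', '?')}"}
        for i in doc["issues"]
    ]


def summarize(findings):
    """Count findings per severity level."""
    return Counter(f["severity"] for f in findings)


def worst_rank(findings):
    """Highest severity rank present, or -1 for an empty list."""
    return max((SEVERITY_RANK.get(f["severity"], 0) for f in findings), default=-1)


def should_fail(findings, threshold="High"):
    """CI gate: True when any finding is at or above the threshold severity."""
    return worst_rank(findings) >= SEVERITY_RANK[threshold]


def report(findings):
    """Human-readable table, worst first."""
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return "\n".join(
        f"{f['severity']:<13} {f['tool']:<8} {f['id']:<20} {f['description']}" for f in ordered
    )


if __name__ == "__main__":
    all_findings = load_slither(SLITHER_SAMPLE) + load_mythril(MYTHRIL_SAMPLE)
    print(report(all_findings))
    print("summary:", dict(summarize(all_findings)))
    raise SystemExit(1 if should_fail(all_findings) else 0)
```

In a pipeline, replace the two sample strings with the contents of the JSON files the tools wrote and pick the threshold for the gate; the exit status then blocks a merge on High findings while Low and Informational items are still listed in the report.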

  • Dependencies:

    1. npm
    2. graphviz (for graph): sudo apt install graphviz
  • Install Surya: npm install -g surya

  • mkdir contracts

  • Write a simple solidity Contract

graph : The graph command outputs a DOT-formatted graph of the control flow.

surya graph contracts/**/*.sol | dot -Tpng > MyContract.png

(image: MyContract.png, the generated control-flow graph)

flatten : The flatten command outputs a flattened version of the source code, with all import statements replaced by the corresponding source code. Import statements that reference a file that has already been imported, will simply be commented out.

surya flatten MyContract.sol

Parse : The parse command outputs a treefied AST object coming from the parser.

  • -j/--json - Return a JSON object instead of a treefied object.
surya parse MyContract.sol

(screenshot of the surya parse output)

mdreport : The mdreport command creates a Markdown description report with tables comprising information about the system's files, contracts and their functions. Much like describe but outputting to a nicely formatted Markdown file.

  • See the surya folder in this repository
surya mdreport report_outfile.md MyContract.sol
