Releases: crytic/slither
v0.6.2
0.6.2 - 2019-03-05
This release brings Embark native support, fixes several bugs, and improves slither-check-upgradeability
.
Added
- Embark support (see the documentation) (#196)
- Support for Solidity
selector
keyword (605ea7f) --truffle-build-directory
flag to support custom build directory (#187)
Changed
- Rename
slither-check-upgradability
toslither-check-upgradeability
(bffa59f) --ignore-truffle-compile
flag renamed to--truffle-ignore-compile
- Improve
slither-check-upgradeability
output and documentation. - API changed: Add framework detection within
Slither
object; the caller does not need to check for native/truffle/embark (ee1b4c2)
Fixed
v0.6.1
0.6.1 - 2019-03-04
This release brings a new utility: slither-find-paths
to review complex codebase, adds a new check to slither-check-upgradability
, and fixes minor bugs.
Added
slither-find-paths
: Utility to review complex contracts (see the Finding Paths Utility Documentation)slither-check-upgradability
: Add checks on correct contract's initialization #182- Improve Windows support #179
Changed
- Calls in loop detector: remove duplicate results ( 39500c0)
- Call graph printer: export functions individually (833e390)
- API changed: make GENERIC_TAINT optional on
is_tainted
call #181
Fixed
v0.6.0
0.6.0 - 2019-02-15
This release adds 3 new detectors, 5 new printers, improves the overall usability of Slither, and introduces a new tool: slither-check-upgradability
to help to review upradable contracts. User and developer documentation has dramatically improved. This release brings also several bugfixes, API enhancements and lowers the rate of false positives for several detectors.
Thanks to our external contributors @cty12, @mrice32 and @ptare for their numerous bug reports.
Added
- Detectors:
erc20-interface
: Incorrect ERC20 interfaceserc20-indexed
: Un-indexed ERC20 event parametersdeprecated-standards
: Deprecated Solidity Standards
- Printers:
data-dependency
: Print the data dependencies of the variablesfunction-id
: Print the keccack256 signature of the functionsmodifiers
: Print the modifiers called by each functionrequire
: Print the require and assert calls of each functionvariable-order
: Print the storage order of the state variables
- Command line usage:
--ignore-truffle-compile
: do not runtruffle compile
--disable-color
: disable output colorization--triage-mode
: run slither in its triage mode. For every finding, Slither will ask if the result should be shown for the next run.--filter-paths
: exclude all the results that are only related to the given paths.- Configuration file: Slither options can be configured through a JSON file. See the documentation
slither-check-upgradability
: Utility to help reviewing upgradable contracts- Dependency: require
pysha3>=1.0.2
Changed:
- Reduce the false alarms rates of:
- Improve Truffle integration: Slither will automatically switch to the truffle version provided in
package.json
(#154) - Improve SSA conversion: Use of an interprocedural sensitive analysis (follow parameters) (#156 (comment))
- Improve data dependency: Compute a fix-point on function context (#171)
- Improve inheritance printer output (#162, #166)
- Add support of
staticall
(#152)
Fixed
- Several minors bugs, including:
v0.5.2
0.5.2 - 2019-01-31
This release improves performance, fixes minor bugs, and simplifies the generation of our documentation.
Added
- Add a vulnerability description to all the detectors, then use that to auto-generate the wiki documentation.
Changed
- Improve the reentrancy heuristics: the reentrancy information is computed only one time, and its information is shared across all the reentrancy variants.
- Use a cache system for the
function.all_*
properties - Re-add the
Length
SlithIR operator (ed7afe0)
Fixed
- Incorrect read information in case of ReferenceVariable (1cdc34e)
v0.5.1
0.5.1 - 2019-01-25
This release fixes minor bugs and adds support for a handful of missing operations.
We gave a presentation about Slither during our last office hours. We discussed the framework, how it works and its future evolution. The video is available here.
Added
- Support for constructors declared as a modifier and in the contract's definition (
contract B is A(10){
) (#132) - Support for
gas
andvalue
in dynamic function calls (#132) - Support for ternary conversions in modifiers (#140)
- Support for hexadecimal in subdenominations (#147)
- Support for user-defined types in functions (#136)
- Support for indexed information in events (c032328)
Fixed
v0.5.0
0.5.0 - 2019-01-14
This release adds support for static single assignment (SSA) to SlithIR for both local and state variables. The use of SSA facilitates the tracking data dependencies and will enable more precise detectors. There are three new detectors: incorrect-equality
, shadowing-builtin
, shadowing-local
, and one new printer: cfg
. Detection of reentrancy was improved and now has three levels of severity. This release also includes bugfixes and lowers the rate of false positives for several detectors.
Thanks to our external contributors @mrice32 and @ptare for their numerous bug reports.
Added
- Detectors:
incorrect-equality
: Dangerous strict equalities, such asthis.balance == 0 ether
.shadowing-builtin
: Shadowing of builtin symbolsshadowing-local
: Local variables shadowing the contract's elements
- SSA on SlithIR:
- Add
Phi
operator - Add
LocalIRVariable
andStateIRVariable
(they contain the SSA index) - Follow Cooper, Harvey, Kennedy to compute minimal SSA
- Add additional
Phi
operators at function entrance and after external calls to handle state variables
- Add
- Alias Analysis to track storage references
- Integrate alias analysis info into the SSA engine for precise SSA construction (note there is a limitation: alias analysis is not yet interprocedural and has no support for functions returning a storage reference)
- Add new printer:
cfg
, which exports the CFG of each function (8452b32) - Add dominators information
- List of dominator nodes
- Dominator tree
- Dominance frontier
Changed
- The
reentrancy
detector is split into three variants to facilitate the triage of results:reentrancy-eth
: theft of ether and read before writing (high severity)reentrancy-no-eth
: no theft of ether and read before writing (medium severity)reentrancy-benign
: no read before writing (low severity)
- The data dependency is now computed using the SSA
- Multiple new contract and function helpers (b549a3e, 57a0918, a704635)
- Improve subdenomination support (
ether
,wei
,days
, ..) bdca730 - Lower false positive for several detectors:
Bugfixes
v0.4.0
0.4.0 - 2018-12-14
This release brings 4 new detectors, improves the support for Solidity >=0.5, and fixes several minor issues.
Thanks to our external contributors!
@adamhos
@mattaereal
@mihairaulea
Added
- New detectors:
shadowing-state
: Detect state variables shadowedshadowing-abstrac
t: Detect state variables shadowed from abstract contractstimestamp
: Detect dangerous usage ofblock.timestamp
calls-loop
: Detect dangerous calls inside a loop
--trufle-version version
flag: Allow to install and run a local version of truffle (#105)slither --truffle-version truffle@beta .
: Run truffle with Solidity 0.5slither --truffle-version truffle@4.1.14 .
: Run truffle with Solidity 0.4
Changed
Fixed
v0.3.1
0.3.1 - 2018-12-03
This release fixes minor bugs and improves the json output.
Changed
- Improve json ouput:
- Add helpers to
abstract_detector
- Use more detailed output for each detector and more precise source mapping information
- Document the json: https://github.com/trailofbits/slither/wiki/JSON-output
- Add helpers to
- Add support for Truffle projects using a
truffle-config.js
file instead oftruffle.js
- Fix incorrect slithIR conversion for mapping of mapping (#83)
- Fix minor bugs (remove duplicate constructors, fix incorrect
is_implemented
attribute inModifier
)
v0.3.0
0.3.0 - 2018-11-20
This release brings 4 new detectors, 1 new printer, improved UX, and several bug fixes.
Thanks to the Ethereum Community Fund for funding Gitcoin bounties!
Thanks also to our external contributors!
@anukul
@benstew
@rmi7
@rluijk
@samparsky
Added
- New detectors:
controlled-delegatecall
: Detect user-controlled delegatecall destinationconstant-function
: Detect constant functions that change stateuninitialized-local
: Detect uninitialized local variablesunused-return-value
: Detect unused return values
- New printer:
human-summary
: Print a human readable summary of the contracts
Changed
- Refactored the output of the detectors:
- Bug descriptions are more verbose
- Add line number information
- Create vulnerability descriptions with short descriptions, exploit scenarios, and recommendations
- Refactored unit tests to output to JSON
- Simplified integration with Truffle (slither now runs
truffle compile
automatically when applied to a Truffle directory)
Recommendation
- Use the
constant-function
detector to ensure correct interactions between contracts compiled with Solidity <0.5 and >=0.5
v0.2.0
0.2.0 - 2018-10-30
This release brings 2 new detectors, 2 new printers, integration with Truffle, and enhancements to SlithIR and the detector API.
Thanks to the Ethereum Community Fund for funding many Gitcoin bounties!
Thanks also to our external contributors!
@cryptomental
@evgeniuz
@pvgupta24
@redshark1802
@samparsky
Added
- Truffle integration. Slither can be run on a Truffle directory:
truffle compile && slither .
- new detectors:
constable-states
: Detect state variables that could be declared constantexternal-function
: Detect public functions that could be declared as external
- new printers:
call-graph
: Export the call-graph of the contracts to a dot fileinheritance
: Print the inheritance relations between contracts
- Support for solc's compact AST
Changed
- The original
inheritance
printer is now calledinheritance-graph
- Command line arguments are easier to use
- SlithIR bugfixes and improvements
- Internal API changes: #58