Skip to content

Stacy is an extensible open-source tool intended to assist developers and auditors of the Stacks ecosystem detect common issues in Clarity smart contracts.

License

Notifications You must be signed in to change notification settings

CoinFabrik/stacy

Repository files navigation

Tests passing

STACY - Stacks Static Analyzer for Clarity

Stacy is an open-source static analyzer for Clarity smart contracts. It is intended to assist Clarity smart contract developers and auditors detect common security issues and deviations from best practices.

This tool will help developers write secure and more robust smart contracts.

Install

pip install git+https://github.com/xlittlerag/tree-sitter-clarity@6eb27feb
pip install stacy-analyzer

Documentation

Detectors

Severities are based on worst case scenarios and the detector's finding may vary depending on the context.

Detector ID What it Detects Test Cases Severity
assert-block-height Usage of block-height as time tracker. 1 Critical
call-inside-as-contract Calling another contract losing the first contract's context. 1 Critical
divide-before-multiply Performing a division operation before a multiplication, leading to loss of precision. 1 Critical
private-function-not-used Dead code(private functions) inside the smart contract. 1 Enhancement
todo-comment TODO comments left in the smart contract. 1 Enhancement
tx-sender-in-assert Usage of tx-sender in assert is truly intended. 1 High
unwrap-panic-usage Inappropriate usage of the unwrap-panic method, causing unexpected program crashes. 1 Enhancement
var-could-be-constant Code that does not change and could be re-define. 1 Enhancement
updated-functions Old functions. 1 Enhancement
unused-arguments Arguments passed but not used. 1 Enhancement
unused-let-variables Local variables declared but not used. 1 Enhancement

Contribution guidelines

You can find our contribution guidelines here

Testing Stacy

You can run Stacy over all the test contracts by running the following command:

stacy-analyzer lint tests

It will recursively search for all the .clar files in the tests directory and run Stacy over them. With this command, you won't need to specify the path to each smart contract. This should print the errors in the vulnerable examples, and nothing in the remediated ones!

About CoinFabrik

We - CoinFabrik - are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM based and also for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, and TEAL.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

License

Stacy is licensed and distributed under a MIT license. Contact us if you're looking for an exception to the terms.

About

Stacy is an extensible open-source tool intended to assist developers and auditors of the Stacks ecosystem detect common issues in Clarity smart contracts.

Resources

License

Stars

Watchers

Forks

Packages

No packages published