v0.9.2

0.9.2 - 2023-01-11

This release integrates codex into Slither via two features:

• slither-documentation, a tool to auto-generate natspec for every function. See the usage on solmate.
• the codex detector, which uses GPT3 to find vulnerabilities. This detector is not run by default and requires an explicit opt-in by using the --codex flag.

For both features, the environment variable OPENAI_API_KEY must be set. These features are experimental, and we recommend reading OpenAI's ToS, in particular, if you are using it on a private codebase. We will be exploring other areas where we can leverage LLM within Slither, and we would love the community's feedback and ideas.

Additionally, this release contains two new detectors, and refinements to existing detectors. This includes a better handling of nonReentrant for reentrancy detection, lowering the number of false alarms. Finally, this release contains several bug fixes and improvements for Solidity features such as "using for" directives and user defined value types.

We would like to thank all of our external contributors:
-@ardislu
-@bart1e
-@devtooligan
-@devtooligan
-@mds1
-@Pavan-Nambi
-@pcaversaccio
-@plotchy

Thanks to the community effort, slither has now reached 100+ contributors.

Added

• Add Codex vulnerability detector by @montyly and @devtooligan in #1498, #1499
• Use Codex to generate solidity documentation by @montyly in #1494
• New detectors:
  • recommend reading variable without this keyword to reduce STATICCALLs by @0xalpharush in #1484
  • recommend making state variables immutable by @0xalpharush in #1455
• Enable ignore comments for sections of code by @mds1 in #1461, #1483
  • // slither-disable-start [detector] ... // slither-disable-end [detector]
• Mark contract as proxy/ upgradeable with custom comments by @webthethird and @montyly in #1517, #1522
  • @custom:security isDelegatecallProxy, @custom:security isUpgradeable, @custom:security version name=[v1]
• Support ternaries in function call options by @0xalpharush in #1501
• Fold binary expressions with constant operands for fuzzing guidance by @0xalpharush in #1508
• Support abi.encodeCall by @plotchy in #1460
• Add VULNERABLE_SOLC_VERSIONS to detectors by @devtooligan and @montyly in #1477, #1485
• Filter upgradeability checks by name/impact by @webthethird in #1532
• Add --no-fail mode for echidna printer by @montyly in #1571
• Create CODEOWNERS by @montyly in #1561
• slither-doctor: check PATH configuration by @elopez in #1550

Changed

• Improve reentrancy detectors by @montyly in #1351
  • Functions with nonReentrant modifiers will be filtered out unless a risk of cross-function reentrancy is detected
• Improve support using for directive by @smonicas in #1378
• Improve support using for with aliasing by @smonicas in #1563
• Replace pysha3 with pycryptodome by @0xalpharush in #1454
• Remove unused PUSH operation from IR by @0xalpharush in #1489
• Sort printer outputs for determinism by @bart1e in #1513
• Use latest setuptools in CI by @montyly in #1542
• Update to the latest crytic-compile source unit API by @montyly in #1528
• Install only necessary solc versions in CI by @Pavan-Nambi in #1546
• Run tests by specific ID by @0xalpharush in #1555

Fixed

• Fix broken links by @pcaversaccio in #1457
• Fix typo in divide before multiply by @0xalpharush in #1449
• Fix dapp CI integration test by @montyly in #1496
• Improve protected variable detector by @montyly in #1497
• Update missing events wiki by @0xalpharush in #1487
• Copy event arguments during ssa conversion by @0xalpharush in #1488
• Fix ExtraVariablesProxy upgradeability check by @webthethird in #1504
• Fix naming-convention to flag single letter O or I variable by @ardislu in #1470
• Fix top level struct parsing by @smonicas in #1545
• Upgradeability: include inherited private variables, ignore immutables by @0xalpharush in #1451
• Fix and re-enable etherscan test by @elopez in #1556
• Fix using for directives in libraries by @smonicas in #1568
• Remove incomplete submodule by @elopez in #1564
• Handle malformed alias solc<0.6.0 by @0xalpharush in #1547
• Improve Yul parsing by @montyly in #1559
• Fix type conversion of user defined value types by @0xalpharush in #1573
• Resolve error referenced as member of contract by @0xalpharush in #1574

New Contributors

• @ardislu made their first contribution in #1470
• @bart1e made their first contribution in #1513
• @devtooligan made their first contribution in #1477
• @mds1 made their first contribution in #1461
• @Pavan-Nambi made their first contribution in #1546
• @webthethird made their first contribution in #1504

Full Changelog: 0.9.1...0.9.2