Releases: crytic/slither
v0.6.13
0.6.13 - 2020-09-08
This release improves support for Solidity 0.6, adds partial support for YUL, and fixes many bugs. Internally, we improved the parsing architecture, easing the addition of new parsers, and added type annotations. Additionally, Slither now runs GitHub super-linter, and the regression tests were improved (see the new CONTRIBUTING.md guidelines).
We also want to thank our contributors for reporting issues, and helping to improve Slither:
If you want access to additional detectors, try Crytic. It now has 96 detectors, including 2 YUL-specific detectors.
Added
- Add partial, experimental YUL support (#502, #575, #617). The YUL AST is parsed and converted into slithIR. Raw memory accesses are not supported. Solidity 0.6 is required to enable YUL support.
- Improve 0.6 support:
  - Add support for `type(I).interfaceId` (#497)
- List external publications (#512)
- Github super linter, and lgtm (#614, #620, #626)
- Added new tool: `slither-mutator`. PoC of fault injection based on Using Fault Injection to Assess Blockchain Systems in Presence of Faulty Smart Contracts
Internal
- Add type annotations (#514)
- Add storage layout information (#507, #540)
- Add `--disallow-partial` flag (#560). This hidden flag will prevent Slither from catching exceptions, and simplify debugging
- Add support for function pointers in the RETURN operator (#601)
Changed
- Copy editing on detectors (#572)
- Use [email protected]
- Improve human-summary printer (#477, #478)
- Improve duplicate name report (#489)
- `slither-flat`: Improve utf8 support and mapping/array lookup (#494)
- Filter contract to contract_declarer in call graph printer (#491)
- Several improvements in `slither-flat`, including new strategies, json/zip export (#496). Read the new documentation.
- Add check on public state variables in `slither-erc` (#528)
- `suicidal` detector: add detection on external functions (#527)
- Add padding to function id printer (#546)
- Update the recommended Solidity version in the `solc-version` detector (#577). This might result in disabling triaged `solc-version` results with Slither < 0.6.13
Internal
- Change the parsing architecture: parser objects are separate objects and do not inherit from the `core`. This will ease the creation of new parsers (#514)
- Improve support for tuple (#536, #539, #541, #548, #563, #564, #576)
- Improve `abi.decode` support (#475, #548, #551, #567, #598)
- Temporary array slice support (#550)
- Allow converting library to address (#561)
- Allow total ordering on `Constant` (#565)
- Improve fixpoint on `are_variables_written` (#480)
- Improve support for `type()` (#569)
- Increase the default python stack depth limit (#599)
- Refactor regression tests (#610)
Fixed
- Fix incorrect sons information on loop (#524)
- Fix numpy error on `slither-simil` (#484)
- Fix infinite loop on try statements (#535)
- Fix incorrect parsing in case of variables name reused (#538)
- Linting issue (#555)
- Issues on `this.` usage (#600, #623)
- Out of memory on large exponent (#608)
- All pylint issues (#616)
- Incorrect support of `using for` on functions pointers (#624)
v0.6.12
0.6.12 - 2020-04-24
This release fixes a bug found in 0.6.11 that prevented Slither from working on several codebases. Additionally, this release contains several minor fixes, and support for buidler.
We would like to thank @elenadimitrova for quickly reporting issues #456 and #457.
Consider using crytic.io to get access to 48 additional detectors and GitHub integration.
Added
- zip export (#453)
Changed
- Use crytic-compile 0.1.8, which adds buidler support.
- Human summary printer: run the detectors only once, and add their results to the printer's json (#451)
- Echidna printer: export the constant values as string to facilitate Echidna's parsing (#454) [BREAKING CHANGE]
Fixed
v0.6.11
0.6.11 - 2020-04-17
This release introduces `slither-prop`, a tool that will automatically generate properties to be tested through unit tests and Echidna. In this release, `slither-prop` can generate 18 tests for ERC20 contracts; more tests, and support for other ERCs are planned. Additionally, the support for Solidity 0.6 was improved, and the release fixes multiple minor bugs.
Consider using crytic.io to get access to additional detectors and GitHub integration.
Added
- `slither-prop` (#428). See its documentation.
- New Solidity call syntax support (#424)
- Number of assembly lines in the human summary printer (#438)
- `--convert-private` in `slither-flat`, allowing to change private variables to internal (#446)
- API: true/false branch for IF nodes (#433)
Changed
- Echidna printer: several new features are extracted (#431, #437).
- Reentrancy: better support of constant function called with Solidity 0.6 (#441)
- Add support for `now` in timestamp detector (#447)
Fixed
v0.6.10
0.6.10 - 2020-03-23
This release adds 5 new detectors, and improves the support of codebases with duplicate contract names and the support for Solidity 0.6. Additionally, several internal improvements lead existing detectors to report fewer false alarms. `slither-check-upgradeability` was refactored and now has 17 documented upgradeability checks.
Consider using https://crytic.io/ to get access to additional detectors and GitHub integration.
Added
- 5 new detectors (#396)
  - `boolean-cst`
  - `tautology`
  - `boolean-equal`
  - `divide-before-multiply`
  - `name-reused`
- Codebases with duplicate contract names will no longer throw an error; Slither will do a partial analysis and report the issue as a contract's bug (#413)
- Improve support for Solidity 0.6 (`receive()` and `try/catch`) (#415)
- New data dependencies user-API (#409)
- `contract.functions_signatures_declared`: return the signatures of the functions declared in the contract (#391)
Changed
- Refactor slither-check-upgradeability: the checks follow the same coding pattern as the bug detectors (#410)
- Change how modifiers and constructor calls are integrated in the CFG. This removes false positives created because of unreachable nodes (#406)
- Use `crytic-compile` 0.1.7
- Remove false positives in `uninitialized-state` (#407)
Fixed
v0.6.9
0.6.9 - 2019-12-20
This release fixes minor bugs and updates Slither to `crytic-compile 0.1.6`. Additionally, we moved from Travis CI to GitHub actions.
Thanks to our external contributors:
Added
- `--remove-assert` flag to `slither-flat`. Use this feature to write custom properties for Echidna with `assert` and have them automatically removed by `slither-flat` when the code is deployed. (#366)
Changed
- `constant-function` detector is split into `constant-function-asm` and `constant-function-state` and will not raise an issue if solc >= 0.5 is used (#380)
- Use GitHub Actions instead of Travis CI (#381, #385)
- Use upper and lower bounds for the `solc-version` detector (#378)
- `solc-version` now recommends solc 0.5.11 over 0.5.3 (#390)
Fixed
v0.6.8
0.6.8 - 2019-11-22
This release introduces two new utilities: `slither-check-erc` to check ERC conformance, and `slither-check-kspec` to report the coverage of a K specification. New types of reentrancy are detected (`send`/`transfer` and event-based) and several improvements were made to `slither-check-upgradeability`. Internally, this release introduces a new JSON output API. All printers and most of the utilities now have JSON output.
Thanks to our external contributors:
Added
- `slither-check-erc`: check for conformance to the most used ERCs #350
- `slither-check-kspec`: report K specification coverage #364
- Each detector result has a unique ID, allowing for duplicate removal (#367)
- pop to SlithIR conversion (#359)
- New printer: `evm` to print the source code that matches EVM bytecode (#281)
- New reentrancy detectors: `send`/`transfer` and event-based (#375)
Changed
- The JSON output API was replaced with a simpler and standardized API (#355, #362)
- All the printers have JSON output (#356)
- `slither-check-upgradeability`: several improvements (#354), including:
  - Check for constant conformance
  - Remove false positive on fallback function
  - Allow the CLI to work without the proxy contract. Note: the CLI flags were changed [BREAKING CHANGE]
  - JSON output
- Contract summary printer: add upgradeability info (#369) and remove shadowed function (#353)
- Docker improvements (#244)
- Remove false positive on uninitialized state variable detector due to `delegatecall` proxy (#370)
Fixed
- `slither-flat`: handle cycles (#373)
v0.6.7
0.6.7 - 2019-10-04
This release introduces `slither-format`, a tool that automatically generates patches for discovered vulnerabilities, and `slither-flat`, which flattens the codebase. Thanks to crytic-compile, `slither-flat` enables contract flattening for nearly all available smart contract development frameworks.
If you like Slither, consider subscribing to crytic.io for access to additional private detectors and GitHub integrations. Follow @CryticCI for more information.
Added
- `slither-format`: automatic patch generation. Features:
  - Supports issues discovered by the `unused-state`, `solc-version`, `pragma`, `naming-convention`, `external-function`, `constable-states`, and `constant-function` detectors.
  - Generates `git` patches
  - JSON integration
- `slither-flat`: flatten a codebase. Features:
  - `--contract contract_name`: outputs only the contracts necessary to compile `contract_name`
  - `--convert-external`: converts an external function to public. This is meant to help developers use Echidna.
- Echidna printer: Displays information useful for guiding fuzzing.
- IR conversion for constant variables declaration (#333, #338)
Changed:
- Update to crytic-compile 0.1.4 (which adds support for Brownie)
- CLI: print the number of detectors run (#322)
- Dapp test: use cache to speed up travis (#339)
- External function detectors: merge shadowed functions (#334)
- Add optimization detection to human summary printer (#330)
- Silence reports about `_echidna` or `_crytic` properties in the naming convention detector (#317)
Fixed
v0.6.6
0.6.6 - 2019-08-16
This release changes internal functions and how modifiers are represented, improves the JSON format, removes detectors' false positives, and fixes numerous bugs.
Thanks to our external contributors:
Thanks to our users for reporting numerous bugs, in particular @elenadimitrova, @yxliang01, and @sobolev-igor.
Added
- Add `exclude-dependencies` flag (#269)
- Add Optimization type and `--exclude-optimization` flag (#265, #269)
- AragonOS detection (#276)
- New printer: constructor calls (#299)
Changed
- [Breaking change] Remove the instance sharing for functions and modifiers. Each function or modifier now has `contract` and `contract_declarer` properties, where contract points to the contract's instance and the contract declarer to the contract where the function was originally declared (#213).
- [Breaking change] Use unique JSON element per detector finding (#263)
- [Breaking change] Add type to JSON result and improve the log in console/file (#266)
- Move third parties tools to `slither.tools` (#313)
- Remove false positive in external function detector in case of parameter written (#257)
- Remove false positive in naming convention in case of unnamed parameters (#260)
- Remove false positive in naming convention for constructor (aec680c)
- Improve ternary operators support (#301)
- Late conversion of the subdenomination value (#305)
- Refactor reentrancy detector and add support for create-based reentrancy (#311)
Fixed
- Incorrect source mapping for if/while/for condition (#245)
- Incorrect variable order in printer (#254)
- Incorrect source mapping due to text conversion (#252)
- Incorrect type for constant with implicit conversion (#283)
- Incorrect arguments to crytic-compile (4cbe048)
Note: 0.6.5 contained a bug in the reentrancy detector. Please avoid this version since it unnecessarily reported false-positives.
v0.6.4
0.6.4 - 2019-05-14
This release brings new detectors, several bugfixes, and a new util, `slither-simil`, to perform code similarity. Additionally, the json output was heavily improved.
This release is also the first one compatible with our new Visual Studio Code plugin, try it out!
Thanks to our external contributors, for their work and their suggestions!
@GillesdeB
@sobolev-igor
@yxliang01
Added
- New detectors:
- `slither-simil`: code similarity using machine learning (see the documentation)
Changed
- Improve `unused-return` results (#230)
- Improve `solc-version` results #240
- Update to `crytic-compile` version `0.1.1`
- Add `crytic-compile` options to `slither-check-upgradeability` and `slither-find-paths` (#231)
- The json format was heavily changed. See its documentation for more details. Notable changes:
  - At the top level, the json contains information about the success of Slither's run
  - Each element has 3 required pieces of information (`type`, `name`, `source_mapping`), and two optional ones: `type_specific_fields` and `additional_fields`
  - The `source_mapping` now has four types of filename, as well as the column information (see Source mapping documentation)
- Improvement of the human summary printer: lines and contracts number, ERCs and standard libraries detection (#228)
- Improve parsing of Literals (fbd1ddb), and type propagation
- Remove FPs on the incorrect erc20 interface detector (#215)
- Clean exception handling (#229)
Fixed
v0.6.3
0.6.3 - 2019-04-24
This release is the first one based on `crytic-compile`, a library that standardizes smart contract compilation and allows Slither to work natively on new platforms. Additionally, this release brings one new detector.
Thanks to our external contributor, @shshzi, who worked on the `Right-To-Left-Override character` detector.
For Embark users: make sure to update embark-contract-info to 1.1.0
Added
- Native support to Dapp, Etherlime, and Etherscan (see the documentation)
- New detector: `Right-To-Left-Override character` #201
Changed
- Json output: source mappings now contain four filenames (absolute/relative/short/used)
- The command line options now match `crytic-compile` options (ex: `--disable-solc-warnings` is renamed `--solc-disable-warnings`). See the `crytic-compile` Documentation for more details.