feat(repo): add slither to lint code (#1)

* feat: add slither 

* fix: resolve bugs checked by slither 

* feat: add mythril

* ci: add scopes

* ci: add lint ci

.github/workflows/lint-pr.yml

@@ -18,4 +18,9 @@ jobs:
         with:
           scopes: |
             repo
+            ci
+            lint
+            doc
+            test
+            script
           requireScope: true

.github/workflows/lint.yml

@@ -6,8 +6,7 @@ on:
   pull_request:
 
 jobs:
-  solidity:
-    name: Lint Solidity Code
+  solhint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -17,5 +16,17 @@ jobs:
       - name: Install pnpm dependencies
         uses: ./.github/actions/install-pnpm-dependencies
 
-      - name: lint commit msg
+      - name: lint solidity code
         run: pnpm lint:sol
+
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: wagoid/commitlint-github-action@v5
+
+  slihter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: crytic/[email protected]

.gitignore

@@ -6,3 +6,4 @@ lib
 out
 cache
 broadcast
+.vscode/slither-results.json

.solhint.json

@@ -7,7 +7,8 @@
     "func-param-name-mixedcase": "warn",
     "modifier-name-mixedcase": "warn",
     "ordering": "warn",
-    "compiler-version": ["error", "^0.8.20"],
-    "func-visibility": ["warn", { "ignoreConstructors": true }]
+    "compiler-version": ["error", "^0.8.18"],
+    "func-visibility": ["warn", { "ignoreConstructors": true }],
+    "immutable-vars-naming": "off"
   }
 }

.vscode/extensions.json

@@ -5,6 +5,7 @@
     "tintinweb.solidity-visual-auditor",
     "foxundermoon.shell-format",
     "timonwong.shellcheck",
-    "remisa.shellman"
+    "remisa.shellman",
+    "trailofbits.slither-vscode"
   ]
 }

.vscode/settings.json

@@ -1,7 +1,10 @@
 {
-  "cSpell.words": ["commitlint", "mixedcase", "solhint"],
-  "solidity.compileUsingRemoteVersion": "v0.8.21+commit.d9974bed",
+  "cSpell.words": ["commitlint", "mixedcase", "remappings", "solhint"],
+
   "[solidity]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
+  },
+  "solidity.compileUsingRemoteVersion": "v0.8.18+commit.87f61d96",
+  "slither.solcPath": "",
+  "slither.hiddenDetectors": []
 }

README.md

@@ -4,3 +4,16 @@
 [![Lint](https://github.com/phenix3443/contract_starter/actions/workflows/lint.yml/badge.svg)](https://github.com/phenix3443/contract_starter/actions/workflows/lint.yml)
 
 solidity contract template repository, configured as [use solidity to develop smart contract](https://blog.panghuli.cn/posts/ethereum/solidity/).
+
+## prepare
+
+you should install following tools:
+
+- pnpm
+- pip3
+- foundry
+
+```shell
+pnpm init
+pnpm install:slither
+```

foundry.toml

@@ -6,7 +6,7 @@ out = 'out'
 libs = ["node_modules", "lib"]
 
 # solc
-solc_version = '0.8.20'
+solc_version = '0.8.18'
 
 # fmt
 [fmt]

init.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# slither
+pip3 install slither-analyzer
+pip3 install solc-select
+solc-select install 0.8.18
+solc-select use 0.8.18
+
+#mythril
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+rustup default nightly
+pip3 install mythril

mythril.config.json

@@ -0,0 +1,12 @@
+{
+  "remappings": [
+    "ds-test/=lib/ds-test/src/",
+    "forge-std/=lib/forge-std/src/",
+    "@openzeppelin/contracts=node_modules/@openzeppelin/contracts",
+    "@openzeppelin/contracts-upgradeable=node_modules/@openzeppelin/contracts-upgradeable"
+  ],
+  "optimizer": {
+    "enabled": true,
+    "runs": 200
+  }
+}

package.json

@@ -8,7 +8,10 @@
     "build": "forge build",
     "test": "forge test",
     "lint:sol": "solhint src/**/*.sol script/**/*.sol test/**/*.sol",
-    "format:sol": "prettier --write --plugin=prettier-plugin-solidity src/**/*.sol script/**/*.sol test/**/*.sol"
+    "slither": "slither .",
+    "mythril": "myth analyze src/**/*.sol script/**/*.sol",
+    "format:sol": "prettier --write --plugin=prettier-plugin-solidity src/**/*.sol script/**/*.sol test/**/*.sol",
+    "init": "sh init.sh"
   },
   "repository": {
     "type": "git",

script/DeployTPCounterV1.s.sol

@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.18;
+
+import "forge-std/Script.sol"; // solhint-disable
+import {TPCounterV1} from "../src/TPCounterV1.sol";
+import {DeployTPScript} from "./DeployTPScript.s.sol";
+
+contract DeployTPCounterV1 is DeployTPScript {
+    address private immutable _deployer;
+
+    constructor() DeployTPScript(vm.envUint("PRIVATE_KEY")) {
+        _deployer = vm.envAddress("DEPLOYER");
+    }
+
+    //slither-disable-next-line reentrancy-no-eth
+    function _run() internal override deploy(_deployer) {
+        TPCounterV1 c = new TPCounterV1();
+        implementation = address(c);
+        data = bytes.concat(c.initialize.selector);
+    }
+}

script/DeployTPCounterV2.s.sol

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.18;
+
+import "forge-std/Script.sol"; // solhint-disable
+
+import {TPCounterV2} from "../src/TPCounterV2.sol";
+import {DeployTPScript} from "./DeployTPScript.s.sol";
+
+contract DeployTPCounterV2 is DeployTPScript {
+    constructor() DeployTPScript(vm.envUint("PRIVATE_KEY")) {
+        proxyAddress = vm.envAddress("PROXY");
+    }
+
+    //slither-disable-next-line reentrancy-no-eth
+    function _run() internal override upgrade {
+        TPCounterV2 c = new TPCounterV2();
+        implementation = address(c);
+        data = bytes.concat(c.upgradeVersion.selector);
+    }
+}

script/transparent/DeployScript.s.sol → script/DeployTPScript.s.sol

@@ -1,24 +1,24 @@
 // SPDX-License-Identifier: MIT
 
-pragma solidity ^0.8.20;
+pragma solidity ^0.8.18;
 
 import "forge-std/Script.sol"; // solhint-disable-line
 // solhint-disable-next-line
 import {ITransparentUpgradeableProxy, TransparentUpgradeableProxy} from "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol";
 
-abstract contract DeployScript is Script {
-    uint256 public privateKey;
+abstract contract DeployTPScript is Script {
+    uint256 public immutable privateKey;
     address public implementation;
     bytes public data;
     address public proxyAddress;
 
     error InvalidAddress(string reason);
 
     modifier deploy(address deployer) {
+        _;
         if (deployer == address(0)) {
             revert InvalidAddress("deployer address can not be zero");
         }
-        _;
         if (implementation == address(0)) {
             revert InvalidAddress("implementation address can not be zero");
         }
@@ -28,10 +28,10 @@ abstract contract DeployScript is Script {
     }
 
     modifier upgrade() {
+        _;
         if (proxyAddress == address(0)) {
             revert InvalidAddress("proxy address can not be zero");
         }
-        _;
         ITransparentUpgradeableProxy proxy = ITransparentUpgradeableProxy(
             proxyAddress
         );
@@ -41,6 +41,10 @@ abstract contract DeployScript is Script {
         proxy.upgradeToAndCall(implementation, data);
     }
 
+    constructor(uint256 pkey) {
+        privateKey = pkey;
+    }
+
     function run() external {
         vm.startBroadcast(privateKey);
         _run();

script/DeployUUPSCounterV1.s.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.18;
+
+import "forge-std/Script.sol"; // solhint-disable
+import {UUPSCounterV1} from "../src/UUPSCounterV1.sol";
+import {DeployUUPSScript} from "./DeployUUPSScript.s.sol";
+
+contract DeployUUPSCounterV1 is DeployUUPSScript {
+    constructor() DeployUUPSScript(vm.envUint("PRIVATE_KEY")) {}
+
+    //slither-disable-next-line reentrancy-no-eth
+    function _run() internal override deploy {
+        UUPSCounterV1 c = new UUPSCounterV1();
+        implementation = address(c);
+        data = bytes.concat(c.initialize.selector);
+    }
+}

script/DeployUUPSCounterV2.s.sol

@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.18;
+
+import "forge-std/Script.sol"; // solhint-disable-line
+import {UUPSCounterV2} from "../src/UUPSCounterV2.sol";
+import {DeployUUPSScript} from "./DeployUUPSScript.s.sol";
+
+contract DeployUUPSCounterV2 is DeployUUPSScript {
+    constructor() DeployUUPSScript(vm.envUint("PRIVATE_KEY")) {
+        proxyAddress = vm.envAddress("PROXY");
+    }
+
+    //slither-disable-next-line reentrancy-no-eth
+    function _run() internal override upgrade {
+        UUPSCounterV2 c = new UUPSCounterV2();
+        implementation = address(c);
+        data = bytes.concat(c.upgradeVersion.selector);
+    }
+}

script/uups/DeployScript.s.sol → script/DeployUUPSScript.s.sol

@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: MIT
 
-pragma solidity ^0.8.20;
+pragma solidity ^0.8.18;
 
 import "forge-std/Script.sol"; // solhint-disable
 import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
 import {UUPSUpgradeable} from "@openzeppelin/contracts/proxy/utils/UUPSUpgradeable.sol";
 
-abstract contract DeployScript is Script {
-    uint256 public privateKey;
+abstract contract DeployUUPSScript is Script {
+    uint256 public immutable privateKey;
     address public implementation;
     bytes public data;
     address public proxyAddress;
@@ -23,17 +23,21 @@ abstract contract DeployScript is Script {
     }
 
     modifier upgrade() {
+        _;
         if (proxyAddress == address(0)) {
             revert InvalidAddress("proxy address can not be zero");
         }
-        _;
         if (implementation == address(0)) {
             revert InvalidAddress("implementation address can not be zero");
         }
         UUPSUpgradeable proxy = UUPSUpgradeable(proxyAddress);
         proxy.upgradeToAndCall(address(implementation), data);
     }
 
+    constructor(uint256 pkey) {
+        privateKey = pkey;
+    }
+
     function run() external {
         vm.startBroadcast(privateKey);
         _run();

script/deploy_tp_counter_v1.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+source .env && forge script script/transparent/DeployTPCounterV1.s.sol --rpc-url ${RPC_URL} --broadcast -vvvv

script/deploy_tp_counter_v2.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+source .env && forge script script/transparent/DeployTPCounterV2.s.sol --rpc-url ${RPC_URL} --broadcast -vvvv

script/deploy_uups_counter_v1.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+source .env && forge script script/uups/DeployUUPSCounterV1.s.sol --rpc-url ${RPC_URL} --broadcast -vvvv

script/deploy_uups_counter_v2.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# shellcheck disable=all
+source .env && forge script script/uups/DeployUUPSCounterV2.s.sol --rpc-url ${RPC_URL} --broadcast -vvvv