Skip to main content

Static and Dynamic Analysis​

Static Source Code Analysis​

Visualization Tools​

  • Solidity Visual Auditor: This extension contributes security centric syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code
  • Surya: Utility tool for smart contract systems, offering a number of visual outputs and information about the contracts' structure. Also supports querying the function call graph.
  • VSCode Ethereum Security Bundle: A meta-extension bundling vscode marketplace plugins for secure Ethereum smart contract development.

Dynamic Analysis​

  • Mythril: The Swiss army knife for smart contract security. It uses symbolic execution, SMT solving and taint analysis to detect a variety of security vulnerabilities.
  • Certora
  • Echidna: The only available fuzzer for Ethereum software. Uses property testing to generate malicious inputs that break smart contracts.
  • Manticore: Dynamic binary analysis tool with EVM support.
  • Vertigo
  • Octopus: Security Analysis tool for Blockchain Smart Contracts with support of EVM and (e)WASM.
  • sFuzz: Efficient fuzzer inspired from AFL to find common vulnerabilities.
  • EVM lab: Rich tool package to interact with the EVM. Includes a VM, Etherchain API, and a trace-viewer.
  • ethereum-graph-debugger: Graphical EVM debugger.
  • chinfuzz by ant4g0nist: Tezos smart contract fuzzer
  • FuzzyVM


Slither usage:

[email protected]:~/labs/not-so-smart-contracts/denial_of_service$ slither -h
usage: slither target [flag]

target can be:
- file.sol // a Solidity file
- project_directory // a project directory. See for the supported platforms
- 0x.. // a contract on mainet
- NETWORK:0x.. // a contract on a different network. Supported networks: mainet,ropsten,kovan,rinkeby,goerli,tobalaba,bsc,testnet.bsc,arbi,testnet.arbi,poly,avax,testnet.avax,ftm

For usage information, see

optional arguments:
-h, --help show this help message and exit
--version displays the current version

Compile options:
--compile-force-framework COMPILE_FORCE_FRAMEWORK
Force the compile to a given framework (solc,truffle,embark,dapp,etherlime,etherscan,vyper,waffle,brownie,solc-
Remove the metadata from the bytecodes
--compile-custom-build COMPILE_CUSTOM_BUILD
Replace platform specific build command
--ignore-compile Do not run compile of any platform

Solc options:
--solc SOLC solc path
--solc-remaps SOLC_REMAPS
Add remapping
--solc-args SOLC_ARGS
Add custom solc arguments. Example: --solc-args "--allow-path /tmp --evm-version byzantium".
Disable solc warnings
--solc-working-dir SOLC_WORKING_DIR
Change the default working directory
--solc-solcs-select SOLC_SOLCS_SELECT
Specify different solc version to try (env config). Depends on solc-select
--solc-solcs-bin SOLC_SOLCS_BIN
Specify different solc version to try (path config). Example: --solc-solcs-bin solc-0.4.24,solc-0.5.3
--solc-standard-json Compile all specified targets in a single compilation using solc standard json
Force the solc compiler to use the legacy json ast format over the compact json ast format

Truffle options:
Do not run truffle compile
--truffle-build-directory TRUFFLE_BUILD_DIRECTORY
Use an alternative truffle build directory
--truffle-version TRUFFLE_VERSION
Use a local Truffle version (with npx)
Use a simplified version of truffle-config.js for compilation
--truffle-overwrite-version TRUFFLE_OVERWRITE_VERSION
Overwrite solc version in truffle-config.js (only if --truffle-overwrite-config)

Embark options:
Do not run embark build
Install @trailofbits/embark-contract-export and add it to embark.json

Dapp options:
Do not run dapp build

Etherlime options:
Do not run etherlime compile
Add arbitrary arguments to etherlime compile (note: [dir] is the the directory provided to crytic-compile)

Etherscan options:
Only compile if the source code is available.
Only looks for bytecode.
--etherscan-apikey ETHERSCAN_API_KEY
Etherscan API key.
--arbiscan-apikey ARBISCAN_API_KEY
Etherscan API key.
--polygonscan-apikey POLYGONSCAN_API_KEY
Etherscan API key.
--avax-apikey AVAX_API_KEY
Etherscan API key.
--ftmscan-apikey FTMSCAN_API_KEY
Etherscan API key.
--bscan-apikey BSCAN_API_KEY
Etherscan API key.
--etherscan-export-directory ETHERSCAN_EXPORT_DIR
Directory in which to save the analyzed contracts.

Waffle options:
Do not run waffle compile
--waffle-config-file WAFFLE_CONFIG_FILE
Provide a waffle config file

NPX options:
--npx-disable Do not use npx

Buidler options:
Do not run buidler compile
--buidler-cache-directory BUIDLER_CACHE_DIRECTORY
Use an alternative buidler cache directory (default ./cache)
Disable directory name fix (see

hardhat options:
Do not run hardhat compile
--hardhat-cache-directory HARDHAT_CACHE_DIRECTORY
Use an alternative hardhat cache directory (default ./cache)
--hardhat-artifacts-directory HARDHAT_ARTIFACTS_DIRECTORY
Use an alternative hardhat artifacts directory (default ./artifacts)

Comma-separated list of detectors, defaults to all, available detectors: abiencoderv2-array, arbitrary-send, array-by-reference, controlled-
array-length, assembly, assert-state-change, backdoor, weak-prng, boolean-cst, boolean-equal, shadowing-builtin, constable-states, constant-
function-asm, constant-function-state, pragma, controlled-delegatecall, costly-loop, dead-code, delegatecall-loop, deprecated-standards,
divide-before-multiply, enum-conversion, external-function, function-init-state, erc20-interface, erc721-interface, solc-version, incorrect-
equality, incorrect-unary, shadowing-local, locked-ether, low-level-calls, mapping-deletion, events-access, events-maths, missing-
inheritance, missing-zero-check, incorrect-modifier, msg-value-loop, calls-loop, multiple-constructors, name-reused, naming-convention,
variable-scope, protected-vars, public-mappings-nested, redundant-statements, reentrancy-benign, reentrancy-eth, reentrancy-events,
reentrancy-unlimited-gas, reentrancy-no-eth, reused-constructor, rtlo, shadowing-abstract, incorrect-shift, similar-names, shadowing-state,
storage-array, suicidal, timestamp, too-many-digits, tx-origin, tautology, unchecked-lowlevel, unchecked-send, unchecked-transfer,
unimplemented-functions, erc20-indexed, uninitialized-fptr-cst, uninitialized-local, uninitialized-state, uninitialized-storage, unprotected-
upgrade, unused-return, unused-state, void-cst, write-after-write
--list-detectors List available detectors
Comma-separated list of detectors that should be excluded
Exclude results that are only related to dependencies
Exclude optimization analyses
Exclude informational impact analyses
--exclude-low Exclude low impact analyses
--exclude-medium Exclude medium impact analyses
--exclude-high Exclude high impact analyses
Show all the findings

Comma-separated list fo contract information printers, available printers: cfg, constructor-calls, contract-summary, data-dependency,
echidna, function-id, function-summary, modifiers, call-graph, evm, human-summary, inheritance, inheritance-graph, slithir, slithir-ssa,
pausable, vars-and-auth, require, variable-order
--list-printers List available printers

Additional options:
--json JSON Export the results as a JSON file ("--json -" to export to stdout)
--sarif SARIF Export the results as a SARIF JSON file ("--sarif -" to export to stdout)
--json-types JSON_TYPES
Comma-separated list of result types to output to JSON, defaults to detectors,printers. Available types:
--zip ZIP Export the results as a zipped JSON file
--zip-type ZIP_TYPE Zip compression type. One of lzma,stored,deflated,bzip2. Default lzma
--markdown-root MARKDOWN_ROOT
URL for markdown generation
--disable-color Disable output colorization
--filter-paths FILTER_PATHS
Comma-separated list of paths for which results will be excluded
--triage-mode Run triage mode (save results in slither.db.json)
--config-file CONFIG_FILE
Provide a config file (default: slither.config.json)
--solc-ast Provide the contract as a json AST
--generate-patches Generate patches (json output only)

Slither available printers:

NumPrinterWhat it Does
1call-graphExport the call-graph of the contracts to a dot file
2cfgExport the CFG of each functions
3constructor-callsPrint the constructors executed
4contract-summaryPrint a summary of the contracts
5data-dependencyPrint the data dependencies of the variables
6echidnaExport Echidna guiding information
7evmPrint the evm instructions of nodes in functions
8function-idPrint the keccack256 signature of the functions
9function-summaryPrint a summary of the functions
10human-summaryPrint a human-readable summary of the contracts
11inheritancePrint the inheritance relations between contracts
12inheritance-graphExport the inheritance graph of each contract to a dot file
13modifiersPrint the modifiers called by each function
14pausablePrint functions that do not use whenNotPaused
15requirePrint the require and assert calls of each function
16slithirPrint the slithIR representation of the functions
17slithir-ssaPrint the slithIR representation of the functions
18variable-orderPrint the storage order of the state variables
19vars-and-authPrint the state variables written and the authorization of the functions
[email protected]:~/labs/not-so-smart-contracts/denial_of_service$ slither --print contract-summary auction.sol 
Compilation warnings/errors on auction.sol:
auction.sol:51:5: Warning: Failure condition of 'send' ignored. Consider using 'transfer' instead.

+ Contract DosAuction (Most derived contract)
- From DosAuction
- bid() (public)

+ Contract SecureAuction (Most derived contract)
- From SecureAuction
- bid() (external)
- withdraw() (external)

auction.sol analyzed (2 contracts)
[email protected]:~/labs/not-so-smart-contracts/denial_of_service$ slither --print human-summary auction.sol
Compilation warnings/errors on auction.sol:
auction.sol:51:5: Warning: Failure condition of 'send' ignored. Consider using 'transfer' instead.

Compiled with solc
Number of lines: 53 (+ 0 in dependencies, + 0 in tests)
Number of assembly lines: 0
Number of contracts: 2 (+ 0 in dependencies, + 0 tests)

Number of optimization issues: 1
Number of informational issues: 3
Number of low issues: 0
Number of medium issues: 1
Number of high issues: 0

| Name | # functions | ERCS | ERC20 info | Complex code | Features |
| DosAuction | 1 | | | No | Receive ETH |
| | | | | | Send ETH |
| SecureAuction | 2 | | | No | Receive ETH |
| | | | | | Send ETH |
auction.sol analyzed (2 contracts)
[email protected]:~/labs/not-so-smart-contracts/denial_of_service$


Foundry Fuzzing​