
@wakeuplabs/segurito

v1.0.19

Published

## Overview

Downloads

62

Readme

Smart Contract Vulnerability Detection README

Overview

This project provides a comprehensive checklist and analysis tool to detect vulnerabilities in Ethereum smart contracts. The tool leverages the checklist below to perform static analysis on Solidity contracts and outputs potential vulnerabilities, warnings, and informational notes in a structured JSON format.

Checklist Categories

General Review Approach

  • Ensure internal function visibility unless public/external visibility is explicitly required.
  • Detect arithmetic overflows/underflows and check for usage of the OpenZeppelin SafeMath library.
  • Prevent accidental Ether/token transfers to 0x0 and ensure conditions are checked using require before operations.
  • Protect against reentrancy attacks, follow the checks-effects-interactions pattern, and implement the ERC20 interface correctly.
  • Ensure no unnecessary initializations in constructors and that all state and gas limit conditions are met.
  • Perform complete test coverage, including fuzz testing and different contract states.
  • Ensure proper handling of Ether/token units in wei and accurate configuration of crowdsale parameters.
  • Test and implement crowdsale functionalities, including vesting logic, fail-safe modes, and fallback functions.
  • Verify that all imported libraries are secure and that token transfer statements are safely wrapped in require.

Variables

  • Check if variables can be internal, constant, or immutable, and ensure visibility is set (SWC-108).
  • Document variable purposes using NatSpec and optimize storage packing.

Structs

  • Assess the necessity of structs and ensure efficient packing and documentation of fields.

Functions

  • Determine if functions can be external or should be internal/payable, and validate all parameters.
  • Follow the checks-effects-interactions pattern (SWC-107) and protect against front-running (SWC-114).
  • Apply correct modifiers, handle return values properly, and ensure functions are logically named and safe.

Modifiers

  • Avoid storage updates and external calls within modifiers and document their purpose.

Code

  • Use SafeMath or Solidity 0.8 checked math (SWC-101) and avoid unbounded loops/arrays (SWC-128).
  • Prevent reliance on block timestamps or block numbers for time tracking and avoid delegatecall where possible (SWC-112).
  • Properly handle arithmetic operations, use logical operators correctly, and document optimizations.

External Calls

  • Validate the necessity of external calls, check for DoS risks, and ensure reentrancy protection.

Static Calls

  • Confirm the need for external static calls, ensure they are marked as view, and check for potential DoS risks.

Events

  • Optimize event fields for indexing, avoid indexing dynamic types, and document events thoroughly.

Contract

  • Include SPDX license identifiers, emit events for storage-mutating functions, and check inheritance correctness (SWC-125).
  • Use receive() for ETH transfers, document contract purpose using NatSpec, and avoid over-inheritance.

Project

  • Use the appropriate license, ensure thorough unit and fuzz testing, and perform symbolic execution where applicable.
  • Run static analysis tools like Slither/Solhint and review findings.

DeFi Considerations

  • Check assumptions about external contracts, avoid mixing internal accounting with actual token balances, and use oracles safely.
  • Watch out for tokens with special behaviors (rebasing, ERC-777, fee-on-transfer) and document these where unsupported.

Usage

To use this tool, provide the Solidity smart contracts as input. The tool will analyze the contracts based on the checklist and output a JSON report with identified vulnerabilities, warnings, and informational notes.

Example Output

{
  "status": true,
  "05-Distributor.sol": {
    "errors": [
      {
        "type": "Reentrancy Vulnerability",
        "issue": "The distribute function makes an external call to transfer tokens before updating the state, making it vulnerable to reentrancy attacks.",
        "fix": "Update the state before making the external call.",
        "location": "Line 32 in function distribute."
      }
    ],
    "warnings": [
      {
        "type": "Visibility Issue",
        "issue": "The distributions variable does not have an explicit visibility keyword.",
        "recommendation": "Declare distributions as private or internal for better clarity.",
        "location": "Line 10 in the contract."
      }
    ],
    "info": [
      {
        "note": "Solidity 0.8+ includes built-in overflow and underflow checks, so using SafeMath is not necessary.",
        "action": "No action required."
      }
    ]
  }
}
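The reentrancy finding in the example report above, together with the checklist items on explicit visibility, require-wrapped transfers and zero-address checks, worked through in Solidity. This is an added illustration, not code from the segurito package or from the analysed 05-Distributor.sol; the IERC20 interface, the contract names and the unshown logic that funds distributions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (assumption: the token returns a bool from transfer).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// "Before": the pattern the example report flags as a Reentrancy Vulnerability.
// The external call runs before the state update, so a token with transfer hooks
// (e.g. ERC-777 style, see the DeFi checklist item) can re-enter distribute()
// while distributions[msg.sender] still holds the old value.
contract DistributorVulnerable {
    IERC20 token;                              // no explicit visibility (Visibility Issue)
    mapping(address => uint256) distributions; // no explicit visibility (Visibility Issue)

    constructor(IERC20 _token) { token = _token; }

    function distribute() public {
        uint256 amount = distributions[msg.sender];
        token.transfer(msg.sender, amount);    // interaction first, return value ignored
        distributions[msg.sender] = 0;         // effect last: this is the reentrancy window
    }
}

// "After": checks-effects-interactions (SWC-107), explicit visibility (SWC-108),
// require-wrapped transfer, zero-address guard and an event for the storage mutation.
contract DistributorFixed {
    IERC20 public immutable token;
    mapping(address => uint256) private distributions;

    event Distributed(address indexed to, uint256 amount);

    constructor(IERC20 _token) {
        require(address(_token) != address(0), "token is zero address");
        token = _token;
    }

    function distribute() external {
        uint256 amount = distributions[msg.sender];              // check
        require(amount > 0, "nothing to distribute");
        distributions[msg.sender] = 0;                           // effect: state updated before the call
        emit Distributed(msg.sender, amount);
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Run against both contracts, a checklist-based analyser should report the reentrancy error and visibility warning only for DistributorVulnerable; the Solidity 0.8 overflow note applies to both.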

Resources

Public Smart Contract Audit Reports

Additional Resources