@wakeuplabs/segurito
v1.0.19
Smart Contract Vulnerability Detection README
Overview
This project provides a comprehensive checklist and analysis tool to detect vulnerabilities in Ethereum smart contracts. The tool leverages the checklist below to perform static analysis on Solidity contracts and outputs potential vulnerabilities, warnings, and informational notes in a structured JSON format.
Checklist Categories
General Review Approach
- Ensure internal function visibility unless public/external visibility is explicitly required.
- Detect arithmetic overflows/underflows and check for usage of the OpenZeppelin SafeMath library.
- Prevent accidental Ether/token transfers to 0x0 and ensure conditions are checked using require before operations.
- Protect against reentrancy attacks, follow the checks-effects-interactions pattern, and implement the ERC20 interface correctly.
- Ensure no unnecessary initializations in constructors and that all state and gas limit conditions are met.
- Perform complete test coverage, including fuzz testing and different contract states.
- Ensure proper handling of Ether/token units in wei and accurate configuration of crowdsale parameters.
- Test and implement crowdsale functionalities, including vesting logic, fail-safe modes, and fallback functions.
- Verify that all imported libraries are secure and that token transfer statements are safely wrapped in require.
Variables
- Check if variables can be internal, constant, or immutable, and ensure visibility is set (SWC-108).
- Document variable purposes using NatSpec and optimize storage packing.
Structs
- Assess the necessity of structs and ensure efficient packing and documentation of fields.
Functions
- Determine if functions can be external or should be internal/payable, and validate all parameters.
- Follow the checks-effects-interactions pattern (SWC-107) and protect against front-running (SWC-114).
- Apply correct modifiers, handle return values properly, and ensure functions are logically named and safe.
Modifiers
- Avoid storage updates and external calls within modifiers and document their purpose.
Code
- Use SafeMath or Solidity 0.8 checked math (SWC-101) and avoid unbounded loops/arrays (SWC-128).
- Prevent reliance on block timestamps or block numbers for time tracking and avoid delegatecall where possible (SWC-112).
- Properly handle arithmetic operations, use logical operators correctly, and document optimizations.
External Calls
- Validate the necessity of external calls, check for DoS risks, and ensure reentrancy protection.
Static Calls
- Confirm the need for external static calls, ensure they are marked as view, and check for potential DoS risks.
Events
- Optimize event fields for indexing, avoid indexing dynamic types, and document events thoroughly.
Contract
- Include SPDX license identifiers, emit events for storage-mutating functions, and check inheritance correctness (SWC-125).
- Use receive() for ETH transfers, document contract purpose using NatSpec, and avoid over-inheritance.
Project
- Use the appropriate license, ensure thorough unit and fuzz testing, and perform symbolic execution where applicable.
- Run static analysis tools like Slither/Solhint and review findings.
DeFi Considerations
- Check assumptions about external contracts, avoid mixing internal and actual balances, and use oracles safely.
- Watch out for tokens with special behaviors (rebasing, ERC-777, fee-on-transfer) and document these where unsupported.
Usage
To use this tool, provide the Solidity smart contracts as input. The tool will analyze the contracts based on the checklist and output a JSON report with identified vulnerabilities, warnings, and informational notes.
Example Output
{
  "status": true,
  "05-Distributor.sol": {
    "errors": [
      {
        "type": "Reentrancy Vulnerability",
        "issue": "The distribute function makes an external call to transfer tokens before updating the state, making it vulnerable to reentrancy attacks.",
        "fix": "Update the state before making the external call.",
        "location": "Line 32 in function distribute."
      }
    ],
    "warnings": [
      {
        "type": "Visibility Issue",
        "issue": "The distributions variable does not have an explicit visibility keyword.",
        "recommendation": "Declare distributions as private or internal for better clarity.",
        "location": "Line 10 in the contract."
      }
    ],
    "info": [
      {
        "note": "Solidity 0.8+ includes built-in overflow and underflow checks, so using SafeMath is not necessary.",
        "action": "No action required."
      }
    ]
  }
}
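The two findings in the report above, shown on a hypothetical contract written for this README edit (it is not the 05-Distributor.sol the tool analysed, and the contract and variable names are assumed): the vulnerable form has an unlabelled `distributions` mapping and calls out before zeroing the balance, and the hardened form applies checks-effects-interactions, explicit visibility and an event.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract used to illustrate the sample report; `distributions`
// holds the amount of ETH each recipient may withdraw.

// Vulnerable form: the mapping has no visibility keyword (the "warnings" entry)
// and the external call happens before the state update (the "errors" entry).
contract DistributorVulnerable {
    mapping(address => uint256) distributions; // no explicit visibility

    function fund(address to) external payable {
        distributions[to] += msg.value; // 0.8+ checked math, no SafeMath needed
    }

    function distribute() external {
        uint256 amount = distributions[msg.sender];
        require(amount > 0, "nothing to distribute");
        // Interaction before effect: a re-entering callee still sees the old balance.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        distributions[msg.sender] = 0;
    }
}

// Hardened form: checks, then effects, then the interaction; explicit visibility;
// an event for the storage-mutating function; receive() for plain ETH transfers.
contract DistributorFixed {
    mapping(address => uint256) private distributions;

    event Distributed(address indexed to, uint256 amount);

    function fund(address to) external payable {
        distributions[to] += msg.value;
    }

    function distribute() external {
        uint256 amount = distributions[msg.sender];          // check
        require(amount > 0, "nothing to distribute");
        distributions[msg.sender] = 0;                       // effect
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        require(ok, "transfer failed");
        emit Distributed(msg.sender, amount);
    }

    receive() external payable {}
}
```

Running the tool on the first contract should reproduce the error and warning entries; the second should leave only the informational SafeMath note.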
Resources
Public Smart Contract Audit Reports
- Consensys Diligence
- Peckshield
- OpenZeppelin
- Trail of Bits
- Quillhash
- Hacken
- Beosin
- Iosiro
- Oak Security
- G0 Group
- Hexens
- Sherlock
- Code4rena