0.7.0 - 2020-12-18

This release contains 26 new detectors, including a detector for a recent bug in Aave (unprotected-upgrade), deletion of mapping with structures (mapping-deletion), lack of events (events-access, event-maths), a shift-related issue on YUL (incorrect-shift), modifiers that can return the default value (incorrect-modifier), and multiple informational and compiler-related bugs. Additionally, it introduces the triage of results using inline comments. Use // slither-disable-next-line DETECTOR_NAME before a statement to disable the detector. Finally, we added the support for Solidity top-level objects.

We would like to thanks @josh-richardson for his contributions to the inline comment feature.

Added

• 26 detectors (#725, #732, #736)
  • abiencoderv2-array
  • array-by-reference
  • assert-state-change
  • controlled-array-length
  • costly-loop
  • events-access
  • events-math
  • function-init-state
  • incorrect-modifier
  • incorrect-unary
  • incorrect-shift
  • mapping-deletion
  • missing-inheritance
  • missing-zero-check
  • multiple-constructors
  • public-mappings-nested
  • redundant-statements
  • reused-constructor
  • similar-names
  • storage-array
  • unimplemented-functions
  • uninitialized-fptr-cst
  • unprotected-upgrade
  • variable-scope
  • weak-prng
• Inline comment to suppress findings (#724)
• (Partial) support for Solidity top-level objects (#728) API BREAKING CHANGE. All the related objects are now split between ObjectContract and ObjectTopLevel (ex: FunctionContract and FunctionTopLevel)

Changed

• Use crytic-compile@0.1.12

Fixed

• Printers filename related issues (#729, #726)

0.6.15 - 2020-12-07

This release adds several performance optimizations to Slither. From our limited benchmark on codebases where Slither takes more than 1 minute to run, the optimizations lead to 2x improvements on average and up to x14 in certain cases. We also fixed an indeterministic detector output issue that could interact poorly with CIs and improved legacy AST support. Finally, we made improvements to slither-prop.

Thanks to @elenadimitrova for helping us debug the indeterministic detector output issue.

If you want access to additional detectors, try Crytic. It has 96 total vulnerabilities detectors.

Addded

• Hidden --perf flag (debug) (#701)

Changed

• Optimizations
  • Use of get_line_from_offset from crytic-compile (see crytic-compile@0.1.11 release note). It impacts codebase with a large number of files
  • Memoization for properties that are frequently used (#703). It impacts all the codebases
  • Rewrote the immediate dominator (#705). It impacts functions with complex cfg
  • Rewrote the fixpoint on the data dependencies (#707). It impacts functions for which the fixpoint is difficult to reach
• Use of crytic-compile@0.1.11. Among others, this improves hardhat and dapp support.
• Multiple improvements to slither-prop (#693, #713)

Fixed

• Removed recursion in divide-before-multiply (#706)
• Indeterministic output for multiple detectors (#486). This might lead previously triaged results to appear again (the finding IDs can have been affected)
• Parsing of comments in legacy ast for Solidity 0.6.3 - 0.6.10 (#720). This mostly impacts dapp codebases.

0.6.14 - 2020-11-12

This release improves support for Solidity 0.7 and fixes many bugs. We moved all our tests to pytest and significantly improved our parsing test coverage to help support multiple versions of Solidity.

If you'd like to help us improve Slither, please answer our user survey.

Additionally, we recently hosted a community call where we went through Slither's codebase, and showed its different components (see the recording).

Finally, we would like to thank our contributors for reporting issues and helping us improve Slither:

• @sobolev-igor
• @moodysalem
• @mrice32
• @gorgos
• @f97
• @token-joe

Added

• Support for type(X).min/max (#673)
• Extensive parser tests (#635, #659, #682, #660)

Changed

• Refactor existing detectors test suit to use pytest (#656)
• Use crytic-compile@0.1.10. This includes hardhat support, and improvements for waffle and buidler.
• Support for comparison between function pointers (#618)
• Use black 19.10b0 instead of latest for Github's Super Linter (#680)
• IR push conversion (#625)

Fixed

• Multiple solc 0.7 parsing issues (#630, #642, #654)
• Use unique variable names for YUL variables (#648)
• CFG printer filename generation (#633)
• Loop CFG recovery issues (#655)
• Correctly link between nodes in the variables constructor step (#632)
• Wiki link for naming convention (#651)
• Minor Python types issues (#653)

0.6.13 - 2020-09-08

This releases improves support for Solidity 0.6, adds partial support for YUL, and fixes many bugs. Internally, we improved the parsing architecture, easing the addition of a new parser and added type annotations. Additionally, slither now runs GitHub super-linter, and the regression tests were improved (see the new CONTRIBUTING.md guidelines).

We also want to thanks our contributors for reporting issues, and helping to improve Slither:

• @elenadimitrova
• @elopez
• @PriyankaBose
• @Pet3ris

If you want access to additional detectors, try Crytic. It now has 96 detectors, including 2 YUL specific detectors.

Added

• Add partial, experimental YUL support (#502, #575, #617). YUL AST is parsed and converted into slithIR. Raw memory access are not supported. Solidity 0.6 is required to enable YUL support.
• Improve 0.6 support:
  • Add support for C{value:1} syntax (#498)
  • Add support for top level structures and enums (#499, #522)
• Add support for type(I).interfaceId (#497)
• List external publications (#512)
• Github super linter, and lgtm (#614, #620, #626)
• Added new tool: slither-mutator. PoC of fault injection based on Using Fault Injection to Assess Blockchain Systems in Presence of Faulty Smart Contracts

Internal

• Add type annotations (#514)
• Add storage layout information (#507, #540)
• Add --disallow-partial flag (#560). This hidden flag will prevent Slither from catching exceptions, and simplify debugging
• Add support for function pointers in the RETURN operator (#601)

Changed

• Copy editing on detectors (#572)
• Use crytic-compile@0.1.9
• Improve human-summary printer (#477, #478)
• Improve dupplicate name report (#489)
• slither-flat: Improve utf8 support and mapping/array lookup (#494)
• Filter contract to contract_declarer in call graph printer (#491)
• Several improvements in slither-flat, including new strategies, json/zip export (#496). Read the new documentation.
• Add check on public state variables in slither-erc (#528)
• suicidal detector: add detection on external functions (#527)
• Add padding to function id printer (#546)
• Update the recommended Solidity version in the solc-version detector (#577). This might result in disabling triaged solc-version results with Slither < 0.6.13

Internal

• Change the parsing architecture: parser objects are separate objects and do not inherit from the core. This will ease the creation of new parsers (#514)
• Improve support for tuple (#536, #539, #541, #548, #563, #564, #576)
• Improve abi.decode support (#475, #548, #551, #567, #598)
• Temporary array slice support (#550)
• Allow converting library to address (#561)
• Allow total ordering on Constant (#565)
• Improve fixpoint on are_variables_written (#480)
• Improve support for type() (#569)
• Increase the default python stack depth limit (#599)
• Refactor regression tests (#610)

Fixed

• Fix incorrect sons information on loop (#524)
• Fix numpy error on slither-simil (#484)
• Fix infinite loop on try statements (#535)
• Fix incorrect parsing in case of variables name reused (#538)
• Linting issue (#555)
• Issues on this. usage (#600, #623)
• Out of memory on large exponent (#608)
• All pylint issues (#616)
• Incorrect support of using for on functions pointers (#624)

0.6.12 - 2020-04-24

This release fixes a bug that was found in 0.6.11 preventing Slither to work on several codebases. Additional this release contains several minor fixes, and support for buidler.

We would like to thanks @elenadimitrova for quickly reporting issues #456 and #457.

Consider using crytic.io to get access to 48 additional detectors and GitHub integration.

Added

• zip export (#453)

Changed

• Use crytic-compile 0.1.8, which adds buidler support.
• Human summary printer: run the detectors only once, and add their results to the printer's json (#451)
• Echidna printer: export the constant values as string to facilitate Echidna's parsing (#454) [BREAKING CHANGE]

Fixed

• Revert the changes made in (#445) which lead to incorrectly parse functions with a contract used in a parameter (#458)
• Use Decimal instead of float to prevent loss of precision (#454)
• Echidna printer: fix incorrect support of state variable calls (#455)

0.6.11 - 2020-04-17

This release introduces slither-prop, a tool that will automatically generate properties to be tested through unit tests and Echidna. In this release, slither-prop can generate 18 tests for ERC20 contracts; More tests, and support for other ERCs are planned. Additionally, the support for Solidity 0.6 was improved, and the release fixes multiple minor bugs.

Consider using crytic.io to get access to additional detectors and GitHub integration.

Added

• slither-prop (#428). See its documentation.
• New Solidity call syntax support (#424)
• Number of assembly lines in the human summary printer (#438)
• --convert-private in slither-flat, allowing to change private variables to internal (#446)
• API: true/false branch for IF nodes (#433)

Changed

• Echidna printer: several new features are extracted (#431, #437).
• Reentrancy: better support of constant function called with Solidity 0.6 (#441)
• Add support for now in timestamp detector (#447)

Fixed

• Name reused (#423)
• Ternary on unary operator conversion (#439)
• Incorrect slithir_cfg_to_dot function (#432)
• Incorrect function id generated if a parameter is a contract (#445)
• slither-check-upgradeability: --list-detectors-json will use the field check instead of detector [BREAKING CHANGE] (#448)

0.6.10 - 2020-03-23

This release adds 5 new detectors, improves the support of codebase with contract's name duplicate, and the support for Solidity 0.6. Additionally, several internal improvements lead existing detectors to report less false alarms. slither-check-upgradeability was refactored and it has now 17 documented upgradeability checks.

Consider using https://crytic.io/ to get access to additional detectors and GitHub integration.

Added

• 5 new detectors (#396)
  • boolean-cst
  • tautology
  • boolean-equal
  • divide-before-multiply
  • name-reused
• Codebase with contract name dupplicates will not anymore throw an error, slither will do a partial analysis and report the issue as a contract's bug (#413)
• Improve support for Solidity 0.6 (receive() and try/catch) (#415)
• New data dependencies user-API (#409)
• contract.functions_signatures_declared: return the signatures of the function declared in the contract (#391)

Changed

• Refactor slither-check-upgradeability: the checks follow the same coding pattern than the bug detectors (#410)
• Change how modifiers and constructor calls are integrated in the CFG. This removes false positives created because of unreachable nodes (#406)
• Use crytic-compile 0.1.7
• Remove false positives in uninitialized-state (#407)

Fixed

• Incorrect get_dependencies (#400, #409)
• Incorrect lvalue on Delete (#412)
• Incorrect constructor called if the contructor does not exist (#416)

0.6.9 - 2019-12-20

This release fixes minor bugs and updates Slither to crytic-compile 0.1.6. Additionally, we moved from Travis CI to GitHub actions.

Thanks to our external contributors:

• @erib3
• @uivlis
• @yxliang01

Added

• --remove-assert flag to slither-flat. Use this feature to write custom properties for Echidna with assert and have them automatically removed by slither-flat when the code is deployed. (#366)

Changed

• constant-function detector is split into constant-function-asm and constant-function-state and will not raise an issue if solc >= 0.5 is used (#380)
• Use GitHub Actions instead of Travis CI (#381, #385)
• Use upper and lower bounds for the solc-version detector (#378)
• solc-version now recommends solc 0.5.11 over 0.5.3 (#390)

Fixed

• Detector ID generation leading to collisions for pragma objects (#388)
• FPs on event-based reentrancy (#377)
• Non-solidity pragma that were reported as incorrect solidity version by the pragma detector (#387)
• Incorrect field access on the contract-summary printer (#384)

0.6.8 - 2019-11-22

This release introduces two new utilities: slither-check-erc to check ERC conformance, and slither-check-kspec to report the coverage of a K specification. New types of reentrancy are detected (send/transfer and event-based) and several improvements were made to slither-check-upgradeability. Internally, this release introduces a new JSON output API. All printers and most of the utilities now have JSON output.

Thanks to our external contributors:

• @yxliang01
• @enderphan94

Added

• slither-check-erc: check for conformance to the most used ERCs #350
• slither-check-kspec: report K specification coverage #364
• Each detector result has a unique ID, allowing for duplicate removal (#367)
• pop to SlithIR conversion (#359)
• New printer: evm to print the source code that matches EVM bytecode (#281)
• New reentrancy detectors: send/transfer and event-based (#375)

Changed

• The JSON output API was replaced with a simpler and standardized API (#355, #362)
• All the printers have JSON output (#356)
• slither-check-upgradeability: several improvements (#354), including:
  • Check for constant conformance
  • Remove false positive on fallback function
  • Allow the CLI to work without the proxy contract. Note: the CLI flags were changed [BREAKING CHANGE]
  • JSON output
• Contract summary printer: add upgradeability info (#369) and
  remove shadowed function (#353)
• Docker improvements (#244)
• Remove false positive on uninitialized state variable detector due to delegatecall proxy (#370)

Fixed

• slither-flat: handle cycles (#373)

0.6.7 - 2019-10-04

This release introduces slither-format, a tool that automatically generates patches for discovered vulnerabilities, and slither-flat, which flattens the codebase. Thanks to crytic-compile, slither-flat enables contract flattening for nearly all available smart contract development frameworks.

If you like Slither, consider subscribing to crytic.io for access to additional private detectors and GitHub integrations. Follow @CryticCI for more information.

Added

• slither-format: automatic patch generation. Features:
  • Supports issues discovered by the unused-state, solc-version, pragma, naming-convention, external-function, constable-states, and constant-function detectors.
  • Generates git patches
  • JSON integration
• slither-flat: flatten a codebase. Features:
  • --contract contract_name: outputs only the contracts necessary to compile contract_name
  • --convert-external: converts an external function to public. This is meant to help developers use Echidna.
• Echidna printer: Displays information useful for guiding fuzzing.
• IR conversion for constant variables declaration (#333, #338)

Changed:

• Update to crytic-compile 0.1.4 (which adds support for Brownie)
• CLI: print the number of detectors run (#322)
• Dapp test: use cache to seep up travis (#339)
• External function detectors: merge shadowed functions (#334)
• Add optimization detection to human summary printer (#330)
• Silence reports about _echidna or _crytic properties in the naming convention detector (#317)

Fixed

• Incorrect parsing of infinite loops (#329)
• Incorrect inheritance order
• Incorrect abi.decode parsing (#332)

0.6.6 - 2019-08-16

This release changes internal functions and how modifiers are represented, improves the JSON format, removes detectors' false positives, and fixes numerous bugs.

Thanks to our external contributors:

• @ChrisChinchilla
• @Abhimanyu121

Thanks to our users for reporting numerous bugs, in particular @elenadimitrova, @yxliang01, and @sobolev-igor.

Added

• Add exclude-dependencies flag (#269)
• Add Optimization type and --exclude-optimization flag (#265), #269)
• AragonOS detection (#276)
• New printer: constructor calls (#299)

Changed

• [Breaking change] Remove the instance sharing for functions and modifiers. Each function or modifier has now contract and contract_declarer properties, where contract points to the contract's instance and the contract declarer to the contract where the function was originally declared (#213).
• [Breaking change] Use unique JSON element per detector finding (#263)
• [Breaking change] Add type to JSON result and improve the log in console/file (#266)
• Move third parties tools to slither.tools (#313)
• Remove false positive in external function detector in case of parameter written (#257)
• Remove false positive in naming convention in case of unnamed parameters (#260)
• Remove false positive in naming convention for constructor (aec680c)
• Improve ternary operators support (#301)
• Late conversion of the subdenomination value (#305)
• Refactor reentrancy detector and add support for create-based reentrancy (#311)

Fixed

• Incorrect source mapping for if/while/for condition (#245)
• Incorrect variable order in printer (#254)
• Incorrect source mapping due to text conversion (#252)
• Incorrect type for constant with implicit conversion (#283)
• Incorrect arguments to crytic-compile (4cbe048)

Note: 0.6.5 contained a bug in the reentrancy detector. Please avoid this version since it unnecessarily reported false-positives.

0.6.4 - 2019-05-14

This release brings new detectors, several bugfixes, and a new util slither-simil, to perform code similarity. Additionally, the json output was heavily improved.

This release is also the first one compatible with our new Visual Studio Code plugin, try it out!

Thanks to your external contributors, for their work and their suggestions!
@GillesdeB
@sobolev-igor
@yxliang01

Added

• New detectors:
  • ERC721 incorrect interface: erc721-interface (#215)
  • Conformance to numeric notation best practices: too-many-digits (#216)
  • Unchecked low level call: unchecked-lowlevel (#230)
  • Unchecked send: unchecked-send (#230)
• slither-simil: code similarity using machine learning (see the documentation)

Changed

• Improve unused-return results (#230)
• Improve solc-version results #240
• Update to crytic-compile version 0.1.1
• Add crytic-compile options to slither-check-upgradeability and slither-find-paths (#231)
• The json format was heavily changed. See its documentation for more details. Notable changes:
  • At the top level, the json contains information about the success of the Slither's run
  • Each element has 3 required information (type, name, source_mapping), and two optional ones: type_specific_fields and additional_fields
  • The source_mapping has not four types of filename, as well as the column information (see Source mapping documentation
• Improvement of the human summary printer: lines and contracts number, ERCs and standard libraries detection (#228)
• Improve parsing of Literals (fbd1ddb), and type propagation
• Remove FPs on the incorrect erc20 interface dettector (#215)
• Clean exception handling (#229)

Fixed

• Re-add --solc-ast flag (12cdcc2)
• Incorrect function ids printer info (#211)
• Several minor bug fixes, including incorrect type propagation if a variable is accessed through the contract's basename (6834d4c), add bytes.push() support (1d2997b)

0.6.3 - 2019-04-24

This release is the first one based on crytic-compile, the library standardizes smart contracts compilation and allows Slither to work natively on new platforms. Additionally, this release brings one new detector.

Thanks to our external contributor, @shshzi, who worked on the Right-To-Left-Override character detector

For Embark users: make sure to update embark-contract-info to 1.1.0

Added

• Native support to Dapp, Etherlime, and Etherscan (see the documentation)
• New detector: Right-To-Left-Override character #201

Changed

• Json output: source mappings contain now four filenames (absolute/relative/short/used)
• The command line options now match crytic-compile options (ex: --disable-solc-warnings is renamed --solc-disable-warnings). See the crytic-compileDocumentation for more details.

0.6.2 - 2019-03-05

This release brings Embark native support, fixes several bugs, and improves slither-check-upgradeability.

Added

• Embark support (see the documentation) (#196)
• Support for Solidity selector keyword (605ea7f)
• --truffle-build-directory flag to support custom build directory (#187)

Changed

• Rename slither-check-upgradability to slither-check-upgradeability (bffa59f)
• --ignore-truffle-compile flag renamed to --truffle-ignore-compile
• Improve slither-check-upgradeability output and documentation.
• API changed: Add framework detection within Slither object; the caller does not need to check for native/truffle/embark (ee1b4c2)

Fixed

• Incorrect source mapping computation (#194)
• Incorrect data dependency for return values (#193)
• Crash related to the support of abi.decode (#177)

0.6.1 - 2019-03-04

This release brings a new utility: slither-find-paths to review complex codebase, adds a new check to slither-check-upgradability, and fixes minor bugs.

Added

• slither-find-paths: Utility to review complex contracts (see the Finding Paths Utility Documentation)
• slither-check-upgradability: Add checks on correct contract's initialization #182
• Improve Windows support #179

Changed

• Calls in loop detector: remove duplicate results ( 39500c0)
• Call graph printer: export functions individually (833e390)
• API changed: make GENERIC_TAINT optional on is_tainted call #181

Fixed

• Incorrect SlithIR conversion in case of explicit base contract usage (8a94a6e, c6e090e, b992010)
• Use referenced declaration for functions to fix reference not found (AST compact only)
  #177
• Fix typo in callcode 8344c4e

0.6.0 - 2019-02-15

This release adds 3 new detectors, 5 new printers, improves the overall usability of Slither, and introduces a new tool: slither-check-upgradability to help to review upradable contracts. User and developer documentation has dramatically improved. This release brings also several bugfixes, API enhancements and lowers the rate of false positives for several detectors.

Thanks to our external contributors @cty12, @mrice32 and @ptare for their numerous bug reports.

Added

• Detectors:
  • erc20-interface: Incorrect ERC20 interfaces
  • erc20-indexed: Un-indexed ERC20 event parameters
  • deprecated-standards: Deprecated Solidity Standards
• Printers:
  • data-dependency: Print the data dependencies of the variables
  • function-id: Print the keccack256 signature of the functions
  • modifiers: Print the modifiers called by each function
  • require: Print the require and assert calls of each function
  • variable-order: Print the storage order of the state variables
• Command line usage:
  • --ignore-truffle-compile: do not run truffle compile
  • --disable-color: disable output colorization
  • --triage-mode: run slither in its triage mode. For every finding, Slither will ask if the result should be shown for the next run.
  • --filter-paths: exclude all the results that are only related to the given paths.
  • Configuration file: Slither options can be configured through a JSON file. See the documentation
• slither-check-upgradability: Utility to help reviewing upgradable contracts
• Dependency: require pysha3>=1.0.2

Changed:

• Reduce the false alarms rates of:
  • Unused variables: consider expression oustide of the functions' scope #167
  • Reentrancy: check if a call to this is reentrancy-safe + don't consider view/pure calls for Solidity >= 0.5 #127 #126
  • Locked ether: follow libraries calls #163
• Improve Truffle integration: Slither will automatically switch to the truffle version provided in package.json (#154)
• Improve SSA conversion: Use of an interprocedural sensitive analysis (follow parameters) (#156 (comment))
• Improve data dependency: Compute a fix-point on function context (#171)
• Improve inheritance printer output (#162, #166)
• Add support of staticall (#152)

Fixed

• Several minors bugs, including:
  • Incorrect SSA conversion on Return (59af388)
  • is_storage property on StateVariableIR/LocalVariableIR (59af388)
  • Crash when two variables have the same name #151
  • Incorrect location for LocalVariableIR (#143)
  • Add constant folding visitor to avoid crash on expression-based length (#144)

0.5.2 - 2019-01-31

This release improves performance, fixes minor bugs, and simplifies the generation of our documentation.

Added

• Add a vulnerability description to all the detectors, then use that to auto-generate the wiki documentation.

Changed

• Improve the reentrancy heuristics: the reentrancy information is computed only one time, and its information is shared across all the reentrancy variants.
• Use a cache system for the function.all_* properties
• Re-add the Length SlithIR operator (ed7afe0)

Fixed

• Incorrect read information in case of ReferenceVariable (1cdc34e)

0.5.1 - 2019-01-25

This release fixes minor bugs and adds support for a handful of missing operations.

We gave a presentation about Slither during our last office hours. We discussed the framework, how it works and its future evolution. The video is available here.

Added

• Support for constructors declared as a modifier and in the contract's definition (contract B is A(10){ ) (#132)
• Support for gas and value in dynamic function calls (#132)
• Support for ternary conversions in modifiers (#140)
• Support for hexadecimal in subdenominations (#147)
• Support for user-defined types in functions (#136)
• Support for indexed information in events (c032328)

Fixed

• UTF8 file encoding (#146)
• Parsing of empty do-while loop (#133)

0.5.0 - 2019-01-14

This release adds support for static single assignment (SSA) to SlithIR for both local and state variables. The use of SSA facilitates the tracking data dependencies and will enable more precise detectors. There are three new detectors: incorrect-equality, shadowing-builtin, shadowing-local, and one new printer: cfg. Detection of reentrancy was improved and now has three levels of severity. This release also includes bugfixes and lowers the rate of false positives for several detectors.

Thanks to our external contributors @mrice32 and @ptare for their numerous bug reports.

Added

• Detectors:
  • incorrect-equality: Dangerous strict equalities, such as this.balance == 0 ether.
  • shadowing-builtin: Shadowing of builtin symbols
  • shadowing-local: Local variables shadowing the contract's elements
• SSA on SlithIR:
  • Add Phi operator
  • Add LocalIRVariable and StateIRVariable (they contain the SSA index)
  • Follow Cooper, Harvey, Kennedy to compute minimal SSA
  • Add additional Phi operators at function entrance and after external calls to handle state variables
• Alias Analysis to track storage references
• Integrate alias analysis info into the SSA engine for precise SSA construction (note there is a limitation: alias analysis is not yet interprocedural and has no support for functions returning a storage reference)
• Add new printer: cfg, which exports the CFG of each function (8452b32)
• Add dominators information
  • List of dominator nodes
  • Dominator tree
  • Dominance frontier

Changed

• The reentrancy detector is split into three variants to facilitate the triage of results:
  • reentrancy-eth: theft of ether and read before writing (high severity)
  • reentrancy-no-eth: no theft of ether and read before writing (medium severity)
  • reentrancy-benign: no read before writing (low severity)
• The data dependency is now computed using the SSA
• Multiple new contract and function helpers (b549a3e, 57a0918, a704635)
• Improve subdenomination support (ether, wei, days, ..) bdca730
• Lower false positive for several detectors:
  • locked-ether: #114
  • external-function: #118
  • constable-states: fc4ac0c

Bugfixes

• Incorrect return nested array #121,
• Support for empty tuple in return 7813fdf
• Support for implicit uint256->int256 conversion on function matching #120
• Support ternary in return statement #115

0.4.0 - 2018-12-14

This release brings 4 new detectors, improves the support for Solidity >=0.5, and fixes several minor issues.

Thanks to our external contributors!

@adamhos
@mattaereal
@mihairaulea

Added

• New detectors:
  • shadowing-state: Detect state variables shadowed
  • shadowing-abstract: Detect state variables shadowed from abstract contracts
  • timestamp: Detect dangerous usage of block.timestamp
  • calls-loop: Detect dangerous calls inside a loop
• --trufle-version version flag: Allow to install and run a local version of truffle (#105)
  • slither --truffle-version truffle@beta . : Run truffle with Solidity 0.5
  • slither --truffle-version truffle@4.1.14 . : Run truffle with Solidity 0.4

Changed

• Improve Solidity 0.5.0 and 0.5.1 support (#102)
• Json output format (#108)

Fixed

• Variable unpacking issue for the contract printer (#104)
• Multiple minor parsing bugs (#98, #99, #100)
• Incorrect do-while recovery (#97)
• SlithIR: incorrect return tuple conversion (#89)

0.3.1 - 2018-12-03

This release fixes minor bugs and improves the json output.

Changed

• Improve json ouput:
  • Add helpers to abstract_detector
  • Use more detailed output for each detector and more precise source mapping information
  • Document the json: https://github.com/trailofbits/slither/wiki/JSON-output
• Add support for Truffle projects using a truffle-config.js file instead of truffle.js
• Fix incorrect slithIR conversion for mapping of mapping (#83)
• Fix minor bugs (remove duplicate constructors, fix incorrect is_implemented attribute in Modifier)

0.3.0 - 2018-11-20

This release brings 4 new detectors, 1 new printer, improved UX, and several bug fixes.

Thanks to the Ethereum Community Fund for funding Gitcoin bounties!

Thanks also to our external contributors!
@anukul
@benstew
@rmi7
@rluijk
@samparsky

Added

• New detectors:
  • controlled-delegatecall: Detect user-controlled delegatecall destination
  • constant-function : Detect constant functions that change state
  • uninitialized-local : Detect uninitialized local variables
  • unused-return-value : Detect unused return values
• New printer:
  • human-summary: Print a human readable summary of the contracts

Changed

• Refactored the output of the detectors:
  • Bug descriptions are more verbose
  • Add line number information
  • Create vulnerability descriptions with short descriptions, exploit scenarios, and recommendations
• Refactored unit tests to output to JSON
• Simplified integration with Truffle (slither now runs truffle compile automatically when applied to a Truffle directory)

Recommendation

• Use the constant-function detector to ensure correct interactions between contracts compiled with Solidity <0.5 and >=0.5

0.2.0 - 2018-10-30

This release brings 2 new detectors, 2 new printers, integration with Truffle, and enhancements to SlithIR and the detector API.

Thanks to the Ethereum Community Fund for funding many Gitcoin bounties!

Thanks also to our external contributors!
@cryptomental
@evgeniuz
@pvgupta24
@redshark1802
@samparsky

Added

• Truffle integration. Slither can be run on a Truffle directory: truffle compile && slither .
• new detectors:
  • constable-states: Detect state variables that could be declared constant
  • external-function: Detect public functions that could be declared as external
• new printers:
  • call-graph: Export the call-graph of the contracts to a dot file
  • inheritance: Print the inheritance relations between contracts
• Support for solc's compact AST

Changed

• The original inheritance printer is now called inheritance-graph
• Command line arguments are easier to use
• SlithIR bugfixes and improvements
• Internal API changes: #58