
Slither: A Static Analysis Framework For Smart Contracts

Published 26 Aug 2019 in cs.SE and cs.CR | (1908.09878v1)

Abstract: This paper describes Slither, a static analysis framework designed to provide rich information about Ethereum smart contracts. It works by converting Solidity smart contracts into an intermediate representation called SlithIR. SlithIR uses Static Single Assignment (SSA) form and a reduced instruction set to ease implementation of analyses while preserving semantic information that would be lost in transforming Solidity to bytecode. Slither allows for the application of commonly used program analysis techniques like dataflow and taint tracking. Our framework has four main use cases: (1) automated detection of vulnerabilities, (2) automated detection of code optimization opportunities, (3) improvement of the user's understanding of the contracts, and (4) assistance with code review. In this paper, we present an overview of Slither, detail the design of its intermediate representation, and evaluate its capabilities on real-world contracts. We show that Slither's bug detection is fast, accurate, and outperforms other static analysis tools at finding issues in Ethereum smart contracts in terms of speed, robustness, and balance of detection and false positives. We compared tools using a large dataset of smart contracts and manually reviewed results for 1000 of the most used contracts.

Citations (507)

Summary

  • The paper presents a static analysis framework using SlithIR’s SSA form to efficiently detect vulnerabilities such as reentrancy.
  • It employs a multi-stage process—parsing with AST, generating intermediate representation, and applying taint tracking—to outperform comparable tools.
  • It also enhances code understanding and optimization by providing graphical summaries and identifying gas cost reduction opportunities.


Introduction

Slither is a static analysis framework developed to address the need for reliable and efficient tools for analyzing Ethereum smart contracts, specifically those written in Solidity. The framework aims to identify vulnerabilities and optimization opportunities through a sophisticated intermediate representation called SlithIR. This paper outlines the framework's design, evaluation, and performance compared with existing state-of-the-art tools.

Design and Architecture

Slither is built on a multi-stage analysis process that starts from the Abstract Syntax Tree (AST) emitted by the Solidity compiler. It then lowers the AST into an intermediate representation, SlithIR, in Static Single Assignment (SSA) form, which preserves source-level information (types, storage references, inheritance) that a bytecode-level analysis would have to recover. On top of SlithIR the framework runs generic analyses such as dataflow and taint tracking, and the detectors and printers consume their results.

SlithIR Intermediate Representation

SlithIR is designed to simplify static analysis by adopting an SSA-based approach with a reduced instruction set. Key instructions include arithmetic operations, storage reference handling (for example, a reference to a mapping slot that is later read or written), and the various call types: high-level calls, low-level calls, and library calls. Because every SSA variable is assigned exactly once, data dependencies can be computed directly, which simplifies detectors such as the reentrancy check that must relate storage reads and writes to external calls.

Core Features and Applications

Slither serves multiple purposes:

  1. Vulnerability Detection: It includes detectors for common Solidity vulnerabilities such as variable shadowing, uninitialized variables, and reentrancy.
  2. Optimization Detection: Offers insights into inefficient code patterns and identifies variables that can be declared as constants for gas optimization.
  3. Code Understanding: Provides graphical and textual summaries of contract structures, inheritance graphs, and call graphs to enhance developer comprehension.
  4. Assisted Code Review: Through a Python API, users can create custom scripts leveraging Slither's detailed analysis capabilities for more in-depth code auditing.
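To make the pipeline and the first two detector categories concrete, here is an added example (not Slither's code, and not real SlithIR syntax): a toy SSA-style IR with a reduced instruction set, a simplified reentrancy rule (a state variable read before an external call and written after it in the same function, the checks-effects-interactions violation), and a "constable states" rule (a state variable initialised with a literal and never stored to can be declared `constant`). The opcode names, the `Instr`/`Function`/`Contract` classes and the `Bank` contract are this example's own constructions; Slither's real detectors walk the CFG to a fixpoint and, for `reentrancy-eth`, additionally require that the call sends ETH.

```python
# Constructed example (not Slither's code or real SlithIR): a reduced SSA-style IR and
# two detectors in the spirit of Slither's reentrancy and constable-states checks.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Instr:
    """One IR instruction. Opcode names are this example's own, not SlithIR's."""
    op: str                         # SLOAD, SSTORE, BINARY, CONDITION, LOW_LEVEL_CALL
    dst: Optional[str] = None       # SSA name written (each name assigned exactly once)
    args: List[str] = field(default_factory=list)
    storage: Optional[str] = None   # state variable touched by SLOAD / SSTORE


@dataclass
class Function:
    name: str
    instrs: List[Instr]
    is_constructor: bool = False


@dataclass
class Contract:
    name: str
    # state variable -> True if its initializer is a compile-time literal
    state_vars: Dict[str, bool]
    functions: List[Function]


def detect_reentrancy(fn: Function) -> List[str]:
    """Simplified reentrancy rule: a state variable that is read before an external
    call and written after it. A reentrant callee observes the stale value between
    the read and the write. Returns the offending state variables."""
    read_before_call = set()
    call_seen = False
    findings: List[str] = []
    for ins in fn.instrs:
        if ins.op == "SLOAD" and not call_seen:
            read_before_call.add(ins.storage)
        elif ins.op == "LOW_LEVEL_CALL":
            call_seen = True
        elif ins.op == "SSTORE" and call_seen and ins.storage in read_before_call:
            if ins.storage not in findings:
                findings.append(ins.storage)
    return findings


def detect_constable_states(contract: Contract) -> List[str]:
    """State variables initialised with a literal and never stored to by any function
    (constructor included) can be declared `constant`, removing runtime SLOADs."""
    written = {ins.storage for fn in contract.functions
               for ins in fn.instrs if ins.op == "SSTORE"}
    return [v for v, literal_init in contract.state_vars.items()
            if literal_init and v not in written]


# Constructed IR for:
#   function withdraw() { uint bal = balances[msg.sender]; require(bal > 0);
#     (bool ok,) = msg.sender.call{value: bal}(""); require(ok); balances[msg.sender] = 0; }
VULNERABLE_WITHDRAW = Function("withdraw", [
    Instr("SLOAD", dst="bal_0", storage="balances"),
    Instr("BINARY", dst="tmp_0", args=["bal_0", ">", "0"]),
    Instr("CONDITION", args=["tmp_0"]),
    Instr("LOW_LEVEL_CALL", dst="ok_0", args=["msg.sender", "bal_0"]),
    Instr("CONDITION", args=["ok_0"]),
    Instr("SSTORE", storage="balances", args=["0"]),       # effect after interaction
])

# Same function following checks-effects-interactions: zero the balance before the call.
SAFE_WITHDRAW = Function("withdraw", [
    Instr("SLOAD", dst="bal_0", storage="balances"),
    Instr("BINARY", dst="tmp_0", args=["bal_0", ">", "0"]),
    Instr("CONDITION", args=["tmp_0"]),
    Instr("SSTORE", storage="balances", args=["0"]),       # effect before interaction
    Instr("LOW_LEVEL_CALL", dst="ok_0", args=["msg.sender", "bal_0"]),
    Instr("CONDITION", args=["ok_0"]),
])

CONSTRUCTOR = Function("constructor", [
    Instr("SSTORE", storage="owner", args=["msg.sender"]),   # set at runtime, not constant
], is_constructor=True)

# Constructed state: `balances` (written), `owner` (written in ctor), `fee_bps = 25` (never written).
BANK = Contract("Bank",
                {"balances": False, "owner": False, "fee_bps": True},
                [CONSTRUCTOR, VULNERABLE_WITHDRAW])


def run_detectors(contract: Contract) -> Dict[str, List[str]]:
    """Run both detectors over a contract and return findings keyed by detector name."""
    reentrancy = [f"{fn.name}:{var}" for fn in contract.functions
                  for var in detect_reentrancy(fn)]
    return {"reentrancy": reentrancy,
            "constable-states": detect_constable_states(contract)}


if __name__ == "__main__":
    # -> {'reentrancy': ['withdraw:balances'], 'constable-states': ['fee_bps']}
    print(run_detectors(BANK))
```

Against the real tool, the equivalent checks are `slither contract.sol --detect reentrancy-eth,constable-states`, and `slither contract.sol --print slithir` shows the actual IR that the detectors operate on.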

Evaluation and Performance

In comprehensive evaluations, Slither was tested against other static analysis tools including Securify, SmartCheck, and Solhint. The framework demonstrated superior performance, accuracy, and robustness:

Vulnerability Detection

Slither is particularly effective at detecting reentrancy vulnerabilities: on the manually reviewed set of 1000 most-used contracts it captured real-world bugs that the other tools missed, with a false positive rate of 10.9%. The comparison showed that the faster tools frequently missed genuine vulnerabilities or flooded the results with false positives, and that some tools failed outright on a notable fraction of contracts.

Optimization Detection

Slither efficiently identifies code optimization opportunities, finding that a significant portion of smart contracts (~56%) could benefit from constant variable declarations, which reduce deployment and transaction costs.

Code Understanding

Compared to Surya, another tool for visualizing contract structure, Slither provided more detailed output (for example, richer inheritance and call information) because its analyses run on SlithIR rather than on syntax alone, which makes it more useful on large or deeply inherited codebases.

Conclusion

Slither represents a significant advancement in the static analysis of Ethereum smart contracts by combining speed, accuracy, and comprehensive insight into Solidity code. Its extensibility and potential for integration into various development environments make it a valuable tool for developers and security auditors. Future work could enhance its capabilities by adding more issue detectors, optimizing SlithIR further, and extending the framework to support other contract languages like Vyper.

The study concludes by encouraging the expansion of Slither beyond Solidity by exploring its application to other contract languages and the possibility of transforming SlithIR into executable bytecode, opening new avenues for both analysis and compilation within the Ethereum ecosystem.
