Slither: Static Analysis for Ethereum Contracts

• Slither is a static analysis framework that converts Solidity contracts into a concise SSA-based intermediate representation for precise and scalable vulnerability analysis.
• It employs robust techniques such as dataflow and taint tracking to detect issues like reentrancy, tx.origin misuse, and other advanced threat patterns.
• The framework’s modular design supports large-scale batch analysis, code optimization, and risk scoring, as demonstrated by empirical evaluations on high-profile contracts.

Slither is a static analysis framework developed for the high-fidelity analysis of Ethereum smart contracts written in Solidity. Designed with large-scale, automated vulnerability detection in mind, Slither operates by converting contract source to a Static Single Assignment (SSA)–based intermediate representation (SlithIR) to facilitate a spectrum of program analyses. The framework combines support for rapid, robust batch analysis with modular extensibility, enabling research and audit tasks ranging from bug finding to code optimization, review assistance, and the large-scale paper of contract ecosystems—including the detection of advanced threat patterns such as rug pulls and hidden backdoors.

1. Architecture and Intermediate Representation

Slither parses Solidity source files, receiving an Abstract Syntax Tree (AST) from the compiler. It then transforms this into SlithIR, an SSA-style, reduced-instruction intermediate representation comprising fewer than 40 instructions. This IR design explicitly preserves type information, control and data dependencies, variable scopes, and storage reference aliasing—crucial for semantically accurate analysis of contracts.

• SSA Transformation: SlithIR ensures variable assignments are unique via SSA indexing, with phi ($\phi$) nodes inserted for state variables at function entries and after external calls to accommodate re-entrancy and non-local definitions:

$x_1 = 3; \quad y_1 = x_1; \quad x_2 = x_1 + 1$

• Instruction Set: The IR models statements such as arithmetic, member accesses, mapping dereferences, and categorizes calls (library, internal, external), facilitating targeted analyses.

2. Fundamental Analysis Techniques

Slither employs a combination of static analysis methods, leveraging its IR for precision:

• Dataflow Analysis: SSA-based explicit def-use chains enable precise propagation of value and control dependencies, critical for identifying data races, state mismanagement, and determining uninitialized variables.
• Taint Tracking: User-controlled input sources are traced through data dependencies to sinks, with fixpoint computation across function boundaries. This enables deep bug finding for issues like unchecked writes, reentrancy, and unprotected state mutation.
• Read/Write Set Analysis: Tracks accesses to state and local variables, supporting enforced heuristics (e.g., ownership protections via msg.sender checks).
• Control-Flow and Inheritance Graphs: Construction as auxiliary artifacts for higher-level analyses (e.g., function reachability, access privilege audits).

3. Automated Vulnerability and Optimization Detection

Slither includes over twenty built-in detectors, each implemented as modular rules or analysis passes:

• Vulnerability Detection: Reentrancy, suicidal contracts, locked ether, ill-formed selfdestructs, misuse of tx.origin, shadowed variables, dangerous external calls, and others. These often combine data dependency, call graph traversal, and pattern heuristics for precise context.
• Optimization Opportunities: Functions and variables eligible for externality or constness, irrelevant code paths, or gas-inefficient constructs.
• Practical Evaluation: In a controlled evaluation on 1,000 high-profile contracts, Slither demonstrated near–linter speed, zero timeouts, and outperformance over Securify/SmartCheck in execution time. Notably, in reentrancy detection, its false positive rate remained at 10.9%, compared to competitors’ 25%–90%.

4. Large-Scale and Custom Analyses

Slither’s modular Python API enables its use in large-scale, automated contract screening and researcher-driven extensions.

• Ecosystem-Scale Auditing: As in (Pathade et al., 9 Jun 2025), Slither was employed to analyze 49,940 NFT contracts, extracting over 49,000 ASTs/CFGs for vulnerability mining. A custom pipeline—leveraging contract import resolution, pragma filtering, and batch-JSON extraction—enabled scalable risk profiling of ERC-721/1155–like contracts.
• Heuristic Risk Scoring: Detected patterns (e.g., selfdestruct, delegatecall, owner-only mint/withdrawal, tx.origin for access control) are mapped to a risk score, classified by:

$$\text{Risk Tier} = \begin{cases} \text{High Risk} & \text{if score} \geq 5 \ \text{Medium Risk} & 3 \leq \text{score} \leq 4 \ \text{Low Risk} & 1 \leq \text{score} \leq 2 \ \end{cases}$$

High-risk clusters, determined via heatmap co-occurrence of red-flag patterns, can be visualized for systemic and per-contract insight.

5. Extension with Advanced Analyses

Recent research demonstrates Slither’s extensibility with advanced static analysis techniques:

• Interval Analysis Integration: Interval analysis, layered atop Slither’s IR and CFG, propagates interval abstractions ($[a,b]$) for variables through the program, updating via transfer functions and accumulating constraints. The worklist algorithm iterates to fixpoint:

$$S = (Lab, Ext, Flw, (D, \sqsubseteq), \varepsilon, \varphi)$$

With $D$ extended to $AI = (Val, Con)$ for both value intervals and boolean expression constraints (e.g., from require/assert), and an SMT solver (Z3) used to check feasibility of constraint sets and detect unreachable code, domain mismatches, division-by-zero, and locked ether (Susan et al., 2023, Susan, 31 Oct 2024).

• Combined Static/Symbolic Analysis: Hybrid tools like MPro use Slither to extract data dependency information, which then guides the pruning of symbolic execution trees, reducing path explosion and improving scalability/accuracy for depth-$n$ vulnerability detection (Zhang et al., 2019).

6. Empirical Impact and Known Limitations

Rigorous comparative studies show that Slither’s approach leads to high bug detection coverage, especially for sophisticated patterns (e.g., reentrancy, tx.origin), but not uniformly across all vulnerability types:

• In bug injection campaigns (Ghaleb et al., 2020), Slither achieved near-perfect detection of reentrancy and tx.origin misuse but underperformed on timestamp dependency and unhandled exception bugs.
• The framework’s comprehensive detection comes at the cost of some over-reporting, requiring further refinement for true positive/false positive tradeoff.
• High performance and robustness (minimal analysis timeouts and crashes) are empirically demonstrated on large datasets.

7. Practical Implications and Future Directions

Slither establishes itself as a foundational framework for both practical auditing and research:

• Developer/Auditor Benefits: Integration into review workflows, rapid feedback on code optimizations, and generation of function/call/inheritance diagrams.
• Ecosystem Security: Enables NFT marketplaces, custodians, and platforms to vet contracts en masse, applying risk-based onboarding.
• Framework Evolution: Research continues to extend Slither with domain-specific static rules, combinations with dynamic analysis (fuzzing), interval/constraint analyses, and user-customizable rule languages (e.g., StarLang (Hayoun et al., 19 Apr 2024)) to address blind spots and tailor scans for new exploit patterns.
• Mitigation Guidance: Research leveraging Slither recommends explicit restriction/removal of constructs (selfdestruct, delegatecall), decentralization of privileges (multi-sig, renouncing ownership), and automated metadata verification to preempt the activation of malicious backdoors (Pathade et al., 9 Jun 2025).

Slither’s core design—centered on SSA-based intermediate representation, modular analyses, and extensibility—has rendered it a practical and research-enabling platform for the static verification and vulnerability analysis of Ethereum smart contracts, with demonstrable impact on the detection of both conventional and advanced threat patterns at scale.