Releases: crytic/slither
Releases · crytic/slither
0.11.3
Contributors
elopez
Assets 10
0.11.2
This minor release fixes a bug in the storage pointer analysis.
What's Changed
Full Changelog: 0.11.1...0.11.2
Contributors
smonicas
Assets 10
0.11.1
This release improves the support of unicode character where previously it would have resulted in erroneous source mapping for tools such as slither-flat and slither-mutate, adds function calls stack information to simplify the understanding of the output for certain detectors (calls-loop, costly-loop, delegatecall-loop, msg-value-loop) and other bug fixes.
What's Changed
- Fix order yul parsing identifiers by @smonicas in #2671
- Fixes issue 2524, Slot Calculation for Variables that Cross 32-Byte by @Jayakumar2812 in #2664
- Fix slither-read-storage crash when a structure has only other structs as fields by @smonicas in #2666
- Improve the support for sstore/sload with simple slot access by @montyly in #2670
- Refactor docs by @montyly in #2685
- Dev update entry points printer by @nisedo in #2668
- Update MyPrettyTable alignment to left-align all fields by default by @nisedo in #2672
- Improved unicode support in mutator, flattener, and more by @bohendo in #2662
- chore: fix some typos in comments by @shenpengfeng in #2678
- slither-mutate: Check if a contract is an interface properly by @smonicas in #2697
- Improve support for storage pointer analysis by @montyly in #2677
- Propagate type aliases from base to derived contracts by @smonicas in #2693
- Add calls stack information to detectors by @smonicas in #2696
New Contributors
- @Jayakumar2812 made their first contribution in #2664
- @shenpengfeng made their first contribution in #2678
Full Changelog: 0.11.0...0.11.1
Contributors
bohendo, montyly, and 4 other contributors
Assets 10
0.11.0
This release adds support for the latest Solidity features like using a custom error in a require statement and transient storage, adds 7 new detectors, 2 new printers and various other improvements.
NOTE: There are breaking changes to some API in particular the variables properties in the Contract class (see #2588) and the *Calls API (see #2555).
The new detectors are:
pyth-deprecated-functions: Detect Pyth deprecated functionspyth-unchecked-confidence: Detect when the confidence level of a Pyth price is not checkedpyth-unchecked-publishtime: Detect when the publishTime of a Pyth price is not checkedchronicle-unchecked-price: Detect when Chronicle price is not checkedgelato-unprotected-randomness: Call to _requestRandomness within an unprotected functionchainlink-feed-registry: Detect when chainlink feed registry is usedoptimism-deprecation: Detect when deprecated Optimism predeploy or function is used
The new printers are:
entry-points: Print all the state-changing entry point functions of the contractscheatcode: Print the usage of (Foundry) cheatcodes in the code
The following is an example of the entry-points printer for Uniswap v4 core.
We thank all of our external contributors for their effort!
What's Changed
- Enable running slither as pre-commit hook by @dbast in #2521
- Add support custom errors in require by @smonicas in #2550
- bugfix: IR generation when parsing Event as left variable by @hamdiallam in #2567
- Fix #2266 by @DarkaMaul in #2412
- Improve performances of offsets references. by @DarkaMaul in #2481
- CI Improvement by @montyly in #2571
- Add Optimism deprecation detector by @smonicas in #2575
- Add Pyth deprecated functions detector by @smonicas in #2580
- Add StateVariable location by @smonicas in #2585
- Add Chainlink feed registry detector by @smonicas in #2576
- Add Pyth unchecked publishTime and confidence detectors by @smonicas in #2581
- Add Chronicle unchecked price detector by @smonicas in #2584
- Add Gelato VRF unprotected request detector by @smonicas in #2582
- Add instruction in README for how to upgrade slither by @CJ42 in #2498
- Improve transient storage support by @smonicas in #2588
- Fix IR conversion when an Event selector is accessed by @smonicas in #2589
- Echidna printer Improve values extraction by @smonicas in #2574
- Printer cheatcode by @DarkaMaul in #2413
- chore: fix some comments by @withbest in #2518
- fix: mapping to type value lookup with top-level constant by @0xalpharush in #2568
- Add assert information for echidna by @smonicas in #2560
- Fix reorder arguments when a function is overridden with diff param names by @smonicas in #2611
- fix: typos in documentation files by @leopardracer in #2607
- Boxes + horizontal flow makes for more readable call graphs by @DanielVF in #2603
- Fix reorder argument edge case by @smonicas in #2614
- Updated slither-mutate logs by @bohendo in #2625
- incorrect-modifier: Fix infinite loop by @smonicas in #2628
- Fix are_variables_written analysis for named return variables by @smonicas in #2631
- Fix detectors wiki links by @smonicas in #2640
- Pyth detectors: Fix assertion error by @smonicas in #2639
- Typo fix README.md by @dedyshkaPexto in #2641
- slither-mutate: fix AOR mutator by @smonicas in #2653
- Add entry-points printer to identify all externally accessible state-changing functions by @nisedo in #2616
- Update README.md by @hexshire in #2656
New Contributors
- @dbast made their first contribution in #2521
- @hamdiallam made their first contribution in #2567
- @withbest made their first contribution in #2518
- @leopardracer made their first contribution in #2607
- @DanielVF made their first contribution in #2603
- @dedyshkaPexto made their first contribution in #2641
- @nisedo made their first contribution in #2616
- @hexshire made their first contribution in #2656
Full Changelog: 0.10.4...0.11.0
Contributors
DanielVF, dbast, and 12 other contributors
Assets 10
0.10.4
This is a minor release that fixes some issues caused by updates to the web3.py library. Also, it contains fixes/improvements for a couple detectors: fix the solc-version detector which was warning on solc versions without bugs, don't report arbitrary-send-eth if the recipient if it's an immutable value, disable unused-import as it was slow and not handling a few edge cases correctly. Finally, slither-check-upgradeability has a new check which identifies the bug that was the cause of the most recent Ronin hack (see #2536).
We thank all of our external contributors for their effort!
What's Changed
- arbitrary-send-eth: Don't report if destination is immutable state var by @smonicas in #2488
- sync dev <> master by @0xalpharush in #2493
- Update WIKI_DESCRIPTION for "dead_code.py" by @ThomasHeim11 in #2492
- Dockerfile: fix
ckzgbuild by @elopez in #2494 - Added length check on
bugs_by_versionfor specificversion_numberby @MukulKolpe in #2499 - Bump docker/build-push-action from 5 to 6 by @dependabot in #2486
- Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 by @dependabot in #2485
- Improve slither-mutate testing by @DarkaMaul in #2482
- Add a new parameter
max_widthto MyPrettyTable by @DarkaMaul in #2426 - slither-mutate: (AOR) Fix for dynamic array operations by @smonicas in #2484
- Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0 by @dependabot in #2508
- ci: require web3 with <5 eth_typing deps by @0xalpharush in #2537
- add upper bound by @0xalpharush in #2541
- Revert "Reduce verbosity for InvalidCompilation errors" by @0xalpharush in #2529
- disable unused import by @0xalpharush in #2540
- tool: add detector for multiple new reinitializers by @QiuhaoLi in #2536
- Bump pypa/gh-action-pip-audit from 1.0.8 to 1.1.0 by @dependabot in #2531
- sync master <> dev by @0xalpharush in #2506
New Contributors
- @ThomasHeim11 made their first contribution in #2492
- @MukulKolpe made their first contribution in #2499
- @QiuhaoLi made their first contribution in #2536
Full Changelog: 0.10.3...0.10.4
Contributors
elopez, DarkaMaul, and 6 other contributors
Assets 10
0.10.3
This is a minor release that fixes several bugs, improves performance, and addresses some false positives. There is a new flag, --include-detectors, to override exclusion rules e.g. run a specific low severity detector while excluding others with --exclude-low. The detector, similar-names, has been removed.
We would like to thank our external contributors:
What's Changed
- Fix: unused state var detector for abstract/library by @0xalpharush in #2419
- Remove deprecated flags and their migration. by @DarkaMaul in #2410
- Fix #2430 by @DarkaMaul in #2431
- Chore: fix some typos in comments by @careworry in #2433
- Restore plugin example to working state by @elopez in #2436
- Chore: fix some typos in comments by @alwayshang in #2444
- Reduce verbosity for InvalidCompilation errors by @DarkaMaul in #2417
- Configure coderabbit review to also consider PR on dev branch. by @DarkaMaul in #2441
- chore: fix typos and link update by @xiaoxianBoy in #2453
- chore: recommend upgrading in issue template by @0xalpharush in #2457
- Features/perf improvment by @DarkaMaul in #2438
- Fix: use contract declarer's scope for name resolution by @0xalpharush in #2459
- Fix bugs in the EVM printer by @DarkaMaul in #2435
- Add detectors to include override exclude args by @nsiregar in #2440
- Chore/remove unused scripts by @0xalpharush in #2468
- Fix inheritance printer rebase by @0xPhaze in #2153
- Add more academic references by @montyly in #2270
- Update: improve unhandled initializers in unprotected-upgrade detector by @vovikhangcdv in #2203
- Write
slither.db.jsonfile on each save_results_to_hide by @utx0 in #2071 - Remove similar-names bc it's slow by @0xalpharush in #2469
- Improve message error for when Crytic throws a KeyError. by @DarkaMaul in #2418
- Fix regex patterns by @DarkaMaul in #2442
- Fix: do not flag imports from import container as unused by @0xalpharush in #2471
- Fix: filtering of unused-import,incorrect-solc, pragma by @0xalpharush in #2472
- Fix ordering and dead-code detector by @0xalpharush in #2476
New Contributors
- @careworry made their first contribution in #2433
- @alwayshang made their first contribution in #2444
- @xiaoxianBoy made their first contribution in #2453
- @0xPhaze made their first contribution in #2153
- @vovikhangcdv made their first contribution in #2203
- @utx0 made their first contribution in #2071
Full Changelog: 0.10.2...0.10.3
Contributors
utx0, elopez, and 9 other contributors
Assets 10
0.10.2
0.10.2 - 2024-04-08
This minor release contains several enhancements and resolves several bugs, most notably:
- Revamps slither-mutate with first class support for Foundry projects (see quickstart)
- New detector identifies unused imports (
slither . --detect unused-import) - Resolves longstanding issues in import resolution and lack of support for aliases (see #1452)
- Improves the reference/declaration API in order to facilitate LSP integration
- Accurately models implicit returns in the intermediate representation (see #1880)
We would like to thank our external contributors:
New Features
- Slither-mutate: fit and finish by @bohendo in #2302
- Feat: add detector for unused imports by @0xalpharush in #2392
- Add virtual and override attribute in Function by @smonicas in #2333
- Feat/virtual override with refs by @0xalpharush in #2376
Bug Fixes
- Fix CONTINUE node in the cfg by @Tiko7454 in #2047
- Update inheritance graph printer to handle multiple contracts with same names by @dokzai in #2159
- Fix parsing of events by @smonicas in #2365
- Slither-mutate: bugfix when two files have the same name by @DarkaMaul in #2357
- Add support for send builtin by @0xalpharush in #2212
- Fix IR for top level functions with using-for by @smonicas in #2367
- Update PR#2034 by @0xalpharush in #2384
- Fix: preserve empty tuple components during declaration-to-assignment conversion by @kevinclancy in #2034
- Fix: guard literal implicit conversion for arrays by @0xalpharush in #2383
- Fix: add missing references in the source mapping API by @0xalpharush in #2371
- Fix: support aliases for NewContract operation by @0xalpharush in #2370
- Fix: add newline to incorrect-modifier output by @0xalpharush in #2386
- ArrayType: Check the folded length in eq by @smonicas in #2331
- Fix: lookup of type alias as member of contract by @0xalpharush in #2404
- Resolve available definitions from import by reference ID by @0xalpharush in #2403
- Filter name-reused detector to only run on Truffle projects (#2390) by @nsiregar in #2394
Enhancements
- Fix/model named returns by @0xalpharush in #2326
- Ci: linter, pylint: upgrade superlinter to v6 by @elopez in #2303
- Add funding metadata to repository by @elopez in #2346
- Create issue-metrics.yml by @0xalpharush in #2366
- Chore: remove repetitive word by @rustrover in #2363
- Update node.py by @eltociear in #2358
- Support python3.12 by @0xalpharush in #2348
- Chore: remove repetitive words by @majorteach in #2373
- Implement pytest parameterize on test_implicit_returns (#2350) by @nsiregar in #2381
- Wiki/too many digits by @0xalpharush in #2385
- Upgrade slither-mutate readme by @bohendo in #2391
- Add all variables read/written by @smonicas in #2368
- Add test for #2331 by @0xalpharush in #2405
- Prepare for 0.10.2 release by @0xalpharush in #2406
- Removed unused import by @0xalpharush in #2408
New Contributors
- @rustrover made their first contribution in #2363
- @DarkaMaul made their first contribution in #2357
- @eltociear made their first contribution in #2358
- @majorteach made their first contribution in #2373
- @nsiregar made their first contribution in #2381
Full Changelog: 0.10.1...0.10.2
Contributors
kevinclancy, elopez, and 11 other contributors
Assets 10
0.10.1
0.10.1 - 2024-02-29
This is a minor release that adds support for Solidity 0.8.24 and top level events. It includes a new detector, out-of-order-retryable, which detects potential misuse of Arbitrum's retryable transactions. Also, there is a new CLI flag, --include-paths which allows one to only include results from a given path.
We would like to thank all of our external contributors:
What's Changed
New Features
- Add support top level events by @smonicas in #2219
- Add support Solidity 0.8.24 by @smonicas in #2281
- Add
--include-pathsoption by @smonicas in #2330- For example,
slither . --include-paths (src/|contracts/)will only include results from files withinsrcorcontractsdirectory. Note, this is uses python-style regex and cannot be used at the same time as--filter-paths.
- For example,
- Feat: out of order retryable detector by @0xalpharush in #2340
Bug Fixes
- Fix:
is_reentrantfor internal vyper functions by @0xalpharush in #2211 - Fix: iterative update by @0xalpharush in #2206
- Fix: detect selfdestruct in internal calls by @0xalpharush in #2232
- Fix using for when used with "this" by @smonicas in #2224
- Fix: broken doc links by @mds1 in #2299
- Fix: slither: utils: respect colorization state when printing tables by @elopez in #2310
- Fix: support inheritance resolution when contract name is reused by @0xalpharush in #2332
- Fix: support renaming in base inheritance and base constructor calls by @0xalpharush in #2320
- Fix: immediate inheritance by @Tiko7454 in #2306
Enhancements
- Update README.md by @vielite in #2198
- Update installation instrucitons by @0xalpharush in #2189
- Update Dockerfile by @0xalpharush in #2188
- Raise an error when a missing contract is specified to read-storage by @UsmannK in #2235
- Remove unused files by @0xalpharush in #2197
- Substituted the letter
zwithxin pre-declaration by @ATREAY in #2258 - Upgraded Slither-mutate by @vishnuram1999 in #2278
- Divide-before-multiply: Detect also in modifiers by @smonicas in #2280
- Properties, documentation: correct tool descriptions and usage by @elopez in #2311
- Fix example by @0xalpharush in #2312
- Make triage database path customizable by @elopez in #2298
- Create a variable API that filters out constants and immutables by @dokzai in #2323
- Add regression test for #2313 by @0xalpharush in #2321
- Msg-value-loop: Don't report if msg.value is in a conditional expression by @smonicas in #2239
- Incorrect-shift: Detect only assembly blocks by @smonicas in #2315
- Track storage variables read/written in assembly by @smonicas in #2329
New Contributors
- @vielite made their first contribution in #2198
- @UsmannK made their first contribution in #2235
- @ATREAY made their first contribution in #2258
- @vishnuram1999 made their first contribution in #2278
Full Changelog: 0.10.0...0.10.1
Contributors
elopez, UsmannK, and 8 other contributors
Assets 10
0.10.0
0.10.0 - 2023-10-18
This release adds support for Vyper 0.3.7 (thanks to the funding from VyperLang)! Currently, Vyper frameworks such as Ape are not supported. To run slither on Vyper codebases, target the source directory e.g. run slither ./contracts if the Vyper contracts are in the contracts/ directory.
Additionally, this release includes 5 new detectors, 3 new printers, and several bugs fixes related to recent solidity features. The echidna/medusa integration was sped up and provides more information to the fuzzers.
With the release of crytic-compile 0.3.5, support for foundry projects is significantly improved: Slither can now be run on a single file from a foundry project and detect the necessary imports automatically (ex: run slither contracts/some_file.sol instead of slither . ).
We would like to thank all of our external contributors:
- @dokzai
- @kevinclancy
- @SEJeff
- @SheldonHolmgren
- @yisun92
- @Tiko7454
What's Changed
New Features:
- Vyper support by @0xalpharush in PR #2099
- 5 new detectors by @montyly in PR #2156
incorrect-return/return-leave/incorrect-exp/tautological-compare/return-bomb
- Printers
- ck by @devtooligan in PR #1895
- halstead by @devtooligan in PR #1878
- martin by @devtooligan in PR #1889
Breaking Changes:
- Improve name resolution of type aliases by @smonicas in PR #2061
- Change return type to UnaryType instead of UnaryOperationType by @dokzai in PR #2124
Enhancements:
- Add CustomError as printable output by @smonicas in PR #2063
- Improve mapping-deletion detector for nested mappings by @smonicas in PR #2084
- Improve constants extraction of ReferenceVariable by @smonicas in PR #2098
- Better struct handling in code generation util by @webthethird in PR #2068
- Add end assembly node in the cfg by @smonicas in PR #2078
- Use crytic-compile 0.3.5
Bug Fixes:
- Fix CONTRIBUTING.md by @smonicas in PR #2052
- Fix ternary rewrite test and make assertion more strict by @0xalpharush in PR #2067
- UnaryOperation: -variable and +variable doesn't make variable an lvalue by @SheldonHolmgren in PR #2027
- Fix assertion failure in dominator computation for dead code by @Tiko7454 in PR #1984
- Fix typo in Contract.get_state_variable_from_canonical_name() by @yisun92 in PR #1983
- Fix divide before multiply detector non deterministic results by @smonicas in PR #2114
- Detectors: cache_array_length: include source mapping in finding by @elopez in PR #2076
- Fix a typo in the help text by @SEJeff in PR #2155
- Fix abi.decode tuple result with udt by @smonicas in PR #2048
- Fix parsing super call expression by @smonicas in PR #2151
- Fix(convert): do not convert array type to elementary for
InitArrayby @0xalpharush in PR #2018 - Fix: reorder named arguments to match declaration order by @kevinclancy in PR #1949
- Fix enum.max/min when enum in other contract by @smonicas in PR #2051
Continuous Integration and Dependencies:
- Bump pypa/gh-action-pypi-publish from 1.8.7 to 1.8.10 by @dependabot in PR #2049, PR #2086
- ci: add problem matchers for yamllint and pylint by @0xalpharush in PR #2070
- Bump sigstore to 2.1.0 by @0xalpharush in PR #2081, PR #2154
- Fix CI by @montyly in PR #2170
- chore: bump sigstore to 2.0.0 by @0xalpharush in PR #2081
- Bump actions/upload-pages-artifact, actions/checkout, cachix/install-nix-action, docker/setup-buildx-action, docker/build-push-action, docker/setup-qemu-action, docker/login-action by @dependabot in PR #2044, PR #2112, PR #2111, PR #2132, PR #2133, PR #2134, PR #2135
New Contributors
- @SheldonHolmgren made their first contribution in #2027
- @yisun92 made their first contribution in #1983
- @dokzai made their first contribution in #2110
- @SEJeff made their first contribution in #2155
Full Changelog: 0.9.6...0.10.0
Contributors
SEJeff, kevinclancy, and 11 other contributors
Assets 10
v0.9.6
0.9.6 - 2023-07-06
This release fixes a regression in the unchecked-lowlevel call detector and a crash in the cache-array-length detector.
What's Changed
- fix(cache-array-length): handle when
HighLevelCallis aStateVariableby @0xalpharush in #2019 - fix regression that caused retdata to be flagged by @0xalpharush in #2029
- docs(readme): add new docs link by @sambacha in #2010
New Contributors
- @dependabot made their first contribution in #1992
- @sambacha made their first contribution in #2010
Full Changelog: 0.9.5...0.9.6
Contributors
dependabot, sambacha, and 0xalpharush