Install slither

.github/scripts/slither_pr_comment.js

@@ -0,0 +1,32 @@
+module.exports = async ({ github, context, header, body }) => {
+  const body2 = body
+    .replaceAll("%8D", "\r")
+    .replaceAll("%0A", "\n")
+    .replaceAll("%25", "%");
+  const comment = [header, body2].join("\n");
+
+  const { data: comments } = await github.rest.issues.listComments({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    issue_number: context.payload.number,
+  });
+
+  const botComment = comments.find(
+    (comment) =>
+      // github-actions bot user
+      comment.user.id === 41898282 && comment.body.startsWith(header)
+  );
+
+  const requestBody = {
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    body: comment,
+  };
+  if (botComment) {
+    requestBody.comment_id = botComment.id;
+    await github.rest.issues.updateComment(requestBody);
+  } else {
+    requestBody.issue_number = context.payload.number;
+    await github.rest.issues.createComment(requestBody);
+  }
+};

.github/workflows/slither.yml

@@ -0,0 +1,46 @@
+name: Slither
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  slither:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Run Slither Analysis
+        uses: crytic/slither-action@v0.4.1
+        id: slither
+        with:
+          slither-config: slither.config.json
+          sarif: results.sarif
+          fail-on: none
+          slither-args: --checklist --markdown-root ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/
+
+      - name: Format slither output
+        id: formatted_slither
+        run: |
+          value=$(echo "${{ steps.slither.outputs.stdout }}" | sed -e '1d')
+          value="${value//'%'/'%25'}"
+          value="${value//$'\n'/'%0A'}"
+          value="${value//$'\r'/'%0D'}"
+          echo "value=${value}" >> $GITHUB_OUTPUT
+          count=$(jq '[.runs[].results[]] | length' results.sarif 2>/dev/null || echo 0)
+          echo "results_count=${count}" >> $GITHUB_OUTPUT
+
+      - name: Create/update checklist as PR comment
+        if: ${{ github.event_name == 'pull_request' && steps.formatted_slither.outputs.results_count != '0' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const script = require(".github/scripts/slither_pr_comment")
+            const header = '# Slither report'
+            const body = `${{ steps.formatted_slither.outputs.value }}`
+            const comment = [header, body].join("\n");
+            await script({github, context, header, body})

Makefile

@@ -19,3 +19,7 @@ else
 	@echo "'SOURCE={ContractName}' is required, e.g. make abi SOURCE=CrossSimpleModule"
 	@exit 1
 endif
+
+.PHONY: slither
+slither:
+	slither .

README.md

@@ -39,3 +39,10 @@ interface IContractModule {
 To generate encoders and decoders in solidity from proto files, you need to use the code generator [solidity-protobuf](https://github.com/datachainlab/solidity-protobuf).
 
 Currently, [this version](https://github.com/datachainlab/solidity-protobuf/commit/3def6706178e5407497f3d01b8f0ceb17b32108d) is required.
+
+Install Slither and use it for static analysis.
+
+```
+pip3 install slither-analyzer
+make slither
+```

slither.config.json

@@ -0,0 +1,5 @@
+{
+  "exclude_dependencies": true,
+  "exclude_informational": true,
+  "filter_paths": "node_modules|src/proto"
+}

src/core/CrossSimpleModule.sol

@@ -21,8 +21,9 @@ contract CrossSimpleModule is CrossModule, SimpleContractRegistry, TxAtomicSimpl
         pure
         returns (bytes memory acknowledgement)
     {
-        PacketAcknowledgementCall.Data memory ack;
-        ack.status = status;
+        PacketAcknowledgementCall.Data memory ack = PacketAcknowledgementCall.Data({
+            status: status
+        });
         return packPacketAcknowledgementCall(ack);
     }
 }

src/core/IBCKeeper.sol

@@ -5,7 +5,7 @@ import {IIBCHandler} from "@hyperledger-labs/yui-ibc-solidity/contracts/core/25-
 
 // IBCKeeper keeps the contracts of IBC
 abstract contract IBCKeeper {
-    IIBCHandler ibcHandler;
+    IIBCHandler internal immutable ibcHandler;
 
     constructor(IIBCHandler handler_) {
         ibcHandler = handler_;

src/core/TxAtomicSimple.sol

@@ -31,14 +31,18 @@ abstract contract TxAtomicSimple is IBCKeeper, PacketHandler, ContractRegistry {
         );
         PacketDataCall.Data memory pdc = PacketDataCall.decode(anyPayload.value);
 
-        PacketAcknowledgementCall.Data memory ack;
+        PacketAcknowledgementCall.Data memory ack = PacketAcknowledgementCall.Data({
+            status: PacketAcknowledgementCall.CommitStatus.COMMIT_STATUS_UNKNOWN
+        });
         try module.onContractCall(
             CrossContext(pdc.tx_id, txIndexParticipant, pdc.tx.signers), pdc.tx.call_info
         ) returns (bytes memory ret) {
             ack.status = PacketAcknowledgementCall.CommitStatus.COMMIT_STATUS_OK;
+            // slither-disable-next-line reentrancy-events
             emit OnContractCall(pdc.tx_id, txIndexParticipant, true, ret);
         } catch (bytes memory) {
             ack.status = PacketAcknowledgementCall.CommitStatus.COMMIT_STATUS_FAILED;
+            // slither-disable-next-line reentrancy-events
             emit OnContractCall(pdc.tx_id, txIndexParticipant, false, new bytes(0));
         }
 
@@ -72,7 +76,7 @@ abstract contract TxAtomicSimple is IBCKeeper, PacketHandler, ContractRegistry {
         pure
         returns (bytes memory)
     {
-        HeaderField.Data[] memory fields;
+        HeaderField.Data[] memory fields = new HeaderField.Data[](0);
         return Acknowledgement.encode(
             Acknowledgement.Data({
                 is_success: true,