# Auditing Tools Report

## Codiumate

### Installation instructions

Install the VS Code extension 'Codiumate'.

### Running Codiumate

Codiumate currently offers 5 services through its VS Code extension. Each result is displayed in the extension panel on the left and can be expanded into its own document. The 'enhance' command, however, does not show in the panel; you will need to click 'show diff' to see its result.

1. quick-test - Offers basic unit testing for the function or code snippet you would like tested. It follows a general testing pattern but can be useful if you need to debug an issue or verify a vulnerability.
2. explain - Gives a basic description of the function or contract you are currently looking at.
3. docstring - Generates a NatSpec comment for the function you need to describe.
4. improve - Generates improvements to the code you have selected. The suggestions are often false positives, so double-check them.
5. enhance - While improve helps detect better ways to build your function, enhance provides optimization and readability upgrades.
6. find-on-github - Lets you find the selected code in any public GitHub repository if needed.

### Updating settings

At the bottom of the extension you can select where the AI should focus as well as the different modes.

## Olympix

### Installation instructions

Install the VS Code extension 'Olympix'.

### Running Olympix

Go to the extension, which appears in the left panel of VS Code, and click 'start analysis'. It detects High, Medium and Low severity vulnerabilities and, if you scroll down, lets you view a full explanation of the vulnerability class (general, not specific to the found bug) and shows you where the vulnerability is. Read the findings carefully as some may be false positives, but the vulnerabilities are generally useful to know about.
### Updating settings

If you select the settings at the top of the extension, you are able to select and deselect the detectors and also specify the exact files you would like the AI to run on.

## Slither

### Installation instructions

1. Requires Python >=3.6 to run. Install it from https://www.python.org/downloads/
2. After Python has been successfully installed, install Slither using the following commands:
   ```
   pip3 install slither-analyzer
   pip3 install solc-select
   ```
3. Running Slither requires a solc version compatible with the contracts you are auditing. Most likely, you will need to install the version you need. You can use this command to install a solc version:
   ```
   solc-select install 0.8.13
   ```
4. If you are not sure which versions are available to install, run this command to list them:
   ```
   solc-select install
   ```
5. Either of the above two commands could result in a "certificate verify failed: unable to get local issuer certificate (ssl.c:992)" error. To solve this, locate the Python application on your computer and select "Install Certificates.command". See below for an example:
   ![](https://i.imgur.com/ERg92rM.png)
6. Once you have successfully installed your solc version, you need to tell the terminal to use the version of your choice. To do this, run:
   ```
   solc-select use 0.8.13
   ```

### Running Slither

1. To run the auditing tool, you can either download the VS Code extension called Slither, or run it from the command line. The next section gives a detailed explanation of running Slither from the command line.
2. Navigate into your IDE and to your chosen project. In the terminal of the IDE, run:
   ```
   slither .
   ```
3. This will produce a generic output in the terminal with the results of the audit. At the time of writing, Slither has 83 detectors it uses to find bugs. It can be necessary to exclude some, or perhaps you only want to run one type.
   You are able to customize the Slither audit by simply adding a "slither.config.json" file. The content of the file will look similar to this:
   ![](https://i.imgur.com/lyHGoHX.png)
4. Another part of the audit is the way the results are printed to the console. There are, at the time of writing, 3 different options for printers. If you would like to specify a particular print option, you may add the line:
   ```
   "printers_to_run": "human-summary"
   ```
5. You can replace human-summary with any other printer type. To view the different detector and printer options, go to https://github.com/crytic/slither#detectors
6. To export the results to a JSON file, run as usual with the following added on:
   ```
   --json <file_name.json>
   ```
7. This will create a file with the provided file name and store the results in it as JSON.

## Mythril

### Installation instructions

1. Follow the instructions for Slither to install Python. Once complete, run the following in your terminal:
   ```
   pip3 install mythril
   ```
2. If this command fails with an error message of "Failed building wheel for blake2b-py", it is because Mythril requires a dev (nightly) version of Rust. Install Rust using these two commands:
   ```
   curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
   rustup default nightly
   ```
3. This should allow you to install Mythril. You can view the Mythril version using the following command:
   ```
   myth version
   ```
4. This will most likely lead to another error message saying "ImportError: cannot import name 'getargspec' from 'inspect'". This is because the parsimonious dependency still imports `getargspec`, which newer Python versions no longer provide; it needs to import `getfullargspec` instead. To solve this, go to your home directory and follow this path:
   ```
   /library/frameworks/Python.framework/versions/3.11/lib/python3.11/site-packages/parsimonious/expressions.py
   ```
5. Inside this file, update line 9 to read:
   ```
   from inspect import getfullargspec
   ```
6. You should now be able to check your Mythril version.

### Running Mythril

1. When running a contract which contains no import statements, it is as easy as running:
   ```
   myth analyze <file_path>
   ```
2. However, running Mythril on contracts which contain import statements takes some trial and error and is slightly more complex. To achieve this, create a JSON file for remappings and update it to look as follows (this example is for the OpenZeppelin library):
   ```
   {
     "remappings": [
       "@openzeppelin/=./lib/openzeppelin-contracts/"
     ]
   }
   ```
3. Once you have the above JSON file in place, you may run the following command to execute Mythril:
   ```
   myth analyze <file_path> --solc-json <json_file_path>
   ```
4. To analyze on-chain contracts, Mythril uses Infura as its default RPC provider. To run an analysis on a contract that is already deployed, run:
   ```
   myth analyze -a <address> --infura-id <ID>
   ```
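The Slither steps above mention excluding detectors and exporting results with `--json`, and both Slither and Mythril can produce JSON reports. The following script is an added example for this report, not code from Slither or Mythril themselves: it normalises a Slither `--json` export and a Mythril JSON report (Mythril's `-o json` output, a flag not shown above) into one findings list, drops detectors you have reviewed and chosen to exclude, counts what remains by severity, and writes the matching `slither.config.json` so the next run skips those detectors. The two sample documents are constructed here in the shape of each tool's JSON output, and the config key names (`detectors_to_exclude`, `printers_to_run`) are assumptions to check against the version you installed.

```python
"""Triage helper for Slither and Mythril JSON exports.

Added example for this report (not Slither's or Mythril's own code). The two
sample documents below are constructed in the shape of each tool's JSON
output; check them against the version you installed.
"""
import json
from collections import Counter

# Constructed sample in the shape of a Slither --json export.
SLITHER_SAMPLE = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256)"},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter Vault.deposit(uint256)._amount is not in mixedCase"},
        {"check": "solc-version", "impact": "Informational", "confidence": "High",
         "description": "Pragma version^0.8.13 allows old versions"},
    ]},
})

# Constructed sample in the shape of a Mythril -o json report.
MYTHRIL_SAMPLE = json.dumps({
    "success": True,
    "error": None,
    "issues": [
        {"title": "External Call To User-Supplied Address", "swc-id": "107",
         "severity": "Low", "contract": "Vault", "function": "withdraw(uint256)",
         "description": "A call to a user-supplied address is executed."},
        {"title": "Unprotected Ether Withdrawal", "swc-id": "105",
         "severity": "High", "contract": "Vault", "function": "withdraw(uint256)",
         "description": "Any sender can withdraw Ether from the contract account."},
    ],
})

# Slither impacts and Mythril severities on one scale, worst first.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}


def load_slither(text):
    """Normalise a Slither --json document; fail loudly if the run itself failed."""
    doc = json.loads(text)
    if not doc.get("success"):
        raise ValueError(f"slither run failed: {doc.get('error')}")
    return [{"tool": "slither", "check": d["check"], "severity": d["impact"],
             "confidence": d.get("confidence", ""), "description": d["description"].strip()}
            for d in doc["results"]["detectors"]]


def load_mythril(text):
    """Normalise a Mythril JSON report; the SWC id becomes the check name."""
    doc = json.loads(text)
    if not doc.get("success"):
        raise ValueError(f"mythril run failed: {doc.get('error')}")
    return [{"tool": "mythril", "check": f"SWC-{i['swc-id']}", "severity": i["severity"],
             "confidence": "", "description": f"{i['contract']}.{i['function']}: {i['title']}"}
            for i in doc["issues"]]


def triage(findings, exclude_checks=(), min_severity="Low"):
    """Drop excluded checks and anything below min_severity; sort worst first."""
    cutoff = SEVERITY_ORDER[min_severity]
    kept = [f for f in findings
            if f["check"] not in exclude_checks
            and SEVERITY_ORDER.get(f["severity"], 99) <= cutoff]
    return sorted(kept, key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["tool"], f["check"]))


def severity_counts(findings):
    """Map severity label to number of findings, e.g. {'High': 2, 'Low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def slither_config(exclude_checks, printer="human-summary"):
    """Return slither.config.json text that skips the given detectors.

    Assumed key names (detectors_to_exclude takes a comma-separated string);
    verify them against your installed Slither version.
    """
    return json.dumps({"detectors_to_exclude": ",".join(sorted(exclude_checks)),
                       "printers_to_run": printer}, indent=2)


if __name__ == "__main__":
    ignore = {"naming-convention", "solc-version"}  # reviewed and accepted as noise
    findings = load_slither(SLITHER_SAMPLE) + load_mythril(MYTHRIL_SAMPLE)
    for f in triage(findings, ignore, min_severity="Informational"):
        print(f"{f['severity']:<13} {f['tool']:<8} {f['check']:<18} {f['description']}")
    print(severity_counts(triage(findings, ignore)))
    print(slither_config(ignore))
```

In real use, replace the two constructed samples with `open("out.json").read()` for the file written by `slither . --json out.json` and the Mythril report, and keep the exclusion set under version control next to `slither.config.json` so that anyone re-running the audit sees which detectors were silenced and why.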