# Auditing Tools Report ## Slither ### Installation instructions 1. Requires python >=3.6 to run. Install at https://www.python.org/downloads/ 2. After python has been successfully installed, install slither using the following commands: ``` pip3 install slither-analyzer pip3 install solc-select ``` 3. Running Slither requires the correct solc version to be compatible with the contracts you are auditing. Most likely, you will need to install the version you are needing to use. You can use this command to install a solc version: ``` solc-select install 0.8.13 ``` 4. If you are not entirely sure which versions still need to be installed, run this command to list all the available versions: ``` solc-select install ``` 5. Either of the above two commands could result in a "certificate verify failed: unable to get local issuer certificate (ssl.c:992)" error. To solve this. Locate the Python application on your computer, and select "Install Certificates.command" to fix the error. See below for an example: ![](https://i.imgur.com/ERg92rM.png) 6. Once you have successfully installed your solc version, you need to tell the terminal to use the version of your choice. To do this, follow this command: ``` solc-select use 0.8.13 ``` ### Running Slither 1. To run the auditing tool, you can either download the VS Code extensions called Slither, or run it from the command line. The next section will give a detailed explanation of using the command line to run Slither. 2. Navigate into your IDE and to your chosen project. In the terminal of the IDE, run: ``` slither . ``` 3. This will produce a generic output in the terminal with the results of the audit. At the time of writing, Slither has 83 detectors it uses to find bugs. It can be neccassary to exlude some or maybe you only want to run one type. You are able to customize the Slither audit by simply adding a "slither.config.js" file. The content of the file will look similar to this: ![](https://i.imgur.com/lyHGoHX.png) 4. Another part of the audit is the way the results are printed to the console. There are, at the time of writing, 3 different options for printers. If you would like to specifiy a specific print option, you may add the line: ``` "printers_to_run": "human-summary" ``` 5. You can replace human_summary with any other printer type. To view different detector and printer options, go to https://github.com/crytic/slither#detectors 6. To export the results to a json file, run as usual with the following added on: ``` --json <file_name.json> ``` 7. This will create a file with the provided file name and store the results in a json file. ## Mythril ### Installation instructions 1. Follow the instructions for slither to install python, once complete, run the following in your terminal: ``` pip3 install mythril ``` 2. If this command fails with an error message of "Failed building wheel for blake2b-py", it is because mythril requires a dev version of rust. So install rust for using these two commands: ``` curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh rustup default nightly ``` 3. This should allow you to install mythril. Viewing the mythril version can be done using the following command: ``` myth version ``` 4. This will most likely lead to another error message saying "ImportError: cannot import name 'getargspec' from 'inspect'". This is due to the upgrade in mythril would now imports 'getfullargspec'. To solve this, go to your home directory and follow this path: ``` /library/frameworks/Python.framework/versions/3.11/lib/python3.11/site-packages/parsimonious/expressions.py ``` 5. Inside this file, update line 9 to read: ``` from inspect import getfullargspec ``` 6. You should now be able to check your mythril version. ### Running Mythril 1. When running a contract which contains no import statements, it is as easy as running: ``` myth analyze <file_path> ``` 2. However, running mythril on contracts which contain import statements is imperical and is slightly more complex. To achieve this, create a json file for remappings and update it to look as follows (This example is for the OpenZeppelin library): ``` { "remappings": [ "@openzeppelin/=./lib/openzeppelin-contracts/" ] } ``` 3. Once you have the above json file in place, you may run the following command to execute mythril: ``` myth analyze <file_path> --solc-json <json_file_path> ``` 4. To analyze on-chain contracts, mythril used Infura as its default RPC platform. To run an analysis on a contract already deployed, run: ``` myth analyze -a <address> --infura-id <ID> ``` ## Smart Check ### Installation instructions 1. Install SmartCheck locally by running: ``` npm install @smartdec/smartcheck -g ``` 2. ## Comparisons | | Speed | Ease-of-use | Documentation | | ------- | ----- | ----------- | --- | | Slither | 10/10 | 8/10 | 7/10 | | Mythril | 5/10 | 9/10 | 7/10 |