Releases: crytic/slither
0.11.5
This minor release upgrades the minimum Python version to 3.10, adds one new detector, reentrancy-balance, and includes various other fixes.
What's Changed
- Fix markdown lint on docs/ by @dguido in #2870
- slither-doctor: paths: follow symlinks by @elopez in #1608
- fixed consistency by @shushaaniik in #2556
- Add paths to inheritance printer by @shargon in #2732
- chore: fix typos by @omahs in #2723
- fix: update snapshots for typo fix in uninitialized detector by @dguido in #2886
- #2688 fix markdown linter by @nsiregar in #2722
- docs: Add comprehensive CLAUDE.md for AI-assisted development by @dguido in #2889
- fix: remove Etherscan API dependency from CI tests by @dguido in #2890
- ci: Harden and optimize GitHub Actions workflows by @dguido in #2891
- chore: modernize pre-commit hooks with prek by @dguido in #2894
- chore: modernize Makefile to use uv-native workflow by @dguido in #2895
- fix: correct ERC conformance JSON key and document evm-cfg-builder dep by @dguido in #2896
- chore: enable 34 additional ruff lint rules by @dguido in #2898
- fix: add fasttext as optional dependency for slither-simil by @dguido in #2899
- feat: upgrade minimum Python version to 3.10, modernize type annotations by @dguido in #2900
- detectors: unindexed-event-address: add source mapping information to detection by @elopez in #2918
- Add reentrancy-balance detector by @smonicas in #2919
New Contributors
- @shushaaniik made their first contribution in #2556
- @omahs made their first contribution in #2723
Full Changelog: 0.11.4...0.11.5
0.11.4
This release adds support for the CLZ EVM opcode and for Solidity custom storage layout, adds 1 new detector, unindexed-event-address, and includes various fixes. Additionally, it changes the development environment to use uv and ruff for linting.
What's Changed
- Update FUNDING.json by @bsamuels453 in #2713
- FIxed typo of solidity and conditions by @sidarth16 in #2751
- docs: fix typos by @Ahjan1999 in #2726
- chore: fix some typos in comment by @tsinghuacoder in #2703
- Fix Usage.md by @shargon in #2737
- Fix trimmed network string by @DaniPopes in #2775
- tests: mutator: fix test after crytic-compile update by @elopez in #2816
- tests: fix slither_config by @elopez in #2817
- chore: remove redundant word by @tzchenxixi in #2790
- Build: Migrate from setuptools to hatchling with uv by @dguido in #2849
- Lint: Migrate from black/pylint to ruff by @dguido in #2850
- Style: Apply ruff auto-fixes for formatting by @dguido in #2852
- CI: Modernize CI workflows and bump Python to 3.9+ by @dguido in #2851
- Remove codex detector by @smonicas in #2853
- Fix signature of fixed size arrays by @smonicas in #2771
- Fix try-catch parsing by @smonicas in #2730
- Fix cases of echidna printer crashing by @smonicas in #2727
- Clean up GitHub templates and config files by @dguido in #2848
- docs: add CLAUDE.md coding standards for AI assistants by @dguido in #2855
- Test Slither on Python 3.13 and 3.14 by @elopez in #2858
- Add support for CLZ EVM opcode by @smonicas in #2857
- Bump actions/checkout from 4 to 6 by @dependabot[bot] in #2859
- fix: expand add_refers_to assertion to accept TopLevelVariable by @nisedo in #2827
- Mutation cleanup by @bohendo in #2761
- Add storage variables and contract inheritance to entry-points printer by @nisedo in #2768
- fix: handle Unicode characters correctly in mutator byte offset calculation by @stevennevins in #2832
- feat(mutator): add --target-functions flag to filter mutations by selector by @stevennevins in #2828
- Add detector's name in the output by @smonicas in #2864
- Support custom storage layout by @smonicas in #2863
- Fix aliasing of member access with Vyper's builtins when parsing an expression by @smonicas in #2861
- Fix parsing of modifiers by @smonicas in #2860
- Remove iterating modifiers as they are already present from all_internal_calls() by @smonicas in #2865
- Modernize plugin_example to use pyproject.toml by @dguido in #2869
- uv lock --upgrade by @elopez in #2873
- Target master branch for development by @smonicas in #2874
- Add unindexed-event-address detector by @smonicas in #2866
- Optimize Dockerfile: migrate to uv, reduce build context by @dguido in #2883
- Fix Docker build for armv7: use curl to install uv with pip fallback by @dguido in #2884
- Fix Docker armv7 build: add build tools for pip wheel compilation by @dguido in #2885
New Contributors
- @Ahjan1999 made their first contribution in #2726
- @tsinghuacoder made their first contribution in #2703
- @shargon made their first contribution in #2737
- @DaniPopes made their first contribution in #2775
- @tzchenxixi made their first contribution in #2790
- @stevennevins made their first contribution in #2832
Full Changelog: 0.11.3...0.11.4
0.11.3
0.11.2
0.11.1
This release improves support for Unicode characters, which previously resulted in erroneous source mapping for tools such as slither-flat and slither-mutate; adds function call stack information to make the output of certain detectors (calls-loop, costly-loop, delegatecall-loop, msg-value-loop) easier to understand; and includes other bug fixes.
What's Changed
- Fix order yul parsing identifiers by @smonicas in #2671
- Fixes issue 2524, Slot Calculation for Variables that Cross 32-Byte by @Jayakumar2812 in #2664
- Fix slither-read-storage crash when a structure has only other structs as fields by @smonicas in #2666
- Improve the support for sstore/sload with simple slot access by @montyly in #2670
- Refactor docs by @montyly in #2685
- Dev update entry points printer by @nisedo in #2668
- Update MyPrettyTable alignment to left-align all fields by default by @nisedo in #2672
- Improved unicode support in mutator, flattener, and more by @bohendo in #2662
- chore: fix some typos in comments by @shenpengfeng in #2678
- slither-mutate: Check if a contract is an interface properly by @smonicas in #2697
- Improve support for storage pointer analysis by @montyly in #2677
- Propagate type aliases from base to derived contracts by @smonicas in #2693
- Add calls stack information to detectors by @smonicas in #2696
New Contributors
- @Jayakumar2812 made their first contribution in #2664
- @shenpengfeng made their first contribution in #2678
Full Changelog: 0.11.0...0.11.1
0.11.0
This release adds support for the latest Solidity features like using a custom error in a require statement and transient storage, adds 7 new detectors, 2 new printers and various other improvements.
NOTE: There are breaking changes to some APIs, in particular the variables properties in the Contract class (see #2588) and the *Calls API (see #2555).
The new detectors are:
- pyth-deprecated-functions: Detect Pyth deprecated functions
- pyth-unchecked-confidence: Detect when the confidence level of a Pyth price is not checked
- pyth-unchecked-publishtime: Detect when the publishTime of a Pyth price is not checked
- chronicle-unchecked-price: Detect when Chronicle price is not checked
- gelato-unprotected-randomness: Call to _requestRandomness within an unprotected function
- chainlink-feed-registry: Detect when chainlink feed registry is used
- optimism-deprecation: Detect when deprecated Optimism predeploy or function is used
The new printers are:
- entry-points: Print all the state-changing entry point functions of the contracts
- cheatcode: Print the usage of (Foundry) cheatcodes in the code
The following is an example of the entry-points printer for Uniswap v4 core.
We thank all of our external contributors for their effort!
What's Changed
- Enable running slither as pre-commit hook by @dbast in #2521
- Add support custom errors in require by @smonicas in #2550
- bugfix: IR generation when parsing Event as left variable by @hamdiallam in #2567
- Fix #2266 by @DarkaMaul in #2412
- Improve performances of offsets references. by @DarkaMaul in #2481
- CI Improvement by @montyly in #2571
- Add Optimism deprecation detector by @smonicas in #2575
- Add Pyth deprecated functions detector by @smonicas in #2580
- Add StateVariable location by @smonicas in #2585
- Add Chainlink feed registry detector by @smonicas in #2576
- Add Pyth unchecked publishTime and confidence detectors by @smonicas in #2581
- Add Chronicle unchecked price detector by @smonicas in #2584
- Add Gelato VRF unprotected request detector by @smonicas in #2582
- Add instruction in README for how to upgrade slither by @CJ42 in #2498
- Improve transient storage support by @smonicas in #2588
- Fix IR conversion when an Event selector is accessed by @smonicas in #2589
- Echidna printer Improve values extraction by @smonicas in #2574
- Printer cheatcode by @DarkaMaul in #2413
- chore: fix some comments by @withbest in #2518
- fix: mapping to type value lookup with top-level constant by @0xalpharush in #2568
- Add assert information for echidna by @smonicas in #2560
- Fix reorder arguments when a function is overridden with diff param names by @smonicas in #2611
- fix: typos in documentation files by @leopardracer in #2607
- Boxes + horizontal flow makes for more readable call graphs by @DanielVF in #2603
- Fix reorder argument edge case by @smonicas in #2614
- Updated slither-mutate logs by @bohendo in #2625
- incorrect-modifier: Fix infinite loop by @smonicas in #2628
- Fix are_variables_written analysis for named return variables by @smonicas in #2631
- Fix detectors wiki links by @smonicas in #2640
- Pyth detectors: Fix assertion error by @smonicas in #2639
- Typo fix README.md by @dedyshkaPexto in #2641
- slither-mutate: fix AOR mutator by @smonicas in #2653
- Add entry-points printer to identify all externally accessible state-changing functions by @nisedo in #2616
- Update README.md by @hexshire in #2656
New Contributors
- @dbast made their first contribution in #2521
- @hamdiallam made their first contribution in #2567
- @withbest made their first contribution in #2518
- @leopardracer made their first contribution in #2607
- @DanielVF made their first contribution in #2603
- @dedyshkaPexto made their first contribution in #2641
- @nisedo made their first contribution in #2616
- @hexshire made their first contribution in #2656
Full Changelog: 0.10.4...0.11.0
0.10.4
This is a minor release that fixes some issues caused by updates to the web3.py library. It also contains fixes and improvements for a couple of detectors: the solc-version detector no longer warns on solc versions without bugs, arbitrary-send-eth is no longer reported if the recipient is an immutable value, and unused-import is disabled as it was slow and did not handle a few edge cases correctly. Finally, slither-check-upgradeability has a new check which identifies the bug that was the cause of the most recent Ronin hack (see #2536).
We thank all of our external contributors for their effort!
What's Changed
- arbitrary-send-eth: Don't report if destination is immutable state var by @smonicas in #2488
- sync dev <> master by @0xalpharush in #2493
- Update WIKI_DESCRIPTION for "dead_code.py" by @ThomasHeim11 in #2492
- Dockerfile: fix ckzg build by @elopez in #2494
- Added length check on bugs_by_version for specific version_number by @MukulKolpe in #2499
- Bump docker/build-push-action from 5 to 6 by @dependabot in #2486
- Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 by @dependabot in #2485
- Improve slither-mutate testing by @DarkaMaul in #2482
- Add a new parameter max_width to MyPrettyTable by @DarkaMaul in #2426
- slither-mutate: (AOR) Fix for dynamic array operations by @smonicas in #2484
- Bump sigstore/gh-action-sigstore-python from 2.1.1 to 3.0.0 by @dependabot in #2508
- ci: require web3 with <5 eth_typing deps by @0xalpharush in #2537
- add upper bound by @0xalpharush in #2541
- Revert "Reduce verbosity for InvalidCompilation errors" by @0xalpharush in #2529
- disable unused import by @0xalpharush in #2540
- tool: add detector for multiple new reinitializers by @QiuhaoLi in #2536
- Bump pypa/gh-action-pip-audit from 1.0.8 to 1.1.0 by @dependabot in #2531
- sync master <> dev by @0xalpharush in #2506
New Contributors
- @ThomasHeim11 made their first contribution in #2492
- @MukulKolpe made their first contribution in #2499
- @QiuhaoLi made their first contribution in #2536
Full Changelog: 0.10.3...0.10.4
0.10.3
This is a minor release that fixes several bugs, improves performance, and addresses some false positives. There is a new flag, --include-detectors, to override exclusion rules e.g. run a specific low severity detector while excluding others with --exclude-low. The detector, similar-names, has been removed.
We would like to thank our external contributors:
- @careworry
- @xiaoxianBoy
- @vovikhangcdv
- @utx0
What's Changed
- Fix: unused state var detector for abstract/library by @0xalpharush in #2419
- Remove deprecated flags and their migration. by @DarkaMaul in #2410
- Fix #2430 by @DarkaMaul in #2431
- Chore: fix some typos in comments by @careworry in #2433
- Restore plugin example to working state by @elopez in #2436
- Chore: fix some typos in comments by @alwayshang in #2444
- Reduce verbosity for InvalidCompilation errors by @DarkaMaul in #2417
- Configure coderabbit review to also consider PR on dev branch. by @DarkaMaul in #2441
- chore: fix typos and link update by @xiaoxianBoy in #2453
- chore: recommend upgrading in issue template by @0xalpharush in #2457
- Features/perf improvment by @DarkaMaul in #2438
- Fix: use contract declarer's scope for name resolution by @0xalpharush in #2459
- Fix bugs in the EVM printer by @DarkaMaul in #2435
- Add detectors to include override exclude args by @nsiregar in #2440
- Chore/remove unused scripts by @0xalpharush in #2468
- Fix inheritance printer rebase by @0xPhaze in #2153
- Add more academic references by @montyly in #2270
- Update: improve unhandled initializers in unprotected-upgrade detector by @vovikhangcdv in #2203
- Write slither.db.json file on each save_results_to_hide by @utx0 in #2071
- Remove similar-names bc it's slow by @0xalpharush in #2469
- Improve message error for when Crytic throws a KeyError. by @DarkaMaul in #2418
- Fix regex patterns by @DarkaMaul in #2442
- Fix: do not flag imports from import container as unused by @0xalpharush in #2471
- Fix: filtering of unused-import,incorrect-solc, pragma by @0xalpharush in #2472
- Fix ordering and dead-code detector by @0xalpharush in #2476
New Contributors
- @careworry made their first contribution in #2433
- @alwayshang made their first contribution in #2444
- @xiaoxianBoy made their first contribution in #2453
- @0xPhaze made their first contribution in #2153
- @vovikhangcdv made their first contribution in #2203
- @utx0 made their first contribution in #2071
Full Changelog: 0.10.2...0.10.3
0.10.2
0.10.2 - 2024-04-08
This minor release contains several enhancements and resolves several bugs, most notably:
- Revamps slither-mutate with first class support for Foundry projects (see quickstart)
- New detector identifies unused imports (slither . --detect unused-import)
- Resolves longstanding issues in import resolution and lack of support for aliases (see #1452)
- Improves the reference/declaration API in order to facilitate LSP integration
- Accurately models implicit returns in the intermediate representation (see #1880)
We would like to thank our external contributors:
New Features
- Slither-mutate: fit and finish by @bohendo in #2302
- Feat: add detector for unused imports by @0xalpharush in #2392
- Add virtual and override attribute in Function by @smonicas in #2333
- Feat/virtual override with refs by @0xalpharush in #2376
Bug Fixes
- Fix CONTINUE node in the cfg by @Tiko7454 in #2047
- Update inheritance graph printer to handle multiple contracts with same names by @dokzai in #2159
- Fix parsing of events by @smonicas in #2365
- Slither-mutate: bugfix when two files have the same name by @DarkaMaul in #2357
- Add support for send builtin by @0xalpharush in #2212
- Fix IR for top level functions with using-for by @smonicas in #2367
- Update PR#2034 by @0xalpharush in #2384
- Fix: preserve empty tuple components during declaration-to-assignment conversion by @kevinclancy in #2034
- Fix: guard literal implicit conversion for arrays by @0xalpharush in #2383
- Fix: add missing references in the source mapping API by @0xalpharush in #2371
- Fix: support aliases for NewContract operation by @0xalpharush in #2370
- Fix: add newline to incorrect-modifier output by @0xalpharush in #2386
- ArrayType: Check the folded length in eq by @smonicas in #2331
- Fix: lookup of type alias as member of contract by @0xalpharush in #2404
- Resolve available definitions from import by reference ID by @0xalpharush in #2403
- Filter name-reused detector to only run on Truffle projects (#2390) by @nsiregar in #2394
Enhancements
- Fix/model named returns by @0xalpharush in #2326
- Ci: linter, pylint: upgrade superlinter to v6 by @elopez in #2303
- Add funding metadata to repository by @elopez in #2346
- Create issue-metrics.yml by @0xalpharush in #2366
- Chore: remove repetitive word by @rustrover in #2363
- Update node.py by @eltociear in #2358
- Support python3.12 by @0xalpharush in #2348
- Chore: remove repetitive words by @majorteach in #2373
- Implement pytest parameterize on test_implicit_returns (#2350) by @nsiregar in #2381
- Wiki/too many digits by @0xalpharush in #2385
- Upgrade slither-mutate readme by @bohendo in #2391
- Add all variables read/written by @smonicas in #2368
- Add test for #2331 by @0xalpharush in #2405
- Prepare for 0.10.2 release by @0xalpharush in #2406
- Removed unused import by @0xalpharush in #2408
New Contributors
- @rustrover made their first contribution in #2363
- @DarkaMaul made their first contribution in #2357
- @eltociear made their first contribution in #2358
- @majorteach made their first contribution in #2373
- @nsiregar made their first contribution in #2381
Full Changelog: 0.10.1...0.10.2
0.10.1
0.10.1 - 2024-02-29
This is a minor release that adds support for Solidity 0.8.24 and top level events. It includes a new detector, out-of-order-retryable, which detects potential misuse of Arbitrum's retryable transactions. Also, there is a new CLI flag, --include-paths, which allows one to only include results from a given path.
We would like to thank all of our external contributors:
What's Changed
New Features
- Add support top level events by @smonicas in #2219
- Add support Solidity 0.8.24 by @smonicas in #2281
- Add --include-paths option by @smonicas in #2330
  - For example, slither . --include-paths "(src/|contracts/)" will only include results from files within the src or contracts directory. Note, this uses python-style regex and cannot be used at the same time as --filter-paths.
- Feat: out of order retryable detector by @0xalpharush in #2340
Bug Fixes
- Fix: is_reentrant for internal vyper functions by @0xalpharush in #2211
- Fix: iterative update by @0xalpharush in #2206
- Fix: detect selfdestruct in internal calls by @0xalpharush in #2232
- Fix using for when used with "this" by @smonicas in #2224
- Fix: broken doc links by @mds1 in #2299
- Fix: slither: utils: respect colorization state when printing tables by @elopez in #2310
- Fix: support inheritance resolution when contract name is reused by @0xalpharush in #2332
- Fix: support renaming in base inheritance and base constructor calls by @0xalpharush in #2320
- Fix: immediate inheritance by @Tiko7454 in #2306
Enhancements
- Update README.md by @vielite in #2198
- Update installation instrucitons by @0xalpharush in #2189
- Update Dockerfile by @0xalpharush in #2188
- Raise an error when a missing contract is specified to read-storage by @UsmannK in #2235
- Remove unused files by @0xalpharush in #2197
- Substituted the letter z with x in pre-declaration by @ATREAY in #2258
- Upgraded Slither-mutate by @vishnuram1999 in #2278
- Divide-before-multiply: Detect also in modifiers by @smonicas in #2280
- Properties, documentation: correct tool descriptions and usage by @elopez in #2311
- Fix example by @0xalpharush in #2312
- Make triage database path customizable by @elopez in #2298
- Create a variable API that filters out constants and immutables by @dokzai in #2323
- Add regression test for #2313 by @0xalpharush in #2321
- Msg-value-loop: Don't report if msg.value is in a conditional expression by @smonicas in #2239
- Incorrect-shift: Detect only assembly blocks by @smonicas in #2315
- Track storage variables read/written in assembly by @smonicas in #2329
New Contributors
- @vielite made their first contribution in #2198
- @UsmannK made their first contribution in #2235
- @ATREAY made their first contribution in #2258
- @vishnuram1999 made their first contribution in #2278
Full Changelog: 0.10.0...0.10.1