Static Analysis: An Essential Tool for Smart Contract Security
Ziion
06.06.2023

Ensuring the security of smart contracts at the core of many blockchain apps is one of the most important safety requirements for Web3 projects. Security firms like Halborn often rely on a method called static analysis for smart contract security. In this post, we’ll explore the role of static analysis in smart contract security and describe how it helps mitigate potential risks and vulnerabilities.

What is Static Analysis?

Static analysis is a method of debugging by examining source code before a program is run, similar in concept to proofreading a book before publishing. While dynamic analysis identifies issues through actual program execution, static analysis scrutinizes the code comprehensively without executing it.

Static analysis works by checking source code for certain behaviors using rules and heuristics. It identifies vulnerabilities, bugs, and breaches in coding standards, thus helping to ensure the stability and safety of the software.

Static Analysis and Smart Contracts

When applied to smart contracts, static analysis helps to expose several specific vulnerabilities. These include reentrancy attacks, where an attacker repeatedly calls a function to drain funds, and arithmetic overflows, where calculations result in numbers larger than the available storage can hold.

Static analysis of a smart contract involves examining the contract's code to identify patterns that could lead to vulnerabilities. It checks all paths of the contract, including those that may not be readily apparent during dynamic analysis or manual review.

Static Analysis Tools Available in ZIION for Smart Contract Security

Installing and configuring static analysis tools individually can take a lot of time. ZIION, the world’s first blockchain security-focused VM, solves that. With static analysis tools and more than 100 additional tools pre-installed, it lets you start testing smart contracts right away and conduct a thorough security review.

While Mythril and Manticore are primarily symbolic execution tools, they are often employed as automatic analysis tools during the static analysis phase. Slither, on the other hand, is purely a static analysis tool. The tools vary in usability, depth and efficiency, but used correctly they will give you a great initial review.


Performing Static Analysis Using ZIION Tools

Take the following "SimpleBank.sol" smart contract for instance:


SimpleBank.sol screenshot - original


We’ll analyze it with both Slither and Manticore, two of the tools pre-installed in ZIION. After walking through how each tool is used for static analysis, we’ll discuss how to remediate the vulnerabilities they find.


1. Slither: a Solidity static analysis framework written in Python 3.


Step 1: Go to the directory where the smart contract is and run the following command:

Terminal screenshot - slither simplebank.sol

Step 2: Slither will output a list of potential issues, including possible reentrancy attacks. Each issue will have a severity level assigned (from Low to High) and will include a description of the issue, the function in which the issue was found, and the relevant Solidity code.

Terminal screenshot - slither simplebank.sol output

2. Manticore: a symbolic execution tool for analyzing smart contracts and binaries. It is not strictly a static analysis tool, but we can use it to perform static analysis.

Step 1: Once you are in the directory of the smart contract that you want to analyze, run the following command:

Terminal screenshot - manticore simplebank.sol

Step 2: Manticore will generate a list of potential issues and save it into a directory named mcore_XXXXX. This directory includes a file called _stats.json that summarizes the overall analysis. Additionally, for each discovered issue, Manticore will provide a Solidity source code file and a list of inputs that can reproduce the issue.

Desktop screenshot - manticore output

Remediation of the Vulnerability Found Using ZIION

After running these tools, a potential reentrancy attack is found, specifically in the withdraw function, which an attacker can call repeatedly before it finishes executing.


The solution is to follow the checks-effects-interactions pattern, which is recommended in the Solidity documentation. It involves moving any external calls (interactions) to the end of the function, after the contract's state (effects) has been updated.


Here's how you can revise your withdraw function:

SimpleBank.sol screenshot - Withdraw function revised

By updating the balance before calling the external contract, you can prevent the contract from being reentered with the same state. This mitigates the reentrancy vulnerability in the contract.
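To make the rule-based checking described earlier and the checks-effects-interactions fix concrete, here is an added Python example (not code from the post, Slither or Manticore): a single line-order heuristic that flags a mapping write occurring after an external call, run on two constructed withdraw variants. The contract text, the balances mapping and the function find_call_before_write are assumptions made for illustration; real analyzers reason about control flow rather than matching lines.

```python
import re

# Constructed sample (NOT the SimpleBank.sol shown in the post's screenshot):
# the external call happens before the balance is reduced.
VULNERABLE = """
function withdraw(uint256 amount) public {
    require(balances[msg.sender] >= amount, "insufficient balance");
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "transfer failed");
    balances[msg.sender] -= amount;
}
"""

# Same constructed function reordered to checks-effects-interactions.
FIXED = """
function withdraw(uint256 amount) public {
    require(balances[msg.sender] >= amount, "insufficient balance");
    balances[msg.sender] -= amount;
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "transfer failed");
}
"""

# Call forms that hand control to another address.
EXTERNAL_CALL = re.compile(r"\.(call|send|transfer)\s*[({]")
# Write to a mapping slot: name[key] = / -= / += ... but not ==, >=, <=, !=.
STATE_WRITE = re.compile(r"\b\w+\[[^\]]+\]\s*[-+*/]?=(?!=)")


def find_call_before_write(source):
    """Return (call_line, write_line) pairs where a state write follows an external call."""
    findings = []
    first_call = None
    for lineno, line in enumerate(source.strip().splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments
        if first_call is None and EXTERNAL_CALL.search(code):
            first_call = lineno
        elif first_call is not None and STATE_WRITE.search(code):
            findings.append((first_call, lineno))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        hits = find_call_before_write(src)
        print(name, "->", hits or "no call-before-write ordering found")
```

The balance check in the require line is a comparison, not a write, so it is not reported; only the ordering of the call and the balance update separates the two variants.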


Advantages and Disadvantages of Static Analysis

Static analysis is really good at looking at everything a contract might do, not just the basic functionality. This is great for finding problems that might not be discovered at first glance. Static analysis is also automatic and fast, which saves time and money.

But static analysis can't catch everything. One of its major disadvantages is that it can't find problems that have to do with what the smart contract is supposed to do (i.e., logic problems), or complex problems that only come up in very specific situations. That's why it's important to also use dynamic analysis and have Web3 security experts look over the code to make sure the smart contract is as safe as possible.


Final Thoughts

Static analysis is a great way to find common vulnerabilities in a fast and efficient way. By giving security professionals a head start on findings, it enables a faster and more efficient process. 

When performing security audits, the recommended path is to review with different methods and tools. Using static analysis in addition to dynamic analysis and manual code reviews can significantly reduce the risk of deploying vulnerable code.

Download ZIION today and start using its 100+ pre-installed and pre-configured tools for static analysis and other security auditing and development needs.

