Merge branch 'dev' into dev-fix-user-defined-type

.github/workflows/ci.yml

@@ -45,11 +45,9 @@ jobs:
         # Used by ci_test.sh
         pip install deepdiff
 
-        git clone https://github.com/crytic/solc-select.git
-        ./solc-select/scripts/install.sh
-        export PATH=/home/runner/.solc-select:$PATH
-        echo "export PATH=/home/runner/.solc-select:$PATH" >> ~/.bashrc
-        solc use 0.5.1
+        pip install solc-select
+        solc-select install all
+        solc-select use 0.5.1
 
     - name: Run Tests
       env:

.github/workflows/detectors.yml

@@ -33,11 +33,9 @@ jobs:
           pip install deepdiff
           pip install pytest
 
-          git clone https://github.com/crytic/solc-select.git
-          ./solc-select/scripts/install.sh
-          export PATH=/home/runner/.solc-select:$PATH
-          echo "export PATH=/home/runner/.solc-select:$PATH" >> ~/.bashrc
-
+          pip install solc-select
+          solc-select install all
+          solc-select use 0.7.3
       - name: Test with pytest
         run: |
           pytest tests/test_detectors.py

.github/workflows/linter.yml

@@ -80,4 +80,5 @@ jobs:
           VALIDATE_DOCKERFILE: false
           VALIDATE_DOCKERFILE_HADOLINT: false
           VALIDATE_EDITORCONFIG: false
+          VALIDATE_JSCPD: false
           SHELLCHECK_OPTS: "-e SC1090"

.github/workflows/parser.yml

@@ -34,9 +34,13 @@ jobs:
           pip install pytest
 
           git clone https://github.com/crytic/solc-select.git
+          cd solc-select
+          git checkout 857d6fa883d9283454be1cb2d869a8f9962b27b8
+          cd ..
           ./solc-select/scripts/install.sh
           export PATH=/home/runner/.solc-select:$PATH
           echo "export PATH=/home/runner/.solc-select:$PATH" >> ~/.bashrc
+          solc use 0.7.3
 
       - name: Test with pytest
         run: |

README.md

@@ -17,7 +17,7 @@ Slither is a Solidity static analysis framework written in Python 3. It runs a s
 
 ## Features
 
-* Detects vulnerable Solidity code with low false positives
+* Detects vulnerable Solidity code with low false positives (see the list of [trophies](./trophies.md))
 * Identifies where the error condition occurs in the source code
 * Easily integrates into continuous integration and Truffle builds
 * Built-in 'printers' quickly report crucial contract information
@@ -30,7 +30,7 @@ Slither is a Solidity static analysis framework written in Python 3. It runs a s
 
 ## Bugs and Optimizations Detection
 
-Run Slither on a Truffle/Embark/Dapp/Etherlime application:
+Run Slither on a Truffle/Embark/Dapp/Etherlime/Hardhat application:
 ```bash
 slither .
 ```
@@ -217,5 +217,6 @@ Slither is licensed and distributed under the AGPLv3 license. [Contact us](mailt
 - [ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts](https://wcventure.github.io/FuzzingPaper/Paper/SANER20_ETHPLOIT.pdf), Qingzhao Zhang, Yizhuo Wang, Juanru Li, Siqi Ma - SANER 20
 - [Verification of Ethereum Smart Contracts: A Model Checking Approach](http://www.ijmlc.org/vol10/977-AM0059.pdf), Tam Bang, Hoang H Nguyen, Dung Nguyen, Toan Trieu, Tho Quan - IJMLC 20
 - [Smart Contract Repair](https://arxiv.org/pdf/1912.05823.pdf), Xiao Liang Yu, Omar Al-Bataineh, David Lo, Abhik Roychoudhury - TOSEM 20
+- [Demystifying Loops in Smart Contracts](https://www.microsoft.com/en-us/research/uploads/prod/2020/08/loops_solidity__camera_ready-5f3fec3f15c69.pdf), Ben Mariano, Yanju Chen, Yu Feng, Shuvendu Lahiri, Isil Dillig - ASE 20
 
 If you are using Slither on an academic work, consider applying to the [Crytic $10k Research Prize](https://blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/).

scripts/ci_test_cli.sh

@@ -2,7 +2,7 @@
 
 ### Test
 
-solc use 0.7.0
+solc-select use 0.7.0
 
 if ! slither "tests/config/test.sol" --solc-ast --ignore-return-value; then
     echo "--solc-ast failed"

scripts/ci_test_erc.sh

@@ -4,7 +4,7 @@
 
 DIR_TESTS="tests/check-erc"
 
-solc use 0.5.0
+solc-select use 0.5.0
 slither-check-erc "$DIR_TESTS/erc20.sol" ERC20 > test_1.txt 2>&1
 DIFF=$(diff test_1.txt "$DIR_TESTS/test_1.txt")
 if [  "$DIFF" != "" ]

scripts/ci_test_find_paths.sh

@@ -4,7 +4,7 @@
 
 DIR_TESTS="tests/possible_paths"
 
-solc use "0.5.0"
+solc-select use "0.5.0"
 slither-find-paths "$DIR_TESTS/paths.sol"  A.destination  > test_possible_paths.txt 2>&1
 DIFF=$(diff test_possible_paths.txt "$DIR_TESTS/paths.txt")
 if [  "$DIFF" != "" ]

scripts/ci_test_kspec.sh

@@ -2,7 +2,7 @@
 
 DIR_TESTS="tests/check-kspec"
 
-solc use "0.5.0"
+solc-select use "0.5.0"
 slither-check-kspec "$DIR_TESTS/safeAdd/safeAdd.sol" "$DIR_TESTS/safeAdd/spec.md" > test_1.txt 2>&1
 DIFF=$(diff test_1.txt "$DIR_TESTS/test_1.txt")
 if [  "$DIFF" != "" ]

scripts/ci_test_printers.sh

@@ -10,6 +10,6 @@ if ! slither "tests/*.json" --print all --json -; then
     exit 1
 fi
 
-solc use "0.5.1"
+solc-select use "0.5.1"
 
 slither examples/scripts/test_evm_api.sol --print evm 

scripts/ci_test_simil.sh

@@ -7,7 +7,7 @@ pip3.6 install https://github.com/facebookresearch/fastText/archive/0.2.0.zip
 
 ### Test slither-simil
 
-solc use "0.4.25"
+solc-select use "0.4.25"
 
 DIR_TESTS="tests/simil"
 slither-simil info "" --filename $DIR_TESTS/../complex_func.sol --fname Complex.complexExternalWrites  > test_1.txt 2>&1

scripts/ci_test_upgradability.sh

@@ -3,7 +3,7 @@
 ### Test slither-check-upgradeability
 
 DIR_TESTS="tests/check-upgradeability"
-solc use "0.5.0"
+solc-select use "0.5.0"
 
 slither-check-upgradeability  "$DIR_TESTS/contractV1.sol" ContractV1 --proxy-filename "$DIR_TESTS/proxy.sol" --proxy-name Proxy  > test_1.txt 2>&1
 DIFF=$(diff test_1.txt "$DIR_TESTS/test_1.txt")

trophies.md

@@ -0,0 +1,45 @@
+# Slither Trophies
+
+The following lists security vulnerabilities that were found by Slither.
+If you found a security vulnerability using Slither,
+please submit a PR with the relevant information.
+
+| Project | Vulnerability | Date |
+|--|--|--|
+[Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Incorrect constructor name | July 2018
+[Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Deletion of a mapping with structure | July 2018
+[Parity](https://github.com/trailofbits/publications/blob/master/reviews/parity.pdf) | Uninitialized state variables | July 2018
+[Basis](https://github.com/trailofbits/publications/blob/master/reviews/basis.pdf) | Missing return value check | Oct 2018
+[Origin protocol](https://github.com/trailofbits/publications/blob/master/reviews/origin.pdf) | Reentrancy | Nov 2018
+[Numerai](https://github.com/trailofbits/publications/blob/master/reviews/numerai.pdf) | Deletion of a mapping with structure | Jul 2019
+[Numerai](https://github.com/trailofbits/publications/blob/master/reviews/numerai.pdf) | Missing return value | Jul 2019
+[Flexa](https://github.com/trailofbits/publications/blob/master/reviews/Flexa.pdf) | Reentrancy (events out of order) | Sep 2019
+[0x](https://github.com/trailofbits/publications/blob/master/reviews/0x-protocol.pdf) | Missing return value | Oct 2019
+[Token mint](https://certificate.quantstamp.com/full/token-mint) | Reentrancies | Dec 2019
+[Airswap](https://certificate.quantstamp.com/full/airswap) | Missing return value check | Feb 2020
+[Stake Technologies Lockdrop](https://certificate.quantstamp.com/full/stake-technologies-lockdrop) | Dangerous strict equality | Mar 2020
+[E&Y’s Nightfall](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Missing return value | May 2020
+[E&Y’s Nightfall](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Empty return value | May 2020
+[DefiStrategies](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Modifier can return the default value | May 2020
+[DefiStrategies](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Dangerous strict equality allows the contract to be trapped | May 2020
+[DOSnetwork](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Abi `encodedPacked` collision | May 2020
+[EthKids](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | `msg.value` is used two times to compute a price | May 2020
+[HQ20](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Reentrancy | May 2020
+[Dloop](https://certificate.quantstamp.com/full/dloop-art-registry-smart-contract) | Dangerous `block.timestamp` usage | Jun 2020
+[Atomic Loans](https://certificate.quantstamp.com/full/atomic-loans) | Uninitialized state variable | Jul 2020
+[Atomic Loans](https://certificate.quantstamp.com/full/atomic-loans) | State variable shadowing | Jul 2020
+[Atomic Loans](https://certificate.quantstamp.com/full/atomic-loans) | Reentrancy | Jul 2020
+[Amp](https://github.com/trailofbits/publications/blob/master/reviews/amp.pdf) | Duplicate contract name | Aug 2020
+[PerlinXRewards](https://certificate.quantstamp.com/full/perlin-x-rewards-sol) | Multiple reentrancies | Aug 2020
+[Linkswap](https://certificate.quantstamp.com/full/linkswap) | Lack of return value check | Nov 2020
+[Linkswap](https://certificate.quantstamp.com/full/linkswap) | Uninitialized state variable | Nov 2020
+[Cryptex](https://certificate.quantstamp.com/full/cryptex) | Lack of return value check | Nov 2020
+[Hermez](https://github.com/trailofbits/publications/blob/master/reviews/hermez.pdf) | Reentrancy | Nov 2020
+[Unoswap](https://www.unos.finance/wp-content/uploads/2020/11/block-audit.pdf) | Contract locking ethers | Nov 2020
+[Idle](https://certificate.quantstamp.com/full/idle-finance) | Dangerous divide before multiply operations | Dec 2020
+[RariCapital](https://certificate.quantstamp.com/full/rari-capital) | Lack of return value check | Dec 2020
+[RariCapital](https://certificate.quantstamp.com/full/rari-capital) | Uninitialized state variable | Dec 2020
+[wfil-factory](https://github.com/wfil/wfil-factory/commit/a43c1ddf52cf1191ccf1e71a637df02d78b98cc0) | Reentrancy | Dec 2020
+[Origin Dollar](https://github.com/trailofbits/publications/blob/master/reviews/OriginDollar.pdf) | Reentrancy | Jan 2021
+[Origin Dollar](https://github.com/trailofbits/publications/blob/master/reviews/OriginDollar.pdf) | Variable shadowing | Jan 2021
+[OriginTrait](https://github.com/OriginTrail/starfleet-boarding-contract/commit/6481b12abc3cfd0d782abd0e32eabd103d8f6953) | Reentrancy | Jan 2021