This tool analyzes Solidity contracts for known vulnerabilities or bad practices.
This is still a work in progress though. In the end it will be provided as both a CLI tool and a Sonar plugin for CI pipelines.
A command-line tool is provided and can simply be run like this:

```
java -jar solidity-analyzer.jar -f <MyContract>.sol
```

Example of the output:

```
> java -jar solidity-analyzer.jar -f ThrowDeprecationContract.sol
Running Solidity Analyzer on 'ThrowDeprecationContract.sol'...
1 error(s) found!
[MAJOR] throw-deprecated error ('Throw is deprecated. Use require(), revert() or assert() instead') L9:C9 -> L11:C9
```
A Sonar plugin is also available and will be soon released officially for installation.
- You'll get a `CRITICAL` error if you compare `tx.origin` to `msg.sender`, as this is usually not a safe thing to do! This analysis is smart enough to figure out such a comparison even if `tx.origin` and/or `msg.sender` are assigned to variables.
- `throw` should not be used anymore. Prefer instead `require()`, `revert()` or `assert()`.
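To make both rules concrete, here is a constructed Solidity example (added for this README, not part of the analyzer's own test contracts): the first contract contains the two patterns described above, including the `tx.origin` comparison routed through local variables, and the second shows the same function written without them. It assumes a pre-0.5 compiler (`pragma solidity ^0.4.24`), since `throw` no longer compiles from 0.5.0 onwards.

```solidity
pragma solidity ^0.4.24; // assumption: pre-0.5 compiler, where `throw` is still accepted

// Constructed example: what the analyzer is expected to report.
contract Flagged {
    address public owner = msg.sender;

    function withdraw(uint amount) public {
        // CRITICAL: tx.origin compared to msg.sender. The comparison is done
        // through intermediate variables, which the analysis still resolves.
        address origin = tx.origin;
        address caller = msg.sender;
        if (origin != caller) {
            throw; // MAJOR: throw-deprecated
        }
        msg.sender.transfer(amount);
    }
}

// Constructed example: the same function rewritten so neither rule fires.
contract Hardened {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    function withdraw(uint amount) public {
        // Authorise on msg.sender only; require() reverts with a reason
        // string instead of the deprecated throw.
        require(msg.sender == owner, "caller is not the owner");
        require(address(this).balance >= amount, "insufficient balance");
        msg.sender.transfer(amount);
    }
}
```

Running the CLI against a file containing `Flagged` should report both findings with their line and column ranges; `Hardened` alone should report none.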