Solhydra is a cli tool to run solidity smart contract(s) through several analysis tools and generating a html report.
sample report of cryptokitties-bounty
There are a number of smart contract analysis tools which can give you valuable information about your smart contracts. Just installing all these tools on your machine is quite the challenge. If you manage to install all these tools next challenge will be finding out how to execute each of these tools. After execution you are left with a number of files per tool, which you can then open and inspect one-by-one. Wouldn't it be nice if there was a tool which takes care of installing (in Docker containers) and executing all the analysis tools on a given directory with smart contracts + transforming the output of each tool (per smart contract) into 1 HTML report which you can open in the browser so you can easily inspect all output per tool, per smart contract. That's what this tool tries to accomplish ๐.
Analysis tools included:
mythril
Docker imageoyente
Docker imagesolgraph
Docker imagesolhint
Docker imagesolidity-analyzer
Docker imagesolidity-coverage
(only works ontruffle
projects) Docker imagesolium
Docker image
docker
(tested on17.12.0-ce
)
node version >= 8.0.0
npm install -g solhydra
NAME
solhydra cli tool to run solidity smart contract(s) through several analysis
tools and generating a html report
SYNOPSIS
solhydra --contract-dir=dirPath --dest-dir=dirPath [--dep-dir=dirPath] [tool1, tool2, ..]
solhydra --truffle=dirPath --dest-dir=dirPath [tool1, tool2, ..]
TOOLS
mythril, oyente, solhint, solidity-coverage, solidity-analyzer, solgraph, solium
REQUIRED ARGUMENTS
--contract-dir path of contracts directory (only when not specifying --truffle)
--truffle path of truffle project (only when not specifying --contract-dir)
--dest-dir path of the directory to write the result HTML report to,
will be named solhydra_report.html
OPTIONAL ARGUMENTS
--dep-dir path of directory with dependencies (node_modules),
only used with --contract-dir
tool you can optionally specify a subset of tools to run, if you don't
specify any tools, all tools will be executed
NOTES
solidity-coverage only works on truffle projects, so only when using --truffle,
it will be skipped automatically for non-truffle runs
EXAMPLES
solhydra --contract-dir=./contracts --dep-dir=./node_modules --dest-dir=./out
solhydra --contract-dir=./contracts --dep-dir=./node_modules --dest-dir=./out mythril oyente
solhydra --truffle=./mytruffleproject --dest-dir=./out
solhydra --truffle=./mytruffleproject --dest-dir=./out solidity-coverage solium
To display help (the above shown excerpt) type: solhydra
.
The smart contracts are run through soljitsu flatten
,
since some analysis tools don't work with node_modules dependencies. So to keep reports consistent all tools are
executed on the flatten
version of the smart contracts.
- the generated HTML report has all it's internal js/css inlined, therefore it can be moved to any folder/machine and still work
- the generated HTML report fetches some external js/css from a cdn so an internet connection is required
-
oyente
reports usage of an untested z3 + solc + evm, fix this - add
slither
when it becomes available - add
rattle
if/when it becomes available (blogpost) - enable
maian
when issue is resolved - enable
echidna
with a special option since it requires manually adding tests to solidity files - add
manticore
as described here - fix
highlightjs-solidity
highlighting, doesn't seem to work, it uses php highlighting?!
MIT