Hey,

It would be cool to be able to print inheritance to stdout (to quickly analyze things), examples:

• see what inherits from BaseContract: BaseContract childrens: A, B, C, D, E, ... (it should also list the contracts that derives from A, B, C, D, E)
• see all base classes for given contract: Children inherits from: BaseContract1, BaseContract2, BaseBaseContract, SuperBaseBaseBaseContract

Right now the travis tests only check for the number of results returned:

https://github.com/trailofbits/slither/blob/39f560bf973acbc31c908991f94d4cb57a7e4828/scripts/travis_test.sh#L5-L16

It would make more sense to test the json output.

• Generate pre-defined json for each testcase (used as ground truth)
• Update scripts/travis_test.sh to export the result in a json file (--json)
• For each testcase, compare the generated json with the corresponding pre-defined json
• If if an issue is found, print the difference
• Clean the generated json file(s) (but not the ground true)

If a state variable cannot be changed at runtime, it should be marked as constant, so that it can be optimized by solc

• Severity: Informational

Hints: variables have the attribute is_constant. To be precise the detector should use slithIR and check that:

• the variable is never the lvalue of a OperationWithLvalue
• its initial value is a constant

SlithIR is flexible enough that we should be able to support Vyper with few modifications. This will require investigating how Vyper produces their AST and providing for some translation into SlithIR. SlithIR may need modification in the process to support the unique features of Vyper's AST.

We should have a visual studio plugin

Features:

• Run slither
• Save the results
• List the bugs found (with a checkbox 'Won't fix/False alarm")
• Once you click on a bug, it highlights the code (using the JSON information)

If the return value of a function is never used, it's likely to be bug.

• severity low/medium

SlithIR can be used to track if the value returned by a call is used:

• If the function does not return a value, the lvalue of the operation is None, otherwise its a variable.
• We can check if the lvalue is in the read list of another operation

Example:

contract Target{
    function f() returns(uint);
}

contract Function{

    function test(Target t){
        t.f();
    }

}

SlithIR is flexible enough that we should be able to support LLL with few modifications. This will require investigating how LLL produces their AST and providing for some translation into SlithIR. SlithIR may need modification in the process to support the unique features of LLL's AST.

Would be nice to run batch analyses

$ slither contracts/*.sol
usage: slither.py contract.sol [flag]
slither: error: unrecognized arguments: contracts/B.sol contracts/C.sol ...

The uninitialized state variable detector could be simplified with SlithIR

A state variable is not initialized if its never the lvalue of an OperationWithLValue

Add a detector checking that the variables follow the Solidity naming convention

• Severity Informational

Hey, we came across this during the Trail of Bits workshop with @japesinator. When we are looking for a storage variable to be written to, slither does not find it if we access it under a different name in the solidity code.

We didn't figure out how to catch it with the currently available API. We were thinking about recursively tracking also variables where the storage variable would be read.

It should be possible for slither to identify these cases and report them as "writing to the storage variable with that name".

Minimal Example:

Python

from slither.slither import Slither
from slither.core.declarations.function import Function

slither = Slither('test.sol')

def get_msg_sender_checks(function):
    all_functions = function.all_internal_calls() + \
        [function] + function.modifiers

    all_nodes = [f.nodes for f in all_functions if isinstance(f, Function)]
    all_nodes = [item for sublist in all_nodes for item in sublist]

    all_conditional_nodes = [n for n in all_nodes if
                             n.contains_if() or n.contains_require_or_assert()]
    all_conditional_nodes_on_msg_sender = [str(n.expression) for n in all_conditional_nodes if
                                           'msg.sender' in [v.name for v in n.solidity_variables_read]]
    return all_conditional_nodes_on_msg_sender


for contract in slither.contracts:
    print('Contract: ' + contract.name)

    for function in contract.functions:

        msg_sender_condition = get_msg_sender_checks(function)

        if len(msg_sender_condition) == 0:
            for v in function.state_variables_written:
                if v.name == 'balances':
                    print('Function: {}'.format(function.name))
                    print('\tWriting to balances: {}'.format(v.name))

Solidiy

// test.sol

contract Test
{
    struct Balance {
        uint balance;
    }

    Balance public balances;

    function setBalances(uint _balances)
        public
    {
        require(msg.sender == address(0));
        balances.balance = _balances;
    }

    function setBalancesUnchecked(uint _balances) public {
        // `other` writes to storage `balances` as it is
        // uninitialized.
        Balance storage other;
        // Thus, this writes to storage variable balances,
        // but is not detected:
        other.balance = _balances;
    }
}

We later found out that this is also not found:
Balance storage other = balances;

/cc @pgev @benjaminbollen

Remix integrates now by default a plugin to run slither: https://medium.com/remix-ide/remix-ide-v0-7-5-released-a386ed6faf38

The current plugin is https://github.com/mul1sh/remix-analysis-plugin (it was built from this issue: https://github.com/ethereum/remix-ide/issues/1500)

The plugin does not give a good user experience:

We should either improve the current plugin through PR (see mul1sh/remix-analysis-plugin#1), or create a new plugin

Among others the plugin should:

• Be up to date with the latest slither release
• Don't show compiler warnings
• Use colors
• Prevent the text to be hidden outside the visible windows
• Allow the user to select / disable some of the detectors

it will be error when I use the command, I have try to solve the problem, but it is failure, Can you help me solve the problem? thanks in advance!
my os is ubuntu 16.04
root@biaoy3:~/MetaCoin/contracts# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

this is the error message.
root@biaoy3:~/MetaCoin/contracts# slither MetaCoin.sol
Traceback (most recent call last):
File "/usr/local/bin/slither", line 9, in
load_entry_point('slither-analyzer==0.2.0', 'console_scripts', 'slither')()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 542, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2569, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2229, in load
return self.resolve()
File "/usr/lib/python2.7/dist-packages/pkg_resources/init.py", line 2235, in resolve
module = import(self.module_name, fromlist=['name'], level=0)
File "build/bdist.linux-x86_64/egg/slither/init.py", line 1, in
File "build/bdist.linux-x86_64/egg/slither/slither.py", line 6, in
ImportError: No module named detectors.abstract_detector

The following loop outputs the wrong CFG

function dowhile() public {
    uint8 i = 0;
    uint8 a;
    do {
        i++;
        a = 1;
        a = 2;
        a = 3;
    } while (i < 10);
}

Correct output would look like this:

slither version: 0.3.1

in /slither/attributes/old_solc.py

old_pragma = [p for p in pragma if self._convert_pragma(p.version) not in ['0.4.23', '0.4.24']]
if old_pragma:
  # detected old pragma

It detects only "0.4.23", "0.4.24" as safe version. (even test solidity uses 0.4.25, it detected as old version)

should it be changed like under 0.4.25 is unsafe version? and also it will be great to support 0.5.X versions :)

We have private documentation for the json output. We need to standardize its format and bring it to the open source repo.

Some of the fields use a different naming convention, such as mixedCase / non_mixed. We need to settle on one naming convention.

I don't think the --high, --medium, --low flags make a ton of sense right now. As a user, it's more common that one or more noisy checks are false positives and I want to disable them specifically. We should add some notion of IDs to each check, then have a single flag like --exclude reentrancy or similar to turn it off for that run.

I'm not sure if we have to do anything special for it, but I've noticed a few projects are using yarn now. Here's a sample: https://github.com/SetProtocol/set-protocol-contracts

Truffle is the most popular development framework for smart contracts, and building this feature would enable the largest possible audience to have instant access to Slither.

At Trail of Bits, we are not experts in the internals of Truffle, and we try to avoid writing anything in JavaScript whenever possible. Our expertise here is limited and we're looking for help to implement this feature the "right" way. A successful implementation should use the lowest number of installation and configuration steps. It should just work.

See https://solidity.readthedocs.io/en/v0.5.1/050-breaking-changes.html

We're writing an Intermediate Representation (IR) for Solidity that enables capturing a greater level of detail about the code. Slither will translate the AST to the IR, and then perform analysis on the IR.

Overview

To support an influx of external contributions (incentivized from Gitcoin and more organic OSS approaches), I propose adding contributor guidelines to this repo to communicate how people should contribute. This will save time for repo owners as well as contributors and help verify that PRs are well-formed and opened issues are useful.

I see two straightforward approaches that could support contributor guidelines:

1. Create a separate CONTRIBUTING file in the root directory
   • advantage: Obvious in the file tree. I've had success doing this for Aragon here
   • disadvantage: New file. Fragments documentation across wiki and elsewhere
2. Create a new wiki Contributor Guidelines wiki entry and link to it from the README
   • advantage: Supports existing use of wiki for this repo. Could move to a more robust developer portal easily.
   • disadvantage: Less popular approach. Can't integrate cool things like PR templates directly.

Open to all feedback and thoughts.

Example Guidelines:

Pull Request process

Code of Conduct

Contact Info (Slack, Email, etc)

1. Clone Slither git repo
2. docker build -t slither
3. docker run slither

tests/uninitialized.sol:1:1: Error: Source file requires different compiler version (current compiler is 0.5.1+commit.c8a2cb62.Linux.g++ - note that nightly builds are considered to be strictly less than the released version
pragma solidity ^0.4.24;
^----------------------^
tests/uninitialized.sol:19:5: Error: No visibility specified. Did you intend to add "public"?
    function init() {
    ^ (Relevant source part starts here and spans across multiple lines).
tests/uninitialized.sol:23:5: Error: No visibility specified. Did you intend to add "public"?
    function use() {
    ^ (Relevant source part starts here and spans across multiple lines).
tests/uninitialized.sol:35:5: Error: No visibility specified. Did you intend to add "public"?
    function set(MyStruct storage st, uint v){
    ^ (Relevant source part starts here and spans across multiple lines).
tests/uninitialized.sol:49:5: Error: No visibility specified. Did you intend to add "public"?
    function init(){
    ^ (Relevant source part starts here and spans across multiple lines).
tests/uninitialized.sol:53:5: Error: No visibility specified. Did you intend to add "public"?
    function use(){
    ^ (Relevant source part starts here and spans across multiple lines).
tests/uninitialized.sol:8:9: Error: Member "transfer" not found or not visible after argument-dependent lookup in address.
        destination.transfer(msg.value);
        ^------------------^

INFO:Slither:tests/uninitialized.sol analyzed (0 contracts), 0 result(s) found

MacOS Mojave
Docker version 18.09.0, build 4d60db4

Yes, I have been use xdot for slither to analyze contract with the for example in the wiki,but the result is

38:Desktop bobby$ xdot wallet.sol.dot 

(xdot:70219): Gtk-WARNING **: 11:24:00.117: Error loading theme icon 'document-open' for stock: 图标“document-open”未在主题 Adwaita 中出现

(xdot:70219): Gtk-WARNING **: 11:24:00.169: Error loading theme icon 'view-refresh' for stock: 图标“view-refresh”未在主题 Adwaita 中出现

(xdot:70219): Gtk-WARNING **: 11:24:00.170: Error loading theme icon 'document-print' for stock: 图标“document-print”未在主题 Adwaita 中出现

(xdot:70219): Gtk-WARNING **: 11:24:00.170: Error loading theme icon 'zoom-in' for stock: 图标“zoom-in”未在主题 Adwaita 中出现

(xdot:70219): Gtk-WARNING **: 11:24:00.170: Error loading theme icon 'zoom-out' for stock: 图标“zoom-out”未在主题 Adwaita 中出现

dot: Not a directory

,and the for example is

dot examples/printers/inheritances.sol.dot -Tsvg -o examples/printers/inheritances.sol.png

the result is -bash: dot: command not found
why? can U help me?

Description

First of all, thanks to Trail of Bits for creating and maintaining this great solidity static analyser!
Slither produces the following error messages when executed against specific solidity contracts:

ERROR:root:Error in Nomin.sol
ERROR:root:Traceback (most recent call last):
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/__main__.py", line 226, in main_impl
    (results, number_contracts) = process(filename, args, detector_classes, printer_classes)
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/__main__.py", line 35, in process
    slither = Slither(filename, args.solc, args.disable_solc_warnings, args.solc_args, ast)
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/slither.py", line 41, in __init__
    self._analyze_contracts()
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/solc_parsing/slitherSolc.py", line 191, in _analyze_contracts
    self._convert_to_slithir()
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/solc_parsing/slitherSolc.py", line 317, in _convert_to_slithir
    func.convert_expression_to_slithir()
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/solc_parsing/declarations/function.py", line 838, in convert_expression_to_slithir
    node.slithir_generation()
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/core/cfg/node.py", line 364, in slithir_generation
    self._find_read_write_call()
  File "/home/mz/.virtualenvs/test_slither/lib/python3.7/site-packages/slither/core/cfg/node.py", line 397, in _find_read_write_call
    self._high_level_calls.append((ir.destination.type.type, ir.function))
AttributeError: 'MappingType' object has no attribute 'type'

Steps to reproduce

• Install slither 0.3 using a new python virtual environment (bug was reproduced using python 3.7.0 and 3.7.1)
• Run slither against the following contract: https://github.com/Havven/havven/tree/b3962e3d025b9087a0bef1814d9f83a69e4ff690/contracts/Nomin.sol (running slither against other contracts in that repository at that specific commit reproduces the same behaviour)
• Observe crash

--ast-compact-json gives a different AST, which is supposed to be more precise.

Additionaly it seems that the solc support for the --ast-json format will be remove in the future.

Finally, it should also help supporting truffle (#18)

The readme says that there is a --low flag, but when I try it I get an error:

$ ./slither.py ../onchain/ProvethVerifier.sol --low
usage: slither.py contract.sol
slither.py: error: unrecognized arguments: --low

Also, it might be nice to change the usage line of the help to

usage: slither.py contract.sol [flags]

I initially assumed that flags go before the file to be analyzed.

When using the vars-and-auth printer there is a bug in the output.

Problem Description

The entire table is written out on each iteration of going through the functions of a contract, instead of printing out once after the for each function loop is done.

Example output currently

INFO:Printers:
Contract MyContract
+----------+-------------------------+---------------------------------------------+
| Function | State variables written |           Conditions on msg.sender          |
+----------+-------------------------+---------------------------------------------+
|  setCEO  |       ['ceoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
+----------+-------------------------+---------------------------------------------+
INFO:Printers:
Contract MyContract
+----------+-------------------------+---------------------------------------------+
| Function | State variables written |           Conditions on msg.sender          |
+----------+-------------------------+---------------------------------------------+
|  setCEO  |       ['ceoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCMO  |       ['cmoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
+----------+-------------------------+---------------------------------------------+
INFO:Printers:
Contract MyContract
+----------+-------------------------+---------------------------------------------+
| Function | State variables written |           Conditions on msg.sender          |
+----------+-------------------------+---------------------------------------------+
|  setCEO  |       ['ceoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCMO  |       ['cmoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCSO  |       ['csoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
+----------+-------------------------+---------------------------------------------+
INFO:Printers:
Contract MyContract
+----------+-------------------------+---------------------------------------------+
| Function | State variables written |           Conditions on msg.sender          |
+----------+-------------------------+---------------------------------------------+
|  setCEO  |       ['ceoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCMO  |       ['cmoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCSO  |       ['csoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCFO  |       ['cfoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
+----------+-------------------------+---------------------------------------------+

Expected Output

just the last one..

INFO:Printers:
Contract MyContract
+----------+-------------------------+---------------------------------------------+
| Function | State variables written |           Conditions on msg.sender          |
+----------+-------------------------+---------------------------------------------+
|  setCEO  |       ['ceoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCMO  |       ['cmoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCSO  |       ['csoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
|  setCFO  |       ['cfoAddress']    | ['require(bool)(msg.sender == ceoAddress)'] |
+----------+-------------------------+---------------------------------------------+

Slither does not convert correctly return with tuple expression:

contract Test{

    function test(uint a, uint b) returns(uint, uint){
        return(a,b);
    }   

    function test2(uint a) returns(uint){
        return(a);
    }   

    function test3(uint a) returns(uint){
        return a;
    }
}

Only test3 is correctly translated to slithir:

	Function test(uint256,uint256)
		Expression: (a,b)
		IRs:
	Function test2(uint256)
		Expression: (a)
		IRs:
	Function test3(uint256)
		Expression: a
		IRs:
			RETURN a

If a public function is never called, it should be marked as external, so that it can be optimized by solc

• Severity: Informational

Hints:Use slithIR and check:

• the function is never the destination of an InternalCall
• there is no InternalDynamicCall (or ensure that the function is never the destination of an InternalDynamicCall)
• Iterate only over the derived contracts (slither.contracts_derived) to be sure that no inherited contract calls the function

In the printer_human_readable branch we compute the cyclomatic complexity of a function: https://github.com/trailofbits/slither/blob/printer-human-readable/slither/utils/code_complexity.py

We can extend this idea and create a detector that detects complex functions. A complex function could be defined as:

• high cyclomatic complexity (this needs some tests to define what is a high value for a smart contract)
• numerous write to state variables
• numerous external calls

Other metrics are also possible.

• severity: informational

I think it makes more sense to ask, "Hey Slither, can you print vars and auth?" rather than "Hey Slither, can you printer vars and auth?"

It could be useful to show the user how many contracts analyzed in a directory, just to make sure it found the expected files. Right now, slither outputs:

INFO:Slither:somepath/contracts/ analyzed, 0 result(s) found

We could show how many contracts we analyzed:

INFO:Slither:somepath/contracts/ analyzed, 0 result(s) found in XX contracts

1. If I have two contract definitions in a file e.g.

contract C {
function i_am_backdoor(){}
}

contract D {
function i_am_backdoor(){
}
}

The json output doesn't tell me which of the contracts the function in the output belong to
The JSON output looks something like this

{  
      "check":"backdoor",
      "function":{  
         "name":"i_am_a_backdoor",
         "source_mapping":{  
            "start":43,
            "length":74,
            "filename":"/tmp/browser/suicide.sol",
            "lines":[  
               5,
               6,
               7
            ]
         }
      }
   }

it doesn't indicate which contract it belongs to.

2. Add Error Message

It would be great to have the error log messages displayed in the terminal as part of the JSON output.
The current implementation requires having to parse the details and reconstructing the messages.

These two changes are needed for the Slither Remix plugin

In the following example, both contracts have the same outcome, but slither detects an initialized variable in Reference:

contract Reference{
    mapping (uint128 => mapping (uint256 => uint256)) map;

    function init() external{
        mapping(uint256 => uint256) tmp = map[0];
        tmp[0] = 0;
    }
}

contract Direct{
    mapping (uint128 => mapping (uint256 => uint256)) map;
    
    function init() external{
        map[0][0] = 0;
    }
}

The issue is that slither does not track the storage reference created through mapping(uint256 => uint256) tmp = map[0];, while it should.

It is close to the issue #70

I launch program like this:

slither Contract.sol 

and receive an error:
"FileNotFoundError: [Errno 2] No such file or directory: 'solc'"

I have solc installed.

$ solcjs --version
0.4.25+commit.59dbf8f1.Emscripten.clang

But executable is called solcjs, not solc. Or it is something different?

... or via something like (but not exactly) guard.

Low-level calls are more prone to errors

• Severity: Informational

Hint: Use slithIR to detect if an operation is a LowLevelCall

Functions using inline assembly are more prone to errors

• Severity: Informational

hint: Explore the CFG, and check if a node has the ASSEMBLY type

The command line arguments are setup differently than I would expect for Slither. I wonder what people think about changing them? I would have expected some of these changes:

• --detect which takes a comma-separated list indicating the checks to run (default: all)
• --print which takes a comma-separated list of printers to output (default: ???)
• --output which accepts a single parameter of either stdout or json (default: stdout)
• remove exclusion rules entirely
• calling slither with no arguments should print the help
• reorganize the help screen into groups of related parameters for easier reading

• slither version: 0.2.0
• solc version: 0.4.25

In some case slither raises an exception of ternary operation, here is a test file:

pragma solidity ^0.4.24;
contract C{
    function f(uint a)public{
                uint [4][] memory res = new uint[4][]( a>0?1:0);
    }
}

and the trace

  File "/home/zqqz/playground/slither/slither/__main__.py", line 209, in main_impl
    (results, number_contracts) = process(filename, args, detector_classes, printer_classes)
  File "/home/zqqz/playground/slither/slither/__main__.py", line 34, in process
    slither = Slither(filename, args.solc, args.disable_solc_warnings, args.solc_args, ast)
  File "/home/zqqz/playground/slither/slither/slither.py", line 41, in __init__
    self._analyze_contracts()
  File "/home/zqqz/playground/slither/slither/solc_parsing/slitherSolc.py", line 187, in _analyze_contracts
    self._analyze_third_part(contracts_to_be_analyzed, libraries)
  File "/home/zqqz/playground/slither/slither/solc_parsing/slitherSolc.py", line 269, in _analyze_third_part
    self._analyze_variables_modifiers_functions(contract)
  File "/home/zqqz/playground/slither/slither/solc_parsing/slitherSolc.py", line 309, in _analyze_variables_modifiers_functions
    contract.analyze_content_functions()
  File "/home/zqqz/playground/slither/slither/solc_parsing/declarations/contract.py", line 331, in analyze_content_functions
    function.analyze_content()
  File "/home/zqqz/playground/slither/slither/solc_parsing/declarations/function.py", line 850, in analyze_content
    st = SplitTernaryExpression(node.expression)
  File "/home/zqqz/playground/slither/slither/utils/expression_manipulations.py", line 48, in __init__
    self.copy_expression(expression, self.true_expression, self.false_expression)
  File "/home/zqqz/playground/slither/slither/utils/expression_manipulations.py", line 90, in copy_expression
    false_expression.expressions[-1])
  File "/home/zqqz/playground/slither/slither/utils/expression_manipulations.py", line 100, in copy_expression
    false_expression.called)
  File "/home/zqqz/playground/slither/slither/utils/expression_manipulations.py", line 120, in copy_expression
    raise Exception('Ternary operation not handled {}'.format(type(expression)))
Exception: Ternary operation not handled <class 'slither.core.expressions.new_array.NewArray'>

https://github.com/duaraghav8/Solium
https://github.com/protofire/solhint

Right now, most of the travis tests run all the detectors, which can be confusing when a new detector is written.

It would be better to run one detector at the time per testcase

See #34 (comment)

A callgraph printer would show for each function, what are the contracts/functions called.

For example, on

contract ContractA{
    function my_func_a(){}
}

contract ContractB{
    
    ContractA a;
    
    constructor(){
        a = new ContractA();
    }
    
    function my_func_b(){
        a.my_func_a();
        my_second_func_b();
    }
    
    function my_second_func_b(){
    }
}

It should show that ContractB.my_func_b() calls ContractA.my_func_a and ContractB.my_second_func_b()

The printer will output a dot, similar to the inheritance printer.

It's probably more readable to group the functions of a contract into a dot subgraph

https://github.com/trailofbits/manticore/wiki/Ethereum-Detectors

• integer overflows
• invalid instructions
• uninitialized memory
• uninitialized storage
• re-entrancy
• re-entrancy (advanced)
• unused return values
• problematic delegatecalls
• reachable selfdestruct
• reachable externalcall
• potentially unsafe or manipulable instructions
• transaction order dependence