This project is no longer maintained. Please consider using SmartBugs instead.
SmartBugs is an execution framework aiming at simplifying the execution of analysis tools on datasets of smart contracts.
- A plugin system to easily add new analysis tools, based on Docker images;
- Parallel execution of the tools to speed up the execution time;
- An Output mechanism that normalizes the way the tools are outputting the results, and simplify the process of the output across tools.
- HoneyBadger
- Maian
- Manticore
- Mythril
- Osiris
- Oyente
- Securify
- Slither
- Smartcheck
- Solhint
The first step is to clone SmartBugs Dashboard's repository:
git clone https://github.com/smartbugs/smartbugs-dashboard.git
SmartBugs requires to have installed Python3 and Docker. Docker should be running. To install all the requirements, you can execute:
pip3 install -r smartbugs/requirements.txt
Then run:
npm install
npm run smartbugs
When running a tool the user must be aware of the solc compatibility. Due to the major changes introduced in solidity v0.5.0, we provide the option to pass another docker image to run contracts with solidity version below v0.5.0. However, please note that there may still be problems with the solidity compiler when compiling older versions of solidity code.
We propose two dataset a smart contract dataset with SmartBugs. The first dataset contains 69 annotated contracts to evaluate the accuracy of analysis tools. The second dataset contains 47,518 unique contract from the Ethereum network.
The results of the analysis on 47,587 contracts is available here: https://github.com/smartbugs/smartbugs-wild
SB Curated provides a collection of vulnerable Solidity smart contracts organized according to the DASP taxonomy. It is available in the dataset repository.
| Vulnerability | Description | Level |
|---|---|---|
| Reentrancy | Reentrant function calls make a contract to behave in an unexpected way | Solidity |
| Access Control | Failure to use function modifiers or use of tx.origin | Solidity |
| Arithmetic | Integer over/underflows | Solidity |
| Unchecked Low Level Calls | call(), callcode(), delegatecall() or send() fails and it is not checked | Solidity |
| Denial Of Service | The contract is overwhelmed with time-consuming computations | Solidity |
| Bad Randomness | Malicious miner biases the outcome | Blockchain |
| Front Running | Two dependent transactions that invoke the same contract are included in one block | Blockchain |
| Time Manipulation | The timestamp of the block is manipulated by the miner | Blockchain |
| Short Addresses | EVM itself accepts incorrectly padded arguments | EVM |
| Unknown Unknowns | Vulnerabilities not identified in DASP 10 | N.A |
SB Wild is available in a separated repository due to its size: https://github.com/smartbugs/smartbugs-wild
At present, we officially aim to support the last two versions of the following browsers:
