pallet-verifier
is a tool for detecting common security vulnerabilities and insecure patterns in
FRAME pallets using static program analysis techniques like data-flow analysis,
abstract interpretation and symbolic execution.
FRAME pallets are modules used to build/compose Substrate-based blockchains.
NOTE: 🚧 This project is still work in progress, check back over the next few weeks for regular updates.
NOTE: pallet-verifier
requires a Clang
binary that supports WebAssembly
.
On macOS
, the Clang
binary from Xcode
doesn't support WebAssembly
, so you'll need to install
clang/llvm
via homebrew
and add it to your PATH
.
NOTE: On platforms where gcc
is the default C
compiler (e.g. Debian and Ubuntu),
make sure the gcc-multilib
package is also installed.
git clone https://github.com/davidsemakula/pallet-verifier.git
cd pallet-verifier
cargo install --locked --path ./
Run the following command from the crate root of a FRAME pallet
(i.e. the directory that contains the Cargo.toml
file for the FRAME pallet).
cargo verify-pallet
NOTE: pallet-verifier
compiles the target FRAME pallet code in "test mode" (i.e. the equivalent of running
cargo test
or rustc --test
), so you'll need to ensure that all prerequisites for test compilation
are installed and/or configured properly, otherwise compilation will fail.
cargo verfiy-pallet
subcommand help text.
A tool for detecting common security vulnerabilities and insecure patterns in FRAME pallets using static program analysis techniques.
Usage: cargo verify-pallet
Options:
-h, --help Print help
-V, --version Print version
--pointer-width <32|64> The pointer width for the target execution environment
You can access library documentation locally by running the following command from the project root
cargo doc --no-deps --open
To learn more about how pallet-verifier
works under the hood, check out ARCHITECTURE.md (see also).
You can run UI tests by running the following command from the project root
cargo test
Check out TESTING.md for more details.
Licensed under either MIT or Apache-2.0 license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
🌱 Funded by: the Web3 Foundation.