truffle-sca2t (Smart Contract Audit Assistant Tool): A set of utilities for auditing Solidity contracts.
truffle-sca2t is a plugin of Truffle framework and an assistant tool for smart contract auditing. It provides some utilities to help your smart contract auditing and make your smart contract more secure and safe. The plugin is compatible with Truffle 5.0 or higher.
sca2t pronunciation is like skärt
.
Install it via npm:
$ npm install truffle-sca2t
If you want to install it globally, you need to install it with the mocha test framework and the report generator mocha-simple-html-reporter.
$ npm install -g truffle-sca2t mocha mocha-simple-html-reporter
Add "truffle-sca2t"
to the list of plugins in truffle-config.js
in the root directory of your Truffle project. If you don't have any other plugins,
your configuration would get changed to something like:
module.exports = {
plugins: [ "truffle-sca2t" ],
/* truffle by default adds other stuff here below like... */
/**
* Networks define how you connect to your ethereum client and let you set the
* defaults web3 uses to send transactions. If you don't specify one truffle
...
};
If you have other plugins already installed, like my-awesome-plugin
the plugins
line would look like:
plugins: [ "truffle-sca2t", "my-awsome-plugin" ],
This command can be used in 3 ways.
The mythx
command submits contract code to the MythX service. MythX reports back potential vulnerabilities and errors in a MythX log.
After this completes you can check the results using npm run test:security
.
This two-step process can easily be integrated into your CI since it does not depend on specific CI products such as Circle CI, Travis CI or Jenkins. If you'd like to set up for CircleCI CI testing, see this CircleCI configuration file. Here is a failure CircleCI run.
The mythx
command generates a Postman Collection File which can be used in testing.
See Postman Support for more information.
If you just want to use this as a MythX client tool, you can use the command line interface mode. See Command Line Interface Mode for more information.
See Command Line Interface Mode.
To run the examples in this section, do the following first:
$ git clone git@github.com:tagomaru/truffle-sca2t-sample.git
Cloning into 'truffle-sca2t-sample'...
...
Resolving deltas: 100% (1/1), done.
$ cd truffle-sca2t-sample
You can set up an account on the MythX website to get full access.
After setting up an account, set the following environment variables to your ETH address and password (add this to your .bashrc
or .bash_profile
for added convenience):
export MYTHX_ETH_ADDRESS=0x1234567891235678900000000000000000000000
export MYTHX_PASSWORD='Put your password in here!'
$ truffle run mythx A.sol
or you can give multiple contracts:
$ truffle run mythx A.sol C.sol
The below is the same as the above but with explicit paths. Use the "tab" key for autocompletion.
$ truffle run mythx contracts/A.sol contracts/C.sol
Although you can list multiple contracts, the plugin mythx
command will automatically include files that have dependencies. For example,
A.sol
:
pragma solidity ^0.5.0;
import "./C.sol";
contract A is C {}
contract B {}
C.sol
:
pragma solidity ^0.5.0;
contract C {
uint public a;
function add(uint b) public {
a = a + b;
}
}
The command truffle run mythx A.sol
generates test code file test_A.sol_.js
; in doing so it sees that A.sol
imports C.sol
.
The test code file then sends AST and source code for not only A
but also C
to MythX API at the same time. You can see the data sent here.
Therefore in the command-line invocations given above the first command truffle run mythx A.sol
is equivalent to the two other examples below it.
This command automatically generates sca2t configuration file,sca2t-config.js
, in your project root if there is none already. In that nodejs file, you can customize the report format, add SWCs that MythX should not report, and so on.
After test code files are successfully generated from the mythx
command, you can then run mocha test this way:
$ npm run test:security
If you want a beautiful HTML report (recommended), execute the below command.
$ npm run test:security:html
security-report.html
is generated on your project root. The report file of A
looks like this - as you can see, the file reports the vulnerability of C
:
And you can see the report here.
Sometimes MythX takes a long time to analyze contracts, or you might like to see a report for a job that was submitted in the past. When you submit a MythX job you should get a UUID back. With this UUID you can get a report like this:
$ truffle run mythx --uuid='your UUID'
Postman is a tool for working with MythX at the API level. You can set HTTP headers, see HTTP responses for HTTP GET
s, and POST
s and so on. This is great for seeing what goes over the network at the HTTP level. You can also use this for testing instead of using mocha
.
Use the --postman
option to create a Postman Collection which can be used in testing to see that no contracts have vulnerabilities.
For example:
$ truffle run mythx contracts/A.sol --postman
Generating Postman collection file:... done.
Please import ./pm-collection-mythx.json in Postman
Also, you should set an ethAddress and password in Postman environment variables.
As before, you can create a Postman collection with multiple Solidity contracts:
$ truffle run mythx contracts/A.sol contracts/C.sol --postman
As before, if C.sol
is imported by A.sol
then it need not be listed explicitly.
Import the generated file in Postman. You need to set ethAddress
and
password
to the values in your MythX account as Postman environment variables.
Currently, this supports the below requests.
- login
- submit analysis
- get status
- get issues
If you do not want test a code file and just want the results, add the --cli
option.
$ truffle run mythx A.sol --cli
The--markdown
option gives the results in markdown format.
$ truffle run mythx A.sol --cli --markdown
- report image
The sample is here
(the emoji
is optional).
Run truffle run mythx --help
to show advanced configuration options.
$ truffle run mythx --help
Usage: truffle run mythx [*file-name1* [*file-name2*] ...]
e.g.: truffle run mythx contracts/A.sol contracts/sub/C.sol
Options:
--help print help.
--uuid get analysis report with UUID.
--postman generate Postman collection file.
--cli analyze in cli mode.
--markdown generate markdown format report in cli mode.
--emoji insert emoji in markdown format report. (Only support GitHub Flavored Markdown)
The dependencies
command outputs a diagram in HTML to visualize dependencies among contracts. Boxes shown in the report are draggable to allow you to reorganize the display as you like. Information such as contracts, functions, dependencies of inheritance, declarations, and user-definded types are shown. Contracts and functions in EthPM and NPM packages are included in searching for information.
$ truffle run dependencies A.sol
or as before with several contracts:
$ truffle run dependencies A.sol C.sol
The eventgen
can help you track contract and function calls. It changes the Solidity contract file(s). Specifically it wraps tracing instrumentation around functions and contracts, after first prompting if you would like a backup of the Solidity files to be changed. View functions are not wrapped.
$ truffle run eventgen contracts/A.sol contracts/C.sol
or to run eventgen
over all Solidity files:
$ find contracts -name "*.sol" | xargs truffle run eventgen
MIT