Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regarding the issues during the slither detection process #2437

Closed
zhangzone opened this issue Apr 22, 2024 · 1 comment
Closed

Regarding the issues during the slither detection process #2437

zhangzone opened this issue Apr 22, 2024 · 1 comment
Labels
question Further information is requested

Comments

@zhangzone
Copy link

When conducting detection and analysis of contracts, does Slither convert contract code into a graph structure for analysis?

@0xalpharush
Copy link
Contributor

0xalpharush commented Apr 23, 2024

This is somewhat related to a previous question #2364 for background. Some detectors explore the control flow graph to gather information and visit all of their successors e.g.:

def call_in_loop(
node: Optional[Node], in_loop_counter: int, visited: List[Node], ret: List[Node]
) -> None:
if node is None:
return
if node in visited:
return
# shared visited
visited.append(node)
if node.type == NodeType.STARTLOOP:
in_loop_counter += 1
elif node.type == NodeType.ENDLOOP:
in_loop_counter -= 1
if in_loop_counter > 0:
for ir in node.all_slithir_operations():
if isinstance(ir, (LowLevelCall, HighLevelCall, Send, Transfer)):
if isinstance(ir, LibraryCall):
continue
ret.append(ir.node)
if isinstance(ir, (InternalCall)):
assert ir.function
call_in_loop(ir.function.entry_point, in_loop_counter, visited, ret)
for son in node.sons:
call_in_loop(son, in_loop_counter, visited, ret)

It really depends on what you're trying to accomplish. Slither doesn't have a graph of data dependencies but you could think of each operation's result as creating an edge i.e. result = expression creates an edge (result, operation) and the taint analysis is asking "is their a path in the graph from the source to the variable in question" (a reachability query). That is, a variable's dependencies are the transitive closure of its parents.

This recording explains some of how to write an analysis/detector
https://www.youtube.com/watch?v=sC7CHMSP3Dg&t=526s

@0xalpharush 0xalpharush added the question Further information is requested label Apr 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants