Must-Have Smart Contract Auditing Tools for Auditors and Developers

BuildBear
5 min read

Over 1 billion dollars were lost in 2023 due to smart contract vulnerabilities. Web3 security is crucial for blockchain adoption, and using appropriate security tools is essential for identifying vulnerabilities in smart contracts.

This article presents a compilation of the most popular and widely utilized tools in Web3 security.

Contract Fuzzer

Fuzzing is a proven technique for detecting vulnerabilities in smart contracts: it exercises a contract with a wide range of generated inputs to uncover abnormal behavior indicative of bugs.

ContractFuzzer can identify several vulnerabilities, including Gasless Send, Exception Disorder, Reentrancy, Timestamp and Block Number Dependencies, Dangerous delegateCall, and Freezing Ether contract issues.

Echidna

Echidna is used for fuzzing and property-based security testing of smart contracts. It verifies if contracts adhere to specific rules and aims to pinpoint issues within them.

What Echidna is good at:

  • Finding issues in smart contracts.

  • Testing contracts made with different tools like Truffle or Hardhat.

What Echidna is not so good at:

  • Can be slow with big contracts.

  • May not work well with contracts that use a lot of external libraries.

  • Doesn’t work well with the Vyper programming language.

Foundry Fuzz

Forge enables efficient property-based testing, focusing on general behaviors rather than specific cases.

What Forge is good at:

  • Fast testing with Forge.

  • Customizations, like adjusting test frequency, enhance efficiency.

  • Handler-based testing for cross-contract interaction invariants.

What Forge is not so good at:

  • Manual input range adjustments may be needed in some cases as Forge may not always select the correct values automatically.
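As an added example (not code from the article or from the Echidna or Foundry projects), here is one constructed vault contract tested both ways: an Echidna property contract, and a Forge fuzz test that uses `bound()` to apply the manual input range adjustment described above. It assumes a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed target: a minimal vault whose ether balance must always equal totalDeposits.
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Echidna: a property is a view function named echidna_* that returns bool. Echidna
// calls deposit/withdraw in random sequences and reports any sequence that makes it false.
contract VaultEchidna is Vault {
    function echidna_balance_matches_deposits() public view returns (bool) {
        return address(this).balance == totalDeposits;
    }
}

// Forge: every parameter of a test function is fuzzed. bound() is the manual range
// adjustment mentioned above; without it most random pairs would simply revert on
// withdraw's require() and exercise nothing.
contract VaultForgeTest is Test {
    Vault internal vault;
    function setUp() public { vault = new Vault(); }

    function testFuzz_withdrawKeepsAccounting(uint256 dep, uint256 wd) public {
        dep = bound(dep, 1, 100 ether);
        wd = bound(wd, 0, dep);
        vm.deal(address(this), dep);
        vault.deposit{value: dep}();
        vault.withdraw(wd);
        assertEq(vault.balances(address(this)), dep - wd);
        assertEq(address(vault).balance, vault.totalDeposits());
    }
    receive() external payable {} // withdraw() pays this test contract back
}
```

Run the Forge part with `forge test --match-test testFuzz_` and the Echidna part with `echidna . --contract VaultEchidna`; both report the failing input or call sequence when the property breaks.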

Other Useful Tools: ChainFuzz & sFuzz

Dynamic & Static Analysis:

Slither

  • Slither is excellent at spotting vulnerabilities with minimal false alarms and speedy execution, typically under 1 second per contract (duration varies with complexity).

  • Slither supports Solidity versions from 0.4 onwards, making it versatile for auditing various smart contracts.

  • Slither easily integrates into CI/CD setups, streamlining automation and aiding developers.

  • Slither can uncover vulnerabilities like suicidal functions, uninitialized state/storage variables, transactions sending ether to unknown destinations, reentrancy threats, ether-locking contracts, and improper usage of tx.origin.
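To make one of those findings concrete, here is an added example (constructed for this article, not from the Slither project) of the tx.origin misuse Slither reports, next to the corrected contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: the pattern Slither's tx-origin detector reports.
// tx.origin is the externally owned account that started the transaction, so
// any contract the owner happens to interact with can reach withdrawAll() on
// the owner's behalf and this check still passes.
contract WalletTxOrigin {
    address public owner = msg.sender;

    function withdrawAll(address payable to) external {
        require(tx.origin == owner, "not owner"); // flagged by Slither: tx-origin
        to.transfer(address(this).balance);
    }

    receive() external payable {}
}

// Hardened version: msg.sender is the immediate caller, so only the owner
// account itself (not an intermediary contract) passes the authorization check.
contract WalletMsgSender {
    address public owner = msg.sender;

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }

    receive() external payable {}
}
```

Running `slither .` on a project containing the first contract lists the `tx-origin` finding with the offending line; the second contract produces no such result.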

Mythril

  • Developed by ConsenSys in Python, Mythril is a leading smart contract auditing tool.

  • Simple installation via pip, with advanced analysis techniques such as symbolic execution and taint analysis.

  • Compatible with multiple blockchains utilizing EVM bytecode, not limited to Ethereum.

  • Mythril can start an analysis directly from a deployed contract’s address, and excels at detecting vulnerabilities like transaction order dependency, random number issues, and reentrancy threats.

SolidityScan

SolidityScan is a cloud-based smart contract vulnerability scanner designed to uncover vulnerabilities and facilitate the publication of audit reports following vulnerability mitigations.

The report generated by SolidityScan is a comprehensive audit report containing detailed information about potential security vulnerabilities within your code. Additionally, SolidityScan provides a security score that aids in assessing the security status of contracts. This allows developers to rescan their contracts after addressing issues to improve their score and share the audit report with the community.

Additionally, here are some other noteworthy tools:

VS Code Extensions

These VS Code extensions can help you find bugs efficiently and enhance your workflow:

Solidity Visual Developer

  • This is a must-have extension for smart contract auditors.

  • It offers security-focused syntax and semantic highlighting.

  • Provides a detailed class outline, specialized views, and advanced Solidity code insights.

  • Enhances Visual Studio Code for Solidity development.

Slither VSC

  • Integrates Slither into Visual Studio Code.

  • Run vulnerability detectors on Solidity smart contracts and get suggested fixes.

  • Offers a cleaner view of identified bugs compared to the CLI version of Slither.

  • Highly recommended if you use Slither for auditing.

EthOver

  • Simplifies viewing details of hardcoded addresses in smart contracts.

  • Saves time by eliminating the need to repeatedly copy and paste addresses on Etherscan.

  • Streamlines integration with smart contracts.

Mythx VSC

  • An extension for running MythX smart contract analysis directly from Visual Studio Code.

EthLint

  • Analyzes Solidity code for style and security best practices.

  • Automatically corrects issues when detected.

  • Offers a command-line interface for linting contracts.

Additionally, you can explore other useful tools like Inline Bookmarks, Solidity Metrics, GraphViz Interactive, solidity-coverage, and Prettier with the Solidity plugin.

Auditing Books and Guides:

  • The Auditors Book: This compilation gathers the finest discoveries from independent security researchers at Code4rena and Sherlock.

  • Audit Checklist: A comprehensive checklist outlining key aspects to examine during the audit of Solidity smart contracts.

  • Solidity Attack Vectors: An open-source repository dedicated to exploring Solidity attack vectors, providing valuable insights into potential vulnerabilities and security threats.

BuildBear

BuildBear lets you create a personalized and private Testnet tailored to your specific requirements. Here’s why BuildBear stands out:

  • BuildBear Faucet: Instantly access Native and Popular ERC20 Testnet tokens through the BuildBear Faucet.

  • Forking Mainnets: With BuildBear, you can effortlessly fork various EVM-compatible chains, including Ethereum, Polygon, Arbitrum, Optimism, Fantom, Binance, and Avalanche, all with a simple click.

  • Faster Transactions: Enjoy accelerated transaction speeds with BuildBear. Execute standard test scripts involving 10 transactions in under 26 seconds, compared to the 2+ minutes typically required on public Testnets like Sepolia.

In conclusion, it’s a highly advisable practice to employ auditing tools at the outset to identify and eliminate common vulnerabilities. However, solely relying on their outcomes can be a significant oversight. While many tools in the market excel at detecting pattern-based vulnerabilities, they may overlook other types, particularly those tied to the business logic. As a result, conducting a manual security assessment on your smart contract once it’s functioning correctly becomes imperative in preventing potential future breaches.

If you notice any missing tools, please send us a message.

If you support our efforts, please consider following us on Twitter and LinkedIn. If you haven’t already, we invite you to join our Telegram group by clicking here.


Written by

BuildBear

BuildBear is a platform for testing dApps at scale, for teams. It provides users with their own private Testnet to test their smart contracts and dApps, which can be forked from any EVM chain. It also provides a Faucet, Explorer, and RPC for testing purposes.