Static Analysis

Threat Detection

Herbicide runs the threat detectors provided by Slither against the Hook and warns about each finding. The following detectors are executed automatically.

Informational Gathering

Slither printers are used to display critical information about the contract's access control. Herbicide runs the following printers automatically to extract and display this information.

Contract Information

  • info-variable

    • Prints the state variables and the functions that use them.

  • info-inline-access-control

    • Checks the require, assert and revert conditions.

  • info-inheritance

    • Prints the contract's inheritance information.

  • info-library

    • Prints the libraries used by the contract.

Semgrep-Solidity + Python

In the Simple Contract Analyzer, users can submit a contract and receive key information processed according to the Semgrep rules predefined by Herbicide. This lets users easily review details about the functions and storage variables declared in

Threat Detection

  • info-layer2-assignee

    • Checks for storage that is reused while the hook is initialized a second time (double initialization).

  • low-call

    • Checks whether the hook makes low-level calls (call, delegatecall, staticcall) to other addresses.

  • getSlot0-check

    • Checks whether the hook calls the getSlot0 function. This is dangerous when the hook acts as an oracle and returns the getSlot0 value as the pool price, because slot0 holds the pool's current spot price, which can be moved within a single transaction.

  • missing-token-transfer-while-burnt

    • Checks whether the hook fails to transfer the underlying token when the token is burnt.

  • missing-onlyPoolManager-modifier

    • Checks whether the onlyPoolManager modifier is missing from the hook callback functions, which would leave them callable by any address instead of only by the PoolManager.

  • misconfigured-hook

    • Checks whether getHookPermissions returns true for a hook function that is not yet implemented.
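To make the last two rules concrete, here is an added example that is not Herbicide's code and not one of its Semgrep rules: a simplified, offline reimplementation of missing-onlyPoolManager-modifier and misconfigured-hook as regular-expression checks over Solidity source text, run against a constructed sample hook. It assumes (not stated on this page) that callback names follow the Uniswap v4 Hooks.Permissions flag names and that the modifier is spelled onlyPoolManager as in the v4-periphery BaseHook; the hook contract, its function names and the `scan`/`permissions`/`functions` helpers are all illustrative.

```python
"""Offline stand-ins for two Herbicide rules (added example, not project code).

The real checks are Semgrep rules over the Solidity AST; here the same two
checks are reimplemented with regular expressions so they run with only the
Python standard library. The sample hook is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Permission flags that have a callback function of the same name. The
# *ReturnDelta flags modify an existing callback and have no function of
# their own, so they are deliberately not listed.
CALLBACKS = frozenset({
    "beforeInitialize", "afterInitialize",
    "beforeAddLiquidity", "afterAddLiquidity",
    "beforeRemoveLiquidity", "afterRemoveLiquidity",
    "beforeSwap", "afterSwap",
    "beforeDonate", "afterDonate",
})

# A function header: `function name(params) attrs {` where attrs carries the
# visibility, modifiers and returns clause (regex simplification, no comment
# stripping, overloads collapse onto one name).
FUNC_RE = re.compile(r"function\s+(?P<name>\w+)\s*\([^)]*\)\s*(?P<attrs>[^{;]*)[{;]")
# The struct literal returned by getHookPermissions and its `flag: bool` fields.
PERMS_RE = re.compile(r"Hooks\.Permissions\s*\(\s*\{(?P<body>.*?)\}\s*\)", re.S)
FIELD_RE = re.compile(r"(?P<flag>\w+)\s*:\s*(?P<val>true|false)")


@dataclass(frozen=True)
class Finding:
    rule: str
    function: str
    message: str


def permissions(src: str) -> dict[str, bool]:
    """Flags declared in the Hooks.Permissions literal (empty if none found)."""
    m = PERMS_RE.search(src)
    if not m:
        return {}
    return {f: v == "true" for f, v in FIELD_RE.findall(m.group("body"))}


def functions(src: str) -> dict[str, str]:
    """Map each declared function name to its attribute text."""
    return {m.group("name"): m.group("attrs") for m in FUNC_RE.finditer(src)}


def check_missing_only_pool_manager(src: str) -> list[Finding]:
    """missing-onlyPoolManager-modifier: a callback any address can invoke."""
    return [
        Finding("missing-onlyPoolManager-modifier", name,
                f"{name} has no onlyPoolManager modifier; any address can call it")
        for name, attrs in functions(src).items()
        if name in CALLBACKS and not re.search(r"\bonlyPoolManager\b", attrs)
    ]


def check_misconfigured_hook(src: str) -> list[Finding]:
    """misconfigured-hook: a flag is true but the callback is not implemented."""
    implemented = functions(src).keys()
    return [
        Finding("misconfigured-hook", flag,
                f"getHookPermissions enables {flag} but the hook does not implement it")
        for flag, on in permissions(src).items()
        if on and flag in CALLBACKS and flag not in implemented
    ]


def scan(src: str) -> list[Finding]:
    """Run both checks and return their findings, rule by rule."""
    return check_missing_only_pool_manager(src) + check_misconfigured_hook(src)


# Constructed sample: beforeSwap is callable by anyone (the counter can be
# inflated without a swap) and afterSwap is enabled but never implemented.
SAMPLE_HOOK = """
contract CountingHook is BaseHook {
    uint256 public swaps;

    function getHookPermissions() public pure override returns (Hooks.Permissions memory) {
        return Hooks.Permissions({
            beforeInitialize: false, afterInitialize: false,
            beforeAddLiquidity: false, afterAddLiquidity: false,
            beforeRemoveLiquidity: false, afterRemoveLiquidity: false,
            beforeSwap: true, afterSwap: true,
            beforeDonate: false, afterDonate: false,
            beforeSwapReturnDelta: false, afterSwapReturnDelta: false,
            afterAddLiquidityReturnDelta: false, afterRemoveLiquidityReturnDelta: false
        });
    }

    function beforeSwap(address, PoolKey calldata, IPoolManager.SwapParams calldata, bytes calldata)
        external override returns (bytes4, BeforeSwapDelta, uint24)
    {
        swaps += 1;
        return (BaseHook.beforeSwap.selector, BeforeSwapDeltaLibrary.ZERO_DELTA, 0);
    }
}
"""

# The same hook with both defects fixed: modifier added, unused flag disabled.
FIXED_HOOK = re.sub(
    r"\boverride\b(?=\s+returns \(bytes4)", "override onlyPoolManager", SAMPLE_HOOK
).replace("afterSwap: true", "afterSwap: false")


if __name__ == "__main__":
    for label, hook in (("vulnerable", SAMPLE_HOOK), ("fixed", FIXED_HOOK)):
        print(f"== {label}: {len(scan(hook))} finding(s)")
        for f in scan(hook):
            print(f"  [{f.rule}] {f.function}: {f.message}")
```

The two findings on the sample are the failure modes the rules above describe: without onlyPoolManager, `beforeSwap` can be called directly to mutate hook state that is supposed to change only when the PoolManager drives a swap; and an enabled `afterSwap` flag with no implementation falls through to the BaseHook default, which reverts, so every swap routed through the pool fails. A regex scanner of this kind is only a stand-in: it does not strip comments or resolve inheritance, which is why the real rules operate on the AST through Semgrep.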
