[STABLE-7559]: Migrate from Slither to Mythril for static analysis (#51)

tongshi · web-flow · commit 4b2eb0cb6eab · 2024-11-21T11:41:53.000-08:00
### Summary
Migrate from Slither to Mythril for static analysis

### Detail
- update Makefile command and update CI
- remove Slither relevant configs and add Mythril config
- update Readme
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,13 +27,45 @@ jobs:
       - name: Run Unit Tests
         run: make test
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
       - name: Run Integration Tests
         run: make anvil-test
 
-      - name: Run Slither
-        uses: crytic/slither-action@v0.3.0
+  analyze-message-transmitter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Run Static Analysis on Message Transmitter
+        run: make analyze-message-transmitter
+
+  analyze-token-messenger-minter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          fail-on: none
+          python-version: '3.10'
+
+      - name: Run Static Analysis on Token Messenger Minter
+        run: make analyze-token-messenger-minter
 
   scan:
     needs: lint-and-test
diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@ deploy:
 
 anvil:
 	docker rm -f anvil || true
-	@${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"	
+	@${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"
 
 anvil-test: anvil
 	pip3 install -r requirements.txt
@@ -31,10 +31,15 @@ cast-call:
 
 cast-send:
 	@docker exec anvil cast send ${contract_address} "${function}" --rpc-url http://localhost:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
-	
+
 clean:
 	@${FOUNDRY} "forge clean"
 
-analyze:
-	pip3 install -r requirements.txt
-	slither .
+analyze-message-transmitter:
+	pip3 install mythril==0.24.8
+	myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6
+
+analyze-token-messenger-minter:
+	pip3 install mythril==0.24.8
+	myth -v4 analyze src/TokenMessenger.sol --solc-json mythril.config.json --solv 0.7.6
+	myth -v4 analyze src/TokenMinter.sol --solc-json mythril.config.json --solv 0.7.6
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ Run `make anvil-test` to setup `anvil` test node in docker container and run int
 Run `yarn lint` to lint all `.sol` files in the `src` and `test` directories.
 
 ### Static analysis
-Run `make analyze` to set up Python dependencies from `requirements.txt` and run Slither on all source files, requiring the foundry cli to be installed locally. If all dependencies have been installed, alternatively run `slither .` to run static analysis on all `.sol` files in the `src` directory.
+Run `make analyze-{message-transmitter | token-messenger-minter}` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes.
 
 ### Continuous Integration using Github Actions
 We use Github actions to run linter and all the tests. The workflow configuration can be found in [.github/workflows/ci.yml](.github/workflows/ci.yml)
@@ -79,4 +79,4 @@ The contracts are deployed using [Forge Scripts](https://book.getfoundry.sh/tuto
 3. Run `make deploy RPC_URL=<RPC_URL> SENDER=<SENDER>` to deploy the contracts
 
 ## License
-For license information, see LICENSE and additional notices stored in NOTICES.
+For license information, see LICENSE and additional notices stored in NOTICES.
diff --git a/mythril.config.json b/mythril.config.json
@@ -0,0 +1,8 @@
+{
+  "remappings": [
+    "@memview-sol/=lib/memview-sol/",
+    "@openzeppelin/=lib/openzeppelin-contracts/",
+    "ds-test/=lib/ds-test/src/",
+    "forge-std/=lib/forge-std/src/"
+  ]
+}
diff --git a/requirements.txt b/requirements.txt
@@ -34,7 +34,6 @@ requests==2.28.1
 rlp==2.0.1
 semantic-version==2.10.0
 six==1.16.0
-slither-analyzer==0.8.3
 toolz==0.12.0
 urllib3==1.26.11
 varint==1.0.2
diff --git a/slither.config.json b/slither.config.json
