Step-by-Step Guide to Using Securify for Smart Contract Auditing

Table of Contents

1. Prerequisites
2. Installing Securify
3. Preparing a Sample Smart Contract
4. Running Securify on the Smart Contract
5. Interpreting Securify's Output
6. Best Practices and Next Steps

Prerequisites

Before we begin, ensure that your development environment meets the following requirements:

1. Operating System: Linux or macOS. While Securify can run on Windows via WSL (Windows Subsystem for Linux), this guide assumes a Unix-like environment.
2. Java Development Kit (JDK): Securify is built using Java, so you need JDK 8 or higher installed.
3. Git: To clone the Securify repository.
4. Maven: For building the project.
5. Node.js and npm: If you prefer using Docker, these might not be necessary, but having them installed can be helpful for other blockchain development tasks.
6. Docker (Optional): Securify can be run using Docker, which simplifies the setup process.

Installing Required Software

1. Install Java (JDK)

Check if Java is installed:

java -version

sudo apt update

sudo apt install open-11-jdk

2. Install Git

sudo apt install git;

3. Install Maven

sudo apt install maven

4.Install Docker (Optional)

If you prefer using Docker to run Securify, install Docker from Docker's official website.

Installing Securify

There are two primary ways to set up Securify:

1. Building from Source
2. Using Docker

We'll cover both methods so you can choose the one that best fits your preferences.

Method 1: Building Securify from Source

Step 1: Clone the Securify Repository

git clone https://github.com/eth-sri/securify2.git

cd securify2

Note: As of the knowledge cutoff in September 2021, the repository was named securify2. Please verify the latest repository name here.

Step 2: Build the Project

Ensure that you have Maven installed. Then, run:

mvn clean package

This command compiles the source code and packages it into a JAR file located in the target directory.

Step 3: Verify the Installation

After successful compilation, you can verify the installation by running:

java -jar target/securify-cli.jar -h

This should display the help menu for Securify's command-line interface.

Method 2: Using Docker

Using Docker simplifies the setup process by encapsulating all dependencies within a container.

Step 1: Pull the Securify Docker Image

As of the latest information, Securify might not have an official Docker image. However, you can build one yourself.

Create a Dockerfile with the following content:

# Use OpenJDK as the base image

FROM openjdk:11-jre-slim

# Set working directory

WORKDIR /app

# Install required packages

RUN apt-get update && apt-get install -y git maven && rm -rf /var/lib/apt/lists/*

# Clone Securify repository

RUN git clone https://github.com/eth-sri/securify2.git

# Build Securify

WORKDIR /app/securify2

RUN mvn clean package

# Set entrypoint

ENTRYPOINT ["java", "-jar", "target/securify-cli.jar"]

Step 2: Build the Docker Image

Navigate to the directory containing the Dockerfile and run:

docker build -t securify:latest .

This command builds the Docker image and tags it as securify:latest.

Step 3: Verify the Docker Image

Run the help command to verify:

docker run --rm securify:latest -h

You should see Securify's help menu.

Preparing a Sample Smart Contract

For this tutorial, we'll create a simple Solidity smart contract with intentional vulnerabilities to demonstrate how Securify detects issues.

Example: Vulnerable Token Contract

Create a file named VulnerableToken.sol with the following content:

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

/**

* @title VulnerableToken

* @dev Simple ERC20 Token example with intentional vulnerabilities

*/

contract VulnerableToken {

string public name = "VulnerableToken";

string public symbol = "VULN";

uint8 public decimals = 18;

uint256 public totalSupply;

mapping(address => uint256) public balanceOf;

address public owner;

constructor(uint256 _initialSupply) {

owner = msg.sender;

totalSupply = _initialSupply (10 * uint256(decimals));

balanceOf[owner] = totalSupply;

}

/**

* @dev Transfer tokens to a specified address

* Vulnerable to reentrancy attack

*/

function transfer(address to, uint256 value) public returns (bool success) {

require(balanceOf[msg.sender] >= _value, "Insufficient balance");

balanceOf[msg.sender] -= _value;

balanceOf[_to] += _value;

// External call without checks-effects-interactions pattern

(bool sent, ) = _to.call{value: 0}("");

require(sent, "Transfer failed");

return true;

}

/**

* @dev Fallback function to accept Ether

*/

receive() external payable {}

}

Intentional Vulnerabilities:

1. Reentrancy Vulnerability: The transfer function makes an external call to _to without following the checks-effects-interactions pattern, making it susceptible to reentrancy attacks.
2. Lack of Access Control: Functions like transfer do not have access restrictions beyond basic balance checks, which can be problematic in more complex contracts.

Running Securify on the Smart Contract

Now that we have our sample smart contract ready, let's use Securify to audit it.

Using Securify from the Command Line

Assuming you've built Securify from source or have the Docker image ready, follow these steps.

Step 1: Save the Smart Contract

Save the VulnerableToken.sol file in a directory, e.g., ~/smart-contracts/VulnerableToken.sol.

Step 2: Run Securify

Option A: Using Securify Built from Source

Navigate to the Securify directory and run:

java -jar target/securify-cli.jar check --file ~/smart-contracts/VulnerableToken.sol

Option B: Using Docker

Run the Docker container and mount the directory containing the smart contract:

docker run --rm -v ~/smart-contracts:/contracts securify:latest check --file /contracts/VulnerableToken.sol

Explanation of the Command:

• check: Command to perform a security check.
• --file: Specifies the path to the Solidity file to be analyzed.

Step 3: Wait for Analysis

Securify will parse the smart contract, perform pattern identification, formal verification, and vulnerability scanning. This process may take a few moments depending on the contract's complexity.

Using Securify's Web Interface (If Available)

As of the last update, Securify also offers a web-based interface. If available, you can use it as follows:

1. Visit the Securify Web Interface (ensure this is the correct and updated URL).
2. Upload your VulnerableToken.sol file.
3. Click on the "Analyze" or "Run Audit" button.
4. Wait for the analysis to complete and view the results on the dashboard.

Note: The availability and URL of the web interface might have changed. Refer to the official Securify repository for the latest information.

Interpreting Securify's Output

After running the audit, Securify will generate a report detailing the findings. Let's understand the typical sections of the output and what they mean.

Sample Output

Here's a hypothetical example of what Securify's output might look like for our VulnerableToken.sol contract:

Securify - Smart Contract Security Analysis Report

---------------------------------------------------

File: VulnerableToken.sol

Contract: VulnerableToken

Status:

- Reentrancy: Violation detected

- Access Control: Warning - Functions lack proper access restrictions

- Integer Overflow/Underflow: Safe (Solidity ^0.8.0 has built-in checks)

- Unchecked External Calls: Violation detected

- Compliance: ERC20 Standard - Compliant

Detailed Findings:

1. Reentrancy Vulnerability

Description: The transfer function makes an external call to _to without following the checks-effects-interactions pattern, allowing reentrancy attacks.

Recommendation: Update the transfer function to follow the checks-effects-interactions pattern. Consider using reentrancy guards.

2. Unchecked External Calls

Description: External call to _to.call in the transfer function lacks proper validation and could lead to unexpected behaviors.

Recommendation: Ensure that external calls are handled securely. Validate the recipient address and handle return values appropriately.

3. Access Control Warning

Description: Functions lack explicit access control, which might be necessary for administrative functions in more complex contracts.

Recommendation: Implement access control mechanisms like Ownable or Role-Based Access Control (RBAC) for sensitive functions.

Summary:

- High Severity Issues: 2

- Medium Severity Issues: 1

- Low Severity Issues: 0

Understanding the Report

1. Status Section: Provides an overview of various security aspects assessed by Securify, indicating whether each aspect is safe, has warnings, or violations.
2. Detailed Findings: Lists each detected issue with a description and recommended actions to mitigate the vulnerability.
3. Summary: Offers a quick glance at the number and severity of issues detected.

Addressing the Findings

Based on the sample report, here's how you can address the identified vulnerabilities:

1. Reentrancy Vulnerability

Issue: The transfer function performs an external call to _to.call before updating the state, making it vulnerable to reentrancy attacks.

Solution:

• Follow Checks-Effects-Interactions Pattern: Update the state before making external calls.
• Use Reentrancy Guards: Implement a mutex to prevent reentrant calls.

Revised transfer Function Example:

bool private locked = false;

modifier noReentrancy() {

require(!locked, "Reentrant call detected!");

locked = true;

_;

locked = false;

}

function transfer(address to, uint256 value) public noReentrancy returns (bool success) {

require(balanceOf[msg.sender] >= _value, "Insufficient balance");

balanceOf[msg.sender] -= _value;

balanceOf[_to] += _value;

(bool sent, ) = _to.call{value: 0}("");

require(sent, "Transfer failed");

return true;

}

2. Unchecked External Calls

Issue: The external call to _to.call lacks proper validation.

Solution:

• Validate Recipient Address: Ensure _to is not the zero address.
• Handle Return Values Properly: Check the success status of the external call.

Revised transfer Function Example:

function transfer(address to, uint256 value) public noReentrancy returns (bool success) {

require(_to != address(0), "Cannot transfer to the zero address");

require(balanceOf[msg.sender] >= _value, "Insufficient balance");

balanceOf[msg.sender] -= _value;

balanceOf[_to] += _value;

(bool sent, ) = _to.call{value: 0}("");

require(sent, "Transfer failed");

return true;

}

3. Access Control Warning

Issue: Functions lack explicit access control, which could be problematic for administrative functions.

Solution:

• Implement Access Control: Use OpenZeppelin's Ownable contract or Role-Based Access Control (RBAC) to restrict access to sensitive functions.

Implementing Ownable:

import "@openzeppelin/contracts/access/Ownable.sol";

contract VulnerableToken is Ownable {

// Rest of the contract code

/**

* @dev Function to mint new tokens

*/

function mint(address to, uint256 amount) public onlyOwner {

require(_to != address(0), "Cannot mint to the zero address");

balanceOf[_to] += _amount;

totalSupply += _amount;

}

}

Best Practices and Next Steps

Auditing smart contracts using tools like Securify is an essential step in ensuring their security and reliability. However, it's crucial to complement automated audits with manual reviews and adhere to best practices in smart contract development.

Best Practices

1. Follow Solidity Best Practices: Refer to the Solidity documentation for security considerations and best coding practices.
2. Use Reputable Libraries: Leverage well-audited libraries like OpenZeppelin for common functionalities (e.g., ERC20 implementation, access control).
3. Implement Comprehensive Testing: Write unit tests and use testing frameworks like Truffle or Hardhat to ensure your contract behaves as expected.
4. Conduct Multiple Audits: Use multiple auditing tools and consider manual code reviews by security experts to uncover a broader range of vulnerabilities.
5. Stay Updated: Keep abreast of the latest security vulnerabilities and updates in the blockchain ecosystem.

Next Steps

1. Improve Your Smart Contract: Based on the audit findings, revise your smart contract to fix the identified vulnerabilities.
2. Re-Audit: After making changes, run Securify again to ensure that the vulnerabilities have been addressed and no new issues have been introduced.
3. Seek Professional Audits: For high-stakes projects, consider hiring professional security auditors to perform a thorough manual review.
4. Deploy to Test Networks: Before deploying to the mainnet, deploy your contract to test networks like Ropsten or Rinkeby to perform real-world testing.
5. Monitor Post-Deployment: Use monitoring tools to observe the contract's behavior after deployment and respond promptly to any suspicious activities.

Conclusion

Securify is a robust tool that automates the process of auditing smart contracts, identifying potential vulnerabilities, and ensuring compliance with best practices. By following this step-by-step guide, you can leverage Securify to enhance the security of your smart contracts effectively.

Remember, while tools like Securify are invaluable, they should be part of a broader security strategy that includes manual reviews, comprehensive testing, and adherence to best practices. Prioritizing security in your smart contract development process is crucial for building trustworthy and reliable decentralized applications.

Additional Resources

• Securify GitHub Repository: https://github.com/eth-sri/securify2
• Solidity Documentation: https://docs.soliditylang.org/
• OpenZeppelin Contracts: https://github.com/OpenZeppelin/openzeppelin-contracts
• Truffle Suite: https://www.trufflesuite.com/
• Hardhat: https://hardhat.org/