Smart contracts are self-executing pieces of code deployed on a blockchain. Ethereum-compatible blockchains such as Celo are free from censorship, downtime, and third-party interference. Since the invention of smart contracts, there has been tremendous growth in how software is perceived. Mistakes in smart contracts can be costly. Undetected bugs and risks ranging from low to critical in severity can cause devastating effects on the network participants technically and financially hence, it is crucial for developers to thoroughly scrutinize contracts code before deploying it onto live networks.
This piece guides you through working with smart contracts analytical tool called Smartcheck. The context of this write-up requires that you are at least an intermediate in smart contracts development. If you’re a newbie, I recommend starting from here and here.
Beforee you proceed, I assume you run a computer with linus-based operating system. If you run window OS, please follow this guide to set up linux distribution on your device.
The following tools are recommended and should be installed prior to this stage.
Note: To properly set up things, I recommend using Ubuntu 20.04.06 or later. I had trouble getting it right using Windows OS. This might not be your case, but research shows Linux OS is better.
What is Smartcheck?
Smartcheck is an extensible static analysis tool for detecting bugs, vulnerabilities, and other issues in smart contract code written in solidity language. _It is described in the academic paper titled
“SmartCheck: Static Analysis of Ethereum Smart Contracts”_ as released on May 27, 2018.
Note: Tutorials on Smartcheck installation is very limited, hence the installation guide specified here may not work as at today.
Carefully adhere to the following steps to get Smartcheck working for you.
- Assume you have installed Ubuntu, launch the command line.
- Check that
Apache Maven is installed.
You should see a response as shown in the image, otherwise, follow this guide to download Maven.
- Check that Java SDK is installed.
If otherwise, run the following command from the Ubuntu terminal.
sudo apt install openjdk-8-jdk
Check again to ensure Java is installed.
There is a zip file for Smartcheck that contains all the files and dependencies you need to get the tool running. Download and extract the file to the desired location.
From the Ubuntu terminal, navigate into the folder, then open in VSCode using the command.
Your file structure should be like this.
- In the current directory, run
yarnto install the dependencies.
At this point, we have the Smartcheck tool fully set up. The tool is targeted at smart contract codes written in solidity. Good enough, Smartcheck allows us to invoke its command on code using their paths.
In the same project directory, make a new folder for the hardhat project or simply create a
.sol file anywhere. I prefer the former method. Be sure to have yarn or NPM installed.
- Install Hardhat
yarn add hardhat
- Create Hardhat project
Lock.sol file under
contracts. When all is set, it’s time to run the analysis.
- In the terminal, move into the
targetfolder, inside it is a couple of files and folders. We need the
smartcheck-2.1-SNAPSHOT-jar-with-dependencies.jarto make the invocation. Run the following command and specify the path to the contract file.
For me, the path reads:
java -jar smartcheck-2.1-SNAPSHOT-jar-with-dependencies.jar -p /home/bobelr/celosage/smart-contract-security-on-celo-with-smartcheck/hardhat/contracts/Lock.sol
After running the command, the analysis is performed, and you can see the following issues detected.
Three issues were found.
All vulnerabilities found are warnings marked as 1 in the severity region.
- Compiler issue not fixed.
This is a warning about floating pragma. A quick check on the
Lock.sol, we can see that a specific version of the compiler was not specified. This was marked
1 in severity level.
- Prefer external to public visibility level
External functions are often cheaper to call than their public counterparts hence the warning.
- Implicit visibility level
You should always endeavor to explicitly provide visibility for functions, variables in the state, and mappings.
So far, we have learned how to :
Install and set up Smartcheck.
Analyze smart contracts and catch vulnerabilities using the same tool.
Analyze more solidity code. Did you notice any change? Try to explore more vulnerabilities in the contract, and share with us on Discord.
To learn how to deploy your dream project on the Celo blockchain, visit the Celo academy
Isaac Jesse , aka Bobelr is a smart contract/Web3 developer. He has been in the field since 2018, worked as an ambassador with several projects like Algorand and so on as a content producer. He has also contributed to Web3 projects as a developer.