Smart Contract Security on Celo with SmartCheck


Introduction

Smart contracts are self-executing pieces of code deployed on a blockchain. Ethereum-compatible blockchains such as Celo are free from censorship, downtime, and third-party interference. Since the invention of smart contracts, there has been tremendous growth in how software is perceived. Mistakes in smart contracts can be costly: undetected bugs, ranging from low to critical in severity, can have devastating technical and financial effects on network participants. It is therefore crucial for developers to scrutinize contract code thoroughly before deploying it onto live networks.

Prerequisites

This piece guides you through working with a smart contract analysis tool called SmartCheck. It assumes you are at least an intermediate smart contract developer. If you’re a newbie, I recommend starting from here and here.

Requirements

Before you proceed, I assume you are running a computer with a Linux-based operating system. If you run Windows, please follow this guide to set up a Linux distribution on your device.

The following tools are recommended and should be installed before this stage.

Note: To set things up properly, I recommend using Ubuntu 20.04.06 or later. I had trouble getting it right on Windows. This might not be your case, but my research suggests Linux is the better choice.

What is SmartCheck?

SmartCheck is an extensible static analysis tool for detecting bugs, vulnerabilities, and other issues in smart contract code written in Solidity. It is described in the academic paper titled “SmartCheck: Static Analysis of Ethereum Smart Contracts”, released on May 27, 2018.

Installing

Note: Tutorials on SmartCheck installation are very limited, so the installation guide given here may not work as of today.

Carefully follow the steps below to get SmartCheck working for you.

Steps

  1. Assuming you have installed Ubuntu, launch the command line.

  2. Check that Apache Maven is installed.

     mvn -version

     You should see a response as shown in the image; otherwise, follow this guide to download Maven.

  3. Check that the Java Development Kit (JDK) is installed.

     java -version

     If it is not, run the following command from the Ubuntu terminal.

     sudo apt install openjdk-8-jdk

     Check again to ensure Java is installed.

  4. There is a zip file for SmartCheck that contains all the files and dependencies you need to get the tool running. Download and extract the file to the desired location.

  5. From the Ubuntu terminal, navigate into the folder, then open it in VSCode with the command.

     code .

     Your file structure should look like this.

     (screenshot: file structure)

  6. In the current directory, run yarn to install the dependencies.

At this point, SmartCheck is fully set up. The tool targets smart contract code written in Solidity, and conveniently, SmartCheck lets you invoke it on a contract simply by passing the file’s path.

In the same project directory, make a new folder for a Hardhat project, or simply create a .sol file anywhere. I prefer the former. Be sure to have Yarn or npm installed.

Hardhat Installation

  • Install Hardhat

yarn add hardhat

  • Create Hardhat project

npx hardhat

Follow the prompts to create a JavaScript project. All we need for this tutorial is the Lock.sol file under contracts. When everything is set, it’s time to run the analysis.

  • In the terminal, move into the target folder. Inside it are several files and folders; we need smartcheck-2.1-SNAPSHOT-jar-with-dependencies.jar to make the invocation. Run the following command, specifying the path to the contract file.

For me, the path is: /home/bobelr/celosage/smart-contract-security-on-celo-with-smartcheck/hardhat/contracts/Lock.sol


java -jar smartcheck-2.1-SNAPSHOT-jar-with-dependencies.jar -p /home/bobelr/celosage/smart-contract-security-on-celo-with-smartcheck/hardhat/contracts/Lock.sol

After running the command, the analysis is performed and the following issues are reported.

Three issues were found.

All findings are warnings, marked 1 in the severity column.

  • Compiler version not fixed.

This is a warning about a floating pragma. A quick look at Lock.sol shows that no specific compiler version was pinned; the pragma allows a range of versions. It was marked severity 1.

  • Prefer external to public visibility level

External functions are often cheaper to call than their public counterparts, hence the warning. An external function can only be called from outside the contract, so use it whenever no internal caller needs the function.

  • Implicit visibility level

You should always explicitly specify the visibility of functions, state variables, and mappings rather than relying on the defaults.
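To make the three warnings concrete, here is an added example (my own code, not the tutorial’s Lock.sol) modelled on the Hardhat sample Lock contract and rewritten so that each warned pattern is replaced by its hardened form. The pinned compiler version 0.8.19 is an assumption; pin whichever version you actually compile and test with.

```solidity
// Added example, not from the tutorial: a Lock-style contract with the three
// SmartCheck warnings addressed. Each "Before:" comment shows the pattern
// that triggers the warning.

// 1. "Compiler version not fixed": pin an exact version instead of a range.
//    Before: pragma solidity ^0.8.9;
//    (0.8.19 is an assumed version; use the one you test against.)
pragma solidity 0.8.19;

contract LockHardened {
    // 3. "Implicit visibility level": every state variable gets an explicit
    //    visibility. Before: `uint unlockTime;` (silently internal).
    uint256 public unlockTime;
    address payable public owner;

    event Withdrawal(uint256 amount, uint256 when);

    // Constructors cannot be external; `payable` is the only modifier needed.
    constructor(uint256 _unlockTime) payable {
        require(block.timestamp < _unlockTime, "Unlock time should be in the future");
        unlockTime = _unlockTime;
        owner = payable(msg.sender);
    }

    // 2. "Prefer external to public visibility level": withdraw() is only
    //    ever called from outside the contract, so external is cheaper and
    //    narrower. Before: function withdraw() public { ... }
    function withdraw() external {
        require(secondsRemaining() == 0, "You can't withdraw yet");
        require(msg.sender == owner, "You aren't the owner");

        uint256 amount = address(this).balance;
        emit Withdrawal(amount, block.timestamp);
        owner.transfer(amount);
    }

    // Kept public on purpose: withdraw() calls it internally, and a public
    // function is the right choice whenever an internal caller exists.
    function secondsRemaining() public view returns (uint256) {
        if (block.timestamp >= unlockTime) {
            return 0;
        }
        return unlockTime - block.timestamp;
    }
}
```

Running SmartCheck against this file as described above should no longer report the floating-pragma, public-vs-external, or implicit-visibility warnings.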

SmartCheck, as its name implies, performs a thoughtful analysis, better than a few of the tools I previously discussed here and here.

Conclusion

So far, we have learned how to:

  • Install and set up SmartCheck.

  • Analyze smart contracts and catch vulnerabilities with it.

What next?

Analyze more Solidity code. Did you notice any change? Try to explore more vulnerabilities in the contract, and share them with us on Discord.

To learn how to deploy your dream project on the Celo blockchain, visit the Celo Academy.

About the Author

Isaac Jesse, aka Bobelr, is a smart contract/Web3 developer. He has been in the field since 2018 and has worked as an ambassador and content producer with several projects such as Algorand. He has also contributed to Web3 projects as a developer.


Approved for you to get started. You can manage the tutorial here by changing the category to Proposals > In Progress then Proposals > Review as you complete the tutorial. Thanks!


Hey @bobelr, why is this in the review tag?

Sorry, I guess I wrongly tagged it. I’m still trying to acclimatize to this environment. Besides, I’m going through a lot atm. I’ll fix it now


Not an issue, I would like to help you in the transition process if needed.

I just completed the tutorial now.


Tutorial completed!

PR Link: https://github.com/celo-org/docs/pull/1070

Hey @bobelr, I think you are not fully aware of the process. You have to copy-paste your markdown file here only; no need to create a PR and all. This is our new website, where we will be doing everything, so just copy-paste your markdown file, from the Introduction part of your article, and I will be reviewing it here only, and it will be published here only. I hope you understood what I am trying to convey here.

Oh now I get it. Thank you for passing this information to me. Been going through a lot these days.


Not an issue, and one more thing, no need to add the header image too @bobelr

I will be reviewing your article @bobelr

Ok good. Do I still need to send the markdown?


I deleted this and also updated the post. I hope you are able to see the changes, so this is how you know what steps to take care of while creating a new post @bobelr

No, you don’t have to

I am satisfied, moving this in publish section @bobelr


Actually, I don’t have much information regarding that. But I’ll definitely scrutinize the academy for it. I also want to make a request of you. Could you please direct me to any guide on how to make a new post? All of my requests that were previously accepted on Trello were moved to the academy, and by default they’re all in the Proposal → Request section. I haven’t received a vote on any of these requests. I am missing vital information regarding this.

Thank you again. So I’ll just go cancel the PR.


I will try to get that solved. I would suggest you ask your query in the Discord channel tagging Joe, and I will try to get it answered as soon as possible @bobelr

I’ll try that as well. Thank you.


You need to fix the Celo Docs link included. It’s broken.