crytic/caracal crytic/caracal

  • Stars
    star
    130
  • Rank 277,575 (Top 6 %)
  • Language Cairo
  • License
    GNU Affero Genera...
  • Created almost 2 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
crytic/caracal
github

crytic

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Static Analyzer for Starknet smart contracts

Caracal

Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.

Features

  • Detectors to detect vulnerable Cairo code
  • Printers to report information
  • Taint analysis
  • Data flow analysis framework
  • Easy to run in Scarb projects

Installation

Precompiled binaries

Precompiled binaries are available on our releases page. If you are using Cairo compiler 1.x.x uses the binary v0.1.x otherwise if you are using the Cairo compiler 2.x.x uses v0.2.x.

Building from source

You need the Rust compiler and Cargo. Building from git:

cargo install --git https://github.com/crytic/caracal --profile release --force

Building from a local copy:

git clone https://github.com/crytic/caracal
cd caracal
cargo install --path . --profile release --force

Usage

List detectors:

caracal detectors

List printers:

caracal printers

Standalone

To use with a standalone cairo file and you have a local cairo compiler binary it's enough to point it to the file. Otherwise otherwise a bundled compiler is used and you need to pass the path to the corelib library either with the --corelib cli option or by setting the CORELIB_PATH environment variable.
Run detectors:

caracal detect path/file/to/analyze
caracal detect path/file/to/analyze --corelib path/to/corelib/src

Run printers:

caracal print path/file/to/analyze --printer printer_to_use --corelib path/to/corelib/src

Cairo project

If you have a cairo project with multiple files and contracts you may need to specify which contracts with --contract-path. The local cairo compiler binary is used if available otherwise a bundled compiler is used. In the latter case you also need to specify the corelib as explained above for the standalone case. The path is the directory where cairo_project.toml resides.
Run detectors:

caracal detect path/to/dir
caracal detect path/to/dir --contract-path token::myerc20::... token::myerc721::...

Run printers:

caracal print path/to/dir --printer printer_to_use

Scarb

If you have a project that uses Scarb you need to add the following in Scarb.toml:

[[target.starknet-contract]]
sierra = true

[cairo]
sierra-replace-ids = true

Then pass the path to the directory where Scarb.toml resides. Run detectors:

caracal detect path/to/dir

Run printers:

caracal print path/to/dir --printer printer_to_use

Detectors

Num Detector What it Detects Impact Confidence Cairo
1 controlled-library-call Library calls with a user controlled class hash High Medium 1 & 2
2 unchecked-l1-handler-from Detect L1 handlers without from address check High Medium 1 & 2
3 felt252-unsafe-arithmetic Detect user controlled operations with felt252 type, which is not overflow/underflow safe Medium Medium 1 & 2
4 reentrancy Detect when a storage variable is read before an external call and written after Medium Medium 1 & 2
5 read-only-reentrancy Detect when a view function read a storage variable written after an external call Medium Medium 1 & 2
6 unused-events Events defined but not emitted Medium Medium 1 & 2
7 unused-return Unused return values Medium Medium 1 & 2
8 unenforced-view Function has view decorator but modifies state Medium Medium 1
9 tx-origin Detect usage of the transaction origin address as access control Medium Medium 2
10 unused-arguments Unused arguments Low Medium 1 & 2
11 reentrancy-benign Detect when a storage variable is written after an external call but not read before Low Medium 1 & 2
12 reentrancy-events Detect when an event is emitted after an external call leading to out-of-order events Low Medium 1 & 2
13 dead-code Private functions never used Low Medium 1 & 2
14 use-after-pop-front Detect use of an array or a span after removing element(s) Low Medium 1 & 2

The Cairo column represent the compiler version(s) for which the detector is valid.

Printers

  • cfg: Export the CFG of each function to a .dot file
  • callgraph: Export function call graph to a .dot file

How to contribute

Check the wiki on the following topics:

Limitations

  • Inlined functions are not handled correctly.
  • Since it's working over the SIERRA representation it's not possible to report where an error is in the source code but we can only report SIERRA instructions/what's available in a SIERRA program.

More Repositories

1

slither

Static Analyzer for Solidity and Vyper
Python
5,270
star
2

echidna

Ethereum smart contract fuzzer
Haskell
2,714
star
3

building-secure-contracts

Guidelines and training material to write secure smart contracts
Solidity
2,208
star
4

not-so-smart-contracts

Examples of Solidity security issues
Solidity
2,150
star
5

awesome-ethereum-security

A curated list of awesome Ethereum security references
1,318
star
6

evm-opcodes

Ethereum opcodes and instruction reference
1,300
star
7

ethersplay

EVM dissassembler
Python
836
star
8

solc-select

Manage and switch between Solidity compiler versions
Python
747
star
9

blockchain-security-contacts

Directory of security contacts for blockchain companies
400
star
10

pyevmasm

Ethereum Virtual Machine (EVM) disassembler and assembler
Python
353
star
11

rattle

evm binary static analysis
Python
349
star
12

etheno

Simplify Ethereum security analysis and testing
Python
330
star
13

ida-evm

IDA Processor Module for the Ethereum Virtual Machine (EVM)
Python
307
star
14

medusa

Parallelized, coverage-guided, mutational Solidity smart contract fuzzing, powered by go-ethereum
Go
292
star
15

properties

Pre-built security properties for common Ethereum operations
Solidity
281
star
16

crytic-compile

Abstraction layer for smart contract build systems
Python
150
star
17

amarna

Amarna is a static-analyzer and linter for the Cairo programming language.
Python
148
star
18

slither-action

Shell
128
star
19

evm_cfg_builder

EVM CFG recovery
Python
118
star
20

echidna-streaming-series

A 6-part series on how to use Echidna on real-world codebases
Solidity
97
star
21

optik

Optik is a set of symbolic execution tools that assist smart-contract fuzzers
Python
89
star
22

fuzz-utils

A tool to automatically generate Foundry unit test cases from Echidna and Medusa failed properties
Solidity
89
star
23

roundme

Rust
86
star
24

tayt

StarkNet smart contract fuzzer
Python
75
star
25

diffusc

Experimental tool to ease the review of smart contracts upgrades
Solidity
74
star
26

tealer

Static Analyzer for Teal
Python
61
star
27

echidna-action

GitHub Action to run Echidna, the Ethereum smart contract fuzzer
Shell
59
star
28

attacknet

Tool and testing methodology for subjecting blockchain devnets to simulated network and side channel attacks
Go
54
star
29

fluxture

A crawling framework for blockchains and peer-to-peer systems
Python
46
star
30

secureum-medusa

Solidity
43
star
31

echidna-spearbit-demo

Example code for testing using Echidna explained during the Spearbit presentation
Solidity
39
star
32

slither-docs-action

Write documentation for your code in pull requests using Slither and OpenAI.
TypeScript
36
star
33

solana-lints

Lints based on the Sealevel Attacks
Rust
30
star
34

contract-explorer

Visual Studio Code integration for Slither, a Solidity static analysis framework
TypeScript
30
star
35

echidna-parade

Python
28
star
36

trailofbits-security

The Trail of Bits Truffle Security Toolbox
JavaScript
24
star
37

whipstaff

A specification of the CBC Casper consensus protocols written in TLA+ and PlusCal (transpiled to TLA+)
TLA
20
star
38

cloudexec

A general purpose foundation for cloud-based fuzzing and mutation testing jobs
Go
17
star
39

damn-vulnerable-defi-echidna

Solidity
12
star
40

slither-docs-demo

A demo on how to use the slither-docs actions (https://github.com/crytic/slither-docs-action)
Solidity
11
star
41

medusa-geth

A go-ethereum fork enabling additional testing capabilities for medusa
10
star
42

amarna-action

Github action for the Amarna static analyzer
Shell
9
star
43

slightly-smarter-contracts

Python
7
star
44

vscode-starknet-explorer

StarkNet support extension for VSCode. Visualize StarkNet contracts: view storage variables, external and view functions, and events.
TypeScript
6
star
45

solc

4
star
46

fuzz-vs-fv

TypeScript
4
star
47

embark-contract-info

embark-contract-info
JavaScript
3
star
48

addressarrayutils_demo

Demonstration for using echidna to test a Solidity library
Solidity
2
star
49

remix-plugin-8000

JavaScript
2
star
50

ethdam

2
star
51

slither-workshop

Slither workshop (secureum)
Python
1
star
52

slither-lsp

Python
1
star