[STABLE-7559]: Migrate from Slither to Mythril for static analysis (circlefin#47)

tongshi · web-flow · commit 2ae9be392547 · 2024-11-21T13:14:08.000-08:00
### Summary Migrate from Slither to Mythril for static analysis ### Detail - update Makefile command and update CI - remove Slither relevant configs and add Mythril config - update Readme -- *story*: https://circlepay.atlassian.net/browse/STABLE-7559
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.10' 
+          python-version: '3.10'
 
       - name: Install Node
         uses: actions/setup-node@v4
@@ -38,10 +38,53 @@ jobs:
       - name: Run v2 Integration Tests
         run: make anvil-test-v2
 
-      - name: Run Slither
-        uses: crytic/slither-action@v0.3.0
+  analyze-message-transmitter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
         with:
-          fail-on: none
+          python-version: '3.10'
+
+      - name: Run Static Analysis on Message Transmitter
+        run: make analyze-message-transmitter
+
+  analyze-message-transmitter-v2:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Run Static Analysis on Message Transmitter V2
+        run: make analyze-message-transmitter-v2
+
+  analyze-token-messenger-minter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Run Static Analysis on Token Messenger Minter
+        run: make analyze-token-messenger-minter
 
   scan:
     needs: lint-and-test
diff --git a/Makefile b/Makefile
@@ -53,7 +53,7 @@ deploy-address-utils-external:
 
 anvil:
 	docker rm -f anvil || true
-	@${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"	
+	@${ANVIL} "anvil --host 0.0.0.0 -a 13 --code-size-limit 250000"
 
 anvil-test: anvil
 	pip3 install -r requirements.txt
@@ -71,10 +71,21 @@ cast-call:
 
 cast-send:
 	@docker exec anvil cast send ${contract_address} "${function}" --rpc-url http://localhost:8545 --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
-	
+
 clean:
 	@${FOUNDRY} "forge clean"
 
-analyze:
-	pip3 install -r requirements.txt
-	slither .
+analyze-message-transmitter:
+	pip3 install mythril==0.24.8
+	myth -v4 analyze src/MessageTransmitter.sol --solc-json mythril.config.json --solv 0.7.6
+
+analyze-message-transmitter-v2:
+	pip3 install mythril==0.24.8
+	myth -v4 analyze src/v2/MessageTransmitterV2.sol --solc-json mythril.config.json --solv 0.7.6
+
+analyze-token-messenger-minter:
+	pip3 install mythril==0.24.8
+	myth -v4 analyze src/TokenMessenger.sol --solc-json mythril.config.json --solv 0.7.6
+	myth -v4 analyze src/TokenMinter.sol --solc-json mythril.config.json --solv 0.7.6
+	myth -v4 analyze src/v2/TokenMessengerV2.sol --solc-json mythril.config.json --solv 0.7.6
+	myth -v4 analyze src/v2/TokenMinterV2.sol --solc-json mythril.config.json --solv 0.7.6
diff --git a/README.md b/README.md
@@ -47,7 +47,7 @@ Run `yarn lint` to lint all `.sol` files in the `src` and `test` directories.
 
 ### Static analysis
 
-Run `make analyze` to set up Python dependencies from `requirements.txt` and run Slither on all source files, requiring the foundry cli to be installed locally. If all dependencies have been installed, alternatively run `slither .` to run static analysis on all `.sol` files in the `src` directory.
+Run `make analyze-{message-transmitter | message-transmitter-v2 | token-messenger-minter}` to set up Mythril dependency and run Mythril on all source files. If Mythril dependency has been installed, alternatively run `myth -v4 analyze $FILE_PATH --solc-json mythril.config.json --solv 0.7.6` to run static analysis on a `.sol` file at the given `$FILE_PATH`. Please note that this can take several minutes.
 
 ### Continuous Integration using Github Actions
 
diff --git a/mythril.config.json b/mythril.config.json
@@ -0,0 +1,8 @@
+{
+  "remappings": [
+    "@memview-sol/=lib/memview-sol/",
+    "@openzeppelin/=lib/openzeppelin-contracts/",
+    "ds-test/=lib/ds-test/src/",
+    "forge-std/=lib/forge-std/src/"
+  ]
+}
diff --git a/requirements.txt b/requirements.txt
@@ -34,7 +34,6 @@ requests==2.28.1
 rlp==2.0.1
 semantic-version==2.10.0
 six==1.16.0
-slither-analyzer==0.8.3
 toolz==0.12.0
 urllib3==1.26.11
 varint==1.0.2
diff --git a/slither.config.json b/slither.config.json
