{"id":13742197,"url":"https://github.com/eth-sri/securify","last_synced_at":"2025-07-23T14:10:16.322Z","repository":{"id":72961620,"uuid":"148622491","full_name":"eth-sri/securify","owner":"eth-sri","description":"[DEPRECATED] Security Scanner for Ethereum Smart Contracts","archived":false,"fork":false,"pushed_at":"2020-01-23T17:02:22.000Z","size":1072,"stargazers_count":221,"open_issues_count":18,"forks_count":50,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-05-08T23:35:59.787Z","etag":null,"topics":["chainsecurity","datalog","depricated","ethereum","evm","obsolete","security","smart-contract","solidity","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eth-sri.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS"}},"created_at":"2018-09-13T10:33:15.000Z","updated_at":"2025-03-27T09:45:49.000Z","dependencies_parsed_at":"2024-01-13T10:11:58.019Z","dependency_job_id":"aaf131be-672e-4a0a-97fd-51661d3e0a85","html_url":"https://github.com/eth-sri/securify","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/eth-sri/securify","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify/manif
ests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eth-sri","download_url":"https://codeload.github.com/eth-sri/securify/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266691581,"owners_count":23969182,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chainsecurity","datalog","depricated","ethereum","evm","obsolete","security","smart-contract","solidity","static-analysis"],"created_at":"2024-08-03T05:00:19.538Z","updated_at":"2025-07-23T14:10:16.265Z","avatar_url":"https://github.com/eth-sri.png","language":"Java","funding_links":[],"categories":["Tools"],"sub_categories":["Bug finding tools"],"readme":"# [DEPRECATED] Securify\n\nThis version of Securify is deprecated and will no longer be supported. Please use [Securify v2.0](https://github.com/eth-sri/securify2).\n\n\n![securify](/img/foundation_securify.png)\n\nSecurify is a security scanner for Ethereum smart contracts supported by the\n[Ethereum\nFoundation](https://ethereum.github.io/blog/2018/08/17/ethereum-foundation-grants-update-wave-3/)\nand [ChainSecurity](https://chainsecurity.com). 
The core\n[research](https://files.sri.inf.ethz.ch/website/papers/ccs18-securify.pdf)\nbehind Securify was conducted at the [ICE Center](http://ice.ethz.ch) at ETH\nZurich.\n\n\n[![scan now](/img/scan.png)](https://securify.chainsecurity.com/)\n\n\nIt features an extensive list of security patterns commonly found in smart\ncontracts:\n\n* some forms of the DAO bug (also known as reentrancy)\n* locked ether\n* missing input validation\n* transaction ordering-dependent amount, receiver and transfer\n* unhandled exceptions\n* unrestricted ether flow\n\n\nThe project is meant to be an open platform welcoming contributions from all of the\nEthereum Security Community. To suggest new patterns, to volunteer for testing or to\ncontribute developing new patterns please get in touch through our\n[Discord](https://discord.gg/nN77ckb) group.\n\n## Getting Started\n### Requirements\n\n* Soufflé: https://github.com/souffle-lang/souffle/releases (Securify should work with\n  the latest package, please raise an issue if it does not). If you cannot\n  install Soufflé, look at the Docker container for an alternative. Securify\n  will crash without the `souffle` binary.\n  As of writing, Soufflé is not available on Windows, so Securify should not be\n  expected to run on Windows either.\n* Java 8\n* A `solc` binary is required to be able to use Solidity file as input.\n  Securify assumes that the right version is installed for the given file.\n  `solc` is available [here](https://github.com/ethereum/solidity/releases).\n\n### Use\n\nTo build:\n```sh\n./gradlew jar\n```\n\nTo run Securify on a Solidity file:\n```sh\njava -jar build/libs/securify.jar -fs src/test/resources/solidity/transaction-reordering.sol\n```\n\nTo run Securify on the decompilation output provided by the [pysolc.py\nscript](scripts/pysolc.py) (which requires py-solc):\n```sh\njava -jar build/libs/securify.jar -co out.json\n```\n\nTo run Securify on some EVM binary (produced e.g. 
by `solc`):\n```sh\njava -jar build/libs/securify.jar -fh src/test/resources/solidity/transaction-reordering.bin.hex\n```\n\nTo see the full list of options:\n```sh\njava -jar build/libs/securify.jar -h\n```\n\nTo run the tests (which use JUnit4):\n```sh\n./gradlew test\n```\n\nA Python wrapper helps to deal with `solc` and `truffle`. The requirements are\nin the [requirements.txt](requirements.txt) file. The Dockerfile can be used as\na reference to set up your local environment to use this wrapper.\n\n### Docker\n\nThe installation should be simple enough on Debian derivatives, or any other\nplatform supported by Soufflé.\n\nFor a quick demonstration which does not require Soufflé, you can use Docker.\n\nBuild the Docker image:\n```sh\ndocker build . -t securify\n```\n\nRun Securify on a small example:\n```sh\ndocker run securify\n```\n\nYou can change the files analyzed by specifying a volume to mount, and every\n`*.sol` file contained will then be processed by Securify:\n```sh\ndocker run -v $(pwd)/folder_with_solidity_files:/project securify\n```\n\nAdding a `--truffle` flag should allow Securify to run over a Truffle project in\nwhich dependencies have already been installed (so run `npm install` before if\nneed be). Without this flag, the project is compiled using `solc`. Add a `-h`\nto obtain the full list of options. In particular, if the user wants to receive\ncompilation information from Truffle, they should add the `-v` flag.\n\nIf one wants to receive JSON output, the Docker image supports a `--json` flag that\nwill suppress the pretty output and return JSON instead. Make sure to add the\n`-q` flag if no progress information should be displayed, hence resulting in\npure JSON output. The indices of the lines matched are 0-based, meaning that\na match to line `i` means that the `i+1`th line is matched. 
In particular, the\nfirst line has an index of 0.\n\n\n### Tests\n\nBasic end-to-end tests can be run through the [test.py](test.py) file:\n```sh\npython3 test.py\n```\n\nThe requirements can be installed using Pipenv:\n```sh\npipenv install\n```\n\nor using `pip`:\n```sh\npip install -r requirements.txt\n```\n\nThese tests compare the current JSON output given by Securify with some past\noutput, and report differences between the two.\n\n### Travis Integration\n\nYou can add the following `.travis.yml` to your project to run Securify on new\ncommits:\n```\nservices:\n  - docker\n\nbefore_install:\n  - docker pull chainsecurity/securify\n\nscript:\n  - docker run -v $(pwd):/project chainsecurity/securify\n```\n\nThis should allow Securify to run over a Truffle project in which dependencies\nhave already been installed (so run `npm install` before if need be).\n\n### Output\n\nThe output loosely follows the clang style. Only warnings and vulnerabilities\nare reported. If one wishes to also get the compliance information, please use\nthe `--json` flag in the Docker image, or the `-co` flag on the Java executable to get\nall analysis information in JSON format.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\nJoin our [Discord](https://discord.gg/nN77ckb) to discuss with other users.\n\n## Known Limitations\n\nAlthough Securify is regularly used to help audits at ChainSecurity, there are\nstill bugs, including:\n* the code in the fallback function is currently not analyzed. A workaround is\n  to name this function instead.\n* in some cases, a StackOverflowError exception is thrown, due to\n  `computeBranches` being recursive. In most cases,\n  it is enough to increase the stack size using the `-Xss` option of `java`,\n  e.g. 
`java -Xss1G -jar ...`.\n* libraries are not properly supported\n* abstract contracts (whose binary cannot be obtained via `solc`) are not\n  supported\n\n## Presentations, research, and blogs about Securify\n\n* [Securify research paper](https://files.sri.inf.ethz.ch/website/papers/ccs18-securify.pdf) presented at [ACM CCS'18](https://www.sigsac.org/ccs/CCS2018/) in Toronto, Canada\n* [Summary of the Securify research paper in The Morning Paper](https://blog.acolyer.org/2018/12/03/securify-practical-security-analysis-of-smart-contracts/)\n* [TechCrunch: This smart contract scanner will ensure your token is tip-top](https://techcrunch.com/2018/07/02/this-smart-contract-scanner-will-ensure-your-token-is-tip-top/)\n* [Talk at EPFL in Lausanne](https://www.youtube.com/watch?v=YNbj_JElzuc)\n* [Talk at Devcon3 in Cancún](https://www.youtube.com/watch?v=ewOEEpJs-pg)\n* [Talk at d10e in Davos](https://www.youtube.com/watch?v=FO2E8x1yptg)\n* [Researchers from ETH Zürich release a free state-of-the-art security scanner for Ethereum smart contracts](https://medium.com/chainsecurity/researchers-release-a-free-state-of-the-art-security-scanner-for-ethereum-smart-contracts-b58b57ce0e38)\n* [Automated security analysis of Ethereum smart contracts](https://medium.com/chainsecurity/researchers-release-a-free-state-of-the-art-security-scanner-for-ethereum-smart-contracts-b58b57ce0e38)\n* [Automatically detecting the bug that froze Parity's wallets](https://medium.com/chainsecurity/automatically-detecting-the-bug-that-froze-parity-wallets-ad2bebebd3b0)\n\n## Technical details\n\nSecurify statically analyzes the EVM code of the smart contract to infer\nimportant semantic information (including control-flow and data-flow facts)\nabout the contract. This step is fully automated using\n[Soufflé](https://souffle-lang.github.io/), a scalable Datalog solver. 
Then,\nSecurify checks the inferred facts to discover security violations or prove the\ncompliance of security-relevant instructions.\n\nThe full technical details behind the Securify scanner are available in the\n[research\npaper](https://files.sri.inf.ethz.ch/website/papers/ccs18-securify.pdf).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth-sri%2Fsecurify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feth-sri%2Fsecurify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth-sri%2Fsecurify/lists"}