{"id":13621193,"url":"https://github.com/eth-sri/securify2","last_synced_at":"2025-07-23T14:10:05.826Z","repository":{"id":37689204,"uuid":"235597819","full_name":"eth-sri/securify2","owner":"eth-sri","description":"Securify v2.0","archived":false,"fork":false,"pushed_at":"2025-05-25T17:35:38.000Z","size":886,"stargazers_count":606,"open_issues_count":36,"forks_count":140,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-05-25T18:41:32.940Z","etag":null,"topics":["datalog","ethereum","security","smart-contract","solidity","static-analysis","vulnerability"],"latest_commit_sha":null,"homepage":null,"language":"Solidity","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eth-sri.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-01-22T15:03:58.000Z","updated_at":"2025-05-25T17:35:43.000Z","dependencies_parsed_at":"2024-04-06T06:44:18.444Z","dependency_job_id":null,"html_url":"https://github.com/eth-sri/securify2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/eth-sri/securify2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eth-sri","download_url":"https
://codeload.github.com/eth-sri/securify2/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eth-sri%2Fsecurify2/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266691580,"owners_count":23969182,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["datalog","ethereum","security","smart-contract","solidity","static-analysis","vulnerability"],"created_at":"2024-08-01T21:01:03.499Z","updated_at":"2025-07-23T14:10:05.810Z","avatar_url":"https://github.com/eth-sri.png","language":"Solidity","readme":"![securify](/img/securify-v2-0.png)\n\nSecurify v2.0\n===\n\nSecurify 2.0 is a security scanner for Ethereum smart contracts supported by the\n[Ethereum\nFoundation](https://ethereum.github.io/blog/2018/08/17/ethereum-foundation-grants-update-wave-3/)\nand [ChainSecurity](https://chainsecurity.com). 
The core\n[research](https://files.sri.inf.ethz.ch/website/papers/ccs18-securify.pdf)\nbehind Securify was conducted at the [Secure, Reliable, and Intelligent Systems Lab](https://www.sri.inf.ethz.ch/) at ETH\nZurich.\n\nIt is the successor of the popular Securify security scanner (you can find the old version [here](https://github.com/eth-sri/securify)).\n\n\nFeatures\n===\n- Supports 37 vulnerabilities (see [table](#supported-vulnerabilities) below)\n- Implements novel context-sensitive static analysis written in Datalog\n- Analyzes contracts written in Solidity \u003e= 0.5.8\n\n\nDocker\n===\nTo build the container:\n```\nsudo docker build -t securify .\n```\nTo run the container:\n```\nsudo docker run -it -v \u003ccontract-dir-full-path\u003e:/share securify /share/\u003ccontract\u003e.sol\n```\nNote: to run the code via Docker with a Solidity version that is different from `0.5.12`, you will need to modify the variable `ARG SOLC=0.5.12` at the top of the `Dockerfile` to point to your version. After building with the correct version, you should not run into errors.\n\n\n\nInstall\n===\n\n## Prerequisites\nThe following instructions assume that Python is already installed. 
In addition to that, Securify requires `solc`, `souffle` and `graphviz` to be installed on the system:\n\n### [Solc](https://solidity.readthedocs.io/en/v0.5.10/installing-solidity.html) \n```\nsudo add-apt-repository ppa:ethereum/ethereum\nsudo apt-get update\nsudo apt-get install solc\n```\n\n### [Souffle](https://souffle-lang.github.io/install) \n\nFollow the instructions here: https://souffle-lang.github.io/download.html\n\n*Please do not opt for the unstable version since it might break at any point.*\n\n### [Graphviz / Dot](https://www.graphviz.org/download/)\n```\nsudo apt install graphviz\n```\n\n## Setting up the virtual environment\n\nAfter the prerequisites have been installed, we can set up the python virtual environment from which we will run the scripts in this project. \n\nIn the project's root folder, execute the following commands to set up and activate the virtual environment:\n\n```\nvirtualenv --python=/usr/bin/python3.7 venv\nsource venv/bin/activate\n```\n\nVerify that the `python` version is actually `3.7`:\n\n```\npython --version\n```\n\nSet `LD_LIBRARY_PATH`:\n```\ncd \u003csecurify_root\u003e/securify/staticanalysis/libfunctors\nexport LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`\n```\n\nFinally, install the project's dependencies by running the following commands from the `\u003csecurify_root\u003e` folder:\n```\npip install --upgrade pip\npip install -r requirements.txt\npip install -e .\n```\n\nNow you're ready to start using the securify framework.\n\nRemember: Before executing the framework's scripts, you'll need to activate the virtual environment with the following command:\n```\nsource venv/bin/activate\n```\n\nUsage\n===\n\n## Analyzing a contract\nCurrently Securify2 supports only flat contracts, i.e., contracts that do not contain import statements.\n\nTo analyze a local contract simply run:\n```\nsecurify \u003ccontract_source\u003e.sol [--use-patterns Pattern1 Pattern2 ...]\n```\nOr download it from the Blockchain using the 
Etherscan.io API:\n```\nsecurify \u003ccontract_address\u003e --from-blockchain [--key \u003ckey-file\u003e]\n```\n*Notice that you need an API-key from Etherscan.io to use this functionality.*\n\nTo analyze a contract against specific severity levels run:\n```\nsecurify \u003ccontract_source\u003e.sol [--include-severity Severity1 Severity2]\nsecurify \u003ccontract_source\u003e.sol [--exclude-severity Severity1 Severity2]\n```\nTo get all the available patterns run:\n```\nsecurify --list\n```\n\nSupported vulnerabilities\n===\n\n\n| ID | Pattern name | Severity | Slither ID | SWC ID | Comments |\n|----|-------------| ---------|------------|--------|----------|\n| 1 | TODAmount | Critical | - | [SWC-114](https://swcregistry.io/docs/SWC-114) |\n| 2 | TODReceiver| Critical | - | [SWC-114](https://swcregistry.io/docs/SWC-114)|\n| 3 | TODTransfer | Critical | - | [SWC-114](https://swcregistry.io/docs/SWC-114) |\n| 4 | UnrestrictedWrite | Critical | - | [SWC-124](https://swcregistry.io/docs/SWC-124) | \n| 5 | RightToLeftOverride | High | `rtlo`| [SWC-130](https://swcregistry.io/docs/SWC-130) |\n| 6 | ShadowedStateVariable | High | `shadowing-state`, `shadowing-abstract` | [SWC-119](https://swcregistry.io/docs/SWC-119) | \n| 7 | UnrestrictedSelfdestruct | High | `suicidal` | [SWC-106](https://swcregistry.io/docs/SWC-106) |\n| 8 | UninitializedStateVariable | High | `uninitialized-state`| [SWC-109](https://swcregistry.io/docs/SWC-109) |\n| 9 | UninitializedStorage | High | `uninitialized-storage`| [SWC-109](https://swcregistry.io/docs/SWC-109) |\n| 10 | UnrestrictedDelegateCall | High | `controlled-delegatecall`| [SWC-112](https://swcregistry.io/docs/SWC-112) |\n| 11 | DAO | High | `reentrancy-eth` | [SWC-107](https://swcregistry.io/docs/SWC-107) |\n| 12 | ERC20Interface | Medium | `erc20-interface` | - |\n| 13 | ERC721Interface | Medium | `erc721-interface` | - |\n| 14 | IncorrectEquality | Medium | `incorrect-equality`| [SWC-132](https://swcregistry.io/docs/SWC-132) 
|\n| 15 | LockedEther | Medium | `locked-ether` | - |\n| 16 | ReentrancyNoETH | Medium | `reentrancy-no-eth` | [SWC-107](https://swcregistry.io/docs/SWC-107) |\n| 17 | TxOrigin | Medium |`tx-origin` | [SWC-115](https://swcregistry.io/docs/SWC-115) |\n| 18 | UnhandledException | Medium | `unchecked-lowlevel` | - |\n| 19 | UnrestrictedEtherFlow | Medium | `unchecked-send` |[SWC-105](https://swcregistry.io/docs/SWC-105) |\n| 20 | UninitializedLocal | Medium | `uninitialized-local` | [SWC-109](https://swcregistry.io/docs/SWC-109) |\n| 21 | UnusedReturn | Medium | `unused-return` | [SWC-104](https://swcregistry.io/docs/SWC-104) |\n| 22 | ShadowedBuiltin | Low | `shadowing-builtin` | - |\n| 23 | ShadowedLocalVariable | Low | `shadowing-local` | - |\n| 24 | CallToDefaultConstructor?| Low | `void-cst` | - |\n| 25 | CallInLoop | Low | `calls-loop` | [SWC-104](https://swcregistry.io/docs/SWC-104) |\n| 26 | ReentrancyBenign | Low | `reentrancy-benign` | [SWC-107](https://swcregistry.io/docs/SWC-107) |\n| 27 | Timestamp | Low | `timestamp` | [SWC-116](https://swcregistry.io/docs/SWC-116) |\n| 28 | AssemblyUsage | Info | `assembly` | - |\n| 29 | ERC20Indexed | Info | `erc20-indexed` | - |\n| 30 | LowLevelCalls | Info | `low-level-calls` | - |\n| 31 | NamingConvention | Info | `naming-convention` | - |\n| 32 | SolcVersion | Info | `solc-version` | [SWC-103](https://swcregistry.io/docs/SWC-103) |\n| 33 | UnusedStateVariable | Info | `unused-state` | - |\n| 34 | TooManyDigits | Info | `too-many-digits` | - |\n| 35 | ConstableStates | Info | `constable-states` | - |\n| 36 | ExternalFunctions | Info | `external-function` | - | \n| 37 | StateVariablesDefaultVisibility | Info | - | [SWC-108](https://swcregistry.io/docs/SWC-108) |\n\nThe following Slither patterns are not checked by Securify since they are checked by the Solidity compiler (ver. 
0.5.8):\n- `constant-function`\n- `deprecated-standards`\n- `pragma`\n\nThe following SWC vulnerabilities do not apply to Solidity contracts with pragma \u003e=5.8 and are therefore not checked by Securify:\n\n- SWC-118 (Incorrect Constructor Name)\n- SWC-129 (Usage of +=)\n\n\nAcknowledgments\n===\nThe following people have contributed to Securify v2.0:\n\n- Ioannis Sachinoglou\n- Lavrentios Frobeen\n- Frederic Vogel\n- Dimitar Dimitrov\n- Petar Tsankov\n","funding_links":[],"categories":["Tools","Solidity","📖 Contents","\u003ca name=\"tools\"\u003e\u003c/a\u003e Tools","Code Analyzers"],"sub_categories":["Static Analyzers","Security Analysis Tools for SC","\u003ca name=\"sast\"\u003e SAST/DAST/Unity Test Analysis","Programming Languages that Compile zk-SNARK Circuits and Proofs"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth-sri%2Fsecurify2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feth-sri%2Fsecurify2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feth-sri%2Fsecurify2/lists"}