The linting solutions available for detecting code vulnerabilities of the Solidity programming language — underlying smart contracts in Ethereum — mostly focus on the code compliance with the best linting practices. This blog post overviews a comprehensive Solhint linter that allows for detecting syntax-related security code vulnerabilities. Covering a wide range of validation rules, the tool also enables developers to add new ones, while complying with the Solidity style guide and granting 2x–4x boost in performance.

Security issues with smart contracts

Solidity is a high-level programming language the Ethereum smart contracts are written in. The language is designed to create contracts for multi-signature wallets, voting, crowdfunding, blind auctions, etc.

As the Ethereum’s system of smart contracts is still evolving, the security issue is a top priority. The recently reported Parity Multi-Sig Wallet Attack and Reentrance Attack indicate the need to enhance protection.

Using automatic syntax checks makes it possible to detect code vulnerabilities and prevent attacks. However, it is important to ensure that your code complies with the Solidity style guide, is readable, and can be easily maintained.

For checking security rules, you can use the solcheck linter, while Solium can assist you in verifying compliance with the style guide. However, the sets of rules offered by these tools are not comprehensive enough to guarantee that a code is safe and of proper quality.

Being in the need of a tool that will provide a complete and up-to-date set of rules for checking security, as well as validating compliance with the style guide and usage of best practices. So, we set out to work on it.

The new advanced linter

A month of development resulted in the Solhint solution — a library and a command line tool for static analysis of the Solidity code. Unlike alternatives that mostly focus on checking if the Solidity code complies with the best coding practices, the delivered linter allows for detecting syntax-related security vulnerabilities, supports a wide range of rules, as well as enables to add new ones if necessary.

Solhint uses an antlr4-based implementation of the Solidity parser that enables efficient parsing and validation performance. In comparison to other linting solutions, we have achieved a 2x–4x performance boost while linting the source code.

In addition, the tool features flexible configuration options:

Using a preconfigured set of rules

Customizing default rule sets with the .solhint.json file

file Managing the configuration rules at the code level, using special comments (e.g., “solhint-disable-line”)

How it works

First, we need to install the tool. To do that, run the command below.

npm install -g solhint solhint -h

This will return the following output.

Usage: solhint [options] <file> […other_files] Linter for Solidity programming language Options: -V, — version output the version number

-f, — formatter [name] report formatter name

-h, — help output usage information Commands: stdin [options] put source code to stdin of this utility

init-config create sample solhint config in current folder

The tool has three major commands:

By default, it receives a list of the file patterns (**/*.sol, *.sol) and runs an analysis. It is possible to provide a validating source code to STDIN of this application with the stdin command. The init-config command allows to create a basic configuration file that can be customized if needed.

Now, let’s try to lint some code with the following command:

>solhint **/*.sol

For instance, we want to change the first notification (highlighted in red) from “error” to “warning.” To do that, we need to create a configuration file and change the “compiler-fixed” option to “warn.”

To create a configuration file, run the following command.

> solhint init-config

Your current directory will display the .solhint.json file. You can modify it as shown below:

{ “extends”: “default”, “rules”: { “compiler-fixed”: “warn” } }

Next time you run the solhint validation, you will get the following output:

If you need to disable the validation for an error line, you should add the “solhint-disable-line” comment in this line. After that, you will see:

test.sol for (uint i = 0; i<bresult.length; i++) { // solhint-disable-line

Finally, we have provided integration with such text editors as Sublime Text and Atom. The delivered plugins enable developers to automatically analyze source code and highlight the elements with errors.

Furthermore, one can now see the error description on hovering the highlighted element with a mouse.

Complying with the Solidity style guide, the Solhint linter enables developers to detect security vulnerabilities of the Solidity code across multiple validation rules and expanding the list of them if required, while enjoying a 2x–4x performance boost in comparison to alternative solutions.