One of the tools that helps us most in our audits is our own SmartCheck. It has been available online, free of charge, for a long time. The good news is that it is now also open source (GNU General Public License v3.0)!

What SmartCheck is

SmartCheck is a static security analyzer for smart contract source code. It checks Solidity and Vyper code for vulnerabilities and bad practices. We use it in our own audits and development and recommend it to our clients, because it detects many widespread flaws and raises overall code quality. Like any rule-based static analyzer, it reports suspicious code constructions rather than proven exploits, so its findings still need review by a person who understands the contract. We also use other security tools alongside it, because each tool catches things the others miss.

We started building SmartCheck in spring 2017, when it was one of the first security tools for Solidity. We recently added Vyper support, so SmartCheck is now the first and only security tool that works directly with Vyper source code (EVM bytecode analyzers aside).

Changes

In the latest version of SmartCheck, the following upgrades were implemented:

Vyper support added

new Solidity grammar used

new vulnerability search rules added

old rules improved

analysis engine upgraded

Why open source

Why would users need the SmartCheck source code when the tool is already available online? Because now they are able to:

run the tool on premises and get results faster

get results in .xml format

get results without uploading their code anywhere

embed SmartCheck into their SDLC/platform/tool

see the vulnerability search rules and suggest improvements

deactivate particular rules that they don’t need for their purpose

see the analysis engine

create their own rules

The last point is particularly important. Rules can search for any code construction, not only security flaws but also violations of an internal style guide, use of a specific library function, and so on.

Feedback

It would be great to get feedback from the community, so please use it, comment, and contribute: