TON Static Analyzer #436
Comments
The plan looks really awesome! I'm all in favor of this proposal. It would be great to integrate the analyzer with https://github.com/tact-lang/tact-vscode after it's functional.
This is a great idea. We would like to help you with the implementation, if there is a possibility, contact me at tg: @oocovo
This will work well in pair with #395
I want to apply to this grant, as I have extensive expertise in the Compilers and Static Program Analysis domain. I bring hands-on experience in creating security tools for other blockchain projects, understand the typical security vulnerabilities of smart contracts, and know the approaches to automatically detect bugs as well as their applicability and limitations. I can provide references and look forward to discussing the details privately with TON.
@byakuren-hijiri, thank you for your interesting bounty. We want to split the bounty into several milestones, and as a first step, develop an MVP and then add other needs. Let's start by forming a detailed list of rules that the analyzer will process.
Hey @delovoyhomie, Thank you for looking at this.
The idea is exactly this. The current grant application presents an MVP. Future grant applications will aim to improve its capabilities.
Context
A static analyzer is a program that reasons about another program's behavior without executing it. A simplified pipeline of a static analyzer includes the following steps:
The analyzer proposed in this grant application implements this pipeline with added usability enhancements for developers.
The additional steps highlighted in the grant application require developing a driver, the execution pipeline and a modular architecture to enable third-party developers to write their own analyses. All these steps are necessary to develop an MVP and cannot be omitted. After implementing these, we will have the core of the analyzer and will be able to extend its capabilities. Let's discuss further steps for its improvement.
Further plans
To make development more transparent and trackable, further improvements will be divided into several grant applications. This also allows us to collaborate with developers to receive feedback and focus on more important tasks when needed. Each of these milestones will either improve the tool's usability or add more security checks, making it more effective:
1. Address taint analysis problems
2. Address TON-specific problems
3. Address cross-contract interaction problems
4. Increase the overall number of lints
5. Improve the developer experience
6. Write educational content
That's essentially what this is about. Would be glad to answer any questions and explain the technical details further if needed.
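The pipeline and the modular "driver plus pluggable analyses" architecture described in the comment above, shown as an added TypeScript example. This is not Misti's code and not code from this thread: it defines a toy IR (constructed here; it is neither Tact's AST nor Misti's IR), a `Detector` interface that a third-party analysis would implement, a driver that runs every registered detector over every function, and two detectors, a forward taint analysis (the source, sanitizer and sink names `untrustedInput`, `validate` and `transfer` are assumptions) and a dead-store check. The sample program at the bottom is constructed for the example.

```typescript
// Toy IR, constructed for this example. It is not Tact's AST and not Misti's IR.
type Expr =
  | { kind: "var"; name: string }
  | { kind: "lit"; value: number }
  | { kind: "call"; callee: string; args: Expr[] };

type Stmt =
  | { kind: "assign"; target: string; value: Expr }   // target = value
  | { kind: "sink"; name: string; arg: Expr };        // privileged operation with one argument

interface Fn { name: string; body: Stmt[] }

interface Warning { detector: string; fn: string; index: number; message: string }

// Every analysis implements this interface; the driver knows nothing else about it.
interface Detector { name: string; check(fn: Fn): Warning[] }

type NameSet = { [name: string]: true };

// Driver: run each registered detector over each function and collect the warnings.
function runDetectors(fns: Fn[], detectors: Detector[]): Warning[] {
  const out: Warning[] = [];
  for (const fn of fns) {
    for (const d of detectors) out.push(...d.check(fn));
  }
  return out;
}

// --- Detector 1: forward taint analysis over straight-line code ---
// Assumed names: untrustedInput() yields attacker-controlled data and validate() is a
// sanitizer. Anything computed from a tainted value stays tainted unless it passes validate().
const TAINT_SOURCES: NameSet = { untrustedInput: true };
const SANITIZERS: NameSet = { validate: true };

function exprTainted(e: Expr, tainted: NameSet): boolean {
  if (e.kind === "var") return tainted[e.name] === true;
  if (e.kind === "lit") return false;
  if (TAINT_SOURCES[e.callee]) return true;
  if (SANITIZERS[e.callee]) return false;
  return e.args.some((a) => exprTainted(a, tainted));
}

const taintDetector: Detector = {
  name: "TaintedSink",
  check(fn: Fn): Warning[] {
    const tainted: NameSet = {};   // variables currently holding untrusted data
    const warnings: Warning[] = [];
    fn.body.forEach((s, i) => {
      if (s.kind === "assign") {
        // Strong update: reassigning a variable with a clean value clears its taint.
        if (exprTainted(s.value, tainted)) tainted[s.target] = true;
        else delete tainted[s.target];
      } else if (exprTainted(s.arg, tainted)) {
        warnings.push({ detector: "TaintedSink", fn: fn.name, index: i,
          message: `untrusted value reaches sink ${s.name}` });
      }
    });
    return warnings;
  },
};

// --- Detector 2: dead store (a variable assigned but never read anywhere in the function) ---
function collectReads(e: Expr, acc: NameSet): void {
  if (e.kind === "var") acc[e.name] = true;
  else if (e.kind === "call") e.args.forEach((a) => collectReads(a, acc));
}

const deadStoreDetector: Detector = {
  name: "DeadStore",
  check(fn: Fn): Warning[] {
    const reads: NameSet = {};
    for (const s of fn.body) collectReads(s.kind === "assign" ? s.value : s.arg, reads);
    const warnings: Warning[] = [];
    fn.body.forEach((s, i) => {
      if (s.kind === "assign" && !reads[s.target]) {
        warnings.push({ detector: "DeadStore", fn: fn.name, index: i,
          message: `${s.target} is assigned but never read` });
      }
    });
    return warnings;
  },
};

// Constructed sample program: untrusted input reaches the sink unsanitized at index 4,
// reaches it sanitized at index 3, and the variable at index 2 is never read.
const sample: Fn = {
  name: "handleMessage",
  body: [
    { kind: "assign", target: "amount", value: { kind: "call", callee: "untrustedInput", args: [] } },
    { kind: "assign", target: "safeAmount",
      value: { kind: "call", callee: "validate", args: [{ kind: "var", name: "amount" }] } },
    { kind: "assign", target: "unused", value: { kind: "lit", value: 0 } },
    { kind: "sink", name: "transfer", arg: { kind: "var", name: "safeAmount" } },
    { kind: "sink", name: "transfer",
      arg: { kind: "call", callee: "add", args: [{ kind: "var", name: "amount" }, { kind: "lit", value: 1 }] } },
  ],
};

function analyzeSample(): Warning[] {
  return runDetectors([sample], [taintDetector, deadStoreDetector]);
}

for (const w of analyzeSample()) {
  console.log(`[${w.detector}] ${w.fn}#${w.index}: ${w.message}`);
}
```

The driver is deliberately ignorant of what a detector does; adding a new lint means implementing `Detector` and registering it, which is the extension point the comment above describes. The taint detector is intentionally flow-sensitive but path-insensitive and handles straight-line code only; a real implementation needs a control-flow graph and a fixpoint over joins, which is the "taint analysis problems" milestone.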
@byakuren-hijiri for which language do you want to write an analyzer? Tact, FunC, or TVM bytecode?
The target language of this MVP is Tact, as this is the most straightforward way to get a working project as quickly as possible. Then, it will be extended to support FunC. This task is not complicated from a technical perspective but is time-consuming since it involves writing the FunC frontend and modifying the IR. TVM bytecode is out of scope for now. It might be useful for specific tasks like symbolic execution, but implementing this requires more effort due to the non-standard design of TVM. So, my position is that while it is an interesting target, it is not practical to start with it, as it will take more time at the beginning.
In terms of milestones, they might be organized as follows:
Each milestone is expected to take up to 3 weeks and requires 3000 USD in TON equivalent. As a result, the static analyzer described in this grant will be developed, presenting the fully-functional MVP.
I would like to refer to the latest grant application in #489, as it suggests a similar security tool but with a different approach.
The tool suggested in this grant is more lightweight, easy to use, and will be community-driven. The tool suggested in #489 provides more comprehensive analysis, which makes it a good candidate to find tricky errors, especially when integrated into CI/CD. Thus, as to which tool should be implemented: both of them, as they complement each other and will strengthen the ecosystem from a security perspective in different aspects. @korifey please let me know if you have any feedback on this, especially regarding certain aspects of the tool I mentioned. I am discussing the approach in general, based on my experience and the grant description, to clarify the difference to the TON grant team and suggest supporting both grants.
@byakuren-hijiri Thanks for a very detailed comparison. Both source-code and bytecode analyzers have their own niches. The same is true of the technology: dataflow-based and symbolic-execution-based tools.
I am on track according to the proposed roadmap, and the first milestone has been completed in two weeks as expected:
The project is now available at: https://github.com/nowarp/misti/. This version includes everything planned:
So, the infrastructure and driver are now ready, and I'm beginning to work on implementing the analyzer's main logic as outlined in the plan.
I'm currently finalizing the last two lints and polishing the final steps to improve everything before the release. Milestone 2 is fully covered:
Milestone 3 is partially covered:
Thus, it could be finished quite fast, but I would like to make it more generic and reusable from the first release, so I'm still working on it.
@delovoyhomie I have finished and published the first version of the static analyzer, which implements the functionality stated in this grant application.
The third milestone is finished and the lints are implemented. Here are the references to the documentation with motivation and examples and the corresponding implementation:
Key Contributions
Acknowledgments
My thanks to the following people who helped make this release possible:
Next steps
The next desired steps in the development include:
@byakuren-hijiri thank you for the contribution! To accurately recognize your valuable contributions in our repository, we kindly request you to submit a Pull Request to the Hall of Fame file, providing the wallet address and a link to the bounty with the number. Please follow these steps:
Summary
Develop a modular, extensible static analyzer to enhance the security and reliability of TON smart contracts.
Context
Static analyzers detect potential vulnerabilities in contracts without executing them.
A new tool offers:
From a business perspective, a static analyzer offers these benefits:
Milestones
References
Leading smart contract ecosystems provide security tooling for developers and auditors. An outstanding example is Ethereum's Slither, a community-driven tool known for its extensibility and open development model. It is highly customizable for auditors and keeps up with recent vulnerability disclosures, providing up-to-date lints for new findings. Inspired by such successful cases, the goal of this grant is to strengthen the TON ecosystem with a similar tool.
Estimate suggested reward
9000 USD in TON equivalent
Estimated time to finish: 8 weeks