Last updated: January 14, 2026

Solidity Guide

Optimize your Solidity smart contract security scanning.

Overview

Solidity is the primary language for EVM-compatible blockchains. BlockSecOps provides comprehensive coverage with 11+ specialized scanners.


Supported Versions

Version   Support   Notes
0.8.x     Full      Recommended
0.7.x     Full      Legacy support
0.6.x     Full      Legacy support
0.5.x     Limited   Some scanners may not work
0.4.x     Legacy    Basic analysis only

Available Scanners

Static Analysis

Scanner   Focus                     Best For
Slither   Comprehensive detection   All projects
Solhint   Linting, style            Code quality
Aderyn    Modern analysis           Latest patterns
Semgrep   Custom rules              Enterprise
Wake      Framework-aware           Complex projects

Formal Verification

Scanner   Focus                Best For
Mythril   Symbolic execution   Deep bugs
Halmos    Symbolic testing     Property verification
Certora   Formal specs         Critical contracts

Dynamic Analysis

Scanner   Focus              Best For
Echidna   Fuzz testing       Invariant testing
Medusa    Parallel fuzzing   Fast fuzzing

AI-Powered

Scanner          Focus          Best For
SolidityDefend   ML detection   Novel patterns

Scanner Recommendations

For New Projects

Use Standard preset:

  • Slither for comprehensive analysis
  • Solhint for code quality
  • Aderyn for modern patterns
  • Semgrep for additional coverage

For Pre-Audit

Use Deep preset:

  • All static analyzers
  • Mythril for symbolic execution
  • Echidna for fuzzing
  • Full coverage

For CI/CD

Use Quick preset:

  • Slither (fast, comprehensive)
  • Solhint (instant feedback)
  • Aderyn (quick analysis)

Project Setup

Directory Structure

project/
├── contracts/          # Upload this directory
│   ├── Token.sol
│   ├── Vault.sol
│   └── interfaces/
│       └── IERC20.sol
├── node_modules/       # Include for dependencies
│   └── @openzeppelin/
├── lib/                # Foundry libraries
│   └── forge-std/
└── foundry.toml        # Project config

What to Upload

Include:

  • All .sol files
  • node_modules/ for npm dependencies
  • lib/ for Foundry libraries
  • Configuration files (foundry.toml, hardhat.config.js)

Exclude:

  • Test files (optional)
  • Build artifacts (out/, artifacts/)
  • Large unused dependencies

Framework Support

Foundry

Fully supported with automatic detection:

# foundry.toml
[profile.default]
src = "src"
out = "out"
libs = ["lib"]
remappings = [
    "@openzeppelin/=lib/openzeppelin-contracts/",
    "forge-std/=lib/forge-std/src/"
]

Hardhat

Supported with configuration:

// hardhat.config.js
module.exports = {
  solidity: "0.8.20",
  paths: {
    sources: "./contracts",
    tests: "./test"
  }
};

Brownie

Supported via the Brownie (Python framework) YAML config:

# brownie-config.yaml
compiler:
  solc:
    version: "0.8.20"

Common Vulnerability Patterns

High-Risk Issues

Vulnerability              Scanner Detection
Reentrancy                 Slither, Mythril, Echidna
Access Control             Slither, Aderyn, Semgrep
Integer Overflow           Slither (pre-0.8), Mythril
Unchecked External Calls   Slither, Wake
Delegate Call Injection    Slither, Mythril

Medium-Risk Issues

Vulnerability           Scanner Detection
Front-running           Slither, SolidityDefend
Timestamp Dependence    Slither, Aderyn
Incorrect Inheritance   Slither, Wake
Missing Events          Solhint, Aderyn

Code Quality

Issue                Scanner Detection
Unused Variables     Solhint, Slither
Shadowing            Slither, Solhint
Naming Conventions   Solhint
Missing NatSpec      Solhint

Scan Configuration

Compiler Settings

Specify Solidity version in your config:

{
  "compiler": {
    "version": "0.8.20",
    "optimizer": {
      "enabled": true,
      "runs": 200
    }
  }
}

Import Remappings

Configure import resolution:

@openzeppelin/=node_modules/@openzeppelin/
@chainlink/=node_modules/@chainlink/

Exclude Patterns

Skip test files or mocks:

**/test/**
**/mocks/**
**/*.t.sol

Best Practices

Code Quality

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// @title Secure Vault
/// @author Your Name
/// @notice Stores tokens securely
contract SecureVault is ReentrancyGuard {
    // Use immutable for gas savings
    address public immutable owner;

    // Per-user ETH balances tracked by the vault
    mapping(address => uint256) public balances;

    // Events for transparency
    event Deposited(address indexed user, uint256 amount);
    event Withdrawn(address indexed user, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    /// @notice Deposit ETH into the vault
    function deposit() external payable {
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    /// @notice Withdraw tokens safely
    /// @param amount Amount to withdraw
    function withdraw(uint256 amount) external nonReentrant {
        // Checks
        require(balances[msg.sender] >= amount, "Insufficient balance");

        // Effects
        balances[msg.sender] -= amount;

        // Interactions
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed");

        emit Withdrawn(msg.sender, amount);
    }
}

Security Patterns

  1. Use OpenZeppelin: Well-audited implementations
  2. Check-Effects-Interactions: Prevent reentrancy
  3. Access Control: Use modifiers consistently
  4. Input Validation: Validate all external inputs
  5. Event Emission: Log state changes

Scan Optimization

Faster Scans

  1. Exclude test files in quick scans
  2. Use specific scanner selection
  3. Limit to changed files in CI

More Thorough Scans

  1. Include all dependencies
  2. Add custom Echidna properties
  3. Configure Certora specifications
  4. Enable all scanners
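An added example of the "custom Echidna properties" step above (not BlockSecOps code): an Echidna harness for the checks-effects-interactions vault shown under Best Practices. The embedded Vault is a stand-alone copy of that withdraw (without the ReentrancyGuard import) plus an assumed payable deposit; the harness funds itself through Echidna's balanceContract setting, which is assumed to be set in echidna.yaml.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vault under test: the CEI withdraw from the Best Practices listing, plus a payable
// deposit (assumed; the page's listing does not show one). No OZ import, so it compiles alone.
contract Vault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "Insufficient balance"); // checks
        balances[msg.sender] -= amount;                                  // effects
        (bool ok, ) = msg.sender.call{value: amount}("");                 // interactions
        require(ok, "Transfer failed");
    }
}

// Echidna harness: the fuzzer calls fuzz* with random arguments and re-checks every
// echidna_* property after each call. The harness is the vault's only depositor.
// Fund it with `balanceContract` in echidna.yaml, then run:
//   echidna . --contract VaultInvariants --config echidna.yaml
contract VaultInvariants {
    Vault private vault = new Vault();
    uint256 private deposited;     // ETH sent into the vault
    uint256 private withdrawn;     // ETH the vault was asked to return
    uint256 private received;      // ETH that actually arrived back
    bool private overdrawAccepted; // set only if an over-balance withdraw succeeds

    receive() external payable { received += msg.value; }

    function fuzzDeposit(uint256 amount) external {
        amount %= address(this).balance + 1;         // only spend what we hold
        vault.deposit{value: amount}();
        deposited += amount;
    }
    function fuzzWithdraw(uint256 amount) external {
        amount %= vault.balances(address(this)) + 1; // stay within our balance
        withdrawn += amount;
        vault.withdraw(amount);                      // a revert rolls back the line above too
    }
    // Negative case: asking for more than we hold must always revert.
    function fuzzOverdraw(uint256 extra) external {
        uint256 amount = vault.balances(address(this)) + 1 + (extra % 1 ether);
        try vault.withdraw(amount) { overdrawAccepted = true; } catch {}
    }

    // Properties: vault ETH covers our recorded balance, the ledger matches real flows,
    // and the balance check was never bypassed.
    function echidna_vault_covers_balance() external view returns (bool) { return address(vault).balance >= vault.balances(address(this)); }
    function echidna_ledger_consistent() external view returns (bool) { return vault.balances(address(this)) == deposited - withdrawn && received == withdrawn; }
    function echidna_overdraw_rejected() external view returns (bool) { return !overdrawAccepted; }
}
```

Swapping the effect and interaction lines in Vault.withdraw, or dropping the require, makes Echidna report a falsified property with the call sequence that reached it, which is the same defect the Slither reentrancy finding later on this page flags statically.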

Troubleshooting

Compilation Errors

"File not found"

  • Check import paths
  • Include node_modules
  • Configure remappings

"Version mismatch"

  • Specify correct compiler version
  • Check pragma statements match

Scanner Issues

Slither timeout

  • Simplify complex contracts
  • Increase timeout settings

Mythril out of memory

  • Reduce contract complexity
  • Use targeted analysis

Example Results

Slither Finding

Token.sol:45 - Reentrancy in Token.withdraw()
  External call: (success, ) = msg.sender.call{value: amount}("")
  State write after call: balances[msg.sender] = 0

Severity: High
Confidence: High

Solhint Finding

Token.sol:12 - Variable 'x' is declared but never used
  Rule: no-unused-vars

Severity: Warning
