Run Slither for static analysis

[PaulRBerg]

See the Static Analyzers section of the Foundry Book.

[andreivladbrg]

What is this useful for? First time seeing this

[PaulRBerg]

It's mostly useful for running a suite of vulnerability detectors that are not detected by the compiler - see the README.

I've known about Slither for a long time, it's a popular tool in Ethereum.

[PaulRBerg]

riiight, so I just installed and tried to use it, but got this error ..

Error:
Top level UsingForDirective not supported

Unfortunately, Slither does not support the latest feature introduced in Solidity v0.8.13, that is, using the using for directive for value types. There is an open issue about this:

crytic/slither#1352

I will label this issue as "backlog" for the time being.

[PaulRBerg]

Update: the Slither team has just marked issue #1352 as completed.

Will remove the "backlog" label from our issue.

[PaulRBerg]

We're currently waiting for the following bug to be fixed so we can run Slither on the v2-core repository:

crytic/slither#1607

There's an open PR with a fix:

crytic/slither#1625

[PaulRBerg]

That PR has been merged, so we should be able to run Slither now in this code base (though we have to build it from the source since they didn't release v0.9.3 just yet).

I will remove the backlog label now.

[PaulRBerg]

I managed to run Slither using a version built from commit 776dcab.

Notes:

• Slither found only two noteworthy issues; one was a minor variable overshadow, the other a reentrancy issue in the _cancel function (which I fixed via refactor: transfer recipients assets first in "_cancel" #382)
• At least two of the other issues it reported were due to bugs in Slither itself, see [Bug]: calls-loop does not report the context of the loop crytic/slither#1468 and [False-Positive]: unimplemented-functions for mappings that contain custom types and directly implement interfaces crytic/slither#1778
• The others were false positive, irrelevant, or inconsequential
• Running slither . didn't work, only individual contracts did (e.g. slither src/SablierV2LockupLinear.sol) but I will wait for a new Slither version to be shipped on PyPI before reporting this as a bug

Going to drop Warp.dev permanlinks that contain the full report for all contracts:

• src/abstracts
• src/interfaces
• src/SablierV2Comptroller.sol
• src/SablierV2LockupLinear.sol
• src/SablierV2LockupDynamic.sol

[PaulRBerg]

Note: we will integrate Slither in CI once they ship a new version to PyPI, so that their GitHub Action will pull a version that works with user-defined value types.