Analyzing Ethereum Smart Contract Vulnerabilities
Overview
Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.
When to Use
- When investigating security incidents that require analyzing Ethereum smart contract vulnerabilities
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.10+ with pip
- Slither (pip install slither-analyzer) and the solc compiler
- Mythril (pip install mythril) with solc-select for compiler version management
- Solidity source code or compiled contract bytecode
- Foundry or Hardhat development framework (optional, for project-level analysis)
Steps
Step 1: Run Slither Static Analysis
Execute Slither against the contract codebase to identify vulnerability patterns, optimization opportunities, and code quality issues using its 90+ built-in detectors.
Step 2: Run Mythril Symbolic Execution
Run Mythril's deeper symbolic analysis to explore execution paths and discover reentrancy, unchecked external calls, and arithmetic vulnerabilities that require path-sensitive analysis.
Step 3: Triage and Correlate Findings
Combine results from both tools, deduplicate findings, assess severity based on exploitability and financial impact, and filter false positives.
Step 4: Generate Audit Report
Produce a structured audit report with vulnerability descriptions, affected code locations, exploit scenarios, and remediation recommendations.
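An added example (not code from the original page or from either tool's project) of Steps 3 and 4: it normalises Slither and Mythril JSON output into one finding shape, merges on (file, function, SWC), keeps the worst severity, drops suppressed false positives, and marks findings that both engines agree on. The sample tool output is constructed in the shape of `slither --json` and `myth analyze -o json`; the field names and the Slither-detector-to-SWC mapping are assumptions.

```python
# Assumed Slither-detector -> SWC mapping (constructed for this example, not the tool's own table).
SLITHER_SWC = {"reentrancy-eth": "SWC-107", "unchecked-lowlevel": "SWC-104",
               "suicidal": "SWC-106", "arbitrary-send-eth": "SWC-105"}
RANK = {"High": 3, "Medium": 2, "Low": 1}  # Slither's Informational/Optimization impacts are dropped

# Constructed sample output in the shape of `slither . --json` and `myth analyze -o json` (field names assumed).
SLITHER_OUT = {"success": True, "results": {"detectors": [
    {"check": "reentrancy-eth", "impact": "High", "elements": [{"type": "function", "name": "withdraw",
        "source_mapping": {"filename_relative": "Vault.sol", "lines": [18, 19, 20]}}]},
    {"check": "naming-convention", "impact": "Informational", "elements": [{"type": "variable", "name": "_Owner",
        "source_mapping": {"filename_relative": "Vault.sol", "lines": [7]}}]}]}}
MYTHRIL_OUT = {"success": True, "issues": [
    {"swc-id": "107", "severity": "High", "filename": "Vault.sol", "lineno": 20, "function": "withdraw(uint256)"},
    {"swc-id": "116", "severity": "Low", "filename": "Vault.sol", "lineno": 31, "function": "isOpen()"}]}

def normalize_slither(report):
    """One finding per function element of each security-relevant detector hit."""
    out = []
    for det in report["results"]["detectors"]:
        for el in det["elements"]:
            if det["impact"] in RANK and el["type"] == "function":
                sm = el["source_mapping"]
                out.append({"file": sm["filename_relative"], "line": min(sm["lines"]), "function": el["name"],
                            "swc": SLITHER_SWC.get(det["check"], det["check"]),
                            "severity": det["impact"], "tools": ["slither"]})
    return out

def normalize_mythril(report):
    """Mythril issues already carry SWC ids; drop the parameter list from the function signature."""
    return [{"file": i["filename"], "line": i["lineno"], "function": i["function"].split("(")[0],
             "swc": "SWC-" + i["swc-id"], "severity": i["severity"], "tools": ["mythril"]}
            for i in report["issues"]]

def triage(slither_report, mythril_report, suppressed=()):
    """Merge on (file, function, SWC), keep the worst severity, mark agreement, skip known false positives."""
    merged = {}
    for f in normalize_slither(slither_report) + normalize_mythril(mythril_report):
        key = (f["file"], f["function"], f["swc"])
        if key in suppressed:  # reviewer-confirmed false positives from a previous pass
            continue
        cur = merged.setdefault(key, dict(f))
        cur["tools"] = sorted(set(cur["tools"]) | set(f["tools"]))
        if RANK[f["severity"]] > RANK[cur["severity"]]:
            cur["severity"] = f["severity"]
    findings = sorted(merged.values(), key=lambda f: (-RANK[f["severity"]], f["file"], f["line"]))
    for f in findings:  # independent confirmation by both engines is the strongest triage signal
        f["confidence"] = "confirmed" if len(f["tools"]) == 2 else "needs-review"
    return {"findings": findings, "counts": {s: sum(f["severity"] == s for f in findings) for s in RANK}}
```

`json.dumps(triage(SLITHER_OUT, MYTHRIL_OUT), indent=2)` gives the Step 4 report: the reentrancy hit in `withdraw` comes out once, rated High and confirmed by both tools, while the Mythril-only timestamp finding is kept for review.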
Expected Output
JSON report listing vulnerabilities with SWC (Smart Contract Weakness Classification) identifiers, severity ratings, affected functions, and suggested fixes.