Skip to content

Latest commit

 

History

History
194 lines (126 loc) · 17.3 KB

README.md

File metadata and controls

194 lines (126 loc) · 17.3 KB

Scout Soroban: Security Analysis Tool

https://img.shields.io/badge/license-MIT-green

Scout in a Dark Forest

Scout is an extensible open-source tool intended to assist Soroban Stellar smart contract developers and auditors detect common security issues and deviations from best practices.

This tool helps developers write secure and more robust smart contracts.

Our interest in this project comes from our experience in manual auditing and vulnerability detection in other blockchains (see Scout for ink!).

Quick Start

Make sure that Cargo is installed on your computer. Then, follow these 5 simple steps:

1. Install Rust Nightly Toolchain:

rustup toolchain install nightly-2023-12-16

2. Set Default Nightly Toolchain:

rustup default nightly-2023-12-16

3. Add rust-src Component:

rustup component add rust-src --toolchain nightly-2023-12-16

4. Install additional tools required by Scout:

cargo install cargo-dylint dylint-link mdbook

5. Install Scout Audit:

cargo install cargo-scout-audit

6. Run Scout Audit:

Finally, to run Scout on your project, navigate to the directory of your smart contract and execute the following command:

cargo scout-audit

⚠️ Currently Scout doesn't offer full support for workspaces. If you have a workspace, run Scout in each member instead of running it in the workspace Cargo.toml.

├── your-soroban-project
│   ├── your-smart-contract
│   │   ├── // Run Scout here.
│   │   ├── src
│   │   |   ├── contract.rs 
│   ├── Cargo.lock
│   ├── Cargo.toml
│   ├── README.md

⚠️ Make sure that your smart contracts compile properly. Scout won't run if any compilation errors exist.

For more information on installation and usage, please refer to the Getting Started section in our documentation section below.

Detectors

Currently Scout includes the following detectors.

Detector ID What it Detects Test Cases Severity
divide-before-multiply Performing a division operation before a multiplication, leading to loss of precision. 1, 2, 3 Medium
unsafe-unwrap Inappropriate usage of the unwrap method, causing unexpected program crashes. 1 Medium
unsafe-expect Improper usage of the expect method, leading to unexpected program crashes. 1 Medium
overflow-check An arithmetic operation overflows or underflows the available memory allocated to the variable. 1 Critical
insufficiently-random-values Avoid using block attributes for random number generation to prevent manipulation. 1 Critical
unprotected-update-current-contract-wasm If users are allowed to call update_current_contract_wasm(), they can intentionally modify the contract behaviour. 1 Critical
avoid-core-mem-forget The use of core::mem::forget() could lead to memory leaks and logic errors. 1 Enhancement
set-contract-storage Insufficient access control on env.storage() method. 1, 2, 3 Critical
avoid-panic-error Code panics on error instead of using descriptive enum. 1 Enhancement
avoid-unsafe-block Using unsafe blocks in risks code safety and reliability. 1 Critical
dos-unbounded-operation DoS due to unbounded operation. 1, 2, 3 Medium
soroban-version Using an old version of Soroban can be dangerous, as it may have bugs or security issues. Use the latest version available. 1 Enhancement
unused-return-enum Return enum from a function is not completely used. 1, 2 Minor
iterators-over-indexing Iterating with hardcoded indexes is slower than using an iterator. Also, if the index is out of bounds, it will panic. 1 Enhancement
assert-violation Avoid the usage of the macro assert!, it can panic. 1 Enhancement
unprotected-mapping-operation Modifying mappings with an arbitrary key given by users can be a significant vulnerability. 1, 2 Critical
dos-unexpected-revert-with-vector DoS due to improper storage. 1 Medium
unrestricted-transfer-from Avoid passing an user-defined parameter as a from field in transfer-from. 1 Critical
unsafe-map-get Inappropriate usage of the get method for Map in soroban 1 Medium
zero-or-test-address Avoid zero or test address assignment to prevent contract control loss. 1 Medium
incorrect-exponentation Warns against incorrect usage of ´^´. 1 Critical

Output formats

You can choose the output format that best suit your needs (html or markdown). To specify the desired output run the following command:

cargo scout-audit --output-format [html|md]

Example HTML report

Scout HTML report.

Scout VS Code extension

Add Scout to your development workspace with Scout's VS Code extension to run Scout automatically upon saving your file.

Scout VS Code extension.

⚠️ To ensure the extension runs properly, make sure that you open the directory containing your smart contract, rather than the entire project. For example, if your smart contracts are located in myproject/contracts, and you want to work on the token contract while using the Scout VS Code Extension, open myproject/contracts/token.

💡 Tip: To see the errors highlighted in your code, we recommend installing the Error Lens Extension.

👉 Download Scout VS Code from Visual Studio Marketplace.

Scout GitHub Action

Integrate Scout into your CI/CD pipeline! Automatically run the tool against the targeted smart contracts. This immediate feedback loop allows developers to quickly address any issues before merging the code into the main branch, reducing the risk of introducing bugs or vulnerabilities.

Scout output as a comment in a pull request

Scout GitHub action output

👉 Find Scout GitHub Action in GitHub Marketplace.

Learning to Scout

Join us for an exciting series of video tutorials where you'll learn how to install and run Scout. Discover how to identify and resolve specific issues detected by the tool, and enhance your skills with our expert guidance.

🎬 More videos comming soon!

Tests

To validate our tool, we provide a set of code examples located in the test-cases folder.

In order to run the integration tests, navigate to apps/cargo-scout-audit and run:

cargo test --all --all-features

In order to run the tests for a particular test-case, run the same command on that particular test-case folder (e.g: test-cases/divide-before-multiply/divide-before-multiply-1)

Documentation

Follow our documentation links below and learn more about the vulnerabilities detected by Scout, how the tool works and how to contribute to the project!

Acknowledgements

Scout for Soroban is an open source vulnerability analyzer developed by CoinFabrik's Research and Development team.

We received support through a grant from the Stellar Community Fund (SCF).

About CoinFabrik

We - CoinFabrik - are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM based and also for Solana, Algorand, Stellar and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, TEAL and Stellar Soroban.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

License

Scout is licensed and distributed under a MIT license. Contact us if you're looking for an exception to the terms.