Hey there, I am Samrat Gupta aka Sm4rty, an independent smart contract auditor and part-time bug bounty hunter. In this blog I will share some VSCode extensions used in smart contract hacking. Using these extensions will help you find bugs and stay efficient while hunting for bugs in smart contracts. Let's start:
Table of Contents:
1. Inline Bookmarks
2. Solidity Visual Developer
3. EthOver
4. Slither VSCode
5. GraphViz Interactive Preview
6. MythX VSC [BONUS]
1. Inline Bookmarks:
The Inline Bookmarks extension lets you bookmark lines of code from within the code itself, using tags in comments. It can be used to keep track of development notes and to-dos, for document review, and for log analysis and auditing. Because the bookmarks are stored in the source files alongside the code, you can share your notes and bookmarks with others simply by sharing the files.
The following trigger words/tags are configured by default:
- @todo - (blue) General to-do remark.
- @note - (blue) General remark.
- @remind - (blue) General remark.
- @follow-up - (blue) General remark.
- @audit - (red) General bookmark for potential issues.
- @audit-info - (blue) General bookmark for information to be noted for later use.
- @audit-ok - (green) Add a note that a specific line is not an issue even though it might look like it.
- @audit-issue - (purple) Reference a code location an issue was filed for.
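The extension only highlights these tags in the editor; turning them into a findings list is left to you. The following script is an added example (not part of the original post or of the extension) that scans Solidity sources for the default @audit* tags and triages them. The Vault contract and the file name "Vault.sol" are constructed for the example.

```python
"""Collect Inline Bookmarks audit tags from Solidity sources into a findings list.

Added example, not code from the post or from vscode-inline-bookmarks. The
sample contract below is constructed for this example."""
import re
from collections import Counter

# Audit tags as configured by default in vscode-inline-bookmarks.
# Longer tags come first so "@audit-info" is not matched as "@audit" + "-info".
AUDIT_TAGS = ("@audit-info", "@audit-ok", "@audit-issue", "@audit")

# Constructed sample: a contract annotated the way an auditor would during review.
SAMPLE_SOURCE = """\
pragma solidity ^0.8.0;

contract Vault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value; // @audit-info entry point for all user funds
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount);
        (bool ok, ) = msg.sender.call{value: amount}(""); // @audit external call before state update
        require(ok);
        balances[msg.sender] -= amount; // @audit-issue reentrancy, see finding #1
    }

    function owner() external view returns (address) {
        return address(this); // @audit-ok intentional, contract is self-owned
    }
}
"""

# Matches a line comment that starts with one of the tags, capturing tag and note.
TAG_RE = re.compile(r"//\s*(" + "|".join(re.escape(t) for t in AUDIT_TAGS) + r")\b\s*(.*)")


def extract_bookmarks(source, filename="Vault.sol"):
    """Return (filename, line, tag, note) for every tagged comment in `source`."""
    found = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = TAG_RE.search(line)
        if match:
            found.append((filename, lineno, match.group(1), match.group(2).strip()))
    return found


def triage(bookmarks):
    """Count bookmarks per tag and list the ones still marked as potential issues.

    @audit-ok lines are deliberately excluded: they document why a suspicious
    line is fine, and @audit-info lines are context, not findings."""
    counts = Counter(tag for _, _, tag, _ in bookmarks)
    open_items = [b for b in bookmarks if b[2] in ("@audit", "@audit-issue")]
    return counts, open_items


if __name__ == "__main__":
    counts, open_items = triage(extract_bookmarks(SAMPLE_SOURCE))
    print(dict(counts))
    for filename, lineno, tag, note in open_items:
        print(f"{filename}:{lineno} {tag} {note}")
```

Run it over real files by replacing SAMPLE_SOURCE with the contents of each .sol file in the workspace; because the tags live in comments, the same list can be regenerated by anyone who has the annotated sources.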
Reference:
https://github.com/tintinweb/vscode-inline-bookmarks
2. Solidity Visual Developer:
This is a must-have extension for a smart contract auditor, and its feature set is quite impressive. It adds security-centric syntax and semantic highlighting, a detailed class outline, specialised views, Solidity code insights and other augmentations to Visual Studio Code. (Its marketplace ID is still solidity-visual-auditor, the extension's original name.)
Some of the features of this extension are:
- Syntax Highlighting
- Semantics Highlighting
- Graph- and Reporting Features
- Review Features
- Multiple Views
Reference:
https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor
3. EthOver:
Contracts often hardcode the addresses of other contracts they integrate with. The EthOver extension lets you instantly view details of those hardcoded addresses from inside the editor. It saves a lot of time because you no longer need to copy and paste each address into Etherscan again and again.
All you need to do is hover over an Ethereum address and you get a bunch of options like:
- Open it in Etherscan.
- Show address balance in hover.
- Download the bytecode and disassemble it.
- Download the bytecode and show it.
- Show verified contract source (etherscan.io)
- Show reconstructed contract source from eveem.org
- Show reconstructed contract source from evm.js
- Run vscode-decompiler to decompile it manually using panoramix (eveem.org) locally
Reference:
https://marketplace.visualstudio.com/items?itemName=tintinweb.vscode-ethover
4. Slither VSCode:
This extension offers Visual Studio Code integration for Slither, a Solidity static analysis framework written in Python 3. With Slither for Visual Studio Code, you can run a suite of vulnerability detectors on your Solidity smart contracts to annotate potentially dangerous code and receive suggested fixes.
It gives a clean view of all the findings, unlike the CLI version of Slither, whose output is harder to read. If you are using Slither, it is worth installing the VSCode extension for it.
Some features of the extension are:
- Analyze open workspaces
- Explore results in a custom tree, sorted by issue type or severity
- View results as native Visual Studio Code information/warnings/errors
- See annotations for relevant source code for each issue
- Print detailed issue descriptions and recommendations
- Filter issues by type (per workspace configuration)
- Specify custom solc path (per workspace configuration)
- Solidity Syntax Highlighting
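The extension's tree view orders findings by severity and lets you filter detector types per workspace. The script below is an added example (not part of the post or of slither-vscode) that reproduces that triage from the JSON the Slither CLI writes with `slither . --json out.json`, which is useful in CI or when the extension is not available. The report is constructed for the example; only the top-level layout of Slither's JSON (results.detectors[] with check, impact, confidence, description and elements) is followed, and the fields not used here are omitted.

```python
"""Sort and filter Slither JSON findings by severity and detector type.

Added example, not code from the post or from slither-vscode. The report
below is constructed; it keeps only the fields of Slither's --json output
that this script uses."""
import json
import sys

# Slither's impact and confidence levels, most severe first.
IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
CONFIDENCE_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample report in the shape of `slither . --json out.json`.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "solc-version", "impact": "Informational", "confidence": "High",
         "description": "Pragma version^0.8.0 allows old versions",
         "elements": [{"type": "pragma", "name": "^0.8.0",
                       "source_mapping": {"filename_relative": "Vault.sol", "lines": [1]}}]},
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256)",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "Vault.sol",
                                          "lines": [10, 11, 12, 13, 14, 15]}}]},
        {"check": "low-level-calls", "impact": "Informational", "confidence": "High",
         "description": "Low level call in Vault.withdraw(uint256)",
         "elements": [{"type": "node", "name": "(ok) = msg.sender.call{value: amount}()",
                       "source_mapping": {"filename_relative": "Vault.sol", "lines": [12]}}]},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.withdraw(uint256) uses timestamp for comparisons",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "Vault.sol",
                                          "lines": [10, 11, 12, 13, 14, 15]}}]},
    ]},
})


def load_findings(report_json):
    """Parse a Slither JSON report and return its detector results."""
    report = json.loads(report_json)
    if not report.get("success"):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    return report["results"]["detectors"]


def sort_by_severity(findings):
    """Order findings by impact, then confidence, then detector name."""
    return sorted(findings, key=lambda f: (IMPACT_ORDER.get(f["impact"], 99),
                                           CONFIDENCE_ORDER.get(f["confidence"], 99),
                                           f["check"]))


def filter_by_check(findings, excluded_checks):
    """Drop detectors the workspace has chosen to ignore (e.g. style-only checks)."""
    return [f for f in findings if f["check"] not in excluded_checks]


def location(finding):
    """First source location of a finding as file:first-last line."""
    mapping = finding["elements"][0]["source_mapping"]
    lines = mapping["lines"]
    return f"{mapping['filename_relative']}:{lines[0]}-{lines[-1]}"


def format_finding(finding):
    """One line per finding, in the order an auditor reads it: severity, detector, where, what."""
    return (f"[{finding['impact']}/{finding['confidence']}] {finding['check']} "
            f"{location(finding)} {finding['description']}")


if __name__ == "__main__":
    # Usage: python triage.py [out.json]; without an argument the constructed sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = filter_by_check(load_findings(report), {"solc-version"})
    for finding in sort_by_severity(findings):
        print(format_finding(finding))
```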
Reference:
https://marketplace.visualstudio.com/items?itemName=trailofbits.slither-vscode
5. GraphViz Interactive Preview:
GraphViz Interactive Preview is a VSCode extension that provides syntax highlighting, snippets and an interactive live preview (zoomable, pannable and searchable, with edge tracing) for graphs in Graphviz/dot format. It increases your efficiency, especially when the project you are auditing is a large one: a mind map or call graph of the project helps you get an overall understanding of its flow.
Some features of the extension are:
- Renders dot/Graphviz sources in an interactive live preview.
- Updates the preview as you type.
- Lets you search for nodes in the graph.
- Exports the graph as svg or dot.
- Interactive edge tracing: click on a node to highlight its incoming and outgoing edges (ESC to unselect). The direction of the highlighting can be changed (options: single, upstream, downstream, bidirectional).
- Configurable render engine, render options and tracing preferences, e.g. transitionDelay and transitionDuration.
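To show what the preview is used for during an audit, here is an added example (not part of the post or of the extension) that writes a small contract call graph as dot text, colouring edges that cross into another contract, and reproduces the edge-tracing options (single, upstream, downstream, bidirectional) as plain graph searches. The call edges are constructed by hand; in a real review they would come from a tool such as `slither . --print call-graph`, which writes .dot files you can open directly in the preview. The contract names and the `boundary_prefix` convention are assumptions for the example.

```python
"""Emit a call graph as Graphviz dot and compute the preview's edge-tracing sets.

Added example, not code from the post or from the GraphViz Interactive Preview
extension. The call edges below are constructed for a small contract."""
from collections import deque

# Constructed call edges: caller -> callees. Names outside the "Vault." prefix
# are calls into another contract, i.e. the edges an auditor wants to see first.
CALLS = {
    "Vault.deposit": [],
    "Vault.withdraw": ["Vault._checkBalance", "Vault._send"],
    "Vault.withdrawAll": ["Vault.withdraw"],
    "Vault._checkBalance": [],
    "Vault._send": ["IERC20.transfer"],  # crosses a trust boundary
    "IERC20.transfer": [],
}


def to_dot(calls, boundary_prefix="Vault."):
    """Render the call graph as dot; external nodes and edges to them are highlighted."""
    lines = ["digraph callgraph {", "  rankdir=LR;", "  node [shape=box];"]
    for node in calls:
        if not node.startswith(boundary_prefix):
            lines.append(f'  "{node}" [style=filled fillcolor=lightcoral];')
    for caller, callees in calls.items():
        for callee in callees:
            attrs = "" if callee.startswith(boundary_prefix) else " [color=red penwidth=2]"
            lines.append(f'  "{caller}" -> "{callee}"{attrs};')
    lines.append("}")
    return "\n".join(lines)


def trace(calls, start, direction="bidirectional"):
    """Nodes the preview would highlight for `start` in the given tracing direction.

    single: direct callers and callees only; downstream: everything reachable
    from start; upstream: everything that can reach start; bidirectional: both."""
    reverse = {node: [] for node in calls}
    for caller, callees in calls.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    if direction == "single":
        return set(calls.get(start, [])) | set(reverse.get(start, []))
    adjacencies = {"downstream": [calls], "upstream": [reverse],
                   "bidirectional": [calls, reverse]}.get(direction)
    if adjacencies is None:
        raise ValueError(f"unknown tracing direction: {direction}")
    reached = set()
    for adjacency in adjacencies:
        visited, queue = {start}, deque([start])
        while queue:  # breadth-first walk in one direction
            node = queue.popleft()
            for nxt in adjacency.get(node, []):
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append(nxt)
        reached |= visited
    reached.discard(start)
    return reached


if __name__ == "__main__":
    # Write callgraph.dot, then open it in VSCode with the preview to pan, zoom and trace.
    with open("callgraph.dot", "w") as fh:
        fh.write(to_dot(CALLS))
    print("callers of Vault._send:", sorted(trace(CALLS, "Vault._send", "upstream")))
```

Tracing upstream from the function that makes the external call answers the question an auditor asks first: which entry points can reach it, and therefore which access checks and state updates sit on the path.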
Reference:
https://marketplace.visualstudio.com/items?itemName=tintinweb.graphviz-interactive-preview
[BONUS] MythX VSC:
MythX is a suite of analysis techniques that automatically detects security vulnerabilities in Ethereum smart contracts. MythX VSC is an extension for running MythX smart contract analysis from Visual Studio Code.
MythX uses an API key for authentication. Once your account is set up, head over to dashboard.mythx.io/. In the Profile section there is an element labeled MythX API Key, which the extension needs in order to submit analyses.
Some of the features of this Extension are:
- Smart contract compilation (via the Solidity VS Code extension)
- Authentication to the MythX platform
- AST extraction from compiled source
- Submission of analysis
- Displaying analysis results in VS Code in a linting fashion
Reference:
https://marketplace.visualstudio.com/items?itemName=MythX.mythxvsc