From ebe50c34fd54add847aad37a980c93d3bf9386b7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 15 Nov 2025 12:37:40 +0000 Subject: [PATCH] Add content from: Level up your Solidity LLM tooling with Slither-MCP --- src/SUMMARY.md | 1 + .../llm-assisted-auditing-with-slither-mcp.md | 62 +++++++++++++++++++ .../mutation-testing-with-slither.md | 9 ++- 3 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 78a38276770..a315a561487 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -87,6 +87,7 @@ - [Basic Python](generic-methodologies-and-resources/python/basic-python.md) - [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md) - [Blockchain & Crypto](blockchain/blockchain-and-crypto-currencies/README.md) + - [Llm Assisted Auditing With Slither Mcp](blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md) - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md) - [Defi/AMM Hook Precision](blockchain/blockchain-and-crypto-currencies/defi-amm-hook-precision.md) - [Lua Sandbox Escape](generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md) diff --git a/src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md b/src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md new file mode 100644 index 00000000000..e3aee8c5400 --- /dev/null +++ b/src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md 
@@ -0,0 +1,62 @@ +# LLM-assisted Solidity auditing with Slither-MCP + +{{#include ../../banners/hacktricks-training.md}} + +Slither-MCP is a Model Context Protocol (MCP) server that exposes Slither’s static analysis to LLM clients (Claude Desktop/Code, Cursor, etc.). Instead of brittle grep/read_file flows, an agent can query a deterministic Slither index of your Foundry/Hardhat project to resolve sources, traverse call graphs, inspect inheritance, and run detectors in-scope. + +Why it matters +- Deterministic program analysis as ground truth (fewer hallucinations and wrong-file selections). +- Lower token/tool churn: ask for the exact implementation and usage paths directly. + +Core capabilities (via MCP tools) +- Source extraction: return canonical source for a contract/function across imports/inheritance. +- Call graph navigation: enumerate callers and callees for precise usage mapping. +- Inheritance introspection: list base/derived classes and resolved members/overrides. +- Signature resolution: map interface signatures (e.g., `IOracle.price(uint256)`) to concrete implementations. +- Detectors: run Slither’s detectors and filter results to specific contracts/functions. + +Auditing workflow example (ERC20.transfer) +- Resolve the canonical implementation even in large trees with multiple ERC20s: + - get_function_source for `transfer(address,uint256)` to fetch the true implementation (accounts for imports/overrides). +- Map usage precisely: + - List callers of `transfer(address,uint256)` to see where it’s invoked (e.g., fee controllers, test doubles, adapters). + - List callees from the resolved function to understand downstream effects. +- Focused triage: + - Run Slither detectors scoped to the resolved contract/function to surface high-signal findings first. + +Signature-to-implementation mapping +- Query by interface signature (e.g., `IOracle.price(uint256)`) to locate concrete implementations before tracing calls or running detectors. 
This avoids analyzing mocks/stubs by mistake. + +Setup in common MCP clients +- Claude Code (stdio transport): + +```bash +claude mcp add --transport stdio slither -- uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp +``` + +- Cursor IDE (append to `~/.cursor/mcp.json`): + +```json +{ + "mcpServers": { + "slither-mcp": { + "command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp", + "env": { + "PYTHONUNBUFFERED": "1" + } + } + } +} +``` + +Usage tips +- Start from a function of interest and use signature resolution to anchor analysis on the real implementation. +- Pivot through callers/callees to build accurate usage paths before running detectors. +- Scope detector runs to relevant contracts/functions to keep output actionable on large codebases. + +## References + +- [Level up your Solidity LLM tooling with Slither-MCP (Trail of Bits)](https://blog.trailofbits.com/2025/11/15/level-up-your-solidity-llm-tooling-with-slither-mcp/) +- [Slither-MCP (GitHub)](https://github.com/trailofbits/slither-mcp) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/blockchain/smart-contract-security/mutation-testing-with-slither.md b/src/blockchain/smart-contract-security/mutation-testing-with-slither.md index 2b30ce67547..8df5d25f300 100644 --- a/src/blockchain/smart-contract-security/mutation-testing-with-slither.md +++ b/src/blockchain/smart-contract-security/mutation-testing-with-slither.md 
@@ -117,11 +117,16 @@ Guidance: Treat survivors that affect value transfers, accounting, or access con - Replace unrealistic mocks; simulate failure modes. - Iterate until all mutants are killed or justified with comments and rationale. +## Related + +{{#ref}} +llm-assisted-auditing-with-slither-mcp.md +{{#endref}} + ## References - [Use mutation testing to find the bugs your tests don't catch (Trail of Bits)](https://blog.trailofbits.com/2025/09/18/use-mutation-testing-to-find-the-bugs-your-tests-dont-catch/) - [Arkis DeFi Prime Brokerage Security Review (Appendix C)](https://github.com/trailofbits/publications/blob/master/reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf) - [Slither (GitHub)](https://github.com/crytic/slither) -{{#include ../../banners/hacktricks-training.md}} - +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file
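Review bot: In the `src/SUMMARY.md` hunk the new entry is titled `Llm Assisted Auditing With Slither Mcp`, which looks auto-generated from the filename and does not match the page's own H1 `LLM-assisted Solidity auditing with Slither-MCP`; suggest `- [LLM-assisted Auditing with Slither-MCP](blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md)` so the acronyms are cased like the sibling `Defi/AMM Hook Precision` entry and the page heading.

Review bot: In the new `llm-assisted-auditing-with-slither-mcp.md` hunk the Cursor config passes the whole invocation as one string, `"command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp"`; MCP client configs generally take `command` as the executable and `args` as a separate array, so as written the client may try to execute a binary literally named by that string. Suggest `"command": "uvx"` with `"args": ["--from", "git+https://github.com/trailofbits/slither-mcp", "slither-mcp"]`, or a sentence confirming the single-string form is what Cursor accepts. Separately, both the Claude Code and Cursor snippets install from the unpinned repository URL, so every launch fetches whatever is at the default branch head; for a tool that will read and index a client's source tree, it is worth adding a note to pin to a tag or commit (for example `git+https://github.com/trailofbits/slither-mcp@<tag-or-commit>`) and to vet the install before pointing an agent at private code. Minor: the `Signature-to-implementation mapping` bullet restates the `Signature resolution` bullet from the capabilities list, and only `get_function_source` is given as a literal tool name while the caller/callee and detector steps are described in prose; either name all the tools or none so readers know which identifiers are real.

Review bot: In the `mutation-testing-with-slither.md` hunk the trailing edit is a whitespace-only change that drops the file's final newline (the `-{{#include ...}}` / `-` lines are re-added as `+{{#include ...}}` followed by `\ No newline at end of file`); this is unrelated to adding the `## Related` block and will show up as a spurious diff on the next touch, so restore the terminating newline and keep only the `## Related` / `{{#ref}}` insertion in this commit.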