HackTricks-wiki · carlospolop · Nov 15, 2025
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -87,6 +87,7 @@
   - [Basic Python](generic-methodologies-and-resources/python/basic-python.md)
 - [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md)
 - [Blockchain & Crypto](blockchain/blockchain-and-crypto-currencies/README.md)
+  - [Llm Assisted Auditing With Slither Mcp](blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md)
   - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md)
   - [Defi/AMM Hook Precision](blockchain/blockchain-and-crypto-currencies/defi-amm-hook-precision.md)
 - [Lua Sandbox Escape](generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md)

diff --git a/src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md b/src/blockchain/smart-contract-security/llm-assisted-auditing-with-slither-mcp.md
@@ -0,0 +1,62 @@
+# LLM-assisted Solidity auditing with Slither-MCP
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Slither-MCP is a Model Context Protocol (MCP) server that exposes Slither’s static analysis to LLM clients (Claude Desktop/Code, Cursor, etc.). Instead of brittle grep/read_file flows, an agent can query a deterministic Slither index of your Foundry/Hardhat project to resolve sources, traverse call graphs, inspect inheritance, and run detectors in-scope.
+
+Why it matters
+- Deterministic program analysis as ground truth (fewer hallucinations and wrong-file selections).
+- Lower token/tool churn: ask for the exact implementation and usage paths directly.
+
+Core capabilities (via MCP tools)
+- Source extraction: return canonical source for a contract/function across imports/inheritance.
+- Call graph navigation: enumerate callers and callees for precise usage mapping.
+- Inheritance introspection: list base/derived classes and resolved members/overrides.
+- Signature resolution: map interface signatures (e.g., `IOracle.price(uint256)`) to concrete implementations.
+- Detectors: run Slither’s detectors and filter results to specific contracts/functions.
+
+Auditing workflow example (ERC20.transfer)
+- Resolve the canonical implementation even in large trees with multiple ERC20s:
+  - get_function_source for `transfer(address,uint256)` to fetch the true implementation (accounts for imports/overrides).
+- Map usage precisely:
+  - List callers of `transfer(address,uint256)` to see where it’s invoked (e.g., fee controllers, test doubles, adapters).
+  - List callees from the resolved function to understand downstream effects.
+- Focused triage:
+  - Run Slither detectors scoped to the resolved contract/function to surface high-signal findings first.
+
+Signature-to-implementation mapping
+- Query by interface signature (e.g., `IOracle.price(uint256)`) to locate concrete implementations before tracing calls or running detectors. This avoids analyzing mocks/stubs by mistake.
+
+Setup in common MCP clients
+- Claude Code (stdio transport):
+
+```bash
+claude mcp add --transport stdio slither -- uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp
+```
+
+- Cursor IDE (append to `~/.cursor/mcp.json`):
+
+```json
+{
+  "mcpServers": {
+    "slither-mcp": {
+      "command": "uvx --from git+https://github.com/trailofbits/slither-mcp slither-mcp",
+      "env": {
+        "PYTHONUNBUFFERED": "1"
+      }
+    }
+  }
+}
+```
+
+Usage tips
+- Start from a function of interest and use signature resolution to anchor analysis on the real implementation.
+- Pivot through callers/callees to build accurate usage paths before running detectors.
+- Scope detector runs to relevant contracts/functions to keep output actionable on large codebases.
+
+## References
+
+- [Level up your Solidity LLM tooling with Slither-MCP (Trail of Bits)](https://blog.trailofbits.com/2025/11/15/level-up-your-solidity-llm-tooling-with-slither-mcp/)
+- [Slither-MCP (GitHub)](https://github.com/trailofbits/slither-mcp)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/blockchain/smart-contract-security/mutation-testing-with-slither.md b/src/blockchain/smart-contract-security/mutation-testing-with-slither.md
@@ -117,11 +117,16 @@ Guidance: Treat survivors that affect value transfers, accounting, or access con
 - Replace unrealistic mocks; simulate failure modes.
 - Iterate until all mutants are killed or justified with comments and rationale.
 
+## Related
+
+{{#ref}}
+llm-assisted-auditing-with-slither-mcp.md
+{{#endref}}
+
 ## References
 
 - [Use mutation testing to find the bugs your tests don't catch (Trail of Bits)](https://blog.trailofbits.com/2025/09/18/use-mutation-testing-to-find-the-bugs-your-tests-dont-catch/)
 - [Arkis DeFi Prime Brokerage Security Review (Appendix C)](https://github.com/trailofbits/publications/blob/master/reviews/2024-12-arkis-defi-prime-brokerage-securityreview.pdf)
 - [Slither (GitHub)](https://github.com/crytic/slither)
 
-{{#include ../../banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}