Static analyzer for Solidity and Vyper from Crytic (Trail of Bits). Ships ~90 built-in detectors covering reentrancy, uninitialized storage, shadowing, arbitrary-send, and more, plus printers (inheritance, call graph, storage layout), an upgradeability checker, and a Python API for writing custom detectors and analyses.
- pre-commit / CI static analysis
- reentrancy and access-control checks
- upgradeability diffing
- inheritance and call-graph printers
- writing custom detectors
- uv tool install slither-analyzer
- # or: pipx install slither-analyzer
- # Requires solc on PATH — recommended: `uv tool install solc-select && solc-select install 0.8.28 && solc-select use 0.8.28`
Use Slither for static analysis on every Solidity change. Run `slither .` from the repo root (Foundry and Hardhat projects are auto-detected via crytic-compile) and `slither . --json slither-report.json --sarif slither.sarif` in CI; the SARIF file uploads directly to GitHub code scanning. Narrow noise with `--detect reentrancy-eth,arbitrary-send-eth,uninitialized-state` or drop specific detectors with `--exclude naming-convention,solc-version`. For UUPS/Transparent proxies, run `slither-check-upgradeability . Impl --proxy-name Proxy --new-contract-name ImplV2` to diff storage layouts between implementation versions and check for collisions with the proxy; use `slither-read-storage` to read a deployed contract's storage slots over RPC and compare them against the compiled layout. Wire findings into pull requests via the official `crytic/slither-action` GitHub Action.
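Slither's own `--fail-high` / `--fail-medium` flags gate CI on impact alone. The script below is an added example (not Slither's code) of a slightly richer gate over the JSON report that the `--json` invocation above produces: it fails only on findings at or above both an impact and a confidence threshold, and honours a per-detector allowlist for findings that are triaged elsewhere. The JSON shape (`results.detectors[]` with `check`, `impact`, `confidence`, `elements[].source_mapping`) is Slither's; the contract names and line numbers in the embedded sample report are constructed for this example.

```python
"""CI gate over a Slither JSON report (added example; not part of Slither)."""
import json
import subprocess
import sys

# Slither's impact and confidence labels, weakest to strongest.
IMPACT_ORDER = ["Optimization", "Informational", "Low", "Medium", "High"]
CONFIDENCE_ORDER = ["Low", "Medium", "High"]

# Constructed sample shaped like the output of `slither . --json -`.
# Contract names, descriptions and line numbers are invented.
SAMPLE_REPORT = {
    "success": True,
    "error": None,
    "results": {
        "detectors": [
            {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
             "description": "Reentrancy in Vault.withdraw(uint256)",
             "elements": [{"type": "function", "name": "withdraw",
                           "source_mapping": {"filename_relative": "src/Vault.sol",
                                              "lines": [42, 43, 44]}}]},
            {"check": "reentrancy-benign", "impact": "Low", "confidence": "Medium",
             "description": "Reentrancy in Vault.deposit()",
             "elements": [{"type": "function", "name": "deposit",
                           "source_mapping": {"filename_relative": "src/Vault.sol",
                                              "lines": [30]}}]},
            {"check": "timestamp", "impact": "Low", "confidence": "Medium",
             "description": "Vault.isLocked() uses timestamp for comparisons",
             "elements": [{"type": "function", "name": "isLocked",
                           "source_mapping": {"filename_relative": "src/Vault.sol",
                                              "lines": [55]}}]},
            {"check": "solc-version", "impact": "Informational", "confidence": "High",
             "description": "Pragma version^0.8.0 allows old versions",
             "elements": [{"type": "pragma", "name": "^0.8.0",
                           "source_mapping": {"filename_relative": "src/Vault.sol",
                                              "lines": [2]}}]},
        ]
    },
}


def _rank(order, value):
    """Position of a severity label. Labels Slither adds later and this script
    does not know rank highest, so a new level is never silently ignored."""
    return order.index(value) if value in order else len(order)


def blocking_findings(report, min_impact="Medium", min_confidence="Medium",
                      allow=frozenset()):
    """Findings that should fail the build: impact and confidence both at or
    above the thresholds, and the detector not on the triage allowlist.
    Sorted strongest first; ties keep Slither's order (stable sort)."""
    detectors = report.get("results", {}).get("detectors", [])
    blocking = [
        f for f in detectors
        if f["check"] not in allow
        and _rank(IMPACT_ORDER, f["impact"]) >= _rank(IMPACT_ORDER, min_impact)
        and _rank(CONFIDENCE_ORDER, f["confidence"]) >= _rank(CONFIDENCE_ORDER, min_confidence)
    ]
    blocking.sort(key=lambda f: (_rank(IMPACT_ORDER, f["impact"]),
                                 _rank(CONFIDENCE_ORDER, f["confidence"])), reverse=True)
    return blocking


def summarize(finding):
    """One line per finding: detector, severities, first source location."""
    loc = "?"
    for el in finding.get("elements", []):
        sm = el.get("source_mapping") or {}
        if sm.get("filename_relative"):
            lines = sm.get("lines") or []
            loc = sm["filename_relative"] + (f":{lines[0]}" if lines else "")
            break
    return f'{finding["check"]} [{finding["impact"]}/{finding["confidence"]}] {loc}'


def run_slither(target=".", extra_args=()):
    """Run Slither and parse its JSON report. `--json -` sends the report to
    stdout. Slither exits non-zero both when detectors fire and when the
    build fails, so the `success` key, not the exit code, tells them apart."""
    proc = subprocess.run(["slither", target, "--json", "-", *extra_args],
                          capture_output=True, text=True)
    try:
        report = json.loads(proc.stdout)
    except json.JSONDecodeError:
        raise RuntimeError(f"no JSON report from slither (compile failure?):\n{proc.stderr}")
    if not report.get("success"):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    return report


def main(argv):
    # Usage: python slither_gate.py [report.json]   (no file: run slither on ".")
    report = json.load(open(argv[1])) if len(argv) > 1 else run_slither()
    hits = blocking_findings(report, allow={"reentrancy-benign", "timestamp"})
    for f in hits:
        print(summarize(f), file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a separate CI step after `slither . --json slither-report.json` (`python slither_gate.py slither-report.json`), or with no argument to let it invoke Slither itself. Keep the allowlist short and reviewed; detector-wide allowances are what the `// slither-disable-next-line` comments and `--triage-mode` are meant to avoid.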
- ⚑High false-positive rate on `reentrancy-benign` and `timestamp`. Triage individual findings with `// slither-disable-next-line <detector-name>` comments (the detector name is required) or record accepted findings with `--triage-mode`, which writes them to `slither.db.json`, rather than disabling whole detectors.
- ⚑Slither reasons about Solidity control and data flow (its SlithIR representation), not your protocol's economics. It cannot find protocol-level bugs such as oracle manipulation or MEV exposure and must be paired with fuzzing (e.g. Echidna/Medusa) and formal verification.
- ⚑The compiler version matters. If the `solc` on PATH does not satisfy the project's pragma, compilation fails and Slither produces no findings at all (check the `success` field of the JSON report, not just the exit code); with a loose pragma it may compile under a different version than you deploy. Pin with `solc-select use <ver>` before running.
- ⚑`slither .` re-runs the full compile. In large monorepos, build once (`forge build`) and pass `--ignore-compile` so Slither reuses the existing artifacts, and `--compile-force-framework foundry` to skip framework auto-detection, to keep CI fast.
- ⚑The JSON output schema is not guaranteed stable across major versions; prefer SARIF for tooling integrations (GitHub code scanning, IDE viewers) and treat any JSON parsing as version-pinned.