stacy-analyzer

Name: stacy-analyzer
Version: 0.1.1
Home page: https://github.com/coinfabrik/stacy
Summary: Clarity Static Analyzer
Upload time: 2024-06-28 13:34:27
Maintainer: None
Docs URL: None
Author: CoinFabrik
Requires Python: >=3.6
License: None recorded in the package metadata (the README below states MIT)
Keywords: stacks, auditor, security, clarity, smart-contracts
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.

![Tests passing](https://github.com/coinfabrik/stacy/actions/workflows/test.yml/badge.svg)

# STACY - Stacks Static Analyzer for Clarity

Stacy is an open-source static analyzer for Clarity smart contracts. It is intended to help Clarity smart contract developers and auditors detect common security issues and deviations from best practices.

This tool will help developers write secure and more robust smart contracts.

## Install

```shell
pip install git+https://github.com/xlittlerag/tree-sitter-clarity
pip install stacy-analyzer
```

The first command pulls the Clarity grammar for tree-sitter straight from a GitHub repository at its default branch, and the PyPI package records no requirements of its own, so neither install is pinned. For reproducible or audited installs, pin the grammar to a commit or tag (pip accepts an `@<ref>` suffix on a `git+https://` URL) and pin `stacy-analyzer` to an explicit version.

## Documentation

- [Vulnerabilities](https://github.com/CoinFabrik/stacy/tree/main/docs/vulnerabilities)

## Detectors

Severities reflect the worst case for each pattern; the real impact of a given finding depends on the context in which it appears.

| Detector ID | What it Detects | Test Cases | Severity |
| ----------- | --------------- | ---------- | -------- |
| [assert-block-height](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/1-assert-block-height.md) | Use of `block-height` as a proxy for wall-clock time. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/assert_block_height) | Critical |
| [call-inside-as-contract](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/2-call-inside-as-contract.md) | A contract call made inside `as-contract`, so the callee runs with the calling contract's principal as `tx-sender` and the original caller's context is lost. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/call_inside_as_contract) | Critical |
| [divide-before-multiply](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/3-divide-before-multiply.md) | A division performed before a multiplication, so integer truncation discards precision. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/divide_before_multiply) | Critical |
| [private-function-not-used](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/4-private-function-not-used.md) | Dead code: private functions that are never called. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/private_function_not_used) | Enhancement |
| [todo-comment](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/5-todo-comment.md) | TODO comments left in the smart contract. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/todo_comment) | Enhancement |
| [tx-sender-in-assert](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/6-tx-sender-in-assert.md) | Use of `tx-sender` inside an `asserts!` check, flagged so the author can confirm it is intended. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/tx_sender_in_assert) | High |
| [unwrap-panic-usage](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/7-unwrap-panic-usage.md) | Inappropriate use of `unwrap-panic`, which aborts the whole transaction on `none` or `err` instead of returning an error the caller can handle. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/unwrap_panic_usage) | Enhancement |
| [var-could-be-constant](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/8-var-could-be-constant.md) | A data variable whose value never changes and could be defined as a constant. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/var_could_be_constant) | Enhancement |
| [updated-functions](https://github.com/CoinFabrik/stacy/blob/main/docs/vulnerabilities/9-updated-functions.md) | Use of outdated functions that have updated replacements. | [1](https://github.com/CoinFabrik/stacy/tree/main/tests/updated_functions) | Enhancement |
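As an added example that is not Stacy's own code (Stacy parses Clarity with tree-sitter-clarity), the block below shows how two of the detectors in the table, `divide-before-multiply` and `call-inside-as-contract`, can be expressed as shape matches over a parsed contract: tokenize the source, build the S-expression tree, then walk it looking for a `/` nested directly under a `*`, or a `contract-call?` anywhere under an `as-contract`. The sample contract, the small parser and the `analyze` function are all constructed for this illustration; Stacy's real detectors are more thorough (this version, for instance, only flags a division that is a direct operand of a multiplication).

```python
"""Minimal AST-pattern detectors for two Stacy rules (added illustration).

Not Stacy's code: Stacy uses tree-sitter-clarity. This is a self-contained
sketch of the idea behind detectors such as divide-before-multiply and
call-inside-as-contract: parse the contract into nested lists, then look
for a specific shape while walking the tree.
"""
import re

# Constructed sample contract (not from the Stacy repository). Each function
# exercises one pattern; reported line numbers refer to this text.
SAMPLE_CONTRACT = """
(define-data-var fee-bps uint u250)

;; divide-before-multiply: integer division first throws away precision
(define-read-only (fee-bad (amount uint))
  (* (/ amount u10000) (var-get fee-bps)))

;; multiply first, then divide: same math, no truncation before scaling
(define-read-only (fee-good (amount uint))
  (/ (* amount (var-get fee-bps)) u10000))

;; call-inside-as-contract: the callee sees this contract as tx-sender
(define-public (forward (recipient principal))
  (as-contract (contract-call? .vault withdraw u100 recipient)))
"""

# Parens, string literals, or any run of non-space non-paren characters.
TOKEN = re.compile(r"\(|\)|\"[^\"]*\"|[^\s()]+")


def tokenize(src):
    """Yield (token, line) pairs, dropping ;; comments."""
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split(";;", 1)[0]
        for tok in TOKEN.findall(code):
            yield tok, lineno


def parse(src):
    """Parse Clarity source into nested lists; atoms become (text, line) tuples."""
    stack = [[]]
    for tok, lineno in tokenize(src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append((tok, lineno))
    return stack[0]


def head(node):
    """Return (name, line) of a list node's first atom, or (None, None)."""
    if isinstance(node, list) and node and isinstance(node[0], tuple):
        return node[0]
    return None, None


def walk(node, inside_as_contract=False):
    """Depth-first traversal yielding (list_node, inside_as_contract)."""
    if not isinstance(node, list):
        return
    name, _ = head(node)
    flag = inside_as_contract or name == "as-contract"
    yield node, inside_as_contract
    for child in node:
        yield from walk(child, flag)


def analyze(src):
    """Run both detectors; return findings as (detector, line), sorted by line."""
    findings = []
    for node, in_as_contract in walk(parse(src)):
        name, line = head(node)
        # (* ... (/ ...) ...): a division feeding a multiplication directly
        if name == "*" and any(head(arg)[0] == "/" for arg in node[1:]):
            findings.append(("divide-before-multiply", line))
        # contract-call? reached while some ancestor is an as-contract form
        if name == "contract-call?" and in_as_contract:
            findings.append(("call-inside-as-contract", line))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for detector, line in analyze(SAMPLE_CONTRACT):
        print(f"line {line}: {detector}")
```

Running the script reports `fee-bad` at line 6 and the `as-contract` call at line 14, while `fee-good` is silent because the multiplication happens before the division. The `inside_as_contract` flag is passed down the recursion rather than stored globally, so a `contract-call?` that is a sibling of an `as-contract` form, rather than nested under it, is correctly left alone.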


## About CoinFabrik

We, [CoinFabrik](https://www.coinfabrik.com/), are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM-based and also for Solana, Algorand, and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, and TEAL.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

## License

Stacy is licensed and distributed under the MIT license. [Contact us](https://www.coinfabrik.com/) if you're looking for an exception to the terms.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/coinfabrik/stacy",
    "name": "stacy-analyzer",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.6",
    "maintainer_email": null,
    "keywords": "stacks, auditor, security, clarity, smart-contracts",
    "author": "CoinFabrik",
    "author_email": null,
    "download_url": "https://files.pythonhosted.org/packages/05/15/e2f53244710cff0d96691c38033a0f3468f7761ced2d3b5f5ffd6091b5bf/stacy_analyzer-0.1.1.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": null,
    "summary": "Clarity Static Analyzer",
    "version": "0.1.1",
    "project_urls": {
        "Bug Reports": "https://github.com/coinfabrik/stacy/issues",
        "Documentation": "https://github.com/coinfabrik/stacy",
        "Homepage": "https://github.com/coinfabrik/stacy",
        "Source Code": "https://github.com/coinfabrik/stacy"
    },
    "split_keywords": [
        "stacks",
        " auditor",
        " security",
        " clarity",
        " smart-contracts"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "bafefb244b124bf9ace579ec6d5d644747b4be8d24e498a18ec31d93f24a054e",
                "md5": "aeba523da62ecb25c43972ae505c5a00",
                "sha256": "8ac62f21b2b04aea05501ea5076276f916ff37ae11b6c143dad57829684a431e"
            },
            "downloads": -1,
            "filename": "stacy_analyzer-0.1.1-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "aeba523da62ecb25c43972ae505c5a00",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.6",
            "size": 16338,
            "upload_time": "2024-06-28T13:34:25",
            "upload_time_iso_8601": "2024-06-28T13:34:25.599496Z",
            "url": "https://files.pythonhosted.org/packages/ba/fe/fb244b124bf9ace579ec6d5d644747b4be8d24e498a18ec31d93f24a054e/stacy_analyzer-0.1.1-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "0515e2f53244710cff0d96691c38033a0f3468f7761ced2d3b5f5ffd6091b5bf",
                "md5": "51cdf694cfb015892484a232f187b8ca",
                "sha256": "182e116fbb10aeeb113c83ad484782758e149bef703a1d40d8330007434eab45"
            },
            "downloads": -1,
            "filename": "stacy_analyzer-0.1.1.tar.gz",
            "has_sig": false,
            "md5_digest": "51cdf694cfb015892484a232f187b8ca",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.6",
            "size": 13485,
            "upload_time": "2024-06-28T13:34:27",
            "upload_time_iso_8601": "2024-06-28T13:34:27.470320Z",
            "url": "https://files.pythonhosted.org/packages/05/15/e2f53244710cff0d96691c38033a0f3468f7761ced2d3b5f5ffd6091b5bf/stacy_analyzer-0.1.1.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-06-28 13:34:27",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "coinfabrik",
    "github_project": "stacy",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "tox": true,
    "lcname": "stacy-analyzer"
}