Using Solhint: Ethereum’s Solidity Linter

by ImmuneBytes

An Introduction to Linting Solidity and Formatting with Solhint

We are back with a new post! And this time we have, Solhint! This is an open-source project for linting Solidity code. Solhint provides both Security and Style Guide validations

Most of the linting solutions available for detecting vulnerabilities in codes of Solidity — underlying smart contracts in Ethereum — usually always focus on code compliance with the best linting practices. Solhint covers a wide range of validation rules and also enables developers to add new ones, while complying with the Solidity style guide and granting a 2x–4x boost in performance. 

With this blog post, we aim to provide an overview of a comprehensive Solhint linter that allows for detecting syntax-related security code vulnerabilities. Let’s get started!

Introduction to Solidity Linting

The Ethereum community has started to develop some great tools that allow users to get closer to the automated workflow that’s present in more mature languages like Javascript or Goes.

Two of those tools touch the most core part of a developer’s workflow: writing code.

  • Linters automatically analyze code for possible programmatic and styling errors (popular example: ESLint for Javascript).
  • Formatters automatically format code according to predefined rules and indentation defaults (popular example: gofmt for Go).

Using Solhint

Solhint is a fantastic community linter for the Solidity programming language, which is similar to an automatic code reviewer who flags up security errors and instills best practices during the smart contract audits process.

Solhint is a library and a command-line tool for static analysis of the Solidity code. Unlike its alternatives that mostly focus on checking if the Solidity code complies with the best coding practices, this linter allows for detecting syntax-related security vulnerabilities, supports a wide range of rules, as well as enables to addition of new ones if necessary.

Solhint uses an antlr4-based implementation of the Solidity parser, enabling efficient parsing and validation performance. In comparison to other linting solutions, you can achieve a 2x–4x performance boost while linting the source code.

Additionally, the tool also features flexible configuration options such as:

  • Using a preconfigured set of rules
  • Customizing default rule sets with the .solhint.json file
  • Managing the configuration rules at the code level, using special comments (e.g., “solhint-disable-line”)

Installing Solhint

To install the tool, run the following command:

npm install -g solhint

solhint -h

Important Commands 

Solhint has three major commands:

  • By default, it receives a list of the file patterns (**/*.sol, *.sol) and runs an analysis.
  • It is possible to provide a validating source code to STDIN of this application with the stdin command.
  • The init-config command allows for creating a basic configuration file that can be customized if needed.

One of the many great things about Solhint is that there is built-in integration with text editors such as Sublime Text and Atom. The delivered plugins enable developers to automatically analyze source code and highlight the elements with errors.

Usage

  • First initialize a configuration file, if you don’t have one. This will create a .solhint.json file with the default rules enabled. 

solhint –init

The .json file has a format:

{

    “extends”: “solhint:recommended”,

    “plugins”: [],

    “rules”: {

      “avoid-suicide”: “error”,

      “avoid-sha3”: “warn”

    }

  }

This file specifies exactly which rules you want Solhint to lint for. Solhint has a pretty amazing coverage of Security Rules, Style Guide rules, and Best Practice rules. One thing to keep in mind before diving in is, very few of the rules are turned on by default.

  • Then run Solhint with one or more Globs as arguments. 

For example, to lint all files inside the contracts directory, you can do the:

solhint ‘contracts/**/*.sol’

Solhint runs on globs that match a file pattern. In the above, it runs on all **/*.sol files in the contracts directory

  • To lint a single file:

solhint contracts/MyToken.sol

Solhint Script

Edit your package.json to include a new script to run Solhint.

“solhint”: “./node_modules/.bin/solhint -f table contracts/**/*.sol”

Solhint in action

npm run solhint

Solhint in action

Solhint in action

Setting up a rule 

Solhint supports a wide range of rules but if you want to add new ones, here’s how to do it:

{

    “rules”: {

        “RULE_NAME”: “<option>”

    }

 }

For example: 

{

    “rules”: {

        “avoid-throw”: “false”

  “avoid-suicide”: “error”

    }

 }

A full list of all supported rules can be found here.

Concluding Words

Solhint is an effective and advanced tool used by auditors and security experts to filter out the bugs present in smart contracts or any code, written in the Solidity language. 

The Solhint project is always adapting to new use-cases and evolutions in the blockchain world. Complying with the Solidity style guide, the linter allows developers to detect security vulnerabilities across multiple validation rules and expand the list of them if required while enjoying a 2x–4x performance boost in comparison to alternative solutions.

About Us 

ImmuneBytes is a Blockchain security firm that employs the industry’s best tools and practices to provide a comprehensive smart contract audit. We have a team of robust and experienced security professionals who are adept at their niches and provide you with a quality service. We have worked on 175+ projects spread across the world on different Blockchain frameworks with some of the industry’s top firms and we continue to unfold the decentralized movement.

We are also providing consultancy, coming up with a bug bounty platform, and also an insurance product to provide our clients with a hassle-free security product catalog. Stay tuned.

Additional Resources

Spread the love

You may also like