Static Analysis

• Static Analysis is performed by reviewing the source code without running the program
• It is mostly for ensuring proper coding standards, best practices, syntax errors, etc

Static Analysis : tools

• Solidity Static Analysis - Remix Plugin
• sFuzz - fuzzer to find common vulnerabilities
• SmartCheck - sc vulnerabilities and bugs detector
• slither - Solidity static analyzer
• echidna - rapid sc fuzzer
• Securify - Solidity security static analyzer

Dynamic Analysis

• Analysis is performed by executing the program
• Unit testing is a type of dynamic analysis

Dynamic Analysis

• Truffle tests
• Vertigo - Mutation testing for Ethereum smart contracts
• Unit Testing Plugin - Remix Plugin

Limitations

• All tools still have limitations
• Not all vulnerabilities can be found by analysis
• Not scalable to large or complex programs
• Still need to do manual auditing and testing

Recommended Resources

• Ethereum Smart Contract Security Best Practices
• Smart Contract Weakness Classification and Test Cases