
Scout Audit – an ink! smart contract vulnerability detection tool

Scout for ink! is a tool that detects security issues in ink! smart contracts. Our journey began in May 2023, just four months ago, when we set out to build such a tool from scratch. Thanks to generous grant funding from the Web3 Foundation and Aleph Zero, we can proudly present a powerful tool today.

Today our tool is ready for use. You can check it out: it features a user-friendly CLI, a VS Code plugin, and the capability to detect at least 23 vulnerability classes. The detectors have been rigorously tested against several real-world smart contracts and tuned to reduce both false positives and false negatives. Furthermore, it integrates with CI/CD toolsets and vulnerability management tools, among other features.

The initial plan was simple: gather smart contracts with documented vulnerabilities, prioritize the security issues, and develop detectors on top of a linter. Although we had prior experience with clippy and Rust linters, we soon hit our first challenge: there was little information on security issues specific to ink! and few examples of documented vulnerable smart contracts. To address this, we created a database of vulnerable smart contracts and compiled a documented list of vulnerabilities particular to ink!.

We paid special attention to the set-contract-storage, reentrancy, unprotected-set-code-hash, lazy delegate, unprotected-self-destruct and integer overflow or underflow detectors. Vulnerabilities of these classes can be critical. Moreover, some are particular to ink!, and developers may be unaware of their existence.

At one point, we started running the tool against smart contracts that were either deployed or soon to be deployed. We reviewed the results, distinguishing between valid alerts (true positives) and false positives.

With the assistance of Aleph Zero, we identified interesting projects on their network. When the code was publicly available, we engaged security auditors to assess these smart contracts and then compared their findings with the tool’s results. If we found a vulnerability that our tool did not detect, we added a scaled-down version of the example to our test suite and improved or added a detector as needed. If the tool reported a false positive, we addressed that too.

Notably, we did not stop at adding and testing detectors. We transitioned from clippy to dylint, a different linter that made adding detectors easier. We placed an emphasis on integration tests, ensuring that every detector is tested against an expanding database of vulnerable smart contracts (and against fixed versions of them). Aleph Zero played a vital role during this phase, providing valuable insights and helping to uncover bugs. The CI/CD integration streamlined development and release processes, while a binary distribution sped up installation.

We are keen on having others contribute with detectors and more vulnerable smart contracts. We added contribution guidelines to make contributions easier.

Another significant improvement was enhancing the user interface and experience. We introduced JSON and HTML output formats, along with the Static Analysis Results Interchange Format (SARIF). The VS Code plugin consumes the SARIF output, improving the visualization of security issues when working in VS Code.

In just four months, our journey with Scout for ink! has transformed a bold vision into a powerful reality. With the support of the Web3 Foundation and Aleph Zero, we have created a tool that elevates the security of ink! smart contracts. Today, Scout for ink! offers robust detectors and seamless integration, underpinned by extensive testing and fine-tuning. We’ve not only improved precision and recall, but also focused on user experience, introducing new output formats for enhanced usability. As we stand at this milestone, we’re excited to see how our tool will benefit the developer community, and we are committed to continual improvement in the realm of smart contract security. Thank you for being part of this remarkable journey.