Lido <> Olympix Integration

Introduction:

Hello, Lido team! I’m Chris, representing Olympix (olympix.ai), a company dedicated to developing essential security tools for Solidity smart contract developers. Our focus is on creating an efficient workflow and enhancing security in the development process.

Overview:

We’re thrilled to share that we’ve already developed a powerful tool, and we’re eager to gather early feedback:

  1. Vscode Static Analyzer: Our Vscode Static Analyzer is a dynamic solution that offers the flexibility to operate as both a Visual Studio Code (VS Code) extension and a Command Line Interface (CLI) with seamless integration into GitHub Actions. This versatile tool performs real-time static analysis, identifying potential vulnerabilities in your Solidity code, whether you prefer to work within your development environment or incorporate it into your continuous integration pipeline.

Summary:

In our pursuit of scaling DeFi, Olympix is committed to assisting developers in securing their code during the development process. Our Vscode Static Analyzer leads this mission, offering the flexibility to work as a VS Code extension, CLI, or integrate seamlessly into your GitHub Actions workflow. By using this tool, you can ensure the security of your Solidity smart contracts from the outset.

We invite you to explore a partnership with us. You’ll have access to our dynamic Static Analyzer, and in exchange, we seek your valuable feedback. We are dedicated to advancing DeFi’s growth, and we are confident that collaborating with you will result in a more secure and efficient future for smart contract development.

Feel free to reach out for a conversation or with any questions you may have about our tool. We eagerly await your response!

Thank you for considering this partnership opportunity with Olympix.


Thank you for posting this proposal.

May I ask you a few questions about the approaches you use for the solution described?

I mean whether the principles of detection and the rule set are available openly, and how they get maintained and updated?
BTW, do you have an official plugin for hardhat maybe?

JFTR: The following tools have been used for the lido-dao protocol repo’s CI:

  • Hardhat as the main framework
  • Slither for static analysis
  • solhint for syntax-based linting
  • foundry for libraries invariant and fuzzing tests
  • various bytecode and storage layout ad-hoc sanitizers
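For readers who want to see how the tools listed above fit together in a pipeline, here is an added example GitHub Actions workflow. It is not the lido-dao repository's actual CI configuration and not Olympix code; the directory names (contracts/), the node-version, the Slither severity threshold and the assumed FOUNDRY_PROFILE=ci profile are assumptions chosen for illustration.

```yaml
# Added example: a GitHub Actions workflow wiring together the tools named in
# the post above (Hardhat, Slither, solhint, Foundry). This is NOT the
# lido-dao repository's real CI; paths, versions and thresholds are assumptions.
name: contract-checks

on: [push, pull_request]

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive   # Foundry libraries are typically git submodules

      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci               # installs Hardhat, solhint and project dependencies

      # Syntax-based linting; exits non-zero on any error-level rule violation.
      - name: solhint
        run: npx solhint 'contracts/**/*.sol'

      # Compile with Hardhat so Slither can reuse the build artifacts.
      - name: Hardhat compile
        run: npx hardhat compile

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install slither-analyzer

      # Static analysis; node_modules is filtered out so third-party code does
      # not add noise, and any high-severity finding fails the job.
      - name: Slither
        run: slither . --filter-paths node_modules --fail-high

  fuzz-and-invariants:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: foundry-rs/foundry-toolchain@v1
      # Unit, fuzz and invariant tests. FOUNDRY_PROFILE=ci is an assumed profile
      # in foundry.toml that raises the number of fuzz/invariant runs for CI.
      - name: forge test
        run: forge test -vvv
        env:
          FOUNDRY_PROFILE: ci
```

Splitting static analysis and Foundry tests into separate jobs lets a lint or Slither failure surface quickly without waiting on longer fuzz runs; the bytecode and storage-layout sanitizers mentioned in the post would be additional steps in the static-analysis job.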

Hi TheDZhon,

Thanks for getting back to us, and our sincere apologies for the delay on our end as this message was missed.

I wanted to dive a bit deeper into what we’ve achieved with our project. We’ve developed a front-end compiler for Solidity that’s significantly faster and allows for real-time code analysis, around 40x faster than Slither with Solc. Unlike Python-based tools, our compiled language approach enables us to perform complex, accurate queries on user code to identify vulnerabilities swiftly.

When compared to Slither using the euler-contracts as a benchmark, our tool, Olympix, demonstrates superior accuracy (82.01% vs. Slither’s 38.98%). We identified 289 true positives against Slither’s 156, with fewer false positives. Our focus on security rather than informational alerts underscores our tool’s precision. We can send over a link to a case study that references this but are unable to do so on this platform.

Our tool consistently detects more reentrancies, a testament to its effectiveness. We’re proud of what we’ve built: the most advanced, fastest tool with an intuitive UI. Our team, boasting 20 years of software engineering experience, continuously refines our detectors’ accuracy and expands their capabilities every quarter because we know we can always be better than ourselves from a month ago. Just to give you an idea, on the server alone (the component that finds vulnerabilities) we make around 2,000 commits a year, amounting to several thousand lines of code in improvements.

Our approach includes:

  • Analyzing competitors’ detectors to create superior versions.
  • Reviewing audit reports, such as those from code4rena, to uncover potential improvements.
  • Regularly updating our servers and extension, aiming for monthly releases. Larger updates might extend to two months to ensure thorough testing and accuracy.

As for the Hardhat plugin query, our tool seamlessly integrates with Hardhat and other frameworks without any special configuration needed. It intelligently focuses on relevant directories like src or contracts to minimize noise, while also scanning node_modules to enhance detection accuracy. Results pertinent to your contracts are prioritized, though vulnerabilities in node_modules can be displayed at your discretion through settings adjustments. We’re here to streamline your security analysis process, offering a robust, accurate, and user-friendly solution.

Let’s continue with discussions on how we can tailor our tool to fit your needs.

Best,

Olympix Team