Security Toolchain
Verify locally: `make security && make test-invariant` — should pass with 0 high findings.
Current Status
| Tool | High | Medium | Low | Status |
|---|---|---|---|---|
| Aderyn | 0 | 0 | 5 | ✅ All acceptable |
| Slither | 0 | 0 | 3 | ✅ All acceptable |
| Invariant Tests | - | - | - | ✅ 7 passing |
| Unit Tests | - | - | - | ✅ 45 passing |
Tools
Aderyn
Real-time static linting. Fast feedback while coding.
Slither
Deeper static analysis (taint tracking, control-flow). CI fails on high severity.
Foundry Invariant Tests
Stateful fuzzing for core accounting rules (256 runs / 50 depth).
Invariants tested:
- `shares_issued <= shares_authorized` (issuer and stock classes)
- Stakeholder/stock class index mapping consistency
- Count consistency between contract and tracked state
- Stock class authorized never exceeds issuer authorized
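
How the share-cap invariants in the list above can be written as a Foundry invariant test. This is an added example, not the project's own test code: `ToyCapTable` and its functions are a hypothetical minimal contract constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal cap table, constructed for this example only.
contract ToyCapTable {
    uint256 public issuerAuthorized = 1_000_000;
    uint256 public issuerIssued;
    uint256 public classAuthorized;
    uint256 public classIssued;

    function setClassAuthorized(uint256 amount) external {
        require(amount <= issuerAuthorized, "class > issuer authorized");
        require(amount >= classIssued, "below issued");
        classAuthorized = amount;
    }

    function issue(uint256 qty) external {
        require(classIssued + qty <= classAuthorized, "class cap");
        require(issuerIssued + qty <= issuerAuthorized, "issuer cap");
        classIssued += qty;
        issuerIssued += qty;
    }
}

contract ToyCapTableInvariants is Test {
    ToyCapTable internal cap;

    function setUp() public {
        cap = new ToyCapTable();
        // The fuzzer calls random sequences of the target's external functions.
        // Foundry reads run count and call depth from [invariant] in foundry.toml.
        targetContract(address(cap));
    }

    // Checked after every call in every sequence: issued <= authorized.
    function invariant_issuedNeverExceedsAuthorized() public {
        assertLe(cap.issuerIssued(), cap.issuerAuthorized());
        assertLe(cap.classIssued(), cap.classAuthorized());
    }

    // Stock class authorized never exceeds issuer authorized.
    function invariant_classAuthorizedWithinIssuer() public {
        assertLe(cap.classAuthorized(), cap.issuerAuthorized());
    }
}
```

Removing either `require` in `issue` makes the fuzzer report a failing call sequence, which is the kind of multi-step accounting bug unit tests tend to miss.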
Unit Tests
45 tests covering core flows, edge cases, access control, factory logic. All passing.
Commands
| Command | Description |
|---|---|
| `make test` | Run all unit tests (45 tests) |
| `make test-invariant` | Short invariant fuzz (256 runs, 50 depth) |
| `make test-invariant-deep` | Deep invariant fuzz (2000 runs, 100 depth) |
| `make aderyn` | Run Aderyn → report.md |
| `make slither` | Run Slither → chain/slither-report.md |
| `make security` | Run aderyn + slither |
Philosophy
- Catch obvious stuff early (Aderyn)
- Dig deeper statically (Slither)
- Stress-test logic over sequences (Invariants)
- Verify specific behaviors & errors (Unit tests)
- Pre-audit cleanup → reduces noise for auditors
- No single tool replaces a full audit