https://github.com/coinfabrik/scout-audit

Scout is an extensible open-source tool intended to assist smart contract developers and auditors in detecting common security issues and deviations from best practices. Scout Audit is the core codebase on which we extend Scout for specific blockchains.

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (15.5%) to scientific vocabulary

Keywords

audit auditing blockchain ink rust security smart-contracts soroban static-analysis substrate vulnerability-detection

Keywords from Contributors

vulnerability-scanners smart-contract-security stellarator scout solidity archival projection profiles sequences generic
Last synced: 5 months ago

Repository

Basic Info
Statistics
  • Stars: 32
  • Watchers: 2
  • Forks: 9
  • Open Issues: 15
  • Releases: 1
Topics
audit auditing blockchain ink rust security smart-contracts soroban static-analysis substrate vulnerability-detection
Created about 2 years ago · Last pushed 6 months ago
Metadata Files
Readme License

README.md

Scout: Security Analysis Tool

Scout in a Dark Forest

Scout is an extensible open-source tool intended to assist ink!, Soroban and Substrate developers and auditors in detecting common security issues and deviations from best practices.

This tool will help developers write secure and more robust smart contracts.

Our interest in this project comes from our experience in manual auditing and our usage of comparable tools on other blockchains. To improve coverage and precision, we'll persist in research efforts on static and dynamic analysis techniques.

Quick Start

Make sure that Cargo is installed on your computer. Then, install Scout with the following command:

cargo install cargo-scout-audit

To run Scout on your project execute the following command:

cargo scout-audit

:bulb: Scout supports Cargo Workspaces. When run on a workspace, Scout will be executed on all packages specified as members of the workspace.

:warning: Make sure that your smart contracts compile properly. Scout won't run if any compilation errors exist.

:warning: We recommend installing Rust using the curl command provided on the official Rust documentation, as using a package manager like Homebrew may cause conflicts.

For more information on Scout's installation and usage, please refer to Scout's documentation.

Output formats

You can choose the output format that best suits your needs (html, md, pdf, json or sarif). To specify the desired output, run the following command:

cargo scout-audit --output-format [html|md|pdf|json|sarif]

Example HTML report

Scout HTML report.

Scout VS Code extension

Add Scout to your development workspace with Scout's VS Code extension to run Scout automatically upon saving your file.

Scout VS Code extension.

:bulb: Tip: To see the errors highlighted in your code, we recommend installing the Error Lens Extension.

:point_right: Download Scout VS Code from Visual Studio Marketplace.

Scout GitHub Action

Integrate Scout into your CI/CD pipeline! Automatically run the tool against the targeted smart contracts. This immediate feedback loop allows developers to quickly address any issues before merging the code into the main branch, reducing the risk of introducing bugs or vulnerabilities.

Scout output as a comment in a pull request

Scout GitHub action output

:point_right: Find Scout GitHub Action in GitHub Marketplace.

Tests

To validate our tool, we provide a set of code examples located in the test-cases folder.

In order to run the integration tests, navigate to apps/cargo-scout-audit and run:

cargo test --all --all-features

In order to run the tests for a particular test case, run the same command in that test case's folder (e.g. test-cases/delegate-call/delegate-call-1/vulnerable-example).

Detectors

Refer to Scout's documentation site for a full list of the detectors for Ink, Soroban and Substrate.

Acknowledgements

Scout is an open source vulnerability analyzer developed by CoinFabrik's Research and Development team.

We received support through grants from the Web3 Foundation Grants Program, the Aleph Zero Ecosystem Funding Program, the Stellar Community Fund and the Polkadot Assurance Legion.

| Grant Program | Description |
|---------------|-------------|
| Web3 Foundation | Proof of Concept: We collaborated with the Laboratory on Foundations and Tools for Software Engineering (LaFHIS) at the University of Buenos Aires to establish analysis techniques and tools for our detectors, as well as to create an initial list of vulnerability classes and code examples. View Grant / Application Form. Prototype: We built a functioning prototype using linting detectors built with Dylint and expanded the list of vulnerability classes, detectors, and test cases. View Prototype / Application Form. |
| Aleph Zero | We improved the precision and number of detectors for the tool with a multi-phase approach. This included a manual vulnerability analysis of projects within the Aleph Zero ecosystem, comprehensive testing of the tool on leading projects, and refining its detection accuracy. |
| Stellar Community Fund | We added support for Stellar's smart contract language, Soroban. We included various output formats, such as an HTML report, improved the tool's precision and recall, and added a GitHub action to run the tool on pull requests. |
| PAL | We added support for Substrate pallets in all of Scout's features: CLI, VS Code extension and GitHub Action. |

About CoinFabrik

We, CoinFabrik, are a research and development company specialized in Web3, with a strong background in cybersecurity. Founded in 2014, we have worked on over 180 blockchain-related projects, EVM-based and also for Solana, Algorand, Stellar and Polkadot. Beyond development, we offer security audits through a dedicated in-house team of senior cybersecurity professionals, currently working on code in Substrate, Solidity, Clarity, Rust, TEAL and Stellar Soroban.

Our team has an academic background in computer science and mathematics, with work experience focused on cybersecurity and software development, including academic publications, patents turned into products, and conference presentations. Furthermore, we have an ongoing collaboration on knowledge transfer and open-source projects with the University of Buenos Aires.

License

Scout is licensed and distributed under an MIT license. Contact us if you're looking for an exception to the terms.

Owner

  • Name: CoinFabrik
  • Login: CoinFabrik
  • Kind: organization
  • Location: Argentina

GitHub Events

Total
  • Create event: 102
  • Issues event: 128
  • Watch event: 18
  • Delete event: 45
  • Member event: 1
  • Issue comment event: 221
  • Push event: 394
  • Pull request review comment event: 3
  • Pull request review event: 35
  • Pull request event: 193
  • Fork event: 6
Last Year
  • Create event: 102
  • Issues event: 128
  • Watch event: 18
  • Delete event: 45
  • Member event: 1
  • Issue comment event: 221
  • Push event: 394
  • Pull request review comment event: 3
  • Pull request review event: 35
  • Pull request event: 193
  • Fork event: 6

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 2,242
  • Total Committers: 25
  • Avg Commits per committer: 89.68
  • Development Distribution Score (DDS): 0.689
Past Year
  • Commits: 879
  • Committers: 13
  • Avg Commits per committer: 67.615
  • Development Distribution Score (DDS): 0.543
Top Committers
| Name | Email | Commits |
|------|-------|---------|
| Jose Garcia Crosta | j****a@g****m | 698 |
| Facundo Lerena | f****a@g****m | 356 |
| Víctor M. González | v****z@n****m | 315 |
| aon | 2****n | 199 |
| Arturo Beccar-Varela | 1****r | 175 |
| Camila Gallo | c****0@g****m | 82 |
| Agustín Losiggio | a****o@g****m | 81 |
| user | i****n@c****m | 56 |
| tomasavola | 1****a | 50 |
| Matias Cabello | m****o@c****m | 47 |
| aweil | d****l@c****m | 38 |
| Sofi Azcoaga | s****3@h****m | 35 |
| fpereira24 | f****a@c****m | 33 |
| Jose Garcia | j****a@M****l | 26 |
| Tomas | t****a@c****m | 16 |
| Aureliano Calvo | a****e@c****m | 9 |
| Matias Cabello | m****o@M****l | 8 |
| david weil | d****l@e****r | 6 |
| dependabot[bot] | 4****] | 4 |
| unknown | a****o@c****m | 3 |
| Coinfabrik-Web3 | 1****3 | 1 |
| Diego Kelyacoubian | 1****f | 1 |
| MartinOntiveros | 9****s | 1 |
| Pinola007 | 1****7 | 1 |
| valeriacaracciolo | 7****o | 1 |
Committer Domains (Top 20 + Academic)

Packages

  • Total packages: 2
  • Total downloads:
    • cargo 34,316 total
  • Total dependent packages: 0
    (may contain duplicates)
  • Total dependent repositories: 0
    (may contain duplicates)
  • Total versions: 32
  • Total maintainers: 1
crates.io: cargo-scout-audit

Scout is an extensible open-source tool intended to assist ink! and Soroban smart contract developers and auditors in detecting common security issues and deviations from best practices.

  • Versions: 31
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 28,706 Total
Rankings
Dependent repos count: 28.0%
Dependent packages count: 32.5%
Forks count: 40.2%
Stargazers count: 41.6%
Average: 47.7%
Downloads: 96.0%
Maintainers (1)
Last synced: 6 months ago
crates.io: scout-utils

Macro utilities for the Scout project.

  • Versions: 1
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 5,610 Total
Rankings
Dependent repos count: 26.0%
Dependent packages count: 34.5%
Average: 52.4%
Downloads: 96.7%
Maintainers (1)
Last synced: 6 months ago

Dependencies

apps/cargo-scout-audit/Cargo.lock cargo
  • 319 dependencies
apps/cargo-scout-audit/Cargo.toml cargo
  • colored 2.0.0 development
  • config 0.13.3 development
  • serde 1.0.163 development
  • ansi_term 0.12.1
  • anyhow 1
  • cargo 0.72.2
  • cargo_metadata 0.17
  • clap 4.3.0
  • dunce 1.0.4
  • dylint 2.3.0
  • env_logger 0.10
  • home 0.5.5
  • itertools 0.11
  • log 0.4
  • regex 1.5
  • scout-audit-internal =0.2.1
  • serde_json 1.0
  • tempfile 3.8
scout-audit-clippy-utils/Cargo.lock cargo
  • arrayvec 0.7.4
  • either 1.9.0
  • if_chain 1.0.2
  • itertools 0.10.5
  • rustc-semver 1.1.0
scout-audit-clippy-utils/Cargo.toml cargo
scout-audit-internal/Cargo.toml cargo
apps/scout-extension/package.json npm
  • @types/command-exists ^1.2.0 development
  • @types/glob ^8.1.0 development
  • @types/mocha ^10.0.1 development
  • @types/node 16.x development
  • @types/vscode ^1.78.0 development
  • @typescript-eslint/eslint-plugin ^5.59.1 development
  • @typescript-eslint/parser ^5.59.1 development
  • @vscode/test-electron ^2.3.0 development
  • esbuild ^0.17.19 development
  • eslint ^8.39.0 development
  • glob ^8.1.0 development
  • mocha ^10.2.0 development
  • prettier ^2.8.8 development
  • typescript ^5.0.4 development
  • command-exists ^1.2.9
  • toml ^3.0.0
apps/scout-extension/pnpm-lock.yaml npm
  • 220 dependencies
.github/workflows/release.yml actions
  • actions/checkout v3 composite
apps/scout-extension/package-lock.json npm
  • 238 dependencies
.github/workflows/general-rust.yml actions
  • actions/cache v4 composite
  • actions/checkout v4 composite
clippy_config/Cargo.lock cargo
  • equivalent 1.0.1
  • hashbrown 0.14.3
  • indexmap 2.2.5
  • memchr 2.7.1
  • proc-macro2 1.0.79
  • quote 1.0.35
  • rustc-semver 1.1.0
  • same-file 1.0.6
  • serde 1.0.197
  • serde_derive 1.0.197
  • serde_spanned 0.6.5
  • syn 2.0.52
  • toml 0.7.8
  • toml_datetime 0.6.5
  • toml_edit 0.19.15
  • unicode-ident 1.0.12
  • walkdir 2.5.0
  • winapi 0.3.9
  • winapi-i686-pc-windows-gnu 0.4.0
  • winapi-util 0.1.6
  • winapi-x86_64-pc-windows-gnu 0.4.0
  • winnow 0.5.40
clippy_config/Cargo.toml cargo
  • walkdir 2.3 development
  • rustc-semver 1.1
  • serde 1.0
  • toml 0.7.3
scout-audit-dylint-linting/Cargo.lock cargo
  • anstyle 1.0.6
  • anyhow 1.0.80
  • assert_cmd 2.0.14
  • bstr 1.9.1
  • camino 1.1.6
  • cargo-platform 0.1.7
  • cargo_metadata 0.18.1
  • difflib 0.4.0
  • doc-comment 0.3.3
  • dylint_internal 2.6.1
  • equivalent 1.0.1
  • hashbrown 0.14.3
  • indexmap 2.2.3
  • itoa 1.0.10
  • libc 0.2.153
  • memchr 2.7.1
  • paste 1.0.14
  • predicates 3.1.0
  • predicates-core 1.0.6
  • predicates-tree 1.0.9
  • proc-macro2 1.0.78
  • quote 1.0.35
  • regex-automata 0.4.5
  • rustversion 1.0.14
  • ryu 1.0.17
  • semver 1.0.22
  • serde 1.0.197
  • serde_derive 1.0.197
  • serde_json 1.0.114
  • serde_spanned 0.6.5
  • syn 2.0.50
  • termtree 0.4.1
  • thiserror 1.0.57
  • thiserror-impl 1.0.57
  • toml 0.8.10
  • toml_datetime 0.6.5
  • toml_edit 0.22.6
  • unicode-ident 1.0.12
  • wait-timeout 0.2.0
  • winnow 0.6.2
scout-audit-dylint-linting/Cargo.toml cargo
  • assert_cmd 2.0 development
  • cargo_metadata 0.18
  • dylint_internal =2.6.1
  • paste 1.0
  • rustversion 1.0
  • serde 1.0
  • thiserror 1.0
  • toml 0.8