finds.dev

// the find

crytic/slither

★ 6,290 · Python · AGPL-3.0 · updated Jun 2026

Static Analyzer for Solidity and Vyper

Slither is a static analysis framework for Solidity and Vyper smart contracts, built by Trail of Bits. It ships 100 detectors covering everything from high-severity reentrancy bugs to gas optimizations, plus a Python API for writing custom analyses. Primary audience is smart contract developers and security auditors who want fast, low-false-positive automated checks in their CI pipeline.

- SlithIR intermediate representation is genuinely well-designed — it normalizes Solidity's AST into SSA form, which makes writing precise custom detectors significantly easier than working against raw AST nodes.

- Detection coverage is broad and maintained: protocol-specific detectors for Chainlink, Pyth, Chronicle, Gelato, and Optimism show active upkeep tracking the actual ecosystem rather than just generic patterns.

- Python plugin API is clean enough that writing a custom detector is ~50 lines, and the plugin_example in the repo actually demonstrates this rather than just claiming it.

- Sub-second execution per contract and direct integration with Hardhat/Foundry build artifacts means it fits into CI without fighting the toolchain.

- Vyper support is second-class — the detector list is almost entirely Solidity-focused, and Vyper codebases will get far fewer findings, which isn't obvious until you run it.

- False positive rate on informational/low detectors (especially missing-zero-check and events-maths) is high enough on real projects that teams routinely disable large chunks of the detector suite, undermining the out-of-box experience.

- The triage/suppression system (pragma-based `// slither-disable` comments) works, but there's no persistent baseline file like other SAST tools provide, so CI noise management in actively developed codebases is manual work.

- Cross-contract dataflow analysis has real limits — it treats external calls as opaque, so vulnerabilities that require reasoning across multiple deployment-time-linked contracts will be missed or produce incomplete results.
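The baseline file the review says Slither lacks is easy to bolt on around its `--json` report: fingerprint each finding, commit the accepted fingerprints, and fail CI only on findings that are not in that set. The script below is an added example, not Slither's own code; it assumes the layout of Slither's `--json` output (`results.detectors[]` with `check`, `impact`, `description` and `elements[].source_mapping.filename_relative`) and runs against a constructed sample report.

```python
import hashlib
import json

IMPACT_RANK = {"Optimization": 0, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # Slither impact levels, ranked for a min-impact CI gate

# Constructed sample in the shape of `slither . --json` output (not real Slither output).
SAMPLE_REPORT = json.dumps({"success": True, "error": None, "results": {"detectors": [
    {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
     "description": "Reentrancy in Vault.withdraw() (contracts/Vault.sol#10-18)",
     "elements": [{"type": "function", "name": "withdraw",
                   "source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [10, 11]}}]},
    {"check": "missing-zero-check", "impact": "Low", "confidence": "Medium",
     "description": "Vault.setOwner(address).newOwner lacks a zero-check",
     "elements": [{"type": "variable", "name": "newOwner",
                   "source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [25]}}]},
]}})


def fingerprint(finding: dict) -> str:
    """Stable id from detector name plus file/type/name of each element; line numbers
    and the description (which embeds them) are excluded so edits elsewhere don't make
    an already-triaged finding look new."""
    locs = []
    for e in finding.get("elements", []):
        sm = e.get("source_mapping", {})
        locs.append(f'{sm.get("filename_relative", "?")}:{e.get("type", "?")}:{e.get("name", "?")}')
    key = "|".join([finding["check"], *sorted(locs)])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def load_findings(report_json: str, min_impact: str = "Low") -> list:
    """Parse a Slither JSON report and drop findings below min_impact."""
    report = json.loads(report_json)
    if not report.get("success", False):
        raise RuntimeError(f"slither run failed: {report.get('error')}")
    return [f for f in report["results"]["detectors"]
            if IMPACT_RANK.get(f["impact"], 0) >= IMPACT_RANK[min_impact]]


def diff_against_baseline(report_json: str, baseline: set, min_impact: str = "Low"):
    """Return (new_findings, fingerprints_seen): fail CI when new_findings is non-empty,
    and commit fingerprints_seen as the baseline once those findings are triaged."""
    findings = load_findings(report_json, min_impact)
    seen = {fingerprint(f) for f in findings}
    return [f for f in findings if fingerprint(f) not in baseline], seen


if __name__ == "__main__":
    new, seen = diff_against_baseline(SAMPLE_REPORT, set())  # first run: everything is new
    print(len(new), "new;", "after accepting baseline:", diff_against_baseline(SAMPLE_REPORT, seen)[0])
```

In a pipeline, store the returned fingerprints as a committed JSON list and pass them back as `baseline` on the next run; raising `min_impact` to `"Medium"` is one way to keep the noisy informational and low detectors out of the gate without disabling them outright.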

