
// the find

eth-sri/securify2

★ 632 · Solidity · Apache-2.0 · updated May 2025

Securify v2.0

Securify v2.0 is a static analysis tool for Ethereum smart contracts from ETH Zurich's SRI Lab, backed by the Ethereum Foundation. It compiles Solidity to a custom IR, encodes it as Datalog facts, and runs Soufflé to check 37 vulnerability patterns. Aimed at developers and auditors who want automated scanning without relying on symbolic execution.

The Datalog/Soufflé backend is the real differentiator — context-sensitive dataflow analysis expressed as logic rules is far easier to reason about and extend than ad-hoc AST walking. The pattern library maps cleanly to SWC IDs and Slither equivalents, which makes it straightforward to cross-reference findings. The Dockerfile means you don't have to fight the Python 3.7 + Soufflé + solc version matrix manually. The test suite includes real deployed contracts (Augur, 0x, RelayHub) rather than toy examples, which gives some confidence the IR handles real-world patterns.

Hard-capped at Solidity 0.5.x — anything using 0.6+ features (custom errors, try/catch, immutables) won't parse, which rules out the entire last five years of contracts in production. Flat-contract-only is a serious practical limitation: real audits involve multi-file projects with imports, and you'd have to flatten everything with a separate tool before scanning. The project shows signs of abandonment — Python 3.7 requirement is EOL, the last substantive commit activity was years ago despite the 2025 push date, and several patterns listed in the README (dos-gas-limit, missing-input-validation, mul-after-div) exist as .dl files but don't appear in the official pattern table. False positive rate is undocumented.
