Slither Static Analysis¶
Status¶
Evidence required. No Slither report artifacts were found in the current local snapshot.
Required Review Themes¶
- Access control on all mutating functions.
- External call ordering and reentrancy controls.
- Upgradeability and storage layout risks.
- Proxy selector collision risks.
- Dead code or stale state names after refactors.
- Events for operational monitoring.
Production Evidence To Archive¶
Tool version, command, config, full report, triage notes, accepted risks, fixed findings, and final clean or acknowledged report.
Triage Rule¶
Do not treat a clean Slither run as sufficient protocol assurance. Use it to surface access-control, proxy, reentrancy, dead-code, and code-quality risks, then map every material finding to the permission matrix, runbooks, or threat model. Accepted findings need explicit rationale.
Evidence Model¶
| Field | Requirement |
|---|---|
| Purpose | static analysis for common Solidity risk patterns. |
| Expected location | Slither JSON and triage notes. |
| Current local evidence status | Evidence required unless the named artifact is present in this repository or the Solidity source snapshot and has been inspected in the current run. |
| What it proves | known static warnings and anti-patterns. |
| What it does not prove | semantic correctness of accepted business logic. |
| How to regenerate | Run the documented tool from a clean environment, archive command, commit/source hash, config, stdout/stderr, and result files. |
| Production requirement | Results must be tied to the exact source manifest lock, compiler version, dependency lock, and deployment artifact under review. |
| Owner responsible | Protocol engineering owns source/test correctness; security review owns independent challenge; governance owns accepting residual risk. |
| Failure meaning | A failure blocks release, launch, upgrade, or operation until root cause is fixed or explicitly accepted with documented risk. |
Review Notes¶
Do not write “pass” for Slither without current evidence. If evidence is missing, stale, or tied to a different source snapshot, write Evidence required and keep the gap visible in the release or operations checklist.