pallet-verifier is a tool for detecting common security vulnerabilities and insecure patterns in
FRAME pallets using static program analysis techniques like data-flow analysis,
abstract interpretation and symbolic execution.
FRAME pallets are modules used to build/compose Substrate-based blockchains.
NOTE: 🚧 This project is still work in progress, check back over the next few weeks for regular updates.
NOTE: pallet-verifier requires a Clang binary that supports WebAssembly.
On macOS, the Clang binary from Xcode doesn't support WebAssembly, so you'll need to install
clang/llvm via homebrew and add it to your PATH.
NOTE: On platforms where gcc is the default C compiler (e.g. Debian and Ubuntu),
make sure the gcc-multilib package is also installed.
git clone https://github.com/davidsemakula/pallet-verifier.git
cd pallet-verifier
cargo install --locked --path ./Run the following command from the crate root of a FRAME pallet
(i.e. the directory that contains the Cargo.toml file for the FRAME pallet).
cargo verify-palletNOTE: pallet-verifier compiles the target FRAME pallet code in "test mode" (i.e. the equivalent of running
cargo test or rustc --test), so you'll need to ensure that all prerequisites for test compilation
are installed and/or configured properly, otherwise compilation will fail.
cargo verfiy-pallet subcommand help text.
A tool for detecting common security vulnerabilities and insecure patterns in FRAME pallets using static program analysis techniques.
Usage: cargo verify-pallet
Options:
-h, --help Print help
-V, --version Print version
--pointer-width <32|64> The pointer width for the target execution environment
--allow-hook-panics <list> The hooks in which no warnings should be reported for local panics.
Accepts a comma separated list from: `on_initialize`,`on_finalize`,`on_idle`,`on_poll`,`on_runtime_upgrade`,`offchain_worker`,`integrity_test`You can access library documentation locally by running the following command from the project root
cargo doc --no-deps --openTo learn more about how pallet-verifier works under the hood, check out ARCHITECTURE.md (see also).
You can run UI tests by running the following command from the project root
cargo testCheck out TESTING.md for more details.
Licensed under either MIT or Apache-2.0 license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
🌱 Funded by: the Web3 Foundation.