Static Analysis for Enhanced Security

Static analysis, in the context of software development, refers to the examination of a program's code without executing the program. The goal is to identify potential defects, vulnerabilities, or areas for improvement in the software without actually running it. This is in contrast to dynamic analysis, which assesses software through its execution.

Key characteristics and benefits of static analysis include:

  1. Early Detection: Defects can be identified early in the development process, which can lead to cost savings as defects detected later in the development lifecycle tend to be more expensive to fix.

  2. Coverage: Since it examines all code paths, static analysis can identify issues that might be missed in traditional testing due to lack of test coverage.

  3. Security: It can be especially useful for identifying security vulnerabilities, such as SQL injection or buffer overflow vulnerabilities.

  4. Coding Standards: Many static analysis tools can check for adherence to coding standards and best practices.

  5. Complexity Metrics: Some tools provide metrics related to the complexity of the code, which can be used to identify potential areas for refactoring.

  6. Documentation: Certain tools might identify areas where documentation is lacking or inadequate.

  7. Integration: Static analysis tools can often be integrated into build systems and continuous integration pipelines, allowing for automated checks on code changes.
However, static analysis is not without its challenges:

  1. False Positives: These tools might report issues that aren't actual defects. This can require time to review and potentially dismiss.

  2. Learning Curve: Properly configuring and understanding the results from static analysis tools might require some initial learning and adaptation.

  3. Not a Replacement for Testing: While static analysis can catch many issues, it doesn't replace the need for dynamic analysis and other testing methods. Some bugs can only be detected when the program is running.

Static Analysis in Smart Contracts
Smart contracts, especially those written in Solidity for the Ethereum blockchain, have unique behaviors and characteristics that make them particularly vulnerable if not written and reviewed carefully. Given the immutable nature of blockchains and the potential for significant financial losses, it's crucial to catch vulnerabilities before deploying a smart contract. Static analysis in this context means examining the smart contract code without executing it to identify potential vulnerabilities or bad practices.

SimpleWallet Example
Consider a smart contract in Solidity that holds ether and allows withdrawals:

pragma solidity ^0.8.0;

contract SimpleWallet {
    address public owner;

    constructor() {
        owner = msg.sender;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not authorized");

    function withdraw(uint amount) public onlyOwner {
        require(address(this).balance >= amount, "Insufficient funds");

    receive() external payable {}

Upon static analysis of this contract, some observations can be made:

  1. Reentrancy Attack: While this contract uses the transfer method (which is considered safer because it only forwards a limited gas stipend), in more complex contracts where multiple calls are made or state changes occur after transfers or sends, it might be vulnerable to a reentrancy attack.

  2. Lack of Event Logging: The contract lacks event emission, which makes tracking transactions on the blockchain harder. It's a good practice to emit events for significant actions, like withdrawals.

  3. Upgradability: The contract lacks mechanisms for upgradability. Once deployed, its logic is immutable. If a bug is found, there's no direct way to patch it.

  4. No Withdrawal Limit: While the owner can only withdraw what the contract has, it might be a good idea to set daily or weekly withdrawal limits to mitigate potential losses.

Static Analysis and Early Detection of Bugs

Static analysis helps with early detection of bugs by systematically examining the source code without executing it. This method provides several advantages for spotting defects and issues early in the software development lifecycle:

  1. Comprehensive Code Examination: Unlike manual code reviews or testing, which might only cover specific sections or scenarios, static analysis tools can systematically analyze the entire codebase. This thorough examination helps ensure that no parts of the code are overlooked.

  2. Automated Checks: Once set up, static analysis tools can be automated to run regularly or even continuously. This means that as soon as code is written or changed, it can be analyzed immediately, allowing developers to detect and address potential issues before they advance to later stages.

  3. Consistency: Static analysis tools are consistent in their checks, eliminating human variability and oversight. Every piece of code gets the same level of scrutiny, reducing the chances of missing bugs.

  4. Coding Standard Enforcement: Many bugs result from non-adherence to coding standards or best practices. Static analysis tools can enforce these standards, ensuring that the code meets specific quality and safety criteria, which helps in preventing potential bugs.

  5. Identification of Non-obvious Bugs: Some bugs or vulnerabilities might be difficult to spot during manual reviews or even during regular testing, especially if they are part of rarely executed code paths. Static analysis can identify such hidden issues.

  6. Complexity Analysis: Some tools provide metrics on code complexity. High complexity often correlates with a higher likelihood of bugs. By flagging overly complex code, developers can be alerted to potential problem areas that need refactoring or additional testing.

  7. Efficient Resource Allocation: Since bugs are detected early, resources can be better allocated. Fixing a bug in the design or coding phase is usually much cheaper and faster than addressing it after deployment.

Static Analysis Help with Coverage

When we talk about "coverage" in the context of software development, it often refers to the extent to which the software's source code is tested by a particular test suite. One popular form of this is "code coverage," which measures the percentage of code paths, branches, and functions that are exercised by tests. While code coverage is typically associated with dynamic analysis and testing, static analysis can complement and enhance these measures in several ways:

  1. Complete Code Examination: Unlike tests that might only cover specific scenarios, static analysis tools inspect the entire codebase without the need for it to be executed. This means even code paths that aren't covered by tests get examined.

  2. Identify Untested Code: Some static analysis tools can integrate with dynamic testing tools to highlight sections of the code that aren't tested. This can be valuable for teams aiming to increase their code coverage metrics or to ensure critical parts of an application are tested.

  3. Path Analysis: Static analysis tools can analyze possible execution paths through the code. While it's not the same as executing all those paths, this analysis can reveal potential problems in paths that might be rarely executed and thus missed during regular testing.

  4. Complementing Code Coverage: Code coverage metrics, while useful, can sometimes be misleading. 100% code coverage doesn't guarantee an absence of defects. Static analysis can find bugs in the logic or other issues in the fully covered code, offering a more holistic view of code quality.

  5. Highlighting Dead Code: Dead code is code that can never be executed under any circumstances. Not only is this code wasteful, but it can also skew code coverage metrics. Static analysis can identify such unreachable code sections, allowing developers to remove or revise them.

  6. Conditional and Loop Checks: Some tools can assess the conditions and loops in the code, helping developers understand the various states their program can be in. This can guide testing efforts to ensure that different loop iterations and branching conditions are adequately tested.

  7. Data Flow Analysis: Static analysis can track the flow of data through a program, helping to identify paths and conditions where specific data transformations occur or where data might be used improperly.

  8. Enforcing Testing Best Practices: Some static analysis tools can enforce best practices related to testing. For instance, they might flag functions that lack associated unit tests or detect test cases that have grown too complex.

Static Analysis and Security of Smart Contracts

Given the immutable nature of blockchains and the substantial financial stakes often involved, securing smart contracts is of utmost importance. Here's how static analysis contributes to the security of smart contracts:

  1. Identifying Known Vulnerabilities: Many vulnerabilities in smart contracts have been documented over the years. Static analysis tools have checks specifically designed to catch these known patterns, such as reentrancy attacks, integer overflows/underflows, and unprotected selfdestruct calls.

  2. Access Control Checks: Static analysis can identify functions that should be restricted but lack appropriate access control modifiers. This helps in preventing unauthorized actions on the contract.

  3. Unchecked Return Values: In Solidity, not all function calls to external contracts ensure that the called function executed successfully. Static analysis can flag such unchecked calls, prompting developers to handle potential failures properly.

  4. Gas Usage Analysis: Infinite loops or exceedingly high gas consumption can render certain functions unusable. Static analysis tools can help identify patterns that might lead to excessive gas usage.

  5. State Changes after External Calls: One of the best practices in smart contract development is to avoid making state changes after external calls, as this can expose the contract to reentrancy attacks. Static analysis can highlight violations of this pattern.

  6. Data Flow Analysis: Static analysis can trace the flow of data within a contract, helping to identify areas where sensitive data might be exposed or manipulated in insecure ways.

  7. Detecting Dead Code: Unreachable or dead code can clutter a contract and cause confusion. More importantly, the presence of dead code might indicate logical errors. Static analysis tools can flag such code for removal or revision.

  8. Ensuring Correctness: Beyond just security, static analysis can also identify logical inconsistencies or potential pitfalls in the contract's logic that might lead to unintended behavior.

  9. Configuration and Initialization Checks: Static analysis can ensure that certain critical variables or settings are appropriately initialized, reducing the risk of unintended behavior once the contract is deployed.

Static Analysis vs Dynamic Analysis

Both static and dynamic analysis are complementary and essential parts of a comprehensive software development and security assurance process.

CriteriaStatic AnalysisDynamic Analysis
DefinitionExamines the program's source code without executing it.Evaluates the program's behavior during execution.
FocusCode structure, patterns, and potential vulnerabilities in the codebase.Runtime behavior, memory leaks, input validation, etc.
Detection TimeEarly in the development lifecycle (e.g., coding phase).Later in the development lifecycle (e.g., testing or execution phase).
ExecutionDoes not require program execution.Requires program execution, often with specific inputs.
CoverageCan examine the entire codebase and all possible code paths.Covers paths that are executed with the given inputs during testing. Some paths might be missed.
EnvironmentCan be performed in any environment since the code isn't being run.Requires a runtime environment, possibly with specific configurations.
Types of Issues DetectedSyntax errors, code patterns indicative of vulnerabilities, code quality metrics, adherence to coding standards.Runtime errors, performance issues, specific vulnerabilities like input validation flaws.
False PositivesMight produce false positives due to lack of contextual execution information.Generally has fewer false positives since issues arise from real executions.
LimitationsCan't catch runtime-specific errors, environment-based issues, or real-world performance problems.Might miss issues in code paths that aren't executed during testing.

Role of Truscova
The rapid evolution of blockchain technologies necessitates that static analysis tools and techniques keep pace. Truscova's robust research orientation ensures that their offerings remain updated, aligning with the latest vulnerabilities and attack vectors.

Final Thoughts
In the booming world of blockchain, where smart contracts handle transactions worth billions and any vulnerability can have catastrophic repercussions, ensuring their security is non-negotiable. Static analysis emerges as a formidable tool in this quest, and with companies like Truscova at the forefront, the blockchain community can tread with increased confidence.

Further Articles
Formal verification application on smart contracts can further be explored in the following articles:

About Truscova:
Truscova comes with 30+ years of academic research and hundreds of academic publications which pioneered the area of Formal Verification. The team combines academic leadership, industrial strength and Blockchain expertise. Truscova currently analyzes Solidity code combining Formal Verification techniques: abstract interpretation, constraint solving, theorem proving, and equivalence checking.

Ready To Take
The Next Step?

Contact Us


Truscova GmbH
Bremen | Germany

Social Media

©2022 | Imprint & Privacy Policy