Slither Explained in Detail
Slither is a static analyzer for Solidity and Vyper. It reads source code and compiler output, runs detectors for known risk patterns, and can print useful summaries such as call graphs, entry points, inheritance, and authorization-related state writes.
Slither is useful early in an audit because it finds obvious issues quickly and helps map a codebase. It does not prove that a contract is secure.
Smart contract example
Slither can flag patterns such as unchecked low-level calls:
contract Notifier {
    // The return value of the low-level call is never checked, so a failed
    // call is silently ignored; Slither reports this as unchecked-lowlevel.
    function notify(address target, bytes calldata data) external {
        target.call(data);
    }
}
The warning tells the reviewer where to look. The auditor still decides whether the unchecked call can affect funds, state, or authorization.
Slither in Auditing
Slither is best treated as a fast baseline pass. It can highlight reentrancy, dangerous use of tx.origin, unchecked return values, variable shadowing, upgradeability issues, and many other patterns.
The value is not only in detector output. Slither's printers and summaries help auditors understand ownership, state writes, inheritance, and external-call surfaces before deeper manual review.
Red flags in code
- Teams ship because Slither is clean instead of treating it as a triage pass.
- Findings are bulk-dismissed without documenting impact and reachability.
- Slither is run on a single file when the project needs dependency-aware compilation.
- Upgradeability, authorization, or oracle findings are ignored because Slither rates them low confidence.
- Custom protocol invariants are expected from generic static detectors.
How to test or review it
- Run Slither through the project's normal build configuration so remappings, dependencies, compiler versions, and inherited contracts are included.
- Triage each high and medium finding for exploitability and false positives.
- Use printers to map entry points, state writes, inheritance, and call graphs.
- Pair Slither output with manual review and fuzz testing.
- Track dismissed findings so repeated scans do not hide unresolved risks.