Just a general idea to be able use solc and solc-select to automatically verify the contract.

If we want to extract types of the contracts, we need to know this information to be able precisely understand if contract is type of EIP/ERC standard and at which confidence level.

We basically need a functionality to visit node efficiently from AST and IR. This is possible now by building custom node visitor by yourself and utilising AST Tree. This should be implemented directly into the solgo library.

At current wiki there's ongoing work that needs to be completed. Right now examples and documentations are added for installation and usage, however, more in-depth, package specific documentation is lacking and should be resolved.

Currently we do not support parsing assembly rules discovered in solidity contract.

To be defined...

Problem currently with visited topological sort approach is if we have two of the same name, with different content, only one file will be extracted and sorted, resulting in corrupted sources. For example IERC20.sol interface and IERC20.sol token contract.

As title says, need to get unit testing a bit better and documenting out the whole code including example usage.

Currently, we have the functionality to export AST to JSON, but there is no existing method to reverse the process and cast JSON back into the AST object.

It would be awesome if we could know if contract is type of let's say ERC20 for Tokens, ERC-1155 or for example ERC-721 for NFTs. These are just examples but we could add list of all relevant EIPS and know immediately type of the contract.

This should be part of intermediate representation.

Current EIP package is designed to support Ethereum Improvement Proposals. However, I'll be extending it and renaming it to standards. One of the extensions are to figure out if pancakeswap, uniswap, sushiswap and so on are detected.

This can be later on taken to maybe more quickly understand if current contract supports liquidity or not.

Basically the most important statistics about processed contract. From how many functions to how many calls, external calls, different type of references, basically all of the data that can help out gain statistical information about source code.

Explained just dummy idea. Real idea will follow in the future.

Well... This will be fun. Just adding here for future work. We'll use Bun.

Licenses can be different in parent contracts and are not taken under consideration. Only entry contract. This is in AST

There are changes for event definition added 3 days ago that needs to be added, by it grammars needs to be regenerated.

Right now they are basic, only text. We should change that each by each case as there are so many of them.

Just notes for now:

• Ability to turn AST into CFG.
• Ability to render dot file for graph (graphviz).
• Ability to render image (png, jpeg, svg) from the graph.
• Graph node itself...

Old versions of solidity contracts use for fallback and receive (sometimes even having revert) following function syntax

function () payable { ... }

Current AST parsing will fail if function like above is reached. It will fail under state variable discovery (which is weird).

So far, only investigating potential solutions. Most likely this will be related to grammar file not supporting functions like that. If that's the case, we'll branch off grammar from solidity externals and start maintaining our own (or just apply patches once we sync external repo).

If it's grammar issue, it's in fact, not issue but no longer supported functionality and therefore we cannot file any bugs.
If it's due to antlr-go, then we need to file bug to antlr or fork it off.

It happens very rarely, only with old contracts.

Forward statement resolution in AST seems to be a bit more complicated than it should. However, I am not yet sure how to handle it in the future.

Problematic with forward statement means that node can be anywhere. What that means is that reference for any particular statement can be:

• In any object.
• Defined in the same object but after it is executed.
• Globally defined outside of any object at any point prior or after the statement execution.
• Literally some types, for example events, structs, vars etc... Can be defined literally anywhere in the code and called out from literally anywhere.

Knowing the problem, dealing with solution becomes troublesome when types descriptions are in question. We basically need to understand the type itself and regularly I need to come back to references during testing as some type is not discovered efficiently. For example, node is not found at all, resulting in skewed AST results and panics due to type description object is not found.

For now I am patching the code to resolve it. However, I'd like in the future to find out proper way how to traverse through the tree and figure out all of the types without doing some ad-hoc kumbaya patches to the resolver.

Moreover, even if node is found, are we certain that that particular node corresponds to the proper reference or just globally defined reference? This calls for a node reverse lookup.

Anyway, just ideas posting here so this story can be upgraded in the future and perhaps better solution can be done.

This is just so we are on a same page, a severe amount of work and will broke the entire code resolution once touched.

This will be interesting amount of work but idea is to implement ability to check if contract is proxy or not.

For now in order to get to the point of writing solgo based vulnerability detectors, a package called security will be added and we are going to use https://github.com/crytic/slither to understand what's going on with the code vulnerability wise.

All contracts bellow 0.6 should be checked and parser corrected in case of any issues.

Ability to load contract storage information at particular block from upstream.

Right now, package is capable of to a point to discover statements and references for definitions that occur after. This is a large blocker in order to be able process any type of code that is provided without requirement for source code to be sorted out.

When processing directly from metadata, code can be and usually won't be sorted in order resulting in panicing on all fronts due to type descriptions not being discovered.

This is the highest priority and biggest blocker for ast package to be useful to anyone.

Having them under readme, we can do better. So adding just general issue here...

More about it will be defined later.

Right now standards have ability to calculate confidence and in general, standards management, however, easy usage of interfaces from this package does not exist.

For example, you wish to load token ERC20 and interact with the interface, well that's not possible. Going to add that.

Can be invoked by attempting to parse ABI for: 0x4A3e49f77a2A5b60682a2D6B8899C7c5211EB646

As of right now, that is not quite working so we need to deal with that.

Right now it's contract {ContractName}.

I have no idea what the heck it was in my head that current approach could be useful (which still will be for edge cases) but in order to resolve forwarded statements, with current approach logic of the code needs to become so complex that I just dislike idea of moving forward with it. Therefore, will introduce following changes into the code base:

• Sources sorted based on graph and topological sorting algorithms in order to sort imports by the lowest requirement to the highest. This will help to a point.
• to be defined, not sure what yet...
• Get at least a bit more code coverage and documentation done in the process... It's ridiculous that AST which is a base package is becoming less and less documented and tested.

Currently we get panics because type descriptions cannot be found, including forward contract creations that cannot be discovered in time which results in us needing to write t_unknown_{nodeId} and later on processing them in the resolver. You see, I bored myself already by just typing this thing down. That would be a shit so complex that anyone trying, including me, look into the codebase would just evaporate from the project. Therefore, lets build something performant and nice to look at.

For example, this one right here -> https://bscscan.com/address/0x7a4af156379f512de147ed3b96393047226d923f#code, jumps from contract/statement to a contract/statement like it's a candy season and thus, the reason where I've discovered numerous of panics and well... Let's fix it.

Fun to talk with myself.

The thing is solc-select is a great tool for its purpose. Gives a very nice way of switching global solc version with execution of maximum two commands. It is however, not designed to be thread safe and be used by the APIs.

Current solgo version, as a prototype uses solc-select. We should move away from it from our perspective as soon as possible as it's becoming a blocker on multiple fronts:

• Python so it's slower then it should be.
• Have to use cmd package to interact with it which makes no sense for us, except in extreme conditions when there's no viable alternative.
• It changes global solidity version on machine. Consider what will happen when even 2 concurrent requests occurs...
• Requires time to download/build solc which we can fix by having cmd that downloads all of the versions for specified operating system at once if executed.
• Sometimes it fails, even in CI/CD pipeline to switch as multiple jobs are running.

Probably few more good things we can sort out by doing something more concrete here.

I was thinking to have it as solgo/solc but that's probably not the best solution so instead of that, I'll build and maintain separated repository for this endeavor.

Right now if multiple contracts are discovered in ABI parser, data won't be full.

Current version of checks if it's a proxy as well as proxy confidence is done over very basic detection. We should improve this in the future.

This whole package has its functionalities, however, it's lacking smarter client management package so we can get it to a next level. Therefore, this issue is reserved to introducing clients package that can do following:

• Ability to load multiple clients for multiple eth client supported networks
• Ability to load balance multiple clients
• Ability to failover between full and archive nodes
• Ability to query clients based on different criterias

Right now, if there are multiple contracts involved or contracts that are dependencies, that's really not working. We should change that.

Once AST package is completed will rewrite ABI and sort this issue out.

Very nice project, but seems it lacks nameLocation field for declarations, which is the location just for the identifier

To be defined in the future but basic idea is based on specific criteria, intercept onchain data and do the transformation into a specific concept. For example, Token transformator to fetch the data of any token and get back basic information, including potentially some heavy-weight information such as liquidity.

This is rough idea, probably will be changed by the end of the development.

Ability to manage existing or new accounts...

#140 has the latest development ideas... It's not yet ready...

Referencing #50

Even tho title is describing itself, will be adding more appropriate context about this package in the future.

The last part of the missing functionality in ABIs are passing more complex types then mappings.

Following issue should resolve:

• Parsing structs including nested structs.
• Parsing enums.

Besides this, everything else "should" operate as expected. Take under note that we need to test this against large amount of smart contracts in order to ensure abi parser is completed.

Well, this feature is for sure something that needs to be present. Right now package requires for devs to manually figure out this information. Should not be the case.

Instead of using parser directly going to change it entirely to and use IR package instead.

This will give us ability to fine tune responses as we wish, out of the box multiple contracts support.

More info will be provided later.

Can be invoked by trying to decode: 0xc3B7aF1d8c3ca78F375Eb125F0211164b9071Cc0

Currently there's only one benchmark available in the system which is way too low. Enough said right?

Want to test the most:

• How will solc-select behave concurrently. I think I already know the answer and will need to understand what to do here.
• How many errors we will discover in parsing AST, ABI, IR? -> Address them completely.
• See how system is behaving with contracts solidity version lower then 0.8. Address issues that come up.
• Introduce prometheus and grafana metrics as well so we can build nice dashboard.
• Introduce pprof and see memory/cpu allocation and what can be improved if there's a large need.

More information in upcoming weeks.

Ability to parse contract, transaction, log, any type of bytecode and get back EVM opcode information including a tree for future inspections.

Ability to simulate transactions on local network as well as on the main net.

It works, but really does not work how it should work for production. Just adding placeholder issue here for future work.

Idea of the following package is to provide unification mechanism on top of which multiple exchanges such as pancakeswap, uniswap, sushiswap, etc... can be loaded, registered and used throughout the unpack tools.

Challenges

• Multiple client types, if we only had one, would be great but we can have multiple clients, spawning at any point in time and on top of that there are simulation clients that needs to be taken under consideration.
• Resource management as if we initiate too much, we're not at the right track.

Right now there's no way of getting actual source code of any specific node. This is going to be cumbersome but it has to be done. I am thinking about providing context itself for every node and to provide ToString method on each of 100+ nodes in the ast tree...