SwayScanner
Advanced AST-based security scanner for Sway smart contracts with comprehensive vulnerability detection and minimal false positives.
SwayScanner performs deep AST-based static analysis on Sway smart contracts to identify security vulnerabilities, code quality issues, and best practice violations. Built by the Safe Edges Team to secure the decentralized future.
Features
- AST-Based Analysis: Uses Sway language AST for accurate parsing and analysis
- Comprehensive Security Analysis: Detects 14+ categories of vulnerabilities including reentrancy, access control issues, oracle manipulation, and more
- Professional Reports: Export findings as beautifully formatted Markdown or PDF audit reports
- Minimal False Positives: Advanced AST analysis techniques reduce noise and focus on real issues
- Grouped Findings: Similar issues are intelligently grouped for better readability
- Colored Output: Professional terminal output with severity-based color coding
- Multiple Output Formats: Text, JSON, SARIF, CSV, and Markdown support
- Safe Edges Branding: Professional audit reports with Safe Edges branding
🔧 Technical Architecture
AST-Based Analysis Engine
- Sway AST Parser: Uses official Sway language AST for accurate code understanding
- Function Call Graph: Maps function relationships and call chains
- Storage Analysis: Tracks storage read/write operations
- Control Flow Analysis: Analyzes conditional branches and loops
- Security Analysis: Performs vulnerability detection using AST patterns
Key Components
- SwayAstAnalyzer: Main analysis engine using Sway AST
- FunctionCallGraph: Maps caller-callee relationships
- StorageAnalysis: Tracks storage operations and dependencies
- ControlFlowAnalysis: Analyzes program flow and control structures
- SecurityAnalysis: Detects security vulnerabilities using AST patterns
📦 Installation
From crates.io (Recommended)
From Source
🔧 Usage
Basic Usage
# Scan a single file with AST-based analysis
# Scan with Markdown report (recommended)
# Scan all Sway files recursively
Professional Audit Reports
# Generate comprehensive Markdown audit report
# Multiple output formats
Advanced Options
# Scan with specific detectors only
# Exclude specific detectors
# Filter by severity
# Verbose output with detailed AST analysis
Vulnerability Detection
SwayScanner uses AST-based analysis to detect the following vulnerability categories:
Critical & High Severity
- Access Control: Missing or inadequate permission checks using AST function analysis
- Reentrancy: Vulnerable external call patterns detected through AST call graphs
- Arithmetic Issues: Integer overflow/underflow and division errors using AST expression analysis
- Business Logic: Complex logic flaws and validation issues through AST control flow analysis
- Price Oracle Manipulation: Single oracle dependencies and flash loan vulnerabilities
- Flash Loan Attacks: Atomic transaction exploits detected via AST
- External Call Safety: Unchecked external calls and return values using AST call analysis
- UTXO Vulnerabilities: Fuel-specific UTXO model security issues
Medium Severity
- Logic Errors: Off-by-one errors and assignment vs comparison bugs
- Input Validation: Parameter validation and bounds checking
- Unprotected Storage: Storage modifications without access restrictions
Low Severity
- Code Quality: Unused variables, imports, and dead code
- Best Practices: Magic numbers and coding standard violations
Example Output
================================================================================
███████╗██╗ ██╗ █████╗ ██╗ ██╗███████╗ ██████╗ █████╗ ███╗ ██╗
██╔════╝██║ ██║██╔══██╗╚██╗ ██╔╝██╔════╝██╔════╝██╔══██╗████╗ ██║
███████╗██║ █╗ ██║███████║ ╚████╔╝ ███████╗██║ ███████║██╔██╗ ██║
╚════██║██║███╗██║██╔══██║ ╚██╔╝ ╚════██║██║ ██╔══██║██║╚██╗██║
███████║╚███╔███╔╝██║ ██║ ██║ ███████║╚██████╗██║ ██║██║ ╚████║
╚══════╝ ╚══╝╚══╝ ╚═╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
AST-Based Security Analysis for Sway Smart Contracts
Powered by Safe Edges
https://safeedges.in
================================================================================
Running AST-based detectors... (14 active)
SECURITY AUDIT REPORT
===========================================
CRITICAL: access_control
├─ Missing access control in admin_mint function
├─ Location: contract.sw:45:5 (AST span: 45:5-67:8)
└─ Risk: Unauthorized users can mint tokens
HIGH: reentrancy
├─ Potential reentrancy in unsafe_withdraw function
├─ Location: contract.sw:67:5 (AST span: 67:5-89:12)
└─ Risk: Attacker can drain contract funds
MEDIUM: input_validation
├─ Missing input validation in transfer function
├─ Location: contract.sw:23:5 (AST span: 23:5-45:10)
└─ Risk: Invalid parameters may cause unexpected behavior
Examples
Check out the examples/ directory for sample vulnerable contracts to test SwayScanner:
# Test on example vulnerable contract
🔧 Configuration
Create a swayscan.toml configuration file for custom settings:
[]
= 0.7
= 4
= true
[]
= ["access_control", "reentrancy", "arithmetic_issues"]
= ["magic_number"]
[]
= "text"
= true
Documentation
- API Documentation: docs.rs/swayscan
- Repository: github.com/Safe-Edges/swayscan
- Website: safeedges.in
🤝 Contributing
We welcome contributions! Please see our Contributing Guidelines for details.
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🛡️ About Safe Edges
SwayScanner is developed by Safe Edges, a team dedicated to securing the decentralized future through advanced security tooling and auditing services.
- Website: https://safeedges.in
- Email: info@safeedges.in
- GitHub: Safe-Edges
Made by the Safe Edges Team