MetaTrust Product Documentation
ProductsBlogsNewsroom
English
English
  • Introduction
    • About MetaTrust
    • MetaScan
      • Security Analyzer
      • Security Prover
      • GPTScan
      • Open Source Analyzer
      • IP Analyzer
      • Code Quality
    • MetaScout
    • MetaScore
      • 🍞Data
      • 🍟Dimensions in portrait system
      • 🍰Score and Rating
    • MPM
  • Getting Started
    • Getting Started with MetaScan
      • Sign-Up and Sign-In
      • Set Up an Integration (Optional)
      • Add Projects
      • Scan for Vulnerabilities
      • View Scan Results
      • Generate and Download Scan Reports
    • How to use Security Prover
  • Product Tour
    • MetaScan
      • Projects
      • Reports
      • Users and Organizations
      • FAQs
    • Glossary
Powered by GitBook
On this page
  1. Getting Started

How to use Security Prover

A step-by-step guide for using the scanning engine Security Prover on MetaScan

PreviousGenerate and Download Scan ReportsNextMetaScan

Last updated 1 year ago

Here is a step-by-step guide for using the scanning engine Security Prover on MetaScan based on the demo contract code. You can also watch the . (Video Link: https://youtu.be/CatvrkcJTNk)

  1. Upload the smart contract to MetaScan. Click "Add Projects" and select "Upload Files" to add the project that needs scanning.

  2. Select the appropriate project type based on the situation. Here we select "Framework-less Solidity Files" and click "Continue".

  3. Upload a zip file of the project and click "Continue".

  4. Input a project name and click "Upload" to upload the project.

  5. Configure contract analysis settings and scan. Click "Start Scan" to prepare for scanning.

  6. Select "Security Prover" and fill in the name of the contract to verify in "Entry Contract", here we fill in "Token". Then click "Start Scan" to start security scanning.

  7. Review key metrics and information from the report.

  8. Click on "EquailzationOfTransferBalances" under "Rules" and check the "Call Trace" information based on violation. From the information, we know the violated condition is assert(balanceBefore == balanceAfter); From the "Rule Call Resolutions" on the right, we know that when msg.sender is the same as $to, it will violate the check condition

  9. Click on the "transfer" in the "Call Trace" to check deeper call stack information. In uint256 senderAmount = _balances[sender]; senderAmount is 20000 In uint256 recipientAmount = _balances[recipient]; recipientAmount is 20000

  10. After calling _balances[sender] = senderAmount.sub(amount);, _balances[sender] becomes 19900

  11. After calling _balances[recipient] = recipientAmount.add(amount);, _balances[recipient] becomes 20100

Thus the assertion assert(balanceBefore == balanceAfter); is finally violated.

video instructions