
Upgrade Misti with Advanced Tact Detectors #777

Open
jubnzv opened this issue Aug 29, 2024 · 2 comments
Assignees
Labels
Approved This proposal is approved by the committee Developer Tool Related to tools or utilities used by developers

Comments

@jubnzv

jubnzv commented Aug 29, 2024

Summary

Enhance Misti with more powerful Tact detectors to promote security best practices in the ecosystem.

Context

Misti is a static analyzer for the TON blockchain supported by the TON Foundation. Version 0.1 introduced the core of the analyzer, comprehensive documentation, and five detectors. The next minor release, version 0.2, introduced five more detectors, along with various improvements and fixes that enhance the tool's integrability, including the development of the Blueprint plugin. Version 0.3 was published in order to support Tact 1.5 and introduce 5 more detectors and API changes used in custom detectors. Version 0.4 will follow testing of the analyzer on real-world contracts and will include 5 new detectors and the GitHub Actions integration.

Thus, Misti will support 20 Tact detectors when work on the grant described here begins: https://nowarp.io/tools/misti/docs/detectors.

Planned Improvements

In the next 0.5 version, the focus will be on more powerful Tact security checks. The roadmap includes:

Note that the implementation of the suggested detectors is more complex than most of the detectors that have already been introduced. It will take more time to develop these, and it might require changes in the analyzer's internals.

Other planned detectors are included in the 0.5 roadmap. Detectors may be changed or added based on ecosystem needs and project constraints, but there will be at least ten.

Milestones

  1. Implement at least 10 new detectors along with the required improvements to the Tact compiler API as described above.
  2. Write a blog post on security risks in Tact.
    A blog post will be written addressing Tact's security issues, focusing on the problems Misti addresses. It will showcase some Tact issues and offer recommendations on how to mitigate them using the tool.
  3. Report grant results.

Key Contributions

  • Improve Tact support, achieving a total of 30+ detectors to cover important security issues and code smells.
  • Foster Tact API development, which will contribute to the growth of the ecosystem.
  • Enhance tool support for auditors, such as the imports graph, which helps in understanding the structure of a project.
  • Start a discussion on Tact security.

Next Plans

The next priority will be FunC support in the following release. This release will make Tact support strong enough to focus on FunC in the subsequent months. The decision was made to prioritize it over other tasks to increase community engagement.

References

Estimate suggested reward

10,000 USD in TON equivalent.

Estimated completion date: November 15, 2024. This is subject to change based on the Tact release cycle and the grant application process. But delays should not exceed a few weeks.

UPD: Adjusted the estimated completion date according to the new Tact 1.6.0 release date.
UPD: Updated the roadmap. The next version number will be 0.4, as we need to release an additional minor version to support Tact 1.5, resolving this issue: https://t.me/misti_dev/105
UPD: 0.4 will be released before this in order to implement the Misti GitHub action and support more required features

@jubnzv jubnzv added the Developer Tool Related to tools or utilities used by developers label Aug 29, 2024
@anton-trunov

The Misti static smart-contract analyzer, despite its early stage of development, has already found critical issues in soon-to-be-released projects written in Tact. I'm all for supporting this project to make it even better! And it also has great potential to support FunC.

@delovoyhomie delovoyhomie added the Approved This proposal is approved by the committee label Sep 27, 2024