Closed zhangzone closed 2 months ago
This is somewhat related to a previous question https://github.com/crytic/slither/issues/2364 for background. Some detectors explore the control flow graph to gather information and visit all of their successors e.g.:
It really depends on what you're trying to accomplish. Slither doesn't have a graph of data dependencies but you could think of each operation's result as creating an edge i.e. result = expression
creates an edge (result, operation) and the taint analysis is asking "is their a path in the graph from the source to the variable in question" (a reachability query). That is, a variable's dependencies are the transitive closure of its parents.
This recording explains some of how to write an analysis/detector https://www.youtube.com/watch?v=sC7CHMSP3Dg&t=526s
When conducting detection and analysis of contracts, does Slither convert contract code into a graph structure for analysis?