Secure Cadence Breaking Changes Analyzer

Hello developers,

The Flow core contributors have created a tool which you can use to analyze your Cadence contracts for the recently announced breaking changes, which will go into effect with the release of Secure Cadence in the next spork.

You can read more about Secure Cadence and the breaking changes here:
Breaking changes coming with Secure Cadence release

NOTE: The analyzer is only able to identify code that might need to change. To verify your changes, use the Secure Cadence beta release of the CLI linked above, and test your code using the Secure Cadence emulator.

Installation

  • On Linux and macOS:

    sh -ci "$(curl -fsSL https://storage.googleapis.com/flow-cli/install-cadence-analyzer.sh)"
    
  • On Windows, in PowerShell:

    iex "& { $(irm 'https://storage.googleapis.com/flow-cli/install-cadence-analyzer.ps1') }"
    

Usage

Analyzing contracts of an account

To analyze all contracts of an account, specify the network and address. This requires that you have the Flow CLI installed and configured properly (run flow init).

For example:

cadence-analyzer -network mainnet -address 0x1654653399040a61

Analyzing a transaction

To analyze a transaction, specify the network and transaction ID.

This requires that you have the Flow CLI installed and configured (run flow init).

For example:

cadence-analyzer -network mainnet -transaction 44fd8475eeded90d74e7594b10cf456b0866c78221e7f230fcfd4ba1155c542f

Only running some analyzers

By default, all available analyzers are run.

To list all available analyzers, run:

cadence-analyzer -help

For example, to only run the reference-to-optional and the external-mutation analyzers, run:

cadence-analyzer -network mainnet -address 0x1654653399040a61 \
    -analyze reference-to-optional \
    -analyze external-mutation

Analyzing contracts in a directory

To analyze all contracts in a directory, specify the path.

For example:

cadence-analyzer -directory contracts

The files must have the .cdc extension and be named after the location ID of the program:

  • Contracts in accounts have the format A.<address>.<name>,
    e.g. A.e467b9dd11fa00df.FlowStorageFees, where
    • address: Address in hex format, e.g. e467b9dd11fa00df
    • name: The name of the contract, e.g. FlowStorageFees
  • Transactions have the format t.<ID>, where
    • id: The ID of the transaction (its hash)
  • Scripts have the format s.<ID>, where
    • id: The ID of the script (its hash)

Analyzing contracts in a CSV file

To analyze all contracts in a CSV file, specify the path to the file.

For example:

cadence-analyzer -csv contracts.csv

The CSV file must be in the following format:

  • Header: location,code
  • Columns:
    • location: The location ID of the program
      • Contracts in accounts have the format A.<address>.<name>,
        e.g. A.e467b9dd11fa00df.FlowStorageFees, where
        • address: Address in hex format, e.g. e467b9dd11fa00df
        • name: The name of the contract, e.g. FlowStorageFees
      • Transactions have the format t.<ID>, where
        • id: The ID of the transaction (its hash)
      • Scripts have the format s.<ID>, where
        • id: The ID of the script (its hash)
    • code: The code of the contract, e.g. pub contract Test {}

Full example:

location,code
t.0000000000000000,"
import 0x1
transaction {
    prepare(signer: AuthAccount) {
        Test.hello()
    }
}
"
A.0000000000000001.Test,"
pub contract Test {
    pub fun hello() {
      log(""Hello, world!"")
    }
}
"

We have just released a new version of the analyzer, v0.2:

  • It supports analyzing on-chain transactions by specifying the -transaction flag
  • Some analyzers were improved and now detect more cases of code that may need to be updated
  • The CSV file format changed and now supports transactions and scripts

You can update the tool by re-running the installation commands:

  • On Linux and macOS:

    sh -ci "$(curl -fsSL https://storage.googleapis.com/flow-cli/install-cadence-analyzer.sh)"
    
  • On Windows, in PowerShell:

    iex "& { $(irm 'https://storage.googleapis.com/flow-cli/install-cadence-analyzer.ps1') }"
    

If you have any questions or feedback, please let us know!

I ran this on Versus on mainnet and I got the following message

> error: update required: missing comma between parameters
>    --> d796ff17107bbff6.Versus:665:50
>     |
> 665 | 			vaultCap: Capability<&{FungibleToken.Receiver}>
>     |                                                   ^ insert missing comma here

The pointer points to the o in Token.

@bjartek The code is indented with tabs, which isn’t handled properly.
The error points to the end, after the >

The tool should now handle tabs in code properly, please update to the latest version, v0.2.1.

Is the source code of the analyzer available?

The code is currently in a PR: https://github.com/onflow/cadence/pull/1607

Hi,

I have a problem when I run the cadence analyzer with this command:

cadence-analyzer -network testnet -transaction da1649ea834b1a638dfd4ad3831ae79e854757d3dc0afbaf0a7aa7335a6f97e4

I have this result:

flag provided but not defined: -transaction
Usage of cadence-analyzer:
  -address string
        analyze contracts in the given account
  -analyze value
        enable analyzer
  -csv string
        analyze all contracts in the specified CSV file
  -network string
        name of network

Available analyzers:
  - address-tostring:
      Detects calls to Address.toString(). The next release will zero-pad the result.
  - deprecated-key-functions:
      Detects usages of the deprecated key management API. It will be removed in a future release.
  - external-mutation:
      Detects mutation of container-typed fields outside of the scope of the enclosing composite. This will be invalid in the next release.
  - number-supertype-binary-operations:
      Detects arithmetic, comparison, and bitwise operations on number super-types. These will be invalid in the next release.
  - parameter-list-missing-commas:
      Detects missing commas in parameter lists. Such code will get rejected in the next release.
  - reference-operator:
      Detects invalid operators in reference expressions. These will get rejected in a future release.
  - reference-to-optional:
      Detects references to an optional value. This will result in optional references in the next release.
  - storage-read-operations:
      Detects calls to AuthAccount.load/copy/borrow and Capability.borrow. These functions will perform a force cast in the next release.
  - supertype-inference:
      Detects expressions with different element types. The next release will infer types differently.

The flag is not recognized. I don’t understand why?

Thanks for your help.

Excuse me, my cadence analyzer was not up to date.
I have run this command: sh -ci "$(curl -fsSL https://storage.googleapis.com/flow-cli/install-cadence-analyzer.sh)"
and now it is ok.
