Summary
Enhance Misti with more powerful Tact detectors to promote security best practices in the ecosystem.
Context
Misti is a static analyzer for the TON blockchain supported by the TON Foundation. Version 0.1 introduced the core of the analyzer, comprehensive documentation, and five detectors. The next minor release, version 0.2, introduced five more detectors, along with various improvements and fixes that enhance the tool's integrability, including the development of the Blueprint plugin.
Planned Improvements
In the next 0.4 version, the focus will be on more powerful Tact security checks. The roadmap includes:
Introducing ten new Tact detectors covering more complex issues. These six are considered the most important as they address real-world problems:
SendParameters
Sanity Checker
Other planned detectors are included in the 0.4 roadmap. Detectors may be changed or added based on ecosystem needs and project constraints, but there will be at least ten.
Warning suppression, allowing developers to suppress specific detectors in comments. This requires changes to Tact's internals.
The imports graph feature, which will be useful in both Misti and Tact. See: Dump import graph and related discussions.
All improvements to the Tact compiler API needed to implement features in Misti: Tact frontend API: Improvements for tooling.
Updating documentation for detectors, the API reference, and tests as part of the development process.
Milestones
Implement at least 10 new detectors along with the required improvements to the Tact compiler API as described above.
Write a blog post on security risks in Tact.
A blog post will be written addressing Tact's security issues, focusing on the problems Misti addresses. It will showcase some Tact issues and offer recommendations on how to mitigate them using the tool.
Report grant results.
Key Contributions
Improve Tact support, achieving a total of 25+ detectors to cover important security issues and code smells.
Foster Tact API development, which will contribute to the growth of the ecosystem.
Enhance tool support for auditors, such as the imports graph, which helps in understanding the structure of a project.
Start a discussion on Tact security.
Next Plans
The next priority will be FunC support in the following release. This release will make Tact support strong enough to focus on FunC in the subsequent months. The decision was made to prioritize it over other tasks to increase community engagement.
References
Estimate suggested reward
10,000 USD in TON equivalent.
Estimated completion date: November 15, 2024. This is subject to change based on the Tact release cycle and the grant application process. But delays should not exceed a few weeks.
UPD: Adjusted the estimated completion date according to the new Tact 1.6.0 release date.
UPD: Updated the roadmap. The next version number will be 0.4, as we need to release an additional minor version to support Tact 1.5, resolving this issue: https://t.me/misti_dev/105

The Misti static smart-contract analyzer, despite its early stage of development, has already found critical issues in soon-to-be released projects written in Tact. I'm all for supporting this project to make it even better! And it also has great potential to also support FunC.