SolidScript ships two commands that run its security pipeline: `verify` and `secure-deploy`. `verify` reports findings without blocking. `secure-deploy` refuses to deploy unless all enabled gates pass, making it the right command for any environment that touches real value.
Gates
| # | Gate | Engine | What it catches |
|---|---|---|---|
| 1 | Native validator | SolidScript | Footguns including tx.origin, selfdestruct, zero-address mint, unbounded loops, missing visibility, and view mutation |
| 2 | Solc compile | solc | Syntax and type errors in emitted Solidity |
| 3 | SMTChecker | Solc/Z3 | Assertions, arithmetic safety, division by zero, contract-level invariants |
| 4 | Mythril | Mythril/Z3 | Deeper symbolic execution paths; opt in with --deep |
| 5 | Slither | Slither | Reentrancy, arbitrary send, weak randomness, locked ether, strict equality risks |
| 6 | Pattern library | SolidScript | Unsafe or unknown inherited bases/imports |
| 7 | Fuzz harness | Forge | Unexpected reverts across generated public-method fuzz tests |
| 8 | Invariant tests | Forge | @invariant properties across random call sequences |
| 9 | Attestation | SolidScript | Reproducible-build manifest and gate results |
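
Three of the footguns gate 1 lists (tx.origin, zero-address mint, unbounded loops), shown in Solidity, the language the pipeline emits, beside hardened forms. This is an added example, not SolidScript output or project code; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names here are hypothetical.
contract Flagged {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    address[] public holders;

    // tx.origin auth: the check looks at the transaction's originator,
    // so an intermediate contract the owner calls also passes it.
    function setOwner(address next) external {
        require(tx.origin == owner, "not owner");
        owner = next;
    }

    // Zero-address mint: tokens credited to address(0) are unrecoverable.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        holders.push(to);
    }

    // Unbounded loop: gas grows with holders.length without limit.
    function totalHeld() external view returns (uint256 sum) {
        for (uint256 i = 0; i < holders.length; i++) sum += balanceOf[holders[i]];
    }
}

contract Hardened {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply; // running total replaces the loop

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner"); // direct caller, not tx.origin
        _;
    }

    function setOwner(address next) external onlyOwner {
        require(next != address(0), "zero owner");
        owner = next;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "zero recipient");
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}
```
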
Skipping gates during local iteration
You can skip slow gates while iterating locally. Pass `--skip` with a comma-separated list of gate names, or tune fuzz depth with `--fuzz-runs`:
Running deep symbolic execution
Mythril is slower than the default path, so it is opt-in via `--deep`. You can also cap its timeout to keep CI times predictable:
The pipeline catches code-level vulnerability classes. It cannot prove economic trust assumptions, off-chain relayer correctness, or chain reorg behavior.