chore: add slither config

[igorroncevic]

Description

Add a minimal Slither config that uses the local Python dependency.

Context

Slither runs against src by default. The solc-version detector is disabled because the template intentionally keeps broad ^0.8 pragmas for easier integration.

Out of Scope

This PR does not add Justfile commands, CI, or hooks.

Testing Instructions

• Merge chore: add local dependencies #11 first.
• Run python -m venv dev/.venv.
• Run dev/.venv/bin/pip install -r dev/requirements.txt.
• Run dev/.venv/bin/slither src --config-file slither.config.json.

[fedgiac]

Looks good! (Waiting for other PRs to be merged before approving.)
In my experience, Slither is very noisy, so I think we'll eventually end up turning off a lot of the checks. But for now it's fine to start with the defaults and then make tweaks once we learn what we need.

[igorroncevic]

Slither actually reports "^0.8" as "too complex" of a version, so we might need to turn off that rule.

https://github.com/cowprotocol/contracts-template/actions/runs/25554538329/job/75010171728?pr=15#step:5:18

[fedgiac]

(Code is good, just waiting for merging the previous PR.)

Slither actually reports "^0.8" as "too complex" of a version, so we might need to turn off that rule.

While ^0.8.0 is fine. 🤷
I don't mind using ^0.8.0, even if it's a bit silly.

A rule we most likely want to disable is solc-version since it requires the pragma itself to be at least that of a Solidity version with no known vulnerabilities.

[anxolin]

Consider using uv, i think nowadays is better and more predictable and simple to use.

[anxolin]

This PR also has the wrong base branch. This is annoying because every PR we open shows the same changes over and over

[igorroncevic]

Everything's merging into main, I didn't stack PRs.

[anxolin]

This will filter out things like src/lib/Foo.sol

Suggested change

	"filter_paths": "(lib/|test/|script/)"
	"filter_paths": "^(lib|test|script)/"

[igorroncevic]

That's necessary. We don't want to check those, as lib will contain dependencies we won't change or format.

[anxolin]

Fairenough about disabling this, but this also adds the risk of the foundry version being in a vulnerable solidity and no-one noticing

Maybe we could have a check-solc recipe in the Justfile in a follow up PR

[anxolin]

Maybe there's better way, but this could work

  # Check that foundry.toml's pinned solc has no known medium/high-severity bugs
  check-solc:
      #!/usr/bin/env bash
      set -euo pipefail
      SOLC=$(awk -F'"' '/^solc *=/ {print $2; exit}' foundry.toml)
      [ -n "$SOLC" ] || { echo "could not read 'solc' from foundry.toml"; exit 1; }
      BUGS=$(curl -sfL https://raw.githubusercontent.com/ethereum/solidity/develop/docs/bugs.json)
      HITS=$(jq -r --arg v "$SOLC" '
        def vparts: split(".") | map(tonumber);
        .[]
        | select(.severity == "high" or .severity == "medium")
        | (.introduced // "0.0.0") as $i
        echo "solc $SOLC matches known bugs:"
        echo "$HITS"
        exit 1
      fi
      echo "solc $SOLC: no known medium/high-severity bugs"

[igorroncevic]

I just don't see an issue there.

The thing with excluding solc-version detector is reducing noise when slither complains about ^0.8 pragma we want to use. That pragma is already old and possibly vulnerable. Contracts that get deployed with that pragma will always stay there and exploitable if we've made them so.

Also all Solidity versions have some known issues, that's why they're soon moving to 1.x versioning.

I don't think this will help.