Secure Cadence Breaking Changes Analyzer

Hello developers,

The Flow core contributors created a tool which you can use to analyze your Cadence contracts for the recently announced breaking changes which will go into effect with the release of Secure Cadence in the next spork.

You can read more about Secure Cadence and the breaking changes here:
Breaking changes coming with Secure Cadence release

NOTE: The analyzer is only able to identify code that might need to change. To verify your changes, use the Secure Cadence beta release of the CLI linked above, and test your code using the Secure Cadence emulator.

Installation

  • On Linux and macOS:

    sh -ci "$(curl -fsSL https://storage.googleapis.com/flow-cli/install-cadence-analyzer.sh)"
    
  • On Windows, in PowerShell:

    iex "& { $(irm 'https://storage.googleapis.com/flow-cli/install-cadence-analyzer.ps1') }"
    

Usage

Analyzing contracts of an account

To analyze all contracts of an account, specify the network and address. This requires you have the Flow CLI installed and configured properly (run flow init).

For example:

cadence-analyzer -network mainnet -address 0x1654653399040a61

Analyzing a transaction

To analyze a transaction, specify the network and transaction ID.

This requires you have the Flow CLI installed and configured (run flow init).

For example:


cadence-analyzer -network mainnet -transaction 44fd8475eeded90d74e7594b10cf456b0866c78221e7f230fcfd4ba1155c542f

Only running some analyzers

By default, all available analyzers are run.

To list all available analyzers, run:

cadence-analyzer -help

For example, to only run the reference-to-optional and the external-mutation analyzers, run:

cadence-analyzer -network mainnet -address 0x1654653399040a61 \
    -analyze reference-to-optional \
    -analyze external-mutation

Analyzing contracts in a CSV file

To analyze all contracts in a CSV file, specify the path to the file.

For example:

cadence-analyzer -csv contracts.csv

The CSV file must be in the following format:

  • Header: location,code
  • Columns:
    • location: The location ID of the program
      • Contracts in accounts have the format A.<address>.<name>,
        e.g. A.e467b9dd11fa00df.FlowStorageFees, where
        • address: Address in hex format, e.g. e467b9dd11fa00df
        • name: The name of the contract, e.g. FlowStorageFees
      • Transactions have the format t.<ID>, where
        • id: The ID of the transaction (its hash)
      • Scripts have the format s.<ID>, where
        • id: The ID of the script (its hash)
    • code: The code of the contract, e.g. pub contract Test {}

Full example:

location,code
t.0000000000000000,"
import 0x1
transaction {
    prepare(signer: AuthAccount) {
        Test.hello()
    }
}
"
A.0000000000000001.Test,"
pub contract Test {
    pub fun hello() {
      log(""Hello, world!"")
    }
}
"
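
The CSV format described above, as an added example that is not part of the original post or the analyzer's code: a Python sketch that writes programs to a location,code file with correct quoting and checks each record before the file is passed to -csv. The function names, and treating addresses and IDs as hex strings of any length, are assumptions of this example.

```python
import csv
import io
import re

# Location ID shapes from the format description. Treating addresses and IDs
# as hex strings of any length is an assumption of this example.
LOCATION_RE = re.compile(
    r"A\.[0-9a-fA-F]+\.[A-Za-z_][A-Za-z0-9_]*"  # contract: A.<address>.<name>
    r"|[ts]\.[0-9a-fA-F]+"                      # transaction or script: t.<ID>, s.<ID>
)

def build_csv(programs):
    """Serialize {location: code} to CSV text; the csv module quotes code
    that contains commas, quotes or newlines and doubles embedded quotes."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["location", "code"])
    writer.writerows(programs.items())
    return out.getvalue()

def check_csv(text):
    """Return a list of problems found in CSV text (empty list means OK)."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows or rows[0] != ["location", "code"]:
        return ["header must be exactly: location,code"]
    problems, seen = [], set()
    for n, row in enumerate(rows[1:], start=1):
        if len(row) != 2:  # typical cause: unquoted code containing a comma
            problems.append(f"record {n}: expected 2 columns, got {len(row)}")
            continue
        location, code = row
        if not LOCATION_RE.fullmatch(location):
            problems.append(f"record {n}: bad location ID {location!r}")
        elif location in seen:
            problems.append(f"record {n}: duplicate location {location!r}")
        seen.add(location)
        if not code.strip():
            problems.append(f"record {n}: empty code")
    return problems

# Constructed sample, mirroring the contract in the full example above.
SAMPLE = {
    "A.0000000000000001.Test":
        'pub contract Test {\n    pub fun hello() {\n      log("Hello, world!")\n    }\n}\n',
}

if __name__ == "__main__":
    text = build_csv(SAMPLE)
    print(text, check_csv(text) or "OK")
```
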

We have just released a new version of the analyzer, v0.2:

  • It supports analyzing on-chain transactions by specifying the -transaction flag
  • Some analyzers were improved and now detect more cases of code that potentially needs to be updated
  • The CSV file format changed and now supports transactions and scripts

You can update the tool by re-running the installation commands:

  • On Linux and macOS:

    sh -ci "$(curl -fsSL https://storage.googleapis.com/flow-cli/install-cadence-analyzer.sh)"
    
  • On Windows, in PowerShell:

    iex "& { $(irm 'https://storage.googleapis.com/flow-cli/install-cadence-analyzer.ps1') }"
    

If you have any questions or feedback, please let us know!

I ran this on Versus on mainnet and I got the following message:

> error: update required: missing comma between parameters
>    --> d796ff17107bbff6.Versus:665:50
>     |
> 665 | 			vaultCap: Capability<&{FungibleToken.Receiver}>
>     |                                                   ^ insert missing comma here

The pointer points to the o in Token.

@bjartek The code is indented with tabs, which isn’t handled properly.
The error points to the end, after the >

The tool should now handle tabs in code properly, please update to the latest version, v0.2.1.

Is the source code of the analyzer available?

The code is currently in a PR: https://github.com/onflow/cadence/pull/1607