Introducing Aderyn's Language Server: Elevating Solidity Security with Real-time Feedback
Aderyn's Language Server elevates Solidity developers' experience by providing real-time security diagnostics and coding best practices in any code editor.
Table of Contents
Release v0.3.0
We’re thrilled to announce a major milestone for Aderyn with the release of version 0.3.0, the launch of Aderyn’s built-in LSP server. This update brings us closer to our ultimate vision: a unified Aderyn that seamlessly integrates Aderyn’s CLI and upcoming VS Code extension to provide real-time feedback as developers write Solidity code.
The challenge of iteration
Up until now, using Aderyn has required running the tool manually in a Solidity project’s root directory. This generates a markdown report, similar to traditional security review formats. The biggest drawback of this approach is repetitiveness—every code change requires you to rerun the command and review the report all over again. This workflow can quickly become tedious and inefficient, especially when working on iterative updates.
To address this, we originally introduced the watch command in Aderyn, which monitors a project for changes and updates the report automatically. However, this solution came with its own set of limitations.
Watch Command’s shortcomings
Multiple editor support: Supporting multiple editors meant building and maintaining separate extensions for each, and customizing issue diagnostics for every environment.
Command management: Each extension needs to handle both starting and managing the command, which involves complexities like permissions and process control.
Performance impact: Deserializing command outputs into usable diagnostic information was the responsibility of the extension. This slowed down the process significantly, especially in JavaScript environments.
Enter the Language Server Protocol (LSP)
The Language Server Protocol (LSP), originally proposed by Microsoft, offers a powerful solution to the challenges of Watch Command. LSP has become an industry standard, and many modern editors (like VS Code) have built-in LSP clients capable of communicating with LSP servers to receive and display diagnostics.
This approach simplifies everything:
No need for multiple extensions: Since editors already implement LSP clients, Aderyn can focus on one LSP server, drastically reducing maintenance requirements.
Performance boost: Since the LSP client handles starting the server, permissions and startup logic are no longer managed in the extension.
Editor-native experiences: Diagnostics and issue reports are delivered directly to the editor through the LSP client, adhering to the user's design preferences without extra work.
To activate Aderyn’s LSP server, simply run aderyn --lsp.
How Aderyn's LSP works under the hood
Aderyn’s LSP server is built on the robust and well-documented tower_lsp crate, a popular choice for implementing the Language Server Protocol in Rust. Leveraging this crate, Aderyn’s LSP server adheres to the LSP specification, guaranteeing compatibility with a wide range of editors that already have native LSP client support: VS Code, Sublime, Vim, and more.
The power of tower_lsp
The tower_lsp crate simplifies the creation of LSP servers by providing a framework to handle common tasks such as JSON-RPC communication between the client (the editor) and the server (Aderyn). It abstracts away the complexities of the LSP lifecycle, including initialization, message handling, and method registration.
Aderyn’s LSP server leverages this framework to:
Publish real-time diagnostics: Whenever code is modified, the LSP server scans it and pushes diagnostics to the LSP client if security issues are detected. These diagnostics are instantly reflected in the editor, with issues highlighted inline, eliminating the need for manual report generation and review.
Support future extensibility: One of the key advantages of using tower_lsp is the ease with which new capabilities can be added. In the future, we plan to introduce code actions, allowing Aderyn to highlight vulnerabilities and suggest quick fixes directly within the editor.
Asynchronous handling: Rust’s async/await functionality, combined with Tokio’s asynchronous runtime, allows Aderyn’s LSP server to handle multiple requests efficiently. Even with large Solidity projects or simultaneous diagnostic requests, Aderyn can perform quickly, without blocking other processes. The asynchronous runtime ensures that diagnostics are generated in parallel with user interactions, keeping the editing experience smooth and responsive.
Scalability and efficiency
Aderyn’s LSP server is built on Tokio, one of Rust’s most mature and high-performance asynchronous runtimes, and designed for building fast and reliable systems. This allows Adeyrn to process multiple files, make diagnostic requests, and even handle future capabilities like real-time fixes.
Key benefits of using Tokio for Aderyn’s LSP server include:
Concurrency: Developers won’t experience slowdowns as they code because multiple requests can be processed concurrently. For example, scanning a file while handling LSP messages from the editor.
Non-blocking I/O: Aderyn works heavily with filesystem interactions (reading Solidity files and reporting diagnostics). Tokio’s non-blocking I/O capabilities ensure these tasks are executed efficiently, without holding up critical processes.
Aderyn’s LSP server diagnostics pipeline
The workflow involves:
File change detection: The Aderyn LSP server is notified of a file change using https://github.com/notify-rs/notify (e.g., a Solidity contract is updated).
AST analysis: Aderyn generates the Abstract Syntax Tree (AST) for the modified Solidity file and runs its vulnerability detectors. Detectors analyze the AST nodes for patterns that indicate potential security flaws (e.g., reentrancy risks, unchecked external calls, etc.).
Diagnostic reporting: When issues are identified, the server formats them into LSP-compatible diagnostics, which include:
Range: The specific lines and columns where the issue was discovered.
Severity: Whether the issue is a warning or information.
Message: A clear description of the issue and why it poses a risk.
Real-time feedback: Diagnostics are sent to the editor’s LSP client, displaying them as warnings or errors inline within the developer’s editor. This all happens in real-time, giving developers instant feedback as they code.
Extensibility and future enhancements
The use of tower_lsp also enables Aderyn to support a wider range of LSP features beyond diagnostics. In future versions, we plan to incorporate:
Code actions: Suggest automatic code fixes or improvements based on the vulnerabilities detected. For instance, if Aderyn flags a dangerous external call, it could auto correct it by wrapping it in a require statement to ensure its safety.
Hover documentation: Contextual information about specific Solidity functions or vulnerabilities are displayed as a user hovers over flagged code sections, making it easier to understand the underlying issue.
Refactoring suggestions: Security-oriented refactoring options are offered that can potentially improve contract safety.
In short, this integration with tower_lsp and Tokio lays the foundation for Aderyn to not only offer real-time diagnostics but also evolve into a comprehensive security assistant for Solidity developers.
Conclusion
The release of version 0.3.0 is a turning point for Aderyn. The launch of its native LSP server brings Aderyn closer to a truly unified platform and simplifies the experience for developers writing Solidity-based smart contracts.
We’re excited to see what our community thinks of this new feature and how they use it. As we continue to expand Aderyn’s capabilities, our goal remains the same: making blockchain development safer for everyone
