When analyzing a smart contract's codebase, it's essential to assess its complexity accurately. Traditional line counts often include comments, documentation, and empty lines, which can obscure the true nature of the code. This is where nSLOC becomes invaluable.
nSLOC stands for Normalized Source Lines of Code, a metric that counts only the lines of code in a program that contain executable instructions.
This metric excludes comments, documentation, and blank lines, thereby providing a more accurate measure of the code's true size and complexity.
By focusing on the essential logic, nSLOC helps developers and auditors better understand the intricacies of the code, making it easier to identify potential issues and areas for improvement.
In the context of smart contract development, understanding code complexity is critical.
Once deployed, smart contracts are immutable. And any errors or inefficiencies in the code are permanent. By using nSLOC, developers can ensure that the core logic of their contracts is as straightforward and error-free as possible, reducing the risk of vulnerabilities and improving the overall security and maintainability of the codebase.
During code reviews nSLOC :
Additionally, nSLOC can be used to estimate the effort required for development and maintenance. This is particularly useful for project managers to allocate resources and plan timelines effectively. It also helps in comparing the complexity of different projects or modules, aiding in better decision-making and prioritization.
By providing a clear and focused measure of code complexity, nSLOC plays a crucial role in enhancing the quality, security, and maintainability of smart contracts in the web3 ecosystem.
Consider the following Solidity code snippet:
1 // This function transfers tokens from one address to another
2 /**
3 * @notice Transfers `_amount` tokens from `_from` to `_to`
4 * @param _from The address to transfer tokens from
5 * @param _to The address to transfer tokens to
6 * @param _amount The amount of tokens to transfer
7 */
8 function transfer(address _from, address _to, uint256 _amount) public {
9 // Ensure the sender has enough tokens
10 require(balanceOf[_from] >= _amount, "Insufficient balance");
11 // Subtract the amount from the sender's balance
12 balanceOf[_from] -= _amount;
13 // Add the amount to the recipient's balance
14 balanceOf[_to] += _amount;
15 // Emit a transfer event
16 emit Transfer(_from, _to, _amount);
17 }
A standard line count indicates that this function has 17 lines. However, when evaluated using nSLOC, the function has only 6 lines. This is because comments and documentation are excluded, focusing only on the lines that contain executable logic.
The nSLOC for this function, after removing non-essential lines, is as follows:
function transfer(address _from, address _to, uint256 _amount)public {
require(balanceOf[_from] >= _amount, "Insufficient balance");
balanceOf[_from] -= _amount;
balanceOf[_to] += _amount;
emit Transfer(_from, _to, _amount);
}
Counting the lines of code above, there are 6. This reflects the code’s true complexity.
Output of nSLOC calculation of the example code above using cloc.
To streamline the process of calculating nSLOC, several tools can automate the task and provide detailed insights Here are three such tools:
Aderyn is an open-source developer tool built with Rust. It serves as a static analyzer for Solidity smart contracts, aiding protocol engineers and security researchers in identifying vulnerabilities within codebases.
cloc (Count Lines of Code) is a popular tool that not only counts lines of code but also differentiates between comment lines, blank lines, and actual source code. It supports a wide variety of programming languages and is highly customizable.
Users can generate reports in various formats, making it easy to integrate into different workflows. cloc is particularly useful for gaining a high-level overview of a project's structure and complexity. GitHub link
Watch a demo of how to install and use cloc on a Cyfrin Updraft smart contract security course.
scc (SLOC, cloc, and code) is a fast, cross-platform tool that combines the functionalities of SLOC, cloc, and code analysis into one package. It provides accurate counts of source lines, comments, and blank lines, while also offering language detection and the ability to handle large codebases efficiently.
scc is known for its speed and minimal resource usage, making it ideal for continuous integration pipelines and large projects. GitHub link
Tokei is a robust and high-performance tool written in Rust, designed to accurately count lines of code, including nSLOC, across numerous programming languages. It provides detailed reports and supports multiple output formats, such as JSON and YAML, for easy integration with other tools.
Tokei is recognized for its speed and precision, making it a reliable choice for developers who need a comprehensive analysis of their codebase. GitHub link