
Solidity code linting and known vulnerability checks with Solium

Open gaboesquivel opened this issue 6 years ago • 2 comments

It seems that we currently haven't set up a linter for the Solidity code.

This is a great set of tools that can help improve the quality and security of the Solidity code:

If approved, I can make a PR with npm scripts to execute these tools; the CI server can be configured to execute them automatically on every PR.

gaboesquivel avatar May 10 '18 17:05 gaboesquivel

I've found solhint to be much more useful than solium - it's found actual problems in our contracts before.

eth-gas-reporter looks great. I hacked in some gas reporting in our repo, but I'm always happiest when I don't have to maintain something.

DanielVF avatar May 14 '18 13:05 DanielVF

Hey @DanielVF, OpenZeppelin uses Solium. Solium seems more active, with 15 contributors; Solhint has only 6. Solium has a --fix flag to automatically fix code style. IMO Solium has better docs. It also supports plugins/extensions: http://solium.readthedocs.io/en/latest/user-guide.html#plugins

Security-wise, both projects have rule sets based on the ConsenSys best practices. The list of supported rules is larger on duaraghav8/solium-plugin-security.

There are only a couple of rules implemented in Solhint that don't seem to be part of the Solium security plugin: reentrancy, compiler-fixed, compiler-gt-0_4, no-complex-fallback (https://protofire.github.io/solhint/rules.html). The compiler ones can be caught easily in code reviews.

Another difference is that Solhint follows the Solidity Style Guide, whereas Solium does not strictly adhere to it; it aims to promote coding practices agreed upon by the community at large.

gaboesquivel avatar May 17 '18 16:05 gaboesquivel
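As an added example (not code from the origin-js repo or from either linter project), here is a CI lint script matching the npm-script proposal above that runs Solium with the security plugin enabled alongside Solhint for the rules the thread notes Solium lacks; the contracts/ directory, the script path and the chosen rule severities are assumptions.

```shell
#!/usr/bin/env bash
# CI lint step for the Solidity sources (added example; not origin-js code).
# Assumes solium, solium-plugin-security and solhint are installed as
# devDependencies and that contracts live under contracts/ (both assumed).
set -u

CONTRACTS_DIR="${CONTRACTS_DIR:-contracts}"

# Write a Solium config that loads the security plugin, unless one exists.
# Rule names come from solium-plugin-security; severities are error/warning/off.
write_soliumrc() {
  [ -f .soliumrc.json ] && return 0
  cat > .soliumrc.json <<'EOF'
{
  "extends": "solium:recommended",
  "plugins": ["security"],
  "rules": {
    "security/no-tx-origin": "error",
    "security/no-call-value": "error",
    "security/no-low-level-calls": "warning"
  }
}
EOF
}

# Fail the step if any linter returned non-zero (pure helper, unit-testable).
combine_status() {
  local rc=0 code
  for code in "$@"; do
    [ "$code" -eq 0 ] || rc=1
  done
  return "$rc"
}

# Run both linters so CI reports every finding, not just the first tool's.
# Solium covers style (--fix is for local use) plus the security plugin;
# Solhint adds the rules the thread notes Solium lacks (reentrancy, etc.).
run_linters() {
  local solium_rc=0 solhint_rc=0
  npx solium --dir "$CONTRACTS_DIR" || solium_rc=$?
  npx solhint "$CONTRACTS_DIR/**/*.sol" || solhint_rc=$?
  combine_status "$solium_rc" "$solhint_rc"
}

# Invoked as `lint-sol.sh --run` from an npm script such as
# "lint:sol": "bash scripts/lint-sol.sh --run" (script path is assumed).
if [ "${1:-}" = "--run" ]; then
  write_soliumrc && run_linters
fi
```

Running it as a required CI check means a PR cannot merge while either linter reports an error, while `--fix` stays a local convenience rather than something CI rewrites.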