The tech behind MythX smart contract analysis, including the microservices Maru, Harvey, and Mythril, and how they work together.

When I first introduced Mythril in 2017, I didn’t expect it to be very useful to smart contract developers. It was a simple symbolic analyzer for Ethereum bytecode with tacked-on Solidity support. Mythril was OK for detecting some security issues and solving CTFs, but it wasn’t written with the needs of developers in mind.

As soon as you want to use Mythril, or any other open source smart contract security tool for that matter, on an actual real-world project, things fall apart very quickly. Mythril takes ages to install and has 30+ command line flags. Running it consumes a lot of computing power. It reports only a limited subset of what’s in the SWC Registry. It doesn’t integrate well with development tools. And most frustratingly, when dealing with large projects, something always breaks. TL;DR: Mythril sucks for developers.

Yet, there seemed to be demand for a tool like Mythril and people actually started using it, building it into their own software, and posting hundreds of issues on Github. As of today, Mythril has been downloaded 470,000 times.

It was always clear to me that whatever we did, Mythril-the-Python-tool could never reach the usability and reliability required to be truly helpful to smart contract developers in their day-to-day job. Then, in early 2018, the “INFURA of smart contract security idea” lightbulb went on: What if one could submit your contracts to a simple API and get back a a security analysis report? Voilà, MythX was born (well actually, Mythril Platform was born, but that had to be renamed due to legal threats from the Tolkien troll army).

The MythX project started in early 2018 with funding from ConsenSys and two developers. Since then, the MythX team has grown to 18 heads and we have built a lot of awesome tech to pack into our security analysis engine. We also built an API that’s scalable and won’t break down even when people throw gigantic Truffle projects at it (I’m looking at you Aragon).

Our mission statement was to provide comprehensive smart contract security analysis at the click of a button.

The SWC Registry is an indispensable resource for securing your smart contracts. Here we show how you can use it most effectively.

In our last post, we showed you how you can use Remix with the MythX plugin to detect weaknesses in smart contract code.

Now, let’s talk about those weaknesses.

Smart contract weaknesses are classified into many different types, allowing for easier management and discussion. The code that generates the weakness may vary widely, but the type of weakness is the same.

This sort of thing isn’t unique to smart contracts, of course. The idea of “signatures” in an antivirus context has been around for decades, and the Common Weakness Enumeration (CWE), describes software weaknesses in much the same way.

But smart contracts, due to the specific nature of the blockchain, require specialized discussion. A weakness in software written in C++ is just not the same.

With this in mind, a group of developers, auditors, and researchers at ConsenSys Diligence (where MythX was originally developed) created an analog to the CWE called the SWC Registry, or Smart Contract Weakness Classification Registry.

The SWC Registry is designed to provide smart contract developers with both language and remediation steps for dealing with issues that come up in the smart contract secure development lifecycle (SDLC).

In the SWC Registry, each entry (what we call an “SWC”) has its own ID and signature, description, code samples and remediation steps. In short, the SWC Registry contains everything you need to know to fix your smart contracts. Plus, it is both open source and community-managed.

Now let’s take a look at the registry itself.

A detailed, step-by-step howto guide on how to use MythX with Remix, showing as well as the differences between MythX and MythX Pro.

MythX is a tool for finding smart contract weaknesses. For our single developers and dev teams, we offer two plans: MythX and MythX Pro.

(We also offer custom plans too; contact us for details.)

We recently posted about the differences between MythX and MythX Pro. But you may find it more useful to see an actual scenario involving testing a smart contract using MythX.

Let’s meet Sam.

MythX recently went live with a new Pro upgrade that offers more powerful analysis features than the free version. In this article I’ll explain how the new “full” analysis mode affects the performance of MythX.

MythX is a smart contract security service that integrates multiple analysis techniques. The MythX Pro plan comes with a new analysis mode called Full mode. In this mode, submitted contracts are subjected to a thorough fuzzing campaign and deep inspection using symbolic analysis. It discovers complex security issues and can be used for checking the correctness of smart contracts.

Background

When you submit a smart contract to MythX, the analysis service spawns a number of workers that perform various analysis tasks in parallel. Each worker is given a maximum time budget it may spend on testing the code. The more computing time is available, the higher the coverage achieved by the analysis engine (at the cost of having to wait longer for the results).

MythX comes into its own, and creates a partnership with ConsenSys Diligence.

I would like to introduce you to the new MythX blog.

This is the place for the whole MythX team, including our researchers, developers, and (yes) marketing folks to be able to share news, tips, ideas, and consolation/hope for the state of security on the Ethereum platform.

(Looking for our old blog? It’s here.)

But first, some orientation, and how we got here.