Category: MythX

Project 0x Case Study

Abstract: Smart contracts facilitate the transfer of value and help determine digital asset behavior. This results in a higher need for formal proofs and computer-aided checks compared to traditional software, which does not typically perform these functions. 0x is an open protocol that enables the peer-to-peer exchange of assets on the Ethereum blockchain. It is one of the largest open protocols, with over 30 projects building on top of it, over 713,000 total transactions, and $750 million in volume.
Sharon Byrne-Cotter
April 17, 2020

Catching Weird Security Bugs in Solidity Smart Contracts with Invariant Checks

Contract invariants are properties of the program state that are expected to always be true. In my previous article I discussed the use of Solidity assertions to check contract invariants. This article expands on the use of invariants and provides a couple of additional examples. An interesting feature of invariant checking on the bytecode level is that it allows you to detect low-level issues, including issues caused by compiler optimisation or idiosyncrasies of the programming language, by defining high-level rules.
Bernhard Mueller
April 06, 2020
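
The pattern the post describes, as an added illustration (this is not code from the article or from MythX): a small vault whose one invariant, "the ether held by the contract is never less than the sum of recorded deposits", is checked with assert after every state change, while user input is validated with require. The contract name, functions and the Solidity ^0.8 pragma are assumptions for this example; with ^0.8 arithmetic is checked, so any reachable assert violation an analyzer reports is a genuine breach of the invariant rather than an overflow.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not code from the original post. Assumes Solidity ^0.8.
pragma solidity ^0.8.0;

// Invariant: address(this).balance >= totalDeposits at the end of every
// state-changing call. require() guards inputs (a user error), assert()
// guards the invariant (a contract bug). Analyzers such as MythX/Mythril
// report a reachable assert failure as SWC-110, so a false invariant is
// surfaced as a finding with the transaction sequence that breaks it.
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits; // sum of all entries in balances, by construction

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
        _checkInvariant();
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Effects before the external call (checks-effects-interactions),
        // so a re-entrant call sees the already-reduced balances.
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        _checkInvariant();
    }

    // The invariant uses >= rather than ==: ether can be forced into any
    // address via selfdestruct (SWC-132), which raises the balance but never
    // touches totalDeposits. An == check would let an attacker trigger the
    // assert at will; >= only fails when the contract has lost funds it owes.
    function _checkInvariant() internal view {
        assert(address(this).balance >= totalDeposits);
    }
}
```

If you want to see what a violation looks like, change `totalDeposits -= amount;` in `withdraw` to `totalDeposits += amount;` and re-run the analysis: the assert in `_checkInvariant` becomes reachable after one deposit and one withdrawal, and the report will show that two-transaction sequence.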

Targeted fuzzing using static lookahead analysis: how to guide fuzzers using online static analysis

In previous posts, we introduced Harvey, a fuzzer for Ethereum smart contracts, and presented two techniques to boost its effectiveness: input prediction and multi-transaction fuzzing. Harvey is being developed by MythX in collaboration with Maria Christakis from MPI-SWS. It is one of the tools that powers our smart contract analysis service. Sign up for our free plan to give it a try! In this post, we summarize our upcoming ICSE 2020 paper and provide a high-level overview of how we use online static analysis to guide Harvey.
Valentin Wustholz
March 31, 2020

Part 3: MythX ❤️ Continuous Integration (DIY)

This is the third and last post in the MythX series on integrating security analysis of smart contracts into your Continuous Integration (CI) system. In the first part we built a CircleCI configuration. In the second part we built a small and beautiful Travis CI configuration. “But I am using a completely different CI system!” - You, maybe. Fret not. The avid reader might have noticed a common pattern in the past two posts: in both setups we used the MythX CLI and a basic Python runtime.
Dominik Muhs
March 16, 2020

Easy multi-contract security analysis using Mythril

The MythX platform leverages several internal components to provide the best possible analysis results. One of these components is available open-source: the symbolic executor Mythril. In this article, I’ll demonstrate how you can use Mythril to analyze a setup of multiple smart contracts. By default, Mythril will analyze a contract in isolation. Interactions with external contracts are generalized, so that every possible callee behaviour is considered and no vulnerability is missed. Sometimes, this means we find a weakness in your smart contract that might not affect your particular setup.
Joran Honig
March 09, 2020

MythX and Continuous Integration (Part 2): Travis

In the second part of this series on continuous integration, we will build an easy first integration of the MythX API into the Travis continuous integration platform. Other posts in this series: Part 1: CircleCI Part 2: Travis Part 3: (Coming soon) This three-part series is about integrating MythX into Continuous Integration systems. In the first part of this series I have shown how to automatically check for smart contract vulnerabilities in CircleCI.
Dominik Muhs
February 04, 2020

MythX and Continuous Integration (Part 1): CircleCI

In the first post of a new series, we discuss integrating security considerations into a continuous integration pipeline, starting with CircleCI. Conveyor belts. Because continuity. Get it? Continuous testing of applications can be hard to figure out. While it is difficult to measure CI/CD adoption, the blockchain ecosystem offers a great opportunity to adopt in-depth testing and continuous delivery pipelines where they make sense: right from the start. At MythX we don’t mind which technologies you are using to get things done.
Dominik Muhs
January 28, 2020

More ways to stay secure: Announcing two new plans and another way to pay

We’re introducing new plans offering the highest confidence in the correctness of your code, and allowing payment via credit/debit cards for the first time. We’re excited to announce some changes to our MythX plans that will be going live on January 31, 2020. Now, whenever a team announces “exciting changes” it’s often code word for something bad, but in this case, these changes should positively affect (as far as we can predict) absolutely all of our known users.
Mike Pumphrey
January 21, 2020

Verifying smart contract security with Remix and MythX

Leveraging security tools for verification can help you increase confidence in the correctness of smart contract code. Examples are given here using the MythX plugin for Remix. Whether you are a smart contract developer or auditor you might wonder if there’s any value in using an automatic smart contract analysis tool. Assuming you know what you’re doing, will these tools tell you anything you don’t already know? In this article I’ll describe how you can leverage security tools to increase confidence in the correctness of smart contract code and potentially detect issues that are not easily apparent.
Bernhard Mueller
January 14, 2020

MythX is for all stages of smart contract development

We recommend using MythX through every stage of the smart contract development life-cycle, before, during, and after deployment. (Note: This post was originally published in June 2019 and has been updated.) We talk a lot here on the MythX team about the importance of regular, routine analysis of your smart contracts prior to deployment onto the blockchain. The reason for this is simple: once the contract is deployed, it is immutable.
Mike Pumphrey
January 07, 2020

MythX Tech: Behind the Scenes of Smart Contract Security Analysis

The tech behind MythX smart contract analysis, including the microservices Maru, Harvey, and Mythril, and how they work together. When I first introduced Mythril in 2017, I didn’t expect it to be very useful to smart contract developers. It was a simple symbolic analyzer for Ethereum bytecode with tacked-on Solidity support. Mythril was OK for detecting some security issues and solving CTFs, but it wasn’t written with the needs of developers in mind.
Bernhard Mueller
December 17, 2019

All smart contract security issues in one place: An introduction to the SWC Registry

The SWC Registry is an indispensable resource for securing your smart contracts. Here we show how you can use it most effectively. In our last post, we showed you how you can use Remix with the MythX plugin to detect weaknesses in smart contract code. Now, let’s talk about those weaknesses. Smart contract weaknesses are classified into many different types, allowing for easier management and discussion. The code that generates the weakness may vary widely, but the type of weakness is the same.
Mike Pumphrey
December 10, 2019

A beginner’s guide to MythX

A detailed, step-by-step guide on how to use MythX with Remix, showing as well the differences between MythX and MythX Pro. MythX is a tool for finding smart contract weaknesses. For our single developers and dev teams, we offer two plans: MythX and MythX Pro. (We also offer custom plans; contact us for details.) We recently posted about the differences between MythX and MythX Pro. But you may find it more useful to see an actual scenario involving testing a smart contract using MythX.
Mike Pumphrey
November 26, 2019

MythX Pro Security Analysis Explained

MythX recently went live with a new Pro upgrade that offers more powerful analysis features than the free version. In this article I’ll explain how the new “full” analysis mode affects the performance of MythX. MythX is a smart contract security service that integrates multiple analysis techniques. The MythX Pro plan comes with a new analysis mode called Full mode. In this mode, submitted contracts are subjected to a thorough fuzzing campaign and deep inspection using symbolic analysis.
Bernhard Mueller
November 19, 2019

Stepping into the light

MythX comes into its own, and creates a partnership with Consensys Diligence. I would like to introduce you to the new MythX blog. This is the place for the whole MythX team, including our researchers, developers, and (yes) marketing folks to be able to share news, tips, ideas, and consolation/hope for the state of security on the Ethereum platform. (Looking for our old blog? It’s here.) But first, some orientation, and how we got here.
Mike Pumphrey
November 12, 2019