Smart Contract Vulnerability Coverage

MythX currently detects most SWCs found in the SWC Registry. Below you can find the types of vulnerabilities MythX covers.

Detector	Analyses Type	SWC-ID
Solidity assert violation	Symbolic analysis, fuzzing (bytecode)	SWC-110
MythX assertion violation (AssertionFailed event)	Symbolic analysis, fuzzing (bytecode)	SWC-110

Detector	Analyses Type	SWC-ID
Integer overflow in arithmetic operation	Symbolic analysis, fuzzing (bytecode)	SWC-101
Integer underflow in arithmetic operation	Symbolic analysis, fuzzing (bytecode)	SWC-101
Caller can redirect execution to arbitrary locations	Symbolic analysis, fuzzing (bytecode)	SWC-127
Caller can write to arbitrary storage locations	Symbolic analysis, fuzzing (bytecode)	SWC-124
Dangerous use of uninitialized storage variables	Solidity code analysis	SWC-109

Detector	Analyses Type	SWC-ID
Any sender can withdraw ETH from the contract account	Symbolic analysis, fuzzing (bytecode)	SWC-105
Any sender can trigger SELFDESTRUCT	Symbolic analysis, fuzzing (bytecode)	SWC-106
Use of "tx.origin" as a part of authorization control	Solidity code analysis	SWC-115

Detector	Analyses Type	SWC-ID
Delegatecall to a user-supplied address	Symbolic analysis (bytecode)	SWC-112
Call to a user-supplied address	Symbolic analysis (bytecode)	SWC-107
Unchecked return value from external call	Solidity code analysis	SWC-104
Block timestamp influences a control flow decision	Taint analysis (bytecode)	SWC-116
Environment variables influence a control flow decisions	Taint analysis (bytecode)	SWC-120
Loop over unbounded data structure	Solidity code analysis	SWC-128
Implicit loop over unbounded data structure	Solidity code analysis	SWC-128
Usage of "continue" in "do-while"	Solidity code analysis	N/A
Multiple calls are executed in the same transaction	Static analysis (bytecode)	SWC-113
Persistent state read following external call	Static analysis, fuzzing (bytecode)	SWC-107
Persistent state write following external call	Static analysis, fuzzing (bytecode)	SWC-107
Account state accessed after call to user-defined address	Symbolic analysis (bytecode)	SWC-107
Return value of an external call is not checked	Static analysis (bytecode)	SWC-104
Potential weak source of randonmness	Solidity code analysis	SWC-120
Requirement violation	Fuzzing (bytecode)	SWC-123
Call with hardcoded gas amount	Solidity code analysis	SWC-134

Detector	Analyses Type	SWC-ID
Incorrect ERC20 implementation	Solidity code analysis	N/A

Detector	Analyses Type	SWC-ID
Outdated compiler version	Solidity code analysis	SWC-102
No or floating compiler version set	Solidity code analysis	SWC-103
Use of right-to-left-override control character	Solidity code analysis	SWC-130
Shadowing of built-in symbol	Solidity code analysis	SWC-119
Incorrect constructor name	Solidity code analysis	SWC-118
State variable shadows another state variable	Solidity code analysis	SWC-119
Local variable shadows a state variable	Solidity code analysis	SWC-119
Function parameter shadows a state variable	Solidity code analysis	SWC-119
Named return value shadows a state variable	Solidity code analysis	SWC-119
Unary operation without effect	Solidity code analysis	SWC-129
Unary operation directly after assignment	Solidity code analysis	SWC-129
Unused state variable	Solidity code analysis	SWC-131
Unused local variable	Solidity code analysis	SWC-131
Function visibility is not set	Solidity code analysis	SWC-100
State variable visibility is not set	Solidity code analysis	SWC-108
Use of deprecated functions: callcode(), sha3(), ...	Solidity code analysis	SWC-111
Use of deprecated global variables (msg.gas, ...)	Solidity code analysis	SWC-111
Use of deprecated keywords (throw, var)	Solidity code analysis	SWC-111
Incorrect function state mutability	Solidity code analysis	N/A