MythX is a security analysis service for Ethereum smart contracts. It allows any developer or developer team to integrate security into the smart contract development lifecycle.
The MythX suite of industry-leading microservices—including static analysis, dynamic analysis, and symbolic execution—accurately detects security vulnerabilities all through a single service. MythX is integrated into tools developers already use such as Truffle and Remix, and is available directly through a powerful API.
When you submit your code to the API, it gets analyzed by multiple microservices in parallel: a static analyzer that parses the Solidity AST, a symbolic analyzer that detects possible vulnerable states, and a greybox fuzzer that detects vulnerable execution paths. These tools cooperate to return more comprehensive results in the execution time provided.
By providing our service in a Software-as-a-Service (SaaS) platform, you can expect a much higher performance compared to running security tools locally, plus higher vulnerability coverage than any standalone tool.
You also benefit from continuous improvements to our security analysis technology. We continuously add new and improved security tests to our stack to keep you protected as the smart contract security landscape evolves.
Your analysis requests are encrypted with TLS. To provide comprehensive reports and improve performance, we store some of the contract data in our database, including parts of the source code and bytecode. The data never leaves our secure server and is not shared with any outside parties. We keep the results of your analysis so you can retrieve them later, but the report can be accessed by you only.
To ensure the security of your data, all smart contracts associated with MythX have undergone a thorough manual security audit through ConsenSys Diligence.
Existing smart contract security tools are difficult to use, even for developers. MythX leads due to its simplicity; all you need to do is install a tool or plugin for your favorite IDE. Additionally, the MythX analysis engine is significantly more powerful than standalone open source tools. It runs expensive parallel computations that would take a very long time to complete on a standard system.
Automated verification tools like MythX are indispensable during development, but they don’t completely remove the need for an audit. Some classes of bugs, such as business logic vulnerabilities, cannot be detected in a generic fashion. Therefore, we always recommend an audit by a human expert. That said, using MythX will likely make your audit easier and less expensive, since there will be fewer problems detected.
In short, MythX doesn’t replace an audit; it prepares you for one.
See the Tools section of our documentation. Also, you can search the package manager or app store of your IDE for “MythX” to discover MythX tools.
The analysis time depends on what mode you are using. The “quick” mode runs for a maximum of 120 seconds, while the “full” mode runs for upwards of 30 minutes.
Reported issues should always contain the specific location in the code of the vulnerability, and also a “SWC ID” field. The SWC ID uniquely identifies the issue in the SWC Registry, where detailed information and remediation steps are listed.
MythX has a free plan available to everyone. In addition, MythX Pro includes more features and deeper scans. Please see the Plans page to see the details for each plan.
The free plan only checks against ten common vulnerabilities, while MythX Pro searches for almost every smart contract vulnerability in the SWC Registry. MythX Pro also includes the ability to run “full” mode, which runs a deeper scan with more comprehensive results. For more information, please see the Plans page.
We accept cryptocurrency payments exclusively in Dai, a stablecoin with a value pegged to the U.S. Dollar. Enterprise customers may be able to use other forms of payment. Please click the “Help” button below to contact us if you have questions about payment.
Our Enterprise plans can allow for shared team usage. Please click the “Help” button below to contact us for more details.
Building on MythX gives you access to the premier smart contract security analysis service that combines static code analysis, guided greybox fuzzing, and symbolic execution. You can focus on the user experience while we focus on providing the best security analysis engine possible.
You can also earn a revenue share through your tool, with the share calculated based on the number of paying users who use your tool. We are planning to offer 25% of API revenues back to tool builders once our paid subscription plans go live.
Please see our documentation on building security tools with MythX.
There are no limitations on what you can build. IDE plugins, GitHub apps, CI tools, extensions for code editors, web apps and dashboards are all possible. The only thing that matters is that users of your tool need to sign up for a MythX account.
Register for a free account and start building. Don’t forget to pick a unique name for your tool and include it in the clientToolId field with API requests. To become eligible for revenue share you must first register your tool on the MythX Nexus.
Please refer to the documentation on building security tools using MythX for more information.