General
What is MythX?
MythX is a security analysis service for Ethereum smart contracts. It allows any developer or developer team to integrate security into the smart contract development lifecycle.
MythX is integrated into widely used tools such as Truffle and Remix.
How does MythX work?
When you submit your code to the API, it is analyzed by multiple microservices in parallel: a static analyzer that parses the Solidity AST, a symbolic analyzer that detects possibly vulnerable states, and a greybox fuzzer that detects vulnerable execution paths. These tools cooperate to return the most comprehensive results possible within the execution time provided.
What types of security vulnerabilities does MythX detect?
For more details, please see the list of vulnerabilities covered by MythX.
What is the advantage of using a SaaS platform such as MythX?
By using our Software-as-a-Service (SaaS) platform, you will get much higher performance compared to running security tools locally, plus higher vulnerability coverage than any standalone tool.
You also benefit from continuous improvements to our security analysis technology. We continuously add new and improved security tests to our stack to keep you protected as the smart contract security landscape evolves.
Is it safe to submit my smart contract source code to MythX?
Your analysis requests are encrypted with TLS. To provide comprehensive reports and improve performance, we store some of the contract data in our database, including parts of the source code and bytecode. The data never leaves our secure server and is not shared with any outside parties. We keep the results of your analysis so you can retrieve them later, but the report can be accessed by you only.
To ensure the security of your data, all smart contracts associated with MythX have undergone a thorough manual security audit by ConsenSys Diligence.
Why should I use MythX instead of Mythril or other open source tools?
Existing smart contract security tools are difficult to use, even for developers. MythX leads due to its simplicity; all you need to do is install a tool or plugin for your favorite IDE. Additionally, the MythX analysis engine is significantly more powerful than standalone open source tools. It runs expensive parallel computations that would take a very long time to complete on a standard system.
Do I still have to do a manual audit if I use MythX?
Automated verification tools like MythX are an indispensable tool during development, but they don’t completely remove the need for an audit. Some classes of bugs, such as business logic vulnerabilities, cannot be detected in a generic fashion. Therefore, we always recommend an audit by a human expert. That said, using MythX will likely make your audit easier and less expensive, since there will be fewer problems detected.
In short, MythX doesn’t replace an audit; it prepares you for one.
What is residual risk?
Residual risk is the probability of a vulnerability existing in the parts of the smart contract that have not received in-depth analysis. The longer the analysis runs, the lower the residual risk will be.
What are the benefits of a longer computing time?
With more computing time dedicated to each analysis, MythX will be more likely to detect even deeper hidden security bugs in the smart contract code and minimize residual risk. The Deep scan feature available in our Professional plan also enables users to ensure functional correctness of their smart contracts with high confidence.
Using MythX
How do I get started using MythX?
Register for an account, select a subscription plan or buy a scan pack, then use a tool of your choice and configure it with your API key. For a detailed walkthrough, see our Getting Started guide.
Can I use MythX in [my favorite IDE or code editor]?
See the Tools section of our documentation. Also, you can search the package manager or app store of your IDE for “MythX” to discover MythX tools.
How long does a smart contract security analysis take?
The computing time dedicated to each analysis depends on the plan you are on. Quick scan runs for 2 minutes, Standard scan runs for 15 minutes, and Deep scan runs for 45 minutes.
How do I get detailed information about the security issues reported?
Reported issues should always contain the specific location in the code of the vulnerability, and also a “SWC ID” field. The SWC ID uniquely identifies the issue in the SWC Registry, where detailed information and remediation steps are listed.
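A CI-style triage of the SWC IDs in a report, as an added example (not MythX's own code): the report JSON below is a constructed sample with an assumed schema, while the SWC Registry link format is real.

```python
# Added example, not MythX's own code: triage a MythX-style report by SWC ID.
# The JSON shape below is a constructed approximation of a report, not the
# official MythX schema; the SWC Registry URL format is real.
import json
import re

SWC_ID_RE = re.compile(r"^SWC-\d{3}$")
SWC_REGISTRY = "https://swcregistry.io/docs/"
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample report (assumed schema).
SAMPLE_REPORT = json.dumps({"issues": [
    {"swcID": "SWC-107", "severity": "High",
     "description": {"head": "External call before state update"},
     "locations": [{"sourceFile": "Vault.sol", "line": 42}]},
    {"swcID": "SWC-103", "severity": "Low",
     "description": {"head": "Floating compiler version pragma"},
     "locations": [{"sourceFile": "Vault.sol", "line": 1}]},
    {"swcID": "bogus", "severity": "Medium",
     "description": {"head": "Malformed entry"}, "locations": []},
]})


def triage(report_json, fail_on="Medium"):
    """Return (findings sorted by severity, build_ok); build_ok is False when
    an issue meets the fail_on severity or its SWC ID cannot be resolved."""
    threshold = SEVERITY_RANK.get(fail_on, 2)
    findings, build_ok = [], True
    for issue in json.loads(report_json).get("issues", []):
        swc = issue.get("swcID", "")
        valid = bool(SWC_ID_RE.match(swc))  # unresolvable IDs block the build
        locs = issue.get("locations") or [{"sourceFile": "?", "line": 0}]
        severity = issue.get("severity", "Unknown")
        findings.append({
            "swc": swc, "valid": valid, "severity": severity,
            "where": ", ".join(f"{l['sourceFile']}:{l['line']}" for l in locs),
            "link": SWC_REGISTRY + swc if valid else None,
            "title": issue.get("description", {}).get("head", ""),
        })
        if SEVERITY_RANK.get(severity, 0) >= threshold or not valid:
            build_ok = False
    findings.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return findings, build_ok


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT)[0]:
        print(f"{f['severity']:<7}{f['swc']:<9}{f['where']:<14}{f['link']}")
```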
Can I view the results of past analysis requests?
Yes. Log in to your account and click "View Analyses" to see the job history for your account.
How do I get the best analysis results for my smart contract from MythX?
To ensure you always get the most comprehensive results, please submit the smart contract source code (the *.sol file). This allows MythX to thoroughly analyze every line of code and return results listing all the vulnerabilities MythX can currently detect. Please note that if you only submit bytecode (your compiled contract), MythX can still analyze it, but with limited results.
Always submit your source code for the best results!
Developing / integrating with MythX
Why should I build on MythX?
Building on MythX gives you access to the premier smart contract security analysis service that combines static code analysis, guided greybox fuzzing, and symbolic execution. You can focus on the user experience while we focus on providing the best security analysis engine possible.
You can also earn a revenue share through your tool, with the share calculated based on the number of paying users who use your tool. We are planning to offer 25% of API revenues back to tool builders once our paid subscription plans go live.
Please see our documentation on building security tools with MythX.
What types of tools can be built on MythX?
There are no limitations on what you can build. IDE plugins, GitHub apps, CI tools, extensions for code editors, web apps and dashboards are all possible. The only requirement is that users of your tool sign up for a MythX account.
What programming languages does MythX support?
Since MythX is an API, it is not limited to specific programming languages. In terms of language bindings we currently offer a thin JavaScript client library and a Python library. For more information, see our guide on how to build your own security tools with MythX.
How do I learn more about the MythX API?
The MythX API is fully documented and open. You can also view our API walkthrough.
How do I get started building on MythX?
Register for an account and start building. Don't forget to pick a unique name for your tool and include it in the clientToolId field with API requests. To become eligible for revenue share you must first register your tool on the MythX Partner Program.
Please refer to the documentation on building security tools using MythX for more information.
How can my company become a MythX partner?
MythX partners can integrate MythX into their own products and services. We have a partner portal, the MythX Partner Program, where we highlight and showcase our partners and their tools and services.
If you are interested in becoming a partner, you can join here.