What is MythX?
MythX is a security analysis service for Ethereum smart contracts. It allows any developer or developer team to integrate security into the smart contract development lifecycle.
How does MythX work?
When you submit your code to the API it gets analyzed by multiple microservices in parallel: A static analyzer that parses the Soldity AST, a symbolic analyzer that detects possible vulnerable states, and a greybox fuzzer that detects vulnerable execution paths. These tools cooperate to return the more comprehensive results in the execution time provided.
What types of security vulnerabilities does MythX detect?
For more details, please see the list of vulnerabilities covered by MythX.
What is the advantage of using a SaaS platform such as MythX?
By using our Software-as-a-Service (SaaS) platform, you will get much higher performance compared to running security tools locally, plus higher vulnerability coverage than any standalone tool.
You also benefit from continuous improvements to our security analysis technology. We continuously add new and improved security tests to our stack to keep you protected as the smart contract security landscape evolves.
Is it safe to submit my smart contract source code to MythX?
Your analysis requests are encrypted with TLS. To provide comprehensive reports and improve performance, we store some of the contract data in our database, including parts of the source code and bytecode. The data never leaves our secure server and is not shared with any outside parties. We keep the results of your analysis so you can retrieve them later, but the report can be accessed by you only.
To ensure the security of your data, all smart contacts associated with MythX have undergone a thorough manual security audit through ConsenSys Diligence.
Why should I use MythX instead of Mythril or other open source tools?
Existing smart contract security tools are difficult to use, even for developers. MythX leads due to its simplicity; all you need to do is install a tool or plugin for your favorite IDE. Additionally, the MythX analysis engine is significantly more powerful than standalone open source tools. It runs expensive parallel computations that would take a very long time to complete on a standard system.
Do I still have to do a manual audit if I use MythX?
Automated verification tools like MythX are an indispensable tool during development, but they don’t completely remove the need for an audit. Some classes of bugs, such as business logic vulnerabilities, cannot be detected in a generic fashion. Therefore, we always recommend an audit by a human expert. That said, using MythX will likely make your audit easier and less expensive, since there will be fewer problems detected.
In short, MythX doesn’t replace an audit; it prepares you for one.
What is residual risk?
Residual risk is the probability of a vulnerability being in the part of the smart contracts that have not received in-depth analysis. The longer the analysis runs for, the lower the residual risk will be.
What are the benefits of a longer computing time?
With more computing time dedicated to each analysis, MythX will be more likely to detect even deeper hidden security bugs in the smart contract code and minimize residual risk. The Deep scan feature available in our Professional plan also enables users to ensure functional correctness of their smart contracts with high confidence.
How do I get started using MythX?
Register for an account, select a subscription plan or buy an scan pack, then use a tool of your choice and configure it with your API key. For a detailed walkthrough, see our Getting Started guide.
Can I use MythX in [my favorite IDE or code editor]?
See the Tools section of our documentation. Also, you can search the package manager or app store of your IDE for “MythX” to discover MythX tools.
How long does a smart contract security analysis take?
The computing time dedicated to each analysis depends on the plan you are on. Quick scan runs for 5 minutes, Standard scan runs for 30 minutes, and Deep scan runs for 90 minutes.
How do I get detailed information about the security issues reported?
Reported issues should always contain the specific location in the code of the vulnerability, and also a “SWC ID” field. The SWC ID uniquely identifies the issue in the SWC Registry, where detailed information and remediation steps are listed.
Can I view the results of past analysis requests?
Yes. Log in to your account and click "View Analyses” to see the job history for your account.
How to I get the best analysis results for my smart contract from MythX?
To ensure you always get the most comprehensive results please submit the smart contract source code
*.sol file. This allows MythX to thoroughly analyze ever line of code and return results listing all the vulnerabilities MythX can currently detect. Please note if you only submit bytecode (your compiled contract) MythX can still analyze it but with limited results.
So beware always submit your source code for best results!
What does MythX cost?
MythX has two subscription plans MythX Developer and Professional in addition to on demand scan packs. Please see our Pricing page for more details.
What payment methods do you accept?
We accept both credit card, debit card, and cryptocurrency payments (exclusively in Dai) for our Developer and Professional plans. Enterprise customers will be invoiced. Please click the “Help” button below to contact us if you have questions about payment.
What if I need a custom plan?
Our Enterprise plan provides custom support, deployments, and integrations. If you would like to know more about our Enterprise offerings, please contact us.
Can I use my Ledger/Trezor wallet connected to Metamask to register?
These hardware wallets do not currently support the Metamask signature methods we require to register new users and pay for subscriptions, so a traditional Metamask account is necessary.
How do I upgrade my plan?
You can upgrade your plan at any time. When upgrading from the Developer to Professional plan before your renewal date, your current subscription balance will not be refunded. The features of your upgraded plan will start immediately after purchasing.
How do I downgrade my plan? Do you offer refunds?
There are two options when downgrading from a paid plan:
- You can downgrade from the Professional plan to the Developer plan at any time by cancelling your subscription, then purchasing the Developer plan.
- You can downgrade to the On Demand plan at any time by canceling your current payment. You will then switch to the On Demand plan at your next renewal date.
We do not offer refunds for cancellations or plan downgrades.
Developing / integrating with MythX
Why should I build on MythX?
Building on MythX gives you access to the premier smart contract security analysis service that combines static code analysis, guided greybox fuzzing, and symbolic execution. You can focus on the user experience while we focus on providing the best security analysis engine possible.
You can also earn a revenue share through your tool, with the share calculated based on the number of paying users who use your tool. We are planning to offer 25% of API revenues back to tool builders once our paid subscription plans go live.
Please see our documentation on building security tools with MythX.
What types of tools can be built on MythX?
There are no limitations on what you can build. IDE plugins, GitHub apps, CI tools, extensions for code editors, web apps and dashboards, all are possible. The only thing that matters is that users of your tool need to sign up for a MythX account.
What programming languages does MythX support?
How do I learn more about the MythX API?
How do I get started building on MythX?
Register for an account and start building. Don’t forget to pick a unique name for your tool and include it in the
clientToolId field with API requests. To become eligible for revenue share you must first register your tool on the MythX Nexus.
Please refer to the documentation on building security tools using MythX for more information.