FAQ

General

What is MythX?

MythX is a security analysis service for Ethereum smart contracts. It allows any developer or developer team to integrate security into the smart contract development lifecycle.

The MythX suite of industry-leading microservices—including static analysis, dynamic analysis, and symbolic execution—accurately detects security vulnerabilities all through a single service. MythX is integrated into tools developers already use such as Truffle and Remix, and is available directly through a powerful API.

How does MythX work?

When you submit your code to the API, it is analyzed by multiple microservices in parallel: a static analyzer that parses the Solidity AST, a symbolic analyzer that detects possible vulnerable states, and a greybox fuzzer that detects vulnerable execution paths. These tools cooperate to return more comprehensive results in the execution time provided.

What types of security vulnerabilities does MythX detect?

MythX currently covers almost all of the vulnerability classes listed in the SWC Registry. For full details on what vulnerabilities we are able to detect, please see our SWC coverage.

What is the advantage of using a SaaS platform such as MythX?

By providing our service as a Software-as-a-Service (SaaS) platform, we can offer much higher performance than running security tools locally, plus higher vulnerability coverage than any standalone tool.

You also benefit from continuous improvements to our security analysis technology. We continuously add new and improved security tests to our stack to keep you protected as the smart contract security landscape evolves.

Is it safe to submit my smart contract source code to MythX?

Your analysis requests are encrypted with TLS. To provide comprehensive reports and improve performance, we store some of the contract data in our database, including parts of the source code and bytecode. The data never leaves our secure server and is not shared with any outside parties. We keep the results of your analysis so you can retrieve them later, but the report can be accessed by you only.

To ensure the security of your data, all smart contracts associated with MythX have undergone a thorough manual security audit through ConsenSys Diligence.

Why should I use MythX instead of Mythril or other open source tools?

Existing smart contract security tools are difficult to use, even for developers. MythX leads due to its simplicity; all you need to do is install a tool or plugin for your favorite IDE. Additionally, the MythX analysis engine is significantly more powerful than standalone open source tools. It runs expensive parallel computations that would take a very long time to complete on a standard system.

Do I still have to do a manual audit if I use MythX?

Automated verification tools like MythX are indispensable during development, but they don’t completely remove the need for an audit. Some classes of bugs, such as business logic vulnerabilities, cannot be detected in a generic fashion. Therefore, we always recommend an audit by a human expert. That said, using MythX will likely make your audit easier and less expensive, since there will be fewer problems detected.

In short, MythX doesn’t replace an audit; it prepares you for one.

Using MythX

How do I get started using MythX?

Register for a free account, then use a tool of your choice and configure it with your Ethereum address and password. For a detailed walkthrough, see our Getting Started guide.

Can I use MythX in [my favorite IDE or code editor]?

See the Tools section of our documentation. Also, you can search the package manager or app store of your IDE for “MythX” to discover MythX tools.

How long does a smart contract security analysis take?

The analysis time depends on what mode you are using. The “quick” mode runs for a maximum of 120 seconds, while the “full” mode runs for upwards of 30 minutes.

How do I get detailed information about the security issues reported?

Reported issues should always contain the specific location in the code of the vulnerability, and also a “SWC ID” field. The SWC ID uniquely identifies the issue in the SWC Registry, where detailed information and remediation steps are listed.

Can I view the results of past analysis requests?

Yes. Log in to your account and click “Past Analyses” to see the job history for your account.

How do I get the best analysis results for my smart contract from MythX?

To ensure you always get the most comprehensive results, please submit the smart contract source code (the *.sol file). This allows MythX to thoroughly analyze every line of code and return results listing all the vulnerabilities MythX can currently detect. Note that if you submit only bytecode (your compiled contract), MythX can still analyze it, but with limited results. Always submit your source code for the best results!

Pricing

What does MythX cost?

MythX has a free plan available to everyone. In addition, MythX Pro includes more features and deeper scans. Please see the Plans page to see the details for each plan.

What is the difference between the free plan and MythX Pro?

The free plan checks against only ten common vulnerabilities, while MythX Pro searches for almost every smart contract vulnerability in the SWC Registry. MythX Pro also includes the ability to run “full” mode, which runs a deeper scan with more comprehensive results. For more information, please see the Plans page.

Do I need to have cryptocurrency to pay subscription fees?

We accept cryptocurrency payments exclusively in Dai, a stablecoin with a value pegged to the U.S. Dollar. Enterprise customers may be able to use other forms of payment. Please click the “Help” button below to contact us if you have questions about payment.

How do I use MythX with my team?

Our Enterprise plans can allow for shared team usage. Please click the “Help” button below to contact us for more details.

Developing / integrating with MythX

Why should I build on MythX?

Building on MythX gives you access to the premier smart contract security analysis service that combines static code analysis, guided greybox fuzzing, and symbolic execution. You can focus on the user experience while we focus on providing the best security analysis engine possible.

You can also earn a revenue share through your tool, with the share calculated based on the number of paying users who use your tool. We are planning to offer 25% of API revenues back to tool builders once our paid subscription plans go live.

Please see our documentation on building security tools with MythX.

What types of tools can be built on MythX?

There are no limitations on what you can build. IDE plugins, GitHub apps, CI tools, extensions for code editors, web apps and dashboards, all are possible. The only thing that matters is that users of your tool need to sign up for a MythX account.

What programming languages does MythX support?

Since MythX is an API, it is not limited to specific programming languages. In terms of language bindings we currently offer a thin JavaScript client library and a Python library. For more information, see our guide on how to build your own security tools with MythX.

How do I learn more about the MythX API?

The MythX API is fully documented and open. You can also view our API walkthrough.

How do I get started building on MythX?

Register for a free account and start building. Don’t forget to pick a unique name for your tool and include it in the clientToolId field with API requests. To become eligible for revenue share you must first register your tool on the MythX Nexus.

Please refer to the documentation on building security tools using MythX for more information.

How can my company become a MythX partner?

MythX partners can integrate MythX into their own products and services. We have a partner portal, the MythX Nexus, where we highlight and showcase our partners and their tools and services.

If you are interested in becoming a partner, you can join here.