Ethereum security tools built by ConsenSys Diligence
ConsenSys Diligence is a security-focused group of 30+ Ethereum engineers, auditors and researchers distributed all over the world. We have a tradition of building security tools for ourselves and the Ethereum community. Because our time is precious, we focus on creating polished, highly usable tools that are truly helpful to auditors and smart contract developers. This article introduces some of the highlights.
Visual Auditors for Solidity and Vyper
Written by Martin Ortner a.k.a. tintinweb, Solidity Visual Auditor is a Visual Studio Code extension created to make the life of smart contract auditors easier. It provides security-aware syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code users. Comprehensive security analysis functionality will be added soon. A Vyper version is also available.
MythX is a powerful cloud-based service that uses symbolic analysis and input fuzzing to detect security bugs and verify the correctness of smart contract code. It integrates with IDEs like Remix and Truffle and can be used both during development and in the continuous integration pipeline. Using MythX requires an API key which is available on the MythX website.
Auditing complex smart contract systems may cause your head to explode. Surya by Goncalo Sá aids auditors in understanding and visualizing Solidity smart contracts. It provides information about the contracts’ structure and generates call graphs and inheritance graphs. It also supports querying the function call graph in multiple ways to aid in the manual inspection of contracts.
The Swiss Army Knife of smart contract security hardly needs an introduction. On the off chance that you haven’t heard of it, Mythril is a disassembler, hacking tool and security analyzer that uses symbolic analysis and taint analysis to detect a variety of security vulnerabilities. It works with Solidity code and raw EVM bytecode, eWASM support is coming soon.
Mythril’s little brother, Scrooge McEtherface, takes things a little further by automatically exploiting the detected issues. Only every use this in a test environment!
Karl by Daniel Luca is a monitor for smart contracts that checks for security vulnerabilities using the Mythril detection engine. It can be used to monitor the Ethereum blockchain for newly deployed vulnerable smart contracts in real-time. It eliminates false positives by running candidate contracts in a virtual copy of the blockchain. Trust us, Karl discovers a lot of interesting gems every day.
Panvala is another ambitious project by Diligence. Created by Diligence’s resident token genius Niran Babalola, it’s not a tool, but a crypto-economic game with the goal of making Ethereum safer. In Panvala, smart contracts developers can stake tokens to get get a Panvala mark and will lose the tokens if security issues are found. Ethereum wallets like MetaMask can display Panvala marks directly in the user interface.
Panvala connects grant funders, corporate open source projects and volunteers with a token that gives them all a shared incentive to find sustainable funding together. Panvala Token Grants are issued to reward work that makes Ethereum safer. Join the Panvala Telegram channel if you’d like to get involved.
We are planning to release more polished tools under an open source license later this year — most notably, an IR-based static analyzer named Maru and an innovative greybox fuzzer named Harvey. Both tools are already running in the the MythX backend. Follow us on Medium to stay up-to-date!