All Ethereum Security Tools Built by ConsenSys Diligence

Bernhard Mueller
Mar 29, 2019 · 4 min read

ConsenSys Diligence is a security-focused group of 30+ Ethereum engineers, auditors and researchers distributed all over the world. We have a tradition of building security tools for ourselves and the Ethereum community. Because our time is precious, we focus on creating polished, highly usable tools that are truly helpful to auditors and smart contract developers. This article introduces some of the highlights.


Visual Auditors for Solidity and Vyper

Written by Martin Ortner a.k.a. tintinweb, Solidity Visual Auditor is a Visual Studio Code extension created to make the life of smart contract auditors easier. It provides security-aware syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code users. Comprehensive security analysis functionality will be added soon. A Vyper version is also available.


MythX

MythX is a powerful cloud-based service that uses symbolic analysis and input fuzzing to detect security bugs and verify the correctness of smart contract code. It integrates with IDEs like Remix and Truffle and can be used both during development and in the continuous integration pipeline. Using MythX requires an API key which is available on the MythX website.

MythX is a professional symbolic analyzer and input fuzzer that is usable from GUIs and CI environments.

Surya

Auditing complex smart contract systems may cause your head to explode. Surya by Goncalo Sá aids auditors in understanding and visualizing Solidity smart contracts. It provides information about the contracts’ structure and generates call graphs and inheritance graphs. It also supports querying the function call graph in multiple ways to aid in the manual inspection of contracts.

Surya can produce a DOT-formatted graph of the inheritance tree.

Mythril

The Swiss Army Knife of smart contract security hardly needs an introduction. On the off chance that you haven’t heard of it, Mythril is a disassembler, hacking tool and security analyzer that uses symbolic analysis and taint analysis to detect a variety of security vulnerabilities. It works with Solidity code and raw EVM bytecode; eWASM support is coming soon.

Don’t accidentally kill it!

Mythril’s little brother, Scrooge McEtherface, takes things a little further by automatically exploiting the detected issues. Only ever use this in a test environment!

You just accidentally stole 4 ETH.
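The “Don’t accidentally kill it!” caption above refers to the class of bug where a contract’s selfdestruct can be triggered by anyone, which Mythril reports as an unprotected selfdestruct (SWC-106). The following Solidity is an added illustration written for this article, not code from the Mythril project or from Diligence; the contract and function names are made up. It shows the vulnerable pattern next to the access-controlled version an auditor would expect to see:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example (not Diligence code): the selfdestruct in kill()
// is reachable by any caller, so anyone can destroy the contract and
// take its balance. This is the pattern a symbolic analyzer such as
// Mythril flags as an unprotected selfdestruct.
contract UnprotectedKill {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    function deposit() external payable {}

    // Vulnerable: no check on msg.sender before selfdestruct.
    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}

// Hardened version of the same contract: only the owner may destroy it,
// and any remaining balance is sent to the owner rather than the caller.
contract GuardedKill {
    address public owner;

    event Killed(address indexed by);

    constructor() payable {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function deposit() external payable {}

    // Fixed: the onlyOwner modifier restricts who can reach selfdestruct,
    // and the beneficiary is a fixed, trusted address instead of msg.sender.
    function kill() external onlyOwner {
        emit Killed(msg.sender);
        selfdestruct(payable(owner));
    }
}
```

The difference an analyzer looks for is whether the path to the selfdestruct opcode is constrained by msg.sender: in UnprotectedKill it is not, so a symbolic execution can reach it with an arbitrary caller, while in GuardedKill the require() makes that path unreachable for anyone but the owner.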

Karl

Karl by Daniel Luca is a monitor for smart contracts that checks for security vulnerabilities using the Mythril detection engine. It can be used to monitor the Ethereum blockchain for newly deployed vulnerable smart contracts in real-time. It eliminates false positives by running candidate contracts in a virtual copy of the blockchain. Trust us, Karl discovers a lot of interesting gems every day.

Karl scrapes every new block for contract-creating transactions and logs vulnerabilities.

Panvala

Panvala is another ambitious project by Diligence. Created by Diligence’s resident token genius Niran Babalola, it’s not a tool, but a crypto-economic game with the goal of making Ethereum safer. In Panvala, smart contract developers can stake tokens to get a Panvala mark and will lose the tokens if security issues are found. Ethereum wallets like MetaMask can display Panvala marks directly in the user interface.


Panvala connects grant funders, corporate open source projects and volunteers with a token that gives them all a shared incentive to find sustainable funding together. Panvala Token Grants are issued to reward work that makes Ethereum safer. Join the Panvala Telegram channel if you’d like to get involved.

Coming soon

We are planning to release more polished tools under an open source license later this year — most notably, an IR-based static analyzer named Maru and an innovative greybox fuzzer named Harvey. Both tools are already running in the MythX backend. Follow us on Medium to stay up-to-date!


Bernhard Mueller

Written by

Security researcher, uncertified hacker, crypto trader. Author of the OWASP Mobile Security Guide. Pwnie winner. Former @ConsenSys

ConsenSys Diligence

ConsenSys Diligence has the mission of solving Ethereum smart contract security. Contact us for an audit at diligence@consensys.net.
