MythX for Truffle: Painless Smart Contract Security Testing

This article gives an introduction to the MythX security analysis plugin for Truffle.

Do you develop smart contracts? Would you like to be able to check your contract for vulnerabilities without sacrificing your other responsibilities?

This article will introduce you to MythX for Truffle. MythX for Truffle extends the Truffle framework to be able to leverage the MythX platform to test contracts for security holes. It creates actionable reports for your smart contracts to help you remove easy-to-miss weaknesses and vulnerabilities.

Setting up MythX for Truffle

MythX for Truffle is a Truffle plugin, and uses MythX on the back end to inspect your smart contracts for security vulnerabilities. It makes testing your smart contracts for security holes as simple as running a single command.

You can follow along with this vulnerable Truffle project or use your own.

First, install the truffle-security package:

$ npm install -g truffle-security

Currently, Truffle plugins are enabled on a per-project basis. In the future, truffle plans on having a global configuration. For now, add the plugin to truffle-config.js in the root directory of your Truffle project:

module.exports = {
    ...
    plugins: [ "truffle-security" ]
};

Truffle allows you to set a specific compiler version for the contracts that you are analyzing, if needed. The contracts in the example project use solc 0.5.5, so ensure that the compiler is specified in truffle-config.js.

module.exports = {
    ...
    compilers: {
        solc: {
            version: "0.5.5",
        }
    }
};

Using MythX for Truffle

You are now ready to analyze your contracts:

$ truffle run verify
[Screenshot: Output of the MythX plugin for Truffle]

To be sure you have access to the full, unlimited results, you will need to set up a free account on the MythX website. You will specify an Ethereum address and create a password.

(During the beta, access will remain completely free. Paid plans will eventually be available with fewer restrictions, but there will always be a free option.)

Once you have obtained credentials, set the environment variables MYTHX_ETH_ADDRESS and MYTHX_PASSWORD. If you are using .bashrc, you can add the following lines:

export MYTHX_ETH_ADDRESS=0x1234567891235678900000000000000000000000
export MYTHX_PASSWORD='Put your password in here!'

Understanding the results

Vulnerabilities in the IntegerOverflowMul contract

For the IntegerOverflowMul contract, MythX for Truffle reports an overflow at line 10.

1  //Single transaction overflow
2  //Post-transaction effect: overflow escapes to publicly-readable storage
3
4  pragma solidity 0.5.5;
5
6  contract IntegerOverflowMul {
7      uint public count = 2;
8
9      function run(uint256 input) public {
10         count *= input;
11     }
12 }

As all math in Solidity is mod 2²⁵⁶, count can be overflowed here with a large enough input. For example, if input were 2²⁵⁶ - 1, count would be set to (2²⁵⁶ - 1) * 2 % 2²⁵⁶, which is 2²⁵⁶ - 2 rather than the intended product. One way to prevent an integer overflow like this is to use OpenZeppelin’s SafeMath.
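The hardened form of the contract above, as an added example that is not part of the original article or of the example project. The checked-multiply library is modelled on OpenZeppelin’s SafeMath.mul and is inlined so the snippet compiles on its own; in a real project you would import openzeppelin-solidity/contracts/math/SafeMath.sol instead. The names CheckedMath and IntegerOverflowMulSafe are assumptions made for this example.

```solidity
pragma solidity 0.5.5;

// Minimal checked multiply modelled on OpenZeppelin's SafeMath.mul.
// Inlined here for a self-contained example; use the real library in a project.
library CheckedMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        // 0 * anything is 0 and cannot overflow; this also avoids the
        // division by zero in the check below.
        if (a == 0) {
            return 0;
        }
        uint256 c = a * b; // wraps mod 2**256 on overflow (unchecked in 0.5.x)
        // If the product wrapped, dividing it back by a no longer yields b.
        require(c / a == b, "CheckedMath: multiplication overflow");
        return c;
    }
}

// Hardened version of IntegerOverflowMul (hypothetical contract name).
contract IntegerOverflowMulSafe {
    using CheckedMath for uint256;

    uint public count = 2;

    function run(uint256 input) public {
        // Reverts instead of silently wrapping when count * input >= 2**256,
        // so the overflowed value never reaches publicly readable storage.
        count = count.mul(input);
    }
}
```

Calling run(2²⁵⁶ - 1) on the original contract leaves count at 2²⁵⁶ - 2; the same call on this version reverts and count stays at 2. Note that the wrap-around behaviour relied on here is specific to Solidity versions before 0.8.0, which made arithmetic checked by default; on 0.5.5, as pinned in the example project, the explicit check is required.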

Each analysis result reports an SWC ID. For example, the SWC ID for an integer overflow is SWC-101. The Smart Contract Weakness Registry is a resource containing examples and descriptions of smart contract vulnerabilities. If you are unsure about any reported vulnerability, look it up in the registry to understand the bug.

[Screenshot: Details about SWC-120: “Weak Sources of Randomness from Chain Attributes”]

Future Plans and Directions

The MythX team is planning more integrations beyond just Truffle. MythX analysis is currently being integrated into several IDEs including VSCode and Remix. We are planning on integrating MythX in popular CI solutions as well.

In addition, we are offering a 25% revenue share to developers who create their own MythX integrations, so we hope to see many more integrations after the 1.0 release. The library used by MythX for Truffle and the upcoming VSCode Solidity extension will be made available for developers wanting to write code with MythX or to write integrations.

Conclusion

MythX for Truffle is valuable for every smart contract developer. It helps keep your code secure throughout the entire development process and reveals vulnerabilities the moment they are introduced.

Automated analysis can never replace a professional manual audit, but consistent use of automated analysis tools will certainly make the audit simpler, less painful, and cheaper.

UPDATE: We have published a video showing how to use the MythX for Truffle plugin. Check it out!

Useful Links

Nathan Peercy is a security tool developer on the MythX team.