Smart Contract Security Tools for Embark, Truffle, Github and Continuous Integration
Introducing the best submissions from the MythX Ethereal Hackathon.
This April, Microsoft and Gitcoin teamed up to organize the first Ethereal Virtual Hackathon. This was a great opportunity for us to kick off some bounties and introduce the MythX smart contract security API to a wider audience. We were excited to see what developers would come up with and the results didn’t disappoint! We received a total of 16 submissions and awarded a total of 5,000 Dai worth of prizes to 7 winners.
While some of the submissions are still a bit rough around the edges, they go a long way in showing the many use-cases enabled by our API. Here are some of our favorites.
MythX Plugin for Embark Framework
From your Embark project directory, install it with npm i embark-mythx and follow the configuration instructions in the README. This adds a new “verify” console command that runs security tests on the smart contracts contained in the project. The analysis runs asynchronously in the background. When the analysis is completed, each discovered security issue is listed with line and column number, a short description, and a smart contract weakness classification ID (you can use this ID to look up more detailed descriptions in the SWC registry).
Truffle Sca2t (pronounced “Skärt”) by Teruhiro Tagomori of NRI Secure is a plugin for the Truffle framework that assists smart contract auditors in their day-to-day workflow. Besides some other nice features, such as rendering dependency graphs, it integrates MythX in interesting and useful ways:
- It generates Mocha test files that can be used to integrate MythX into continuous integration frameworks like Circle CI, Travis and Jenkins;
- It can export Postman Collection files for MythX API interactions;
- It comes with a standalone command line interface for running security analysis on one or multiple smart contracts.
To top things off, the command line interface can export nice HTML and markdown reports.
GitMythX by Marin Petrunić (Node Factory) is a Github app for continuous integration of MythX security checks. More specifically, it analyzes the smart contracts contained in the repository on every pull request. The test passes if MythX returns no security issues. If issues are detected, the test fails and GitMythX generates an HTML report detailing the issues.
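The pass/fail gate that GitMythX applies on each pull request, and the Mocha tests and markdown reports that Sca2t generates, follow the same pattern: take the issue list a scan returns, decide whether anything blocks the build, and render what was found. The following is an added example written for this post, not code from either project; the issue fields (swcID, swcTitle, severity, file, line, column) are a constructed approximation of a MythX result, not the exact API schema.

```javascript
// Added example: a CI gate over a MythX-style issue list. The issue shape is
// a constructed approximation of MythX output, not the real API schema.

const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3 };

// Constructed sample: what a scan of a contract with two findings might return.
const SAMPLE_ISSUES = [
  { swcID: 'SWC-107', swcTitle: 'Reentrancy', severity: 'High',
    description: 'External call before state update', file: 'Vault.sol', line: 42, column: 8 },
  { swcID: 'SWC-103', swcTitle: 'Floating Pragma', severity: 'Low',
    description: 'Pragma is not locked', file: 'Vault.sol', line: 1, column: 0 },
];

// Keep only the issues at or above the configured severity threshold.
function filterBySeverity(issues, failOn = 'Low') {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  return issues.filter(i => (SEVERITY_RANK[i.severity] || 0) >= threshold);
}

// Same rule as GitMythX: pass only when nothing at or above the threshold remains.
function evaluate(issues, { failOn = 'Low' } = {}) {
  const blocking = filterBySeverity(issues, failOn);
  return { pass: blocking.length === 0, blocking, report: toMarkdown(blocking) };
}

// Markdown report linking each finding to its SWC registry entry.
function toMarkdown(issues) {
  if (issues.length === 0) return '# MythX report\n\nNo issues found.\n';
  const rows = issues.map(i =>
    `| ${i.file}:${i.line}:${i.column} | [${i.swcID}](https://swcregistry.io/docs/${i.swcID}) ${i.swcTitle} | ${i.severity} | ${i.description} |`);
  return ['# MythX report', '', '| Location | SWC | Severity | Description |',
          '|---|---|---|---|', ...rows, ''].join('\n');
}

// Under Mocha (e.g. a generated CI test) this registers a test case; under plain node it is skipped.
if (typeof describe === 'function' && typeof it === 'function') {
  describe('MythX gate', () => {
    it('has no blocking issues at Medium or above', () => {
      const verdict = evaluate(SAMPLE_ISSUES, { failOn: 'Medium' });
      if (!verdict.pass) throw new Error('\n' + verdict.report);
    });
  });
}
```

With the sample above the gate fails at the default threshold because of the reentrancy finding; raising failOn to Medium still fails, and only an empty issue list passes.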
MythX Vulnerability Monitor
MythX Vulnerability Monitor by Belma Gutlic (Node Factory) is a web app for monitoring smart contracts deployed to the Ethereum mainnet. The app allows the user to register a smart contract address that is then periodically scanned for security issues. If a vulnerability is discovered, the contract owner is alerted by email. This ensures that contract owners can react if a new vulnerability class is discovered or an upgrade to the EVM introduces a vulnerability.
More Awesome MythX Tools
These are just a few of the first-generation MythX smart contract security tools and integrations. Many more are in the pipeline — including tools for other smart contract platforms such as Rootstock, Tron, Quorum and Vechain. A revamped MythX website and a searchable partners & tools directory will be released soon. For now, check out the growing MythX awesome list and join our Discord server.
About Mythril and MythX
Mythril is a free and open-source smart contract security analyzer. It uses symbolic execution to detect a variety of security vulnerabilities.
MythX is a cloud-based smart contract security service that seamlessly integrates into smart contract development environments and build pipelines. It bundles multiple bleeding-edge security analysis processes into an easy-to-use API that allows anyone to create purpose-built smart contract security tools. MythX is compatible with Ethereum, Tron, Vechain, Quorum, Rootstock and other EVM-based platforms.