MythX is upping the smart contract security game

Bernhard Mueller
Published in ConsenSys Media
5 min read · Aug 30, 2018

Introducing MythX, a new project that improves the baseline security level of all smart contracts deployed to the Ethereum blockchain.

Bernhard Mueller is a “seasoned cyber security professional” (AKA aging hacker dude) and the creator of the Mythril smart contract analyzer. He’s also a two-time Pwnie Award nominee (and one-time winner!).

Ethereum is in a dire situation. No, I’m not talking about the price of ETH. I’m talking about the prevalence of high-profile hacks that are harming trust towards decentralized applications and providing talking points for Bitcoin maximalists and blockchain skeptics. What’s especially frustrating is that most, if not all, of the recent hacks that have impeded the growth of the Ethereum ecosystem could have been prevented.

Security analyzers like Mythril, an open-source tool for bug hunting in smart contracts, could have detected batchOverflow, the Rubixi vulnerability, and the Parity “Accidental Suicide” bug. If only the developers had run a free tool on their code, a whole lot of pain would have been prevented.

Let’s be honest: Existing smart contract security tools aren’t optimal for developers. They’re difficult to install, use and keep updated and don’t integrate well with development environments and build pipelines. False positive rates are high, and the reported results are only comprehensible to security experts. Techniques such as symbolic execution and input fuzzing are resource-intensive, resulting in long analysis times and further reducing usability.

The Mythril team and community are attempting to solve this problem. We’re creating an ecosystem of tools that bring advanced security analysis into development environments and build pipelines everywhere. Whether you’re using Truffle on a Mac, Sublime Text on Linux, Visual Studio Code, emacs, CircleCI, or any combination of the above, you now have a turnkey solution that will allow you to verify smart contracts using the most advanced analysis engine on the market. Our mission is to raise the baseline security level of all smart contracts deployed on the Ethereum blockchain.

This project has been under wraps for a long time, and I’m super excited to finally write about it. In this article, I’ll give a brief high-level overview of the system. Detailed articles about different aspects of the project will follow.

Smart Contract Security 2.0

MythX was developed by the team who built Mythril, a popular smart contract analyzer. With a total of 300,000+ downloads from the official Docker Hub and PyPI repositories, Mythril is widely used by developers and auditors throughout the Ethereum ecosystem.

Unbeknownst to the public, our team has spent the last six months cooking up the next generation of analyzers, including:

We’re also building composite analysis tech that orchestrates the various components. For example, static analysis informs symbolic analysis, and the results of both are used to configure dynamic analysis. This allows us to produce highly accurate results with a minimum of false positives. The result is far beyond what any standalone tool on the market can deliver.

All of this has been packaged into a SaaS solution called MythX. The service is free for casual use, but professional users can purchase paid plans to unlock more powerful analysis modes.

Mythril will remain available under an MIT license and we’ll continue maintaining it. Anyone is free to use it however they like, including for commercial purposes.

MythX Tools Marketplace

Having the best security analysis tech is great. Unfortunately, if it comes in the form of a slow and clunky command line tool, only security enthusiasts will use it. Ethereum devs in the real world don’t have time to mess around with this stuff.

We can’t possibly account for the individual preferences of every Ethereum developer. Therefore, we’re enabling our community and partners to build a whole ecosystem of security tools on top of our platform. These tools will be available in package managers, app stores, and products everywhere. MythX tool developers will earn a share of the revenue generated through the use of their tools. To make this happen, we’re working closely with partners like Gitcoin, TopCoder and MadDevs.

We’re currently running a closed alpha of the API and the community has already come up with some cool prototypes. Join our Discord server for updates.

Third-Party Integration

Besides building a tools marketplace, we’re also signing up partners that want to use the MythX stack in their own products and services. For example, MythX technology will be integrated into the Quantstamp protocol. By leveraging Quantstamp’s distributed computing infrastructure, we’ll enable “deep” security verification that wouldn’t be possible on a standalone system.

Become Active in the Mythril Community

Whether you have an idea for a MythX tool, have developed a novel analysis technique, or want to add value to the project in some other way, now is the best time to get involved.

The best way to get in contact is to ping the team on Discord. There are also a whole lot of partner programs that companies can apply for. Check out the FAQ section on our website for more information.

Disclaimer: The views expressed by the author above do not necessarily represent the views of ConsenSys AG. ConsenSys is a decentralized community with ConsenSys Media being a platform for members to freely express their diverse ideas and perspectives. To learn more about ConsenSys and Ethereum, please visit our website.
