Powered by MythX

Tom Lindeman
Published in ConsenSys Media
Sep 28, 2018

Introducing the MythX Partner Program

I am a ConsenSys Diligence co-founder, MythX business strategist and co-chair of Enterprise Ethereum Alliance Security Working Group. I am currently building web3 products with a focus on disruptive decentralized products, security, developer tools, and n-sided ecosystems.

Introduction

As smart contracts and decentralized applications become more ubiquitous and more complex, the need for powerful and accessible security tools is greater than ever before. MythX Platform is a new web3 SaaS solution that addresses this growing problem by bringing advanced security analysis directly into smart contract development environments and build pipelines in an accessible API. MythX Platform also bundles multiple bleeding-edge tools and techniques into an extensible platform and SDK which allows developers to create purpose-built Ethereum security tools which are “Powered by MythX.”

Today I am excited to announce the MythX Partner Program with the goal of building a “better together” ecosystem of smart contract analysis tools and extensions to make Ethereum safer for end users of all kinds. We are getting ready to launch v1.0 of MythX Platform and we are building out a powerful and dynamic ecosystem of partners to come along with us and attack the challenge of contract security from multiple fronts.

MythX and Smart Contract SDLC

There are many methodologies and processes being used in web3 development today, and one thing is becoming more and more clear: security must be woven into the process from end to end. This isn’t traditional cyber security, application security, or network security. This is smart contract and dapp security; one wrong line or logic mistake can lead to complete disaster.

Developers, testers, solutions providers, and security auditors can soon use MythX Platform to address security from the beginning of the development life cycle and continuing through live deployment. This isn’t DevOps where you toss things out there and fix them on the fly. The new smart contract SDLC has testing and verification embedded into every phase of development and looks like this:

Smart Contract SDLC
  1. Plan and design the contracts, system architecture, economics and end user behaviors by following smart contract best practices and readiness guides, running simulations with partners like AtChai, using OpenZeppelin standard libraries and avoiding pitfalls of not-so-smart contracts.
  2. Develop the code using Truffle, VS Code or the Solidity plug-in for Visual Studio, Remix or your favorite editor and write clear, easy to audit code and a full suite of test cases (bugs are no longer bugs, they are wrecking balls).
  3. Test Test Test. In addition to human testing, implement automated verification using security analysis tools such as MythX Platform with integrated partner extensions and modules. For example, GuardRails has integrated MythX to perform automated analysis runs whenever a pull request is made from GitHub and will show you the exact line of code to fix if any errors are detected. Pretty cool!
  4. Deploy the system to Rinkeby Testnet or Ethereum Mainnet and run more tests and simulations. This is a great place to run a bug bounty program, find, fix, test, rinse, repeat. You may decide to deploy to Azure Blockchain Workbench and configure your own authentication or consensus algorithms.
  5. Audit. Once the code is 100% baked, do a full professional security audit using a trusted firm such as Trail of Bits, BlocTrax, Quantstamp or ConsenSys Diligence. This may be the most important and most expensive phase of the entire project.
  6. Monitor live contracts using Alethio or Etherscan to visualize and analyze transactions, attacks, user behavior and more.
  7. Signal to the public that your contracts are safer than others by applying to the Panvala registry. Once Panvala marks are granted, applications such as wallets or explorers can display the mark in the UI to help users understand which contracts are safer to interact with.

Synergistic Smart Analysis

In the smart contract SDLC example above, the test and audit phases are arguably the most critical when it comes to verifying the security and the safety of a particular solution. MythX’s suite of integrated deep analysis micro-services and tools seamlessly work together to help narrow down vulnerability surface area and focus efforts on specific areas of code.

Maru is an advanced static analysis linter that is used to detect and check for security related code smells and best practices. Maru helps determine what can safely be ignored during dynamic analysis, for example methods that just read values and don’t change.

Mythril++ is the core symbolic analysis engine based on the popular open source version of Mythril which now has additional modules and extensions that offer enhanced functionality and ease of use. Quick analysis can be done on a daily basis or automatically kicked off after check-ins. Full analysis can be used at major milestones or after heavy changes, and custom analysis via system specific modules can be run any time.

Harvey is a slightly white, greybox dynamic analysis tool and fuzzer that checks for common security vulnerabilities while also exploring as many execution paths as possible. Intelligent analysis inputs are received from Mythril when execution paths or traces that can possibly lead to an exploit are discovered. Harvey can then verify MythX’s concretized transaction traces by running them in the official Go EVM implementation.

Maestro analyzes, orchestrates and reports on all output from various tool components which provides deeper inputs for further testing. Maestro reports often drive the creation of additional tests or new modules with specific properties. For example, using the output of Maru and Harvey, Maestro will be able to determine if an overflow is caused by the developer by checking if the instruction location maps to an arithmetic expression that can overflow.

MythX Partner Ecosystem

We BUIDL together, we LAUNCH together. Since our overall goal is to truly make Ethereum safer, we decided early on to enable the community to extend and enhance the MythX platform and build new functionality that we may have never thought of. Tool developers can build MythX security tools using an easy-to-use SDK: instead of implementing their own security analysis logic, they simply submit source code and/or bytecode to the API for analysis.

The open-source version of MythX has 260,000 downloads today, and we expect to attract tons of developers, end users and professional tool builders who want easy-to-use features and tools. We currently have two main categories of MythX partners and have already signed up several launch partners for version 1.0 in 2019.

MythX Platform Partners

Platform Integration Partners

These partners are granted the right to use the full MythX Platform security analysis stack to power their own security systems, tools, plug-ins and power-ups. This allows them to build a wide variety of innovative and useful products and services without the high upfront cost for R&D. In turn, these products and services help drive usage of MythX Platform API and increase the functionality and scenarios.

Some examples:

  • IDE Vendors (Truffle, VS Code, etc) allow integration with MythX Platform API to seamlessly include security verification into the secure development life cycle.
  • ALM vendors (Jira, TFS, etc.) can integrate with MythX Platform API to automatically launch test runs and create work items for developers to follow up on.
  • CI Automation Service Providers (Jenkins, GuardRails, Circle CI, etc.) can add support for smart contract development environments by integrating the MythX Platform into test suites that verify each change to the code.
  • Security Services Providers (NRI Secure, Quantstamp, etc.) of all kinds can take advantage of the full version of MythX Platform API to enhance their security offerings. MythX is a ready to use service that partners can send analysis requests to and receive a share of revenue earned from traffic.
  • Monitoring Services (Alethio, EtherScan, etc.) can integrate with MythX Platform API to verify changes in contracts deployed to MainNet and discover vulnerabilities, version mismatches, or behavioral or transactional anomalies in live systems.

System Development Partners

Typically, these are companies and organizations that are instrumental in collaborating with our team to build out the MythX Platform. They contribute code to MythX OSS and Platform API and contribute new analysis modules that improve the quality of the platform. Agreements with system development partners may take many different forms, for example the partner might provide some IP and/or resources for free or at a reduced rate.

Innovations and Opportunities

The MythX team is innovating on several levels and creating new opportunities for partners only available in a collaborative web3 tokenized system.

Perks!

I learned from running the partner ecosystem for Visual Studio that partners want benefits that span development, business development and marketing. We get it and we agree. The MythX Partner Program offers a win-win set of perks to help with several aspects of your project or business. Got an idea for a new perk? Let us know!

Technical

  • License to integrate MythX Platform API (or a custom build for offline use) in commercial product(s) and/or service(s)
  • Early access to upcoming Platform revisions to ensure readiness as a Launch Partner
  • Personal support and integration consulting as well as support forums

Business

  • While the launch of a MYTH token to power the SaaS service has now been replaced by the DAI stable coin, we are not discounting the possibility of a MythX specific token in the future. If such a token does materialize, our partners will be considered as preferred early-adopters
  • Revenue sharing opportunity when your tool or service drives usage of the MythX API
  • Custom business development agreements

Awareness

  • Promotion of your integrated tool on the MythX web site and at events
  • Use of the MythX Partner logo and “Powered by MythX” badge
  • Co-marketing such as joint events, co-written articles or quotes from MythX for press releases and blog posts

Pricing and Revenue Share

With our innovative tokenized SaaS licensing model, MythX developers and partners are now incentivized to build high-usability security tools on top of or alongside the MythX Platform. These developers earn a revenue share based on how much their tools drive overall MythX usage. Specific program pricing and terms for MythX licensing are determined on a case-by-case basis.

Pay Per Use Model

With MythX Platform, we are introducing a novel usage-based tokenized license system where tokens are deducted for actual use only. Usage tokens are also less expensive when bought in larger activation packs that are used to govern access to the API.

In order to provide better cost predictability for users and partners, and to combat the current volatility in the market, we have decided to use the DAI stable coin to power the MythX Service.

  • 24 hours of access (with up to 1,000 analysis passes) for 2 DAI
  • 30 days of access (with up to 1,000 analysis passes per day) for 50 DAI
  • 365 days of access (with up to 1,000 analysis passes per day) for 550 DAI

MythX subscriptions are also divisible and can be shared and transferred between users simply by sending tokens. This gifting dynamic covers volume license scenarios and can act as a driver for viral growth.

MythX Marketplace

In addition to co-marketing and co-branding opportunities, partners will be highlighted at MythX events including product launches and hackathons. In order to help drive awareness of our partners’ tools, we also plan to create a Marketplace for MythX power ups, extensions, tools and services. Expect this portal to be a fully web3-enabled showcase for awesome products and experiences created by our friends and partners.

Get Ready for Launch!

Partners will be working closely with us to get ready for the launch of the live MythX service and dapp in 2019 and we are excited to help amplify the power of the ecosystem to improve overall safety and security of Ethereum. Whether you have an idea for a Mythril tool, have developed a novel analysis technique, or want to add value to the project in some other way, now is the best time to get involved.

Interested in being an official MythX Partner? Contact me at tom.lindeman@consensys.net

Have some other cool ideas for making the ecosystem safer? Get in touch with the MythX team on Discord. Also check out the FAQ section on our website for more information.

Want to brainstorm in person? Come see us at TruffleCon 2018, DevCon 4 and the Hi-Ether Conference in Tokyo over the next few weeks.

Disclaimer: The views expressed by the author above do not necessarily represent the views of ConsenSys AG. ConsenSys is a decentralized community with ConsenSys Media being a platform for members to freely express their diverse ideas and perspectives. To learn more about ConsenSys and Ethereum, please visit our website.

Tom Lindeman
CEO 5thnode LTD, CSO Runtime Verification Inc, Co-Founder ConsenSys Diligence & MythX, 20 year Microsoft Director and Researcher