Status Embark + MythX
If you are at all involved in Ethereum smart contract security, you will probably have come across some of the tools that help automate at least parts of the process, such as echidna, mythril and, most recently, MythX. While looking for a way to most conveniently automate a basic security analysis of our smart contracts, we found MythX (at least now, during it’s free beta phase) to be the tool with the most features and its REST API and JavaScript wrappers being fairly easy to integrate with our current development workflow. While the documentation around MythX is somewhat opaque about the analyses running on their servers, here’s a quick summary from Bernhard Mueller, Product Engineer at ConsenSys Diligence, as of March 2019:
- Static analysis with Maru,
- Greybox fuzzing with Harvey and
- Symbolic execution and SMT solving with Mythril.
Taking the MythX truffle plugin as an example, we decided to implement our own little tool to quickly run analyses on our smart contracts. Since we are using Status Embark most of the way, we chose to build an Embark plugin so MythX is only one command away at all times. Enter: embark-mythx.
Implementation
Gathering the data for a MythX call within Embark requires two steps: enable the user to state their intent (register a console command) and collect the data required for the call.
To register your own command with Embark’s console, you initialise a new node package and paste this little snippet into its index.js:
module.exports = function(embark) {
embark.registerConsoleCommand({
description: "Run MythX analysis",
matches: (cmd) => {
// return true if `cmd` matches your intended call
},
usage: "verify [options] [contracts]",
process: (cmd, callback) => {
// command implementation goes here
}
});
}Install the package from your Embark project directory and add a plugin section in your embark.json. If there are contracts you want to permanently exclude from MythX calls, add them here.
"plugins": {
"embark-mythx": {
"ignore": ["Ownable", "Migrations"]
}
},embark-mythx implements three commands, to be precise: verify, verify help and verify status. It also takes advantage of Embark plugins’ event listeners to store your smart contract data as soon as they are compiled.
For the second step, we can simply register an event listener to listen to contracts:compiled:solc events. The moment Embark finishes compiling your contracts, it’ll collect your contracts’ sources, ASTs, bytecode and more. truffle-security and the API specs show how to convert this data into MythX compatible JSON.
The rest of the analysis call follows that of truffle-security: Construct JSON objects out of your contract data, submit, parse response and print to console.
Usage
The most basic use case — submitting all contracts in your project for a quick analysis — simply requires typing verify into the Embark console and will look similar to this:
Embark > verify
embark-mythx: Running MythX analysis in background.
embark-mythx: Submitting 'ERC20' for quick analysis...
embark-mythx:
/home/seb/flex/mythx-plugin/testToken/.embark/contracts/ERC20.sol
1:0 warning A floating pragma is set SWC-103✖ 1 problem (0 errors, 1 warning)MythX analysis found vulnerabilities!
To analyse only a subset of the smart contracts in your project, simply append their names to the call. Use flag -f to run a full analysis instead of the time-limited ‘quick’ one.
Embark > verify -f ERC20 Ownable
embark-mythx: Running MythX analysis in background.
embark-mythx: Submitting 'ERC20' for full analysis...
embark-mythx: Submitting 'Ownable' for full analysis...[...]
(For a complete list of options, see the project’s README.)
If the analysis takes more time than your timeout allows, it’ll print a UUID which you can use with verify status to check on the analysis’ status manually:
Embark > verify status 9baf4d85-e1da-45a9-a59f-20d3b202515a
embark-mythx: /home/seb/flex/mythx-plugin/testToken/.embark/contracts/ERC20.sol, ERC20.sol
embark-mythx: swcID: SWC-103
swcTitle: Floating Pragma
description:
head: A floating pragma is set.
tail: >-
It is recommended to make a conscious choice on what version of Solidity is
used for compilation. Currently any version equal or greater than "0.5.0" is
allowed.
severity: Medium
locations:
- sourceMap: '0:23:0'
extra:
testCase:
initialState:
accounts: null
steps: null(The swcID refers to the Smart Contract Weakness Classification Registry ID.)
Evaluation
Now that we have the functionality nicely integrated, let’s take it for a ride. Trail of Bits have been collecting vulnerable smart contracts in their not-so-smart-contracts repo. While several of these vulnerabilities have been made impossible with later versions of solc, we can still use some of these to see if we are protected.
The attacker uses the fallback function to execute again the vulnerable function before the state variable are changed.
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/Reentrancy.sol
1:0 warning A floating pragma is set SWC-103
17:15 warning A call to a user-supplied address is executed SWC-107
20:8 error persistent state write after call SWC-107✖ 3 problems (1 error, 2 warnings)MythX analysis found vulnerabilities!
2. Integer Overflow, Round 1:❓
Once a first call have be made on
addorsafe_add, a call toaddcan trigger an integer overflow.
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/overflow_1.sol
1:0 warning An outdated compiler version is used SWC-102✖ 1 problem (0 errors, 1 warning)
Integer Overflow, Round 2: ✓
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/Overflow.sol
7:8 error The binary addition can overflow SWC-101✖ 1 problem (1 error, 0 warnings)MythX analysis found vulnerabilities!
3. Unchecked External Call: ✓
If an external call fails, but is not checked, the contract will continue execution as if the call succeeded.
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/KingOfEther.sol
16:0 warning A floating pragma is set SWC-103
65:4 warning Potential incorrect constructor name "KingOfEther" SWC-118
101:12 warning Unchecked return value from low level call SWC-104
108:12 warning Unchecked return value from low level call SWC-104
121:12 warning Unchecked return value from low level call SWC-104
162:8 warning Unchecked return value from low level call SWC-104✖ 6 problems (0 errors, 6 warnings)MythX analysis found vulnerabilities!
4. Missing constructor: ✓
Anyone can call the function that was supposed to be the constructor. As a result anyone can change the state variables initialized in this function.
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/Missing.sol
23:7 error Anyone can withdraw ETH from the contract account SWC-105✖ 1 problem (1 error, 0 warnings)MythX analysis found vulnerabilities!
5. Denial of Service: ✓
A malicious contract can permanently stall another contract by failing in a strategic way. In particular, contracts that bulk perform transactions or updates using a
forloop can be DoS'd if a call to another contract ortransferfails during the loop.
embark-mythx:
/home/seb/flex/mythx/reentrancy/.embark/contracts/DosAuction.sol
5:2 warning State variable shadows another state variable SWC-119
6:2 warning State variable shadows another state variable SWC-119
19:4 error persistent state read after call SWC-107
19:4 error persistent state write after call SWC-107
20:4 error persistent state write after call SWC-107
51:4 warning Unchecked return value from low level call SWC-104✖ 6 problems (3 errors, 3 warnings)MythX analysis found vulnerabilities!
For more examples of what MythX can do, check out Bernhard’s other articles, “A Deep Dive into the MythX Smart Contract Security Analysis API” and “Analyzing Ethereum Smart Contracts for Vulnerabilities”.
Conclusion
MythX is still a work in progress and we stumpled on various occasions when either the documentation was lacking or the service wasn’t working as expected, but once it is stable it will be a handy tool that takes at least some load off of our minds. And thanks to embark-mythx now from within the Embark console.
