Status Embark + MythX

embark-mythx enables MythX smart contract security analyses from within Status Embark.

If you are at all involved in Ethereum smart contract security, you will probably have come across some of the tools that automate at least parts of the process, such as echidna, mythril and, most recently, MythX. While looking for the most convenient way to automate a basic security analysis of our smart contracts, we found MythX (at least now, during its free beta phase) to be the tool with the most features, and its REST API and JavaScript wrappers are fairly easy to integrate with our current development workflow. While the documentation around MythX is somewhat opaque about the analyses running on their servers, here is a quick summary from Bernhard Mueller, Product Engineer at ConsenSys Diligence, as of March 2019:

  • Static analysis with Maru,
  • Greybox fuzzing with Harvey and
  • Symbolic execution and SMT solving with Mythril.

Taking the MythX truffle plugin as an example, we decided to implement our own little tool to quickly run analyses on our smart contracts. Since we are using Status Embark most of the way, we chose to build an Embark plugin so MythX is only one command away at all times. Enter: embark-mythx.

Implementation

Gathering the data for a MythX call within Embark requires two steps: enable the user to state their intent (register a console command) and collect the data required for the call.

To register your own command with Embark’s console, you initialise a new node package and paste this little snippet into its index.js:

Install the package from your Embark project directory and add a plugin section in your embark.json. If there are contracts you want to permanently exclude from MythX calls, add them here.

embark-mythx implements three commands, to be precise: verify, verify help and verify status. It also takes advantage of Embark plugins’ event listeners to store your smart contract data as soon as it is compiled.

For the second step, we register an event listener for contracts:compiled:solc events. The moment Embark finishes compiling your contracts, the listener collects their sources, ASTs, bytecode and more. truffle-security and the MythX API specs show how to convert this data into MythX-compatible JSON.

The rest of the analysis call follows that of truffle-security: Construct JSON objects out of your contract data, submit, parse response and print to console.
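To make the two steps concrete, here is an added example (not embark-mythx’s own code) of the plugin skeleton: it caches contracts when the contracts:compiled:solc event fires, registers the verify console command with its help, status and -f forms, turns the cached contracts into one MythX request each while skipping the excluded ones, and flattens a MythX report into printable lines. The Embark hooks (registerConsoleCommand, events.on), the fields on Embark’s compiled-contract objects and the MythX request and response fields are assumptions from the 2019 APIs; fakeEmbark, SAMPLE_COMPILED and SAMPLE_REPORT are constructed stand-ins so it runs offline. The real submit and status calls against the MythX API are left as comments.

```javascript
// Added example, not code from embark-mythx. Embark hooks, compiled-contract
// fields and MythX request/response fields are assumptions from the 2019 APIs.

// One MythX analysis request per contract (field names as assembled by
// truffle-security for the v1 API; assumed).
function toMythxRequest(c, analysisMode) {
  return {
    contractName: c.className,
    bytecode: c.code,                       // creation bytecode
    deployedBytecode: c.runtimeBytecode,    // runtime bytecode
    sourceList: [c.filename],
    sources: { [c.filename]: { source: c.source, ast: c.ast } },
    analysisMode,                           // 'quick' (time-limited) or 'full'
    toolName: 'embark-mythx',
  };
}

// Flatten a MythX report into one printable line per issue; swcID is the
// Smart Contract Weakness Classification Registry ID.
function formatIssues(contractName, report) {
  const lines = [];
  for (const entry of report) {
    for (const issue of entry.issues) {
      const loc = (issue.locations[0] || {}).sourceMap || '?';
      lines.push(`${contractName}: [${issue.severity}] ${issue.swcID} ${issue.swcTitle} at ${loc}: ${issue.description.head}`);
    }
  }
  return lines;
}

class MythxPlugin {
  constructor(embark, options = {}) {
    this.ignore = new Set(options.ignore || []);   // contracts excluded in embark.json
    this.contracts = new Map();                    // className -> compiled data
    // Step 2: keep the freshest compilation output around.
    embark.events.on('contracts:compiled:solc', (compiled) => {
      for (const c of compiled) this.contracts.set(c.className, c);
    });
    // Step 1: verify | verify help | verify status <uuid>
    embark.registerConsoleCommand({
      matches: (cmd) => cmd.trim().split(/\s+/)[0] === 'verify',
      process: (cmd, callback) => callback(null, this.handle(cmd)),
    });
  }

  // verify [-f] [ContractName ...] | verify status <uuid> | verify help
  static parseCommand(cmd) {
    const [, ...args] = cmd.trim().split(/\s+/);
    if (args[0] === 'help') return { action: 'help' };
    if (args[0] === 'status') {
      if (!args[1]) throw new Error('verify status needs an analysis UUID');
      return { action: 'status', uuid: args[1] };
    }
    return {
      action: 'analyse',
      analysisMode: args.includes('-f') ? 'full' : 'quick',
      names: args.filter((a) => a !== '-f'),
    };
  }

  buildRequests({ names, analysisMode }) {
    const selected = names.length ? names : [...this.contracts.keys()];
    const requests = [];
    for (const name of selected) {
      if (this.ignore.has(name)) continue;          // permanently excluded
      const c = this.contracts.get(name);
      if (!c) throw new Error(`unknown contract ${name}: has it been compiled?`);
      requests.push(toMythxRequest(c, analysisMode));
    }
    return requests;
  }

  handle(cmd) {
    const parsed = MythxPlugin.parseCommand(cmd);
    if (parsed.action === 'help') return 'verify [-f] [ContractName ...] | verify status <uuid> | verify help';
    if (parsed.action === 'status') return { uuid: parsed.uuid }; // real plugin: poll MythX for this UUID
    return this.buildRequests(parsed);                            // real plugin: submit each request
  }
}

// Constructed stand-in for Embark's plugin object: records commands, replays events.
function fakeEmbark() {
  const listeners = {};
  return {
    commands: [],
    events: {
      on: (name, fn) => { listeners[name] = (listeners[name] || []).concat(fn); },
      emit: (name, payload) => (listeners[name] || []).forEach((fn) => fn(payload)),
    },
    registerConsoleCommand(c) { this.commands.push(c); },
  };
}

// Constructed sample data (not real compiler output or a real MythX report).
const SAMPLE_COMPILED = [
  { className: 'Vault', filename: 'contracts/Vault.sol', code: '0x6080', runtimeBytecode: '0x6080', source: 'contract Vault {}', ast: {} },
  { className: 'Migrations', filename: 'contracts/Migrations.sol', code: '0x60', runtimeBytecode: '0x60', source: 'contract Migrations {}', ast: {} },
];
const SAMPLE_REPORT = [{ issues: [{ swcID: 'SWC-107', swcTitle: 'Reentrancy', severity: 'High',
  description: { head: 'State change after external call' }, locations: [{ sourceMap: '120:60:0' }] }] }];

function demo() {
  const embark = fakeEmbark();
  const plugin = new MythxPlugin(embark, { ignore: ['Migrations'] });
  embark.events.emit('contracts:compiled:solc', SAMPLE_COMPILED);
  console.log(JSON.stringify(plugin.handle('verify -f Vault'), null, 2));
  console.log(formatIssues('Vault', SAMPLE_REPORT).join('\n'));
}
demo();
```

Two details worth copying into a real plugin: the excluded-contract check happens before the lookup, so an ignored contract never reaches MythX even when named explicitly, and asking for a contract that has not been compiled yet fails loudly instead of silently submitting nothing.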

Usage

The most basic use case — submitting all contracts in your project for a quick analysis — simply requires typing verify into the Embark console and will look similar to this:

To analyse only a subset of the smart contracts in your project, append their names to the call. Use the -f flag to run a full analysis instead of the time-limited ‘quick’ one.

(For a complete list of options, see the project’s README.)

If the analysis takes longer than your timeout allows, the command prints a UUID which you can pass to verify status to check on the analysis manually:

(The swcID refers to the Smart Contract Weakness Classification Registry ID.)

Evaluation

Now that we have the functionality nicely integrated, let’s take it for a ride. Trail of Bits have been collecting vulnerable smart contracts in their not-so-smart-contracts repo. While several of these vulnerabilities have been made impossible by later versions of solc, we can still use the remaining ones to see whether MythX flags them.

  1. Basic Reentrancy example

The attacker uses the fallback function to execute the vulnerable function again before the state variables are changed.

  2. Integer Overflow, Round 1: ❓

Once a first call has been made to add or safe_add, a call to add can trigger an integer overflow.

     Integer Overflow, Round 2: ✓

  3. Unchecked External Call: ✓

If an external call fails but is not checked, the contract will continue execution as if the call had succeeded.

  4. Missing constructor: ✓

Anyone can call the function that was supposed to be the constructor. As a result, anyone can change the state variables initialised in this function.

  5. Denial of Service: ✓

A malicious contract can permanently stall another contract by failing in a strategic way. In particular, contracts that perform transactions or updates in bulk using a for loop can be DoS’d if a call to another contract or a transfer fails during the loop.

For more examples of what MythX can do, check out Bernhard’s other articles, “A Deep Dive into the MythX Smart Contract Security Analysis API” and “Analyzing Ethereum Smart Contracts for Vulnerabilities”.

Conclusion

MythX is still a work in progress, and we stumbled on various occasions where either the documentation was lacking or the service wasn’t working as expected, but once it is stable it will be a handy tool that takes at least some load off of our minds. And thanks to embark-mythx, it is now only one command away in the Embark console.

Flex Dapps

Putting the OC in Blockchain
