All Ethereum Security Tools
ConsenSys Diligence is a security-focused group of 30+ Ethereum engineers, auditors and researchers distributed all over the world. We have a tradition of building security tools for ourselves and the Ethereum community. Because our time is precious, we focus on creating polished, highly usable tools that are truly helpful to auditors and smart contract developers. This article introduces some of the highlights.
Visual Auditors for Solidity and Vyper
Written by Martin Ortner a.k.a. tintinweb, Solidity Visual Auditor is a Visual Studio Code extension created to make the life of smart contract auditors easier. It provides security-aware syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code users. Comprehensive security analysis functionality will be added soon. A Vyper version is also available.
Auditing complex smart contract systems may cause your head to explode. Surya by Goncalo Sá aids auditors in understanding and visualizing Solidity smart contracts. It provides information about the contracts’ structure and generates call graphs and inheritance graphs. It also supports querying the function call graph in multiple ways to aid in the manual inspection of contracts.
Surya can produce a DOT-formatted graph of the inheritance tree.
The Swiss Army Knife of smart contract security hardly needs an introduction. On the off chance that you haven’t heard of it, Mythril is a disassembler, hacking tool and security analyzer that uses symbolic analysis and taint analysis to detect a variety of security vulnerabilities. It works with Solidity code and raw EVM bytecode; eWASM support is coming soon.
Don’t accidentally kill it!
Mythril’s little brother, Scrooge McEtherface, takes things a little further by automatically exploiting the detected issues. Only ever use this in a test environment!
You just accidentally stole 4 ETH.
Karl by Daniel Luca is a monitor for smart contracts that checks for security vulnerabilities using the Mythril detection engine. It can be used to monitor the Ethereum blockchain for newly deployed vulnerable smart contracts in real time. It eliminates false positives by running candidate contracts in a virtual copy of the blockchain. Trust us, Karl discovers a lot of interesting gems every day.
Karl scrapes every new block for contract-creating transactions and logs vulnerabilities.
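To make the monitoring loop concrete, here is an added example (written for this article; it is not Karl's code and does not use the Mythril engine) that performs the first stage of what Karl does: pick the contract-creating transactions out of a block, disassemble their init code, and flag candidates that contain SELFDESTRUCT, DELEGATECALL or CALLCODE for deeper analysis. The block is a constructed dictionary in the shape a JSON-RPC `eth_getBlockByNumber` response would have, and the transaction hashes and addresses are placeholders. The point the example makes is that a byte scan must skip PUSH immediates, otherwise an `0xff` inside pushed data produces a false positive; the real false-positive elimination Karl does (executing the candidate in a virtual chain copy) is out of scope here.

```python
# Opcodes worth a closer look in freshly deployed code (EVM opcode values).
WATCHED = {0xFF: "SELFDESTRUCT", 0xF4: "DELEGATECALL", 0xF2: "CALLCODE"}

# Constructed block: placeholder hashes/addresses, hand-assembled init code.
SAMPLE_BLOCK = {
    "number": 4200000,
    "transactions": [
        # ordinary call to an existing contract: not a creation, skipped
        {"hash": "0xbeef01", "from": "0x1111", "to": "0x2222", "input": "0xa9059cbb"},
        # PUSH1 0x80 PUSH1 0x40 MSTORE CALLER SELFDESTRUCT  -> real hit at offset 6
        {"hash": "0xbeef02", "from": "0x3333", "to": None, "input": "0x6080604052" + "33ff"},
        # PUSH1 0xff PUSH1 0x00 SSTORE -> the 0xff byte is data, not SELFDESTRUCT
        {"hash": "0xbeef03", "from": "0x4444", "to": None, "input": "0x60ff600055"},
        # PUSH1 0 x5, GAS, DELEGATECALL -> hit at offset 11
        {"hash": "0xbeef04", "from": "0x5555", "to": None, "input": "0x600060006000600060005af4"},
    ],
}


def opcodes(code):
    """Yield (offset, opcode) pairs, skipping the immediate bytes of PUSH1..PUSH32."""
    i = 0
    while i < len(code):
        op = code[i]
        yield i, op
        if 0x60 <= op <= 0x7F:      # PUSHn carries n = op - 0x5f data bytes
            i += op - 0x5F
        i += 1


def risky_opcodes(code):
    """Offsets and names of watched opcodes, using a proper disassembly walk."""
    return [(off, WATCHED[op]) for off, op in opcodes(code) if op in WATCHED]


def naive_hits(code):
    """The wrong way: raw byte match, which misreads PUSH data as opcodes."""
    return [i for i, b in enumerate(code) if b in WATCHED]


def scan_block(block):
    """Return one finding per contract creation in the block (tx.to is null)."""
    findings = []
    for tx in block["transactions"]:
        if tx["to"] is not None:
            continue
        code = bytes.fromhex(tx["input"][2:])
        findings.append({
            "block": block["number"],
            "tx": tx["hash"],
            "from": tx["from"],
            "code_len": len(code),
            "hits": risky_opcodes(code),
        })
    return findings


if __name__ == "__main__":
    for f in scan_block(SAMPLE_BLOCK):
        status = "CANDIDATE" if f["hits"] else "clean"
        print(f"block {f['block']} tx {f['tx']} from {f['from']}: {status} {f['hits']}")
```

In a live monitor the block dictionary would come from a node subscription (`newHeads` followed by a full block fetch); everything after that point stays the same, and the candidates with hits are the ones worth handing to a symbolic analyzer such as Mythril.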
The MythX security analysis service is our crown jewel, and yes, we’re eventually going to introduce a paid version with extra features. Why? Because at the end of the day we need to find a sustainable business model (however, the MythX organization will be very different from a legacy business; you can stake your ETH on that).
MythX is a cloud-based service that makes powerful smart contract security analysis available to anyone* (*who is able to install an npm package). One of the first end-user frontends is the MythX plugin for Truffle. The plugin is compatible with Truffle 5.0 or higher.
MythX for Truffle makes security analysis of Truffle projects painless.
There are also some early MVP command-line clients like Sabre and Mythos that abstract away the details of communicating with the MythX service. They can be used to analyze standalone Solidity files.
Sabre is a MythX client MVP that analyzes a single Solidity file (howto)
The real kicker is that anyone can build MythX frontend tools and integrations and earn a revenue share once our paid subscription plans go live. We’re currently building out client libraries and documentation to make this as easy as possible:
PythX is a Python library that aims to provide an easy-to-use interface to MythX. Its goal is to turbocharge tool development and make it easy to deal with even complex use cases.
If you are a tool developer of entrepreneurial spirit you should chat with the team on the MythX community Discord.
Panvala is another ambitious project by Diligence. Created by Diligence’s resident token genius Niran Babalola, it’s not a tool but a crypto-economic game with the goal of making Ethereum safer. In Panvala, smart contract developers can stake tokens to get a Panvala mark and will lose the tokens if security issues are found. Ethereum wallets like MetaMask can display Panvala marks directly in the user interface.
Panvala connects grant funders, corporate open source projects and volunteers with a token that gives them all a shared incentive to find sustainable funding together. Panvala Token Grants are issued to reward work that makes Ethereum safer. Join the Panvala Telegram channel if you’d like to get involved.
We are planning to release more polished tools under an open source license later this year — most notably, an IR-based static analyzer named Maru and an innovative greybox fuzzer named Harvey. Both tools are already running in the MythX backend. Follow us on Medium to stay up-to-date!
Thinking about smart contract security? We can provide training, ongoing advice, and smart contract auditing. Contact us.