SECURITY ANALYSIS TOOL

Mythril

Helping developers find and fix vulnerabilities during their Smart Contract Development lifecycle.

Overview

Mythril is an open source Ethereum smart contract and dapp (decentralized app) security analysis engine and platform that integrates with several commonly used IDEs.

It analyzes Ethereum smart contracts in the manner of an nmap-style black-box scanner for the blockchain.

Mythril on Github

Mythril Detection Capabilities:

  • Unprotected functions
  • Missing check on CALL return value
  • Re-entrancy
  • Multiple sends in a single transaction
  • External call to untrusted contract
  • Delegatecall or callcode to untrusted contract
  • Integer overflow/underflow
  • Timestamp dependence
  • Payable transaction does not revert in case of failure
  • Use of tx.origin
  • Type confusion
  • Predictable RNG
  • Transaction order dependence
  • Information exposure
  • Complex fallback function (uses more than 2,300 gas)
  • Use require() instead of assert()
  • Use of deprecated functions
  • Detect tautologies
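To make two of the listed detection classes concrete, here is an added Solidity example (not code from the Mythril project or this page) showing a contract that exhibits "Use of tx.origin" and "Missing check on CALL return value" next to a hardened version of the same contract. The contract and function names are constructed for illustration.

```solidity
pragma solidity ^0.8.0;

// Constructed example: two patterns Mythril reports, side by side with fixes.

// Vulnerable form.
contract VulnerableWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // "Use of tx.origin": tx.origin is the externally owned account that
    // started the transaction, not the immediate caller. If the owner is
    // induced to call some other contract that in turn calls withdrawAll,
    // tx.origin is still the owner and this check passes.
    function withdrawAll(address payable to) external {
        require(tx.origin == owner, "not owner");

        // "Missing check on CALL return value": the low-level call returns a
        // success flag that is discarded, so a failed transfer goes unnoticed
        // and the transaction still succeeds.
        to.call{value: address(this).balance}("");
    }

    receive() external payable {}
}

// Hardened form.
contract HardenedWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Authorise on msg.sender, the direct caller, rather than tx.origin.
    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");

        // Capture the success flag and revert on failure, using require()
        // (refunds remaining gas) rather than assert() for input/external
        // conditions, as the "Use require() instead of assert()" check expects.
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

Compiling `VulnerableWallet` with solc already produces a warning about the unused return value of the low-level call; the tx.origin check compiles silently, which is the kind of issue a symbolic analyzer such as Mythril is meant to surface.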

Mythril’s security analysis is structured into separate Python modules, and one file exists for each type of analysis. Detailed module info

Mythril uses the LASER-ethereum symbolic virtual machine which models most features of the EVM to detect the issues above.

How to use Mythril

For Auditors

By default, the Mythril IDE extensions connect to a public Mythril API hosted on Heroku. If a developer wants to run Mythril locally, they can install a Python package and this could possibly be containerized.

The IDE extension submits the contract bytecode to the Mythril API, which analyzes the bytecode and returns a list of identified issues. The detected security problems are then mapped to particular positions in the Solidity code and displayed in the IDE. Currently, Mythril API access is free and does not require registration.

[Diagram: Mythril architecture]

Creator

Mythril and LASER-ethereum were created by b-mueller who has recently joined ConsenSys Diligence.