FAQ

MythX is a security analysis service for Ethereum smart contracts. It allows any developer or developer team to integrate security into the smart contract development lifecycle.

MythX is integrated into widely used tools such as Remix

When you submit your code to the API it gets analyzed by multiple microservices in parallel: A static analyzer that parses the Soldity AST, a symbolic analyzer that detects possible vulnerable states, and a greybox fuzzer that detects vulnerable execution paths. These tools cooperate to return the more comprehensive results in the execution time provided.

For more details, please see the list of vulnerabilities covered by MythX.

By using our Software-as-a-Service (SaaS) platform, you will get much higher performance compared to running security tools locally, plus higher vulnerability coverage than any standalone tool.

You also benefit from continuous improvements to our security analysis technology. We continuously add new and improved security tests to our stack to keep you protected as the smart contract security landscape evolves.

Your analysis requests are encrypted with TLS. To provide comprehensive reports and improve performance, we store some of the contract data in our database, including parts of the source code and bytecode. The data never leaves our secure server and is not shared with any outside parties. We keep the results of your analysis so you can retrieve them later, but the report can be accessed by you only.

To ensure the security of your data, all smart contacts associated with MythX have undergone a thorough manual security audit through Consensys Diligence.

Existing smart contract security tools are difficult to use, even for developers. MythX leads due to its simplicity; all you need to do is install a tool or plugin for your favorite IDE. Additionally, the MythX analysis engine is significantly more powerful than standalone open source tools. It runs expensive parallel computations that would take a very long time to complete on a standard system.

Automated verification tools like MythX are an indispensable tool during development, but they don’t completely remove the need for an audit. Some classes of bugs, such as business logic vulnerabilities, cannot be detected in a generic fashion. Therefore, we always recommend an audit by a human expert. That said, using MythX will likely make your audit easier and less expensive, since there will be fewer problems detected.

In short, MythX doesn’t replace an audit; it prepares you for one.

Residual risk is the probability of a vulnerability being in the part of the smart contracts that have not received in-depth analysis. The longer the analysis runs for, the lower the residual risk will be.

With more computing time dedicated to each analysis, MythX will be more likely to detect even deeper hidden security bugs in the smart contract code and minimize residual risk. The Deep scan feature available in our Professional plan also enables users to ensure functional correctness of their smart contracts with high confidence.

Register for an account, select a subscription plan or buy an scan pack, then use a tool of your choice and configure it with your API key. For a detailed walkthrough, see our Getting Started guide.

See the Tools section of our documentation. Also, you can search the package manager or app store of your IDE for “MythX” to discover MythX tools.

The computing time dedicated to each analysis depends on the plan you are on. Quick scan runs for 5 minutes, Standard scan runs for 30 minutes, and Deep scan runs for 90 minutes.

Reported issues should always contain the specific location in the code of the vulnerability, and also a “SWC ID” field. The SWC ID uniquely identifies the issue in the SWC Registry, where detailed information and remediation steps are listed.

Yes. Log in to your account and click "View Analyses” to see the job history for your account.

To ensure you always get the most comprehensive results please submit the smart contract source code *.sol file. This allows MythX to thoroughly analyze ever line of code and return results listing all the vulnerabilities MythX can currently detect. Please note if you only submit bytecode (your compiled contract) MythX can still analyze it but with limited results. So beware always submit your source code for best results!

MythX has two subscription plans MythX Developer and Professional in addition to on demand scan packs. Please see our Pricing page for more details.

We accept credit card payments, handled by Stripe, for our Scan Packs and Developer and Professional subscription plans. Enterprise customers will be invoiced. Please click the “Help” button below to contact us if you have questions about payment.

Our Enterprise plan provides custom support, deployments, and integrations. If you would like to know more about our Enterprise offerings, please contact us.

These hardware wallets do not currently support the Metamask signature methods we require to register new users and pay for subscriptions, so a traditional Metamask account is necessary.

You can upgrade your plan at any time. When upgrading from the Developer to Professional plan before your renewal date, your current subscription balance will not be refunded. The features of your upgraded plan will start immediately after purchasing.

There are two options when downgrading from a paid plan:

• You can downgrade from the Professional plan to the Developer plan at any time by cancelling your subscription, then purchasing the Developer plan.

• You can downgrade to the On Demand plan at any time by canceling your current payment. You will then switch to the On Demand plan at your next renewal date.

We do not offer refunds for cancellations or plan downgrades.

Building on MythX gives you access to the premier smart contract security analysis service that combines static code analysis, guided greybox fuzzing, and symbolic execution. You can focus on the user experience while we focus on providing the best security analysis engine possible.

You can also earn a revenue share through your tool, with the share calculated based on the number of paying users who use your tool. We are planning to offer 25% of API revenues back to tool builders once our paid subscription plans go live.

Please see our documentation on building security tools with MythX.

There are no limitations on what you can build. IDE plugins, GitHub apps, CI tools, extensions for code editors, web apps and dashboards, all are possible. The only thing that matters is that users of your tool need to sign up for a MythX account.

The MythX API is fully documented and open. You can also view our API walkthrough.

Register for an account and start building. Don’t forget to pick a unique name for your tool and include it in the clientToolId field with API requests. To become eligible for revenue share you must first register your tool on the MythX Partner Program.

Please refer to the documentation on building security tools using MythX for more information.

MythX partners can integrate MythX into their own products and services. We have a partner portal, the MythX Partner Program, where we highlight and showcase our partners and their tools and services.

If you are interested in becoming a partner, you can join here.