---
title: Smart Contract security analysis with MythX
summary: "Analyse Smart Contract security throughout the development lifecycle using the Embark MythX plugin."
author: eric_mastro
categories:
- smart-contracts
- security
- mythx
- tutorial
layout: blog-post
image: '/assets/images/mythx_dashboard.png'
---
## How MythX works
MythX scans for security vulnerabilities in Ethereum and other EVM-based blockchain smart contracts. MythX's comprehensive range of analysis techniques — including static analysis, dynamic analysis, and symbolic execution — can accurately detect security vulnerabilities and produce an in-depth analysis report. These analyses can be used throughout the development lifecycle to prepare for a security audit. Using MythX during development eases the impact of a security audit and helps to build secure Smart Contracts from the ground up. The idea is that once MythX returns no technical errors, the contracts are ready for a full audit.
MythX detects the majority of vulnerabilities listed in the SWC Registry. The report lists all the weaknesses found in the code, including the exact position of each issue and its SWC ID. Generated analysis reports can only be accessed by the owner of the account (you).
Contracts are submitted to MythX using their API. A full list of all completed analysis reports can be seen in the MythX dashboard.
MythX was designed to work with third-party security tools and developer plugins. This has paved the way for MythX integration into Embark, by way of the Embark MythX plugin. The Embark MythX plugin allows developers to easily submit their contracts (all contracts, or just those that need it) for analysis and see the resulting report in the console.
Let's walk through this and see how it can be done!
- Prerequisites
- Create a ÐApp
- Install the Embark MythX plugin
- Create a `.env` file with MythX credentials
- Run Embark
- Run some MythX commands
- Conclusion
## Step 1. Prerequisites
Before we can submit our first contract for analysis, let's take care of a few requirements.
### Install Embark
Install Embark either globally or as a package in your ÐApp. The simplest way forward is to install Embark globally on your system:

```shell
yarn global add embark
# OR
npm i -g embark
```
The rest of this article will assume you have Embark installed globally, and therefore available from the CLI.
### Create a MythX account
You'll need to create a MythX account before any contracts can be submitted. The dashboard of this account will list all completed analyses. Signing up for a free plan is easy. The free plan is a great way to test out MythX's features without forking over any dollary-doos. You may skip the step of connecting your Ethereum address with MetaMask if you'd like, as a username, password, and API key are sufficient to proceed with this tutorial.
### Obtain a MythX API key
Once you've created a MythX account, we need to obtain an API key. This can be done on the Tools page. Simply enter your MythX password and click the "Generate API Key" button. We will use the API key in Step 4.
## Step 2. Create a ÐApp
For this article, we will be creating a demo ÐApp to use as a base for submitting our first contract for analysis. However, if you already have a ÐApp with contracts that you'd like to use instead, simply skip this step.
Creating an Embark demo is easy, simply run the following commands:

```shell
embark demo
cd embark_demo
```
This will create a ÐApp with one contract, SimpleStorage, which we will submit to MythX for analysis.
## Step 3. Install the Embark MythX plugin
Installing the Embark MythX plugin in our ÐApp is extremely simple:
- Add the `embark-mythx` package to your ÐApp:

```shell
yarn add embark-mythx
# OR
npm i embark-mythx --save
```

- Add the `embark-mythx` plugin to `embark.json`:

```json
// embark.json
// ...
"plugins": {
  "embark-ipfs": {},
  "embark-swarm": {},
  "embark-whisper-geth": {},
  "embark-geth": {},
  "embark-parity": {},
  "embark-profiler": {},
  "embark-graph": {},
  "embark-mythx": {} // <====== add this!
},
// ...
```
## Step 4. Create a .env file with MythX credentials
Create a `.env` file in the root of your ÐApp. Add your MythX API key, username, and password like so:

```shell
MYTHX_API_KEY="1234...7890"
MYTHX_USERNAME="satoshi.nakamoto@gmail.com"
MYTHX_PASSWORD="abc123"
```
## Step 5. Run Embark
Now that we have installed the plugin, let's run Embark to get access to its dashboard:

```shell
embark run --nobrowser
```
Once Embark has completed bootstrapping, we should see a command prompt in the Embark dashboard at the bottom:
## Step 6. Run some MythX commands
All functionality for the Embark MythX plugin can be accessed via the `verify` command.
### Available commands
For a full list of available options and usage instructions, execute the `help` command in the console:

```
Embark (development) > verify help
```
We can see there are a few options for us to use and we can also see how they can be used:
```
Available Commands

  verify <options> [contracts]   Runs MythX verification. If array of contracts are specified, only those contracts will be analysed.
  verify report [--format] uuid  Get the report of a completed analysis.
  verify status uuid             Get the status of an already submitted analysis.
  verify list                    Displays a list of the last 20 submitted analyses in a table.
  verify help                    Display this usage guide.

Examples

  verify --mode full SimpleStorage ERC20                                  Runs a full MythX verification for the SimpleStorage and ERC20 contracts only.
  verify status 0d60d6b3-e226-4192-b9c6-66b45eca3746                      Gets the status of the MythX analysis with the specified uuid.
  verify report --format stylish 0d60d6b3-e226-4192-b9c6-66b45eca3746     Gets the status of the MythX analysis with the specified uuid.

Verify options

  -m, --mode string       Analysis mode. Options: quick, standard, deep (default: quick).
  -o, --format string     Output format. Options: text, stylish, compact, table, html, json (default: stylish).
  -c, --no-cache-lookup   Deactivate MythX cache lookups (default: false).
  -d, --debug             Print MythX API request and response.
  -l, --limit number      Maximum number of concurrent analyses (default: 10).
  -t, --timeout number    Timeout in secs to wait for analysis to finish (default: smart default based on mode).
```
### Verify the SimpleStorage contract
Let's take a peek to see how easy it is to analyse our SimpleStorage contract. In the Embark console, execute the following command to submit our SimpleStorage contract for MythX security analysis:

```
verify
```

The results should look like the following:
First, we can see that a MythX job was submitted, with a URL that takes us to the analysis job in the MythX dashboard.
Second, we can see from the security analysis output in the console that there is a warning marked "SWC-103". Looking up SWC-103 in the SWC Registry, we can remedy this by changing line 1 of our `contracts/simple_storage.sol` to:

```solidity
pragma solidity 0.6.1;
```
Embark will detect the change in the contract and automatically recompile and redeploy our contract. We can then re-submit our contract for analysis:
```
verify
```
MythX has confirmed that we no longer have any security issues!
### Viewing the submissions in the MythX dashboard
Open your browser and go to the MythX analyses page. After logging in, you should be able to see a list of all the contracts you've submitted for analyses.
Click into each job and then into each contract, and you should see details of the security analysis, along with line numbers in the source and a preview of issues in the code at the bottom of the page.
## Conclusion
We have seen firsthand how the Embark MythX plugin can assist in our development workflow, allowing us to analyse the security of our contracts throughout the development lifecycle. While we have only scratched the surface of the complexity of MythX's security analysis, the Status Embark + MythX article dives into more detail on common contract vulnerabilities and how they are presented using the Embark MythX plugin.