Embark dashboard with MythX

How MythX works

MythX scans for security vulnerabilities in Ethereum and other EVM-based blockchain smart contracts. MythX’s comprehensive range of analysis techniques — including static analysis, dynamic analysis, and symbolic execution — can accurately detect security vulnerabilities to provide an in-depth analysis report. These security analyses can be used throughout the development lifecycle to aid in preparation for a security audit. Using MythX during development eases the impact of a security audit and helps to build secure Smart Contracts from the ground up. The idea is that once MythX returns no technical errors, the contracts are ready for a full audit.

MythX detects the majority of vulnerabilities listed in the SWC Registry. The report will return a listing of all the weaknesses found in the code, including the exact position of the issue and its SWC ID. Analysis reports generated can be only accessed by the owner of the account (you).

Contracts are submitted to MythX using their API. A full list of all completed analysis reports can be seen in the MythX dashboard.

MythX dashboard with analyses

MythX was designed to work with third party security tools and developer plugins. This has paved the way to allow MythX integration in to Embark, by way of the Embark MythX plugin. The Embark MythX plugin allows developers to easily submit their contracts (all contracts, or just those that need it) for analysis and see the resulting report in the console.

Let’s walk through this and see how it can be done!

  1. Prerequisites
  2. Create a ÐApp
  3. Install the Embark MythX plugin
  4. Create a .env file with MythX credentials
  5. Run Embark
  6. Run some MythX commands
  7. Conclusion

Step 1. Prerequisites

Before we can submit our first contract for analysis, let’s take care of a few requirements.

Install Embark

Install Embark either globally or as a package in your ÐApp. The most simple way forward is to install Embark globally on your system:

yarn global add embark
# OR
npm i -g embark

The rest of this article will assume you have Embark installed globally, and therefore available from the CLI.

Create a MythX account

You’ll need to create a MythX account before any contracts can be submitted. The dashboard of this account will list all completed analyses. Signing up for a free plan is easy. The free plan is a great way to test out MythX’s features without forking over any dollary-doos. You may skip the step of connecting your Ethereum address with MetaMask if you’d like, as a username, password, and API key are sufficient to proceed with this tutorial.

Obtain a MythX API key

Once you’ve created a MythX account, we need to obtain an API key. This can be done on the Tools page. Simply enter your MythX password and click the “Generate API Key” button. We will use the API key in Step 4.

Step 2. Create a ÐApp

For this article, we will be creating a demo ÐApp to use as a base for submitting our first contract for analysis. However, if you already have a ÐApp with contracdts that you’d like to use instead, simply skip this step.

Creating an Embark demo is easy, simply run the following commands:

embark demo
cd embark_demo

This will create a ÐApp with one contract, SimpleStorage, which we will submit to MythX for analysis.

Step 3. Install the Embark MythX plugin

Installing the Embark MythX plugin in our ÐApp is extremely simple:

  1. Add the embark-mythx package to your ÐApp:
    yarn add embark-mythx
    # OR
    npm i embark-mythx --save
  2. Add the embark-mythx plugin to embark.json:
    // embark.json
    // ...
    "plugins": {
    "embark-ipfs": {},
    "embark-swarm": {},
    "embark-whisper-geth": {},
    "embark-geth": {},
    "embark-parity": {},
    "embark-profiler": {},
    "embark-graph": {},
    "embark-mythx": {} // <====== add this!
    },
    // ...

Step 4. Create a .env file with MythX credentials

Create a .env file in the root of your ÐApp. Add your MythX API key, username, and password like so:

MYTHX_API_KEY="1234...7890"
MYTHX_USERNAME="[email protected]"
MYTHX_PASSWORD="abc123"

Step 5. Run Embark

Now that we have installed the plugin, let’s run Embark to get access to its dashboard:

embark run --nobrowser

Once Embark has completed bootstrapping, we should see a command prompt in the Embark dashboard at the bottom:
MythX dashboard with analyses

Step 6. Run some MythX commands

All functionality for the Embark MythX plugin can be accessed via the verify command.

Available commands

For a full list of available options and usage instructions, execute the help command in the console:

Embark (development) > verify help

We can see there are a few options for us to use and we can also see how they can be used:

Available Commands

verify <options> [contracts] Runs MythX verification. If array of contracts are specified, only those contracts will be analysed.
verify report [--format] uuid Get the report of a completed analysis.
verify status uuid Get the status of an already submitted analysis.
verify list Displays a list of the last 20 submitted analyses in a table.
verify help Display this usage guide.

Examples

verify --mode full SimpleStorage ERC20 Runs a full MythX verification for the SimpleStorage and ERC20 contracts only.
verify status 0d60d6b3-e226-4192-b9c6-66b45eca3746 Gets the status of the MythX analysis with the specified uuid.
verify report --format stylish 0d60d6b3-e226-4192-b9c6-66b45eca3746 Gets the status of the MythX analysis with the specified uuid.

Verify options

-m, --mode string Analysis mode. Options: quick, standard, deep (default: quick).
-o, --format string Output format. Options: text, stylish, compact, table, html, json (default: stylish).
-c, --no-cache-lookup Deactivate MythX cache lookups (default: false).
-d, --debug Print MythX API request and response.
-l, --limit number Maximum number of concurrent analyses (default: 10).
-t, --timeout number Timeout in secs to wait for analysis to finish (default: smart default based on mode).

Verify the SimpleStorage contract

Let’s take a peek to see how easy it is to analyse our SimpleStorage contract.
In the Embark console, execute the following command to submit our SimpleStorage contract for MythX security analysis:

verify

The results should look the following:
SimpleStorage security analysis

First, we can see that a MythX job was submitted, with a URL that takes us to the analysis job in the MythX dashboard.

Second, we can see from the security analysis output in the console that there is a warning marked “SWC-103”. Looking at the SWC Registry for SWC-103 help, we can remedy this by changing line 1 of our contracts/simple_storage.sol to:

pragma solidity 0.6.1;

Embark will detect the change in the contract and automatically recompile and redeploy our contract. We can then re-submit our contract for analysis:

verify

And voila!
SimpleStorage security analysis success

MythX has confirmed that we no longer have any security issues!

Viewing the submissions in the MythX dashboard

Open your browser and go to the MythX analyses page. After logging in, you should be able to see a list of all the contracts you’ve submitted for analyses.

Mythx Analysis List

Click in to each job and then in to each contract, and you will should see details of the security analysis, along with line numbers in the source and a preview of issues in the code at the bottom of the page.

Mythx Analysis Detail

Conclusion

We have seen firsthand how the Embark MythX plugin can assist in our development workflow, allowing us to analyse the security of our contracts throughout the development lifecycle. While we have only scraped the surface as to the complexity of the MythX’s security analysis, the Status Embark + MythX article dives in to more detail on common contract vulnerabilities and how they are presented using the Embark MythX plugin.