MythX is a company from ConsenSys which offers a smart contract security tool and service for Ethereum. Recently, they released their product as a service: MythX is offered as a free tool which analyzes ten common smart contract vulnerabilities. The paid version, MythX Pro, has similar functionality but catches many more vulnerabilities to provide an even more thorough analysis.
We sat down with Tom Lindeman, Co-founder of Consensys Diligence and MythX platform strategist, to learn more about how MythX started and where it’s headed.
Tom: My name is Tom Lindeman and I've been with ConsenSys (the parent company of MythX) for a couple of years now. One of the first things I did when I joined was to help form ConsenSys Diligence - which is focused on security services for smart contracts.
A year ago we hired Bernhard Mueller, creator of the very popular open-source tool Mythril. Mythril does automatic security scanning of smart contracts using symbolic execution and already had 400,000 users. We decided to try to add new analysis techniques and productize that into a SaaS service so that we could leverage the power of the cloud to run the computationally intensive analysis so that the developers wouldn't have to run all of that stuff locally.
The second thing we did was integrate the MythX API with tools that developers are already using like Truffle, VS Code, Remix, and Embark. We were happy to launch that last month.
We didn't just do a typical blockchain MVP where we’re just hashing together something that just does the bare minimum. It’s got a very deep and powerful API that’s very easy to use which employs a number of powerful analysis techniques on the backend, all working together. In addition, there is a SaaS service aspect as well. This is a very legit, end to end, well-baked product.
Tom: Before ConsenSys, I spent 20 years at Microsoft, where I shipped 23 products to market. During that time, I became involved in Ethereum and that his was quite early on, even before it was launched.
Well I remember my first crypto transaction was a Litecoin purchase in December 2013. I met Gavin Wood in Seattle over oysters and we talked about some dapp ideas I had, and discussed the Ethereum security audit that they were doing. At the time, I was also mining and playing around with altcoins and some time after that Cale Teeter from Microsoft wrote a Solidity plugin for Visual Studio while I was running the Visual Studio ecosystem.
Around that time we met with ConsenSys at Microsoft Build (a major developer conference) and Joseph Lubin was there, along with ConsenSys co-founders Andrew Keys and Jeremy Millar. So we decided to do this joint hackathon with ConsenSys around building dapps with the Solidity extension and that's really were it all started.
A few years after that, I gave Joe a call and wanted to really get involved. That's where things really took off for me. The first thing I did after joining was jumping right into the security aspect, helping turn ConsenSys Diligence into a full-fledged audit service. Those guys are really top-notch security professionals and it was a great way to dig into this aspect of Ethereum.
Tom: When we started, there were a lot of code analysis tools out there for traditional programming languages like C or C#. But for smart contracts, there weren’t very many.
The tools that existed started off doing kind of static analysis, seeing if there are any bugs in your code. And little by little they started to develop more in-depth, complex analysis techniques. When that happened, some of the tools also became harder to use. Some of the tools you had to really spend time configuring, and creating inputs for, etc. We decided to learn from that and go the other way.
In addition to static analysis, we also added dynamic analysis. The symbolic execution of Mythril was also obviously very important. We added some technology to do advanced fuzzing and we now combine all of these things together into a suite of analysis techniques that all work together.
So MythX doesn't just do one thing. It does several things, and the output from one service is used as the input for another one so that we can better figure out where to go hunting for vulnerabilities. It grew from there and we’ve put into the cloud to make it even easier to use.
We now have a subscription service that uses smart contracts and takes DAI tokens as the payment system. We were one of the first services to launch an on-chain subscription model. We could have used PayPal but this is Web3. We're trying to live the dream that we are trying to help build.
Tom: One challenge has been regarding our SaaS model. Mythril was a free and open source tool. So getting these Ethereum developers who are very used to free, open-source tools to start to pay for something is a little bit of a mindset change for them. Since it is security though, I think they understand the value.
Another challenge we faced was back in 2017 when the ICO boom was happening. We had all kinds of people calling us: “Hey we're launching next Wednesday. Can you do an audit for us by then? Oh, you can’t? Well my cousin Jim said he could do it. Thanks, I’ll just call him.”
That’s not the way to do it. Security is something you need to take very seriously. Even now that is still a challenge. Even with the DAO hack, Parity wallet hack, and all the other hacks that have happened since, getting development teams to start to think about security on a daily basis, rather than just something they do way at the end - that has been a big challenge.
Whether it is MythX or not, we’d like to see developers run automated analysis tools every day. Every time you compile, you should analyze. Compile, analyze. You did a major milestone? Great - run that tool all night long. Let it fuzz through the forest like Little Red Riding Hood and just look for anything that you can. And then once you get done and you’re about to launch the mainnet, you might want to do a formal audit with some humans. They’re gonna really look at for logic errors and make sure the code is safe for your launch.
There is another aspect that people miss. After you’ve launched on mainnet, you’re still not out of the woods. New vulnerabilities could appear that didn't exist when you did your audit or your scans. The compiler could change, Solidity could change, new vulnerabilities could be discovered - all this stuff. We've partnered with Alethio and Amberdata so we can continuously scan your contact live on mainnet using MythX.
As your project matures, you're going to make some more smart contracts. You're going to build on top of your other ones, and now you need to re-evaluate your security status. So security is really not a one-time thing. We need to help these companies get into longer relationships. Whether it's Quantstamp or MythX, we need to let them know we have their back. Getting that whole mindset going has been a challenge.
Some of the older, established projects like 0x and Aragon, Omisego, they get it. We work with them very closely. But many new projects do not quite get it yet so educating the market on security is something we need to do as a formalized alliance.
Tom: It's still such a young ecosystem that standards are in some respects a little tricky. One similar concept which could be more valuable at this stage is best practices.
People are still using different things. They don't know which ones are better than the other ones. We need a unified hub of security best practices. I think that may actually end up being a hub of hubs. ConsenSys Diligence has a nice list of best practices that's open-source and lots of smart people contribute to it. But it’s not the only one, so it may be worth collecting those.
Standards could also arise from when we start to get into specific types of vulnerabilities that you want to make sure don’t happen inside a smart contract. That's how the traditional security industry evolved. They have common blacklists of known malware and viruses and nasty things and they share that with one another.
These lists, such as CWE or CVE vulnerabilities, are the latest greatest information that everyone should know and everyone should share. I think this kind of concept of common, shared information fits better with a decentralized system like Ethereum or blockchain.
Tom: We have a pretty big partner ecosystem which we want to continue to expand. These are partners that build integrations with MythX, leverage the API and even resell the service. These partner integrations are separate and autonomous but they are also connected and collaborating. I look at them like puzzle pieces. They exist separately but every once in a while they plug into each other and you get more value from it. We are going to keep doing that which will both help our business and benefit the ecosystem along the way.
Of course we’ll be continually improving and iterating the MythX product. We’re always trying to get more comprehensive with our tools and as new vulnerabilities are found we want to make sure that we capture those as well.
Tom: I think the most important thing going forward is to build trust in the entire system.
Many of us in the industry are early adopters. We try new things. I sent some Eth in a transaction “before it was cool” and I knew I might not get it back.
However, if this is going to gain mass adoption, where somebody at the grocery store is going to use a dapp and send transactions from their phone, there has to be more trust. That means lower risk which means better confidence in the entire system.
That's really what we're trying to do, is overall make Ethereum safe, make it more secure. We can never say anything is 100% secure but we can get to secure enough that banks will say “That's tested, they did the audit, that's good. I will send a million dollars or 100 million dollars through that smart contract. I feel confident about that.” That's where we need to get to.
While we were doing that, Ethereum 2.0 is happening - Ethereum is evolving. Other exciting things like atomic swaps are also coming. That’s the exciting part. I don’t have any crystal balls or grand visions about where the entire blockchain ecosystem is going, but I think building trust in the transactions of the Ethereum layer is my main mission.
Tom Lindeman is in charge of Strategic Initiatives at ConsenSys Diligence, a security division of ConsenSys which he founded. Find out more about MythX at MythX.io, and learn more about ConsenSys Diligence at Diligence.Consensys.Net.