What are examples of major security breaches in blockchain, and how could MythX have mitigated the problem?

There are two incidents most often mentioned: The DAO attack in June of 2016, during which $60 million was lost due to a smart contract error, and the Parity Wallet takeover in June of 2017, which caused a loss of $30 million. The error that caused the latter was fixed, but unfortunately not very well. A couple of months later, the Parity self-destruct vulnerability resulted in a loss of a further $150 million, allegedly by a non-hacker who stumbled upon the bug.

In terms of learnings, the Parity team indicated that instead of just having more smart contract audits, they believed that there needs to be more extensive formal tooling and testing and monitoring procedures during the development life cycle in order for the ecosystem to really prevent such events from occurring. That’s where MythX comes in. It’s a security analysis API that integrates with dev tools like Truffle, Visual Studio Code, Embark and Remix to allow security analysis right from the dev environment.

What does this mean for developers?

With MythX, as a developer, you can integrate security scanning into your development life cycle. Whether you’re at the beginning, building test cases, or in the development process, every time you do a pull request or every time you compile a contract, with MythX you can run a security analysis. MythX has a whole set of micro-services that handle symbolic analysis, dynamic analysis, static analysis, fuzzing, linting and other checks. Every security check that can be done has been built into MythX, where it can be run as a SaaS service. Users don’t have to run it on their own machines and use up computing cycles, and the service is always up-to-date. Our free version runs between 30 seconds and two minutes. That’s what we call “quick” mode, and it is very useful for double checking small code changes on the fly.

Further, we have created what’s called the SWC Registry — the Smart Contract Weakness Classification Registry — which is an open source initiative. It is growing in scope, and enumerates all the major known smart contract vulnerabilities: re-entrancy, the self-destruct bug, categories of smart contract vulnerabilities and subsets. It provides descriptions, code examples, mitigations, et cetera. That’s one of the core tools that MythX uses to gauge what we’re finding and what we’re checking.

When you move to the paid version of MythX, which we are calling MythX Pro and which launches on September 9th, users will be able to scan for many more of the SWC IDs, and for a longer amount of time, so that you can get into deeper analysis. MythX Pro uses a smart contract-driven subscription service from CoDeFi powered by Dai tokens.