Mythril - Smart Contract Security Analysis Web API


Challenge Overview

The scope of this challenge is to create an asynchronous API for the Mythril security analysis tool. The API should allow users to submit Ethereum bytecode, which is then passed to Mythril for analysis. Once the analysis is finished, users should be able to retrieve a JSON-formatted list of detected issues.

The main goal is to make the security analysis functions of the myth command line tool available via an API. How exactly you do this is up to you, but given that Mythril runs on Python 3, you'll most likely want to use Django with Mythril installed as a dependency.

Suggested Stack

Blockchain Community

This challenge is brought to you with the help of Topcoder Blockchain Community; please check and join it, if you have not done it already, and if you would like to see more blockchain-related challenges on Topcoder!

Detailed Requirements

Create a web app that provides a REST API endpoint. The API endpoint should support three request types:

1. Bytecode submission
The client submits EVM bytecode(s) of one or multiple smart contracts in the format of hex strings (e.g. “0x5060...”). Input data should be processed in the same way as in the myth command line tool. Specifically:
  1. If bytecode for a single contract is submitted, analyze that contract.
  2. If multiple contract bytecodes are submitted, map those contracts to addresses 0x0000(..), 0x1111(...), etc. in the order submitted. Then start the analysis with the first submitted contract as the entry point. See the code for processing multiple input files in the myth command line tool.
The requests may look as follows:
POST /mythril/v1/analysis/
{"type":"bytecode", "contract_0":"0x5050(...)", "contract_1":"0x5060(...)"}

If valid inputs are supplied, the web app should queue the analysis as a background job. A UUID should be returned, which the client may then use to retrieve the scan status and results. For example:
{"result":"Queued for analysis", "uuid":"[some-uuid]"}
In case of an error, a detailed error message should be included (e.g. “invalid bytecode”).

2. Status API
This endpoint returns the current status of a particular analysis, or an error if an invalid or non-existent analysis id is supplied. E.g.:
GET /mythril/v1/analysis/[uuid]
Possible results:
{"result":"Queued", "uuid":"[some_id]"}
{"result":"In progress", "uuid":"[some_id]"}
{"result":"Finished", "aid":"[some_id]"}
{"result":"Error", "message":"AID does not exist."}


3. Reports API
Once a scan is finished, clients can retrieve the results via the reports API. This should return the list of detected issues in JSON format.
GET /mythril/v1/analysis/[aid]/issues
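The three request types above (submission with validation and address mapping, status lookup, and issue retrieval) as one self-contained Python module. This is an added example, not the challenge's reference code or Mythril's own API: the HTTP layer is left to whatever framework you choose, and the Mythril invocation is replaced by an injectable `analyzer` callable. The `stand_in_analyzer` below is a constructed placeholder (a linear-sweep disassembly that skips PUSH immediates and reports any SELFDESTRUCT opcode) so the module runs offline; in a real deployment the callable would run Mythril over the mapped contracts. The address scheme assumes the repeated hex digit of the contract's index, which matches the page's 0x0000.., 0x1111.. description for the first ten contracts.

```python
import re
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor

HEX_BYTECODE = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")  # 0x-prefixed, whole bytes only
CONTRACT_KEY = re.compile(r"^contract_(\d+)$")
QUEUED, IN_PROGRESS, FINISHED, ERROR = "Queued", "In progress", "Finished", "Error"


def validate_submission(payload):
    """Return bytecodes in submission order, or raise ValueError with a client-facing message."""
    if not isinstance(payload, dict) or payload.get("type") != "bytecode":
        raise ValueError("invalid request: type must be 'bytecode'")
    indexed = {}
    for key, value in payload.items():
        m = CONTRACT_KEY.match(key)
        if not m:
            continue
        if not isinstance(value, str) or not HEX_BYTECODE.match(value):
            raise ValueError(f"invalid bytecode in {key}")
        indexed[int(m.group(1))] = value.lower()
    if not indexed:
        raise ValueError("no contract bytecode supplied")
    # contract_0..contract_n must be contiguous so "first submitted" (the entry point) is well defined
    if sorted(indexed) != list(range(len(indexed))):
        raise ValueError("contract indices must be contiguous starting at contract_0")
    return [indexed[i] for i in range(len(indexed))]


def map_to_addresses(codes):
    """Assign 0x0000..., 0x1111..., ... (20-byte address of the repeated index digit) in submission order.
    Assumption: indices 10..15 reuse the hex digit a..f; the page only specifies 0x0000.., 0x1111.., etc."""
    if len(codes) > 16:
        raise ValueError("at most 16 contracts per submission")
    return [("0x" + format(i, "x") * 40, code) for i, code in enumerate(codes)]


def stand_in_analyzer(contracts):
    """Constructed stand-in for Mythril (not its analysis): linear sweep that skips PUSH1..PUSH32
    immediates (opcodes 0x60-0x7f carry 1..32 data bytes) and reports every SELFDESTRUCT (0xff)."""
    issues = []
    for address, code in contracts:
        raw = bytes.fromhex(code[2:])
        pc = 0
        while pc < len(raw):
            op = raw[pc]
            if op == 0xFF:
                issues.append({"address": address, "pc": pc, "title": "SELFDESTRUCT opcode present"})
            pc += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)
    return issues


class AnalysisService:
    """In-memory job store plus worker pool; swap the dict for a database and the pool for Celery/RQ in production."""

    def __init__(self, analyzer=stand_in_analyzer, workers=2):
        self._analyzer = analyzer
        self._pool = ThreadPoolExecutor(max_workers=workers)
        self._jobs = {}
        self._lock = threading.Lock()

    def _set(self, job_id, **fields):
        with self._lock:
            self._jobs[job_id].update(fields)

    def _run(self, job_id, codes):
        self._set(job_id, status=IN_PROGRESS)
        try:
            self._set(job_id, status=FINISHED, issues=self._analyzer(map_to_addresses(codes)))
        except Exception as exc:  # an analysis failure is recorded on the job, never lost in the worker
            self._set(job_id, status=ERROR, message=str(exc))

    def submit(self, payload):
        """POST /mythril/v1/analysis/ : validate synchronously, analyze in the background."""
        try:
            codes = validate_submission(payload)
        except ValueError as exc:
            return {"result": ERROR, "message": str(exc)}
        job_id = str(uuid.uuid4())
        with self._lock:
            self._jobs[job_id] = {"status": QUEUED, "issues": None, "message": None, "future": None}
        self._set(job_id, future=self._pool.submit(self._run, job_id, codes))
        return {"result": "Queued for analysis", "uuid": job_id}

    def status(self, job_id):
        """GET /mythril/v1/analysis/[uuid]"""
        with self._lock:
            job = self._jobs.get(job_id)
        if job is None:
            return {"result": ERROR, "message": "AID does not exist."}
        if job["status"] == ERROR:
            return {"result": ERROR, "uuid": job_id, "message": job["message"]}
        return {"result": job["status"], "uuid": job_id}

    def issues(self, job_id):
        """GET /mythril/v1/analysis/[aid]/issues : only available once the job is Finished."""
        with self._lock:
            job = self._jobs.get(job_id)
        if job is None:
            return {"result": ERROR, "message": "AID does not exist."}
        if job["status"] != FINISHED:
            return {"result": ERROR, "uuid": job_id, "message": f"analysis is {job['status']}"}
        return {"result": FINISHED, "uuid": job_id, "issues": job["issues"]}

    def wait(self, job_id, timeout=30):
        """Block until the background job completes (for tests and CLI use, not an HTTP endpoint)."""
        with self._lock:
            future = self._jobs[job_id]["future"]
        future.result(timeout=timeout)
```

The constructed bytecodes `0x6000ff` (PUSH1 0x00; SELFDESTRUCT) and `0x60ff` (PUSH1 0xff, where 0xff is push data, not an opcode) exercise the immediate-skipping and show why a byte search alone would produce a false positive. Validation runs before the UUID is issued, so malformed input is rejected in the response to the POST rather than surfacing later as a job error.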

Additional Information

  • It is essential to understand the basics of using Mythril on the command line, as well as the class interfaces and utility functions used by the myth command line tool. Install Mythril and run the examples listed in the README to familiarise yourself with the tool. Note the various input options and command line arguments. You can run Mythril on the provided Solidity files and on the Ethernaut challenges.
  • Note that Mythril's analysis can take several minutes for more complex contracts, and needs to be implemented using background jobs.
  • Feel free to make changes and improve on the suggested APIs, as long as the required functionality is provided.
  • Unit tests with 80% coverage are required.

Resources

Final Submission Guidelines

Submissions should contain fully self-contained web app code that can be deployed on Heroku or other cloud platforms.

Ideally, manage your code in a private GitHub or GitLab repository and share a link to the repo in your submission.

Reliability Rating and Bonus

For challenges that have a reliability bonus, the bonus depends on the reliability rating at the moment of registration for that project. A participant with no previous projects is considered to have no reliability rating, and therefore gets no bonus. Reliability bonus does not apply to Digital Run winnings. Since reliability rating is based on the past 15 projects, it can only have 15 discrete values.

ELIGIBLE EVENTS:

2018 Topcoder(R) Open

REVIEW STYLE:

Final Review:

Community Review Board

Approval:

User Sign-Off
