## Why You Need Multiple Tools
Each tool uses a fundamentally different methodology:
- Slither: Source code static analysis — fast with low false positives
- Mythril: Symbolic execution — deep analysis, slower but finds complex vulnerabilities
- Semgrep: Pattern matching — highly customizable, ideal for CI/CD
No single tool catches every vulnerability. Even The DAO hack was missed by the tools available at the time.
## Slither — The Static Analysis Standard
Developed by Trail of Bits, Slither is the de facto standard for Solidity security analysis.
### Installation and Usage
```bash
pip install slither-analyzer

# Scan a single file
slither contracts/Vault.sol

# Run specific detectors only (arbitrary-send-eth is the detector behind the
# "sends eth to arbitrary user" finding in the example output)
slither contracts/Vault.sol --detect reentrancy-eth,arbitrary-send-eth

# JSON output (for CI integration)
slither contracts/Vault.sol --json results.json
```
### Example Output
```text
INFO:Detectors:
Vault.withdraw() (contracts/Vault.sol#12-18) sends eth to arbitrary user
	Dangerous calls:
	- (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations
INFO:Detectors:
Reentrancy in Vault.withdraw() (contracts/Vault.sol#12-18):
	External calls:
	- (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
	State variables written after the call(s):
	- balances[msg.sender] = 0 (contracts/Vault.sol#17)
```
### Slither Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast (seconds) |
| Reentrancy detection | ✅ Excellent |
| Access control | ✅ Excellent |
| Oracle manipulation | ⚠️ Limited |
| False positives | Low |
| Learning curve | Low |
Over 60 built-in detectors, with support for writing custom detectors.
## Mythril — Symbolic Execution Engine
Developed by ConsenSys, Mythril uses symbolic execution to systematically explore a contract's execution paths. (Note: MythX ≠ Mythril. MythX was a cloud service that included Mythril but shut down on 2026-03-31. Mythril itself remains open-source and fully usable.)
### Installation and Usage
```bash
pip install mythril

# Analyze a source file
myth analyze contracts/Vault.sol

# Deeper analysis (takes longer)
myth analyze contracts/Vault.sol --execution-timeout 300

# Analyze EVM bytecode directly: -c takes the hex string, and the --bin-runtime
# flag tells Mythril it is runtime code rather than creation code
myth analyze -c 0x608060... --bin-runtime
```
### Example Output
```text
==== Reentrancy ====
SWC ID: 107
Severity: High
Contract: Vault
Function name: withdraw()
PC address: 148
The contract account state is changed after an external call.

Initial State:
Account: [attacker], balance: 0x1, nonce:0, storage: {}

Transaction Sequence:
Caller: [attacker], calldata: , value: 0x1
...
```
Results are categorized according to the SWC (Smart Contract Weakness Classification) standard.
### Mythril Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | 🐢 Slow (minutes to tens of minutes) |
| Complex logic detection | ✅ Excellent |
| Bytecode analysis | ✅ Supported |
| False positives | Medium |
| Learning curve | Medium |
Large contracts may hit timeouts. However, Mythril excels at finding vulnerabilities involving complex state transitions.
## Semgrep — Pattern Matching and Customization
Semgrep is a general-purpose code security tool that supports Solidity rulesets. It is especially useful for defining team-specific vulnerability patterns.
### Installation and Usage
```bash
pip install semgrep

# Use the public Solidity ruleset
semgrep --config=p/solidity contracts/

# Specific ruleset
semgrep --config=p/smart-contracts contracts/Vault.sol
```
### Custom Rule Example
```yaml
# Custom rule: detect tx.origin used for authentication
rules:
  - id: tx-origin-auth
    # pattern-either ORs the clauses; `patterns` would AND them and never match
    pattern-either:
      - pattern: require(tx.origin == $X)
      - pattern: require($X == tx.origin)
      - pattern: if (tx.origin == $X) { ... }
      - pattern: if ($X == tx.origin) { ... }
    message: |
      Using tx.origin for authentication is vulnerable to phishing attacks.
      Use msg.sender instead.
    languages: [solidity]
    severity: WARNING
```
### Semgrep Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast |
| Customization | ✅ Excellent |
| Known pattern detection | ✅ Excellent |
| Deep logic analysis | ❌ Not supported |
| Learning curve | Low (basic) / Medium (custom rules) |
## Comprehensive Comparison
| Criteria | Slither | Mythril | Semgrep |
|---|---|---|---|
| Methodology | Static analysis | Symbolic execution | Pattern matching |
| Speed | Fast | Slow | Fast |
| Reentrancy | ✅ | ✅ | ⚠️ |
| Access control | ✅ | ✅ | ✅ |
| Oracle manipulation | ❌ | ⚠️ | ❌ |
| Custom rules | ⚠️ | ❌ | ✅ |
| CI/CD suitability | ✅ | ⚠️ | ✅ |
| MythX replacement | Partial | ✅ | Partial |
## Practical Recommendations
- Solo developer (indie, fast deployment): Slither → CI integration → Pre-deployment ContractScan unified scan
- Team development (enterprise, multisig management): Slither + Semgrep (custom rules) → Automated PR checks → Pre-deployment Mythril deep analysis
- High-value protocols: All of the above + External audits (Certik, Trail of Bits, OpenZeppelin Audits)
## Unified Scanning: One Command for All Engines
If installing and managing multiple tools separately seems cumbersome, ContractScan wraps five independent engines (Slither, Mythril, Semgrep, Aderyn, and AI) into a single scan.
```bash
# ContractScan CI API — run all five engines simultaneously
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
  -F "file=@contracts/MyContract.sol" \
  -H "X-Api-Key: $CONTRACTSCAN_API_KEY"
```
Or scan directly on the web: https://contract-scanner.raccoonworld.xyz (no signup required)
The AI analysis layer catches business logic issues that static tools miss.
In the next post, we walk through integrating these tools into your CI/CD pipeline step by step — from branch protection rules to automated PR comment generation, covering the complete workflow.
Try ContractScan free at contract-scanner.raccoonworld.xyz