Symbolic execution analysis using Mythril for deep vulnerability detection in smart contracts. Supports configurable transaction depth, timeout settings, and proof-of-concept exploit generation.
Deep vulnerability detection through symbolic execution using Mythril, a security analysis tool for EVM bytecode.
```bash
# Install via pip
pip install mythril

# Or use Docker (recommended)
docker pull mythril/myth

# Verify installation
myth version
```
```bash
# Analyze single file
myth analyze Contract.sol

# Analyze with Solidity version
myth analyze Contract.sol --solv 0.8.20

# Analyze specific contract
myth analyze Contract.sol:MyContract

# Analyze deployed contract
myth analyze -a 0x<address> --rpc <rpc_url>

# Analyze bytecode file
myth analyze --bin-runtime contract.bin
```
```bash
# Default transaction depth (2)
myth analyze Contract.sol

# Increased depth for complex multi-transaction interactions
myth analyze Contract.sol --execution-timeout 300 -t 3

# Deep analysis (slow)
myth analyze Contract.sol --execution-timeout 600 -t 4
```
```bash
# Set execution timeout (seconds)
myth analyze Contract.sol --execution-timeout 300

# Set solver timeout (milliseconds)
myth analyze Contract.sol --solver-timeout 10000

# Quick scan
myth analyze Contract.sol --execution-timeout 60 -t 2
```
```bash
# Run specific modules only
myth analyze Contract.sol --modules ether_thief,suicide

# Available modules
# - ether_thief
# - suicide
# - integer_overflow/underflow
# - delegatecall
# - arbitrary_write
# - state_change_external_call
```
```bash
# Default: human-readable text report on stdout
myth analyze Contract.sol

# Machine-readable formats for CI and tooling
myth analyze Contract.sol -o json > report.json
myth analyze Contract.sol -o markdown > report.md
myth analyze Contract.sol -o jsonv2 > detailed.json
```
Mythril detects reentrancy by tracking:
```text
==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: Vulnerable
Function name: withdraw()
PC address: 1234
Estimated Gas Usage: 2500 - 10000
Type: Informational
...

==== Integer Overflow ====
SWC ID: 101
Severity: High
Contract: Token
Function name: transfer(address,uint256)
PC address: 567
Estimated Gas Usage: 3000 - 5000
A possible integer overflow exists in the function...

==== Unprotected Selfdestruct ====
SWC ID: 106
Severity: High
Contract: Vulnerable
Function name: kill()
Any sender can trigger self-destruction...
```
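The findings above are what a CI gate has to act on. The following is an added example (not part of Mythril or of this page) that triages a `-o json` report: it refuses to treat a failed run as "no findings", counts issues per severity, and blocks the build on High findings whose SWC ID has not been explicitly reviewed and accepted. The sample report is constructed to mirror the three findings shown above; the field names (`swc-id`, `severity`, `title`, `contract`, `function`, `success`, `error`) are assumed to match Mythril's json output.

```python
import json

# Mythril's severity scale (Low < Medium < High).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Constructed sample mirroring the three findings shown above; field names
# are assumed to follow Mythril's `-o json` output.
SAMPLE_REPORT = json.dumps({"error": None, "success": True, "issues": [
    {"title": "External Call To User-Supplied Address", "swc-id": "107",
     "severity": "Low", "contract": "Vulnerable", "function": "withdraw()"},
    {"title": "Integer Overflow", "swc-id": "101", "severity": "High",
     "contract": "Token", "function": "transfer(address,uint256)"},
    {"title": "Unprotected Selfdestruct", "swc-id": "106", "severity": "High",
     "contract": "Vulnerable", "function": "kill()"},
]})

def load_issues(report_text):
    """Parse a report; a run that did not succeed is an error, not 'no findings'."""
    report = json.loads(report_text)
    if not report.get("success") or report.get("error"):
        raise RuntimeError(f"mythril run failed: {report.get('error')}")
    return report.get("issues", [])

def summarize(issues):
    """Count findings per severity, e.g. {'High': 2, 'Low': 1}."""
    counts = {}
    for issue in issues:
        counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts

def blocking_issues(issues, min_severity="High", accepted_swc=()):
    """Findings that fail the build: severity >= min_severity and SWC ID
    not on the reviewed-and-accepted list (keep that list in the repo)."""
    threshold = SEVERITY_RANK[min_severity]
    return [i for i in issues
            if SEVERITY_RANK.get(i["severity"], 0) >= threshold
            and i["swc-id"] not in set(accepted_swc)]

def ci_exit_code(report_text, min_severity="High", accepted_swc=()):
    """0 when nothing blocks the build, 1 otherwise; prints the blockers."""
    blockers = blocking_issues(load_issues(report_text), min_severity, accepted_swc)
    for i in blockers:
        print(f"[{i['severity']}] SWC-{i['swc-id']} {i['contract']}.{i['function']}: {i['title']}")
    return 1 if blockers else 0

if __name__ == "__main__":
    raise SystemExit(ci_exit_code(SAMPLE_REPORT))
```

Wire it in after `myth analyze Contract.sol -o json > report.json` and pass the file contents to `ci_exit_code`; lowering `min_severity` to `Medium` or `Low` tightens the gate.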
```bash
# Choose the search strategy (default bfs; dfs follows deep paths first)
myth analyze Contract.sol --strategy dfs --execution-timeout 300

# Analyze with constraints file
myth analyze Contract.sol --constraints constraints.json

# Limit state explosion
myth analyze Contract.sol --max-depth 30 --call-depth-limit 3
```