If you're still hitting MythX API endpoints or running mythx-cli in CI, you're getting failures — MythX (ConsenSys Diligence's cloud scanning platform) shut down in 2023. API access has been offline since then.
Two things worth clarifying before going further: MythX was the cloud SaaS. Mythril is the open-source symbolic execution engine that MythX ran on top of. Mythril is still actively maintained under MIT license and works fine as a standalone tool. Replacing MythX doesn't mean giving up symbolic execution.
This post covers how to migrate off dead MythX dependencies and what to use instead.
What's Actually Broken
If your pipeline used MythX, these are the specific things that no longer work:
- All MythX API endpoints are offline
mythx-cliand the MythX Python SDK will fail on authentication and scan requests- Any GitHub Actions or Hardhat plugins built around the MythX integration need replacement
Mythril (pip install mythril) is unaffected and continues to work independently.
Why ContractScan Is a Practical Replacement
| Feature | MythX | ContractScan |
|---|---|---|
| Static analysis | ✅ | ✅ Slither |
| Symbolic execution | ✅ | ✅ Mythril (optional) |
| Pattern-based detection | ❌ | ✅ Semgrep |
| AI-powered analysis | ❌ | ✅ Claude AI |
| Free tier | Limited | Unlimited QuickScan, no sign-up |
| CI/CD integration | ✅ | ✅ (Pro plan) |
ContractScan runs multiple engines in parallel and produces a single report with a security score, per-severity breakdown, and AI-generated remediation suggestions.
Other alternatives worth evaluating: Slither (Trail of Bits, AGPL-3.0) for CI static analysis, Cyfrin Aderyn for Foundry-native analysis, Wake (Ackee Blockchain) for combined testing and analysis. Running Mythril directly is also straightforward if you specifically want symbolic execution.
Quickstart: Scan Your First Contract
No account required. Visit contract-scanner.raccoonworld.xyz and paste your Solidity code directly, or scan by contract address.
For example, to scan the canonical reentrancy vulnerability:
pragma solidity ^0.8.0;
contract Vault {
mapping(address => uint) public balances;
function deposit() public payable {
balances[msg.sender] += msg.value;
}
function withdraw() public {
(bool ok,) = msg.sender.call{value: balances[msg.sender]}("");
require(ok);
balances[msg.sender] = 0; // state updated AFTER external call — reentrancy bug
}
}
ContractScan will flag the reentrancy pattern, explain the exploit path, and suggest the Checks-Effects-Interactions fix — all in one report.
Replacing MythX in Your GitHub Actions CI/CD
The simplest free replacement for MythX in CI is Slither via the official GitHub Action:
# FREE: Slither static analysis (replaces MythX static layer)
- name: Run Slither
uses: crytic/slither-action@v0.4.0
with:
target: 'contracts/'
Slither is the open-source static analyzer from Trail of Bits that catches most of the same structural vulnerability patterns.
ContractScan CI API (Paid Plans)
For teams that want Slither + AI analysis + multi-engine scanning in CI, ContractScan offers a CI/CD API on paid plans:
# ContractScan CI scan (requires Pro/Enterprise API key)
- name: Run ContractScan
run: |
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
-F "file=@contracts/MyContract.sol" \
-H "X-Api-Key: ${{ secrets.CONTRACTSCAN_API_KEY }}" \
--fail-with-body
The CI endpoint returns structured JSON with severity levels (low, medium, high, critical), compatible with MythX's SWC-level severity model. Use the response to fail your pipeline on findings above your threshold.
Free scans are available at the web UI — unlimited QuickScans, no account needed.
Migrating from the MythX Python SDK
If you used the MythX Python client directly:
# OLD: MythX SDK (no longer works)
from mythx_cli.client import Client
client = Client(api_key="...")
response = client.analyze(source_files={"Vault.sol": source})
ContractScan exposes a REST API at /ci/scan:
# Scan via CI REST API (requires API key for full scan)
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
-F "file=@contracts/Vault.sol" \
-H "X-Api-Key: $CONTRACTSCAN_API_KEY"
Or use the ContractScan MCP server inside Claude Code:
Scan contracts/Vault.sol for security vulnerabilities using ContractScan.
What the ContractScan Report Looks Like
A typical scan result includes:
- Security Score (0–100): overall contract health
- Findings by severity: Critical / High / Medium / Low / Informational
- Per-issue details: affected lines, exploit description, SWC reference (compatible with MythX's taxonomy)
- AI remediation: concrete code fix suggestions from Claude AI
- PDF export: audit-ready report for client delivery
Pricing
ContractScan's free tier offers unlimited QuickScans with no sign-up. For full multi-engine scans (Slither + Mythril + Semgrep + AI), upgrade to Pro at $59/mo or use Pay-per-scan at $4.99/scan. See the pricing page for details.
Migration Checklist
- Remove all
mythx-cliand MythX SDK references from your pipeline - Add
crytic/slither-action@v0.4.0as a free CI replacement for static analysis - Test your contracts at contract-scanner.raccoonworld.xyz (free, no account needed)
- For symbolic execution specifically, run Mythril directly — it's the same engine MythX used, now without the SaaS wrapper
ContractScan's multi-engine approach covers the analysis breadth MythX offered, with an AI layer on top for logic-level issues that symbolic execution tends to miss.
ContractScan is a smart contract security scanner. Free tier: unlimited QuickScans, no sign-up. CI/CD integration via API is live today. MCP server available on PyPI (pip install contractscan-mcp).
Important Notes
This post is for informational and educational purposes only. It does not constitute financial, legal, or investment advice. The security analysis provided is based on available data and automated tools, which may not capture all potential vulnerabilities. Always conduct a professional audit before deploying smart contracts.