Why You Need More Than One Tool
These three tools work differently at a fundamental level:
- Slither: Dataflow-based static analysis — fast, low false positives, excellent for structural issues
- Mythril: Symbolic execution — enumerates execution paths to find complex state-dependent vulnerabilities
- Semgrep: Pattern matching — highly customizable, purpose-built for CI/CD integration
None of them catches everything. Even The DAO hack was missed by the tools available at the time. The realistic goal is defense in depth: each engine surfaces issues the others don't.
Slither — Dataflow Static Analysis
Developed by Trail of Bits and released under AGPL-3.0, Slither is the de facto standard for Solidity static analysis. It builds an intermediate representation of your contracts and runs dataflow analysis across it — tracking how values propagate through functions, where state changes relative to external calls, and which functions lack access control.
Installation and Usage
```bash
pip install slither-analyzer

# Scan a single file
slither contracts/Vault.sol

# Run specific detectors only (detector names as listed by `slither --list-detectors`)
slither contracts/Vault.sol --detect reentrancy-eth,arbitrary-send-eth

# JSON output (for CI integration)
slither contracts/Vault.sol --json results.json
```
Example Output
```text
INFO:Detectors:
Vault.withdraw() (contracts/Vault.sol#12-18) sends eth to arbitrary user
    Dangerous calls:
    - (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations
Reentrancy in Vault.withdraw() (contracts/Vault.sol#12-18):
    External calls:
    - (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
    State variables written after the call(s):
    - balances[msg.sender] = 0 (contracts/Vault.sol#17)
```
Slither Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast (seconds) |
| Reentrancy detection | ✅ Excellent |
| Access control | ✅ Excellent |
| Oracle manipulation | ⚠️ Limited |
| False positives | Low |
| Learning curve | Low |
Over 60 built-in detectors, with support for writing custom detectors in Python.
Mythril — Symbolic Execution Engine
Developed by ConsenSys and released under MIT, Mythril uses symbolic execution to explore execution paths through your contracts. Unlike static analysis tools that reason about code structure, Mythril reasons about runtime behavior: it constructs symbolic inputs and traces what happens across all reachable state transitions.
Important: Mythril (the open-source tool) is distinct from MythX (the cloud SaaS that ran on top of it). MythX shut down in 2023. Mythril itself remains actively maintained.
Installation and Usage
```bash
pip install mythril

# Analyze a source file
myth analyze contracts/Vault.sol

# Deeper analysis (takes longer)
myth analyze contracts/Vault.sol --execution-timeout 300

# Analyze EVM bytecode directly
myth analyze --bin-runtime 0x608060...
```
Example Output
```text
==== Reentrancy ====
SWC ID: 107
Severity: High
Contract: Vault
Function name: withdraw()
PC address: 148
The contract account state is changed after an external call.
Initial State:
Account: [attacker], balance: 0x1, nonce:0, storage: {}
Transaction Sequence:
Caller: [attacker], calldata: , value: 0x1
...
```
Results map to the SWC (Smart Contract Weakness Classification) taxonomy.
Mythril Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | 🐢 Slow (minutes to tens of minutes) |
| Complex logic detection | ✅ Excellent |
| Bytecode analysis | ✅ Supported |
| False positives | Medium |
| Learning curve | Medium |
Large contracts will hit timeouts with default settings. Increase --execution-timeout for thorough coverage, but plan for the runtime cost.
Semgrep — Pattern Matching
Semgrep is a general-purpose code analysis tool with Solidity support, released under LGPL-2.1. It works by matching code against declarative YAML rules — no dataflow, no execution modeling. What it gives up in depth it makes up for in speed and the ability to encode team-specific patterns that neither Slither nor Mythril can express.
Installation and Usage
```bash
pip install semgrep

# Use the public Solidity ruleset
semgrep --config=p/solidity contracts/

# Specific ruleset
semgrep --config=p/smart-contracts contracts/Vault.sol
```
Custom Rule Example
```yaml
# Custom rule: detect tx.origin used as an authentication check
rules:
  - id: tx-origin-auth
    # pattern-either ORs the two forms; a plain `patterns:` list would AND them and never fire
    pattern-either:
      - pattern: require(tx.origin == $ADDR, ...)
      - pattern: if (tx.origin == $ADDR) { ... }
    message: |
      Using tx.origin for authentication is vulnerable to phishing attacks.
      Use msg.sender instead.
    languages: [solidity]
    severity: WARNING
```
Semgrep Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast |
| Customization | ✅ Excellent |
| Known pattern detection | ✅ Excellent |
| Deep logic analysis | ❌ Not supported |
| Learning curve | Low (basic) / Medium (custom rules) |
Comprehensive Comparison
| Criteria | Slither | Mythril | Semgrep |
|---|---|---|---|
| Methodology | Static dataflow analysis | Symbolic execution | Pattern matching |
| License | AGPL-3.0 | MIT | LGPL-2.1 |
| Speed | Fast | Slow | Fast |
| Reentrancy | ✅ | ✅ | ⚠️ |
| Access control | ✅ | ✅ | ✅ |
| Oracle manipulation | ❌ | ⚠️ | ❌ |
| Custom rules | ⚠️ | ❌ | ✅ |
| CI/CD suitability | ✅ | ⚠️ | ✅ |
Practical Recommendations
Solo developer (indie, fast deployment):
Slither → CI integration → Pre-deployment ContractScan unified scan
Team development (enterprise, multisig management):
Slither + Semgrep (custom rules) → Automated PR checks → Pre-deployment Mythril deep analysis
High-value protocols:
All of the above + External audits (Certik, Trail of Bits, OpenZeppelin Audits)
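To turn the "automated PR checks" step of these pipelines into a single blocking gate, the script below (an added example, not ContractScan's code or any of the three tools' own) reads the JSON each engine emits (`slither --json`, `myth analyze -o json`, `semgrep --json`), maps the three severity vocabularies onto one scale and fails the job when any finding reaches a threshold. The report key layout and the severity mapping are assumptions based on the tools' JSON output, and the sample reports are constructed to mirror the Vault.withdraw() findings shown earlier.

```python
import json
from dataclasses import dataclass
# One severity scale for all engines; the per-tool mappings are this example's policy, not the tools' own.
RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
SLITHER_IMPACT = {"High": "HIGH", "Medium": "MEDIUM", "Low": "LOW", "Informational": "INFO", "Optimization": "INFO"}
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "INFO"}

@dataclass(frozen=True)
class Finding:
    engine: str
    check: str
    severity: str
    location: str

def from_slither(report):
    # `slither ... --json` (assumed layout): results.detectors[] carry check, impact and source-mapped elements
    out = []
    for d in report["results"]["detectors"]:
        sm = d["elements"][0]["source_mapping"]
        loc = f"{sm['filename_relative']}#{sm['lines'][0]}-{sm['lines'][-1]}"
        out.append(Finding("slither", d["check"], SLITHER_IMPACT.get(d["impact"], "INFO"), loc))
    return out

def from_mythril(report):
    # `myth analyze ... -o json` (assumed layout): issues[] carry swc-id, severity, contract and function
    return [Finding("mythril", f"SWC-{i['swc-id']}", i["severity"].upper(), f"{i['contract']}.{i['function']}")
            for i in report["issues"]]

def from_semgrep(report):
    # `semgrep --json` (assumed layout): results[] carry check_id, path, start.line and extra.severity
    return [Finding("semgrep", r["check_id"], SEMGREP_SEVERITY.get(r["extra"]["severity"], "INFO"),
                    f"{r['path']}#{r['start']['line']}") for r in report["results"]]

def gate(slither_json, mythril_json, semgrep_json, threshold="HIGH"):
    """Return (passed, blockers): findings from any engine at or above `threshold` block the job."""
    findings = (from_slither(json.loads(slither_json)) + from_mythril(json.loads(mythril_json))
                + from_semgrep(json.loads(semgrep_json)))
    blockers = [f for f in findings if RANK.get(f.severity, 0) >= RANK[threshold]]
    return not blockers, blockers

# Constructed sample reports in each tool's JSON shape, mirroring the Vault.withdraw() findings above.
SAMPLE_SLITHER = json.dumps({"results": {"detectors": [
    {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium", "elements": [
        {"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": list(range(12, 19))}}]},
    {"check": "naming-convention", "impact": "Informational", "confidence": "High", "elements": [
        {"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [4]}}]}]}})
SAMPLE_MYTHRIL = json.dumps({"issues": [
    {"swc-id": "107", "severity": "High", "contract": "Vault", "function": "withdraw()", "address": 148}]})
SAMPLE_SEMGREP = json.dumps({"results": [{"check_id": "tx-origin-auth", "path": "contracts/Vault.sol",
                                          "start": {"line": 9}, "extra": {"severity": "WARNING"}}]})
```

In CI, call `gate()` with the three report files and exit non-zero when `passed` is false; lowering the threshold to MEDIUM also blocks on the Semgrep WARNING from the custom tx.origin rule.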
Unified Scanning: One Command for All Engines
If managing multiple tools separately is cumbersome, ContractScan wraps five independent engines (Slither, Mythril, Semgrep, Aderyn, and AI) into a single scan.
```bash
# ContractScan CI API — run all five engines simultaneously
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
  -F "file=@contracts/MyContract.sol" \
  -H "X-Api-Key: $CONTRACTSCAN_API_KEY"
```
Or scan directly on the web: https://contract-scanner.raccoonworld.xyz (no signup required)
The AI analysis layer catches business logic issues that static tools miss.
The next post walks through integrating these tools into your CI/CD pipeline — from branch protection rules to automated PR comment generation.
Important Notes
This post is for informational and educational purposes only. It does not constitute financial, legal, or investment advice. The security analysis provided is based on available data and automated tools, which may not capture all potential vulnerabilities. Always conduct a professional audit before deploying smart contracts.