Why You Need Multiple Tools
Each tool uses a fundamentally different methodology:
- Slither: Source code static analysis — fast with low false positives
- Mythril: Symbolic execution — deep analysis, slower but finds complex vulnerabilities
- Semgrep: Pattern matching — highly customizable, ideal for CI/CD
No single tool catches every vulnerability. Even The DAO hack was missed by the tools available at the time.
Slither — The Static Analysis Standard
Developed by Trail of Bits, Slither is the de facto standard for Solidity security analysis.
Installation and Usage
```bash
pip install slither-analyzer

# Scan a single file
slither contracts/Vault.sol

# Run specific detectors only
slither contracts/Vault.sol --detect reentrancy-eth,unprotected-ether-withdrawal

# JSON output (for CI integration)
slither contracts/Vault.sol --json results.json
```
Example Output
```text
INFO:Detectors:
Vault.withdraw() (contracts/Vault.sol#12-18) sends eth to arbitrary user
	Dangerous calls:
	- (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations

Reentrancy in Vault.withdraw() (contracts/Vault.sol#12-18):
	External calls:
	- (success,None) = msg.sender.call{value: amount}() (contracts/Vault.sol#15)
	State variables written after the call(s):
	- balances[msg.sender] = 0 (contracts/Vault.sol#17)
```
The first finding comes from the `arbitrary-send-eth` detector (the reference link now points at its wiki entry; `#suicidal` is a different detector, for unprotected `selfdestruct`). The second is the classic checks-effects-interactions violation: the balance is zeroed only after the external call, so a malicious receiver can re-enter `withdraw()` before line 17 runs.
Slither Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast (seconds) |
| Reentrancy detection | ✅ Excellent |
| Access control | ✅ Excellent |
| Oracle manipulation | ⚠️ Limited |
| False positives | Low |
| Learning curve | Low |
Over 60 built-in detectors, with support for writing custom detectors.
Mythril — Symbolic Execution Engine
Developed by ConsenSys, Mythril uses symbolic execution to explore all possible execution paths. (Note: MythX ≠ Mythril. MythX was a cloud service that included Mythril but shut down on 2026-03-31. Mythril itself remains open-source and fully usable.)
Installation and Usage
```bash
pip install mythril

# Analyze a source file
myth analyze contracts/Vault.sol

# Deeper analysis (takes longer)
myth analyze contracts/Vault.sol --execution-timeout 300

# Analyze EVM bytecode directly
myth analyze --bin-runtime 0x608060...
```
Example Output
```text
==== Reentrancy ====
SWC ID: 107
Severity: High
Contract: Vault
Function name: withdraw()
PC address: 148
The contract account state is changed after an external call.

Initial State:
Account: [attacker], balance: 0x1, nonce:0, storage: {}

Transaction Sequence:
Caller: [attacker], calldata: , value: 0x1
...
```
Results are categorized according to the SWC (Smart Contract Weakness Classification) standard.
Mythril Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | 🐢 Slow (minutes to tens of minutes) |
| Complex logic detection | ✅ Excellent |
| Bytecode analysis | ✅ Supported |
| False positives | Medium |
| Learning curve | Medium |
Large contracts may hit timeouts. However, Mythril excels at finding vulnerabilities involving complex state transitions.
Semgrep — Pattern Matching and Customization
Semgrep is a general-purpose code security tool that supports Solidity rulesets. It is especially useful for defining team-specific vulnerability patterns.
Installation and Usage
```bash
pip install semgrep

# Use the public Solidity ruleset
semgrep --config=p/solidity contracts/

# Specific ruleset
semgrep --config=p/smart-contracts contracts/Vault.sol
```
Custom Rule Example
```yaml
# Custom rule: detect tx.origin used as an authentication check
rules:
  - id: tx-origin-auth
    # `patterns:` ANDs its entries, which would require both shapes at the same
    # location and never fire; `pattern-either` ORs them, which is what we want.
    # `$ADDR` is a metavariable that binds whatever address is compared against.
    pattern-either:
      - pattern: require(tx.origin == $ADDR, ...)
      - pattern: if (tx.origin == $ADDR) { ... }
    message: |
      Using tx.origin for authentication is vulnerable to phishing attacks.
      Use msg.sender instead.
    languages: [solidity]
    severity: WARNING
```
Semgrep Strengths / Weaknesses
| Criteria | Rating |
|---|---|
| Speed | ⚡ Fast |
| Customization | ✅ Excellent |
| Known pattern detection | ✅ Excellent |
| Deep logic analysis | ❌ Not supported |
| Learning curve | Low (basic) / Medium (custom rules) |
Comprehensive Comparison
| Criteria | Slither | Mythril | Semgrep |
|---|---|---|---|
| Methodology | Static analysis | Symbolic execution | Pattern matching |
| Speed | Fast | Slow | Fast |
| Reentrancy | ✅ | ✅ | ⚠️ |
| Access control | ✅ | ✅ | ✅ |
| Oracle manipulation | ❌ | ⚠️ | ❌ |
| Custom rules | ⚠️ | ❌ | ✅ |
| CI/CD suitability | ✅ | ⚠️ | ✅ |
| MythX replacement | Partial | ✅ | Partial |
Practical Recommendations
Solo developer (indie, fast deployment):
Slither → CI integration → Pre-deployment ContractScan unified scan
Team development (enterprise, multisig management):
Slither + Semgrep (custom rules) → Automated PR checks → Pre-deployment Mythril deep analysis
High-value protocols:
All of the above + External audits (Certik, Trail of Bits, OpenZeppelin Audits)
Unified Scanning: One Command for All Engines
If installing and managing multiple tools separately seems cumbersome, ContractScan wraps five independent engines (Slither, Mythril, Semgrep, Aderyn, and Foundry Fuzz) into a single scan.
```bash
# ContractScan CI API — run all five engines simultaneously
curl -X POST https://contract-scanner.raccoonworld.xyz/ci/scan \
  -F "file=@contracts/MyContract.sol" \
  -H "X-Api-Key: $CONTRACTSCAN_API_KEY"
```
Or scan directly on the web: https://contract-scanner.raccoonworld.xyz (no signup required)
The AI analysis layer catches business logic issues that static tools miss.
In the next post, we walk through integrating these tools into GitHub Actions step by step — from branch protection rules to automated PR comment generation, covering the complete workflow.