Babysitter mythril-symbolic

Symbolic execution analysis using Mythril for deep vulnerability detection in smart contracts. Supports configurable transaction depth, timeout settings, and proof-of-concept exploit generation.

install

source · Clone the upstream repo

git clone https://github.com/a5c-ai/babysitter

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/cryptography-blockchain/skills/mythril-symbolic" ~/.claude/skills/a5c-ai-babysitter-mythril-symbolic && rm -rf "$T"

manifest: library/specializations/cryptography-blockchain/skills/mythril-symbolic/SKILL.md

Mythril Symbolic Execution Skill

Deep vulnerability detection through symbolic execution using Mythril, a security analysis tool for EVM bytecode.

Capabilities

Symbolic Execution: Configure and run symbolic execution analysis
Transaction Depth Control: Set appropriate depth for complex interactions
Trace Analysis: Interpret symbolic execution traces
Integer Issues: Detect overflow/underflow paths (pre-0.8 Solidity)
State Analysis: Find reentrancy via state change analysis
Assertion Detection: Identify assertion failures and edge cases
PoC Generation: Generate proof-of-concept exploit inputs

Installation

# Install via pip
pip install mythril

# Or use Docker (recommended)
docker pull mythril/myth

# Verify installation
myth version

Basic Usage

Analyze Source Code

# Analyze single file
myth analyze Contract.sol

# Analyze with Solidity version
myth analyze Contract.sol --solv 0.8.20

# Analyze specific contract
myth analyze Contract.sol:MyContract

Analyze Bytecode

# Analyze deployed contract
myth analyze -a 0x<address> --rpc <rpc_url>

# Analyze bytecode file
myth analyze --bin-runtime contract.bin

Configuration Options

Transaction Depth

# Default depth (2)
myth analyze Contract.sol

# Increased depth for complex interactions
myth analyze Contract.sol --execution-timeout 300 -t 3

# Deep analysis (slow)
myth analyze Contract.sol --execution-timeout 600 -t 4

Timeout Settings

# Set execution timeout (seconds)
myth analyze Contract.sol --execution-timeout 300

# Set solver timeout
myth analyze Contract.sol --solver-timeout 10000

# Quick scan
myth analyze Contract.sol --execution-timeout 60 -t 2

Module Selection

# Run specific modules
myth analyze Contract.sol --modules ether_thief,suicide

# Available modules
# - ether_thief
# - suicide
# - integer_overflow/underflow
# - delegatecall
# - arbitrary_write
# - state_change_external_call

Output Formats

Standard Output

myth analyze Contract.sol

JSON Output

myth analyze Contract.sol -o json > report.json

Markdown Output

myth analyze Contract.sol -o markdown > report.md

JSONV2 (Detailed)

myth analyze Contract.sol -o jsonv2 > detailed.json

Vulnerability Detection

Reentrancy Detection

Mythril detects reentrancy by tracking:

External calls
State changes after calls
ETH transfers

==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: Vulnerable
Function name: withdraw()
PC address: 1234
Estimated Gas Usage: 2500 - 10000
Type: Informational
...

Integer Overflow/Underflow

==== Integer Overflow ====
SWC ID: 101
Severity: High
Contract: Token
Function name: transfer(address,uint256)
PC address: 567
Estimated Gas Usage: 3000 - 5000
A possible integer overflow exists in the function...

Unprotected Self-Destruct

==== Unprotected Selfdestruct ====
SWC ID: 106
Severity: High
Contract: Vulnerable
Function name: kill()
Any sender can trigger self-destruction...

Advanced Usage

Concolic Execution

# Use concrete values where possible
myth analyze Contract.sol --strategy dfs --execution-timeout 300

Custom Constraints

# Analyze with constraints file
myth analyze Contract.sol --constraints constraints.json

State Space Pruning

# Limit state explosion
myth analyze Contract.sol --max-depth 30 --call-depth-limit 3

CI/CD Integration

GitHub Actions

name: Mythril Analysis
on: [push]

jobs:
  mythril:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Mythril
        uses: docker://mythril/myth
        with:
          args: analyze /github/workspace/contracts/*.sol --solv 0.8.20

Custom Script

#!/bin/bash
for file in contracts/*.sol; do
    myth analyze "$file" --solv 0.8.20 -o json > "reports/$(basename $file .sol).json"
done

Interpreting Results

Severity Levels

Level	Description	Action
High	Critical vulnerability	Fix immediately
Medium	Potential issue	Investigate
Low	Minor concern	Consider fixing
Informational	Code quality	Optional fix

SWC Registry

SWC ID	Name	Description
SWC-101	Integer Overflow	Arithmetic overflow
SWC-104	Unchecked Return	Ignored return values
SWC-106	Unprotected Destruct	Accessible selfdestruct
SWC-107	Reentrancy	State change after call
SWC-110	Assert Violation	Reachable assertion
SWC-116	Timestamp Dependence	Block timestamp usage

Process Integration

Process	Purpose
`smart-contract-security-audit.js`	Deep vulnerability analysis
`smart-contract-fuzzing.js`	Complement to fuzzing
`invariant-testing.js`	Property verification

Comparison with Other Tools

Tool	Technique	Speed	Depth
Mythril	Symbolic Execution	Slow	Deep
Slither	Static Analysis	Fast	Surface
Echidna	Fuzzing	Medium	Medium
Certora	Formal Verification	Slow	Deepest

Best Practices

Start with quick scans, increase depth as needed
Use Docker for consistent environment
Run on CI for automated security checks
Combine with static analysis (Slither)
Verify findings manually before reporting
Use appropriate Solidity version flag

Troubleshooting

Out of Memory

# Increase timeout, reduce depth
myth analyze Contract.sol --execution-timeout 600 -t 2

Solver Timeout

# Increase solver timeout
myth analyze Contract.sol --solver-timeout 30000

Compilation Errors

# Specify Solidity version
myth analyze Contract.sol --solv 0.8.20

# Use specific compiler
myth analyze Contract.sol --solc-json solc.json