
Combinatorial Methods for Trust and Assurance

Magic mirror vulnerability testing tool

MagicMirror is a white-box fuzzing tool written mainly in Python 3 for Solidity Smart Contracts. It supports the detection of 9 popular security vulnerabilities. It is easy to use and provides various informative reports as output. MagicMirror is fast and can generally achieve high code coverage on many contracts. MagicMirror utilizes techniques that include constraint solving, random test generation, random state exploration, coverage and data dependency guided fuzzing, and combinatorial testing. 


MagicMirror runs on both Linux and Windows with minimal dependency requirements, and is also available as a Docker image that works in any environment where Docker is supported.


  • Detects 9 security vulnerabilities, e.g., reentrancy, exception disorder, and dangerous delegate call.

  • Achieves high code coverage on most contracts.

  • Fast transaction execution via production Geth EVM.

  • Supports contracts written with Solidity >= 0.4.0.

  • Multiplatform support: released as a Docker image, a Windows executable, and a Linux executable.

  • Automatic solc compiler version detection and switching. Users do not need to manually install and switch solc compilers. 

  • Geth EVM included and fully configured with a custom wrapper. Users do not need to configure EVM on their own. 

  • Informative coverage reports, detailed test cases for reproducing every detected vulnerability. 


Rick Kuhn

Raghu Kacker

M S Raunak


Security and Privacy: assurance, modeling, testing & validation

Technologies: software & firmware

Created May 24, 2016, Updated July 22, 2024