Solidity Security Standards

Language Rule

Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Private Key Protection

Store private keys in
```
.env
```
, load via
```
source .env
```
— never pass keys as CLI arguments
Never expose private keys in logs, screenshots, conversations, or commits
Provide
```
.env.example
```
with placeholder values for team reference
Add
```
.env
```
to
```
.gitignore
```
— verify with
```
git status
```
before every commit

Security Decision Rules

When writing or reviewing Solidity code, apply these rules:

Situation	Required Action
External ETH/token transfer	Use `ReentrancyGuard` + Checks-Effects-Interactions (CEI) pattern
ERC20 token interaction	Use `SafeERC20` — call `safeTransfer` / `safeTransferFrom` , never raw `transfer` / `transferFrom`
Owner-only function	Inherit `Ownable2Step` (preferred) or `Ownable` from OZ 4.9.x — `Ownable2Step` prevents accidental owner loss
Multi-role access	Use `AccessControl` from `@openzeppelin/contracts/access/AccessControl.sol`
Token approval	Use `safeIncreaseAllowance` / `safeDecreaseAllowance` from `SafeERC20` — never raw `approve`
Price data needed	Use Chainlink `AggregatorV3Interface` if feed exists; otherwise TWAP with min-liquidity check — never use spot pool price directly
Upgradeable contract	Prefer UUPS ( `UUPSUpgradeable` ) over TransparentProxy; always use `Initializable`
Solidity version < 0.8.0	Must use `SafeMath` — but strongly prefer upgrading to 0.8.20+
Emergency scenario	Inherit `Pausable` , add `whenNotPaused` to user-facing functions; keep admin/emergency functions unpaused
Whitelist / airdrop	Use `MerkleProof` for gas-efficient verification — never store full address lists on-chain
Signature-based auth	Use `ECDSA` + `EIP712` — never roll custom signature verification
Signature content	Signature must bind `chainId` + `nonce` + `msg.sender` + `deadline` — prevent replay and cross-chain reuse
Cross-chain bridge / third-party dependency	Audit all inherited third-party contract code — never assume dependencies are safe
Deprecated / legacy contracts	Permanently `pause` or `selfdestruct` deprecated contracts — never leave unused contracts callable on-chain
UUPS upgrade pattern	`_authorizeUpgrade` must have `onlyOwner` ; implementation constructor calls `_disableInitializers()` ; retain `onlyProxy` on `upgradeTo` — EVMbench/basin H-01
Multi-contract trust boundary	Router/Registry relay calls must verify source contract authorization; never trust caller identity inside flash loan callbacks — EVMbench/noya H-08
Counter/ID + external call	All counter increments and ID assignments must complete before external calls; ETH refunds must be last — EVMbench/phi H-06

Reentrancy Protection

All contracts with external calls: inherit

ReentrancyGuard

, add

nonReentrant

modifier

Import:

@openzeppelin/contracts/security/ReentrancyGuard.sol

(OZ 4.9.x)

Always apply CEI pattern even with
```
ReentrancyGuard
```
:
1. Checks — validate all conditions (
```
require
```
  )
2. Effects — update state variables
3. Interactions — external calls last

Input Validation

Reject
```
address(0)
```
for all address parameters
Reject zero amounts for fund transfers
Validate array lengths match when processing paired arrays
Bound numeric inputs to reasonable ranges (prevent dust attacks, gas griefing)

Gas Control

Deployment commands must include
```
--gas-limit
```
(recommended >= 3,000,000)
Monitor gas with
```
forge test --gas-report
```
— review before every PR

Configure optimizer in

foundry.toml

optimizer = true

optimizer_runs = 200

Avoid unbounded loops over dynamic arrays — use pagination or pull patterns

Pre-Audit Checklist

Before submitting code for review or audit, verify:

Access & Control:

All external/public functions have
```
nonReentrant
```
where applicable
No
```
tx.origin
```
used for authentication (use
```
msg.sender
```
)
No
```
delegatecall
```
to untrusted addresses
Owner transfer uses
```
Ownable2Step
```
(not
```
Ownable
```
) to prevent accidental loss
Contracts with user-facing functions inherit
```
Pausable
```
with
```
pause()
```
/
```
unpause()
```
UUPS
```
_authorizeUpgrade
```
has
```
onlyOwner
```
modifier — EVMbench/basin H-01
Implementation constructor calls
```
_disableInitializers()
```
— EVMbench/basin H-01
Router/Registry relay operations verify source contract authorization — EVMbench/noya H-08

Token & Fund Safety:

All ERC20 interactions use
```
SafeERC20
```
(
```
safeTransfer
```
/
```
safeTransferFrom
```
)

No raw

token.transfer()

require(token.transfer())

patterns

Token approvals use
```
safeIncreaseAllowance
```
, not raw
```
approve
```
All
```
external call
```
return values checked

Code Quality:

Events emitted for every state change
No hardcoded addresses — use config or constructor params
```
.env
```
is in
```
.gitignore
```

Oracle & Price (if applicable):

Price data sourced from Chainlink feed or TWAP — never raw spot price
Oracle has minimum liquidity check — revert if pool reserves too low
Price deviation circuit breaker in place

Testing:

```
forge test
```
passes with zero failures
```
forge coverage
```
shows adequate coverage on security-critical paths
Fuzz tests cover arithmetic edge cases (zero, max uint, boundary values)

Security Verification Commands

bash

# Run all tests with gas report
forge test --gas-report

# Fuzz testing with higher runs for critical functions
forge test --fuzz-runs 10000

# Check test coverage
forge coverage

# Dry-run deployment to verify no runtime errors
forge script script/Deploy.s.sol --fork-url $RPC_URL -vvvv

# Static analysis (if slither installed locally)
slither src/

Slither MCP Integration (if available)

When

slither

MCP is configured, prefer it over the CLI for structured analysis:

Approach	When to Use
`slither src/` (CLI)	Quick local scan, raw terminal output
slither MCP `get_detector_results`	Structured results with impact/confidence filtering, AI can parse and reason about findings
slither MCP `get_contract_metadata`	Understanding contract structure before reviewing code
slither MCP `get_function_source`	Locating exact function implementations faster than grep

Recommended: Use slither MCP when working with AI agents (results are structured and actionable). Use CLI for quick local checks during development.

Graceful degradation: If neither slither MCP nor slither CLI is available, rely on the Pre-Audit Checklist above and

forge test --fuzz-runs 10000

for coverage.

solidity-security

NPX Install

Tags

SKILL.md Content