near-contract-audit
NEAR Contract Audit
Security audit skill for NEAR smart contracts in Rust.
Audit Workflow
Phase 1: Automated Analysis
Run your preferred Rust static analysis and NEAR-focused security tools on the contract to:
- Scan for common vulnerability patterns (reentrancy, unsafe math, unhandled promises, access control issues, etc.)
- Highlight potentially risky patterns for deeper manual review
Phase 2: Manual Review
After automated analysis, perform manual review for:
- Business logic vulnerabilities
- Access control patterns
- Economic attack vectors
- Cross-contract interaction safety
Phase 3: Code-Specific Analysis
For each finding, verify:
- Is it a true positive?
- What is the exploitability?
- What is the recommended fix?
Phase 4: Report Generation
Document findings with severity, location, description, and remediation.
Vulnerability Quick Reference
| Severity | Detector ID | Description |
|---|---|---|
| High | | Callback missing |
| High | | State change after cross-contract call |
| High | | Using native integer types in JSON interfaces |
| High | | Collection modifications not persisted |
| High | | Missing caller/owner verification |
| High | | Missing (on sensitive functions) |
| High | | Same storage prefix for different collections |
| High | | Missing initialization method |
| Medium | | Unbounded loops causing DoS |
| Medium | | Predictable randomness from block data |
| Medium | | Insufficient gas reserved for callbacks |
| Low | | Missing storage deposit verification |
| Low | | Arithmetic without overflow checks |
| Low | | Using floating point types for financial math |
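Two of the rows above, "Using native integer types in JSON interfaces" and "Arithmetic without overflow checks", are easy to see in isolation. The block below is an added example written for this page, not code from the near-contract-audit skill or its reference files; it uses only the Rust standard library and models what a JSON client does with a bare number (parse to an IEEE-754 double) versus a decimal string, which is why near-sdk exposes balances through string-serialized wrappers such as `near_sdk::json_types::U128` rather than raw `u128`. The `ONE_NEAR` constant and the function names are this example's own.

```rust
// Added example (not from the original page): why u128 balances must cross
// JSON interfaces as strings, and why arithmetic needs explicit overflow checks.
// Standard library only; `near_sdk::json_types::U128` is the real-world type
// that the string path below stands in for.

/// 1 NEAR in yoctoNEAR (10^24), the unit most balance fields use.
/// Constructed for this example.
pub const ONE_NEAR: u128 = 1_000_000_000_000_000_000_000_000;

/// Simulates a JavaScript client handling a JSON number: the value becomes an
/// f64 (53 bits of mantissa) and is then sent back. Above 2^53 it is rounded.
pub fn roundtrip_as_json_number(v: u128) -> u128 {
    let as_double = v as f64;
    as_double as u128
}

/// Simulates the string path: the value is emitted as a decimal string and
/// parsed back with full 128-bit precision.
pub fn roundtrip_as_json_string(v: u128) -> Result<u128, std::num::ParseIntError> {
    v.to_string().parse::<u128>()
}

/// True if the value survives a JSON-number roundtrip unchanged.
pub fn survives_json_number(v: u128) -> bool {
    roundtrip_as_json_number(v) == v
}

/// Vulnerable shape: in a release build without `overflow-checks = true`,
/// a plain `a + b` on u128 silently wraps. `wrapping_add` makes that explicit.
pub fn add_unchecked(a: u128, b: u128) -> u128 {
    a.wrapping_add(b)
}

/// Hardened shape: checked arithmetic surfaces overflow as `None`, which a
/// contract method would turn into a panic and therefore a reverted call.
pub fn add_checked(a: u128, b: u128) -> Option<u128> {
    a.checked_add(b)
}

fn main() {
    println!("2^53      survives JSON number: {}", survives_json_number(1u128 << 53));
    println!("2^53 + 1  survives JSON number: {}", survives_json_number((1u128 << 53) + 1));
    println!("1 NEAR    survives JSON number: {}", survives_json_number(ONE_NEAR));
    println!("1 NEAR    via string: {:?}", roundtrip_as_json_string(ONE_NEAR));
    println!("u128::MAX + 1 unchecked: {}", add_unchecked(u128::MAX, 1));
    println!("u128::MAX + 1 checked:   {:?}", add_checked(u128::MAX, 1));
}
```

The audit relevance: a view method returning `u128` compiles and works against a Rust client, so the defect only shows up once a browser wallet or indexer reads the value. Checking that every JSON-facing balance field is a string wrapper, and that `Cargo.toml` enables `overflow-checks` or the code uses `checked_*`, is a quick first pass before manual review.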
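The "Callback missing", "State change after cross-contract call" and "Missing caller/owner verification" rows describe one failure pattern: a contract debits a balance, schedules an asynchronous transfer, and either never learns whether the transfer succeeded or lets anyone call the callback that refunds it. The block below is an added example, not code from the near-contract-audit skill; it models that pattern with the standard library only. The `Call` struct stands in for `env::predecessor_account_id()` / `env::current_account_id()`, and the caller simulates the promise outcome by passing `transfer_ok`; both are assumptions of this example. The `predecessor == current` check in `on_withdraw` is what near-sdk's `#[private]` attribute performs.

```rust
// Added example (not from the original page): a std-only model of a
// withdraw/callback pair. The real contract would use near_sdk Promises and
// #[private]; here the runtime is replaced by a `Call` struct (assumption).
use std::collections::HashMap;

/// Stand-in for the NEAR execution context of one method call.
#[derive(Clone, Debug, PartialEq)]
pub struct Call {
    pub predecessor: String, // account that invoked this method
    pub current: String,     // the contract's own account id
}

#[derive(Default)]
pub struct Vault {
    balances: HashMap<String, u128>,
}

impl Vault {
    pub fn deposit(&mut self, call: &Call, amount: u128) {
        *self.balances.entry(call.predecessor.clone()).or_insert(0) += amount;
    }

    pub fn balance_of(&self, account: &str) -> u128 {
        *self.balances.get(account).unwrap_or(&0)
    }

    /// Vulnerable shape: the balance is reduced, the transfer is scheduled,
    /// and no callback exists. If the transfer promise fails, the user has
    /// lost `amount` for good. Returns the amount the promise would carry.
    pub fn withdraw_vulnerable(&mut self, call: &Call, amount: u128) -> Result<u128, &'static str> {
        let bal = self.balance_of(&call.predecessor);
        if bal < amount {
            return Err("insufficient balance");
        }
        self.balances.insert(call.predecessor.clone(), bal - amount);
        Ok(amount) // Promise::new(receiver).transfer(amount) with no .then(...)
    }

    /// Hardened shape, step 1: debit first (so a second withdraw in the same
    /// block cannot double-spend), then schedule the transfer with a callback
    /// that carries the account and amount needed for a refund.
    pub fn withdraw(&mut self, call: &Call, amount: u128) -> Result<(String, u128), &'static str> {
        let bal = self.balance_of(&call.predecessor);
        if bal < amount {
            return Err("insufficient balance");
        }
        self.balances.insert(call.predecessor.clone(), bal - amount);
        // .then(Self::ext(current).on_withdraw(account, amount)) in near-sdk
        Ok((call.predecessor.clone(), amount))
    }

    /// Hardened shape, step 2: the callback. The first check is what
    /// `#[private]` enforces: only the contract itself may call it. Without
    /// it, any account could invoke on_withdraw(..., false) and be credited.
    /// On a failed transfer the earlier debit is rolled back.
    pub fn on_withdraw(
        &mut self,
        call: &Call,
        account: String,
        amount: u128,
        transfer_ok: bool,
    ) -> Result<bool, &'static str> {
        if call.predecessor != call.current {
            return Err("method is private");
        }
        if !transfer_ok {
            let bal = self.balance_of(&account);
            self.balances
                .insert(account, bal.checked_add(amount).ok_or("overflow")?);
        }
        Ok(transfer_ok)
    }
}

fn main() {
    let alice = Call { predecessor: "alice.near".into(), current: "vault.near".into() };
    let self_call = Call { predecessor: "vault.near".into(), current: "vault.near".into() };
    let mut v = Vault::default();
    v.deposit(&alice, 100);
    let (acct, amt) = v.withdraw(&alice, 50).unwrap();
    println!("after debit: {}", v.balance_of("alice.near"));
    println!("refund via callback: {:?}", v.on_withdraw(&self_call, acct.clone(), amt, false));
    println!("after refund: {}", v.balance_of("alice.near"));
    println!("outside caller: {:?}", v.on_withdraw(&alice, acct, amt, false));
}
```

When reviewing a real contract, map each `Promise` to its `.then(...)` callback, confirm the callback reads `env::promise_result` (or `#[callback_result]`) before touching state, and confirm it is marked `#[private]`; the model above is the shape those three checks are looking for.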
Reference Files
For detailed vulnerability documentation with code examples:
- high-severity.md - Critical vulnerabilities (8 detectors)
- medium-severity.md - Medium vulnerabilities (4 detectors)
- low-severity.md - Low severity findings (3 detectors)