solidity-auditor

Solidity Smart Contract Auditor

A professional-grade smart contract audit skill covering security vulnerabilities, gas optimization, storage patterns, and code architecture. Adapted to Solidity version specifics.

Audit Types

Determine the audit type based on the user's request:

| User Request | Audit Type | Primary Reference |
| --- | --- | --- |
| "Full audit", "comprehensive review" | Full Audit | All references |
| "Security audit", "vulnerability scan" | Security Focused | references/security-checklist.md |
| "Gas optimization", "reduce gas costs" | Gas Optimization | references/gas-optimization.md |
| "Storage optimization", "storage patterns" | Storage Optimization | references/storage-optimization.md |
| "Code review", "architecture review" | Architecture Review | references/architecture-review.md |
| "DeFi audit", "protocol review" | DeFi Protocol | Security + Architecture references |

Core Audit Workflow

Phase 1: Preparation

  1. Identify Solidity Version: Check the pragma statement. Read references/version-specific.md for version-specific considerations:
    • Pre-0.8.0: Check for SafeMath usage, arithmetic vulnerabilities
    • 0.8.0+: Review unchecked blocks, check custom errors usage
  2. Understand Scope:
    • List all contracts, interfaces, libraries
    • Identify external dependencies (OpenZeppelin, etc.)
    • Note inheritance hierarchy
    • Document entry points (external/public functions)
  3. Gather Context: Ask if not provided:
    • Protocol purpose and intended behavior
    • Deployment chain(s)
    • Expected user flows
    • Admin roles and privileges

Phase 2: Static Analysis

  1. Work through the patterns from the security checklist as a manual pass over the code:
    • Access control patterns
    • State-changing operations flow (checks-effects-interactions)
    • External call patterns
    • Arithmetic operations (especially in unchecked blocks)
  2. Map the attack surface:
    • External/public functions
    • Functions handling ETH/tokens
    • Functions with access control
    • Upgrade mechanisms
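As an added example (not part of the skill or its reference files), a small Python helper that mechanises two of the steps above: it reads the pragma to pick the pre-0.8.0 / 0.8.0+ review items from Phase 1, and scans each function body for a state write that follows an external call, the checks-effects-interactions pattern from Phase 2. The Vault contract, the function names and the regex heuristics are constructed assumptions; it is a triage aid that narrows where to read first, not a substitute for reading the code.

```python
import re
# Constructed sample contract (not from the page): a pre-0.8 vault that writes state after its external call.
SAMPLE = """pragma solidity ^0.7.6;
contract Vault {
    mapping(address => uint256) public balances;
    function withdraw() external {
        (bool ok, ) = msg.sender.call{value: balances[msg.sender]}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }
}
"""

def pragma_version(source):
    """Phase 1: (major, minor) from the pragma, ignoring ^ / >= range operators."""
    m = re.search(r"pragma\s+solidity\s+[^;]*?(\d+)\.(\d+)", source)
    return (int(m.group(1)), int(m.group(2))) if m else None
def version_notes(source):
    """Phase 1: version-specific review items, following the pre-0.8.0 / 0.8.0+ split above."""
    v = pragma_version(source)
    if v is None:
        return ["no pragma: confirm the compiler version before reviewing arithmetic"]
    if v < (0, 8):
        return ["pre-0.8.0: arithmetic wraps silently, verify SafeMath on every path"] + \
               (["SafeMath is never referenced"] if "SafeMath" not in source else [])
    return [f"0.8.0+: {source.count('unchecked')} unchecked block(s) need justification",
            "0.8.0+: check whether custom errors replace revert strings"]
def state_vars(source):
    """Contract-scope variable names (mappings and simple types); locals with initialisers do not match."""
    return set(re.findall(r"^\s*(?:mapping\([^;]*\)|uint\d*|int\d*|address|bool|bytes\d*)"
                          r"\s+(?:public |private |internal )?(\w+)\s*;", source, re.M))
def function_bodies(source):
    """Yield (name, body_lines) per implemented function; brace counting finds the closing brace."""
    for m in re.finditer(r"function\s+(\w+)[^{;]*\{", source):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1].splitlines()
def cei_violations(source):
    """Phase 2: functions that write a state variable after an external call (checks-effects-interactions)."""
    names, hits = state_vars(source), []
    for name, lines in function_bodies(source):
        after_call = False
        for line in lines:
            after_call |= bool(re.search(r"\.(call\{value:|transfer\(|send\()", line))
            w = re.match(r"\s*(\w+)(\[[^=]*\])?\s*[+-]?=[^=]", line)
            if after_call and w and w.group(1) in names:  # heuristic: state write after the call
                hits.append(name)
                break
    return hits
```

Running `cei_violations(SAMPLE)` names `withdraw`; moving the `balances[msg.sender] = 0;` line above the call clears the finding, which is exactly the fix an audit report would recommend.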

Phase 3: Vulnerability Assessment

Read references/security-checklist.md and evaluate each category:
Critical Priority (check first):
  1. Access Control Vulnerabilities (OWASP SC-01) - $953M+ in losses
  2. Logic Errors (OWASP SC-02) - $64M+ in losses
  3. Reentrancy (OWASP SC-03) - $36M+ in losses
High Priority:
  4. Flash Loan Attack Vectors (OWASP SC-04)
  5. Input Validation (OWASP SC-05)
  6. Oracle Manipulation (OWASP SC-06)
  7. Unchecked External Calls (OWASP SC-07)
Medium Priority:
  8. Integer Overflow/Underflow (version-dependent)
  9. Denial of Service vectors
  10. Front-running vulnerabilities

Phase 4: Optimization Analysis (if requested)

For gas optimization: Read references/gas-optimization.md
For storage optimization: Read references/storage-optimization.md

Phase 5: Report Generation

Use the template in references/report-template.md to structure findings.

Severity Classification

| Severity | Criteria | Action |
| --- | --- | --- |
| Critical | Direct fund loss possible, no user interaction needed | Immediate fix required, do not deploy |
| High | Fund loss possible under specific conditions, significant impact | Must fix before deployment |
| Medium | Limited impact, unlikely exploitation, or governance issue | Should fix, assess risk |
| Low | Minor issue, best practice violation | Recommended fix |
| Informational | Code quality, gas optimization, suggestions | Optional improvement |

Quick Reference: Top Attack Vectors (2024-2025)

From OWASP Smart Contract Top 10 (2025) with real losses:
  1. Access Control ($953.2M): Missing/incorrect modifiers, exposed admin functions
  2. Logic Errors ($63.8M): Flawed business logic, incorrect calculations
  3. Reentrancy ($35.7M): State updates after external calls
  4. Flash Loans ($33.8M): Price manipulation, governance attacks
  5. Input Validation ($14.6M): Missing bounds checks, unchecked parameters
  6. Oracle Manipulation ($8.8M): TWAP manipulation, stale prices

Output Guidelines

Always provide:
  1. Clear finding title with severity
  2. Location: Contract name, function, line numbers
  3. Description: What the issue is
  4. Impact: Potential consequences
  5. Proof of Concept: How it could be exploited (when applicable)
  6. Recommendation: Specific fix with code example
Format recommendations as actionable code changes when possible.

Reference Files

Load these as needed based on audit type:
  • references/security-checklist.md - Complete vulnerability checklist with detection patterns
  • references/gas-optimization.md - Gas optimization techniques and patterns
  • references/storage-optimization.md - Storage layout and optimization
  • references/architecture-review.md - Code architecture best practices
  • references/version-specific.md - Solidity version considerations
  • references/report-template.md - Professional audit report template