Secure Workflow Guide
Purpose
Guides you through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development.
Use this: On every check-in, before deployment, or when you want a security review
The 5-Step Workflow
Covers a security workflow including:
Step 1: Check for Known Security Issues
Run Slither with 70+ built-in detectors to find common vulnerabilities:
- Parse findings by severity
- Explain each issue with file references
- Recommend fixes
- Help triage false positives
Goal: Clean Slither report or documented triages
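The parsing and triage work in this step can be automated over Slither's JSON output. The block below is an added example, not Trail of Bits' code: it reads a report in the layout `slither . --json report.json` produces (`results.detectors[]`, each with `check`, `impact`, `confidence`, `description` and `elements[].source_mapping`), drops findings that have a documented triage, groups the rest by severity with `file:line` references, and answers the "clean report or documented triages" question. The report and the triage entry are constructed for the example; a real run reads both from disk.

```python
"""Added example (not Trail of Bits' code): parse a Slither JSON report by
severity, apply documented triages, and print file:line references."""
import json
from collections import defaultdict

# Constructed sample in Slither's JSON shape; a real run loads report.json instead.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256)",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [42, 43, 44]}}]},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter _amount is not in mixedCase",
         "elements": [{"type": "variable", "name": "_amount",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [40]}}]},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.isOpen() uses block.timestamp",
         "elements": [{"type": "function", "name": "isOpen",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [20]}}]},
    ]},
})

# Documented triages (constructed): findings reviewed and accepted as false positives,
# keyed by (check, file, first line) and kept next to the reason they were accepted.
TRIAGES = {
    ("timestamp", "contracts/Vault.sol", 20): "15-minute tolerance is acceptable for isOpen()",
}

# Slither's impact levels, most severe first.
SEVERITY_ORDER = ["High", "Medium", "Low", "Informational", "Optimization"]


def _source_mapping(det):
    """First element's source mapping, or None when a detector reports no element."""
    elements = det.get("elements") or []
    return elements[0]["source_mapping"] if elements else None


def finding_key(det):
    """Stable key used to match a finding against the triage file."""
    sm = _source_mapping(det)
    if sm is None:
        return (det["check"], "", 0)
    return (det["check"], sm["filename_relative"], min(sm["lines"]))


def location(det):
    """file:line or file:first-last reference for the report."""
    sm = _source_mapping(det)
    if sm is None:
        return "<no source mapping>"
    lo, hi = min(sm["lines"]), max(sm["lines"])
    return f"{sm['filename_relative']}:{lo}" + (f"-{hi}" if hi != lo else "")


def triage_report(report_json, triages):
    """Return (open_by_severity, triaged). open_by_severity maps impact ->
    [(check, location, description)] in severity order; triaged lists
    (key, reason) for findings suppressed by a documented triage."""
    report = json.loads(report_json)
    if not report.get("success"):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    open_findings = defaultdict(list)
    triaged = []
    for det in report["results"]["detectors"]:
        key = finding_key(det)
        if key in triages:
            triaged.append((key, triages[key]))
            continue
        open_findings[det["impact"]].append((det["check"], location(det), det["description"]))
    ordered = {sev: open_findings[sev] for sev in SEVERITY_ORDER if open_findings[sev]}
    return ordered, triaged


def is_clean(open_by_severity, min_severity="Medium"):
    """Step 1 goal check: no open finding at or above min_severity."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    return not any(sev in open_by_severity for sev in SEVERITY_ORDER[: cutoff + 1])


if __name__ == "__main__":
    ordered, triaged = triage_report(SAMPLE_REPORT, TRIAGES)
    for sev, items in ordered.items():
        print(f"== {sev} ({len(items)})")
        for check, loc, desc in items:
            print(f"  [{check}] {loc}: {desc}")
    for key, reason in triaged:
        print(f"triaged {key[0]} at {key[1]}:{key[2]}: {reason}")
    print("clean:", is_clean(ordered))
```

The triage key deliberately includes the check name and the first source line, so a triage stops applying when the code moves or a different detector fires at the same place; a stale triage then resurfaces as an open finding rather than silently hiding a new issue.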
Step 2: Check Special Features
Detect and validate applicable features:
- Upgradeability: slither-check-upgradeability (17 upgrade risks)
- ERC conformance: slither-check-erc (6 common specs)
- Token integration: Recommend token-integration-analyzer skill
- Security properties: slither-prop for ERC20
Note: Only runs checks that apply to your codebase
Step 3: Visual Security Inspection
Generate 3 security diagrams:
- Inheritance graph: Identify shadowing and C3 linearization issues
- Function summary: Show visibility and access controls
- Variables and authorization: Map who can write to state variables
Review each diagram for security concerns
Step 4: Document Security Properties
Help document critical security properties:
- State machine transitions and invariants
- Access control requirements
- Arithmetic constraints and precision
- External interaction safety
- Standards conformance
Then set up testing:
- Echidna: Property-based fuzzing with invariants
- Manticore: Formal verification with symbolic execution
- Custom Slither checks: Project-specific business logic
Note: Most important activity for security
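Documenting a property only pays off once it is executable. As an added example (not Trail of Bits' or Echidna's code), the block below writes the Step 4 properties for a small sale contract as invariants over a Python model of its state machine and drives them with random call sequences, the same shape the properties take when they are later ported to Echidna. The contract model, its states and the "missing onlyOwner" bug switch are constructed for the example; the point is that each documented property becomes a function that either holds after every call or names the call that broke it.

```python
"""Added example (not Trail of Bits' or Echidna's code): Step 4 security
properties as executable invariants over a constructed contract model."""
import random

# Documented state machine: which transitions are allowed from each state.
OPEN, CLOSED, FINALIZED = "Open", "Closed", "Finalized"
TRANSITIONS = {OPEN: {CLOSED}, CLOSED: {FINALIZED}, FINALIZED: set()}


class RevertError(Exception):
    """Models a Solidity revert."""


class Sale:
    """Constructed model of a sale contract. enforce_access=False models the
    bug class the properties should catch: a state change without onlyOwner."""

    def __init__(self, owner, enforce_access=True):
        self.owner, self.state = owner, OPEN
        self.balance, self.contributions = 0, {}
        self.enforce_access = enforce_access

    def _only_owner(self, caller):
        if self.enforce_access and caller != self.owner:
            raise RevertError("not owner")

    def contribute(self, caller, amount):
        if self.state != OPEN or amount <= 0:
            raise RevertError("not open")
        self.contributions[caller] = self.contributions.get(caller, 0) + amount
        self.balance += amount

    def close(self, caller):
        self._only_owner(caller)
        if self.state != OPEN:
            raise RevertError("bad state")
        self.state = CLOSED

    def finalize(self, caller):
        self._only_owner(caller)
        if self.state != CLOSED:
            raise RevertError("bad state")
        self.state = FINALIZED
        self.balance = 0  # funds swept to the owner on finalization


# Step 4 properties. Each takes the model and the call trace
# [(caller, fn, succeeded, state_before, state_after)] and returns True if it holds.
PROPERTIES = {
    "state machine: only documented transitions occur": lambda sale, trace: all(
        after == before or after in TRANSITIONS[before] for _, _, _, before, after in trace),
    "access control: only the owner changes state": lambda sale, trace: all(
        caller == sale.owner for caller, _, ok, before, after in trace if ok and before != after),
    "arithmetic: balance equals sum of contributions until finalized": lambda sale, trace:
        sale.state == FINALIZED or sale.balance == sum(sale.contributions.values()),
    "state machine: contributions only while open": lambda sale, trace: all(
        before == OPEN for _, fn, ok, before, _ in trace if ok and fn == "contribute"),
}


def fuzz(sale_factory, steps=200, seed=0):
    """Apply random calls from random callers; return (violated property, last step)
    or (None, None) if every property held after every call."""
    rng = random.Random(seed)
    sale = sale_factory()
    actors = [sale.owner, "alice", "bob"]
    trace = []
    for _ in range(steps):
        caller, fn, before = rng.choice(actors), rng.choice(["contribute", "close", "finalize"]), sale.state
        try:
            if fn == "contribute":
                sale.contribute(caller, rng.randint(1, 100))
            else:
                getattr(sale, fn)(caller)
            ok = True
        except RevertError:
            ok = False
        trace.append((caller, fn, ok, before, sale.state))
        for name, holds in PROPERTIES.items():
            if not holds(sale, trace):
                return name, trace[-1]
    return None, None


def fuzz_many(sale_factory, seeds=range(20), steps=200):
    """Run fuzz across several seeds; return (property, step, seed) of the first violation."""
    for seed in seeds:
        name, step = fuzz(sale_factory, steps, seed)
        if name:
            return name, step, seed
    return None, None, None


if __name__ == "__main__":
    print("correct model:", fuzz_many(lambda: Sale("owner")))
    print("missing onlyOwner:", fuzz_many(lambda: Sale("owner", enforce_access=False)))
```

The property names double as the documentation the step asks for: state-machine transitions, access control and an arithmetic invariant are each one line that a reviewer can read and a fuzzer can execute. When the model is replaced by the real contract under Echidna, the same four statements become `echidna_*` or assertion properties with no change in meaning.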
Step 5: Manual Review Areas
Analyze areas automated tools miss:
- Privacy: On-chain secrets, commit-reveal needs
- Front-running: Slippage protection, ordering risks, MEV
- Cryptography: Weak randomness, signature issues, hash collisions
- DeFi interactions: Oracle manipulation, flash loans, protocol assumptions
Search codebase for these patterns and flag risks
For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.
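Step 2 and Step 5 both start with the same question, what is actually in the codebase, and the Rationalizations table below insists that question be answered by an explicit search rather than an assumption. The block below is an added example, not Trail of Bits' code, serving both steps: one pass over Solidity sources decides which Step 2 checks apply (upgradeability, ERC conformance, token integration) and emits the commands to run, and flags Step 5 manual-review hotspots (on-chain secrets, weak randomness, signature and hash usage, oracle and flash-loan entry points) with `file:line` references. The two Solidity files are constructed for the example; the argument layouts of `slither-check-upgradeability`, `slither-check-erc` and `slither-prop` follow Slither's tool help as I recall it and should be confirmed with `--help` before use. The signal patterns are a starting set to extend per project, not an exhaustive list.

```python
"""Added example (not Trail of Bits' code): a source scan that decides which
Step 2 checks apply and flags Step 5 manual-review hotspots."""
import re

# Constructed sample sources {path: contents}; a real run reads *.sol files from disk.
SOURCES = {
    "contracts/Vault.sol": """\
pragma solidity ^0.8.20;
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
contract Vault is Initializable {
    IERC20 public token;
    AggregatorV3Interface public oracle;
    bytes32 private secretSeed;
    function initialize(address t) external initializer { token = IERC20(t); }
    function deposit(uint256 amt) external { token.transferFrom(msg.sender, address(this), amt); }
    function lottery() external view returns (uint256) { return uint256(blockhash(block.number - 1)) % 10; }
    function price() external view returns (int256) { (, int256 p,,,) = oracle.latestRoundData(); return p; }
}
""",
    "contracts/Token.sol": """\
pragma solidity ^0.8.20;
contract Token {
    mapping(address => uint256) public balanceOf;
    function transfer(address to, uint256 v) external returns (bool) { return true; }
}
""",
}

# Step 2: evidence that a special feature is present, so its check must run.
STEP2_SIGNALS = {
    "upgradeability": [r"\bdelegatecall\b", r"\bInitializable\b", r"\bUUPSUpgradeable\b",
                       r"\bTransparentUpgradeableProxy\b", r"\binitializer\b"],
    "erc_conformance": [r"\bfunction\s+transfer\s*\(", r"\bfunction\s+balanceOf\s*\(",
                        r"\bis\s+ERC(20|721|1155)\b"],
    "token_integration": [r"\bIERC20\b", r"\.transferFrom\s*\(", r"\.safeTransfer\s*\(", r"\.balanceOf\s*\("],
}

# Step 5: places a reviewer must read by hand. `private` does not hide storage on-chain,
# blockhash/prevrandao are not secure randomness, and each oracle or flash-loan call is
# a protocol assumption to document.
STEP5_SIGNALS = {
    "privacy/on-chain-secrets": [r"\bprivate\s+\w*(secret|password|seed)\w*"],
    "cryptography/weak-randomness": [r"\bblockhash\s*\(", r"\bblock\.prevrandao\b", r"\bblock\.difficulty\b"],
    "cryptography/signatures": [r"\becrecover\s*\("],
    "cryptography/hash-collisions": [r"\babi\.encodePacked\s*\("],
    "defi/oracles": [r"\blatestRoundData\s*\(", r"\bgetReserves\s*\(", r"\bslot0\s*\("],
    "defi/flash-loans": [r"\bflashLoan\s*\(", r"\bonFlashLoan\s*\("],
    "front-running/slippage": [r"\bswapExact\w*\s*\(", r"\bswap\s*\("],
}

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)")


def scan(sources, signals):
    """Return {category: [(path, line_no, matched_text)]} with one hit per line and category."""
    hits = {}
    for category, patterns in signals.items():
        compiled = [re.compile(p) for p in patterns]
        for path, text in sources.items():
            for n, line in enumerate(text.splitlines(), start=1):
                for rx in compiled:
                    m = rx.search(line)
                    if m:
                        hits.setdefault(category, []).append((path, n, m.group(0)))
                        break
    return hits


def step2_commands(hits, sources, project="."):
    """Turn Step 2 evidence into the checks to run. Proxy and new-version contract
    names are placeholders to fill in; argument layout is an assumption to verify."""
    def files(category):
        return sorted({p for p, _, _ in hits.get(category, [])})
    cmds = []
    for path in files("upgradeability"):
        for c in CONTRACT_RE.findall(sources[path]):
            cmds.append(f"slither-check-upgradeability {project} {c} "
                        f"--proxy-name <ProxyContract> --new-contract-name <{c}V2>")
    for path in files("erc_conformance"):
        for c in CONTRACT_RE.findall(sources[path]):
            cmds.append(f"slither-check-erc {project} {c} --erc ERC20")
            cmds.append(f"slither-prop {project} --contract {c}")
    if files("token_integration"):
        cmds.append("# token interactions found: run the token-integration-analyzer skill")
    return cmds


def step5_flags(hits):
    """Step 5 output lines: category and file:line for manual review."""
    return [f"{cat}: {path}:{n} ({text})" for cat, items in hits.items() for path, n, text in items]


if __name__ == "__main__":
    print("\n".join(step2_commands(scan(SOURCES, STEP2_SIGNALS), SOURCES)))
    print("\n".join(step5_flags(scan(SOURCES, STEP5_SIGNALS))))
```

A category with no hits is the evidence for marking a step "N/A": the scan output, not an assumption, is what goes into the workflow checklist. A hit in the Step 5 set is not a finding by itself; it is the location where the manual review for that category starts.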
How I Work
When invoked, I will:
- Explore your codebase to understand structure
- Run Step 1: Slither security scan
- Detect and run Step 2: Special feature checks (only what applies)
- Generate Step 3: Visual security diagrams
- Guide Step 4: Security property documentation
- Analyze Step 5: Manual review areas
- Provide action plan: Prioritized fixes and next steps
Adapts based on:
- What tools you have installed
- What's applicable to your project
- Where you are in development
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |
Example Output
When I complete the workflow, you'll get a comprehensive security report covering:
- Step 1: Slither findings with severity, file references, and fix recommendations
- Step 2: Special feature validation results (upgradeability, ERC conformance, etc.)
- Step 3: Visual diagrams analyzing inheritance, functions, and state variable authorization
- Step 4: Documented security properties and testing setup (Echidna/Manticore)
- Step 5: Manual review findings (privacy, front-running, cryptography, DeFi risks)
- Action plan: Critical/high/medium priority tasks with effort estimates
- Workflow checklist: Progress on all 5 steps
For a complete example workflow report, see EXAMPLE_REPORT.md.
What You'll Get
Security Report:
- Slither findings with severity and fixes
- Special feature validation results
- Visual diagrams (PNG/PDF)
- Manual review findings
Action Plan:
- Critical issues to fix immediately
- Security properties to document
- Testing to set up (Echidna/Manticore)
- Manual areas to review
Workflow Checklist:
- Clean Slither report
- Special features validated
- Visual inspection complete
- Properties documented
- Manual review done
Getting Help
Trail of Bits Resources:
- Office Hours: Every Tuesday (schedule)
- Empire Hacking Slack: #crytic and #ethereum channels
Other Security:
- Remember: Security is about more than smart contracts
- Off-chain security (owner keys, infrastructure) is equally critical
Ready to Start
Let me know when you're ready and I'll run through the workflow with your codebase!