software-crypto-web3
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSoftware Crypto/Web3 Engineering
加密货币/Web3软件工程
Use this skill to design, implement, and review secure blockchain systems: smart contracts, on-chain/off-chain integration, custody and signing, testing, audits, and production operations.
Defaults to: security-first development, explicit threat models, comprehensive testing (unit + integration + fork + fuzz/invariants), formal methods when high-value, upgrade safety (timelocks, governance, rollback plans), and defense-in-depth for key custody and signing.
本技能用于设计、实现和审查安全的区块链系统:智能合约、链上/链下集成、资产托管与签名、测试、审计以及生产运营。
默认遵循:安全优先的开发原则、明确的威胁模型、全面的测试(单元测试+集成测试+分叉测试+模糊/不变量测试)、高价值场景下使用形式化方法、安全的升级机制(时间锁、治理、回滚计划),以及密钥托管与签名的纵深防御策略。
Quick Reference
快速参考
| Task | Tool/Framework | Command | When to Use |
|---|---|---|---|
| Solidity Development | Hardhat/Foundry | | Ethereum/EVM smart contracts |
| Solana Programs | Anchor | | Solana blockchain development |
| Cosmos Contracts | CosmWasm | | Cosmos ecosystem contracts |
| TON Contracts | Tact/FunC + Blueprint | | TON blockchain development |
| Testing (Solidity) | Foundry/Hardhat | | Unit, fork, invariant tests |
| Security Audit | Slither/Aderyn/Echidna | | Static analysis, fuzzing |
| AI-Assisted Review | AI scanners (optional) | N/A | Pre-audit preparation (verify findings manually) |
| Fuzzing | Echidna/Medusa | | Property-based fuzzing |
| Gas Optimization | Foundry Gas Snapshots | | Benchmark and optimize gas |
| Deployment | Hardhat Deploy/Forge Script | | Mainnet/testnet deployment |
| Verification | Etherscan API | | Source code verification |
| Upgradeable Contracts | OpenZeppelin Upgrades | | Proxy-based upgrades |
| Smart Wallets | ERC-4337, EIP-7702 | Account abstraction SDKs | Smart accounts and sponsored gas (verify network support) |
| 任务 | 工具/框架 | 命令 | 适用场景 |
|---|---|---|---|
| Solidity开发 | Hardhat/Foundry | | Ethereum/EVM智能合约 |
| Solana程序开发 | Anchor | | Solana区块链开发 |
| Cosmos合约开发 | CosmWasm | | Cosmos生态合约 |
| TON合约开发 | Tact/FunC + Blueprint | | TON区块链开发 |
| Solidity测试 | Foundry/Hardhat | | 单元测试、分叉测试、不变量测试 |
| 安全审计 | Slither/Aderyn/Echidna | | 静态分析、模糊测试 |
| AI辅助审查 | AI扫描工具(可选) | N/A | 审计前准备(需手动验证发现的问题) |
| 模糊测试 | Echidna/Medusa | | 基于属性的模糊测试 |
| Gas优化 | Foundry Gas Snapshots | | Gas基准测试与优化 |
| 部署 | Hardhat Deploy/Forge Script | | 主网/测试网部署 |
| 代码验证 | Etherscan API | | 源代码验证 |
| 可升级合约 | OpenZeppelin Upgrades | | 基于代理的合约升级 |
| 智能钱包 | ERC-4337, EIP-7702 | 账户抽象SDK | 智能账户与Gas赞助(需验证网络支持) |
Scope
适用范围
Use this skill when you need:
- Smart contract development (Solidity, Rust, CosmWasm)
- DeFi protocol implementation (AMM, lending, staking, yield farming)
- NFT and token standards (ERC20, ERC721, ERC1155, SPL tokens)
- DAO governance systems
- Cross-chain bridges and interoperability
- Gas optimization and storage patterns
- Smart contract security audits
- Testing strategies (Foundry, Hardhat, Anchor)
- Oracle integration (Chainlink, Pyth)
- Upgradeable contract patterns (proxies, diamonds)
- Web3 frontend integration (ethers.js, web3.js, @solana/web3.js)
- Blockchain indexing (The Graph, subgraphs)
- MEV protection and flashbots
- Layer 2 scaling solutions (Base, Arbitrum, Optimism, zkSync)
- Account abstraction (ERC-4337, EIP-7702, smart wallets)
- Backend crypto integration (.NET/C#, multi-provider architecture, CQRS)
- Webhook handling and signature validation (Fireblocks, custodial providers)
- Event-driven architecture with Kafka for crypto payments
- Transaction lifecycle management and monitoring
- Wallet management (custodial vs non-custodial)
当你需要以下能力时使用本技能:
- 智能合约开发(Solidity、Rust、CosmWasm)
- DeFi协议实现(AMM、借贷、质押、收益农耕)
- NFT与代币标准(ERC20、ERC721、ERC1155、SPL代币)
- DAO治理系统
- 跨链桥与互操作性
- Gas优化与存储模式
- 智能合约安全审计
- 测试策略(Foundry、Hardhat、Anchor)
- 预言机集成(Chainlink、Pyth)
- 可升级合约模式(代理、钻石模式)
- Web3前端集成(ethers.js、web3.js、@solana/web3.js)
- 区块链索引(The Graph、子图)
- MEV防护与Flashbots
- Layer 2扩容方案(Base、Arbitrum、Optimism、zkSync)
- 账户抽象(ERC-4337、EIP-7702、智能钱包)
- 加密货币后端集成(.NET/C#、多提供商架构、CQRS)
- Webhook处理与签名验证(Fireblocks、托管提供商)
- 基于Kafka的加密货币支付事件驱动架构
- 交易生命周期管理与监控
- 钱包管理(托管 vs 非托管)
Decision Tree: Blockchain Platform Selection
区块链平台选择决策树
text
Project needs: [Use Case]
- EVM-compatible smart contracts?
- Complex testing needs -> Foundry (fuzzing, invariants, gas snapshots)
- TypeScript ecosystem -> Hardhat (plugins, TS, Ethers.js/Viem)
- Enterprise features -> NestJS + Hardhat
- High throughput / low fees?
- Rust-based -> Solana (Anchor)
- EVM L2 -> Arbitrum/Optimism/Base (Ethereum security, lower gas)
- Telegram distribution -> TON (Tact/FunC)
- Interoperability across chains?
- Cosmos ecosystem -> CosmWasm (IBC)
- Multi-chain apps -> LayerZero or Wormhole (verify trust assumptions)
- Bridge development -> custom (high risk; threat model required)
- Token standard implementation?
- Fungible tokens -> ERC20 (OpenZeppelin), SPL Token (Solana)
- NFTs -> ERC721/ERC1155 (OpenZeppelin), Metaplex (Solana)
- Semi-fungible -> ERC1155 (gaming, fractionalized NFTs)
- DeFi protocol development?
- AMM/DEX -> Uniswap V3 fork or custom (concentrated liquidity)
- Lending -> Compound/Aave fork (collateralized borrowing)
- Staking/yield -> custom reward distribution contracts
- Upgradeable contracts required?
- Transparent proxy -> OpenZeppelin (admin/user separation)
- UUPS -> upgrade logic in implementation
- Diamond -> modular functionality (EIP-2535)
- Backend integration?
- .NET/C# -> multi-provider architecture (see backend integration references)
- Node.js -> Ethers.js/Viem + durable queues
- Python -> Web3.py + FastAPIChain-Specific Considerations:
- Ethereum/EVM: Security-first, higher gas costs, largest ecosystem
- Solana: Performance-first, Rust required, lower fees
- Cosmos: Interoperability-first, IBC native, growing ecosystem
- TON: Telegram-first, async contracts, unique architecture
See references/ for chain-specific best practices.
text
项目需求: [使用场景]
- 是否需要兼容EVM的智能合约?
- 复杂测试需求 -> Foundry(模糊测试、不变量测试、Gas快照)
- TypeScript生态 -> Hardhat(插件、TS、Ethers.js/Viem)
- 企业级功能 -> NestJS + Hardhat
- 是否需要高吞吐量/低手续费?
- 基于Rust -> Solana(Anchor)
- EVM L2 -> Arbitrum/Optimism/Base(以太坊安全保障,更低Gas)
- Telegram分发 -> TON(Tact/FunC)
- 是否需要跨链互操作性?
- Cosmos生态 -> CosmWasm(IBC)
- 多链应用 -> LayerZero或Wormhole(需验证信任假设)
- 跨链桥开发 -> 自定义方案(高风险;需制定威胁模型)
- 是否需要实现代币标准?
- 可替代代币 -> ERC20(OpenZeppelin)、SPL Token(Solana)
- NFT -> ERC721/ERC1155(OpenZeppelin)、Metaplex(Solana)
- 半替代代币 -> ERC1155(游戏、碎片化NFT)
- 是否需要开发DeFi协议?
- AMM/DEX -> Uniswap V3分叉或自定义(集中流动性)
- 借贷 -> Compound/Aave分叉(抵押借贷)
- 质押/收益 -> 自定义奖励分发合约
- 是否需要可升级合约?
- 透明代理 -> OpenZeppelin(管理员/用户权限分离)
- UUPS -> 升级逻辑内置在实现合约中
- 钻石模式 -> 模块化功能(EIP-2535)
- 是否需要后端集成?
- .NET/C# -> 多提供商架构(参见后端集成参考文档)
- Node.js -> Ethers.js/Viem + 持久化队列
- Python -> Web3.py + FastAPI链特定注意事项:
- Ethereum/EVM: 安全优先,Gas成本较高,生态系统最庞大
- Solana: 性能优先,需使用Rust,手续费较低
- Cosmos: 互操作性优先,原生支持IBC,生态持续增长
- TON: Telegram优先,异步合约,独特架构
查看 references/ 获取各链最佳实践。
Security-First Patterns (Jan 2026)
安全优先模式(2026年1月)
Security baseline: Assume an adversarial environment. Treat contracts and signing infrastructure as public, attackable APIs.
安全基线: 假设环境存在恶意攻击者。将合约和签名基础设施视为公开可被攻击的API。
Custody, Keys, and Signing (Core)
资产托管、密钥与签名(核心)
Key management is a dominant risk driver in production crypto systems. Use a real key management standard as baseline (for example, NIST SP 800-57).
| Model | Who holds keys | Typical use | Primary risks | Default controls |
|---|---|---|---|---|
| Non-custodial | End user wallet | Consumer apps, self-custody | Phishing, approvals, UX errors | Hardware wallet support, clear signing UX, allowlists |
| Custodial | Your service (HSM/MPC) | Exchanges, payments, B2B | Key theft, insider threat, ops mistakes | HSM/MPC, separation of duties, limits/approvals, audit logs |
| Hybrid | Split responsibility | Enterprises | Complex failure modes | Explicit recovery/override paths, runbooks |
BEST:
- Separate hot/warm/cold signing paths with limits and approvals [Inference]
- Require dual control for high-value transfers (policy engine + human approval) [Inference]
- Keep an immutable audit trail for signing requests (who/what/when/why) [Inference]
AVOID:
- Storing private keys in databases or application config
- Reusing signing keys across environments (dev/staging/prod)
- Hot-wallet automation without rate limits and circuit breakers [Inference]
密钥管理是生产级加密货币系统的主要风险来源。以实际密钥管理标准为基线(例如 NIST SP 800-57)。
| 模式 | 密钥持有者 | 典型用途 | 主要风险 | 默认控制措施 |
|---|---|---|---|---|
| 非托管 | 终端用户钱包 | 消费级应用、自托管 | 钓鱼攻击、授权失误、UX错误 | 支持硬件钱包、清晰的签名UX、白名单机制 |
| 托管 | 服务方(HSM/MPC) | 交易所、支付、B2B | 密钥被盗、内部威胁、操作失误 | HSM/MPC、职责分离、额度/授权机制、审计日志 |
| 混合模式 | 责任拆分 | 企业级应用 | 复杂故障模式 | 明确的恢复/覆盖路径、运行手册 |
最佳实践:
- 分离热/温/冷签名路径,并设置额度与授权机制 [推论]
- 高价值转账需双控(策略引擎 + 人工审批)[推论]
- 为签名请求保留不可变审计轨迹(谁/什么/何时/原因)[推论]
需避免:
- 在数据库或应用配置中存储私钥
- 跨环境(开发/预发布/生产)复用签名密钥
- 热钱包自动化无速率限制与断路器 [推论]
Checks-Effects-Interactions (CEI) Pattern
检查-效应-交互(CEI)模式
Mandatory for all state-changing functions.
solidity
// Correct: CEI pattern
function withdraw(uint256 amount) external {
// 1. CHECKS: Validate conditions
require(balances[msg.sender] >= amount, "Insufficient balance");
// 2. EFFECTS: Update state BEFORE external calls
balances[msg.sender] -= amount;
// 3. INTERACTIONS: External calls LAST
(bool success, ) = msg.sender.call{value: amount}("");
require(success, "Transfer failed");
}
// Wrong: External call before state update (reentrancy risk)
function withdrawUnsafe(uint256 amount) external {
require(balances[msg.sender] >= amount);
(bool success, ) = msg.sender.call{value: amount}("");
require(success);
balances[msg.sender] -= amount; // Too late!
}所有状态变更函数必须遵循。
solidity
// Correct: CEI pattern
function withdraw(uint256 amount) external {
// 1. CHECKS: Validate conditions
require(balances[msg.sender] >= amount, "Insufficient balance");
// 2. EFFECTS: Update state BEFORE external calls
balances[msg.sender] -= amount;
// 3. INTERACTIONS: External calls LAST
(bool success, ) = msg.sender.call{value: amount}("");
require(success, "Transfer failed");
}
// Wrong: External call before state update (reentrancy risk)
function withdrawUnsafe(uint256 amount) external {
require(balances[msg.sender] >= amount);
(bool success, ) = msg.sender.call{value: amount}("");
require(success);
balances[msg.sender] -= amount; // Too late!
}Security Tools (Jan 2026)
安全工具(2026年1月)
| Category | Tool | Purpose | When to Use |
|---|---|---|---|
| Static Analysis | Slither | Vulnerability detection, 92+ detectors | Every contract |
| Static Analysis | Aderyn | Rust-based, faster for large codebases | Large projects |
| Fuzzing | Echidna | Property-based fuzzing | Complex state |
| Fuzzing | Medusa | Parallelized Go fuzzer | CI/CD pipelines |
| Formal Verification | SMTChecker | Built-in Solidity checker | Every contract |
| Formal Verification | Certora | Property-based proofs (CVL) | DeFi, high-value |
| Formal Verification | Halmos | Symbolic testing | Complex invariants |
| AI-Assisted | Sherlock AI | ML vulnerability detection | Pre-audit prep |
| AI-Assisted | Olympix | DevSecOps integration | CI/CD security |
| AI-Assisted | AuditBase | 423+ detectors, LLM-powered | Business logic |
| Mutation Testing | SuMo | Test suite quality assessment | Test validation |
solidity
// Certora CVL rule example
rule balanceNeverNegative(address user) {
env e;
require balances[user] >= 0;
deposit(e);
assert balances[user] >= 0;
}AI-assisted review: Use AI tooling for pre-audit preparation and coverage, not for final security decisions. Treat outputs as untrusted and reproduce findings with deterministic tools, tests, and manual review.
| 类别 | 工具 | 用途 | 适用场景 |
|---|---|---|---|
| 静态分析 | Slither | 漏洞检测,支持92+种检测器 | 所有合约 |
| 静态分析 | Aderyn | 基于Rust,大型代码库分析速度更快 | 大型项目 |
| 模糊测试 | Echidna | 基于属性的模糊测试 | 复杂状态场景 |
| 模糊测试 | Medusa | 并行化Go语言模糊测试器 | CI/CD流水线 |
| 形式化验证 | SMTChecker | Solidity内置检查器 | 所有合约 |
| 形式化验证 | Certora | 基于属性的证明(CVL) | DeFi、高价值场景 |
| 形式化验证 | Halmos | 符号化测试 | 复杂不变量 |
| AI辅助工具 | Sherlock AI | 机器学习漏洞检测 | 审计前准备 |
| AI辅助工具 | Olympix | DevSecOps集成 | CI/CD安全 |
| AI辅助工具 | AuditBase | 423+种检测器,基于LLM | 业务逻辑检测 |
| 变异测试 | SuMo | 测试套件质量评估 | 测试有效性验证 |
solidity
// Certora CVL rule example
rule balanceNeverNegative(address user) {
env e;
require balances[user] >= 0;
deposit(e);
assert balances[user] >= 0;
}AI辅助审查: 使用AI工具进行审计前准备和覆盖范围检查,但不要用于最终安全决策。将输出视为不可信内容,需通过确定性工具、测试和手动审查重现发现的问题。
MEV Protection
MEV防护
| Strategy | Implementation |
|---|---|
| Private mempool | Flashbots Protect, MEV Blocker |
| Commit-reveal | Hash commitment, reveal after deadline |
| Batch auctions | CoW Protocol, Gnosis Protocol |
| Encrypted mempools | Shutter Network |
solidity
// Commit-reveal pattern
mapping(address => bytes32) public commitments;
function commit(bytes32 hash) external {
commitments[msg.sender] = hash;
}
function reveal(uint256 value, bytes32 salt) external {
require(
keccak256(abi.encodePacked(value, salt)) == commitments[msg.sender],
"Invalid reveal"
);
// Process revealed value
}| 策略 | 实现方案 |
|---|---|
| 私有内存池 | Flashbots Protect、MEV Blocker |
| 提交-披露 | 哈希提交,截止日期后披露 |
| 批量拍卖 | CoW Protocol、Gnosis Protocol |
| 加密内存池 | Shutter Network |
solidity
// Commit-reveal pattern
mapping(address => bytes32) public commitments;
function commit(bytes32 hash) external {
commitments[msg.sender] = hash;
}
function reveal(uint256 value, bytes32 salt) external {
require(
keccak256(abi.encodePacked(value, salt)) == commitments[msg.sender],
"Invalid reveal"
);
// Process revealed value
}Account Abstraction (Jan 2026)
账户抽象(2026年1月)
Note: Adoption numbers and upgrade timelines change quickly. Verify current ERC-4337 ecosystem state and any EIP-7702 activation details with WebSearch before making recommendations.
注意: adoption数量和升级时间线变化迅速。在提供建议前,请通过WebSearch验证当前ERC-4337生态系统状态和EIP-7702激活细节。
ERC-4337 vs EIP-7702
ERC-4337 vs EIP-7702
| Standard | Type | Key Feature | Use Case |
|---|---|---|---|
| ERC-4337 | Smart contract wallets | Full AA without protocol changes | New wallets, DeFi, gaming |
| EIP-7702 | EOA enhancement | EOAs execute smart contract code | Existing wallets, batch txns |
| ERC-6900 | Modular accounts | Plugin management for AA wallets | Extensible wallet features |
ERC-4337 Architecture:
text
User -> UserOperation -> Bundler -> EntryPoint -> Smart Account -> Target Contract
|
v
Paymaster (gas sponsorship)EIP-7702 (Pectra Upgrade):
- EOAs can temporarily delegate to smart contracts
- Enables batch transactions, sponsored gas for existing addresses
- Complementary to ERC-4337 (uses same bundler/paymaster infra)
- Supported by Ambire, Trust Wallet, and growing
Key Capabilities:
- Gasless transactions: Paymasters sponsor gas in ERC-20 or fiat
- Batch operations: Multiple actions in single transaction
- Social recovery: Multi-sig or guardian-based key recovery
- Session keys: Limited permissions for dApps without full wallet access
| 标准 | 类型 | 核心特性 | 适用场景 |
|---|---|---|---|
| ERC-4337 | 智能合约钱包 | 无需协议修改的完整账户抽象 | 新钱包、DeFi、游戏 |
| EIP-7702 | EOA增强 | EOA可执行智能合约代码 | 现有钱包、批量交易 |
| ERC-6900 | 模块化账户 | 智能钱包插件管理 | 可扩展钱包功能 |
ERC-4337架构:
text
用户 -> UserOperation -> Bundler -> EntryPoint -> 智能账户 -> 目标合约
|
v
Paymaster(Gas赞助)EIP-7702(Pectra升级):
- EOA可临时委托给智能合约
- 支持批量交易、现有地址的Gas赞助
- 与ERC-4337互补(使用相同的Bundler/Paymaster基础设施)
- 已被Ambire、Trust Wallet等支持,且支持方持续增加
核心能力:
- 无Gas交易: Paymaster以ERC-20或法币赞助Gas
- 批量操作: 单交易执行多个操作
- 社交恢复: 多签或监护人密钥恢复
- 会话密钥: 为dApp提供有限权限,无需完整钱包访问权
Smart Wallet Development
智能钱包开发
solidity
// Minimal ERC-4337 Account (simplified)
import "@account-abstraction/contracts/core/BaseAccount.sol";
contract SimpleAccount is BaseAccount {
address public owner;
function validateUserOp(
UserOperation calldata userOp,
bytes32 userOpHash,
uint256 missingAccountFunds
) external override returns (uint256 validationData) {
// Verify signature
require(_validateSignature(userOp, userOpHash), "Invalid sig");
// Pay prefund if needed
if (missingAccountFunds > 0) {
(bool success,) = payable(msg.sender).call{value: missingAccountFunds}("");
require(success);
}
return 0; // Valid
}
}solidity
// Minimal ERC-4337 Account (simplified)
import "@account-abstraction/contracts/core/BaseAccount.sol";
contract SimpleAccount is BaseAccount {
address public owner;
function validateUserOp(
UserOperation calldata userOp,
bytes32 userOpHash,
uint256 missingAccountFunds
) external override returns (uint256 validationData) {
// Verify signature
require(_validateSignature(userOp, userOpHash), "Invalid sig");
// Pay prefund if needed
if (missingAccountFunds > 0) {
(bool success,) = payable(msg.sender).call{value: missingAccountFunds}("");
require(success);
}
return 0; // Valid
}
}Layer 2 Development (Jan 2026)
Layer 2开发(2026年1月)
Note: L2 market share and risk stages change quickly. Use current data (for example, L2Beat and ecosystem dashboards) before stating rankings, TVL, or stage classifications.
注意: L2市场份额和风险阶段变化迅速。在说明排名、TVL或阶段分类前,请使用最新数据(例如L2Beat和生态仪表板)。
L2 Selection Guide
L2选择指南
| L2 | Type | Best For | Key Feature |
|---|---|---|---|
| Base | Optimistic | Consumer apps, mainstream adoption | Coinbase integration, low fees |
| Arbitrum | Optimistic | DeFi, mature ecosystem | Largest TVL, DAO grants |
| Optimism | Optimistic | Public goods, Superchain | OP Stack, grant programs |
| zkSync Era | ZK-Rollup | Fast finality, native AA | zkEVM, no withdrawal delay |
| StarkNet | ZK-Rollup | Cairo development, ZK-native | STARK proofs, custom VM |
| L2 | 类型 | 最佳适用场景 | 核心特性 |
|---|---|---|---|
| Base | 乐观型Rollup | 消费级应用、主流 adoption | Coinbase集成、低手续费 |
| Arbitrum | 乐观型Rollup | DeFi、成熟生态 | TVL最大、DAO资助 |
| Optimism | 乐观型Rollup | 公共物品、Superchain | OP Stack、资助计划 |
| zkSync Era | ZK-Rollup | 快速终局性、原生账户抽象 | zkEVM、无提款延迟 |
| StarkNet | ZK-Rollup | Cairo开发、ZK原生 | STARK证明、自定义VM |
Enterprise Rollups (2025-2026 Trend)
企业级Rollup(2025-2026趋势)
Major institutions launching L2s on OP Stack:
- Kraken INK - Exchange-native L2
- Uniswap UniChain - DeFi-optimized
- Sony Soneium - Gaming and media
- Robinhood - Arbitrum integration
主流机构基于OP Stack推出L2:
- Kraken INK - 交易所原生L2
- Uniswap UniChain - DeFi优化
- Sony Soneium - 游戏与媒体
- Robinhood - Arbitrum集成
EIP-4844 Blob Optimization
EIP-4844 Blob优化
Since March 2024, rollups use blob-based data posting:
text
Before: calldata posting -> expensive
After: blob posting -> lower data availability costOptimism, zkSync optimized batching for blobs in 2025.
自2024年3月起,Rollup使用基于Blob的数据发布:
text
之前: calldata发布 -> 成本高昂
之后: Blob发布 -> 数据可用性成本降低Optimism、zkSync在2025年优化了Blob批处理。
Common Mistakes (2025-2026)
常见错误(2025-2026)
Reality check: Exploits regularly cause large losses. Access control, signing/custody, and integration bugs remain top incident drivers.
| Mistake | Impact | Prevention |
|---|---|---|
| Missing access control | Unauthorized admin actions | Use OpenZeppelin |
| Reentrancy | Drain funds via callback | CEI pattern, |
| Unchecked external calls | Silent failures | Always check return values, use |
| Integer overflow (pre-0.8) | Arbitrary value manipulation | Use Solidity 0.8.x+ (built-in checks) |
| Frontrunning | MEV extraction, sandwich attacks | Commit-reveal, Flashbots Protect, private mempool |
| Oracle manipulation | Price feed attacks | TWAP, multiple oracles, sanity bounds |
| Improper initialization | Proxy takeover | Use |
| Storage collision (proxies) | Data corruption | Follow EIP-1967 slots, use OpenZeppelin upgrades |
现实情况: 漏洞利用定期造成巨额损失。访问控制、签名/托管和集成漏洞仍是事件的主要驱动因素。
| 错误 | 影响 | 预防措施 |
|---|---|---|
| 缺失访问控制 | 未授权管理员操作 | 使用OpenZeppelin |
| 重入攻击 | 通过回调盗走资金 | CEI模式、 |
| 未检查外部调用 | 静默失败 | 始终检查返回值、使用 |
| 整数溢出(0.8版本前) | 任意值操纵 | 使用Solidity 0.8.x+(内置检查) |
| 抢先交易 | MEV提取、三明治攻击 | 提交-披露模式、Flashbots Protect、私有内存池 |
| 预言机操纵 | 价格馈送攻击 | TWAP、多预言机、合理性边界 |
| 初始化不当 | 代理接管 | 使用 |
| 存储冲突(代理) | 数据损坏 | 遵循EIP-1967插槽规范、使用OpenZeppelin升级工具 |
Anti-Patterns to Avoid
需避免的反模式
AVOID:
- Using for authorization (phishing risk)
tx.origin - Storing secrets on-chain (all data is public)
- Using for randomness (miner/validator influence)
block.timestamp - Ignoring return values from /
transfersend - Using deprecated tooling (Truffle/Ganache/Brownie)
BEST:
- Run static analysis on every change (for example, Slither and Aderyn)
- Add fuzz/invariant tests before any audit
- Use formal methods for high-value DeFi (for example, Certora and symbolic testing)
需避免:
- 使用进行授权(钓鱼风险)
tx.origin - 在链上存储机密(所有数据公开)
- 使用生成随机数(受矿工/验证者影响)
block.timestamp - 忽略/
transfer的返回值send - 使用已弃用工具(Truffle/Ganache/Brownie)
最佳实践:
- 每次变更都运行静态分析(例如Slither和Aderyn)
- 审计前添加模糊/不变量测试
- 高价值DeFi使用形式化方法(例如Certora和符号化测试)
LLM Limitations in Smart Contracts
大语言模型在智能合约中的局限性
Do not rely on LLMs for:
- Security-critical logic verification
- Gas optimization calculations
- Complex mathematical proofs
Use LLMs for:
- Boilerplate generation (tests, docs)
- Code explanation and review prep
- Initial vulnerability hypotheses (verify manually)
请勿依赖大语言模型完成以下工作:
- 安全关键逻辑验证
- Gas优化计算
- 复杂数学证明
大语言模型适用于:
- 样板代码生成(测试、文档)
- 代码解释与审查准备
- 初始漏洞假设(需手动验证)
When NOT to Use This Skill
不适用场景
- Traditional backend without blockchain -> Use software-backend
- Pure API design without Web3 -> Use dev-api-design
- General security without smart contracts -> Use software-security-appsec
- Frontend-only dApp UI -> Use software-frontend + Web3 libraries
- 无区块链的传统后端 -> 使用 software-backend
- 无Web3的纯API设计 -> 使用 dev-api-design
- 无智能合约的通用安全 -> 使用 software-security-appsec
- 纯前端dApp UI -> 使用 software-frontend + Web3库
Navigation
导航
Resources
- references/blockchain-best-practices.md - Universal blockchain patterns and security
- references/backend-integration-best-practices.md - .NET/C# crypto integration patterns (CQRS, Kafka, multi-provider)
- references/solidity-best-practices.md - Solidity/EVM-specific guidance
- references/rust-solana-best-practices.md - Solana + Anchor patterns
- references/cosmwasm-best-practices.md - Cosmos/CosmWasm guidance
- references/ton-best-practices.md - TON contracts (Tact/Fift/FunC) and deployment
- ../software-security-appsec/references/smart-contract-security-auditing.md - Smart contract audit workflows and tools (see software-security-appsec skill)
- data/sources.json - Curated external references per chain
- Shared secure review checklist: ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md
Templates
- Ethereum/EVM: assets/ethereum/template-solidity-hardhat.md, assets/ethereum/template-solidity-foundry.md
- Solana: assets/solana/template-rust-anchor.md
- Cosmos: assets/cosmos/template-cosmwasm.md
- TON: assets/ton/template-tact-blueprint.md, assets/ton/template-func-blueprint.md
- Bitcoin: assets/bitcoin/template-bitcoin-core.md
Related Skills
- ../software-security-appsec/SKILL.md - Security hardening, threat modeling, OWASP vulnerabilities
- ../software-architecture-design/SKILL.md - System decomposition, modularity, dependency design
- ../ops-devops-platform/SKILL.md - Infrastructure, CI/CD, observability for blockchain nodes
- ../software-backend/SKILL.md - API integration with smart contracts, RPC nodes, indexers
- ../qa-resilience/SKILL.md - Resilience, circuit breakers, retry logic for chains
- ../software-code-review/SKILL.md - Code review patterns and quality gates
- ../dev-api-design/SKILL.md - RESTful design for Web3 APIs and dApp backends
资源
- references/blockchain-best-practices.md - 通用区块链模式与安全
- references/backend-integration-best-practices.md - .NET/C#加密货币集成模式(CQRS、Kafka、多提供商)
- references/solidity-best-practices.md - Solidity/EVM特定指南
- references/rust-solana-best-practices.md - Solana + Anchor模式
- references/cosmwasm-best-practices.md - Cosmos/CosmWasm指南
- references/ton-best-practices.md - TON合约(Tact/Fift/FunC)与部署
- ../software-security-appsec/references/smart-contract-security-auditing.md - 智能合约审计工作流与工具(参见software-security-appsec技能)
- data/sources.json - 各链精选外部参考
- 共享安全审查清单: ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md
模板
- Ethereum/EVM: assets/ethereum/template-solidity-hardhat.md, assets/ethereum/template-solidity-foundry.md
- Solana: assets/solana/template-rust-anchor.md
- Cosmos: assets/cosmos/template-cosmwasm.md
- TON: assets/ton/template-tact-blueprint.md, assets/ton/template-func-blueprint.md
- Bitcoin: assets/bitcoin/template-bitcoin-core.md
相关技能
- ../software-security-appsec/SKILL.md - 安全加固、威胁建模、OWASP漏洞
- ../software-architecture-design/SKILL.md - 系统分解、模块化、依赖设计
- ../ops-devops-platform/SKILL.md - 区块链节点基础设施、CI/CD、可观测性
- ../software-backend/SKILL.md - 智能合约、RPC节点、索引器的API集成
- ../qa-resilience/SKILL.md - 区块链韧性、断路器、重试逻辑
- ../software-code-review/SKILL.md - 代码审查模式与质量门
- ../dev-api-design/SKILL.md - Web3 API与dApp后端的RESTful设计
Trend Awareness Protocol
趋势感知协议
IMPORTANT: When users ask recommendation questions about Web3/crypto development, you MUST use WebSearch to check current trends before answering.
重要提示: 当用户询问Web3/加密货币开发相关建议时,必须先通过WebSearch检查当前趋势再作答。
Trigger Conditions
触发条件
- "What's the best blockchain for [use case]?"
- "What should I use for [smart contracts/DeFi/NFTs]?"
- "What's the latest in Web3 development?"
- "Current best practices for [Solidity/auditing/gas optimization]?"
- "Is [chain/protocol] still relevant in 2026?"
- "[Ethereum] vs [Solana] vs [other L1/L2]?"
- "Best framework for [smart contract development]?"
- "[使用场景]的最佳区块链是什么?"
- "[智能合约/DeFi/NFT]应该用什么工具?"
- "Web3开发的最新趋势是什么?"
- "[Solidity/审计/Gas优化]的当前最佳实践是什么?"
- "[链/协议]在2026年还相关吗?"
- "[Ethereum] vs [Solana] vs [其他L1/L2]?"
- "[智能合约开发]的最佳框架是什么?"
Required Searches
必要搜索
- Search:
"Web3 development best practices 2026" - Search:
"[Ethereum/Solana/Base] development updates 2026" - Search:
"smart contract security 2026" - Search:
"[Hardhat/Foundry] comparison 2026"
- 搜索:
"Web3 development best practices 2026" - 搜索:
"[Ethereum/Solana/Base] development updates 2026" - 搜索:
"smart contract security 2026" - 搜索:
"[Hardhat/Foundry] comparison 2026"
What to Report
需报告内容
After searching, provide:
- Current landscape: What chains/tools are popular NOW
- Emerging trends: New protocols or patterns gaining traction
- Deprecated/declining: Chains or approaches losing relevance
- Recommendation: Based on fresh data and ecosystem activity
搜索后提供:
- 当前格局: 哪些链/工具现在最受欢迎
- 新兴趋势: 获得关注的新协议或模式
- 已弃用/衰退: 失去相关性的链或方法
- 建议: 基于最新数据和生态活动
Example Topics (verify with fresh search)
示例主题(需通过最新搜索验证)
- L2 ecosystem growth (Base, Arbitrum, Optimism)
- Solidity vs Rust for smart contracts
- Foundry vs Hardhat tooling
- Account abstraction (ERC-4337) adoption
- Cross-chain bridges and interoperability
- DeFi security patterns and audit practices
- L2生态增长(Base、Arbitrum、Optimism)
- Solidity vs Rust智能合约开发
- Foundry vs Hardhat工具对比
- 账户抽象(ERC-4337)adoption
- 跨链桥与互操作性
- DeFi安全模式与审计实践
Operational Playbooks
运营手册
- references/operational-playbook.md - Smart contract architecture, security-first workflows, and platform-specific patterns
- references/operational-playbook.md - 智能合约架构、安全优先工作流、平台特定模式