smart-contract-security

Original：🇺🇸 English

Translated

1 scriptsChecked / no sensitive code detected

Master smart contract security with auditing, vulnerability detection, and incident response

3installs

Sourcepluginagentmarketplace/custom-plugin-blockchain

Added on2026-02-04

NPX Install

npx skill4agent add pluginagentmarketplace/custom-plugin-blockchain smart-contract-security

SKILL.md Content

View Translation Comparison →

Smart Contract Security Skill

Master smart contract security with vulnerability detection, auditing methodology, and incident response procedures.

Quick Start

python

# Invoke this skill for security analysis
Skill("smart-contract-security", topic="vulnerabilities", severity="high")

Topics Covered

1. Common Vulnerabilities

Recognize and prevent:

Reentrancy: CEI pattern violation
Access Control: Missing modifiers
Oracle Manipulation: Flash loan attacks
Integer Issues: Precision loss

2. Auditing Methodology

Systematic review process:

Manual Review: Line-by-line analysis
Static Analysis: Automated tools
Fuzzing: Property-based testing
Formal Verification: Mathematical proofs

3. Security Tools

Essential tooling:

Slither: Fast static analysis
Mythril: Symbolic execution
Foundry: Fuzzing, invariants
Certora: Formal verification

4. Incident Response

Handle security events:

Triage: Assess severity
Mitigation: Emergency actions
Post-mortem: Root cause analysis
Disclosure: Responsible reporting

Vulnerability Quick Reference

Critical: Reentrancy

solidity

// VULNERABLE
function withdraw(uint256 amount) external {
    (bool ok,) = msg.sender.call{value: amount}("");
    require(ok);
    balances[msg.sender] -= amount;  // After call!
}

// FIXED: CEI Pattern
function withdraw(uint256 amount) external {
    balances[msg.sender] -= amount;  // Before call
    (bool ok,) = msg.sender.call{value: amount}("");
    require(ok);
}

High: Missing Access Control

solidity

// VULNERABLE
function setAdmin(address newAdmin) external {
    admin = newAdmin;  // Anyone can call!
}

// FIXED
function setAdmin(address newAdmin) external onlyOwner {
    admin = newAdmin;
}

High: Unchecked Return Value

solidity

// VULNERABLE
IERC20(token).transfer(to, amount);  // Ignored!

// FIXED: Use SafeERC20
using SafeERC20 for IERC20;
IERC20(token).safeTransfer(to, amount);

Medium: Precision Loss

solidity

// VULNERABLE: Division before multiplication
uint256 fee = (amount / 1000) * rate;

// FIXED: Multiply first
uint256 fee = (amount * rate) / 1000;

Audit Checklist

Pre-Audit

Code compiles without warnings
Tests pass with good coverage
Documentation reviewed

Core Security

CEI pattern followed
Reentrancy guards present
Access control on admin functions
Input validation complete

DeFi Specific

Oracle staleness checks
Slippage protection
Flash loan resistance
Sandwich prevention

Security Tools

Static Analysis

bash

# Slither - Fast vulnerability detection
slither . --exclude-dependencies

# Mythril - Symbolic execution
myth analyze src/Contract.sol

# Semgrep - Custom rules
semgrep --config "p/smart-contracts" .

Fuzzing

solidity

// Foundry fuzz test
function testFuzz_Withdraw(uint256 amount) public {
    amount = bound(amount, 1, type(uint128).max);

    vm.deal(address(vault), amount);
    vault.deposit{value: amount}();

    uint256 before = address(this).balance;
    vault.withdraw(amount);

    assertEq(address(this).balance, before + amount);
}

Invariant Testing

solidity

function invariant_BalancesMatchTotalSupply() public {
    uint256 sum = 0;
    for (uint i = 0; i < actors.length; i++) {
        sum += token.balanceOf(actors[i]);
    }
    assertEq(token.totalSupply(), sum);
}

Severity Classification

Severity	Impact	Examples
Critical	Direct fund loss	Reentrancy, unprotected init
High	Significant damage	Access control, oracle manipulation
Medium	Conditional impact	Precision loss, timing issues
Low	Minor issues	Missing events, naming

Incident Response

1. Detection

bash

# Monitor for suspicious activity
cast logs --address $CONTRACT --from-block latest

2. Mitigation

solidity

// Emergency pause
function pause() external onlyOwner {
    _pause();
}

3. Recovery

Assess damage scope
Coordinate disclosure
Deploy fixes with audit

Common Pitfalls

Pitfall	Risk	Prevention
Only testing happy path	Missing edge cases	Fuzz test boundaries
Ignoring integrations	External call risks	Review all dependencies
Trusting block.timestamp	Miner manipulation	Use for long timeframes only

Cross-References

Bonded Agent:
```
06-smart-contract-security
```
Related Skills:
```
solidity-development
```
,
```
defi-protocols
```

Resources

SWC Registry: Common weakness enumeration
Rekt News: Hack post-mortems
Immunefi: Bug bounties

Version History

Version	Date	Changes
2.0.0	2025-01	Production-grade with tools, methodology
1.0.0	2024-12	Initial release

smart-contract-security

NPX Install

Tags

SKILL.md Content

Smart Contract Security Skill

Quick Start

Topics Covered

1. Common Vulnerabilities

2. Auditing Methodology

3. Security Tools

4. Incident Response

Vulnerability Quick Reference

Critical: Reentrancy

High: Missing Access Control

High: Unchecked Return Value

Medium: Precision Loss

Audit Checklist

Pre-Audit

Core Security

DeFi Specific

Security Tools

Static Analysis

Fuzzing

Invariant Testing

Severity Classification

Incident Response

1. Detection

2. Mitigation

3. Recovery

Common Pitfalls

Cross-References

Resources

Version History