Skill

smart-contract-security

Smart contract security audit pattern library — SWC Registry vulnerabilities (reentrancy SWC-107, integer overflow SWC-101, access control SWC-115, unchecked call return SWC-104, denial of service SWC-113, weak randomness SWC-120, front-running SWC-114, timestamp dependence SWC-116, signature replay SWC-121), formal analysis tools (Slither static analyzer, Mythril symbolic execution, Certora Prover formal verification, Echidna property-based fuzzer, Manticore), MEV mitigation (commit-reveal schemes, batch auctions, private mempools Flashbots Protect), economic attack vectors (oracle manipulation via flash loans, sandwich attacks, JIT liquidity), upgrade safety (storage collisions, function selector clashes in proxies), and the pre-audit checklist (CEI pattern verification, reentrancy guards on every external interaction, custom errors review, access control matrix, integer arithmetic safety, gas griefing). Use when auditing existing contracts before mainnet deploy, hardening DeFi protocols, integrating Slither/Mythril into CI, or designing security-first contract architectures. Differentiates from generic security-reviewer by EVM-specific attack vectors (reentrancy, MEV, oracle manipulation, flash loan attacks) that don't exist in traditional web apps.

Install

npx claudepluginhub arnwaldn/atum-plugins-collection --plugin atum-stack-backend

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Ce skill couvre les **vulnérabilités spécifiques aux smart contracts EVM** et les outils pour les détecter. Aucune autre catégorie de bug ne se traduit aussi rapidement en perte irrécupérable de fonds.

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

Hook Development

10 files

Guides implementation of event-driven hooks in Claude Code plugins using prompt-based validation and bash commands for PreToolUse, Stop, and session events.

plugin-dev

83.2k

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitApr 8, 2026

Actions

View Source View Plugin View on GitHub View README

Smart Contract Security Patterns

Ce skill couvre les vulnérabilités spécifiques aux smart contracts EVM et les outils pour les détecter. Aucune autre catégorie de bug ne se traduit aussi rapidement en perte irrécupérable de fonds.

Règle de base : un smart contract déployé en mainnet est immuable (sauf upgrade). Audit AVANT, pas après.

1. Top vulnerabilities (SWC)

SWC-107 — Reentrancy

L'attaque fondatrice (The DAO 2016 → ETH/ETC fork). Une fonction qui appelle un contrat externe AVANT d'updater son state peut être ré-entrée par le callee.

// VULNERABLE
function withdraw() external {
    uint256 amount = balances[msg.sender];
    (bool ok, ) = msg.sender.call{value: amount}(""); // ← attaquant peut ré-entrer ici
    require(ok);
    balances[msg.sender] = 0; // Trop tard
}

// SAFE: CEI + ReentrancyGuard
function withdraw() external nonReentrant {
    uint256 amount = balances[msg.sender];
    balances[msg.sender] = 0; // Effects AVANT
    (bool ok, ) = msg.sender.call{value: amount}(""); // Interaction APRÈS
    require(ok);
}

SWC-115 — Authorization via tx.origin

// VULNERABLE — phishing
modifier onlyOwner() {
    require(tx.origin == owner);
    _;
}

// SAFE
modifier onlyOwner() {
    require(msg.sender == owner);
    _;
}

SWC-104 — Unchecked call return

// VULNERABLE — silent failure
recipient.call{value: amount}("");

// SAFE
(bool ok, ) = recipient.call{value: amount}("");
require(ok, "Transfer failed");

SWC-114 — Transaction Order Dependence (front-running)

Le mempool est public. Une transaction avec une commission élevée peut passer devant. Exemple : un MEV bot voit un swap qui va déplacer le prix → il achète avant et vend après (sandwich).

Mitigations :

Commit-reveal : commit un hash, reveal après N blocks
Slippage protection : minOut paramètre dans les swaps
Flashbots Protect / private mempools
Batch auctions (CoW Protocol)

SWC-116 — Block timestamp manipulation

// VULNERABLE
function lottery() external {
    if (block.timestamp % 2 == 0) {
        // payout
    }
}

Les miners peuvent ajuster block.timestamp de quelques secondes. Pour de l'aléatoire vrai → Chainlink VRF.

SWC-121 — Signature replay

// VULNERABLE
function permit(address user, uint256 amount, bytes calldata signature) external {
    bytes32 hash = keccak256(abi.encodePacked(user, amount));
    address signer = recover(hash, signature);
    require(signer == user);
    _doSomething(amount); // Peut être rejoué !
}

// SAFE: nonce + chain ID + contract address (EIP-712)
function permit(address user, uint256 amount, uint256 nonce, bytes calldata signature) external {
    require(nonce == nonces[user]++, "Invalid nonce");
    bytes32 domain = keccak256(abi.encode(EIP712_DOMAIN, address(this), block.chainid));
    bytes32 hash = keccak256(abi.encodePacked("\x19\x01", domain, keccak256(abi.encode(user, amount, nonce))));
    require(recover(hash, signature) == user);
    _doSomething(amount);
}

2. Outils d'analyse statique

Slither (recommandé en CI)

pip install slither-analyzer

slither . --filter-paths "lib|test"

Sortie type : detection de reentrancy, integer overflow, uninitialized state, missing zero address checks, etc.

# .github/workflows/security.yml
- name: Slither
  uses: crytic/slither-action@v0.3
  with:
    target: 'src/'
    fail-on: medium

Mythril (symbolic execution)

pip install mythril
myth analyze src/MyContract.sol --solv 0.8.26

Plus lourd que Slither, plus profond. Bon pour les audits ponctuels.

Echidna (property-based fuzzer)

// echidna_test.sol
contract Test is MyToken {
    function echidna_total_supply_never_exceeds_max() public view returns (bool) {
        return totalSupply() <= maxSupply;
    }

    function echidna_balance_sum_equals_total_supply() public view returns (bool) {
        // ...
        return true;
    }
}

echidna . --contract Test --test-mode property

Certora (formal verification — payant)

Spec en CVL (Certora Verification Language) qui prouve mathematiquement des propriétés.

3. MEV mitigations

Commit-reveal pattern

mapping(address => bytes32) public commitments;
mapping(address => uint256) public commitBlock;

function commit(bytes32 hash) external {
    commitments[msg.sender] = hash;
    commitBlock[msg.sender] = block.number;
}

function reveal(uint256 value, bytes32 salt) external {
    require(block.number > commitBlock[msg.sender] + 5, "Wait 5 blocks");
    require(keccak256(abi.encodePacked(value, salt, msg.sender)) == commitments[msg.sender], "Invalid");
    // ... process value ...
}

Slippage protection

function swap(uint256 amountIn, uint256 minAmountOut, address tokenOut) external {
    uint256 amountOut = _calcSwap(amountIn, tokenOut);
    require(amountOut >= minAmountOut, "Slippage too high");
    // ... execute ...
}

Flashbots Protect

Le user envoie sa tx via le RPC https://rpc.flashbots.net/ au lieu du mempool public. La tx est forwarded directement aux validators sans passer par le mempool → MEV bots ne peuvent pas la voir.

4. Oracle manipulation (flash loan attacks)

// VULNERABLE: prix d'oracle = balance de DEX
function priceOf(address token) public view returns (uint256) {
    return ERC20(token).balanceOf(uniswapPair) * 1e18 / ERC20(WETH).balanceOf(uniswapPair);
}

Un attaquant flash-loan 1M$, swap dans Uniswap → fait varier le prix → liquide des positions au prix manipulé → remboursement du flash-loan dans le même block.

Mitigations :

TWAP (Time-Weighted Average Price) : Uniswap V3 oracle, moyenne sur N blocks
Chainlink Price Feeds : oracle externe agrégé multi-source
Multiple sources : require que 2+ oracles soient cohérents
Circuit breakers : pause si déviation > X%

5. Access control patterns

OpenZeppelin AccessControl

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract MyContract is AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        // ...
    }
}

Multisig + Timelock pour les actions critiques

import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

// Constructor d'un contrat important :
// _grantRole(DEFAULT_ADMIN_ROLE, address(timelock));
// _grantRole(DEFAULT_ADMIN_ROLE, address(0)); // Renounce direct admin

Toute action admin doit passer par un multisig (Gnosis Safe 3-of-5 par exemple) qui propose la tx au Timelock, et le timelock applique après 48h. Les users ont 48h pour réagir si le multisig est compromis.

6. Upgrade safety

Storage collisions

// V1
contract MyContractV1 {
    uint256 public a; // slot 0
    uint256 public b; // slot 1
}

// V2 — BAD
contract MyContractV2 {
    uint256 public b; // slot 0 ← collision, b lit la valeur de a
    uint256 public a; // slot 1
}

// V2 — GOOD
contract MyContractV2 {
    uint256 public a; // slot 0
    uint256 public b; // slot 1
    uint256 public c; // slot 2 (nouveau)
}

OpenZeppelin Upgrades plugin détecte ces collisions automatiquement.

Function selector clashes (Transparent Proxy)

Le proxy a une fonction admin() qui peut entrer en collision avec une fonction du contrat implémentation. Solutions :

UUPS (pas de fonctions admin sur le proxy)
Diamond Standard (EIP-2535) avec function selector mapping

7. Pre-audit checklist

8. Anti-patterns critiques

Pas d'audit avant mainnet — perte garantie sur les contrats à TVL > $1M
Owner key sur 1 EOA — single point of failure (Ronin Bridge $625M)
Oracle = balance d'un DEX — flash loan attack (Harvest, Cream, Beanstalk)
Pas de slippage protection — sandwich profitable
Reentrancy guard absent — The DAO encore et toujours
Storage collision après upgrade — corruption permanente
Hardcoded gas limit — casse aux hard forks
Tests sur happy path uniquement — bugs subtils en prod
Pas de pause function — incident impossible à arrêter
Logique économique non simulée — bugs à 7 chiffres

Outils CI complets

# .github/workflows/security.yml
name: Security
on: [pull_request, push]
jobs:
  slither:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crytic/slither-action@v0.3
        with:
          target: 'src/'
          fail-on: medium

  mythril:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install mythril
      - run: myth analyze src/*.sol --solv 0.8.26 --execution-timeout 120

  echidna:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crytic/echidna-action@v2
        with:
          files: .
          contract: TestContract
          test-mode: assertion

Quand déléguer

Solidity development → skill solidity-patterns (ce plugin)
Off-chain integration → skill web3-integration (ce plugin)
Audit externe (paid) → cabinets (Trail of Bits, OpenZeppelin, etc.)
Bug bounty → Immunefi
Architectural blockchain decisions → agent blockchain-expert (ce plugin)

Ressources

https://swcregistry.io/
https://consensys.github.io/smart-contract-best-practices/
https://github.com/crytic/slither
https://github.com/Consensys/mythril
https://github.com/crytic/echidna
https://immunefi.com/explore/ (bug bounties actifs = retours d'expérience réels)