Standard bug bounty workflow for smart contracts across EVM, Vyper, Solana, CosmWasm, Cairo, Substrate, TON, and Algorand targets. Use when auditing privileged entry points, token logic, upgrade paths, or protocol invariants.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bounty-hunting-programs:bounty-program-smart-contractsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this workflow when the target is primarily on-chain and the main risks are state transitions, privileged entry points, callbacks, accounting, or upgrade logic.
Use this workflow when the target is primarily on-chain and the main risks are state transitions, privileged entry points, callbacks, accounting, or upgrade logic.
Load these references on demand:
../../references/bounty-standard.md../../references/codex-ready-building-blocks.md../../references/smart-contract-matrix.md../../references/report-checklist.mdsmart-contract-matrix.md.smart-contract-matrix.md and write down:
entry-point-analyzer when installedbounty-program-triage active in parallel instead of pretending the issue is purely on-chainsolana-audit, then strengthen invariants with kani-proof where neededevm-protocol-audit for the first deep pass, then use building-secure-contracts skills such as secure-workflow-guide, guidelines-advisor, and token-integration-analyzer as specialist follow-onsbuilding-secure-contracts scanner firstsmart-contract-matrix.md so the first deep pass matches the system you actually have.property-based-testing for protocol invariantsdimensional-analysis for share, price, debt, collateral, and settlement arithmeticmutation-testing to see whether tests would have caught the issuekani-proof for Rust or Solana invariants that need machine-checked confidencespec-to-code-compliance when docs, whitepapers, or audits define intended behaviortrailmark when you need static call paths, blast radius, or taint-guided audit prioritizationvariant-analysis after the first confirmed medium+ root cause, not before.When audit-targets/<slug>/ came from the upgraded bootstrap flow, consume these before the first deep pass:
scope/chain-inventory.jsonscope/protocol-archetype.mdscope/proxy-topology.mdscope/dependency-boundaries.mdprep/attack-surface-map.mdprep/protocol-invariants.mdprep/web3-readiness.mdprep/severity-conditions.mdFor EVM targets, do not skip the tool-readiness check. If replay is only static-only, say so and adjust claim confidence instead of pretending fork validation happened.
Before going deep, produce:
prep/severity-conditions.md before assigning severity.medium+ finding exists or an exact blocker is recorded.npx claudepluginhub daothinh/spec-cdex --plugin bounty-hunting-programsCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.