Common vulnerability patterns in Solidity and how to prevent them. Use when reviewing contracts for security issues or learning about common exploits.
/plugin marketplace add IvanTorresEdge/molcajete.ai/plugin install ivantorresedge-sol-tech-stacks-solidity@IvanTorresEdge/molcajete.aiThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Reference skill for common Solidity vulnerability patterns. This skill references detailed checklists in the security-audit skill.
Use this skill when:
For comprehensive security auditing, see:
Reentrancy - See security-audit/checklists/common-vulnerabilities.md
Access Control - See security-audit/checklists/access-control-checklist.md
Integer Issues - See security-audit/checklists/common-vulnerabilities.md
Oracle Manipulation - See security-audit/checklists/defi-checklist.md
// ❌ Vulnerable
function withdraw() public {
uint amount = balances[msg.sender];
(bool success, ) = msg.sender.call{value: amount}("");
balances[msg.sender] = 0; // Too late!
}
// ✅ Secure
function withdraw() public nonReentrant {
uint amount = balances[msg.sender];
balances[msg.sender] = 0; // Update first
(bool success, ) = msg.sender.call{value: amount}("");
require(success);
}
// ❌ Missing modifier
function mint(address to, uint amount) public {
_mint(to, amount);
}
// ✅ Protected
function mint(address to, uint amount) public onlyOwner {
_mint(to, amount);
}
// ❌ Pre-0.8 vulnerable
pragma solidity 0.7.6;
uint256 balance = type(uint256).max;
balance += 1; // Overflows silently
// ✅ Solidity 0.8+ safe
pragma solidity 0.8.30;
uint256 balance = type(uint256).max;
balance += 1; // Reverts
contract Attacker {
Target public target;
function attack() external payable {
target.deposit{value: msg.value}();
target.withdraw();
}
receive() external payable {
if (address(target).balance > 0) {
target.withdraw();
}
}
}
function test_ReentrancyAttack() public {
vm.expectRevert(); // Should revert
attacker.attack{value: 1 ether}();
}
function test_RevertWhen_UnauthorizedMint() public {
vm.prank(attacker);
vm.expectRevert("Ownable: caller is not the owner");
token.mint(attacker, 1000);
}
Detailed Vulnerability Information:
Related Skills:
security-audit/checklists/common-vulnerabilities.md - Complete vulnerability checklistsecurity-audit/checklists/defi-checklist.md - DeFi-specific vulnerabilitiessecurity-audit/checklists/upgrade-checklist.md - Upgrade-related issuesNote: This is a reference skill. For comprehensive security auditing, use the security-audit skill which contains detailed checklists and methodologies.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.