Deep security analysis for Solidity smart contracts with DeFi context
Automatically performs deep security audits on Solidity smart contracts when reviewing .sol files or when security is mentioned. It systematically checks for reentrancy, access control, integer issues, external call safety, token handling, flash loan attacks, and DeFi-specific vulnerabilities like EVK/EVC integration and swap safety. The skill runs parallel vulnerability analyses and generates comprehensive audit reports with findings, recommendations, and gas optimizations.
/plugin marketplace add teliha/dev-workflows/plugin install dev-workflows@dev-workflowsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
README.mdThis skill automatically activates when:
.sol (Solidity) filesBefore diving into vulnerabilities, understand the contract:
Identify Contract Type
Map External Dependencies
Identify Trust Boundaries
CRITICAL: You MUST read the complete contract code before performing the audit. Never audit based on partial information.
PARALLELIZATION OPPORTUNITY: When auditing, run vulnerability categories in parallel:
Use the Task tool with parallel subagents for each vulnerability category:
Task 1: Reentrancy Analysis
- Check all external calls
- Verify Checks-Effects-Interactions pattern
- Look for callback vulnerabilities
Task 2: Access Control Analysis
- Check all public/external functions
- Verify authorization on sensitive operations
- Review modifier usage
Task 3: Integer Operations Analysis
- Check division operations
- Verify precision handling
- Look for edge cases
Task 4: External Call Safety Analysis
- Check return value handling
- Verify error propagation
- Review delegatecall usage
Task 5: Token Handling Analysis
- Check approve patterns
- Verify transfer return values
- Check for fee-on-transfer issues
Task 6: Flash Loan / Oracle Analysis
- Check price manipulation risks
- Verify oracle staleness checks
- Review single-block manipulation
Each subagent focuses on one vulnerability category with deep analysis. Results are combined into the final audit report.
For multiple contracts: Audit each contract in parallel with separate subagents.
Go through each category below systematically:
What to check:
nonReentrant modifiers where appropriate?Look for patterns like:
// VULNERABLE
function withdraw() external {
msg.sender.call{value: balance[msg.sender]}(""); // External call first
balance[msg.sender] = 0; // State change after - BAD!
}
// SAFE
function withdraw() external {
uint256 amount = balance[msg.sender];
balance[msg.sender] = 0; // State change first
msg.sender.call{value: amount}(""); // External call after - GOOD!
}
What to check:
For EVK/EVC contracts specifically:
callThroughEVC modifier?evc.getCurrentOnBehalfOfAccount() used to get the correct user?Look for:
// VULNERABLE
function setOwner(address newOwner) external {
owner = newOwner; // No access control - BAD!
}
// SAFE
function setOwner(address newOwner) external onlyOwner {
owner = newOwner; // Properly protected - GOOD!
}
What to check:
Look for:
// PRECISION LOSS
uint256 result = (a / b) * c; // BAD! Loses precision
// BETTER
uint256 result = (a * c) / b; // GOOD! Multiply first
What to check:
.call, .delegatecall) error-handled?delegatecall operations?Look for:
// VULNERABLE
token.transfer(recipient, amount); // Ignores return value - BAD!
// SAFE
require(token.transfer(recipient, amount), "Transfer failed"); // GOOD!
// OR with Solmate/Modern patterns
ERC20(token).transfer(recipient, amount); // Reverts on failure - GOOD!
What to check:
approve operations checked for race conditions?Look for:
// APPROVE RACE CONDITION
function updateAllowance(address spender, uint256 amount) external {
token.approve(spender, amount); // Vulnerable to race condition
}
// BETTER
function updateAllowance(address spender, uint256 amount) external {
token.approve(spender, 0); // Reset first
token.approve(spender, amount); // Then set new amount
}
What to check:
What to check:
callThroughEVC modifier used on all operator functions?evc.getCurrentOnBehalfOfAccount(address(0)) used to get the actual user?evc.requireAccountStatusCheck(account) called at the end of risky operations?evc.enableCollateral(account, vault)?evc.enableController(account, vault)?evc.call(vault, account, 0, calldata)?Legitimate EVK patterns to recognize (NOT vulnerabilities):
// GOOD PATTERN - EVC Authentication
modifier callThroughEVC() {
require(msg.sender == address(evc), "Must call through EVC");
_;
}
function openPosition(...) external callThroughEVC {
(address account,) = evc.getCurrentOnBehalfOfAccount(address(0));
// ... operations on behalf of account ...
evc.requireAccountStatusCheck(account); // Health check at end
}
What to check:
What to check:
Look for:
// Check that liquidation logic is sound
function isLiquidatable(address user) public view returns (bool) {
(uint256 collateral, uint256 debt) = getAccountValues(user);
uint256 ltv = (debt * 10000) / collateral; // Check for div by zero!
return ltv > liquidationThreshold;
}
What to check:
Look for:
// VULNERABLE - No slippage protection
router.swapExactTokensForTokens(amountIn, 0, path, to, deadline); // BAD!
// SAFE - Slippage protection
uint256 minOut = expectedOut - (expectedOut * maxSlippage / 10000);
router.swapExactTokensForTokens(amountIn, minOut, path, to, deadline); // GOOD!
What to check:
unchecked blocks be used for safe operations?Examples:
// INEFFICIENT
for (uint256 i = 0; i < array.length; i++) { // Reads length every iteration
// ...
}
// OPTIMIZED
uint256 length = array.length; // Cache in memory
for (uint256 i; i < length;) { // i defaults to 0, no need to initialize
// ...
unchecked { ++i; } // Safe increment, saves gas
}
What to check:
After completing the systematic check, generate a comprehensive Markdown audit report.
Report Location: Save to audits/[ContractName]_audit_[YYYY-MM-DD].md
Report Structure:
# Smart Contract Security Audit Report
**Contract**: [ContractName]
**Path**: [file/path.sol]
**Date**: [YYYY-MM-DD HH:MM]
**Auditor**: Claude Code Audit Skill
---
## Executive Summary
- **Overall Risk Level**: [CRITICAL/HIGH/MEDIUM/LOW]
- **Total Issues Found**: [count]
- Critical: [count]
- High: [count]
- Medium: [count]
- Low/Info: [count]
[Brief 2-3 sentence summary of overall contract security]
---
## Findings
### [CRITICAL/HIGH/MEDIUM/LOW] Finding #1: [Descriptive Title]
**Location**: `[filename.sol:line_number]`
**Category**: [Reentrancy/Access Control/Integer/etc.]
**Description**:
[Detailed explanation of the vulnerability]
**Impact**:
[What could an attacker do? What's at risk?]
**Recommendation**:
[Specific steps to fix the issue]
**Vulnerable Code**:
```solidity
// Show the problematic code
Suggested Fix:
// Show how to fix it
[Repeat for each finding]
Location: [filename.sol:line_number]
Current Implementation:
// Current code
Optimized Implementation:
// Optimized code
Estimated Gas Savings: [Approximate savings]
Location: [filename.sol:line_number]
Issue: [Description]
Recommendation: [How to improve]
[High-level observations about:]
[What the contract does well from a security perspective:]
[Overall assessment including:]
This audit was performed by Claude Code's automated audit skill. While comprehensive, it should not replace a professional security audit by human experts, especially for production contracts handling significant value.
### Step 5: Project-Specific Context
**This project's architecture** (from CLAUDE.md):
- **quoteVault**: Quote yield vault (can be collateral or debt)
- **assetVault**: Asset yield vault (can be collateral or debt)
**CRITICAL**: The two vaults use **different underlying tokens** (e.g., quoteVault for USDC and assetVault for WETH).
**Legitimate Patterns** (NOT vulnerabilities):
- `callThroughEVC` modifier for EVC authentication
- `evc.call(vault, account, 0, calldata)` for vault operations on behalf of users
- `evc.requireAccountStatusCheck(account)` at end of operations
- External swap router calls with slippage protection
- Borrowing via EVC then swapping for margin positions
- Single swap per close operation (critical optimization)
**Anti-Patterns to Flag**:
- Direct vault operations without EVC authentication
- Missing `evc.requireAccountStatusCheck()` after position changes
- Swap operations without slippage protection (minAmountOut / maxAmountIn)
- Missing authorization checks on operator functions
- Unchecked external call return values
- Multiple swaps when one swap would suffice (violates single-swap rule)
**Position Management Patterns**:
- **closeLong**: Should use ONE exactInputSwap (asset → quote) to close position
- **closeShort**: Should use ONE exactOutputSwap (quote → asset, exact amount for debt repayment)
- Final user balance should be in quote token (Quote)
- Long positions only have Asset collateral in assetVault
- Short positions only have Quote collateral in quoteVault
<!-- AUDIT:END -->
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.