AgentSkillsCN

solidity-vulnerability-scanner

全面的 Solidity 合约安全扫描器,可检测重入、访问控制、算术运算、DeFi、代理及代币等六大类别的 104 种漏洞模式。集成 Slither、Aderyn 和 Mythril,并辅以人工分析,确保检测精度与全面性。

SKILL.md
--- frontmatter
name: solidity-vulnerability-scanner
description: |
  Comprehensive Solidity contract security scanner detecting 104 vulnerability patterns
  across reentrancy, access control, arithmetic, DeFi, proxy, and token categories.
  Integrates Slither, Aderyn, and Mythril with manual analysis.
allowed-tools:
  - Read
  - Grep
  - Glob
  - Bash
  - Write

Solidity Vulnerability Scanner

1. Purpose

Systematically scan Solidity contracts for 104 security vulnerabilities using multi-tool detection: Slither + Aderyn + Mythril + manual pattern matching. All findings require evidence with exact file:line citations.

2. When to Use

  • Auditing Solidity contracts (any framework)
  • Pre-launch security assessment
  • Reviewing DeFi protocol security
  • Preparing for professional audit
  • CI/CD security gate

3. Scanning Workflow

Step 1: Framework & Version Check

bash
# Detect framework
ls foundry.toml hardhat.config.js hardhat.config.ts truffle-config.js

# Check Solidity version
rg "pragma solidity" contracts/

# Check for OpenZeppelin
rg "@openzeppelin" package.json remappings.txt

Step 2: Run Automated Tools

bash
# Slither (primary static analysis)
slither . --json slither-results.json

# Aderyn (fast Rust-based)
aderyn -s contracts/ -o aderyn-report.md

# Mythril (symbolic execution, slower but deeper)
myth analyze contracts/MyContract.sol -o json > mythril-results.json

Step 3: Parallel Vulnerability Scan

Reentrancy (CRITICAL)

bash
rg "\.call\{|\.transfer\(|\.send\(" contracts/
rg "nonReentrant|ReentrancyGuard" contracts/

Access Control (CRITICAL)

bash
rg "onlyOwner|onlyRole|_checkRole|require.*msg\.sender" contracts/
rg "tx\.origin" contracts/
rg "selfdestruct" contracts/

External Calls (HIGH)

bash
rg "\.call\(|\.delegatecall\(|\.staticcall\(" contracts/
rg "IERC20\(.*\)\.transfer" contracts/

Arithmetic Safety (HIGH)

bash
rg "unchecked" contracts/
rg "\/.*\*|precision|rounding" contracts/

Oracle & Price (CRITICAL)

bash
rg "oracle|getPrice|latestRoundData|priceFeed" contracts/
rg "flashLoan|flashMint" contracts/

Transient Storage (CRITICAL — EIP-1153)

bash
rg "tstore|tload|TSTORE|TLOAD|transient" contracts/
rg "ReentrancyGuardTransient" contracts/

EIP-7702 / Account Abstraction (CRITICAL)

bash
rg "tx\.origin.*==.*msg\.sender|isContract|extcodesize" contracts/
rg "IPaymaster|validatePaymasterUserOp|UserOperation|validateUserOp" contracts/

Uniswap V4 Hooks (CRITICAL)

bash
rg "IHooks|BaseHook|afterSwap|beforeSwap|hookData|poolManager" contracts/

Step 4: Evidence Collection

For each potential finding:

  1. Extract exact file:line location
  2. Capture vulnerable code snippet
  3. Cross-reference with tool results
  4. Calculate confidence score

4. Vulnerability Patterns (97 Total)

CRITICAL Severity

IDNameDetectionSWC
ETH-001Single-function ReentrancyExternal call before state updateSWC-107
ETH-006Missing Access ControlState-changing without modifierSWC-105
ETH-007tx.origin Authenticationtx.origin in require/ifSWC-115
ETH-019Delegatecall to Untrusteddelegatecall with user inputSWC-112
ETH-024Oracle ManipulationSingle oracle, no TWAP
ETH-025Flash Loan AttackNo same-block protection
ETH-030Storage Collision (Proxy)Misaligned storage slotsSWC-124
ETH-039Signature ReplayMissing nonce/chain IDSWC-121
ETH-049Uninitialized ImplementationMissing initializer
ETH-057Vault Share InflationFirst depositor attack

HIGH Severity

IDNameDetectionSWC
ETH-002Cross-function ReentrancyShared state + external callSWC-107
ETH-009Default VisibilityMissing visibility specifierSWC-100
ETH-013Integer Overflow/UnderflowUnchecked arithmeticSWC-101
ETH-018Unchecked External Call.call return not checkedSWC-104
ETH-026Sandwich AttackNo slippage protection
ETH-034Strict Equality on Balance== on ETH/token balanceSWC-132
ETH-037Weak Randomnessblock.timestamp/blockhashSWC-120
ETH-041ERC-20 Non-standard ReturnMissing SafeERC20
ETH-044ERC-777 ReentrancyToken hooks without guard
ETH-066Unbounded LoopLoop without gas boundSWC-128

CRITICAL — New (2025-2026)

IDNameDetectionSWC
ETH-081Transient Storage CollisionSame TSTORE slot via delegatecall
ETH-083TSTORE Reentrancy BypassTSTORE lock bypassed cross-contract
ETH-086Broken EOA Check (EIP-7702)tx.origin == msg.sender for EOA
ETH-088EIP-7702 Auth ReplayCross-chain authorization without chain ID
ETH-091Paymaster ExploitationERC-4337 paymaster no limits
ETH-093Validation-Execution ConfusionERC-4337 phase side effects
ETH-094V4 Hook Auth BypassHook callback without msg.sender check

5. Confidence Scoring

ScoreMeaningAction
0.9-1.0Definite vulnerabilityReport as confirmed
0.7-0.9High likelihoodReport with evidence
0.5-0.7Possible issueMark as "Review Required"
< 0.5Low confidenceDo not report

6. Finding Format

markdown
## [SEVERITY] ETH-XXX: Vulnerability Name

**Location**: `contracts/Vault.sol:123` (function_name)
**Confidence**: 0.XX
**Category**: Reentrancy/Access Control/Arithmetic/DeFi

### Description
[What the vulnerability is and why it's dangerous]

### Evidence
```solidity
// Vulnerable code from contracts/Vault.sol:123
[exact code snippet]

Attack Scenario

  1. [Step-by-step exploit]

Recommendation

solidity
// Fixed code
[secure implementation]
code

## 7. Rationalizations to REJECT

| Rationalization | Required Action |
|-----------------|-----------------|
| "This looks vulnerable" | Find exact pattern match |
| "Probably missing check" | Verify absent in ALL paths |
| "Standard pattern, skip" | Document with evidence |
| "Low confidence is fine" | Investigate until >= 0.7 |
| "Solidity 0.8 handles it" | Check for unchecked blocks |