Security Audit
1. Automated Detection
- •Execution: You MUST run the unified audit script to detect vulnerabilities:
bash
python3 .agent/skills/security-audit/scripts/run_audit.py
- •Analysis: Review the output. If tools fail or report Critical/High issues, they are BLOCKERS.
2. "Think Like a Hacker" Review
Refuse to merge/approve until you have manually verified the code against the relevant checklist in references/checklists/.
🛡️ Smart Contracts (Solidity)
MANDATORY: Read references/checklists/solidity_security.md.
- •Top 3 Checks:
- •Reentrancy: Are checks-effects-interactions followed?
nonReentrantused? - •Price Manipulation: Are spot prices used? (Use Oracles).
- •Access Control: Who owns the contract? Timelocks?
- •Reentrancy: Are checks-effects-interactions followed?
🦀 Smart Contracts (Solana/Rust)
MANDATORY: Read references/checklists/solana_security.md.
- •Top 3 Checks:
- •Account Validation: Are ALL accounts checked for ownership and signer status?
- •PDA bumps: Are bumps strictly validated (Anchor does this, raw Rust often fails)?
- •Arithmetic: Is
overflow_checkson? Checked math used?
🌐 Web/API (Python/JS)
MANDATORY: Read references/checklists/owasp_top_10.md.
- •Check for Injections, Auth flaws, and Secrets.
3. Reporting
- •Critical: Immediate Blocker. (Money at risk, Data leak).
- •High: Must fix before release.
- •Medium/Low: Document in
open_questions.mdor Backlog.