AgentSkillsCN

stronghold-of-security

安全堡垒:面向 Solana/Anchor 智能合约的全方位对抗式安全审计。运行 /stronghold-of-security 获取入门指南,或运行 /SOS:scan 开始安全审计。

SKILL.md
--- frontmatter
name: stronghold-of-security
version: "3.0.0"
description: >
  Stronghold of Security: Comprehensive adversarial security audit for Solana/Anchor smart contracts.
  Run /stronghold-of-security for a getting-started guide, or /SOS:scan to begin an audit.
user-invocable: true
allowed-tools:
  - Read
  - Bash
  - Glob
  - Grep

Stronghold of Security

A comprehensive, multi-agent adversarial security audit pipeline for Solana/Anchor smart contracts.

"The best defense is a thorough offense."


Getting Started

Stronghold of Security runs as a multi-phase pipeline. Each phase is a separate command with its own fresh context window, ensuring maximum quality throughout the entire audit.

Quick Start

code
/SOS:scan

This begins the audit by analyzing your codebase and generating a hot-spots map. Follow the prompts — each phase tells you what was produced and what command to run next.

Full Pipeline

code
┌─────────────────────────────────────────────────────────────────────┐
│                         STRONGHOLD OF SECURITY v3.0                           │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  /SOS:scan         Phase 0 + 0.25 + 0.5                    │
│  ═══════════════════        Pre-flight analysis                    │
│  Detect ecosystem, protocols, risk indicators                      │
│  Build codebase INDEX.md, generate KB manifest, run pre-scan       │
│  Output: INDEX.md, KB_MANIFEST.md, HOT_SPOTS.md                    │
│                          │                                          │
│                          ▼                                          │
│  /SOS:analyze      Phase 1 + 1.5                          │
│  ════════════════════       Parallel context building               │
│  8-9 specialized auditors analyze the ENTIRE codebase              │
│  Each through a different security lens                            │
│  Output: .audit/context/ (8-9 deep analysis files)                 │
│                          │                                          │
│                          ▼                                          │
│  /SOS:strategize   Phase 2 + 3                            │
│  ═════════════════════      Synthesis + strategy generation        │
│  Merge context into unified architecture                           │
│  Generate 50-100+ attack hypotheses from KB + novel analysis       │
│  Output: ARCHITECTURE.md, STRATEGIES.md                            │
│                          │                                          │
│                          ▼                                          │
│  /SOS:investigate  Phase 4 + 4.5                          │
│  ══════════════════════     Hypothesis investigation               │
│  Priority-ordered batch investigation                              │
│  Coverage verification against knowledge base                      │
│  Output: .audit/findings/ (one per hypothesis), COVERAGE.md        │
│                          │                                          │
│                          ▼                                          │
│  /SOS:report       Phase 5                                │
│  ═════════════════          Final synthesis                        │
│  Combination matrix, attack trees, severity calibration            │
│  Output: FINAL_REPORT.md                                           │
│                                                                     │
│  /SOS:verify       Post-fix verification                  │
│  ═════════════════          (after developer applies fixes)        │
│  Re-check findings, regression scan                                │
│  Output: VERIFICATION_REPORT.md                                    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Commands

CommandDescription
/stronghold-of-securityThis help guide
/SOS:scanScan codebase, detect config, generate KB manifest, build index, run static pre-scan
/SOS:indexBuild codebase INDEX.md with per-file metadata and focus relevance
/SOS:analyzeDeploy 8-9 parallel context auditors + quality gate
/SOS:strategizeSynthesize context + generate prioritized attack strategies
/SOS:investigateInvestigate hypotheses in priority-ordered batches + coverage check
/SOS:reportGenerate final report with combination analysis and attack trees
/SOS:statusCheck audit progress and get next-step guidance
/SOS:verifyVerify fixes after addressing reported vulnerabilities

Typical Workflow

Run /clear between each phase to give the next phase a fresh context window. This is critical for quality — each phase produces large outputs that would otherwise consume context.

  1. /SOS:scan — Analyze your codebase
  2. /clear
  3. /SOS:analyze — Deploy auditors
  4. /clear
  5. /SOS:strategize — Generate attack strategies
  6. /clear
  7. /SOS:investigate — Run investigations
  8. /clear
  9. /SOS:report — Generate final report
  10. (Fix vulnerabilities)
  11. /SOS:verify — Confirm fixes are effective

Check progress anytime with /SOS:status.


Audit Tiers

TierFocus AreasStrategiesBest For
quick425-40Rapid sanity check, small changes, < 10 files
standard850-75Normal audits, medium codebases, 10-50 files
deep8+100-150Pre-mainnet, high-value protocols, 50+ files

The tier is auto-detected based on codebase size and complexity. Override with:

code
/SOS:scan --tier deep

Focus Areas

The 8 parallel context auditors each analyze through one lens:

  1. Access Control & Account Validation — Authority, signer checks, PDA derivation, type cosplay, ownership
  2. Arithmetic Safety — Overflow, precision loss, rounding
  3. State Machine & Error Handling — Transitions, race conditions, invariants, panic paths, error propagation
  4. CPI & External Calls — Cross-program invocation, program validation, privilege propagation
  5. Token & Economic — Token flows, economic invariants, MEV
  6. Oracle & External Data — Price feeds, staleness, manipulation
  7. Upgrade & Admin — Upgradeability, admin functions, timelocks
  8. Timing & Ordering — Front-running, transaction ordering, atomicity

Plus a conditional Economic Model Analyzer for DeFi protocols.


Knowledge Base

128 exploit patterns across 17 files (~480KB), built from 200+ research searches across 10 waves:

CategoryFilesContent
Core7 files128 EPs with CVSS, PoC outlines, detection rules, fix patterns
Solana4 filesAnchor gotchas, runtime quirks, vulnerable deps, token extensions
Protocols7 filesAMM/DEX, lending, staking, bridge, NFT, oracle, governance playbooks
Reference2 filesBug bounty findings, audit firm patterns

Key Incidents Covered

Wormhole ($320M), Mango Markets ($114M), Cashio ($52M), Crema Finance ($8.7M), MarginFi ($160M), Solend ($1.26M), Step Finance ($30-40M), Candy Machine V2 CVE, Metaplex pNFT bypasses, pump.fun exploits, Agave validator crashes, Ed25519 offset bypass, and 100+ more.


Output Structure

All audit outputs go to .audit/:

code
.audit/
  INDEX.md              — Structured codebase index with focus relevance tags
  KB_MANIFEST.md        — Knowledge base loading manifest
  HOT_SPOTS.md          — Phase 0.5 static pre-scan results
  context/              — 8-9 deep context analyses
  ARCHITECTURE.md       — Unified architecture understanding
  STRATEGIES.md         — Generated attack hypotheses
  findings/             — Individual investigation results
  COVERAGE.md           — Coverage verification report
  FINAL_REPORT.md       — The complete audit report
  VERIFICATION_REPORT.md — Post-fix verification (after /verify)
  PROGRESS.md           — Human-readable progress tracking
  STATE.json            — Machine-readable audit state

Why Phase-Based?

Each phase runs as a separate command with a fresh context window. This is critical for quality:

  • Phase 1 agents produce 300-500KB of analysis each (~3-5MB total)
  • No single context window can hold all of that for synthesis
  • Each phase reads only what it needs (e.g., Phase 2 reads ~88KB of condensed summaries, not ~3.7MB of full analysis)
  • Investigators in Phase 4 can deep-dive into specific focus areas' full analysis when needed
  • Result: Higher quality at every stage of the pipeline

Installation

Copy the skill and commands to your project:

bash
# Option 1: Manual copy
cp -R stronghold-of-security/ your-project/.claude/skills/stronghold-of-security/
cp -R stronghold-of-security/commands/ your-project/.claude/commands/stronghold-of-security/

# Option 2: Install script
./stronghold-of-security/install.sh your-project/

Both the skills/ and commands/ directories are required:

  • skills/stronghold-of-security/ — Skill definition, agents, knowledge base, resources
  • commands/stronghold-of-security/ — Subcommand orchestration files

Requirements

  • Claude Code CLI
  • A Solana/Anchor codebase to audit
  • Optional: semgrep for enhanced Phase 0.5 scanning

Non-Goals

This skill does NOT:

  • Generate exploit code
  • Automatically fix vulnerabilities
  • Replace human auditor judgment
  • Guarantee completeness

The output is a comprehensive starting point for security hardening, not a certification of security. Security is a continuous process, not a one-time event.