
Smart Contract Vulnerabilities
Run a structured EVM/Solidity vulnerability audit in your agent before mainnet deploy or during incident triage.
Overview
Smart Contract Vulnerabilities is an agent skill most often used in Ship (also Build, Operate) that guides systematic audits of Solidity/EVM contracts for reentrancy, access control, delegatecall, flash-loan, signature,
Install
npx skills add https://github.com/yaklang/hack-skills --skill smart-contract-vulnerabilities
What is this skill?
- Covers reentrancy (single, cross-function, cross-contract, read-only) with execution-order reasoning
- Maps integer overflow, access control, delegatecall, and proxy storage-collision pitfalls
- Includes flash loans, signature replay, randomness manipulation, and front-running/MEV angles
- Routes to defi-attack-patterns and deserialization-insecure for adjacent exploit chains
- Optional SOLIDITY_VULN_PATTERNS.md for vulnerable-vs-fixed side-by-sides and gas-trap failures
- Playbook spans reentrancy (single, cross-function, cross-contract, read-only) plus flash loan, signature replay, and MEV
- Optional SOLIDITY_VULN_PATTERNS.md for side-by-side vulnerable vs fixed examples and gas optimization traps
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping Solidity but cannot trust shallow checklist reviews to catch cross-contract reentrancy, proxy storage collisions, or composable DeFi exploit paths.
Who is it for?
Indie builders auditing own contracts, fork reviews, or bug-bounty prep on EVM chains before deploy or after a suspicious transaction.
Skip if: Teams only building off-chain apps with no smart contracts, or audits expecting formal verification or automated scanner substitution without human follow-through.
When should I use this skill?
Auditing Solidity/EVM contracts for reentrancy, integer overflow, access control, delegatecall, flash loan, signature replay, and MEV-related attack patterns.
What do I get? / Deliverables
You get a prioritized vulnerability-class review aligned to an expert playbook and clear pointers to deeper pattern references or related DeFi/off-chain skills when the attack chain extends beyond one contract.
- Vulnerability-class findings mapped to playbook sections (reentrancy, access control, delegatecall, etc.)
- Recommended follow-up loads (defi-attack-patterns, SOLIDITY_VULN_PATTERNS) when patterns match
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship because the skill is an expert attack playbook for pre-release and release-gate security review of on-chain code. Security subphase matches contract auditing, exploit pattern coverage, and hardening—not day-to-day feature implementation.
Where it fits
Review a new withdrawal function for cross-function reentrancy while the contract is still in development.
Run the playbook against an upgradeable proxy before enabling admin functions on mainnet.
After an alert on odd delegatecall usage, use the skill to hypothesize exploit classes and patch priorities.
How it compares
Use as a procedural audit playbook in the agent, not as a replacement for professional audit firms or on-chain monitoring products.
Common Questions / FAQ
Who is smart-contract-vulnerabilities for?
Solo and small-team builders writing or reviewing Solidity/EVM contracts who want structured exploit-pattern coverage beyond generic security tips.
When should I use smart-contract-vulnerabilities?
During Ship security review before mainnet, while hardening upgradeable proxies in Build, or in Operate when investigating a suspected on-chain exploit or abnormal fund flow.
Is smart-contract-vulnerabilities safe to install?
Treat it as offensive-security reference material in your repo; review the Security Audits panel on this Prism page before installing skills from third-party GitHub sources.
SKILL.md
SKILL.md - Smart Contract Vulnerabilities
# SKILL: Smart Contract Vulnerabilities — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert smart contract audit techniques. Covers reentrancy (single, cross-function, cross-contract, read-only), integer overflow, access control, delegatecall, randomness manipulation, flash loans, signature replay, front-running/MEV, and CREATE2 exploitation. Base models miss subtle cross-contract reentrancy and storage layout collisions in proxy patterns.

## 0. RELATED ROUTING

- [defi-attack-patterns](../defi-attack-patterns/SKILL.md) when the vulnerability is part of a DeFi protocol exploit (flash loans, oracle manipulation, governance attacks)
- [deserialization-insecure](../deserialization-insecure/SKILL.md) when the target is off-chain infrastructure deserializing blockchain data

### Advanced Reference

Also load [SOLIDITY_VULN_PATTERNS.md](./SOLIDITY_VULN_PATTERNS.md) when you need:

- Side-by-side vulnerable vs fixed code patterns for each vulnerability class
- Gas optimization traps that introduce vulnerabilities
- Proxy pattern storage collision examples with slot calculations

---

## 1. REENTRANCY

The most iconic smart contract vulnerability. External calls transfer execution control; if state is not updated before the call, the callee can re-enter.

### 1.1 Classic Reentrancy (Single-Function)

```
Victim.withdraw()
├── checks balance[msg.sender] > 0  ✓
├── msg.sender.call{value: balance}("")  ← external call
│   └── Attacker.receive()
│       └── Victim.withdraw()  ← re-enters before state update
│           ├── checks balance[msg.sender]  ← still > 0!
│           └── sends ETH again
└── balance[msg.sender] = 0  ← too late
```

### 1.2 Cross-Function Reentrancy

Two functions share state; attacker re-enters a different function during callback:

| Step | Execution | State |
|---|---|---|
| 1 | Call `withdraw()` → external call | balance still positive |
| 2 | Attacker fallback calls `transfer(attacker2)` | balance used before reset |
| 3 | `transfer` reads stale balance → moves funds | attacker2 receives tokens |
| 4 | Original `withdraw` completes, zeroes balance | damage done |

### 1.3 Cross-Contract Reentrancy

Contract A calls Contract B, which calls back into Contract A (or Contract C that reads A's stale state). Especially dangerous in DeFi protocols where multiple contracts share state.

### 1.4 Read-Only Reentrancy

The re-entered function is a `view` function used by a third-party contract for price calculation. No state modification in the victim, but the stale intermediate state misleads the reader.

**Real-world**: Curve pool `get_virtual_price()` read during `remove_liquidity()` callback → inflated price → profit on dependent lending protocol.

### Mitigations

| Pattern | Protection Level |
|---|---|
| Checks-Effects-Interactions (CEI) | Core defense; update state before external call |
| `ReentrancyGuard` (OpenZeppelin) | Mutex lock; prevents same-tx re-entry |
| Pull payment pattern | Eliminate external calls in state-changing functions |
| CEI + guard on all public functions | Defense-in-depth against cross-function |

---

## 2. INTEGER OVERFLOW / UNDERFLOW

### Pre-Solidity 0.8

Arithmetic silently wraps: `uint8(255) + 1 == 0`, `uint8(0) - 1 == 255`.

| Attack | Example |
|---|---|
| Balance underflow | `balances[attacker] -= amount` when amount > balance → huge balance |
| Supply overflow | `totalSupply + mintAmount` wraps → bypass cap checks |
| Timelock bypass | `lockTime[msg.sender] + extend` wraps to past → early unlock |

### Post-Solidity 0.8

Default checked arithmetic reverts on overflow. But `unchecked{}` blocks reintroduce risk:

```solidity
unchecked {
    // "gas optim
```
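
The section 1 reentrancy trace and mitigation table, as an added Solidity example that is not part of the skill's own files: the vulnerable ordering beside CEI plus one lock shared by every function that touches the balance. The contract names `VaultVulnerable` and `VaultHardened` are hypothetical, and the hand-written `nonReentrant` modifier is a stand-in for OpenZeppelin's `ReentrancyGuard`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example; contract and function names are hypothetical.
// BEFORE: the interaction precedes the effect, so a callback sees the old balance.
contract VaultVulnerable {
    mapping(address => uint256) public balance;

    function deposit() external payable { balance[msg.sender] += msg.value; }
    function withdraw() external {
        uint256 amount = balance[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // control leaves here
        require(ok, "send failed");
        balance[msg.sender] = 0; // too late: state was stale during the call
    }
    // Shares `balance` with withdraw(), so the callback can reach it (section 1.2).
    function transfer(address to, uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient");
        balance[msg.sender] -= amount;
        balance[to] += amount;
    }
}

// AFTER: CEI ordering plus one lock on every function that touches `balance`.
contract VaultHardened {
    mapping(address => uint256) public balance;
    bool private locked; // stand-in for OpenZeppelin's ReentrancyGuard
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant { balance[msg.sender] += msg.value; }
    function withdraw() external nonReentrant {
        uint256 amount = balance[msg.sender]; // check
        require(amount > 0, "nothing to withdraw");
        balance[msg.sender] = 0; // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "send failed");
    }
    function transfer(address to, uint256 amount) external nonReentrant {
        require(balance[msg.sender] >= amount, "insufficient");
        balance[msg.sender] -= amount;
        balance[to] += amount;
    }
}
```

The lock does not cover the read-only case in section 1.4: a `view` getter cannot use a modifier that writes storage, so it has to read the lock flag and revert instead.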