Solidity智能合约审计员 | 专业安全漏洞检测与Gas优化审计工具

solidity-auditor by schwepps/skills

94 周安装量

7 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/schwepps/skills --skill solidity-auditor

自动化区块链安全

🇨🇳中文介绍

Solidity 智能合约审计员

一个专业级的智能合约审计技能，涵盖安全漏洞、Gas 优化、存储模式和代码架构。适配 Solidity 特定版本。

审计类型

根据用户请求确定审计类型：

用户请求	审计类型	主要参考文件
"全面审计", "综合审查"	全面审计	所有参考文件
"安全审计", "漏洞扫描"	安全重点审计	`references/security-checklist.md`
"Gas 优化", "降低 Gas 成本"	Gas 优化审计	`references/gas-optimization.md`
"存储优化", "存储模式"	存储优化审计	`references/storage-optimization.md`
"代码审查", "架构审查"

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

核心审计工作流程

第一阶段：准备

识别 Solidity 版本：检查 pragma 声明。阅读 references/version-specific.md 了解版本特定注意事项：
- 0.8.0 之前：检查 SafeMath 使用情况、算术漏洞
- 0.8.0+：审查 unchecked 块，检查自定义错误使用情况
理解范围：
- 列出所有合约、接口、库
- 识别外部依赖项（OpenZeppelin 等）
- 注意继承层次结构
- 记录入口点（外部/公共函数）
收集上下文信息：如果未提供，请询问：
- 协议目的和预期行为
- 部署链
- 预期的用户流程
- 管理员角色和权限

第二阶段：静态分析

使用安全清单中的模式进行思维自动化检查：
- 访问控制模式
- 状态更改操作流程（检查-效果-交互）
- 外部调用模式
- 算术操作（尤其是在 unchecked 块中）
映射攻击面：
- 外部/公共函数
- 处理 ETH/代币的函数
- 具有访问控制的函数
- 升级机制

第三阶段：漏洞评估

阅读 references/security-checklist.md 并评估每个类别：

关键优先级（首先检查）：

访问控制漏洞 (OWASP SC-01) - 损失超过 9.53 亿美元
逻辑错误 (OWASP SC-02) - 损失超过 6400 万美元
重入攻击 (OWASP SC-03) - 损失超过 3600 万美元

高优先级： 4. 闪电贷攻击向量 (OWASP SC-04) 5. 输入验证 (OWASP SC-05) 6. 预言机操纵 (OWASP SC-06) 7. 未检查的外部调用 (OWASP SC-07)

中优先级： 8. 整数溢出/下溢（版本相关） 9. 拒绝服务向量 10. 抢先交易漏洞

第四阶段：优化分析（如请求）

Gas 优化：阅读 references/gas-optimization.md 存储优化：阅读 references/storage-optimization.md

第五阶段：报告生成

使用 references/report-template.md 中的模板来组织发现的问题。

严重性	标准	措施
关键	可能导致直接资金损失，无需用户交互	需要立即修复，不得部署
高	在特定条件下可能导致资金损失，影响重大	部署前必须修复
中	影响有限，不太可能被利用，或为治理问题	应修复，评估风险
低	小问题，违反最佳实践	建议修复
信息性	代码质量，Gas 优化，建议	可选改进

快速参考：主要攻击向量 (2024-2025)

来自 OWASP 智能合约十大风险 (2025) 及实际损失：

访问控制 (9.532亿美元)：缺少/错误的修饰符，暴露的管理员函数
逻辑错误 (6380万美元)：有缺陷的业务逻辑，错误计算
重入攻击 (3570万美元)：外部调用后更新状态
闪电贷 (3380万美元)：价格操纵，治理攻击
输入验证 (1460万美元)：缺少边界检查，未检查的参数
预言机操纵 (880万美元)：TWAP 操纵，过时价格

清晰的发现标题 及严重性
位置：合约名称、函数、行号
描述：问题是什么
影响：潜在后果
概念证明：如何被利用（如适用）
建议：具体的修复方案及代码示例

尽可能将建议格式化为可操作的代码更改。

根据审计类型按需加载：

references/security-checklist.md - 包含检测模式的完整漏洞清单
references/gas-optimization.md - Gas 优化技术和模式
references/storage-optimization.md - 存储布局和优化
references/architecture-review.md - 代码架构最佳实践
references/version-specific.md - Solidity 版本注意事项
references/report-template.md - 专业审计报告模板

🇺🇸English

Solidity Smart Contract Auditor

A professional-grade smart contract audit skill covering security vulnerabilities, gas optimization, storage patterns, and code architecture. Adapted to Solidity version specifics.

Audit Types

Determine the audit type based on user request:

User Request	Audit Type	Primary Reference
"Full audit", "comprehensive review"	Full Audit	All references
"Security audit", "vulnerability scan"	Security Focused	`references/security-checklist.md`
"Gas optimization", "reduce gas costs"	Gas Optimization	`references/gas-optimization.md`
"Storage optimization", "storage patterns"	Storage Optimization	`references/storage-optimization.md`
"Code review", "architecture review"	Architecture Review	`references/architecture-review.md`
"DeFi audit", "protocol review"	DeFi Protocol	Security + Architecture references

Core Audit Workflow

Phase 1: Preparation

Identify Solidity Version : Check pragma statement. Read references/version-specific.md for version-specific considerations:
- Pre-0.8.0: Check for SafeMath usage, arithmetic vulnerabilities
- 0.8.0+: Review unchecked blocks, check custom errors usage
Understand Scope :
- List all contracts, interfaces, libraries
- Identify external dependencies (OpenZeppelin, etc.)
- Note inheritance hierarchy
- Document entry points (external/public functions)
Gather Context : Ask if not provided:
- Protocol purpose and intended behavior
- Deployment chain(s)
- Expected user flows
- Admin roles and privileges

Phase 2: Static Analysis

Run automated checks mentally using patterns from the security checklist:
- Access control patterns
- State-changing operations flow (checks-effects-interactions)
- External call patterns
- Arithmetic operations (especially in unchecked blocks)
Map attack surface :
- External/public functions
- Functions handling ETH/tokens
- Functions with access control
- Upgrade mechanisms

Phase 3: Vulnerability Assessment

Read references/security-checklist.md and evaluate each category:

Critical Priority (check first):

Access Control Vulnerabilities (OWASP SC-01) - $953M+ in losses
Logic Errors (OWASP SC-02) - $64M+ in losses
Reentrancy (OWASP SC-03) - $36M+ in losses

High Priority: 4. Flash Loan Attack Vectors (OWASP SC-04) 5. Input Validation (OWASP SC-05) 6. Oracle Manipulation (OWASP SC-06) 7. Unchecked External Calls (OWASP SC-07)

Medium Priority: 8. Integer Overflow/Underflow (version-dependent) 9. Denial of Service vectors 10. Front-running vulnerabilities

Phase 4: Optimization Analysis (if requested)

For gas optimization: Read references/gas-optimization.md For storage optimization: Read references/storage-optimization.md

Phase 5: Report Generation

Use the template in references/report-template.md to structure findings.

Severity Classification

Severity	Criteria	Action
Critical	Direct fund loss possible, no user interaction needed	Immediate fix required, do not deploy
High	Fund loss possible with specific conditions, significant impact	Must fix before deployment
Medium	Limited impact, unlikely exploitation, or governance issue	Should fix, assess risk
Low	Minor issue, best practice violation	Recommended fix
Informational	Code quality, gas optimization, suggestions	Optional improvement

Quick Reference: Top Attack Vectors (2024-2025)

From OWASP Smart Contract Top 10 (2025) with real losses:

Access Control ($953.2M): Missing/incorrect modifiers, exposed admin functions
Logic Errors ($63.8M): Flawed business logic, incorrect calculations
Reentrancy ($35.7M): State updates after external calls
Flash Loans ($33.8M): Price manipulation, governance attacks
Input Validation ($14.6M): Missing bounds checks, unchecked parameters
Oracle Manipulation ($8.8M): TWAP manipulation, stale prices

Output Guidelines

Always provide:

Clear finding title with severity
Location : Contract name, function, line numbers
Description : What the issue is
Impact : Potential consequences
Proof of Concept : How it could be exploited (when applicable)
Recommendation : Specific fix with code example

Format recommendations as actionable code changes when possible.

Reference Files

Load these as needed based on audit type:

references/security-checklist.md - Complete vulnerability checklist with detection patterns
references/gas-optimization.md - Gas optimization techniques and patterns
references/storage-optimization.md - Storage layout and optimization
references/architecture-review.md - Code architecture best practices
references/version-specific.md - Solidity version considerations
references/report-template.md - Professional audit report template

Weekly Installs

Repository

schwepps/skills

GitHub Stars

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode83

gemini-cli80

codex79

github-copilot76

claude-code70

cursor69

Skills CLI 使用指南：AI Agent 技能包管理器安装与管理教程

43,100 周安装