mariano-aguero

solidity-security-audit

Comprehensive Solidity smart contract security auditing and vulnerability analysis skill. Based on methodologies from Trail of Bits, OpenZeppelin, Consensys Diligence, Sherlock, CertiK, Cyfrin, Spearbit, Halborn, and other leading Web3 security firms. This skill should be used whenever the user asks to "audit a smart contract", "review Solidity code for security", "find vulnerabilities", "check for reentrancy", "analyze gas optimization", "review access control", "check proxy patterns", "analyze DeFi protocol security", "review ERC20/ERC721 implementation", "check oracle manipulation risks", "review upgrade patterns", or mentions any security review of EVM-compatible smart contracts. Also triggers for keywords like "slither", "echidna", "foundry fuzz", "formal verification", "invariant testing", "flash loan attack", "MEV", "sandwich attack", "front-running", "delegatecall", "selfdestruct", "reentrancy guard", "access control vulnerability", "storage collision", "proxy upgrade security", "smart contract exploit", "L2 security", "cross-chain", "bridge security", "sequencer", "LayerZero", "CCIP", "account abstraction", "ERC-4337", "smart account", "paymaster", "bundler", "UserOperation", "re-audit", "diff audit", "remediation review", "fix verification", "Uniswap v4 hooks", "Chainlink integration", "Aave integration", "flash loan receiver", "ERC-4626 vault", "restaking", "EigenLayer", "AVS", "severity classification", "severity decision", "perpetual", "perp dex", "GMX", "Synthetix", "funding rate", "liquidation cascade", "intent protocol", "UniswapX", "Permit2", "1inch Fusion", "Dutch auction order", "ZK-VM", "zkSync", "Polygon zkEVM", "ZK proof", "Risc0", "SP1", "Circom", "under-constrained", "ERC-7683", "cross-chain intents", "IOriginSettler", "IDestinationSettler", "CrossChainOrder", "filler protocol", "origin settler", "destination settler", "orderId", "fillDeadline", "EIP-7002", "triggerable exit", "execution layer withdrawal", "validator exit", "EIP-7251", "MaxEB", "max effective balance", "validator consolidation", "consolidation", "EIP-6110", "beacon deposit", "validator deposit", "liquid staking security", "OWASP SC", "OWASP smart contract", "SC01", "SC02", "ERC-6909", "multi-token", "PoolManager claims", "claim token", "isOperator", "MEV bot", "MEV contract", "arbitrage bot", "sandwich bot", "sweep function", "AI-generated code", "Copilot", "vibe coding", "LLM-generated Solidity", "Wake", "eth-wake", "Ackee Blockchain", "TSTORE", "TLOAD", "transient storage", "tstore compiler bug", "tstore poison", "solc 0.8.28", "solc via-ir", "via-ir optimizer", "reentrancy guard bypass tstore", "EOF", "EIP-7692", "Fusaka upgrade", "EXTDELEGATECALL", "EVM object format", "gas observability", "code observability", "CODESIZE EXTCODESIZE EOF", "ERC-7726", "price adapter", "price oracle adapter", "false validity assumption", "IQuote", "getQuote oracle", "phantom collateral", "orphaned state", "Abracadabra exploit", "cook batch router", "failed external call state", "liquidation ghost debt", "overflow sentinel", "Cetus exploit", "bit-shift guard", "FullMath overflow", "PRBMath overflow", "custom math library overflow", "OpenZeppelin v5 migration", "OZ v4 to v5", "ERC-7201 namespaced storage", "sequential storage layout", "namespaced storage layout", "storage slot migration", "LDF rounding", "Bunni exploit", "liquidity distribution function", "asymmetric rounding liquidity", "flash tick shift", "JIT liquidity attack", "just-in-time liquidity", "V4 JIT", "Morpho Blue", "Euler V2", "EVC", "modular lending", "permissionless market", "EigenVault", "cross-vault health", "ERC-4337 executor vault", "EIP-7701", "native account abstraction", "ACCEPT_ROLE opcode", "per-transaction validation", "legacy contract validation", "Cork Protocol", "V4 hook drain", "onlyPoolManager hook", "missing onlyPoolManager", "TransientStorageClearingHelperCollision", "delete transient storage", "delete tstore bug", "ERC-7579 module poisoning", "module onUninstall revert", "stale module state", "executor delegatecall module", "ERC-7484", "module registry attestation", "ERC-7821", "minimal batch executor", "EIP-7821", "sweeper delegation campaign", "tx.origin bypass Pectra", "EIP-7702 sweeper", "cross-chain sandwich", "source chain event leakage", "CeDeFi", "recursive leverage collapse", "oracle price hardcoding", "hardcoded collateral price", "cook() flag bypass", "batch router flag reset", "deferred solvency check bypass", "oracle chain complexity", "restaking oracle chain", "chained price adapter", "Hyperliquid exploit", "vault liquidation absorber", "HLP vault manipulation", "Fusaka gas cap", "EIP-7825", "per-transaction gas limit", "app chain fork", "Berachain fork", "forked L1 inherited bugs", "Aderyn v0.6", "Aderyn LSP server", "echidna verification mode", "halmos recon reproducer", "slither triage", "too many slither findings", "slither false positive", "slither 200 findings", "slither filter", "slither config", "slither suppress", "slither FP", "slither findings triage", "slither-check-upgradeability", "slither priority", "when to skip slither finding", "Solidity 0.9.0", "transfer deprecated", "send deprecated solidity", "transfer removed 0.9", "send removed 0.9", "migrate from transfer call", "PUSH0 cross-chain", "PUSH0 opcode incompatible", "evm-version paris", "evmVersion paris", "shanghai fork compatibility", "non-shanghai chain", "PUSH0 zkSync", "EIP-3855", "ERC-1967 slot corruption", "proxy storage slot", "implementation slot overwrite", "UUPS brick attack", "upgradeTo interface check", "proxiableUUID missing", "storage layout migration", "proxy slot collision", "delegatecall slot overwrite", "ePBS", "EIP-7732", "enshrined PBS", "proposer builder separation consensus", "block access lists", "Block Access Lists", "BALs EIP-7928", "EIP-7928", "Glamsterdam", "payload withholding attack", "preconfirmation timing", "preconf security", "AI-generated code audit", "vibe coding security", "LLM contract review", "copilot Solidity", "hallucinated interface", "broken reentrancy guard AI", "incomplete access control AI", "Noir circuit", "unconstrained Noir", "pub input Noir", "Noir language audit", "SP1 zkVM", "SP1 Succinct", "SP1 cycle limit", "SP1 precompile security", "Polygon CDK", "CDK chain audit", "LxLy bridge", "AggLayer security", "folding scheme", "Nova IVC", "SuperNova folding", "HyperNova", "ProtoStar IVC", "dYdX v4", "dYdX Cosmos chain", "CLOB trust model", "CometBFT MEV", "Gains Network", "gTrade", "DAI vault counterparty", "synthetic perp solvency", "skew manipulation funding", "funding rate oracle", "insurance fund drain", "cross-margin contagion", "isolated to cross margin switch", "xUSD exploit", "Stream Finance exploit", "hardcoded oracle dollar", "Hyperliquid HLP exploit", "HLP liquidation absorber", "dual role vault", "RWA protocol", "real world asset", "tokenized asset", "NAV manipulation", "pool manager trust", "senior tranche", "junior tranche", "epoch redemption", "KYC transfer restriction", "ERC-1400", "ERC-3643", "Centrifuge audit", "Maple Finance audit", "Goldfinch audit", "TrueFi audit", "options protocol", "options settlement oracle", "implied volatility manipulation", "IV oracle", "options expiry manipulation", "covered call vault", "put selling vault", "Ribbon Finance audit", "Dopex audit", "Lyra audit", "Opyn audit", "Hegic audit", "option strike manipulation", "Premia audit", "Aevo audit", "Thetanuts audit", "options-protocols.md", "oToken", "theta vault", "SSOV", "option collateral", "option margin", "option settlement", "call spread payoff", "IV drainage", "Deus DAO oracle", "Gnosis Auction abuse", "prediction market", "prediction market oracle", "resolver manipulation", "conditional token", "CTF conditional", "Gnosis CTF", "LMSR AMM", "market resolution bribe", "Polymarket audit", "Gnosis Safe module", "Safe module audit", "Safe guard", "Safe fallback handler", "enableModule security", "Safe storage collision", "delegatecall Safe", "Zodiac module", "Safe recovery module", "social recovery Safe", "module threshold bypass", "BNB Chain bridge exploit", "BSC bridge Merkle proof", "iavl library bug", "forged Merkle proof bridge", "Multichain exploit", "MPC key centralization", "TSS bridge centralization", "MPC bridge audit", "bridge operator jurisdiction", "single point of failure bridge", "MPC key rotation", "off-chain proof library audit", "ICS23 proof verification", "cross-chain proof forgery", "Code4rena", "C4 contest", "Sherlock contest", "Immunefi", "Cantina contest", "CodeHawks", "Cyfrin Updraft", "warden submission", "Watson submission", "bug bounty submission", "audit contest", "audit competition", "contest finding", "submit to contest", "contest report", "H/M finding", "QA report warden", "vm.signDelegation", "vm.attachDelegation", "vm.signAndAttachDelegation", "ERC-7702 Foundry", "ERC-7702 PoC", "delegation revocation", "forge build --eof", "forge test --eof", "EOF PoC", "EOF migration", "EXTDELEGATECALL proxy", "selfdestruct EOF", "EOF container validation", "Move language", "Move audit", "Sui audit", "Aptos audit", "Move resource", "Sui object model", "Aptos fungible asset", "MoveBit", "OtterSec Move", "hot potato Move", "capability token Move", "Sui PTB", "Move bytecode verifier". Even if the user simply pastes Solidity code and asks "is this safe?" or "any issues here?", use this skill.