0x-shashi/skills/advanced/attack-chains
skills/advanced/attack-chains/SKILL.md
Detect multi-step exploit sequences where individual steps may appear benign but combine into critical vulnerabilities. Use when analyzing protocols for flash-loan-to-governance chains, oracle manipulation sequences, or cross-contract re-entrancy paths inspired by real-world exploits like Ronin, Wormhole, and Beanstalk.
$ install --global
skillsauthnpx skillsauth add 0x-shashi/web3-audit-skills skills/advanced/attack-chainsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
4 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
4
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 23, 2026, 10:29 PM79.5s6 files scanned
SKILL.md
- id:
- attack-chains
- title:
- Attack Chains Skill
- category:
- advanced
- difficulty:
- advanced
- last_updated:
- 2026-02-26
- description:
- >-
Attack Chains Skill
Purpose
Detect multi-step exploit sequences where individual steps may appear benign but combine into critical vulnerabilities. Real-world exploits rarely use a single vulnerability — they chain multiple issues together.
Why Attack Chains Matter
- $624M Ronin Bridge: Social engineering → Key compromise → Validator threshold bypass → Fund drain
- $326M Wormhole: Signature verification bypass → Fake VAA → Unauthorized minting
- $182M Beanstalk: Flash loan → Governance vote → Proposal execution → Fund drain
- $130M Cream Finance: Flash loan → Oracle manipulation → Under-collateralized borrow → Drain
Chain Types
| Chain | Description | File | |-------|-------------|------| | Flash Loan | Flash loan enables price/governance manipulation | flash-loan-chains.md | | Oracle | Oracle distortion enables economic exploits | oracle-chains.md | | Bridge | Cross-chain verification bypass chains | bridge-chains.md | | Governance | Vote manipulation and proposal hijacking | governance-chains.md |
Detection Approach
- Identify entry points: Flash loans, large token transfers, governance proposals
- Trace data flow: Follow manipulated values through the system
- Check invariants: Verify economic invariants hold under manipulation
- Simulate chains: Walk through multi-step sequences mentally or in tests
Severity
Attack chains are almost always Critical or High severity because they represent complete exploit paths.
Prerequisites
Attack chain analysis requires familiarity with individual vulnerability types. The Patterns skill MUST be loaded first. Flash loan chains additionally require understanding of DeFi composability.
Validation
To verify attack chain detection, test against known exploit reproductions:
// Example: Flash loan attack chain detection pattern
// Step 1: Flash loan entry
function attack() external {
ILendingPool(pool).flashLoan(address(this), token, amount, "");
}
// Step 2: Price manipulation during callback
function executeOperation(address, uint256 amount, uint256 fee, bytes calldata) external {
// Manipulate oracle price
IOracle(oracle).update(manipulatedPrice);
// Step 3: Exploit manipulated state
IVault(vault).borrow(collateral, inflatedAmount);
// Step 4: Restore and repay
IERC20(token).transfer(pool, amount + fee);
}
# Validate chain detection coverage
known_chains = ["flash-loan", "oracle", "bridge", "governance"]
for chain in known_chains:
assert chain_detector.can_detect(chain), f"Missing detection for {chain}"
# Run chain pattern matching tests
python -m pytest tests/attack_chains/ -v
Behavior Guidelines
- Chain analysis MUST consider all entry points (flash loans, large transfers, governance proposals)
- Auditors should optionally model economic profitability of detected chains
- Cross-contract interactions are required to be traced through all delegate calls
References
- Attack Chains References - Historical exploit timelines and chain diagrams
Related Skills
0x-shashi/skills/variant-analysis
development
VerifiedTrustedCommunity
Systematically hunt for every variant of a discovered vulnerability across the entire codebase. Use when a bug is found and all instances of the same root cause pattern must be identified, or when performing variant analysis during competitive audits on Code4rena or Sherlock.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/ton-scanner
testing
VerifiedTrustedCommunity
Use when the user wants to audit TON smart contracts for security vulnerabilities, scan FunC or Tact contracts for message chain replay, bounce handling, or gas issues, review TON DeFi protocols for actor-model concurrency flaws, or analyze asynchronous message passing security.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/token-analyzer
tools
VerifiedTrustedCommunity
Analyze ERC20/ERC721/ERC1155 token implementations for non-standard behavior, fee-on-transfer mechanics, rebasing logic, blacklists, pausability, and integration risks. Use when reviewing protocols that interact with external tokens or implementing token-related features.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/sui-scanner
testing
VerifiedTrustedCommunity
Use when the user wants to audit Sui Move smart contracts, scan Sui-specific patterns including object ownership, shared objects, or dynamic fields, review Sui DeFi protocols for object model security issues, or analyze Sui-specific transaction and consensus patterns.
45SKILL.mdUpdated Mar 23, 2026