skills/token-analyzer/SKILL.md
Analyze ERC20/ERC721/ERC1155 token implementations for non-standard behavior, fee-on-transfer mechanics, rebasing logic, blacklists, pausability, and integration risks. Use when reviewing protocols that interact with external tokens or implementing token-related features.
Install this skill with `npx skillsauth add 0x-shashi/web3-audit-skills skills/token-analyzer` (works with Claude Code, Cursor, and Windsurf).
Analyze ERC20/ERC721/ERC1155 token implementations for non-standard behavior, fee-on-transfer mechanics, rebasing logic, and integration risks.
Over $500M has been lost due to protocol assumptions about "standard" ERC20 behavior. Most tokens deviate from the standard in subtle ways that break DeFi integrations.
Token analysis requires the Solidity Scanner for EVM token implementations. Non-EVM token analysis may require chain-specific scanner skills.
To verify token detection capabilities, test against known weird tokens:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example: Detecting fee-on-transfer behavior
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract FeeOnTransferProbe {
    // Detection pattern: balance before/after comparison
    function probe(IERC20 token, address sender, uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        token.transferFrom(sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        // If received < amount, fee-on-transfer detected
        assert(received == amount); // Will fail for deflationary tokens
    }
}
```
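The probe above only flags the deviation; the integration-side mitigation is to credit the balance delta rather than the requested amount and to tolerate tokens that return no bool. The following hypothetical `SafePullVault` is an added example (not code from the token-analyzer skill or the web3-audit-skills repository) that combines both checks; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical vault (added example) showing the integration-side handling of the
/// token quirks listed on this page: fee-on-transfer, missing return value, and
/// tokens that silently move nothing.
contract SafePullVault {
    // token => user => amount actually received (a snapshot; rebasing tokens change
    // this contract's balance after the fact and need share-based accounting instead)
    mapping(address => mapping(address => uint256)) public credited;

    function deposit(IERC20 token, uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        _safeTransferFrom(token, msg.sender, address(this), amount);
        received = token.balanceOf(address(this)) - before;
        // Fee-on-transfer tokens deliver less than `amount`: credit only what arrived.
        // A zero delta (100% fee, or a token that reports success without moving funds)
        // must not mint phantom credit.
        require(received > 0, "nothing received");
        credited[address(token)][msg.sender] += received;
    }

    // Accepts tokens that return bool and tokens (USDT-style) that return nothing,
    // but rejects an explicit `false` and calls to addresses with no code, which a
    // raw `call` would otherwise report as success with empty return data.
    function _safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(token.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }
}
```

Pausable and blacklist tokens typically revert inside `transferFrom`, so they surface as a failed deposit here rather than as a silent balance mismatch.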
```python
# Validate token categorization
# `token_analyzer` is the analyzer under test, assumed to be imported by the harness.
def test_weird_token_detection():
    categories = ['fee-on-transfer', 'rebasing', 'blacklist', 'pausable', 'missing-return']
    for cat in categories:
        assert token_analyzer.can_detect(cat), f"Missing detection: {cat}"
    print("All token categories verified")
```
```yaml
# Token risk scoring
token: USDT
risks:
  - missing_return_value: true  # Does not return bool
  - blacklist: true             # Admin can freeze addresses
  - pausable: true              # Admin can pause transfers
risk_level: medium
```
Related skills:

- development: Systematically hunt for every variant of a discovered vulnerability across the entire codebase. Use when a bug is found and all instances of the same root cause pattern must be identified, or when performing variant analysis during competitive audits on Code4rena or Sherlock.
- testing: Use when the user wants to audit TON smart contracts for security vulnerabilities, scan FunC or Tact contracts for message chain replay, bounce handling, or gas issues, review TON DeFi protocols for actor-model concurrency flaws, or analyze asynchronous message passing security.
- testing: Use when the user wants to audit Sui Move smart contracts, scan Sui-specific patterns including object ownership, shared objects, or dynamic fields, review Sui DeFi protocols for object model security issues, or analyze Sui-specific transaction and consensus patterns.
- tools: Integrate automated static analysis tools (Slither, Mythril, Aderyn, Semgrep) into the audit workflow to catch known vulnerability patterns before manual review. Use when starting an audit to establish a coverage baseline, or when configuring static analysis tooling for a project.