alt-research/solidity-vulnerability-scanner
.claude/skills/solidity-guard/skills/vulnerability-scanner/SKILL.md
Comprehensive Solidity contract security scanner detecting 104 vulnerability patterns across reentrancy, access control, arithmetic, DeFi, proxy, and token categories. Integrates Slither, Aderyn, and Mythril with manual analysis.
$ install --global
skillsauthnpx skillsauth add alt-research/solidityguard solidity-vulnerability-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 4:00 PM4.8s2 files scanned
SKILL.md
- name:
- solidity-vulnerability-scanner
- description:
- |
Solidity Vulnerability Scanner
1. Purpose
Systematically scan Solidity contracts for 104 security vulnerabilities using multi-tool detection: Slither + Aderyn + Mythril + manual pattern matching. All findings require evidence with exact file:line citations.
2. When to Use
- Auditing Solidity contracts (any framework)
- Pre-launch security assessment
- Reviewing DeFi protocol security
- Preparing for professional audit
- CI/CD security gate
3. Scanning Workflow
Step 1: Framework & Version Check
# Detect framework
ls foundry.toml hardhat.config.js hardhat.config.ts truffle-config.js
# Check Solidity version
rg "pragma solidity" contracts/
# Check for OpenZeppelin
rg "@openzeppelin" package.json remappings.txt
Step 2: Run Automated Tools
# Slither (primary static analysis)
slither . --json slither-results.json
# Aderyn (fast Rust-based)
aderyn -s contracts/ -o aderyn-report.md
# Mythril (symbolic execution, slower but deeper)
myth analyze contracts/MyContract.sol -o json > mythril-results.json
Step 3: Parallel Vulnerability Scan
Reentrancy (CRITICAL)
rg "\.call\{|\.transfer\(|\.send\(" contracts/
rg "nonReentrant|ReentrancyGuard" contracts/
Access Control (CRITICAL)
rg "onlyOwner|onlyRole|_checkRole|require.*msg\.sender" contracts/
rg "tx\.origin" contracts/
rg "selfdestruct" contracts/
External Calls (HIGH)
rg "\.call\(|\.delegatecall\(|\.staticcall\(" contracts/
rg "IERC20\(.*\)\.transfer" contracts/
Arithmetic Safety (HIGH)
rg "unchecked" contracts/
rg "\/.*\*|precision|rounding" contracts/
Oracle & Price (CRITICAL)
rg "oracle|getPrice|latestRoundData|priceFeed" contracts/
rg "flashLoan|flashMint" contracts/
Transient Storage (CRITICAL — EIP-1153)
rg "tstore|tload|TSTORE|TLOAD|transient" contracts/
rg "ReentrancyGuardTransient" contracts/
EIP-7702 / Account Abstraction (CRITICAL)
rg "tx\.origin.*==.*msg\.sender|isContract|extcodesize" contracts/
rg "IPaymaster|validatePaymasterUserOp|UserOperation|validateUserOp" contracts/
Uniswap V4 Hooks (CRITICAL)
rg "IHooks|BaseHook|afterSwap|beforeSwap|hookData|poolManager" contracts/
Step 4: Evidence Collection
For each potential finding:
- Extract exact file:line location
- Capture vulnerable code snippet
- Cross-reference with tool results
- Calculate confidence score
4. Vulnerability Patterns (97 Total)
CRITICAL Severity
| ID | Name | Detection | SWC |
|----|------|-----------|-----|
| ETH-001 | Single-function Reentrancy | External call before state update | SWC-107 |
| ETH-006 | Missing Access Control | State-changing without modifier | SWC-105 |
| ETH-007 | tx.origin Authentication | tx.origin in require/if | SWC-115 |
| ETH-019 | Delegatecall to Untrusted | delegatecall with user input | SWC-112 |
| ETH-024 | Oracle Manipulation | Single oracle, no TWAP | — |
| ETH-025 | Flash Loan Attack | No same-block protection | — |
| ETH-030 | Storage Collision (Proxy) | Misaligned storage slots | SWC-124 |
| ETH-039 | Signature Replay | Missing nonce/chain ID | SWC-121 |
| ETH-049 | Uninitialized Implementation | Missing initializer | — |
| ETH-057 | Vault Share Inflation | First depositor attack | — |
HIGH Severity
| ID | Name | Detection | SWC |
|----|------|-----------|-----|
| ETH-002 | Cross-function Reentrancy | Shared state + external call | SWC-107 |
| ETH-009 | Default Visibility | Missing visibility specifier | SWC-100 |
| ETH-013 | Integer Overflow/Underflow | Unchecked arithmetic | SWC-101 |
| ETH-018 | Unchecked External Call | .call return not checked | SWC-104 |
| ETH-026 | Sandwich Attack | No slippage protection | — |
| ETH-034 | Strict Equality on Balance | == on ETH/token balance | SWC-132 |
| ETH-037 | Weak Randomness | block.timestamp/blockhash | SWC-120 |
| ETH-041 | ERC-20 Non-standard Return | Missing SafeERC20 | — |
| ETH-044 | ERC-777 Reentrancy | Token hooks without guard | — |
| ETH-066 | Unbounded Loop | Loop without gas bound | SWC-128 |
CRITICAL — New (2025-2026)
| ID | Name | Detection | SWC |
|----|------|-----------|-----|
| ETH-081 | Transient Storage Collision | Same TSTORE slot via delegatecall | — |
| ETH-083 | TSTORE Reentrancy Bypass | TSTORE lock bypassed cross-contract | — |
| ETH-086 | Broken EOA Check (EIP-7702) | tx.origin == msg.sender for EOA | — |
| ETH-088 | EIP-7702 Auth Replay | Cross-chain authorization without chain ID | — |
| ETH-091 | Paymaster Exploitation | ERC-4337 paymaster no limits | — |
| ETH-093 | Validation-Execution Confusion | ERC-4337 phase side effects | — |
| ETH-094 | V4 Hook Auth Bypass | Hook callback without msg.sender check | — |
5. Confidence Scoring
| Score | Meaning | Action | |-------|---------|--------| | 0.9-1.0 | Definite vulnerability | Report as confirmed | | 0.7-0.9 | High likelihood | Report with evidence | | 0.5-0.7 | Possible issue | Mark as "Review Required" | | < 0.5 | Low confidence | Do not report |
6. Finding Format
## [SEVERITY] ETH-XXX: Vulnerability Name
**Location**: `contracts/Vault.sol:123` (function_name)
**Confidence**: 0.XX
**Category**: Reentrancy/Access Control/Arithmetic/DeFi
### Description
[What the vulnerability is and why it's dangerous]
### Evidence
```solidity
// Vulnerable code from contracts/Vault.sol:123
[exact code snippet]
Attack Scenario
- [Step-by-step exploit]
Recommendation
// Fixed code
[secure implementation]
## 7. Rationalizations to REJECT
| Rationalization | Required Action |
|-----------------|-----------------|
| "This looks vulnerable" | Find exact pattern match |
| "Probably missing check" | Verify absent in ALL paths |
| "Standard pattern, skip" | Document with evidence |
| "Low confidence is fine" | Investigate until >= 0.7 |
| "Solidity 0.8 handles it" | Check for unchecked blocks |
Related Skills
alt-research/solidityguard
tools
VerifiedTrustedCommunity
Advanced Solidity/EVM smart contract security auditor with 104 vulnerability patterns, multi-tool integration, and professional report generation.
93SKILL.mdUpdated Apr 3, 2026
alt-research/storage-analyzer
testing
VerifiedTrustedCommunity
Analyzes storage layout, proxy patterns, and state variable security in Solidity contracts. Detects storage collisions, uninitialized pointers, and upgrade risks. Use when auditing proxy/upgradeable contracts.
83SKILL.mdUpdated Apr 3, 2026
alt-research/spec-compliance
development
VerifiedTrustedCommunity
Validates Solidity implementation against specification documents. Extracts behavior from docs (README, specs, NatSpec) and verifies code matches documented intent. Uses Trail of Bits methodology for divergence detection.
83SKILL.mdUpdated Apr 3, 2026
alt-research/report-generator
testing
VerifiedTrustedCommunity
Generates professional security audit reports from findings. Creates OpenZeppelin/Trail of Bits style reports with executive summary, methodology, severity-classified findings, and remediation recommendations.
83SKILL.mdUpdated Apr 3, 2026