Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/assert-violation

Name: assert-violation
Author: apegurus

skills/vulnerability-patterns/assert-violation/SKILL.md

npx skillsauth add apegurus/solidity-argus assert-violation

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Assert Violation

Preconditions

Contract uses assert() statements
The assert condition can be reached through valid program execution (not a true invariant)
OR: assert() is used to validate user input or external call results instead of require()

Vulnerable Pattern

function transfer(address to, uint256 amount) external {
    // WRONG: assert used for input validation — should be require
    // In Solidity <0.8.0, this consumes ALL remaining gas on failure
    assert(balances[msg.sender] >= amount);

    balances[msg.sender] -= amount;
    balances[to] += amount;
}

function withdraw() external {
    uint256 bal = balances[msg.sender];
    balances[msg.sender] = 0;
    (bool success,) = msg.sender.call{value: bal}("");
    // WRONG: assert used to check external call result
    assert(success);
}

Detection Heuristics

Search for all assert( calls in the codebase
For each, determine whether the condition is a true invariant (mathematically impossible to violate in a correct contract) or an input/state validation
If the condition depends on user input, external call results, or mutable external state, flag it — it should be require() instead
Check Solidity version: in <0.8.0, failing assert uses the 0xfe INVALID opcode and consumes ALL remaining gas; in >=0.8.0, it reverts with Panic(uint256) error code 0x01 (refunds remaining gas but provides no custom message)
If an assert can be triggered by an attacker, check if the gas consumption creates a griefing vector

False Positives

The assert checks a genuine invariant (e.g., assert(totalSupply == sumOfAllBalances) after a provably correct operation)
The condition is mathematically unreachable given the contract's logic
Used in test code, not production contracts

Remediation

Use require() for input validation and external call checks — it refunds remaining gas and accepts an error message
Reserve assert() only for invariant checks that should never fail in a correct contract
In Solidity >=0.8.4, prefer custom errors with require for gas-efficient error handling

// Correct: require for input validation
function transfer(address to, uint256 amount) external {
    require(balances[msg.sender] >= amount, "insufficient balance");
    balances[msg.sender] -= amount;
    balances[to] += amount;
    // assert is appropriate here: totalSupply should never change during transfer
    assert(balances[msg.sender] + balances[to] == oldSum);
}

apegurus/assert-violation

skills/vulnerability-patterns/assert-violation/SKILL.md

- Contract uses `assert()` statements

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus assert-violation

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:25 AM148.4s1 file scanned

SKILL.md

name:: assert-violation
description:: assert used in code path that may be user reachable
pattern_category:: logic-error
- regex:: assert\(
severity:: Low
confidence:: Medium
swc:: SWC-110

Assert Violation

Preconditions

Contract uses assert() statements
The assert condition can be reached through valid program execution (not a true invariant)
OR: assert() is used to validate user input or external call results instead of require()

Vulnerable Pattern

function transfer(address to, uint256 amount) external {
    // WRONG: assert used for input validation — should be require
    // In Solidity <0.8.0, this consumes ALL remaining gas on failure
    assert(balances[msg.sender] >= amount);

    balances[msg.sender] -= amount;
    balances[to] += amount;
}

function withdraw() external {
    uint256 bal = balances[msg.sender];
    balances[msg.sender] = 0;
    (bool success,) = msg.sender.call{value: bal}("");
    // WRONG: assert used to check external call result
    assert(success);
}

Detection Heuristics

Search for all assert( calls in the codebase
For each, determine whether the condition is a true invariant (mathematically impossible to violate in a correct contract) or an input/state validation
If the condition depends on user input, external call results, or mutable external state, flag it — it should be require() instead
Check Solidity version: in <0.8.0, failing assert uses the 0xfe INVALID opcode and consumes ALL remaining gas; in >=0.8.0, it reverts with Panic(uint256) error code 0x01 (refunds remaining gas but provides no custom message)
If an assert can be triggered by an attacker, check if the gas consumption creates a griefing vector

False Positives

The assert checks a genuine invariant (e.g., assert(totalSupply == sumOfAllBalances) after a provably correct operation)
The condition is mathematically unreachable given the contract's logic
Used in test code, not production contracts

Remediation

Use require() for input validation and external call checks — it refunds remaining gas and accepts an error message
Reserve assert() only for invariant checks that should never fail in a correct contract
In Solidity >=0.8.4, prefer custom errors with require for gas-efficient error handling

// Correct: require for input validation
function transfer(address to, uint256 amount) external {
    require(balances[msg.sender] >= amount, "insufficient balance");
    balances[msg.sender] -= amount;
    balances[to] += amount;
    // assert is appropriate here: totalSupply should never change during transfer
    assert(balances[msg.sender] + balances[to] == oldSum);
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/assert-violation ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT