Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/incorrect-inheritance-order

Name: incorrect-inheritance-order
Author: apegurus

skills/vulnerability-patterns/incorrect-inheritance-order/SKILL.md

npx skillsauth add apegurus/solidity-argus incorrect-inheritance-order

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Incorrect Inheritance Order

Preconditions

Contract uses multiple inheritance (is ContractA, ContractB, ...)
Two or more parent contracts define a function with the same name and signature
The inheritance order (left-to-right) does not match the developer's intended resolution

Vulnerable Pattern

contract Ownable {
    function owner() public view virtual returns (address) {
        return _owner; // Returns EOA owner
    }
}

contract Governance {
    function owner() public view virtual returns (address) {
        return governance; // Returns governance contract
    }
}

// C3 linearization: rightmost (Ownable) takes precedence
// Developer intended Governance.owner() but gets Ownable.owner()
contract Treasury is Governance, Ownable {
    // owner() resolves to Ownable (rightmost) — may not be intended
    // Should be: is Ownable, Governance (if Governance should win)
}

Detection Heuristics

Identify all contracts using multiple inheritance (is A, B, C)
For each inheritance chain, check if parent contracts define functions with the same name and signature
Verify the inheritance order follows general-to-specific (most base first, most derived last) — Solidity's C3 linearization gives precedence to the rightmost parent
Check override specifiers: override(A, B) should explicitly list which parents are being overridden
Trace the actual resolution order and compare against documented or intended behavior

False Positives

Only one parent defines the function (no ambiguity)
The contract explicitly overrides the function with override(A, B) and provides its own implementation
The inheritance order is intentionally general-to-specific and produces the correct resolution

Remediation

Order inheritance from most base to most derived (general-to-specific, left-to-right)
Explicitly override conflicting functions and specify which parents: override(ContractA, ContractB)
Test function resolution in complex hierarchies

// Correct: general-to-specific order
contract Treasury is Ownable, Governance {
    function owner() public view override(Ownable, Governance) returns (address) {
        return Governance.owner(); // Explicit resolution
    }
}

apegurus/incorrect-inheritance-order

skills/vulnerability-patterns/incorrect-inheritance-order/SKILL.md

- Contract uses multiple inheritance (`is ContractA, ContractB, ...`)

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus incorrect-inheritance-order

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:29 AM188.8s1 file scanned

SKILL.md

name:: incorrect-inheritance-order
description:: Multiple inheritance declaration needing linearization review
pattern_category:: logic-error
- regex:: is\s+\w+\s*,\s*\w+
severity:: Informational
confidence:: Low
swc:: SWC-125

Incorrect Inheritance Order

Preconditions

Contract uses multiple inheritance (is ContractA, ContractB, ...)
Two or more parent contracts define a function with the same name and signature
The inheritance order (left-to-right) does not match the developer's intended resolution

Vulnerable Pattern

contract Ownable {
    function owner() public view virtual returns (address) {
        return _owner; // Returns EOA owner
    }
}

contract Governance {
    function owner() public view virtual returns (address) {
        return governance; // Returns governance contract
    }
}

// C3 linearization: rightmost (Ownable) takes precedence
// Developer intended Governance.owner() but gets Ownable.owner()
contract Treasury is Governance, Ownable {
    // owner() resolves to Ownable (rightmost) — may not be intended
    // Should be: is Ownable, Governance (if Governance should win)
}

Detection Heuristics

Identify all contracts using multiple inheritance (is A, B, C)
For each inheritance chain, check if parent contracts define functions with the same name and signature
Verify the inheritance order follows general-to-specific (most base first, most derived last) — Solidity's C3 linearization gives precedence to the rightmost parent
Check override specifiers: override(A, B) should explicitly list which parents are being overridden
Trace the actual resolution order and compare against documented or intended behavior

False Positives

Only one parent defines the function (no ambiguity)
The contract explicitly overrides the function with override(A, B) and provides its own implementation
The inheritance order is intentionally general-to-specific and produces the correct resolution

Remediation

Order inheritance from most base to most derived (general-to-specific, left-to-right)
Explicitly override conflicting functions and specify which parents: override(ContractA, ContractB)
Test function resolution in complex hierarchies

// Correct: general-to-specific order
contract Treasury is Ownable, Governance {
    function owner() public view override(Ownable, Governance) returns (address) {
        return Governance.owner(); // Explicit resolution
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/incorrect-inheritance-order ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT