Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/share-accounting-desynchronization

Name: share-accounting-desynchronization
Author: apegurus

skills/vulnerability-patterns/share-accounting-desynchronization/SKILL.md

Asset/share systems drift out of sync across views, transfers, or reward logic, enabling value leakage, bypasses, or protocol lockups.

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus share-accounting-desynchronization

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:30 AM120.0s1 file scanned

SKILL.md

name:: share-accounting-desynchronization
description:: Numerical conditions that amplify desynchronization impact
category:: vulnerability-pattern
pattern_category:: erc4626
source_url:: https://github.com/bailsec/BailSec
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: (round|mulDiv|division by zero|overflow|underflow)
severity:: Medium

Share Accounting Desynchronization Vulnerabilities

Overview

Share-accounting desynchronization appears when a protocol tracks ownership in shares but exposes user actions, approvals, rewards, or integrations in asset-denominated values without guaranteed synchronization. If share supply, token supply, and fee accrual are updated at different times or with inconsistent caps, attackers and edge cases can exploit the mismatch to bypass approvals, drain value, lock funds, or break reward accounting.

Unlike a single arithmetic bug, this is a system-level failure of consistency across view logic, state updates, and transfer semantics.

Common Patterns

Approval consumption and transfer amount are evaluated in different units.
View functions use theoretical future supply while state-changing paths use capped or delayed supply updates.
Reward accumulators assume minted fees that are not actually minted.
Rounding strategy differs across conversion helpers, causing exploitable drift in repeated operations.

Detection Heuristics

Map all conversions between shares and assets, then verify consistent rounding direction by context.
Compare view-only paths (pending, preview, realBalance) against state-changing mint/burn/update behavior.
Check behavior when fee collector address changes, updates are delayed, or supply caps are hit.
Fuzz with long periods of inactivity, then sudden updates to detect discontinuities.

Examples from Audits

Share transfer path that could bypass token-amount approval checks under specific conversion outcomes.
Reward preview functions allocating value from uncapped or unminted fees, creating inconsistent accumulator states.
Systems where stale supply updates or abrupt fee-recipient changes altered debase/reward behavior and destabilized accounting.

Remediation

Adopt a single canonical accounting model and centralize conversions in audited helper functions with documented rounding policy. Enforce that view and state paths share the same cap logic and fee-mint assumptions. Add invariant tests ensuring assets <-> shares coherence under updates, pauses, and collector changes. When conversions can become stale, force synchronization before sensitive operations or require bounded slippage from callers. This reduces drift accumulation and makes behavior predictable for integrations.

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/share-accounting-desynchronization ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/share-accounting-desynchronization

skills/vulnerability-patterns/share-accounting-desynchronization/SKILL.md

Asset/share systems drift out of sync across views, transfers, or reward logic, enabling value leakage, bypasses, or protocol lockups.

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus share-accounting-desynchronization

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:30 AM120.0s1 file scanned

SKILL.md

name:: share-accounting-desynchronization
description:: Numerical conditions that amplify desynchronization impact
category:: vulnerability-pattern
pattern_category:: erc4626
source_url:: https://github.com/bailsec/BailSec
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: (round|mulDiv|division by zero|overflow|underflow)
severity:: Medium

Share Accounting Desynchronization Vulnerabilities

Overview

Unlike a single arithmetic bug, this is a system-level failure of consistency across view logic, state updates, and transfer semantics.

Common Patterns

Approval consumption and transfer amount are evaluated in different units.
View functions use theoretical future supply while state-changing paths use capped or delayed supply updates.
Reward accumulators assume minted fees that are not actually minted.
Rounding strategy differs across conversion helpers, causing exploitable drift in repeated operations.

Detection Heuristics

Map all conversions between shares and assets, then verify consistent rounding direction by context.
Compare view-only paths (pending, preview, realBalance) against state-changing mint/burn/update behavior.
Check behavior when fee collector address changes, updates are delayed, or supply caps are hit.
Fuzz with long periods of inactivity, then sudden updates to detect discontinuities.

Examples from Audits

Share transfer path that could bypass token-amount approval checks under specific conversion outcomes.
Reward preview functions allocating value from uncapped or unminted fees, creating inconsistent accumulator states.
Systems where stale supply updates or abrupt fee-recipient changes altered debase/reward behavior and destabilized accounting.

Remediation

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/share-accounting-desynchronization ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT