陌讯skills聚合平台

defi-security

📁 0xlayerghost/solidity-agent-kit 📅 4 days ago
0
总安装量
3
周安装量
安装命令
npx skills add https://github.com/0xlayerghost/solidity-agent-kit --skill defi-security

Agent 安装分布

claude-code 3
windsurf 1
trae 1
cursor 1
codex 1

Skill 文档

DeFi Security Principles

Language Rule

  • Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Scope: Only applicable to DeFi projects (DEX, lending, staking, LP, yield). Non-DeFi projects can ignore this skill.

Protection Decision Rules

Threat Required Protection
Whale manipulation Daily transaction caps + per-tx amount limits + cooldown window
MEV / sandwich attack EOA-only checks (msg.sender == tx.origin), or use commit-reveal pattern
Arbitrage Referral binding + liquidity distribution + fixed yield model + lock period
Reentrancy ReentrancyGuard on all external-call functions (see solidity-security skill)
Flash loan attack Check block.number change between operations, or use TWAP pricing
Price manipulation Chainlink oracle or TWAP — never rely on spot AMM reserves for pricing
Approval exploit Use safeIncreaseAllowance / safeDecreaseAllowance, never raw approve for user flows

Anti-Whale Implementation Rules

  • Maximum single transaction amount: configurable via onlyOwner setter
  • Daily cumulative limit per address: track with mapping(address => mapping(uint256 => uint256)) (address → day → amount)
  • Cooldown between transactions: enforce minimum time gap with block.timestamp check
  • Whitelist for exempt addresses (deployer, LP pair, staking contract)

Flash Loan Protection Rules

  • For price-sensitive operations: require that block.number has changed since last interaction
  • For oracle-dependent calculations: use time-weighted average (TWAP) over minimum 30 minutes
  • For critical state changes: add minimum holding period before action (e.g., must hold tokens for N blocks)

Launch Checklist

Before mainnet deployment, verify all items:

  • All onlyOwner functions transferred to multisig (e.g., Gnosis Safe)
  • Timelock contract deployed and configured (minimum 24h delay for critical changes)
  • Pausable emergency switch tested — both pause() and unpause() work correctly
  • Daily limit parameters documented and set to reasonable values
  • Third-party security audit completed and all critical/high findings resolved
  • Testnet deployment running for minimum 7 days with no issues
  • Slippage, fee, and lock period parameters reviewed and documented
  • Initial liquidity plan documented (amount, lock duration, LP token handling)
  • forge test --fuzz-runs 10000 passes on all DeFi-critical functions

Emergency Response Procedure

Step Action
1. Detect Monitor alerts trigger (on-chain monitoring, community reports)
2. Pause Designated address calls pause() — must respond within minutes
3. Assess Technical lead analyzes root cause, estimates fund impact
4. Communicate Post incident notice to community channels (Discord, Twitter, Telegram)
5. Fix Deploy fix or prepare recovery plan
6. Resume Call unpause() after fix verified on fork — or migrate to new contract
7. Post-mortem Publish detailed incident report within 48 hours

DeFi Testing Commands

# Fuzz test fund flows with high iterations
forge test --match-contract StakingTest --fuzz-runs 10000

# Fork mainnet to test against real state
forge test --fork-url $MAINNET_RPC -vvvv

# Simulate whale transaction on fork
cast send <CONTRACT> "stake(uint256)" 1000000000000000000000000 \
  --rpc-url $FORK_RPC --private-key $TEST_KEY
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。