陌讯skills聚合平台

software-crypto-web3

📁 vasilyu1983/ai-agents-public 📅 Jan 23, 2026
72
总安装量
72
周安装量
#3046
全站排名
安装命令
npx skills add https://github.com/vasilyu1983/ai-agents-public --skill software-crypto-web3

Agent 安装分布

claude-code 39
opencode 39
codex 36
cursor 31
github-copilot 29

Skill 文档

Software Crypto/Web3 Engineering

Use this skill to design, implement, and review secure blockchain systems: smart contracts, on-chain/off-chain integration, custody and signing, testing, audits, and production operations.

Defaults to: security-first development, explicit threat models, comprehensive testing (unit + integration + fork + fuzz/invariants), formal methods when high-value, upgrade safety (timelocks, governance, rollback plans), and defense-in-depth for key custody and signing.

Quick Reference

Task Tool/Framework Command When to Use
Solidity Development Hardhat/Foundry npx hardhat init or forge init Ethereum/EVM smart contracts
Solana Programs Anchor anchor init Solana blockchain development
Cosmos Contracts CosmWasm cargo generate --git cosmwasm-template Cosmos ecosystem contracts
TON Contracts Tact/FunC + Blueprint npm create ton@latest TON blockchain development
Testing (Solidity) Foundry/Hardhat forge test or npx hardhat test Unit, fork, invariant tests
Security Audit Slither/Aderyn/Echidna slither . or aderyn . Static analysis, fuzzing
AI-Assisted Review AI scanners (optional) N/A Pre-audit preparation (verify findings manually)
Fuzzing Echidna/Medusa echidna . or medusa fuzz Property-based fuzzing
Gas Optimization Foundry Gas Snapshots forge snapshot Benchmark and optimize gas
Deployment Hardhat Deploy/Forge Script npx hardhat deploy Mainnet/testnet deployment
Verification Etherscan API npx hardhat verify Source code verification
Upgradeable Contracts OpenZeppelin Upgrades @openzeppelin/hardhat-upgrades Proxy-based upgrades
Smart Wallets ERC-4337, EIP-7702 Account abstraction SDKs Smart accounts and sponsored gas (verify network support)

Scope

Use this skill when you need:

  • Smart contract development (Solidity, Rust, CosmWasm)
  • DeFi protocol implementation (AMM, lending, staking, yield farming)
  • NFT and token standards (ERC20, ERC721, ERC1155, SPL tokens)
  • DAO governance systems
  • Cross-chain bridges and interoperability
  • Gas optimization and storage patterns
  • Smart contract security audits
  • Testing strategies (Foundry, Hardhat, Anchor)
  • Oracle integration (Chainlink, Pyth)
  • Upgradeable contract patterns (proxies, diamonds)
  • Web3 frontend integration (ethers.js, web3.js, @solana/web3.js)
  • Blockchain indexing (The Graph, subgraphs)
  • MEV protection and flashbots
  • Layer 2 scaling solutions (Base, Arbitrum, Optimism, zkSync)
  • Account abstraction (ERC-4337, EIP-7702, smart wallets)
  • Backend crypto integration (.NET/C#, multi-provider architecture, CQRS)
  • Webhook handling and signature validation (Fireblocks, custodial providers)
  • Event-driven architecture with Kafka for crypto payments
  • Transaction lifecycle management and monitoring
  • Wallet management (custodial vs non-custodial)

Decision Tree: Blockchain Platform Selection

Project needs: [Use Case]
  - EVM-compatible smart contracts?
    - Complex testing needs -> Foundry (fuzzing, invariants, gas snapshots)
    - TypeScript ecosystem -> Hardhat (plugins, TS, Ethers.js/Viem)
    - Enterprise features -> NestJS + Hardhat

  - High throughput / low fees?
    - Rust-based -> Solana (Anchor)
    - EVM L2 -> Arbitrum/Optimism/Base (Ethereum security, lower gas)
    - Telegram distribution -> TON (Tact/FunC)

  - Interoperability across chains?
    - Cosmos ecosystem -> CosmWasm (IBC)
    - Multi-chain apps -> LayerZero or Wormhole (verify trust assumptions)
    - Bridge development -> custom (high risk; threat model required)

  - Token standard implementation?
    - Fungible tokens -> ERC20 (OpenZeppelin), SPL Token (Solana)
    - NFTs -> ERC721/ERC1155 (OpenZeppelin), Metaplex (Solana)
    - Semi-fungible -> ERC1155 (gaming, fractionalized NFTs)

  - DeFi protocol development?
    - AMM/DEX -> Uniswap V3 fork or custom (concentrated liquidity)
    - Lending -> Compound/Aave fork (collateralized borrowing)
    - Staking/yield -> custom reward distribution contracts

  - Upgradeable contracts required?
    - Transparent proxy -> OpenZeppelin (admin/user separation)
    - UUPS -> upgrade logic in implementation
    - Diamond -> modular functionality (EIP-2535)

  - Backend integration?
    - .NET/C# -> multi-provider architecture (see backend integration references)
    - Node.js -> Ethers.js/Viem + durable queues
    - Python -> Web3.py + FastAPI

Chain-Specific Considerations:

  • Ethereum/EVM: Security-first, higher gas costs, largest ecosystem
  • Solana: Performance-first, Rust required, lower fees
  • Cosmos: Interoperability-first, IBC native, growing ecosystem
  • TON: Telegram-first, async contracts, unique architecture

See references/ for chain-specific best practices.

Security-First Patterns (Jan 2026)

Security baseline: Assume an adversarial environment. Treat contracts and signing infrastructure as public, attackable APIs.

Custody, Keys, and Signing (Core)

Key management is a dominant risk driver in production crypto systems. Use a real key management standard as baseline (for example, NIST SP 800-57).

Model Who holds keys Typical use Primary risks Default controls
Non-custodial End user wallet Consumer apps, self-custody Phishing, approvals, UX errors Hardware wallet support, clear signing UX, allowlists
Custodial Your service (HSM/MPC) Exchanges, payments, B2B Key theft, insider threat, ops mistakes HSM/MPC, separation of duties, limits/approvals, audit logs
Hybrid Split responsibility Enterprises Complex failure modes Explicit recovery/override paths, runbooks

BEST:

  • Separate hot/warm/cold signing paths with limits and approvals [Inference]
  • Require dual control for high-value transfers (policy engine + human approval) [Inference]
  • Keep an immutable audit trail for signing requests (who/what/when/why) [Inference]

AVOID:

  • Storing private keys in databases or application config
  • Reusing signing keys across environments (dev/staging/prod)
  • Hot-wallet automation without rate limits and circuit breakers [Inference]

Checks-Effects-Interactions (CEI) Pattern

Mandatory for all state-changing functions.

// Correct: CEI pattern
function withdraw(uint256 amount) external {
    // 1. CHECKS: Validate conditions
    require(balances[msg.sender] >= amount, "Insufficient balance");

    // 2. EFFECTS: Update state BEFORE external calls
    balances[msg.sender] -= amount;

    // 3. INTERACTIONS: External calls LAST
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success, "Transfer failed");
}

// Wrong: External call before state update (reentrancy risk)
function withdrawUnsafe(uint256 amount) external {
    require(balances[msg.sender] >= amount);
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success);
    balances[msg.sender] -= amount; // Too late!
}

Security Tools (Jan 2026)

Category Tool Purpose When to Use
Static Analysis Slither Vulnerability detection, 92+ detectors Every contract
Static Analysis Aderyn Rust-based, faster for large codebases Large projects
Fuzzing Echidna Property-based fuzzing Complex state
Fuzzing Medusa Parallelized Go fuzzer CI/CD pipelines
Formal Verification SMTChecker Built-in Solidity checker Every contract
Formal Verification Certora Property-based proofs (CVL) DeFi, high-value
Formal Verification Halmos Symbolic testing Complex invariants
AI-Assisted Sherlock AI ML vulnerability detection Pre-audit prep
AI-Assisted Olympix DevSecOps integration CI/CD security
AI-Assisted AuditBase 423+ detectors, LLM-powered Business logic
Mutation Testing SuMo Test suite quality assessment Test validation 
// Certora CVL rule example
rule balanceNeverNegative(address user) {
    env e;
    require balances[user] >= 0;
    deposit(e);
    assert balances[user] >= 0;
}

AI-assisted review: Use AI tooling for pre-audit preparation and coverage, not for final security decisions. Treat outputs as untrusted and reproduce findings with deterministic tools, tests, and manual review.

MEV Protection

Strategy Implementation
Private mempool Flashbots Protect, MEV Blocker
Commit-reveal Hash commitment, reveal after deadline
Batch auctions CoW Protocol, Gnosis Protocol
Encrypted mempools Shutter Network 
// Commit-reveal pattern
mapping(address => bytes32) public commitments;

function commit(bytes32 hash) external {
    commitments[msg.sender] = hash;
}

function reveal(uint256 value, bytes32 salt) external {
    require(
        keccak256(abi.encodePacked(value, salt)) == commitments[msg.sender],
        "Invalid reveal"
    );
    // Process revealed value
}

Account Abstraction (Jan 2026)

Note: Adoption numbers and upgrade timelines change quickly. Verify current ERC-4337 ecosystem state and any EIP-7702 activation details with WebSearch before making recommendations.

ERC-4337 vs EIP-7702

Standard Type Key Feature Use Case
ERC-4337 Smart contract wallets Full AA without protocol changes New wallets, DeFi, gaming
EIP-7702 EOA enhancement EOAs execute smart contract code Existing wallets, batch txns
ERC-6900 Modular accounts Plugin management for AA wallets Extensible wallet features

ERC-4337 Architecture:

User -> UserOperation -> Bundler -> EntryPoint -> Smart Account -> Target Contract
                          |
                          v
                      Paymaster (gas sponsorship)

EIP-7702 (Pectra Upgrade):

  • EOAs can temporarily delegate to smart contracts
  • Enables batch transactions, sponsored gas for existing addresses
  • Complementary to ERC-4337 (uses same bundler/paymaster infra)
  • Supported by Ambire, Trust Wallet, and growing

Key Capabilities:

  • Gasless transactions: Paymasters sponsor gas in ERC-20 or fiat
  • Batch operations: Multiple actions in single transaction
  • Social recovery: Multi-sig or guardian-based key recovery
  • Session keys: Limited permissions for dApps without full wallet access

Smart Wallet Development

// Minimal ERC-4337 Account (simplified)
import "@account-abstraction/contracts/core/BaseAccount.sol";

contract SimpleAccount is BaseAccount {
    address public owner;

    function validateUserOp(
        UserOperation calldata userOp,
        bytes32 userOpHash,
        uint256 missingAccountFunds
    ) external override returns (uint256 validationData) {
        // Verify signature
        require(_validateSignature(userOp, userOpHash), "Invalid sig");
        // Pay prefund if needed
        if (missingAccountFunds > 0) {
            (bool success,) = payable(msg.sender).call{value: missingAccountFunds}("");
            require(success);
        }
        return 0; // Valid
    }
}

Layer 2 Development (Jan 2026)

Note: L2 market share and risk stages change quickly. Use current data (for example, L2Beat and ecosystem dashboards) before stating rankings, TVL, or stage classifications.

L2 Selection Guide

L2 Type Best For Key Feature
Base Optimistic Consumer apps, mainstream adoption Coinbase integration, low fees
Arbitrum Optimistic DeFi, mature ecosystem Largest TVL, DAO grants
Optimism Optimistic Public goods, Superchain OP Stack, grant programs
zkSync Era ZK-Rollup Fast finality, native AA zkEVM, no withdrawal delay
StarkNet ZK-Rollup Cairo development, ZK-native STARK proofs, custom VM

Enterprise Rollups (2025-2026 Trend)

Major institutions launching L2s on OP Stack:

  • Kraken INK – Exchange-native L2
  • Uniswap UniChain – DeFi-optimized
  • Sony Soneium – Gaming and media
  • Robinhood – Arbitrum integration

EIP-4844 Blob Optimization

Since March 2024, rollups use blob-based data posting:

Before: calldata posting -> expensive
After:  blob posting -> lower data availability cost

Optimism, zkSync optimized batching for blobs in 2025.

Common Mistakes (2025-2026)

Reality check: Exploits regularly cause large losses. Access control, signing/custody, and integration bugs remain top incident drivers.

Mistake Impact Prevention
Missing access control Unauthorized admin actions Use OpenZeppelin Ownable2Step, AccessControl
Reentrancy Drain funds via callback CEI pattern, ReentrancyGuard, Slither checks
Unchecked external calls Silent failures Always check return values, use SafeERC20
Integer overflow (pre-0.8) Arbitrary value manipulation Use Solidity 0.8.x+ (built-in checks)
Frontrunning MEV extraction, sandwich attacks Commit-reveal, Flashbots Protect, private mempool
Oracle manipulation Price feed attacks TWAP, multiple oracles, sanity bounds
Improper initialization Proxy takeover Use initializer modifier, _disableInitializers()
Storage collision (proxies) Data corruption Follow EIP-1967 slots, use OpenZeppelin upgrades

Anti-Patterns to Avoid

AVOID:

  • Using tx.origin for authorization (phishing risk)
  • Storing secrets on-chain (all data is public)
  • Using block.timestamp for randomness (miner/validator influence)
  • Ignoring return values from transfer/send
  • Using deprecated tooling (Truffle/Ganache/Brownie)

BEST:

  • Run static analysis on every change (for example, Slither and Aderyn)
  • Add fuzz/invariant tests before any audit
  • Use formal methods for high-value DeFi (for example, Certora and symbolic testing)

LLM Limitations in Smart Contracts

Do not rely on LLMs for:

  • Security-critical logic verification
  • Gas optimization calculations
  • Complex mathematical proofs

Use LLMs for:

  • Boilerplate generation (tests, docs)
  • Code explanation and review prep
  • Initial vulnerability hypotheses (verify manually)

When NOT to Use This Skill

Navigation

Resources

Templates

Related Skills

Trend Awareness Protocol

IMPORTANT: When users ask recommendation questions about Web3/crypto development, you MUST use WebSearch to check current trends before answering.

Trigger Conditions

  • “What’s the best blockchain for [use case]?”
  • “What should I use for [smart contracts/DeFi/NFTs]?”
  • “What’s the latest in Web3 development?”
  • “Current best practices for [Solidity/auditing/gas optimization]?”
  • “Is [chain/protocol] still relevant in 2026?”
  • “[Ethereum] vs [Solana] vs [other L1/L2]?”
  • “Best framework for [smart contract development]?”

Required Searches

  1. Search: "Web3 development best practices 2026"
  2. Search: "[Ethereum/Solana/Base] development updates 2026"
  3. Search: "smart contract security 2026"
  4. Search: "[Hardhat/Foundry] comparison 2026"

What to Report

After searching, provide:

  • Current landscape: What chains/tools are popular NOW
  • Emerging trends: New protocols or patterns gaining traction
  • Deprecated/declining: Chains or approaches losing relevance
  • Recommendation: Based on fresh data and ecosystem activity

Example Topics (verify with fresh search)

  • L2 ecosystem growth (Base, Arbitrum, Optimism)
  • Solidity vs Rust for smart contracts
  • Foundry vs Hardhat tooling
  • Account abstraction (ERC-4337) adoption
  • Cross-chain bridges and interoperability
  • DeFi security patterns and audit practices

Operational Playbooks

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。