[AUTO-INVOKE] MUST be invoked BEFORE deploying DeFi contracts (DEX, lending, staking, LP, token). Covers anti-whale, anti-MEV, flash loan protection, launch checklists, and emergency response. Trigger: any deployment or security review of DeFi-related contracts.
Scope: Only applicable to DeFi projects (DEX, lending, staking, LP, yield). Non-DeFi projects can ignore this skill.
| Threat | Required Protection |
|---|---|
| Whale manipulation | Daily transaction caps + per-tx amount limits + cooldown window |
| MEV / sandwich attack | EOA-only checks (msg.sender == tx.origin), or use commit-reveal pattern |
| Arbitrage | Referral binding + liquidity distribution + fixed yield model + lock period |
| Reentrancy | ReentrancyGuard on all external-call functions (see solidity-security skill) |
| Flash loan attack | Check block.number change between operations, or use TWAP pricing |
| Price manipulation | Chainlink oracle or TWAP — never rely on spot AMM reserves for pricing |
| Approval exploit | Use safeIncreaseAllowance / safeDecreaseAllowance, never raw approve for user flows |
| Governance attack | Voting requires snapshot + minimum token holding period; timelock ≥ 48h on proposal execution |
| ERC4626 inflation attack | First deposit must enforce minimum amount or use virtual shares to prevent share dilution via rounding |
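The protections in the threat table map onto a small amount of contract code. The contract below is an added example written for this skill, not code from the skill file or from any project it references: it combines a per-transaction limit, a per-address daily cap (the address → day → amount mapping), a block.timestamp cooldown, a block.number same-block check against flash loans, a pause switch and owner-only setters in one ETH-denominated staking contract. The contract and function names (DeFiGuardedStaking, setLimits, guarded) are assumptions, and the reentrancy lock is a hand-rolled stand-in for OpenZeppelin's ReentrancyGuard so the file compiles without dependencies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the skill file's code). Names are assumptions.
contract DeFiGuardedStaking {
    address public owner;      // transfer to a multisig before mainnet (see checklist)
    bool public paused;
    uint256 public maxPerTx;   // per-transaction amount limit, in wei
    uint256 public dailyCap;   // per-address cap per UTC day, in wei
    uint256 public cooldown;   // seconds required between two actions by one address

    mapping(address => uint256) public staked;
    // address -> day index -> amount moved that day
    mapping(address => mapping(uint256 => uint256)) public dailyVolume;
    mapping(address => uint256) public lastActionTime;  // block.timestamp of last action
    mapping(address => uint256) public lastActionBlock; // block.number of last action

    uint256 private _lock = 1; // minimal reentrancy guard: 1 = unlocked, 2 = locked

    event Paused(address by);
    event Unpaused(address by);
    event LimitsUpdated(uint256 maxPerTx, uint256 dailyCap, uint256 cooldown);

    constructor(uint256 _maxPerTx, uint256 _dailyCap, uint256 _cooldown) {
        owner = msg.sender;
        maxPerTx = _maxPerTx;
        dailyCap = _dailyCap;
        cooldown = _cooldown;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }
    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }

    /// Whale and flash-loan guard applied to every fund-moving function.
    modifier guarded(uint256 amount) {
        require(amount <= maxPerTx, "exceeds per-tx limit");
        uint256 day = block.timestamp / 1 days;
        require(dailyVolume[msg.sender][day] + amount <= dailyCap, "exceeds daily cap");
        require(block.timestamp >= lastActionTime[msg.sender] + cooldown, "cooldown active");
        // A flash loan is borrowed and repaid within one block, so a second
        // interaction in the same block as the previous one is rejected.
        require(block.number > lastActionBlock[msg.sender], "same block as last action");
        dailyVolume[msg.sender][day] += amount;
        lastActionTime[msg.sender] = block.timestamp;
        lastActionBlock[msg.sender] = block.number;
        _;
    }

    function stake() external payable whenNotPaused nonReentrant guarded(msg.value) {
        staked[msg.sender] += msg.value;
    }

    function unstake(uint256 amount) external whenNotPaused nonReentrant guarded(amount) {
        require(staked[msg.sender] >= amount, "insufficient stake");
        staked[msg.sender] -= amount; // effects before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Owner-only setter for the limits; the owner is expected to be a multisig.
    function setLimits(uint256 _maxPerTx, uint256 _dailyCap, uint256 _cooldown) external onlyOwner {
        maxPerTx = _maxPerTx;
        dailyCap = _dailyCap;
        cooldown = _cooldown;
        emit LimitsUpdated(_maxPerTx, _dailyCap, _cooldown);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    /// Emergency switch: the pause() call is step 2 of the emergency response.
    function pause() external onlyOwner { paused = true; emit Paused(msg.sender); }
    function unpause() external onlyOwner { paused = false; emit Unpaused(msg.sender); }
}
```

Deploy with the limits in wei and seconds, then call transferOwnership with the multisig address before the checklist sign-off. Two consequences of these guards are worth deciding on deliberately: unstake is also blocked while paused, which is what an emergency halt wants but locks honest users in until unpause(), and the same-block rule rejects legitimate contract wallets that batch a stake and an unstake into one transaction.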
Implementation notes for the protections above:
- onlyOwner setter for the configurable limits
- mapping(address => mapping(uint256 => uint256)) (address → day → amount) for the daily cap
- block.timestamp check for the cooldown window
- block.number has changed since last interaction (flash loan protection)

Before mainnet deployment, verify all items:
- onlyOwner functions transferred to multisig (e.g., Gnosis Safe)
- Pausable emergency switch tested — both pause() and unpause() work correctly
- forge test --fuzz-runs 10000 passes on all DeFi-critical functions

| Step | Action |
|---|---|
| 1. Detect | Monitor alerts trigger (on-chain monitoring, community reports) |
| 2. Pause | Designated address calls pause() — must respond within minutes |
| 3. Assess | Technical lead analyzes root cause, estimates fund impact |
| 4. Communicate | Post incident notice to community channels (Discord, Twitter, Telegram) |
| 5. Fix | Deploy fix or prepare recovery plan |
| 6. Resume | Call unpause() after fix verified on fork — or migrate to new contract |
| 7. Post-mortem | Publish detailed incident report within 48 hours |
```bash
# Fuzz test fund flows with high iterations
forge test --match-contract StakingTest --fuzz-runs 10000

# Fork mainnet to test against real state
forge test --fork-url $MAINNET_RPC -vvvv

# Simulate whale transaction on fork
cast send <CONTRACT> "stake(uint256)" 1000000000000000000000000 \
  --rpc-url $FORK_RPC --private-key $TEST_KEY
```
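The fuzz-run commands above are only as useful as the tests they execute. The file below is an added example, not code from the skill file or from any project it references: a Foundry test for the ERC4626 inflation row of the threat table, using the virtual-shares mitigation (shares are priced against totalSupply plus a constant virtual supply and totalAssets plus one, the scheme OpenZeppelin's ERC4626 uses with a decimals offset). To stay self-contained the vault is ETH-denominated rather than a real ERC4626 with an ERC20 asset; the contract and test names (VirtualShareVault, VIRTUAL_SHARES, test_firstDepositorCannotDiluteSecond) are assumptions, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Added example (not the skill file's code). Minimal ETH vault with virtual shares.
contract VirtualShareVault {
    uint256 public constant VIRTUAL_SHARES = 1e6; // 10 ** decimalsOffset with offset 6
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function totalAssets() public view returns (uint256) { return address(this).balance; }

    // shares = assets * (totalSupply + VIRTUAL_SHARES) / (totalAssets + 1), rounded down
    function convertToShares(uint256 assets) public view returns (uint256) {
        return assets * (totalSupply + VIRTUAL_SHARES) / (totalAssets() + 1);
    }

    // assets = shares * (totalAssets + 1) / (totalSupply + VIRTUAL_SHARES), rounded down
    function convertToAssets(uint256 shares) public view returns (uint256) {
        return shares * (totalAssets() + 1) / (totalSupply + VIRTUAL_SHARES);
    }

    function deposit() external payable returns (uint256 shares) {
        // address(this).balance already includes msg.value, so price on the pre-deposit balance
        shares = msg.value * (totalSupply + VIRTUAL_SHARES) / (totalAssets() - msg.value + 1);
        require(shares > 0, "zero shares");
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        assets = convertToAssets(shares);
        balanceOf[msg.sender] -= shares; // checked math reverts on underflow
        totalSupply -= shares;
        (bool ok, ) = msg.sender.call{value: assets}("");
        require(ok, "transfer failed");
    }

    receive() external payable {} // direct transfers inflate totalAssets without minting shares
}

contract VirtualShareVaultTest is Test {
    VirtualShareVault vault;
    address firstDepositor = makeAddr("firstDepositor");
    address secondDepositor = makeAddr("secondDepositor");

    function setUp() public {
        vault = new VirtualShareVault();
        vm.deal(firstDepositor, 11 ether);
        vm.deal(secondDepositor, 1 ether);
    }

    /// Regression scenario from the threat table: a 1 wei first deposit followed by a
    /// 10 ether direct transfer must not round the next depositor's shares down to zero.
    function test_firstDepositorCannotDiluteSecond() public {
        vm.startPrank(firstDepositor);
        vault.deposit{value: 1}();
        (bool ok, ) = address(vault).call{value: 10 ether}("");
        require(ok, "direct transfer failed");
        vm.stopPrank();

        vm.prank(secondDepositor);
        uint256 shares = vault.deposit{value: 1 ether}();
        assertGt(shares, 0);

        // The second depositor gets essentially all of their deposit back ...
        vm.prank(secondDepositor);
        uint256 got = vault.redeem(shares);
        assertGe(got, 0.99 ether);
        // ... while the 10 ether used to inflate the rate is not recoverable by the first depositor.
        assertLt(vault.convertToAssets(vault.balanceOf(firstDepositor)), 10 ether);
    }

    /// Fuzz over first-deposit size and direct-transfer size: a later 1 ether
    /// depositor always receives shares (run with --fuzz-runs 10000).
    function testFuzz_secondDepositorAlwaysGetsShares(uint96 first, uint96 donation) public {
        first = uint96(bound(first, 1, 10 ether));
        donation = uint96(bound(donation, 0, 1000 ether));
        vm.deal(firstDepositor, uint256(first) + donation);

        vm.startPrank(firstDepositor);
        vault.deposit{value: first}();
        (bool ok, ) = address(vault).call{value: donation}("");
        require(ok, "direct transfer failed");
        vm.stopPrank();

        vm.prank(secondDepositor);
        assertGt(vault.deposit{value: 1 ether}(), 0);
    }
}
```

Run it with the fuzz command from the block above, substituting VirtualShareVaultTest for StakingTest. The design choice to check is the offset: with VIRTUAL_SHARES = 1e6 the rounding loss for a later depositor is bounded to roughly one part in a million of the pool, and a larger offset tightens that bound at the cost of larger share numbers.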