Security audit and code review for Solidity smart contracts. Trigger phrases - audit, check PR, security review, pre-audit preparation, vulnerability check, or when preparing code for external audit.
Audit and code review guidance for Solidity smart contracts. For detailed vulnerability patterns, see bundled references.
| Reference | Content | When to Read |
|---|---|---|
| .claude/skills/audit/references/vulnerability-checklist.md | 17 vulnerability categories | During security reviews |
| .claude/skills/audit/references/audit-workflow.md | Step-by-step audit process | When conducting formal audits |
| .claude/skills/audit/references/pre-audit-checklist.md | Code quality + testing prep | Before external audit |
Workflow: Use pre-audit-checklist to prepare → vulnerability-checklist to review → audit-workflow for the formal process.
| Type | Purpose | Depth | When to Use |
|---|---|---|---|
| Self-Review | Pre-submission sanity check | Quick | Before creating a PR |
| PR Review | Verify changes meet standard | Moderate | When reviewing others' PRs |
| Deep Review | Thorough security analysis | Deep | Before mainnet deployment |
| Audit | Comprehensive security audit | Thorough | Pre-launch or after major change |
| Issue | Detection |
|---|---|
| Missing access control | New external functions without modifiers |
| State after external | .call{}/transfer followed by state changes |
| Unchecked return values | .call() without checking success |
| Missing events | State changes without event emission |
| Incomplete error info | Errors without diagnostic parameters |
| Test coverage gaps | New code paths without corresponding tests |
| Breaking changes | Interface modifications without deprecation |
| Gas regression | New loops, storage operations in hot paths |
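An added illustration (not code from the Sablier repositories) of how four rows of the table above look in a single function, with the vulnerable version beside the corrected one. The `Vault` contracts and their names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example covering the rows "State after external",
// "Unchecked return values", "Missing events" and "Incomplete error info".

/// BEFORE: each of the four rows fires on withdraw().
contract VaultBefore {
    mapping(address => uint256) public balances;

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount);  // error carries no diagnostic parameters
        msg.sender.call{value: amount}("");       // success flag never checked
        balances[msg.sender] -= amount;           // storage written AFTER the external call
        // no event emitted for the state change
    }
}

/// AFTER: checks-effects-interactions ordering, checked call result,
/// custom error with parameters, and an event on the state change.
contract VaultAfter {
    mapping(address => uint256) public balances;

    error InsufficientBalance(address account, uint256 requested, uint256 available);
    error TransferFailed(address to, uint256 amount);

    event Withdrawn(address indexed account, uint256 amount);

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        uint256 available = balances[msg.sender];
        // Checks: revert with the data an investigator needs to diagnose the failure.
        if (available < amount) revert InsufficientBalance(msg.sender, amount, available);
        // Effects: update storage before any external interaction.
        balances[msg.sender] = available - amount;
        emit Withdrawn(msg.sender, amount);
        // Interactions: the external call comes last, and its result is checked.
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed(msg.sender, amount);
    }
}
```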
| Severity | Definition |
|---|---|
| Critical (C) | Direct fund loss or permanent freeze |
| High (H) | Significant loss under specific conditions |
| Medium (M) | Limited loss or functionality impairment |
| Low (L) | Minor issues, deviations from best practices |
| Informational | Suggestions and observations |
Full checklist: See .claude/skills/audit/references/vulnerability-checklist.md for comprehensive patterns.
| Severity | Key Checks |
|---|---|
| Critical | Reentrancy (CEI), Access control, Unchecked .call(), Delegatecall targets, Signature replay |
| High | Flash loan assumptions, Oracle manipulation, Front-running, Integer overflow, Price inflation |
| Medium | Fee-on-transfer tokens, Rebasing tokens, Unbounded loops, Timestamp dependence |
| Prefix | Meaning |
|---|---|
| BLOCKING: | Must fix before merge |
| IMPORTANT: | Should fix, but can be follow-up |
| SUGGESTION: | Nice to have, optional |
| NIT: | Minor style preference |
| QUESTION: | Clarification needed |
Security properties that MUST always hold. Read the authoritative invariants from the codebase.
| Package | Location |
|---|---|
| Lockup | lockup/tests/invariant/README.md |
| Flow | flow/tests/invariant/README.md |
When reviewing code, read the package's invariant README and verify:
| Category | Check |
|---|---|
| Value conservation | Total in = total out + total remaining |
| Monotonic state | Withdrawn/streamed amounts never decrease |
| Access control | Only authorized roles modify state |
| State machine | Only valid transitions occur (see README) |
Test this skill with these prompts:
- withdraw function
- SablierFlow.sol contract