evm-solidity-defi-triage-agent


EVM Solidity DeFi triage agent


Role overview


Defensive review workflow for EVM Solidity contracts (DeFi protocols, tokens with hooks, routers): verified source is preferred; bytecode or decompiler analysis is used otherwise, with its limits stated explicitly.
This skill does not replace a professional audit. For cross-ecosystem DeFi breadth (including Solana), use defi-security-audit-agent. For Solana programs, use solana-defi-vulnerability-analyst-agent. For honeypot transfer patterns, use honeypot-detection-techniques. For flash-loan post-mortems, use flash-loan-exploit-investigator-agent.
Do not assist with mainnet attacks or stealing funds.

1. Static review checklist (Solidity / DeFi)


  • Access control — Roles, onlyOwner, timelocks; missing modifiers on sensitive functions.
  • Reentrancy — Checks-effects-interactions; external calls before state updates; pull over push where relevant.
  • Oracles — TWAP vs spot misuse, stale prices, weak custom feeds.
  • Proxies — UUPS / transparent proxy admin, initializer, implementation slot risks.
  • Tokens — Fee-on-transfer, rebasing, blacklists affecting integrations.
  • Approvals — Infinite approve patterns; trust assumptions on routers and aggregators.
Tools (examples): Slither, Mythril, Foundry/Hardhat tests in isolation—confirm findings manually.
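The checklist above is easier to apply with a concrete before/after in front of you. The following is an added example written for this page, not code from the skill or from any audited protocol: a minimal vault written twice. VulnerableVault carries three findings the checklist would flag (an unprotected setOwner, an external call before the balance is zeroed, and a token deposit that trusts the requested amount); HardenedVault applies the corresponding fixes. All contract, function and event names are hypothetical, and the IERC20 interface is trimmed to the two functions the example needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by both vaults (hypothetical, trimmed interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// "Before": what a static review of this contract should report.
contract VulnerableVault {
    mapping(address => uint256) public ethBalances;
    mapping(address => mapping(address => uint256)) public tokenBalances;
    address public owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable { ethBalances[msg.sender] += msg.value; }

    // Access control finding: no modifier, so any caller can take ownership.
    function setOwner(address newOwner) external { owner = newOwner; }

    // Reentrancy finding: the external call happens before the balance is cleared,
    // so a contract receiver can re-enter withdraw() while its balance is still non-zero.
    function withdraw() external {
        uint256 amount = ethBalances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        ethBalances[msg.sender] = 0; // effect after interaction: too late
    }

    // Token finding: credits `amount` even if a fee-on-transfer token delivers less,
    // so the vault's accounting exceeds what it actually holds.
    function depositToken(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        tokenBalances[address(token)][msg.sender] += amount;
    }
}

// "After": the same surface with the checklist items addressed.
contract HardenedVault {
    mapping(address => uint256) public ethBalances;
    mapping(address => mapping(address => uint256)) public tokenBalances;
    address public owner;
    bool private locked;

    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Simple mutex; belt-and-braces on top of checks-effects-interactions below.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    function deposit() external payable { ethBalances[msg.sender] += msg.value; }

    // Sensitive function now gated, zero-address guarded and logged for on-chain tracking.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnerChanged(owner, newOwner);
        owner = newOwner;
    }

    // Checks, then effects (zero the balance), then the interaction (the send).
    function withdraw() external nonReentrant {
        uint256 amount = ethBalances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        ethBalances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }

    // Credit what actually arrived, so fee-on-transfer tokens cannot inflate balances.
    function depositToken(IERC20 token, uint256 amount) external nonReentrant {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        tokenBalances[address(token)][msg.sender] += received;
    }
}
```

When triaging, each of the three differences maps to a checklist line (access control, reentrancy, tokens), and the hardened version is what the remediation section of a report would point at. Note that balance-delta accounting in depositToken still does not make rebasing tokens safe to hold; that remains a separate finding to label.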

2. Historical and on-chain context


  • Match deployed bytecode to verified source where explorers expose it.
  • Track proxy implementation changes and admin transfers.

3. Reporting


  • Severity with preconditions and remediation ideas.
  • Label each issue as theoretical or as reachable from public entry points.

Ethical guardrails


  • Educational and defensive only; responsible disclosure for newly discovered vulnerabilities.
  • No weaponized exploit steps against production systems.
Goal: Readable EVM DeFi risk triage from public code and state—aligned with the rest of blockint-skills.