Vulnerability skills.
45 auto-invoked detection skills. Each activates when Claude sees matching code patterns.
| Skill | What it detects |
|---|---|
| access-control | Detect missing or incorrect access control — missing modifiers, wrong role checks, privileged function exposure, public initializers, and role-escalation paths. Activate on any function that mutates state, transfers funds, mints tokens, sets admin parameters, upgrades implementations, or pauses/unpauses. |
| approval-issues | Detect ERC-20 approval pitfalls — approve race (front-run), missing safeApprove, infinite approvals, approval-without-revoke, Permit2 misuse, max-approval to untrusted contracts. Activate on `approve`, `safeApprove`, `permit`, `forceApprove`, `Permit2`, `IERC20.allowance`. |
| caching-and-incremental | Always-on meta-skill — cache audit results per file by content hash so unchanged files aren't re-analyzed on subsequent runs. Activate on every /audit, /quick-scan, /audit-changes invocation. |
| centralization-risk | Detect centralization and trust-assumption risks — admin powers, single-key risk, missing timelocks, upgrade authority, treasury keys, pause permanence, blacklisting authority, oracle authority. Activate on `onlyOwner`, `onlyRole`, `AccessControl`, upgrade authorizations, pause/unpause functions, mint/burn caps, treasury/fee setters. |
| confidence-scoring | Always-on meta-skill — for every finding produced, attach a confidence level (HIGH/MEDIUM/LOW) and a reasoning trace. Activate on every /audit, /audit-deep, /audit-changes, /audit-live, /quick-scan invocation. |
| cosmwasm | Detect bug classes specific to CosmWasm (Rust) contracts — missing info.sender authorization in execute handlers, unbounded map iteration → gas/DoS, reply/submessage reply_id confusion, migrate admin backdoors, addr_validate vs raw string addresses, unchecked info.funds, Uint128 overflow, query reentrancy, and migration/version state. Activate on any `.rs` file with `use cosmwasm_std`, `#[entry_point]`, `ExecuteMsg`, `InstantiateMsg`, `QueryMsg`, `cw_storage_plus`, or `DepsMut`. |
| cross-chain-messaging | Detect cross-chain messaging bugs — replay protection gaps, untrusted-remote acceptance, default-config inheritance, validator-set misconfig, force-include vulnerabilities, chainId / domain-separator omissions. Activate on `_lzReceive`, `ccipReceive`, `handle` (Hyperlane), `receiveMessage`, `verifyVAA`, IRouterClient, IMailbox, EndpointV2, OApp/OFT, LayerZero / CCIP / Hyperlane / Wormhole / Axelar / Polyhedra integration code. |
| cross-contract-state | Detect cross-contract state inconsistency — two or more contracts sharing a token, oracle, or price feed where one mutates and another reads stale, cached state that drifts from source of truth, non-atomic multi-contract updates, accounting that assumes synchronized state, and reads during callbacks. Activate whenever a system spans multiple contracts that must agree on a value but update at different times. |
| delegatecall-risks | Detect delegatecall risks — uninitialized proxies, malicious implementations, storage-slot collisions, delegatecall to user-controlled addresses, library delegatecall pitfalls. Activate on `delegatecall`, UUPS proxy upgrades, multicall implementations, diamond facets, governor-execute patterns. |
| diamond-eip2535 | Detect Diamond (EIP-2535) bugs — facet selector collisions, init-vs-upgrade safety, storage-namespace collisions, facet selfdestruct paths, missing facet cuts. Activate on Diamond imports, DiamondCut, IDiamondLoupe, IDiamondCut, LibDiamond, facet patterns. |
| dos-vectors | Detect denial-of-service vectors — unbounded loops, gas griefing, push-payment chokepoints, block-stuffing exposure, revert-on-receive blocking. Activate on loops over user-controlled arrays, batch withdrawals, push-style payouts, queues, auctions with "highest-bidder" refunds, large airdrops. |
| erc1271-contract-signatures | Detect ERC-1271 contract-signature bugs — magic-value handling, signature validation edge cases, smart-wallet interactions (Safe, Argent), replay-via-signature-update. Activate on `isValidSignature`, ERC1271 imports, smart-wallet integration, signed orders that may originate from contracts. |
| erc4337-account-abstraction | Detect ERC-4337 account-abstraction bugs — validateUserOp storage-rule violations, paymaster postOp DoS, session-key scope bypasses, signature aggregation issues, EIP-7702 delegation risks. Activate on `validateUserOp`, `validatePaymasterUserOp`, `postOp`, `UserOperation`, `EntryPoint`, `IAccount`, `IPaymaster`, session-key modules, ERC-7579 modules, EIP-7702 authorization payloads. |
| erc4626-inflation | Detect ERC-4626 inflation/donation attacks — first depositor share-price manipulation, naive convertToShares math, missing virtual-shares defense. Activate on any ERC-4626 vault implementation, share/asset math, `convertToShares`, `convertToAssets`, `previewDeposit`, `previewMint`, `totalAssets`, `_decimalsOffset`. |
| false-positive-feedback-loop | Meta-skill for managing user-dismissed findings. Before reporting any finding, check it against the project's .rugproof.yml ignore list and inline rugproof-ignore markers. Activate on every audit command. |
| fee-on-transfer | Detect fee-on-transfer / deflationary / rebasing token accounting bugs — crediting the *passed amount* instead of the measured balance delta. Activate whenever code calls transfer/transferFrom and then credits, mints shares for, or records the literal amount argument, in deposits, AMM swaps, lending collateral, vaults, staking, or bridges — without measuring balanceAfter - balanceBefore. |
| flash-loan-attacks | Detect vulnerability to flash-loan-funded attacks — governance manipulation, price manipulation, collateral inflation, vault donation attacks. Activate when reviewing AMMs, lending protocols, governors, ERC-4626 vaults, staking with voting power, or any system whose state depends on its own balance. |
| initialization | Detect initialization bugs in upgradeable contracts — missing `_disableInitializers()`, re-init attacks, parent-init not chained, constructor-vs-initializer confusion, public `initialize`. Activate on OZ Upgradeable, UUPS, Transparent proxy, Initializable, or any contract with `initialize` / `__init`. |
| inline-assembly | Detect bugs in inline Yul / assembly — manual memory mismanagement, free-memory-pointer corruption, return-data manipulation, missing return-data-size checks, dirty-bits in narrow types. Activate on any `assembly { … }` block, Yul code, Solady-style assembly usage. |
| integer-issues | Detect integer over/underflow in `unchecked` blocks, downcasting losses, fixed-point precision errors, division-before-multiplication, signed/unsigned mixing. Activate on any arithmetic in `unchecked { }`, `SafeCast`, `uintN(uintM(x))` casts, division and modulo, percentage/basis-points math, AMM share/asset math. |
| intents-erc7683 | Detect ERC-7683 / intent-based protocol bugs — solver griefing, intent expiration, settlement race conditions, surplus theft, cross-chain replay, allowance front-runs. Activate on `IOriginSettler`, `IDestinationSettler`, `CrossChainOrder`, ERC-7683 imports, UniswapX reactor patterns, CoW settlement, 1inch Fusion, Across spoke pool / hub pool. |
| known-good-comparison | When auditing a contract that resembles a canonical implementation (OpenZeppelin, Solady, Uniswap, Compound, etc.), compare against the reference. Treat deviations as suspect by default. |
| liquidation-cascade | Detect cascading liquidations and socialized bad debt — correlated collateral (multiple LSTs/stables), bad debt socialized across unrelated markets, oracle flash-crash triggering mass liquidation, insurance-fund depletion ordering, liquidation incentives too low to clear bad debt, and depeg cascades. Activate whenever a lending/perp/CDP protocol liquidates positions, prices collateral, or has shared-risk pools. |
| mev-frontrunning | Detect MEV exposure and front-running risks — sandwich attacks, missing commit-reveal, missing/manipulable deadlines, absent slippage protection, public mempool dependence. Activate on swaps, mints, liquidations, NFT mints with reveals, auctions, and any function whose ordering can extract value. |
| mev-pbs | Detect MEV and proposer-builder-separation exposure — sandwichable swaps with no minOut, JIT liquidity, oracle-update frontrunning, backrunnable state, false reliance on private mempools, builder censorship, missing commit-reveal, and multi-block MEV post-PBS. Activate whenever code performs swaps/liquidations/auctions/redemptions whose ordering or price is observable in the public mempool before execution. |
| multi-pass-self-critique | Meta-skill for /audit-strict and high-stakes audits. Run two independent passes with different starting contexts, then keep only consensus findings. Aggressively cuts false positives. |
| oracle-manipulation | Detect oracle manipulation risks — spot-price reads from AMMs, stale Chainlink answers, single-source dependence, TWAP gaming. Activate whenever code reads a price, conversion rate, exchange rate, or `getReserves`, `latestAnswer`, `latestRoundData`, `consult`, `quote`, `slot0`, `observe`, `getAmountsOut`. |
| oracle-redundancy | Detect oracle fallback and redundancy failure modes (distinct from price manipulation) — single point of failure, missing staleness/heartbeat/deviation checks, an "all oracles down" path that reverts or silently returns stale/zero, missing L2 sequencer-uptime feed, and absent circuit breakers. Activate whenever code reads a price/rate feed, especially Chainlink latestRoundData, with fallbacks or on an L2. |
| permit2-patterns | Detect Permit2 / EIP-2612 lifecycle bugs — signature lifecycle, allowance transfer vs signature transfer confusion, nonce reuse, deadline manipulation, witness-data misuse. Activate on `permit`, `permitTransferFrom`, `IPermit2`, `SignatureTransfer`, `AllowanceTransfer`, `PermitWitnessTransferFrom`, `PermitBatchTransferFrom`. |
| pragma-and-addresses | Detect floating pragma, hardcoded addresses, missing zero-address checks, deprecated Solidity versions. Activate on every `pragma solidity` line, `constant ADDRESS = 0x...`, `immutable` address parameters, address comparisons. |
| progress-and-streaming | Convention for streaming progress on long-running audit commands. Use during /audit, /audit-deep, /audit-strict, /simulate, /exploit-chain — anything taking >10 seconds. |
| reentrancy | Detect reentrancy vulnerabilities — classic, cross-function, and cross-contract (especially read-only reentrancy). Activate whenever Solidity/Vyper code performs external calls, low-level call/transfer/send, ERC-721 safeTransfer with a receiver hook, or any pattern where control flow leaves the contract before state finalization. |
| restaking-eigenlayer | Detect restaking / AVS bugs — EigenLayer / Symbiotic / Karak operator slashing edge cases, withdrawal-queue gaming, cascading slashing across AVSs, LST depeg solvency, AVS opt-in granularity. Activate on EigenLayer / Symbiotic / Karak imports, StrategyManager, DelegationManager, EigenPod, AVS registration, slasher contracts. |
| selfdestruct-eip6780 | Detect selfdestruct misuse and EIP-6780 implications post-Cancun — bricked contracts, broken `assert(balance == X)` invariants, factory patterns relying on redeploy, deployment-tx-only selfdestruct corner cases. Activate on `selfdestruct`, `suicide`, `CREATE2` factories, contracts asserting on `address(this).balance`. |
| signature-malleability | Detect ECDSA signature malleability and ecrecover pitfalls — missing low-s (EIP-2) enforcement, unconstrained v, unchecked address(0) from ecrecover, replay across chainId/contract from a missing EIP-712 domain separator, EIP-2098 compact-signature confusion, and signature reuse. Activate whenever code calls ecrecover directly, parses (r,s,v) from bytes, or verifies signed messages without OpenZeppelin ECDSA. |
| signature-replay | Detect signature-replay, EIP-712 / EIP-2612 mistakes, malleable signatures, cross-chain replay, missing nonces. Activate on `ecrecover`, `permit`, meta-transactions, signed orders, signed approvals, EIP-712 domain construction, gasless transaction relayers. |
| solana-anchor | Detect bug classes specific to Solana / Anchor (Rust) programs — missing signer checks, missing account owner checks, account-confusion / type-cosplay without discriminator validation, unchecked AccountInfo, non-canonical PDA seeds/bumps & seed collisions, missing has_one/constraint, CPI to unverified programs, close-account lamport-drain & revival, sysvar spoofing, and arbitrary-account substitution. Activate on any `.rs` file with `use anchor_lang`, `#[program]`, `#[derive(Accounts)]`, `#[account]`, `Signer<'info>`, or `AccountInfo`. |
| storage-layout | Detect storage-layout issues in upgradeable contracts — slot collisions, slot reuse, packing changes, missing gap. Activate when reviewing UUPS/Transparent proxies, OZ Upgradeable contracts, diamonds (EIP-2535), libraries with structs, or any contract using assembly to read storage slots. |
| stylus-rust | Detect bug classes specific to Arbitrum Stylus (Rust→WASM) contracts — storage aliasing & EVM state-cache coherence, msg::value / #[payable] handling, external-call reentrancy, panic-on-attacker-input DoS, release-mode integer wrapping, host-IO (evm::) misuse, #[entrypoint]/#[public] access control, and lossy U256 conversions. Activate on any `.rs` file with `use stylus_sdk`, `#[entrypoint]`, `#[storage]`, `sol_storage!`, `#[public]`, or `#[payable]`. |
| token-compatibility | Detect ERC-20 token compatibility issues — fee-on-transfer, rebasing, non-standard return values, missing decimals(), low-decimal tokens, blacklistable tokens (USDC), pausable tokens. Activate on any ERC-20 integration, `transfer`/`transferFrom` use, balance-based accounting, decimal scaling. |
| tx-context-misuse | Detect misuse of tx.origin, block.timestamp, block.number — phishing via tx.origin, timestamp dependence, L2-block-number assumptions. Activate on `tx.origin`, `block.timestamp`, `block.number`, `blockhash`, `block.prevrandao`, `block.coinbase`. |
| unchecked-calls | Detect ignored external-call return values — silent failures from low-level call/delegatecall/staticcall, ignored ERC20 transfer return values, return-data length issues. Activate on `.call`, `.delegatecall`, `.staticcall`, `.send`, `transfer`/`transferFrom` (without SafeERC20), and any function returning `bool` whose return is discarded. |
| ve-lock-governance | Detect vote-escrow (ve) governance manipulation — Curve veCRV, Velodrome/Aerodrome veNFT, Balancer veBAL, and gauge/bribe markets. Activate whenever code reads voting power from a lock balance, computes gauge weights, distributes bribes/incentives, snapshots votes, or lets locks be created/extended/merged/split/transferred — especially when vote weight is read live rather than at the proposal-creation block. |
| vyper-specific | Detect Vyper-specific bug classes — compiler-version reentrancy bugs, raw_call return-value handling, send/raw_call gas defaults, immutables vs constants, default-bytes scope, msg.sender-based auth corner cases. Activate on any `.vy` file or `pragma version` directive. |
| zk-verifier-bugs | Detect ZK proof-verifier contract bugs — missing public-input binding (unconstrained input → forgery), proof malleability, BN254 field-element range checks (input >= field modulus), unchecked pairing/ecAdd/ecMul precompile returns, nullifier reuse / double-spend, verification-key upgradeability, and trusted-setup assumptions. Activate whenever a contract verifies a SNARK/STARK proof, calls the bn256/altbn128 precompiles, or consumes nullifiers. |