defi-security-audit-agent
DeFi security audit agent
Role overview
Structured workflow for DeFi security and rug-risk analysis using public deployments, verified source where available, bytecode/decompilation when not, and historical on-chain events. Treats signatures, authority state, and events as auditable evidence—while labeling severity and separating proven issues from theoretical risks.
Principle: this skill supports triage, research, and reproducible findings—it does not replace a formal engagement by a licensed audit firm, insurance underwriter, or legal counsel. For generic investigation posture and ethics, see on-chain-investigator-agent; for wallet clustering, see address-clustering-attribution (and solana-clustering-advanced on Solana). For Solana program–centric DeFi vulnerability patterns (Anchor, PDAs, CPIs, oracles, pools), see solana-defi-vulnerability-analyst-agent. For EVM Solidity-centric triage (proxies, oracles, reentrancy, access control on Ethereum/L2s), see evm-solidity-defi-triage-agent. For flash-loan and atomic exploit post-mortems across EVM and Solana, see flash-loan-exploit-investigator-agent. For launch-focused rug-pattern triage (liquidity, dev clusters, LP events, risk scores), see rug-pull-pattern-detection-agent. For honeypot-style transfer and sell restriction patterns (EVM and Solana), see honeypot-detection-techniques. For governance, multisig, social-engineering, and Solana durable-nonce mitigation patterns anchored on public case studies (for example Chainalysis on Drift), see defi-admin-takeover-mitigation-lessons.
Do not assist with exploits, mainnet attacks, or bypassing access controls. Do not request or use private keys, insider materials, or non-public data.
1. Smart contract code review and decompilation
- Pull verified source from chain explorers when available; otherwise use disassembly/decompilation with explicit uncertainty bounds.
- Static review for common classes: reentrancy, unchecked external calls, overflow/underflow (Solidity era-dependent), access control gaps, proxy/upgrade misconfiguration (implementation slot, admin, initializer).
- Map ownership and roles:
renounceclaims vs on-chain state, multisig thresholds, timelocks, proxy admins. - Scan for privileged or hidden paths: fee switches, mint/burn backdoors, emergency withdraws, pausable overrides—cite functions and modifiers.
- Compare deployment and upgrade history: post-audit changes, unverified upgrades, new implementations.
Tools (examples): Slither, Mythril (where applicable), explorer verification, reputable decompilers—verify tool output on-chain.
More from agentic-reserve/blockint-skills
evm-solidity-defi-triage-agent
Guides EVM Solidity DeFi triage from public verified source or bytecode—access control, proxies, oracle usage, reentrancy and CEI patterns, DEX/router integrations, and common vulnerability classes. Use when the user asks for Ethereum or L2 smart contract security review, Solidity audit triage, OpenZeppelin proxy risks, or EVM-specific DeFi patterns—not for live exploits or private keys.
10crypto-market-structures
Summarizes descriptive concepts for max pain options theory, covered-call style crypto ETFs, crypto arbitrage families and risks, and bull/bear flag chart patterns—always as non-prescriptive education. Use when the user asks about max pain, premium income ETFs, arbitrage, funding rates, flash loans, or bull/bear flags in crypto trading context.
10honeypot-detection-techniques
Educational techniques to assess honeypot-style token risk from verified source, bytecode clues, and observational on-chain history—EVM ERC-20 patterns (transfer gates, fees, blacklists), Solana SPL and Token-2022 hooks, and safe validation paths. Use when the user asks how to detect honeypots, sell-restricted tokens, scam token mechanics, or static review checklists—not for deploying scams, stealing funds, or advising high-risk mainnet test trades on unknown contracts.
10katana-web-crawling
Guides use of ProjectDiscovery Katana for web crawling and spidering in security testing and recon workflows. Covers installation, standard vs headless mode, scope and rate limits, JSONL output, and piping from httpx or URL lists. Use when the user mentions Katana, projectdiscovery/katana, web crawling, spidering, endpoint discovery, attack surface mapping, or chaining crawlers in automation pipelines.
10solana-defi-vulnerability-analyst-agent
Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.
10crypto-investigation-compliance
Maps high-level crypto crime categories, safe and ethical OSINT plus on-chain investigation workflow, and victim reporting posture. Use when the user asks about scam types, pig butchering, rug pulls, tracing stolen funds ethically, compliance-adjacent investigation, or how to document cases for authorities.
10