fhevm-security-audit
FHE Security Audit
Use this skill when reviewing FHEVM contract code for correctness and security issues. FHE contracts fail differently from plaintext Solidity. Many bugs are silent — no revert, no obvious error, just wrong encrypted state that nobody can detect until decryption.
When To Use
- Auditing a new FHEVM contract before deployment
- Reviewing a pull request that modifies encrypted state logic
- Investigating unexpected behavior in an existing FHEVM contract
- Verifying that ACL grants are complete across all code paths
- Checking that unwrap or decryption flows cannot be exploited
- Validating that events do not leak private information
Core Mental Model
An FHEVM audit traces handles, not values. You cannot inspect what an encrypted value contains. Instead, you trace the lifecycle of each handle: where it is created, what