defi-security
Scannednpx machina-cli add skill 0xlayerghost/solidity-agent-kit/defi-security --openclawFiles (1)
SKILL.md
6.1 KB
DeFi Security Principles
Language Rule
- Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.
Scope: Only applicable to DeFi projects (DEX, lending, staking, LP, yield). Non-DeFi projects can ignore this skill.
Protection Decision Rules
| Threat | Required Protection |
|---|---|
| Whale manipulation | Daily transaction caps + per-tx amount limits + cooldown window |
| MEV / sandwich attack | EOA-only checks (msg.sender == tx.origin), or use commit-reveal pattern |
| Arbitrage | Referral binding + liquidity distribution + fixed yield model + lock period |
| Reentrancy | ReentrancyGuard on all external-call functions (see solidity-security skill) |
| Flash loan attack | Check block.number change between operations, or use TWAP pricing |
| Price manipulation | Chainlink oracle or TWAP — never rely on spot AMM reserves for pricing |
| Approval exploit | Use safeIncreaseAllowance / safeDecreaseAllowance, never raw approve for user flows |
| Governance attack | Voting requires snapshot + minimum token holding period; timelock ≥ 48h on proposal execution |
| ERC4626 inflation attack | First deposit must enforce minimum amount or use virtual shares to prevent share dilution via rounding |
| Cross-vault trust bypass | Router/Registry relay must verify vault authorization; never trust caller identity inside flash loan callbacks — EVMbench/noya H-08 |
| Collateral ownership exploit | Liquidation/staking operations must verify actual NFT/collateral ownership — EVMbench/benddao |
| Bonding curve manipulation | ID/pricing params in create operations must be fully determined before external calls — EVMbench/phi H-06 |
DEX pair _transfer TOCTOU | Never distinguish operation type by balance/reserve checks in _transfer — both directions are exploitable: buy vs removeLiquidity (pair→user) and sell vs addLiquidity (user→pair); use address whitelist only; new projects prefer Uniswap V4 Hook |
Anti-Whale Implementation Rules
- Maximum single transaction amount: configurable via
onlyOwnersetter - Daily cumulative limit per address: track with
mapping(address => mapping(uint256 => uint256))(address → day → amount) - Cooldown between transactions: enforce minimum time gap with
block.timestampcheck - Whitelist for exempt addresses (deployer, LP pair, staking contract)
Flash Loan Protection Rules
- For price-sensitive operations: require that
block.numberhas changed since last interaction - For oracle-dependent calculations: use time-weighted average (TWAP) over minimum 30 minutes
- For critical state changes: add minimum holding period before action (e.g., must hold tokens for N blocks)
Protocol Composability Risks
Source: EVMbench (OpenAI/Paradigm, Feb 2026) — vulnerability patterns from Code4rena audits
- Cross-vault operations [noya H-08]: Registry/Router relay calls must verify vault-level authorization; prevent keeper from using flash loan to impersonate other vaults
- Lending collateral [benddao]: Liquidation functions must verify
msg.senderactually owns or is authorized to operate on target collateral - Bonding curve [phi H-06]: In create + auto-buy operations, ID assignment and pricing params must be fully determined before the buy transaction executes; prevent reentrancy from modifying them
- Shared registries [noya H-08]: Permission propagation chains in shared registries must be verified hop-by-hop; never rely solely on "trusted sender" flags
Launch Checklist
Before mainnet deployment, verify all items:
- All
onlyOwnerfunctions transferred to multisig wallet - Timelock contract deployed and configured (minimum 24h delay for critical changes)
- Emergency pause mechanism tested — both pause and unpause functions work correctly
- Daily limit parameters documented and set to reasonable values
- Third-party security audit completed and all critical/high findings resolved
- Testnet deployment running for minimum 7 days with no issues
- Slippage, fee, and lock period parameters reviewed and documented
- Initial liquidity plan documented (amount, lock duration, LP token handling)
- Fuzz testing passes with high iterations (10000+) on all DeFi-critical functions
Emergency Response Procedure
| Step | Action |
|---|---|
| 1. Detect | Monitor alerts trigger (on-chain monitoring, community reports) |
| 2. Pause | Designated address calls pause() — must respond within minutes |
| 3. Assess | Technical lead analyzes root cause, estimates fund impact |
| 4. Communicate | Post incident notice to community channels (Discord, Twitter, Telegram) |
| 5. Fix | Deploy fix or prepare recovery plan |
| 6. Resume | Call unpause() after fix verified on fork — or migrate to new contract |
| 7. Post-mortem | Publish detailed incident report within 48 hours |
DeFi Testing Reference
| Test Scenario | Approach |
|---|---|
| Fuzz test fund flows | Run fuzz tests on staking/pool contracts with high iterations (10000+) |
| Fork mainnet testing | Use Foundry fork mode against mainnet RPC to test with real state |
| Simulate whale transaction | Use Foundry cast CLI to simulate large-amount calls on a forked network |
Source
git clone https://github.com/0xlayerghost/solidity-agent-kit/blob/main/skills/defi-security/SKILL.mdView on GitHub Overview
Implements risk controls for DeFi contracts (DEX, lending, staking, LP, token), covering anti-whale, anti-MEV, flash loan protection, launch checklists, and emergency response. Triggered on any deployment or security review of DeFi-related contracts.
How This Skill Works
Applies threat-specific protections via on-chain rules: whale caps with per-tx limits and daily totals, cooldowns; MEV defenses using EO A-only checks or commit-reveal patterns; flash loan safeguards with block-number checks and TWAP pricing; safe-approval patterns; and governance safeguards like snapshots and timelocks. It also provides a structured launch checklist and emergency response guidance for DeFi deployments.
When to Use It
- Before deploying a new DEX, lending, staking, LP, or token contract
- During security reviews or audits of existing DeFi protocols
- When implementing anti-whale or cooldown mechanisms to limit large trades
- When integrating flash loan protections and TWAP-based pricing
- During governance changes or cross-vault interactions requiring stricter authorization and timelocks
Quick Start
- Step 1: Review threat categories (whale, MEV, flash loan, governance) and enable per-tx limits, daily caps, and cooldowns
- Step 2: Implement MEV protections (EOA checks or commit-reveal), TWAP pricing, and safe allowance patterns; add ReentrancyGuard
- Step 3: Run the launch checklist, enforce governance guards (snapshot, timelock), and prepare emergency response procedures
Best Practices
- Configure maximum single-transaction amounts and daily caps; expose via onlyOwner controls
- Enforce MEV protections with EO A-only checks or commit-reveal patterns
- Adopt safeIncreaseAllowance / safeDecreaseAllowance instead of raw approve for user flows
- Apply ReentrancyGuard on external-call functions and verify ownership in critical operations
- Implement governance safeguards: require snapshots, minimum holding periods, and a 48h timelock for proposals
Example Use Cases
- A DeFi protocol adds daily transaction caps to limit whale impact during high-volatility events
- Launch of a new token uses EO A-only checks or a commit-reveal pattern to reduce MEV risk
- Protocol adopts TWAP pricing and block-number changes to defend against flash loans during price-sensitive actions
- Governance changes are protected with vote snapshots and a minimum 48-hour timelock before execution
- Router/Registry relays verify vault authorization to prevent cross-vault trust bypass during complex operations
Frequently Asked Questions
Add this skill to your agents
