ContextQMD
Back to Eliza

Building Secure Smart Contracts

packages/skills/skills/security-building-secure-contracts/SKILL.md

1.7.22.9 KB
Original Source

Building Secure Smart Contracts

When to Use

  • Writing new smart contracts and need security-first patterns
  • Reviewing contract code for common vulnerability classes
  • Hardening existing contracts before audit or deployment
  • Implementing access control, upgrade patterns, or token standards securely
  • Evaluating contract architecture for systemic risks

When NOT to Use

  • General web application security (use other security skills)
  • Off-chain backend code review
  • Non-blockchain cryptographic protocol design

Key Vulnerability Classes

Solidity / EVM

VulnerabilityDescriptionMitigation
ReentrancyExternal calls allow recursive entryChecks-Effects-Interactions pattern; ReentrancyGuard
Integer overflow/underflowArithmetic wraps silently (pre-0.8)Use Solidity >=0.8 or SafeMath
Access controlMissing or incorrect permission checksOpenZeppelin Ownable/AccessControl; multi-sig for admin
Flash loan manipulationPrice or governance manipulation via atomic loansTime-weighted oracles; commit-reveal schemes
Front-runningMempool observation enables MEV extractionCommit-reveal; private mempools; batch auctions
Delegatecall injectionArbitrary code execution via delegatecallRestrict delegatecall targets; avoid user-controlled addresses
Storage collisionProxy upgrade storage layout conflictsUse EIP-1967 storage slots; OpenZeppelin upgradeable contracts

Solana / Rust

VulnerabilityDescriptionMitigation
Missing signer checkInstructions accept unsigned accountsVerify account.is_signer
Missing owner checkAccounts owned by wrong programVerify account.owner == program_id
Account confusionWrong account type passedUse discriminators; Anchor account validation
Arithmetic overflowUnchecked math in native RustUse checked_add, checked_mul; saturating math

Secure Development Checklist

  1. Use established, audited libraries (OpenZeppelin, Anchor)
  2. Follow Checks-Effects-Interactions pattern
  3. Implement comprehensive access control
  4. Use time-weighted average prices for oracles
  5. Add emergency pause mechanisms
  6. Write invariant tests and fuzz tests
  7. Get independent audit before mainnet deployment
  8. Use formal verification where practical

Testing Approach

  • Unit tests for all state transitions
  • Invariant/property-based tests for protocol invariants
  • Fork tests against mainnet state
  • Fuzz testing with Foundry or Echidna
  • Symbolic execution with Halmos or Manticore

Resources