audit-system 2.0.0

package/obsidian-vault/vulnerabilities/solana-cpi-attacks.md

@@ -0,0 +1,131 @@
+# Cross-Program Invocation (CPI) Attacks
+
+tags: #vulnerability #solana #cpi #critical
+
+---
+
+## Summary
+Cross-Program Invocation (CPI) allows Solana programs to call other programs. If not properly secured, CPIs can lead to reentrancy, unauthorized actions, and privilege escalation.
+
+---
+
+## Pattern Recognition
+
+### Code Signals
+- `invoke()` or `invoke_signed()` calls
+- CPI to programs whose address comes from user input
+- Missing return value checks on CPI
+- PDA signing with uncontrolled seeds
+- Programs that call back (callbacks via CPI)
+
+### Detection Query
+```
+Is the CPI target program address hardcoded or user-provided?
+Is the CPI return value checked?
+Can the called program reenter the caller?
+Are PDA seeds validated before signing?
+```
+
+---
+
+## Variants
+
+### CPI Reentrancy
+```
+Program A calls Program B via CPI
+Program B calls back into Program A
+Program A's state is in an inconsistent mid-transaction state
+```
+
+### Arbitrary CPI
+```
+Attacker controls which program is called
+Malicious program returns fabricated data
+Caller trusts unchecked CPI result
+```
+
+### PDA Signing Bypass
+```
+Program B expects PDA-signed CPI from Program A
+Program A's seeds can be manipulated
+Attacker signs for wrong PDA
+```
+
+### CPI Return Value Manipulation
+```
+Program A calls Program B for a price
+Program B returns manipulated price
+Program A acts on false data
+```
+
+---
+
+## Attack Strategy
+
+```
+1. Find a CPI that calls an external program
+2. Check if the program address is validated
+3. If yes, check if reentrancy is possible
+4. If the called program can call back during CPI:
+   - Enter the first function
+   - CPI triggers callback
+   - Callback reenters caller before state update
+```
+
+---
+
+## Detection Signals
+- CPI with user-provided `program_id`
+- No `require_keys_eq!` on program address
+- `invoke` instead of `invoke_signed` where PDA signing needed
+- Missing `Ok(())` return check from CPI
+
+---
+
+## PoC Template (Rust)
+
+```rust
+#[program]
+pub fn exploit(ctx: Context<ExploitCpi>) -> Result<()> {
+    // Call target which will CPI back to us
+    let target = &ctx.accounts.target_program;
+    let ix = target::instruction::vulnerable_fn(
+        ctx.accounts.target_data.key(),
+    );
+
+    invoke(&ix, &[/* accounts */])?; // Callback triggers reentrancy
+    Ok(())
+}
+```
+
+---
+
+## Fix
+
+```rust
+// 1. Validate program ID
+require_keys_eq!(
+    ctx.accounts.target_program.key(),
+    EXPECTED_PROGRAM_ID
+);
+
+// 2. Check CPI return
+let result = invoke(&ix, &accounts);
+require!(result.is_ok(), MyError::CpiFailed);
+
+// 3. Use reentrancy guard
+// Update state BEFORE CPI call
+```
+
+---
+
+## Real World Examples
+- Solana Wormhole bridge (2022) — $320M lost via CPI validation bypass
+- Cashio App (2022) — Arbitrary CPI allowed minting unbacked tokens
+
+---
+
+## Links
+- [[solana-account-confusion]]
+- [[solana-signer-authorization]]
+- [[reentrancy]] (Solana variant)

package/obsidian-vault/vulnerabilities/solana-signer-authorization.md

@@ -0,0 +1,119 @@
+# Signer & Authorization Vulnerabilities (Solana)
+
+tags: #vulnerability #solana #signer #authorization #critical
+
+---
+
+## Summary
+Solana requires explicit signer checks on every account that needs authorization. Missing or incorrect signer checks allow attackers to impersonate any user.
+
+---
+
+## Pattern Recognition
+
+### Code Signals (Anchor)
+- `AccountInfo` without `Signer` type
+- `UncheckedAccount` used where authorization is needed
+- Missing `#[account(signer)]` constraint
+- Missing `owner` field check on token accounts
+- Authority check done AFTER state modification
+
+### Detection Query
+```
+Does every state-modifying instruction check msg.signer equivalent?
+Are `Signer` types used for all authorized actors?
+Is the authority check performed BEFORE state mutation?
+```
+
+---
+
+## Variants
+
+### Missing Signer Check
+```
+Instruction accepts any account as "authority"
+No Signer constraint → attacker passes any pubkey
+State modified without real authorization
+```
+
+### Owner Check Bypass
+```
+Token account owner not verified
+Attacker passes someone else's token account
+Funds transferred from wrong account
+```
+
+### Delegate Authorization
+```
+SPL token delegate permissions not checked
+Attacker uses own delegation to move other's tokens
+Missing `delegated_amount` verification
+```
+
+---
+
+## Attack Strategy
+
+```
+1. Find instruction with authority-like account parameter
+2. Check if `Signer` constraint or `is_signer` check exists
+3. If missing, call instruction with victim's pubkey
+4. State is modified as if victim authorized it
+```
+
+---
+
+## Detection Signals
+- `Account` type without `Signer` for authority roles
+- `has_one = authority` but no `Signer` constraint
+- Manual `owner` field check not followed by `require_signer`
+
+---
+
+## PoC Template (Anchor/TS)
+
+```typescript
+it("missing signer check", async () => {
+  // Attacker calls without being the authority
+  const tx = await program.methods
+    .adminAction()
+    .accounts({
+      authority: victim.publicKey,  // Not a signer!
+      // ... other accounts
+    })
+    .signers([attacker])  // Only attacker signs
+    .rpc();
+
+  // Assert: unauthorized action succeeded
+});
+```
+
+---
+
+## Fix
+
+```rust
+// Anchor: use Signer type
+#[derive(Accounts)]
+pub struct AdminAction<'info> {
+    #[account(signer)]  // <-- REQUIRED
+    pub authority: Signer<'info>,
+}
+
+// Or manual:
+require!(ctx.accounts.authority.is_signer, MyError::NotSigner);
+```
+
+---
+
+## Real World Examples
+- Multiple Solana bridge hacks
+- Solend protocol — initial admin key lacked proper signer constraints
+- Various Solana NFT projects with missing owner checks
+
+---
+
+## Links
+- [[solana-account-confusion]]
+- [[solana-cpi-attacks]]
+- [[access-control]]

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "audit-system",
+  "version": "2.0.0",
+  "description": "Multi-agent smart contract security auditing framework for Solidity (EVM) and Rust (Solana/Anchor) — installable via npx",
+  "type": "module",
+  "bin": {
+    "audit-system": "./cli.js"
+  },
+  "files": [
+    "cli.js",
+    "lib/",
+    "agents/",
+    "skills/",
+    "obsidian-vault/",
+    "config.json"
+  ],
+  "scripts": {
+    "setup": "node scripts/setup.js",
+    "test": "node scripts/test.js",
+    "prepublishOnly": "node scripts/test.js"
+  },
+  "keywords": [
+    "smart-contracts",
+    "security",
+    "auditing",
+    "vulnerability",
+    "blockchain",
+    "solidity",
+    "rust",
+    "solana",
+    "anchor",
+    "claude-code",
+    "multi-agent"
+  ],
+  "author": "Jorge Paim",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/MrAiKen007/audit-system.git"
+  },
+  "bugs": {
+    "url": "https://github.com/MrAiKen007/audit-system/issues"
+  },
+  "homepage": "https://github.com/MrAiKen007/audit-system#readme",
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "fs-extra": "^11.3.4",
+    "minimist": "^1.2.8"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0"
+  }
+}

package/skills/audit-connect.md

@@ -0,0 +1,385 @@
+---
+description: Connects current audited project to audit-system resources and activates the multi-agent audit framework using claude-opus-4-6 model
+type: skill
+commands:
+  - audit-connect
+  - audit-init
+  - use-audit-system
+---
+
+# Audit Connect Skill
+
+## Purpose
+
+Ativa o audit-system a partir de qualquer diretório de projeto, conectando TODOS os recursos (skills, agents, obsidian-vault) ao projeto atual.
+
+## Modelo Utilizado
+
+**Modelo Padrão:** `claude-opus-4-6`
+
+Todos os agents são executados com o modelo mais poderoso disponível para garantir análises complexas de vulnerabilidades.
+
+## Detecção Automática de Linguagem
+
+O sistema detecta automaticamente se o projeto alvo usa **Solidity** (EVM) ou **Rust** (Solana/Anchor/ink!):
+
+| Sinal | Linguagem Detectada |
+|-------|-------------------|
+| Arquivos `*.sol` | Solidity |
+| `Anchor.toml` + `Cargo.toml` | Rust (Solana/Anchor) |
+| `Cargo.toml` com dependência `ink` | Rust (ink!/Polkadot) |
+| `Cargo.toml` + pastas `programs/` ou `src/` com `*.rs` | Rust (genérico) |
+| Ambos presentes | Pergunta ao usuário ou roda em modo `both` |
+
+**Override manual:**
+```
+/audit-connect --lang=solidity
+/audit-connect --lang=rust
+/audit-connect --lang=both
+```
+
+A variável `AUDIT_LANG` é definida e todos os agents a consultam para ajustar seus prompts.
+
+## Usage
+
+Quando estiver no diretório de um projeto a ser auditado, execute:
+
+```
+/audit-connect
+```
+
+Ou com parâmetros:
+
+```
+/audit-connect --phase=assumption-analysis --target=./contracts
+```
+
+## O que este skill faz (Integração Completa)
+
+### 1. **Carrega Configuração**
+   - Lê `config.json` do audit-system
+   - Configura `default_model: "claude-opus-4-6"`
+   - Registra todos os caminhos (agents, skills, vault)
+
+### 2. **Registra 8 Agents Especializados**
+   ```
+   Agents carregados de: $AUDIT_SYSTEM_PATH/agents/
+
+   ✓ orchestrator.json         - Coordenador de workflows
+   ✓ assumption-analyzer.json - Phase 1: Quebra de suposições
+   ✓ economic-attacker.json    - Phase 3: Modelagem econômica
+   ✓ state-machine-hacker.json - Phase 4: Máquina de estados
+   ✓ composition-attacker.json - Phase 5: Ataques por composição
+   ✓ exploit-writer.json       - Criação de PoCs
+   ✓ test-generator.json       - Geração de testes
+   ✓ report-writer.json        - Compilação de relatórios
+   ```
+
+### 3. **Carrega 5 Skills no Contexto**
+   ```
+   Skills disponíveis:
+
+   ✓ auditor.md              - Workflow de auditoria padrão
+   ✓ novel-discovery.md      - Framework 6 fases COMPLETO
+   ✓ exploit-generator.md  - Templates de exploits
+   ✓ test-generator.md     - Templates de testes Foundry
+   ✓ audit-connect.md      - Este skill (recursivo)
+   ```
+
+### 4. **Indexa Obsidian-Vault (Knowledge Base)**
+   ```
+   Knowledge base carregado:
+
+   ✓ vulnerabilities/          (4 arquivos)
+     - reentrancy.md
+     - access-control.md
+     - oracle-manipulation.md
+     - flash-loan-attack.md
+
+   ✓ hypotheses/             (1 template)
+     - _template.md
+
+   ✓ invariant-catalog/      (1 catálogo)
+     - defi-invariants.md
+
+   ✓ novel-patterns/         (1 framework)
+     - pattern-mutation-framework.md
+
+   ✓ attack-patterns/        (1 padrão)
+     - state-inconsistency.md
+
+   ✓ test-strategies/        (1 estratégia)
+     - fuzzing.md
+
+   ✓ reports/                (1 template)
+     - _template.md
+
+   ✓ research/               (3 diretórios)
+     - emerging-threats/
+     - protocol-specific/
+     - cross-protocol-analysis/
+   ```
+
+### 5. **Detecta Linguagem do Projeto**
+   - Busca por arquivos `*.sol`, `Anchor.toml`, `Cargo.toml`, `*.rs`
+   - Define `AUDIT_LANG = solidity | rust | both`
+   - Se `both` e nenhum `--lang` passado, pergunta ao usuário
+
+### 6. **Cria Estrutura de Output**
+   ```
+   No projeto atual:
+   ./audit-output/
+   ├── findings/
+   ├── exploits/
+   ├── tests/
+   └── report.md
+   ```
+
+   Se `AUDIT_LANG == rust`:
+   ```
+   ./audit-output/
+   ├── rust/
+   │   ├── findings/
+   │   ├── exploits/
+   │   ├── tests/
+   │   └── report.md
+   ```
+
+### 7. **Configura Variáveis de Ambiente**
+   ```
+   AUDIT_SYSTEM_PATH="<diretório do .audit-system/>"
+   AUDIT_AGENTS_PATH="$AUDIT_SYSTEM_PATH/agents"
+   AUDIT_SKILLS_PATH="$AUDIT_SYSTEM_PATH/skills"
+   AUDIT_VAULT_PATH="$AUDIT_SYSTEM_PATH/vault"
+   AUDIT_MODEL="claude-opus-4-6"
+   AUDIT_PROJECT_PATH="<diretório atual>"
+   AUDIT_OUTPUT_PATH="./audit-output"
+   AUDIT_LANG="solidity | rust | both"
+   ```
+
+## Workflow de Integração
+
+```
+[Projeto Auditado]
+        ↓
+/audit-connect  ← SKILL de ativação
+        ↓
+[Carrega Config] ← config.json (model: claude-opus-4-6)
+        ↓
+[Detecta Linguagem] ← .sol → solidity | Cargo.toml+Anchor.toml → rust
+        ↓
+[Registra Agents] ← 8 agents de ./agents/ (modo LANG-aware)
+        ↓
+[Carrega Skills] ← 5 skills de ./skills/
+        ↓
+[Indexa Vault] ← knowledge base de ./obsidian-vault/ (incl. Rust/Solana)
+        ↓
+[Cria Output Dir] ← ./audit-output/ (estrutura por linguagem)
+        ↓
+[Sistema Conectado] ← AUDIT_LANG=solidity|rust|both
+        ↓
+Escolha do agente → Execução → Resultados
+```
+
+## Agents Disponíveis
+
+Após conectar, os seguintes agentes podem ser invocados:
+
+| Agente | Comando | Descrição | Recursos Utilizados |
+|--------|---------|-----------|---------------------|
+| orchestrator | `/audit-agent full` | Coordena todos os agents (modo LANG-aware) | Todos os recursos |
+| assumption-analyzer | `/audit-agent assumption` | Phase 1: Mapeia e quebra suposições | novel-discovery.md, invariant-catalog/, hypotheses/ |
+| economic-attacker | `/audit-agent economic` | Phase 3: Modelagem econômica | novel-discovery.md, vulnerabilities/ |
+| state-machine-hacker | `/audit-agent state` | Phase 4: Análise de máquina de estados | novel-discovery.md, attack-patterns/, invariant-catalog/ |
+| composition-attacker | `/audit-agent composition` | Phase 5: Ataques por composição | novel-discovery.md, vulnerabilities/, novel-patterns/ |
+| exploit-writer | `/audit-agent exploit` | Cria PoCs (Solidity/Foundry ou Rust/Anchor) | exploit-generator.md, test-strategies/ |
+| test-generator | `/audit-agent test` | Gera testes (Foundry ou Anchor/cargo) | test-generator.md, test-strategies/ |
+| report-writer | `/audit-agent report` | Compila relatórios multi-linguagem | reports/_template.md |
+
+## Como os Recursos se Interligam
+
+### Exemplo: assumption-analyzer em ação (Solidity)
+
+```
+1. Usuário: /audit-agent assumption --target=./contracts/Pool.sol
+
+2. Agente assumption-analyzer ativa:
+   ├── Config: agents/assumption-analyzer.json
+   ├── Modelo: claude-opus-4-6
+   ├── LANG: solidity (auto-detectado)
+   ├── Prompts: skills/novel-discovery.md (Phase 1 - modo Solidity)
+   ├── Contexto: obsidian-vault/invariant-catalog/defi-invariants.md
+   └── Template: obsidian-vault/hypotheses/_template.md
+
+3. Agente analisa o contrato Pool.sol
+
+4. Output gerado:
+   ├── ./audit-output/assumptions-[timestamp].md
+   ├── Referências a invariantes do vault
+   └── Hipóteses formatadas pelo template
+```
+
+### Exemplo: economic-attacker em ação (Rust/Solana)
+
+```
+1. Usuário: /audit-agent economic --target=./programs/amm/src/lib.rs
+
+2. Agente economic-attacker ativa:
+   ├── Config: agents/economic-attacker.json
+   ├── Modelo: claude-opus-4-6
+   ├── LANG: rust (auto-detectado por Anchor.toml)
+   ├── Prompts: skills/novel-discovery.md (Phase 3 - modo Rust/Solana)
+   ├── Contexto: obsidian-vault/vulnerabilities/solana-account-confusion.md
+   └── Contexto: obsidian-vault/invariant-catalog/solana-invariants.md
+
+3. Agente analisa o programa AMM em Rust
+
+4. Output gerado:
+   ├── ./audit-output/rust/economic-analysis-[timestamp].md
+   ├── Análise de ataques econômicos específicos Solana (CPI, PDA, SPL)
+   └── Vetores de ataque com Anchor/Sealevel
+```
+
+
+
+## Exemplos de Uso
+
+### Exemplo 1: Conectar e verificar status
+
+```
+/user está em: ~/projetos/defi-protocol/
+!pwd
+/audit-connect
+/audit-status
+/audit-agents
+```
+
+### Exemplo 2: Executar Phase 1
+
+```
+/audit-connect
+/audit-agent assumption --target=./src/
+```
+
+### Exemplo 3: Auditoria econômica rápida
+
+```
+/audit-connect
+/audit-agent economic --target=./contracts/Pool.sol
+```
+
+### Exemplo 4: Auditoria completa (todos os agents)
+
+```
+/audit-connect
+/audit-agent full --target=./contracts/ --output=./audit-results/
+```
+
+### Exemplo 5: Auditoria Rust/Solana
+
+```
+# Auto-detecção
+/audit-connect
+/audit-agent full --target=./programs/
+
+# Ou forçando Rust
+/audit-connect --lang=rust
+/audit-agent assumption --target=./programs/amm/src/lib.rs
+/audit-agent economic --target=./programs/amm/
+/audit-agent exploit --target=./programs/amm/
+```
+
+### Exemplo 6: Workflow específico
+
+```
+/audit-connect
+/audit-agent assumption   # Gera hipóteses
+/audit-agent economic     # Valida viabilidade econômica
+/audit-agent exploit      # Cria PoC da hipótese mais promissora
+```
+
+## Configuração
+
+### Configurar caminho do audit-system
+
+Se o audit-system estiver em local diferente:
+
+```
+/audit-connect --config-path="<caminho-para-.audit-system>"
+```
+
+### Modos de operação
+
+1. **Mode: connect** (padrão)
+   - Conecta e ativa todos os recursos
+   - Prepara ambiente para auditoria
+
+2. **Mode: init**
+   - Inicializa estrutura de auditoria no projeto
+   - Cria pasta `audit-output/` completa
+
+3. **Mode: full**
+   - Executa auditoria completa automaticamente
+   - Usa orchestrator para coordenar todos os agents
+
+## Comandos Disponíveis
+
+| Comando | Descrição |
+|---------|-----------|
+| `/audit-connect` | Ativa conexão com audit-system |
+| `/audit-connect --config-path=X` | Define caminho customizado |
+| `/audit-status` | Mostra status da conexão e recursos carregados |
+| `/audit-agents` | Lista agents disponíveis |
+| `/audit-agent <name>` | Executa agente específico |
+| `/audit-phase <N>` | Executa fase específica do framework |
+
+## Verificação de Conexão
+
+Para confirmar que TODOS os recursos estão conectados:
+
+```
+/audit-connect
+/audit-status
+```
+
+Saída esperada (Solidity):
+```
+✓ Audit-System conectado
+✓ Modelo: claude-opus-4-6
+✓ Linguagem: solidity (auto-detectado)
+✓ 8 agents registrados (modo EVM)
+✓ 5 skills carregadas
+✓ Vault indexado (14+ arquivos)
+✓ Output directory: ./audit-output/
+```
+
+Saída esperada (Rust/Solana):
+```
+✓ Audit-System conectado
+✓ Modelo: claude-opus-4-6
+✓ Linguagem: rust (auto-detectado via Anchor.toml)
+✓ 8 agents registrados (modo Solana/Sealevel)
+✓ 5 skills carregadas
+✓ Vault indexado (14+ arquivos, incluindo Solana)
+✓ Output directory: ./audit-output/rust/
+```
+
+## Related Resources
+
+- [[../ARCHITECTURE.md]] - Arquitetura completa de integração
+- [[../agents/AGENT_REGISTRY.md]] - Registro de todos os agents
+- [[../config.json]] - Configuração do sistema
+- [[../README.md]] - Documentação principal
+
+## Notas Importantes
+
+- O audit-system não precisa estar no mesmo diretório do projeto
+- Todos os agents usam o modelo `claude-opus-4-6` por padrão
+- Skills são carregadas automaticamente no contexto do Claude
+- O vault é indexado para consulta rápida durante análises
+- Resultados são salvos em `./audit-output/` por padrão
+- Cada agente pode ser chamado individualmente após a conexão
+- O orchestrator pode coordenar workflows multi-agente completos
+- A linguagem é auto-detectada, mas pode ser forçada com `--lang`
+- Em modo `rust`, agents focam em Solana/Anchor/Sealevel/ink!
+- Em modo `solidity`, agents focam em EVM/Solidity/Foundry