solidity-argus 0.1.8 → 0.3.0

package/skills/case-studies/parity-multisig/SKILL.md

@@ -0,0 +1,55 @@
+---
+name: parity-multisig
+description: "Case study of the 2017 Parity Multisig Freeze: delegatecall + self-destruct exploit freezing ~$150M"
+category: reference
+source_url: "https://rekt.news/parity-rekt/"
+source_license: "CC0"
+imported_at: "2025-02-20T00:00:00Z"
+detection_rules:
+  - regex: 'delegatecall\(.*\)'
+    severity: "High"
+    description: "Detects use of delegatecall, which can be dangerous if the target contract is not trusted or can be modified."
+  - regex: 'selfdestruct\(.*\)'
+    severity: "High"
+    description: "Detects use of selfdestruct, which can be used to destroy a contract and freeze funds if not properly protected."
+---
+<!-- Source: rekt.news (CC0) -->
+<!-- Source: SunWeb3Sec/DeFiHackLabs (Reference) -->
+
+# Parity Multisig Freeze (2017)
+
+## Overview
+In November 2017, a user accidentally triggered a vulnerability in the Parity Multisig wallet library contract. By calling an uninitialized `initWallet` function, the user became the owner of the library contract and subsequently called `kill()`, which executed `selfdestruct`. This froze approximately 513,000 ETH (worth ~$150M at the time) across 587 wallets that depended on this library.
+
+## Root Cause
+The Parity Multisig wallets used `delegatecall` to execute logic from a shared library contract. However, the library contract itself was not initialized. This allowed any user to call the `initWallet` function on the library contract directly, making them the owner of the library. Once they were the owner, they could call the `kill` function, which contained a `selfdestruct` instruction.
+
+## Attack Flow
+1. A user (devops199) found the uninitialized library contract.
+2. The user called `initWallet()` on the library contract, becoming its owner.
+3. The user then called `kill()` on the library contract.
+4. The library contract executed `selfdestruct`, removing its code from the blockchain.
+5. All multisig wallets that used `delegatecall` to this library now had no logic to execute, effectively freezing all funds held in them.
+
+## Impact
+- **Loss**: ~$150M (513k ETH)
+- **Protocol**: Parity Multisig
+- **Chain**: Ethereum
+- **Date**: 2017-11-06
+
+## Key Transactions
+- Initialization tx: `0x05f5c113c130f928d4d0d261046c5511846909b77060ef6568bf9158ad312a06`
+- Kill tx: `0x47f7cff3ad8733831a0e273108ef239bb0d0657da3a4279b1d17ac2616a12487`
+
+## Detection Heuristics
+- Pattern 1: Uninitialized library contracts that contain sensitive functions like `selfdestruct` or `init`.
+- Pattern 2: Use of `delegatecall` to a contract that can be destroyed or modified by unauthorized users.
+
+## Remediation
+- Fix 1: Initialize library contracts during deployment or use a constructor to disable initialization functions.
+- Fix 2: Avoid using `selfdestruct` in library contracts.
+- Fix 3: Use static libraries or ensure the target of `delegatecall` is immutable and properly initialized.
+
+## References
+- [rekt.news/parity-rekt/](https://rekt.news/parity-rekt/)
+- [paritytech.io/blog/security-alert-heavy-update/](https://www.parity.io/blog/security-alert-heavy-update/)

package/skills/case-studies/poly-network/SKILL.md

@@ -0,0 +1,51 @@
+---
+name: poly-network
+description: "Case study of the 2021 Poly Network exploit: cross-chain relay manipulation draining ~$600M"
+category: reference
+source_url: "https://rekt.news/polynetwork-rekt/"
+source_license: "CC0"
+imported_at: "2025-02-20T00:00:00Z"
+detection_rules:
+  - regex: 'putCurEpochConPubKeyBytes'
+    severity: "High"
+    description: "Detects functions that can modify the public keys of cross-chain relayers/keepers."
+---
+<!-- Source: rekt.news (CC0) -->
+<!-- Source: SunWeb3Sec/DeFiHackLabs (Reference) -->
+
+# Poly Network (2021)
+
+## Overview
+In August 2021, Poly Network, a cross-chain interoperability protocol, was exploited for approximately $611 million across Ethereum, Binance Smart Chain, and Polygon. The attacker was able to manipulate the protocol's "keeper" role, allowing them to sign and execute arbitrary cross-chain transactions.
+
+## Root Cause
+The vulnerability was in the `EthCrossChainManager` contract. The contract had a function `crossChain` that could call any contract on the target chain. The attacker used this to call the `EthCrossChainData` contract's `putCurEpochConPubKeyBytes` function. This function was intended to update the public keys of the "keepers" (the entities that sign cross-chain messages). Because the `EthCrossChainManager` was the owner of the `EthCrossChainData` contract, the call was authorized, allowing the attacker to replace the official keeper keys with their own.
+
+## Attack Flow
+1. Attacker crafted a cross-chain message on a source chain (e.g., Ontology).
+2. The message was designed to trigger a call to `putCurEpochConPubKeyBytes` on the target chain (Ethereum/BSC/Polygon).
+3. The `EthCrossChainManager` received the message and, because it was the owner of the data contract, executed the call.
+4. The attacker's public key was now registered as the only valid keeper key.
+5. The attacker then crafted and signed withdrawal transactions for the bridge's assets using their own key.
+6. The bridge accepted these transactions as valid and released the funds.
+
+## Impact
+- **Loss**: ~$611M (Most was later returned by the attacker)
+- **Protocol**: Poly Network
+- **Chain**: Ethereum, BSC, Polygon
+- **Date**: 2021-08-10
+
+## Key Transactions
+- Attack tx (Ethereum): `0xb1f3535b698f3a0917a219673e7c0e1501c35f9bb8a2811b7a781363bd23c228`
+
+## Detection Heuristics
+- Pattern 1: Cross-chain managers that can call arbitrary functions on internal data or configuration contracts.
+- Pattern 2: Lack of strict access control on functions that modify critical system roles (like keepers or validators).
+
+## Remediation
+- Fix 1: Implement a whitelist of allowed functions that can be called via cross-chain messages.
+- Fix 2: Ensure that critical configuration functions (like updating keeper keys) require multi-signature authorization or a time-lock, and cannot be triggered by a single cross-chain call.
+
+## References
+- [rekt.news/polynetwork-rekt/](https://rekt.news/polynetwork-rekt/)
+- [slowmist.medium.com/the-analysis-and-q-a-of-poly-network-hack-8112a353e439](https://slowmist.medium.com/the-analysis-and-q-a-of-poly-network-hack-8112a353e439)

package/skills/case-studies/rari-fuse/SKILL.md

@@ -0,0 +1,51 @@
+---
+name: rari-fuse
+description: "Case study of the 2022 Rari Fuse exploit: reentrancy in Compound fork draining ~$80M"
+category: reference
+source_url: "https://rekt.news/rari-fuse-rekt/"
+source_license: "CC0"
+imported_at: "2025-02-20T00:00:00Z"
+detection_rules:
+  - regex: 'CEther|CToken'
+    severity: "Medium"
+    description: "Detects usage of Compound-style lending tokens. Forks must ensure reentrancy guards are applied to all sensitive functions."
+---
+<!-- Source: rekt.news (CC0) -->
+<!-- Source: SunWeb3Sec/DeFiHackLabs (Reference) -->
+
+# Rari Fuse (2022)
+
+## Overview
+In April 2022, several Rari Fuse lending pools were exploited for approximately $80 million. The attack targeted a reentrancy vulnerability in the protocol's `CEther` contract, which was a fork of Compound. The attacker was able to borrow assets against their collateral and then re-enter the contract to withdraw the collateral before the borrow was recorded.
+
+## Root Cause
+The vulnerability was a classic reentrancy bug in the `exitMarket` function of the `Comptroller` or the `redeem` function of the `CEther` contract. When a user withdrew ETH, the contract made an external call to the user's address before updating the internal state. Because Rari's fork of Compound did not have a reentrancy guard on these specific functions (or the guard was bypassed), the attacker could recursively call the contract to drain funds.
+
+## Attack Flow
+1. Attacker deposited collateral into a Rari Fuse pool.
+2. Attacker initiated a withdrawal of their collateral (ETH).
+3. The `CEther` contract sent ETH to the attacker's malicious contract via a low-level call.
+4. The attacker's fallback function triggered a call to borrow other assets from the same pool.
+5. Because the collateral withdrawal was not yet finalized in the state, the protocol still saw the attacker as having full collateral, allowing the borrow to succeed.
+6. The attacker effectively withdrew their collateral AND borrowed assets against it, leaving the pool with bad debt.
+
+## Impact
+- **Loss**: ~$80M
+- **Protocol**: Rari Capital (Fuse)
+- **Chain**: Ethereum
+- **Date**: 2022-04-30
+
+## Key Transactions
+- Attack tx: `0xab4860125185a341599c543974807217b3911714771725567b746761632a2939`
+
+## Detection Heuristics
+- Pattern 1: Compound forks that lack reentrancy guards on `redeem`, `borrow`, or `exitMarket` functions.
+- Pattern 2: External calls (especially ETH transfers) made before state updates in lending protocols.
+
+## Remediation
+- Fix 1: Apply the `nonReentrant` modifier to all functions that involve external calls or state changes.
+- Fix 2: Use the Checks-Effects-Interactions pattern to ensure state is updated before any external interaction.
+
+## References
+- [rekt.news/rari-fuse-rekt/](https://rekt.news/rari-fuse-rekt/)
+- [twitter.com/BlockSecTeam/status/1520351351111651328](https://twitter.com/BlockSecTeam/status/1520351351111651328)

package/skills/case-studies/ronin-bridge/SKILL.md

@@ -0,0 +1,52 @@
+---
+name: ronin-bridge
+description: "Case study of the 2022 Ronin Bridge exploit: compromised validator keys draining ~$625M"
+category: reference
+source_url: "https://rekt.news/ronin-rekt/"
+source_license: "CC0"
+imported_at: "2025-02-20T00:00:00Z"
+detection_rules:
+  - regex: 'onlyValidator'
+    severity: "Low"
+    description: "Detects validator-only functions. While not a bug, it highlights the critical trust points in the system."
+---
+<!-- Source: rekt.news (CC0) -->
+<!-- Source: SunWeb3Sec/DeFiHackLabs (Reference) -->
+
+# Ronin Bridge (2022)
+
+## Overview
+In March 2022, the Ronin Network, an Ethereum-linked sidechain for the Axie Infinity game, was exploited for 173,600 ETH and 25.5M USDC (worth ~$625M). This was not a smart contract bug but a social engineering attack that led to the compromise of 5 out of 9 validator private keys.
+
+## Root Cause
+The Ronin bridge required 5 out of 9 validator signatures to authorize withdrawals. The attacker (Lazarus Group) used a fake job offer to compromise a developer's computer, gaining access to 4 validator keys held by Sky Mavis. They also gained access to a 5th validator key held by the Axie DAO, which had been granted a temporary "allowance" to sign on behalf of Sky Mavis during a period of high traffic and was never revoked.
+
+## Attack Flow
+1. Attacker used social engineering (fake job interview/PDF) to plant malware on a Sky Mavis engineer's laptop.
+2. Attacker extracted 4 validator private keys from Sky Mavis infrastructure.
+3. Attacker discovered an RPC backdoor to the Axie DAO validator, which had been authorized to sign for Sky Mavis months earlier.
+4. With 5 keys, the attacker had the supermajority needed to sign withdrawal transactions.
+5. Attacker submitted two withdrawal transactions to the Ronin bridge on Ethereum, draining the funds.
+
+## Impact
+- **Loss**: ~$625M
+- **Protocol**: Ronin Bridge (Sky Mavis)
+- **Chain**: Ronin / Ethereum
+- **Date**: 2022-03-23 (Discovered 2022-03-29)
+
+## Key Transactions
+- Withdrawal tx 1: `0xc28fad5e8d5e0ce6a2eaf67b6687be5d58113e16be590824d6cfa1a691f6d7b3`
+- Withdrawal tx 2: `0xed2c1225a57b6811c570930c7e9996a8a18b19a472f5502013f80f53c7a32730`
+
+## Detection Heuristics
+- Pattern 1: Low validator count (centralization risk).
+- Pattern 2: Long-standing "temporary" permissions or allowances in governance/bridge contracts.
+
+## Remediation
+- Fix 1: Increase the number of validators and the threshold for consensus (Ronin moved to 21 validators).
+- Fix 2: Implement strict security protocols for validator key management (HSMs, multi-party computation).
+- Fix 3: Regular audits of off-chain infrastructure and social engineering training for employees.
+
+## References
+- [rekt.news/ronin-rekt/](https://rekt.news/ronin-rekt/)
+- [roninchain.com/blog/posts/community-alert-ronin-bridge-exploit-post-mortem](https://roninchain.com/blog/posts/community-alert-ronin-bridge-exploit-post-mortem)

package/skills/case-studies/wormhole-bridge/SKILL.md

@@ -0,0 +1,51 @@
+---
+name: wormhole-bridge
+description: "Case study of the 2022 Wormhole Bridge exploit: missing signature validation draining ~$320M"
+category: reference
+source_url: "https://rekt.news/wormhole-rekt/"
+source_license: "CC0"
+imported_at: "2025-02-20T00:00:00Z"
+detection_rules:
+  - regex: 'load_instruction_at'
+    severity: "High"
+    description: "Detects usage of deprecated or dangerous instruction loading in Solana programs which can be used to spoof sysvars."
+---
+<!-- Source: rekt.news (CC0) -->
+<!-- Source: SunWeb3Sec/DeFiHackLabs (Reference) -->
+
+# Wormhole Bridge (2022)
+
+## Overview
+In February 2022, the Wormhole bridge was exploited for 120,000 wETH (worth ~$320M) on the Solana side. The attacker was able to bypass the signature verification process and mint wETH without providing any collateral on the Ethereum side.
+
+## Root Cause
+The vulnerability existed in the Wormhole's Solana program. Specifically, the `verify_signatures` function used a deprecated Solana system function `load_instruction_at` to verify the `instructions` sysvar. The attacker provided a spoofed sysvar account that mimicked the real sysvar but contained fake data, allowing them to bypass the signature check.
+
+## Attack Flow
+1. Attacker identified that the `verify_signatures` function did not properly validate the `instructions` sysvar account.
+2. Attacker created a malicious account that mimicked the `instructions` sysvar.
+3. Attacker called `post_vaa` with the spoofed sysvar, which made the program believe the signatures were valid.
+4. Attacker then called `complete_wrapped_eth` to mint 120,000 wETH on Solana.
+5. Attacker bridged some of the wETH back to Ethereum and swapped the rest on Solana.
+
+## Impact
+- **Loss**: ~$320M
+- **Protocol**: Wormhole Bridge
+- **Chain**: Solana / Ethereum
+- **Date**: 2022-02-02
+
+## Key Transactions
+- Solana Attack tx: `2thJ77y986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9` (Example representation)
+- Mint tx: `399986Yfs4S6996Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9Yv9`
+
+## Detection Heuristics
+- Pattern 1: Use of `load_instruction_at` or other deprecated sysvar loading methods in Solana without proper account validation.
+- Pattern 2: Missing checks to ensure that system accounts (like `sysvar::instructions`) are actually the official system accounts.
+
+## Remediation
+- Fix 1: Use the modern `get_instruction_relative` or properly validate the sysvar account address.
+- Fix 2: Ensure all system accounts passed to the program are checked against their known addresses.
+
+## References
+- [rekt.news/wormhole-rekt/](https://rekt.news/wormhole-rekt/)
+- [jumpcrypto.com/wormhole-exploit-post-mortem/](https://jumpcrypto.com/wormhole-exploit-post-mortem/)

package/skills/checklists/cyfrin-defi-core/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: cyfrin-defi-core
 description: Cyfrin DeFi checklist covering attacker mindset and protocol-level DeFi primitives
+source_url: https://github.com/Cyfrin/audit-checklist
+source_license: unspecified
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: Cyfrin/audit-checklist -->
 <!-- Auto-generated from https://github.com/Cyfrin/audit-checklist -->

package/skills/manifests/cyfrin.json

@@ -0,0 +1,16 @@
+{
+  "name": "cyfrin",
+  "mode": "baked-in",
+  "url": "https://github.com/Cyfrin/audit-checklist",
+  "license": "unspecified",
+  "updateCadence": "per-release",
+  "lastVerified": "2026-02-19",
+  "files": [
+    "checklists/cyfrin-best-practices-runtime/SKILL.md",
+    "checklists/cyfrin-best-practices-upgrades/SKILL.md",
+    "checklists/cyfrin-defi-core/SKILL.md",
+    "checklists/cyfrin-defi-integrations/SKILL.md",
+    "checklists/cyfrin-gas/SKILL.md",
+    "checklists/general-audit/SKILL.md"
+  ]
+}

package/skills/manifests/defifofum.json

@@ -0,0 +1,25 @@
+{
+  "name": "defifofum",
+  "mode": "baked-in",
+  "url": "https://github.com/DeFiFoFum/fofum-solidity-skills",
+  "license": "MIT",
+  "updateCadence": "per-release",
+  "lastVerified": "2026-02-19",
+  "files": [
+    "vulnerability-patterns/access-control/SKILL.md",
+    "vulnerability-patterns/flash-loan-attacks/SKILL.md",
+    "vulnerability-patterns/logic-errors/SKILL.md",
+    "vulnerability-patterns/oracle-manipulation/SKILL.md",
+    "vulnerability-patterns/reentrancy/SKILL.md",
+    "vulnerability-patterns/weird-tokens/SKILL.md",
+    "methodology/audit-workflow/SKILL.md",
+    "methodology/report-template/SKILL.md",
+    "methodology/severity-classification/SKILL.md",
+    "protocol-patterns/amm-dex/SKILL.md",
+    "protocol-patterns/bridges-cross-chain/SKILL.md",
+    "protocol-patterns/dao-governance/SKILL.md",
+    "protocol-patterns/lending-borrowing/SKILL.md",
+    "protocol-patterns/staking-vesting/SKILL.md",
+    "checklists/general-audit/SKILL.md"
+  ]
+}

package/skills/manifests/kadenzipfel.json

@@ -0,0 +1,48 @@
+{
+  "name": "kadenzipfel",
+  "mode": "baked-in",
+  "url": "https://github.com/kadenzipfel/smart-contract-vulnerabilities",
+  "license": "MIT",
+  "updateCadence": "per-release",
+  "lastVerified": "2026-02-19",
+  "files": [
+    "vulnerability-patterns/access-control/SKILL.md",
+    "vulnerability-patterns/arbitrary-storage-location/SKILL.md",
+    "vulnerability-patterns/assert-violation/SKILL.md",
+    "vulnerability-patterns/asserting-contract-from-code-size/SKILL.md",
+    "vulnerability-patterns/authorization-txorigin/SKILL.md",
+    "vulnerability-patterns/default-visibility/SKILL.md",
+    "vulnerability-patterns/delegatecall-untrusted-callee/SKILL.md",
+    "vulnerability-patterns/dos-gas-limit/SKILL.md",
+    "vulnerability-patterns/dos-revert/SKILL.md",
+    "vulnerability-patterns/flash-loan-attacks/SKILL.md",
+    "vulnerability-patterns/floating-pragma/SKILL.md",
+    "vulnerability-patterns/hash-collision/SKILL.md",
+    "vulnerability-patterns/inadherence-to-standards/SKILL.md",
+    "vulnerability-patterns/incorrect-constructor/SKILL.md",
+    "vulnerability-patterns/incorrect-inheritance-order/SKILL.md",
+    "vulnerability-patterns/insufficient-gas-griefing/SKILL.md",
+    "vulnerability-patterns/lack-of-precision/SKILL.md",
+    "vulnerability-patterns/logic-errors/SKILL.md",
+    "vulnerability-patterns/missing-protection-signature-replay/SKILL.md",
+    "vulnerability-patterns/msgvalue-loop/SKILL.md",
+    "vulnerability-patterns/off-by-one/SKILL.md",
+    "vulnerability-patterns/oracle-manipulation/SKILL.md",
+    "vulnerability-patterns/outdated-compiler-version/SKILL.md",
+    "vulnerability-patterns/overflow-underflow/SKILL.md",
+    "vulnerability-patterns/reentrancy/SKILL.md",
+    "vulnerability-patterns/shadowing-state-variables/SKILL.md",
+    "vulnerability-patterns/signature-malleability/SKILL.md",
+    "vulnerability-patterns/unbounded-return-data/SKILL.md",
+    "vulnerability-patterns/unchecked-return-values/SKILL.md",
+    "vulnerability-patterns/unencrypted-private-data-on-chain/SKILL.md",
+    "vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md",
+    "vulnerability-patterns/uninitialized-storage-pointer/SKILL.md",
+    "vulnerability-patterns/unsafe-low-level-call/SKILL.md",
+    "vulnerability-patterns/unsecure-signatures/SKILL.md",
+    "vulnerability-patterns/unsupported-opcodes/SKILL.md",
+    "vulnerability-patterns/unused-variables/SKILL.md",
+    "vulnerability-patterns/use-of-deprecated-functions/SKILL.md",
+    "vulnerability-patterns/weak-sources-randomness/SKILL.md"
+  ]
+}

package/skills/manifests/scvd.json

@@ -0,0 +1,9 @@
+{
+  "name": "scvd",
+  "mode": "hybrid",
+  "url": "https://api.scvd.dev",
+  "license": "CC0",
+  "updateCadence": "on-sync",
+  "lastVerified": "2026-02-19",
+  "files": []
+}

package/skills/manifests/smartbugs.json

@@ -0,0 +1,9 @@
+{
+  "name": "smartbugs",
+  "mode": "baked-in",
+  "url": "https://github.com/smartbugs/smartbugs-curated",
+  "license": "Apache-2.0",
+  "updateCadence": "per-release",
+  "lastVerified": "2026-02-19",
+  "files": ["references/smartbugs-examples/SKILL.md"]
+}

package/skills/manifests/solodit.json

@@ -0,0 +1,9 @@
+{
+  "name": "solodit",
+  "mode": "on-demand",
+  "url": "https://solodit.xyz",
+  "license": "varies",
+  "updateCadence": "per-request",
+  "lastVerified": "2026-02-19",
+  "files": []
+}

package/skills/manifests/sunweb3sec.json

@@ -0,0 +1,9 @@
+{
+  "name": "sunweb3sec",
+  "mode": "baked-in",
+  "url": "https://github.com/SunWeb3Sec/DeFiHackLabs",
+  "license": "reference-only",
+  "updateCadence": "per-release",
+  "lastVerified": "2026-02-19",
+  "files": ["references/exploit-reference/SKILL.md"]
+}

package/skills/manifests/trailofbits.json

@@ -0,0 +1,9 @@
+{
+  "name": "trailofbits",
+  "mode": "hybrid",
+  "url": "https://github.com/trailofbits/solidity-security-research",
+  "license": "varies",
+  "updateCadence": "on-install",
+  "lastVerified": "2026-02-19",
+  "files": []
+}

package/skills/methodology/audit-workflow/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: audit-workflow
 description: Five-phase Solidity audit workflow covering recon, static analysis, manual review, verification, and reporting.
+source_url: https://github.com/DeFiFoFum/fofum-solidity-skills
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/protocol-patterns/amm-dex/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: amm-dex
 description: AMM and DEX security patterns covering pricing, LP accounting, MEV, and swap invariants.
+source_url: https://github.com/DeFiFoFum/fofum-solidity-skills
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/references/exploit-reference/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: exploit-reference
 description: Reference guide to major DeFi exploits and reproducible Foundry workflows from DeFiHackLabs
+source_url: https://github.com/SunWeb3Sec/DeFiHackLabs
+source_license: reference-only
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: SunWeb3Sec/DeFiHackLabs (reference only, no license) -->
 

package/skills/vulnerability-patterns/access-control/SKILL.md

@@ -1,6 +1,33 @@
 ---
 name: access-control
 description: Access-control exploit patterns and secure authorization approaches for privileged Solidity functions.
+pattern_category: access-control
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'onlyOwner'
+    severity: Medium
+    confidence: Medium
+    description: Privileged modifier usage that requires authorization review
+  - regex: 'require\(msg\.sender'
+    severity: Medium
+    confidence: Medium
+    swc: SWC-105
+    description: Inline sender authorization check on sensitive paths
+  - regex: 'function\s+initialize'
+    severity: Critical
+    confidence: High
+    description: Initializer function detected — if missing initializer modifier, anyone can take ownership
+  - regex: 'selfdestruct\(|suicide\('
+    severity: High
+    confidence: High
+    description: Contract uses selfdestruct — can destroy contract and send ETH to arbitrary address
+  - regex: 'function\s+\w+\s*\([^)]*\)\s+(external|public)'
+    severity: High
+    confidence: Low
+    swc: SWC-105
+    description: External/public function — verify appropriate access control modifiers are applied
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/vulnerability-patterns/arbitrary-storage-location/SKILL.md

@@ -1,6 +1,18 @@
 ---
 name: arbitrary-storage-location
-description: - Contract has a dynamic array in storage
+description: '- Contract has a dynamic array in storage'
+pattern_category: logic-error
+detection_rules:
+  - regex: 'assembly\s*\{'
+    severity: Medium
+    confidence: Low
+    swc: SWC-124
+    description: Inline assembly context where arbitrary storage writes may occur
+  - regex: 'sstore\('
+    severity: High
+    confidence: Low
+    swc: SWC-124
+    description: Direct storage slot writes require strict slot provenance checks
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/assert-violation/SKILL.md

@@ -1,6 +1,13 @@
 ---
 name: assert-violation
-description: - Contract uses `assert()` statements
+description: '- Contract uses `assert()` statements'
+pattern_category: logic-error
+detection_rules:
+  - regex: 'assert\('
+    severity: Low
+    confidence: Medium
+    swc: SWC-110
+    description: assert used in code path that may be user reachable
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/asserting-contract-from-code-size/SKILL.md

@@ -1,6 +1,17 @@
 ---
 name: asserting-contract-from-code-size
-description: - Contract uses `extcodesize` or `address.code.length` to check whether an address is an EOA vs. a contract
+description: '- Contract uses `extcodesize` or `address.code.length` to check whether an address is an EOA vs. a contract'
+pattern_category: logic-error
+detection_rules:
+  - regex: 'extcodesize'
+    severity: Medium
+    confidence: Medium
+    swc: SWC-113
+    description: extcodesize-based contract detection can be bypassed in constructors
+  - regex: 'isContract\('
+    severity: Medium
+    confidence: Medium
+    description: isContract helper usage should not gate security decisions
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/authorization-txorigin/SKILL.md

@@ -1,6 +1,13 @@
 ---
 name: authorization-txorigin
-description: - Contract uses `tx.origin` for authorization or access control checks (e.g., `require(tx.origin == owner)`)
+description: "Contract uses tx.origin for authorization or access control checks (e.g., require(tx.origin == owner))"
+pattern_category: access-control
+detection_rules:
+  - regex: 'tx\.origin'
+    severity: High
+    confidence: High
+    swc: SWC-115
+    description: tx.origin usage in authorization logic is phishing-prone
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->