solidity-argus 0.3.6 → 0.5.6

package/AGENTS.md

@@ -11,27 +11,34 @@ CLI: `argus doctor`, `argus init`, `argus install`.
 ## argus
 
 **Role**: Primary security audit orchestrator
-**Description**: Argus Panoptes, the All-Seeing Guardian. Coordinates full Solidity security audits by dispatching Sentinel (analysis), Pythia (research), and Scribe (reporting). Follows a rigorous 7-step methodology: Reconnaissance, Automated Scanning, Manual Review, Attack Surface Mapping, Vulnerability Research, Testing & Verification, and Reporting.
+**Description**: Argus Panoptes, the All-Seeing Guardian. Coordinates full Solidity security audits by dispatching Sentinel (analysis), Pythia (research), Scribe (reporting), and Themis (validation). Follows a rigorous 7-step methodology: Reconnaissance, Automated Scanning, Manual Review, Attack Surface Mapping, Vulnerability Research, Testing & Verification, and Reporting.
 **Model**: anthropic/claude-opus-4-6
-**Tools**: All 12 argus_* tools (argus_slither_analyze, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, argus_solodit_search, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_skill_load, argus_generate_report, argus_sync_knowledge)
+**Tools**: 14 orchestrator-accessible argus_* tools (argus_slither_analyze, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, argus_solodit_search, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_skill_load, argus_generate_report, argus_record_finding, argus_read_findings, argus_sync_knowledge). `argus_persist_deduped` is reserved for Scribe.
 
 ## sentinel
 
 **Role**: Static analysis and testing specialist
 **Description**: Finds vulnerabilities through Slither static analysis, Foundry testing, fuzzing, and pattern matching. The tactical executor — runs tools, writes PoC tests, and verifies findings. Dispatched by Argus during Automated Scanning and Testing & Verification phases.
 **Model**: anthropic/claude-sonnet-4-6
-**Tools**: argus_slither_analyze, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, skill
+**Tools**: argus_slither_analyze, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, argus_record_finding, skill
 
 ## pythia
 
 **Role**: Vulnerability researcher
-**Description**: Consults Solodit, SCVD, and the knowledge base to find historical precedents and known attack vectors. Searches 7,769+ real-world audit findings and 44 curated vulnerability pattern files. Dispatched by Argus during Vulnerability Research phase.
+**Description**: Consults Solodit, SCVD, and the knowledge base to find historical precedents and known attack vectors. Searches 7,769+ real-world audit findings and 51 curated vulnerability pattern files. Dispatched by Argus during Vulnerability Research phase.
 **Model**: anthropic/claude-sonnet-4-6
-**Tools**: argus_solodit_search, argus_check_patterns, skill
+**Tools**: argus_solodit_search, argus_check_patterns, argus_record_finding, skill
 
 ## scribe
 
 **Role**: Audit report writer
 **Description**: Transforms raw findings into professional markdown audit reports. Produces structured output with severity classifications (Critical/High/Medium/Low/Informational), impact assessments, proof-of-concept steps, and actionable recommendations. Dispatched by Argus only after all analysis is complete.
 **Model**: anthropic/claude-sonnet-4-6
-**Tools**: argus_generate_report, skill
+**Tools**: argus_read_findings, argus_persist_deduped, argus_generate_report, skill
+
+## themis
+
+**Role**: Audit quality gate
+**Description**: Independent cross-validation agent running on GPT-5.4 (different LLM provider for reasoning diversity). Validates pipeline integrity: compares raw findings against Scribe's deduped output and the final report. Performs second-opinion research via Solodit and vulnerability skill checklists. Returns a structured verdict to Argus who makes the final decision. Dispatched by Argus after Scribe completes.
+**Model**: openai/gpt-5.4
+**Tools**: argus_read_findings, argus_solodit_search, argus_check_patterns, argus_skill_load, skill

package/README.md

@@ -10,7 +10,7 @@
 
 **solidity-argus** is a security auditing plugin for [OpenCode](https://opencode.ai) that brings professional-grade Solidity smart contract auditing directly into your AI coding workflow.
 
-Argus Panoptes — the mythological all-seeing giant — orchestrates a team of 4 specialized AI agents to conduct comprehensive security audits: static analysis, vulnerability research, dynamic testing, and professional report generation.
+Argus Panoptes — the mythological all-seeing giant — orchestrates a team of 5 specialized AI agents to conduct comprehensive security audits: static analysis, vulnerability research, dynamic testing, professional report generation, and independent validation.
 
 **What it does:**
 - Runs Slither static analysis and Foundry tests automatically
@@ -42,6 +42,8 @@ Or install via npm/bun:
 bun add solidity-argus
 ```
 
+`solidity-argus` is Bun/OpenCode-native. The package entrypoints and CLI bins intentionally point at TypeScript source executed by Bun/OpenCode, so use `bun` or `bunx` for CLI commands rather than Node-only runners.
+
 ---
 
 ## Quick Start
@@ -67,9 +69,10 @@ Argus will automatically:
 | `@sentinel` | Static analysis & testing specialist | claude-sonnet-4-6 |
 | `@pythia` | Vulnerability researcher | claude-sonnet-4-6 |
 | `@scribe` | Audit report writer | claude-sonnet-4-6 |
+| `@themis` | Independent audit quality gate | gpt-5.4 |
 
 ### @argus — The Orchestrator
-Argus Panoptes is the lead auditor. It follows a 7-step methodology (Reconnaissance, Automated Scanning, Manual Review, Attack Surface Mapping, Vulnerability Research, Testing & Verification, Reporting) and delegates to Sentinel, Pythia, and Scribe as needed.
+Argus Panoptes is the lead auditor. It follows a 7-step methodology (Reconnaissance, Automated Scanning, Manual Review, Attack Surface Mapping, Vulnerability Research, Testing & Verification, Reporting) and delegates to Sentinel, Pythia, Scribe, and Themis as needed.
 
 ### @sentinel — The Executor
 Runs Slither, writes and executes Foundry tests, performs fuzz testing. Your tactical executor for all dynamic and static analysis tasks.
@@ -80,6 +83,9 @@ Searches Solodit and SCVD for historical exploits, checks vulnerability pattern
 ### @scribe — The Reporter
 Transforms raw findings into professional, structured markdown audit reports with severity classifications, impact assessments, and actionable recommendations.
 
+### @themis — The Quality Gate
+Validates the completed audit by comparing raw findings, deduped findings, and the generated report. Themis challenges false positives, severity choices, and dropped findings before final delivery.
+
 ---
 
 ## Tools
@@ -95,6 +101,10 @@ Transforms raw findings into professional, structured markdown audit reports wit
 | `argus_gas_analysis` | Sentinel | Runs forge gas report analysis, parses per-function gas metrics, and identifies high-gas hotspots above configurable threshold |
 | `argus_forge_fuzz` | Sentinel | Fuzzes specific functions with random inputs to find edge cases and invariant violations |
 | `argus_forge_coverage` | Sentinel | Runs forge coverage analysis and returns structured per-file coverage metrics (lines, statements, branches, functions) |
+| `argus_skill_load` | Pythia, Themis | Loads curated SKILL.md knowledge files on demand for vulnerability patterns, protocol guidance, methodology, and case studies |
+| `argus_record_finding` | Sentinel, Pythia | Records verified manual, static-analysis, research, or testing findings into durable audit state |
+| `argus_read_findings` | Scribe, Themis | Reads persisted findings and audit artifacts for report generation and validation |
+| `argus_persist_deduped` | Scribe | Persists deduplicated findings before final report generation and validation |
 | `argus_generate_report` | Scribe | Generates the final structured audit report in professional markdown format |
 | `argus_sync_knowledge` | Argus | Syncs the local vulnerability database from SCVD (api.scvd.dev) |
 
@@ -260,7 +270,7 @@ Argus supports three distinct knowledge ingestion patterns:
 **Sources:** SCVD local index, Trail of Bits companion skills
 
 - Local index synced periodically via `argus_sync_knowledge`
-- Cached locally in `~/.cache/solidity-argus/scvd-index.json`
+- Cached locally in `ARGUS_CACHE_DIR` (default: `~/.cache/solidity-argus/scvd-index.json`)
 - Refreshed on-demand when `knowledge.autoSync: true`
 - Trail of Bits skills git-cloned on install and updated via companion plugin
 - Example: SCVD findings indexed locally, queried without network latency
@@ -269,7 +279,7 @@ Argus supports three distinct knowledge ingestion patterns:
 
 ## Configuration
 
-Create `.opencode/solidity-argus.jsonc` in your project root:
+Create `.argus/solidity-argus.jsonc` in your project root. `.opencode/solidity-argus.jsonc` remains supported as a project-level compatibility fallback:
 
 ```jsonc
 {
@@ -277,7 +287,8 @@ Create `.opencode/solidity-argus.jsonc` in your project root:
     "argus": { "model": "anthropic/claude-opus-4-6" },
     "sentinel": { "model": "anthropic/claude-sonnet-4-6" },
     "pythia": { "model": "anthropic/claude-sonnet-4-6" },
-    "scribe": { "model": "anthropic/claude-sonnet-4-6" }
+    "scribe": { "model": "anthropic/claude-sonnet-4-6" },
+    "themis": { "model": "openai/gpt-5.4" }
   },
 
   "tools": {
@@ -300,7 +311,7 @@ Create `.opencode/solidity-argus.jsonc` in your project root:
 
   "solodit": {
     "enabled": true,
-    "port": 3000
+    "port": 54173
   },
 
   "disabled_hooks": [],
@@ -327,12 +338,13 @@ Argus uses a **three-channel context delivery system** to inject dynamic audit s
 
 ### Prompt Channel (Static Identity)
 
-Each of the 4 Argus agents has a static prompt file defining its role, methodology, and tool instructions:
+Each of the 5 Argus agents has a static prompt file defining its role, methodology, and tool instructions:
 
 - `src/agents/argus-prompt.ts` — Orchestrator methodology (7-step audit framework)
 - `src/agents/sentinel-prompt.ts` — Static analysis & testing instructions
 - `src/agents/pythia-prompt.ts` — Vulnerability research methodology
 - `src/agents/scribe-prompt.ts` — Report generation format and structure
+- `src/agents/themis-prompt.ts` — Independent validation and quality gate logic
 
 These prompts **never change at runtime** and establish the agent's core identity and decision-making framework.
 
@@ -345,7 +357,7 @@ The `experimental.chat.system.transform` hook injects dynamic audit state into t
 - Tools executed and their results
 - Session-specific audit state (contract under review, scope, etc.)
 
-**Critical Rule:** This hook is **Argus-family gated**. Only agents in `{argus, sentinel, pythia, scribe}` receive injected context. All other agents receive `undefined` (no injection).
+**Critical Rule:** This hook is **Argus-family gated**. Only agents in `{argus, sentinel, pythia, scribe, themis}` receive injected context. All other agents receive `undefined` (no injection).
 
 **Session→Agent Mapping Pattern:**
 1. `chat.params` hook captures `(sessionID, agentName)` pairs during each turn
@@ -370,7 +382,7 @@ This channel is **lazy-loaded** — agents request skills only when needed, redu
 
 - **Dynamic injection:** `system.transform` uses agent-gated dynamic audit state injection via `createSystemPromptHook` (see `src/create-hooks.ts`).
 - **Global transforms forbidden:** No global system context injection unless agent-gated and minimal. Prevents context window overflow.
-- **Audit state persistence:** State is saved to `.opencode/argus-state.json` and restored on session restart (see `Persistent Audit State` section).
+- **Audit state persistence:** Active session state is stored under `.argus/sessions/state-{sessionId}.json` and archived to `.argus/archives/argus-state.{timestamp}.json` on teardown (see `Persistent Audit State` section).
 
 ---
 
@@ -386,7 +398,7 @@ Run diagnostics and setup from the command line:
 # Check that Slither, Foundry, and SCVD are available
 argus doctor
 
-# Generate a starter .opencode/solidity-argus.jsonc config
+# Generate a starter .argus/solidity-argus.json config
 argus init
 
 # Validate SKILL.md files against schema
@@ -412,7 +424,7 @@ Config is resolved by merging three layers (last wins):
 
 1. **Defaults** — Built-in sensible defaults
 2. **User-level** — `~/.config/opencode/solidity-argus.jsonc`
-3. **Project-level** — `.opencode/solidity-argus.jsonc`
+3. **Project-level** — `.argus/solidity-argus.jsonc` (preferred) or `.opencode/solidity-argus.jsonc` (compatibility fallback)
 
 ### Background Agent Management
 
@@ -428,7 +440,7 @@ Background tasks (knowledge sync, long-running analysis) are tracked with config
 
 ### Persistent Audit State
 
-Audit progress survives session restarts. State is saved to `.opencode/argus-state.json` and automatically restored on next session.
+Audit progress survives session restarts. Active runs persist to `.argus/sessions/state-{sessionId}.json` and teardown snapshots are archived to `.argus/archives/argus-state.{timestamp}.json`. `.opencode` remains a read fallback during migration.
 
 ### Error Recovery
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solidity-argus",
-  "version": "0.3.6",
-  "description": "Solidity smart contract security auditing plugin for OpenCode — 4 specialized agents, 12 tools (11 core + optional Solodit), and a curated vulnerability knowledge base",
+  "version": "0.5.6",
+  "description": "Solidity smart contract security auditing plugin for OpenCode — 5 specialized agents, 15 tools (14 core + optional Solodit), and a curated vulnerability knowledge base",
   "keywords": [
     "solidity",
     "security",
@@ -21,7 +21,11 @@
   "module": "./src/index.ts",
   "types": "./src/index.ts",
   "exports": {
-    ".": "./src/index.ts",
+    ".": {
+      "types": "./src/index.ts",
+      "bun": "./src/index.ts",
+      "default": "./src/index.ts"
+    },
     "./package.json": "./package.json"
   },
   "bin": {

package/skills/checklists/cyfrin-best-practices-runtime/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: cyfrin-best-practices-runtime
 description: Cyfrin best-practice checklist focused on runtime heuristics, cross-chain concerns, and timelock controls
+category: checklist
 ---
 <!-- Source: Cyfrin/audit-checklist -->
 <!-- Auto-generated from https://github.com/Cyfrin/audit-checklist -->

package/skills/checklists/cyfrin-best-practices-upgrades/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: cyfrin-best-practices-upgrades
 description: Cyfrin best-practice checklist focused on proxy, upgradeability, and versioning concerns
+category: checklist
 ---
 <!-- Source: Cyfrin/audit-checklist -->
 <!-- Auto-generated from https://github.com/Cyfrin/audit-checklist -->

package/skills/checklists/cyfrin-defi-core/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: cyfrin-defi-core
 description: Cyfrin DeFi checklist covering attacker mindset and protocol-level DeFi primitives
+category: checklist
 source_url: https://github.com/Cyfrin/audit-checklist
 source_license: unspecified
 imported_at: "2025-01-15T00:00:00Z"

package/skills/checklists/cyfrin-defi-integrations/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: cyfrin-defi-integrations
 description: Cyfrin DeFi checklist covering integrations, token standards, and ecosystem-specific risks
+category: checklist
 ---
 <!-- Source: Cyfrin/audit-checklist -->
 <!-- Auto-generated from https://github.com/Cyfrin/audit-checklist -->

package/skills/checklists/cyfrin-gas/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: cyfrin-gas
 description: Cyfrin audit checklist — gas optimization and efficiency items for Solidity smart contracts
+category: checklist
 ---
 <!-- Source: Cyfrin/audit-checklist -->
 <!-- Auto-generated from https://github.com/Cyfrin/audit-checklist -->

package/skills/checklists/general-audit/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: general-audit
 description: Comprehensive Solidity audit checklist spanning access control, reentrancy, oracles, and integrations.
+category: checklist
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/methodology/audit-workflow/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: audit-workflow
 description: Five-phase Solidity audit workflow covering recon, static analysis, manual review, verification, and reporting.
+category: methodology
 source_url: https://github.com/DeFiFoFum/fofum-solidity-skills
 source_license: MIT
 imported_at: "2025-01-15T00:00:00Z"

package/skills/methodology/report-template/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: report-template
 description: Reusable smart contract audit report structure with severity IDs, finding sections, and appendices.
+category: methodology
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/methodology/severity-classification/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: severity-classification
 description: Impact-versus-likelihood rubric to classify Solidity findings from informational through critical severity.
+category: methodology
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/protocol-patterns/amm-dex/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: amm-dex
 description: AMM and DEX security patterns covering pricing, LP accounting, MEV, and swap invariants.
+category: protocol-pattern
 source_url: https://github.com/DeFiFoFum/fofum-solidity-skills
 source_license: MIT
 imported_at: "2025-01-15T00:00:00Z"

package/skills/protocol-patterns/bridges-cross-chain/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: bridges-cross-chain
 description: Cross-chain bridge security guidance for message verification, replay prevention, and validator risk.
+category: protocol-pattern
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/protocol-patterns/dao-governance/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: dao-governance
 description: Governance security patterns for voting, timelocks, proposal execution, and quorum safety.
+category: protocol-pattern
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/protocol-patterns/lending-borrowing/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: lending-borrowing
 description: Security review framework for lending and borrowing systems including liquidations and accounting.
+category: protocol-pattern
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/protocol-patterns/staking-vesting/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: staking-vesting
 description: Staking security guidance for reward accounting, lock periods, timing attacks, and withdrawals.
+category: protocol-pattern
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/vulnerability-patterns/flash-loan-attacks/SKILL.md

@@ -210,53 +210,3 @@ modifier noFlashLoan() {
 - [Flash Loan Attack Taxonomy (Arxiv)](https://arxiv.org/abs/2003.03810)
 - [Beanstalk Exploit Analysis](https://rekt.news/beanstalk-rekt/)
 - [Euler Exploit (BlockSec)](https://blocksec.com/blog/how-the-200m-euler-exploit-worked)
-
-## Supplemental Heuristics (kadenzipfel)
-
-## Preconditions
-- Contract uses `block.timestamp` (or the deprecated `now` alias) for security-sensitive logic
-- The outcome of that logic can be influenced by a timestamp shift within the manipulation window (~15s on PoW chains, slot-fixed on PoS Ethereum but variable on L2s/sidechains)
-- OR: `block.number` is used as a proxy for elapsed time
-
-## Vulnerable Pattern
-```solidity
-// Timestamp as sole randomness source
-function roll() external {
-    // Validator can manipulate block.timestamp to bias outcome
-    uint256 result = uint256(keccak256(abi.encodePacked(block.timestamp))) % 6;
-    if (result == 0) {
-        _payWinner(msg.sender);
-    }
-}
-
-// Tight time window vulnerable to manipulation
-function claimBonus() external {
-    // 15-second window — validator can push timestamp to include/exclude
-    require(block.timestamp >= deadline && block.timestamp <= deadline + 15);
-    _sendBonus(msg.sender);
-}
-```
-
-## Detection Heuristics
-1. Search for `block.timestamp` and `now` (deprecated alias) usage
-2. If used for randomness (e.g., fed into `keccak256` for a random value), flag immediately — this is always exploitable
-3. If used in conditional logic, check the time window: can a ~15-second manipulation affect the outcome?
-4. Search for `block.number` used as a time proxy (e.g., `block.number * 12` for seconds) — flag as fragile since block times change
-5. For L2/sidechain deployments, check chain-specific timestamp guarantees — some have weaker constraints than mainnet PoS
-
-## False Positives
-- `block.timestamp` used only for logging or non-critical display purposes
-- Time windows are large enough (hours/days) that a 15-second manipulation is irrelevant
-- On PoS Ethereum mainnet, timestamps are fixed per 12-second slots — validator manipulation is constrained to slot boundaries, not arbitrary values
-- `block.timestamp` used with a commit-reveal scheme where the timestamp alone doesn't determine the outcome
-
-## Remediation
-- Never use `block.timestamp` for randomness — use Chainlink VRF or another verifiable randomness oracle
-- For time-dependent logic, ensure the acceptable window is significantly larger than the manipulation range
-- Avoid `block.number` as a time proxy; use `block.timestamp` with appropriate tolerance
-- On L2s/sidechains, verify chain-specific timestamp constraints before relying on `block.timestamp`
-```solidity
-// Safe: large time window where 15s manipulation is irrelevant
-require(block.timestamp >= vestingEnd, "still vesting");
-// vestingEnd is months/years away — manipulation doesn't matter
-```

package/skills/vulnerability-patterns/oracle-manipulation/SKILL.md

@@ -209,66 +209,3 @@ function getPriceWithCircuitBreaker() external returns (uint256) {
 - [samczsun: Taking undercollateralized loans](https://samczsun.com/taking-undercollateralized-loans-for-fun-and-for-profit/)
 - [Chainlink Best Practices](https://docs.chain.link/data-feeds/selecting-data-feeds)
 - [Euler Oracle Manipulation (Omniscia)](https://omniscia.io/reports/euler-finance-oracle-manipulation/)
-
-## Supplemental Heuristics (kadenzipfel)
-
-## Preconditions
-- Transaction inputs are visible in the public mempool before block inclusion
-- The outcome of the function depends on transaction ordering
-- An attacker can profit by observing and front-running (or sandwiching) the victim's transaction
-
-## Vulnerable Pattern
-```solidity
-// DEX swap without slippage protection
-function swap(address tokenIn, address tokenOut, uint256 amountIn) external {
-    // No minimum output amount — attacker sandwiches:
-    // 1. Front-run: buy tokenOut (price goes up)
-    // 2. Victim's swap executes at worse price
-    // 3. Back-run: sell tokenOut (profit from price impact)
-    uint256 amountOut = getAmountOut(amountIn);
-    IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
-    IERC20(tokenOut).transfer(msg.sender, amountOut);
-}
-
-// On-chain secret submission
-function submitAnswer(bytes32 answer) external {
-    // Answer visible in mempool — anyone can copy it
-    require(keccak256(abi.encodePacked(answer)) == targetHash);
-    _reward(msg.sender);
-}
-
-// ERC20 approval race condition
-// User approves 100, wants to change to 50
-// Attacker sees approve(50) in mempool, spends 100, then spends 50 = 150 total
-```
-
-## Detection Heuristics
-1. Search for DEX/swap functions: check for slippage protection (`minAmountOut` parameter) and deadline parameters — flag if absent
-2. Search for on-chain submissions of secrets, answers, or bids — these are observable in the mempool
-3. Search for ERC20 `approve` patterns: check if the contract sets allowance to zero before setting a new value
-4. Look for auction/bidding logic where observing others' bids provides an advantage
-5. Identify any function where the order of execution matters and inputs are publicly visible before inclusion
-
-## False Positives
-- Transaction is submitted via a private mempool (Flashbots Protect, MEV Blocker)
-- Commit-reveal scheme is used: commitment hash submitted first, reveal in a later block
-- Slippage protection with `minAmountOut` and `deadline` parameters are present
-- The function's outcome is order-independent (e.g., simple deposit into a vault at a fixed rate)
-
-## Remediation
-- For DEX operations: require `minAmountOut` and `deadline` parameters for slippage protection
-- For secret submissions: use commit-reveal schemes (hash commitment first, reveal later)
-- For ERC20 approvals: use `increaseAllowance`/`decreaseAllowance` or set to zero first
-- Consider Flashbots or private transaction relays for MEV-sensitive operations
-```solidity
-function swap(
-    address tokenIn, address tokenOut, uint256 amountIn,
-    uint256 minAmountOut, // Slippage protection
-    uint256 deadline       // Time protection
-) external {
-    require(block.timestamp <= deadline, "expired");
-    uint256 amountOut = getAmountOut(amountIn);
-    require(amountOut >= minAmountOut, "slippage");
-    // ... execute swap
-}
-```