solidity-security
wshobson/agents
Master smart contract security best practices and prevent common Solidity vulnerabilities.
What is solidity-security?
This skill teaches secure smart contract development patterns, vulnerability prevention techniques, and best practices for Solidity. Use it when writing or auditing smart contracts, implementing DeFi protocols, or preparing contracts for professional security audits.
- Prevent reentrancy attacks using secure patterns
- Protect against integer overflow and underflow vulnerabilities
- Enforce access control and authorization checks
- Implement Checks-Effects-Interactions (CEI) pattern for safe state management
- Write comprehensive security tests using Hardhat
- Document contracts properly for audit readiness
How to install solidity-security
npx skills add https://github.com/wshobson/agents --skill solidity-securityHow to use solidity-security
- 1.Review the security patterns in references/details.md for your specific use case
- 2.Identify which vulnerabilities apply to your contract (reentrancy, overflow, access control)
- 3.Implement the appropriate secure patterns (CEI pattern, ReentrancyGuard, access modifiers)
- 4.Write security tests using Hardhat to verify protections against attack vectors
- 5.Document your contract thoroughly with NatSpec comments for audit preparation
- 6.Test edge cases and potential attack scenarios before deployment
Use cases
- Writing secure smart contracts from scratch
- Auditing existing contracts for common vulnerabilities
- Implementing secure DeFi protocols and token contracts
- Preventing reentrancy, overflow, and access control exploits
- Preparing contracts for professional security audits
- Smart contract developers
- Blockchain security engineers
- DeFi protocol developers
- Contract auditors
- Web3 developers preparing for mainnet deployment
solidity-security FAQ
CEI is a secure pattern for state-changing functions: first check all conditions (CHECKS), then update state (EFFECTS), then interact with external contracts (INTERACTIONS). This prevents reentrancy attacks by ensuring state is updated before external calls.
Use the CEI pattern, implement a ReentrancyGuard, or use the checks-effects-interactions ordering. The skill provides examples of ReentrancyGuard implementation and proper function structure.
The skill covers reentrancy attacks, integer overflow/underflow, improper access control, unsafe external calls, and gas optimization issues while maintaining security.
Use NatSpec comments (@dev, @notice, @param, @return) for all public functions and state variables. Include clear descriptions of what each function does and any security considerations.
Full instructions (SKILL.md)
Source of truth, from wshobson/agents.
name: solidity-security description: Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.
Solidity Security
Master smart contract security best practices, vulnerability prevention, and secure Solidity development patterns.
When to Use This Skill
- Writing secure smart contracts
- Auditing existing contracts for vulnerabilities
- Implementing secure DeFi protocols
- Preventing reentrancy, overflow, and access control issues
- Optimizing gas usage while maintaining security
- Preparing contracts for professional audits
- Understanding common attack vectors
Detailed patterns and worked examples
Detailed pattern documentation lives in references/details.md. Read that file when the navigation tier above is insufficient.
Testing for Security
// Hardhat test example
const { expect } = require("chai");
const { ethers } = require("hardhat");
describe("Security Tests", function () {
it("Should prevent reentrancy attack", async function () {
const [attacker] = await ethers.getSigners();
const VictimBank = await ethers.getContractFactory("SecureBank");
const bank = await VictimBank.deploy();
const Attacker = await ethers.getContractFactory("ReentrancyAttacker");
const attackerContract = await Attacker.deploy(bank.address);
// Deposit funds
await bank.deposit({ value: ethers.utils.parseEther("10") });
// Attempt reentrancy attack
await expect(
attackerContract.attack({ value: ethers.utils.parseEther("1") }),
).to.be.revertedWith("ReentrancyGuard: reentrant call");
});
it("Should prevent integer overflow", async function () {
const Token = await ethers.getContractFactory("SecureToken");
const token = await Token.deploy();
// Attempt overflow
await expect(token.transfer(attacker.address, ethers.constants.MaxUint256))
.to.be.reverted;
});
it("Should enforce access control", async function () {
const [owner, attacker] = await ethers.getSigners();
const Contract = await ethers.getContractFactory("SecureContract");
const contract = await Contract.deploy();
// Attempt unauthorized withdrawal
await expect(contract.connect(attacker).withdraw(100)).to.be.revertedWith(
"Ownable: caller is not the owner",
);
});
});
Audit Preparation
contract WellDocumentedContract {
/**
* @title Well Documented Contract
* @dev Example of proper documentation for audits
* @notice This contract handles user deposits and withdrawals
*/
/// @notice Mapping of user balances
mapping(address => uint256) public balances;
/**
* @dev Deposits ETH into the contract
* @notice Anyone can deposit funds
*/
function deposit() public payable {
require(msg.value > 0, "Must send ETH");
balances[msg.sender] += msg.value;
}
/**
* @dev Withdraws user's balance
* @notice Follows CEI pattern to prevent reentrancy
* @param amount Amount to withdraw in wei
*/
function withdraw(uint256 amount) public {
// CHECKS
require(amount <= balances[msg.sender], "Insufficient balance");
// EFFECTS
balances[msg.sender] -= amount;
// INTERACTIONS
(bool success, ) = msg.sender.call{value: amount}("");
require(success, "Transfer failed");
}
}
Related skills
More from wshobson/agents and the wider catalog.
tailwind-design-system
Build production-ready design systems with Tailwind CSS v4, design tokens, and component libraries.
typescript-advanced-types
Master TypeScript's advanced type system: generics, conditional types, mapped types, and utility types for type-safe applications.
nodejs-backend-patterns
Build production-ready Node.js backends with Express/Fastify, middleware patterns, auth, and database integration.
python-performance-optimization
Profile and optimize Python code using cProfile, memory profilers, and performance best practices.
brand-landingpage
Brand-first landing page designer with guided interviews and Stitch-powered iteration.
python-testing-patterns
Implement comprehensive testing strategies with pytest, fixtures, mocking, and test-driven development.