with one click
evm-audit-skills
evm-audit-skills contains 20 collected skills from austintgriffith, with repository-level occupation coverage and site-owned skill detail pages.
Skills in this repository
General Solidity/EVM security checklist — non-obvious footguns that apply to every smart contract. Covers external calls, force-feeding, pause mechanisms, read-only reentrancy, merkle trees, code asymmetry, multicall hazards, and general EVM quirks. Load this for EVERY audit.
Oracle vulnerabilities including Chainlink staleness, minAnswer/maxAnswer circuit breakers, L2 sequencer uptime, TWAP manipulation, VRF front-running, spot price attacks, peg assumptions, and oracle decimal mismatches. Load when the contract uses any price oracle or external data feed.
EVM smart contract audit checklist for non-obvious access control issues. Covers centralization risks, privilege escalation, two-step ownership, role management, and admin rug vectors. Use when auditing protocols with privileged roles, admin functions, or governance. Load references/checklist.md for the full checklist.
Inline assembly, CREATE/CREATE2, EXTCODESIZE, and low-level opcode vulnerabilities. Covers metamorphic contracts, constructor-time code absence, assembly math overflow, and div-by-zero returning 0. Load when the contract uses inline assembly or CREATE2.
Cross-chain bridge vulnerabilities for LayerZero V2, Chainlink CCIP, Wormhole, Across, and general bridge security. Covers message ordering, fee handling, relayer trust, dust/normalization, and configuration pitfalls. Load when auditing any cross-chain protocol.
Chain-specific EVM quirks for Arbitrum, Optimism, Base, zkSync, Blast, BNB, Berachain and other L2s. Covers block.number behavior, sequencer downtime, address aliasing, retryable tickets, opcode differences, gas fee variations, and PUSH0 support. Load when deploying to any non-mainnet EVM chain.
AMM-specific vulnerabilities including Uniswap V3/V4 hooks, concentrated liquidity, swap routing, TWAMM, slippage, and DEX integration pitfalls. Load when auditing any AMM, DEX, swap router, or Uniswap V4 hook.
CDP, lending market, liquidation, and borrowing vulnerabilities. Covers collateral handling, health factors, auction liquidations, bad debt, interest accrual, and lending protocol integration (AAVE, Compound). Load when auditing any lending/borrowing protocol.
Liquid staking derivatives (stETH, rETH, cbETH, sfrxETH), LRTs, restaking, staking rewards, and yield farming vulnerabilities. Load when auditing staking protocols, LSD integrations, or yield aggregators.
EVM smart contract audit checklist for denial-of-service and griefing attacks. Covers gas griefing, unbounded loops, returndata bombing, block stuffing, and DoS via revert. Use when auditing protocols with loops, external calls, or time-sensitive operations. Load references/checklist.md for the full checklist.
Weird ERC20 token edge cases that break protocols. Covers fee-on-transfer, rebasing, missing return values, blocklists, multiple addresses, flash minting, ERC777 hooks, approval race conditions, and more. Load when the contract interacts with ANY ERC20 tokens.
Account abstraction (ERC-4337) vulnerabilities including wallet factories, paymaster replay, session keys, EntryPoint bugs, ERC-1271 cross-account replay, and module security. Load when auditing smart wallets, paymasters, or AA infrastructure.
ERC4626 vault standard vulnerabilities including inflation attacks, rounding direction, share price manipulation, first depositor attacks, compliance checks, and cross-chain vault issues. Load when auditing any ERC4626 vault or vault-like protocol.
EVM smart contract audit checklist for ERC721/ERC1155 tokens. Covers weird NFT behaviors, dual-standard tokens, wrapped/legacy collections, permit issues, fractionalization, pausability, blacklists, and upgradeable NFTs. Use when auditing protocols that interact with arbitrary ERC721/ERC1155 tokens. Load references/checklist.md for the full checklist.
EVM smart contract audit checklist for flash loan attack patterns. Covers flash loan governance attacks, oracle manipulation via flash loans, flash deposit-withdraw attacks, and flash mint inflation. Use when auditing DeFi protocols vulnerable to single-transaction economic attacks. Load references/checklist.md for the full checklist.
DAO governance vulnerabilities including flash loan voting, proposal execution ordering, timelock bypass, fake proposals via CREATE2, quorum manipulation, Gnosis Safe module bypasses, and reward distribution attacks. Load when auditing any governance system.
Master index for EVM smart contract security audit skills. Load this FIRST for every audit to determine which specialized skills to load. Contains routing table and audit methodology.
Precision loss, rounding errors, division ordering, fixed-point math, and mathematical edge cases in Solidity. Load this for EVERY audit — math bugs are the
Proxy and upgrade vulnerabilities including UUPS, transparent proxy, beacon proxy, storage collisions, metamorphic contracts, initializer issues, and function selector clashing. Load when auditing any upgradeable contract.
Signature vulnerabilities including cross-chain replay, ecrecover pitfalls, EIP-712 domain separator issues, permit edge cases, malleability, and meta-transaction security. Load when the contract uses any off-chain signatures.