원클릭으로
fork-ancestry
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Trigger STABLESWAP_FORK flag (fork-ancestry detects Curve/StableSwap parent via get_d/get_y/ramp_a/StableSwap patterns) - Agent Type general-purpose (standalone niche agent, 1 budget slot)
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment)
Protocol Type Trigger NAMED_EXTERNAL_PROTOCOL (detected when recon finds import/interface for an identifiable external protocol — not standard libraries). Researches known integration hazards of the target protocol.
| name | fork-ancestry |
| description | Trigger Pattern Always (run during recon TASK 0, not breadth) - Inject Into Recon agent only (meta_buffer.md enrichment) |
Trigger Pattern: Always (run during recon TASK 0, not breadth) Inject Into: Recon agent only (meta_buffer.md enrichment) Finding prefix:
[FA-N]Purpose: Detect known parent Soroban contracts and Stellar DeFi ecosystem projects, and inherit their historical vulnerability patterns.
Grep the codebase for known parent Soroban/Stellar project signatures:
| Parent Project | Detection Patterns | Common Forks |
|---|---|---|
| SoroSwap | soroswap|SoroswapPair|SoroswapFactory|soroswap_router|soroswap_pair|get_reserves|swap_exact_tokens | AMM/DEX forks |
| Blend Protocol | blend|BlendPool|BlendEmissions|backstop|b_token|d_token|blend_capital|BlendLendingPool|reserve_data | Lending protocol forks |
| Phoenix DEX | phoenix|PhoenixPool|phoenix_multihop|phoenix_factory|lp_share|phoenix_swap|stake_lp | Concentrated liquidity / AMM forks |
| Aquarius | aquarius|AquariusPool|aqua_token|aquarius_amm|reward_token|voting_escrow | Liquidity incentive / vote-escrow forks |
| Reflector (oracle) | reflector|oracle_asset|TimeWeightedAverage|PriceData|reflector_oracle|get_price|get_twap | Price oracle forks |
| Stellar Asset Contract (SAC) | token::Client|stellar_asset_contract|soroban_token_interface|TokenInterface|token_contract | Any SAC-compatible token implementation |
| Curve StableSwap | get_d|get_y|get_y_d|ramp_a|stop_ramp_a|stableswap|StableSwap|A_PRECISION|RATE_MULTIPLIER|calc_withdraw_one_coin|remove_liquidity_imbalance|get_virtual_price|admin_fee|commit_new_fee|apply_new_fee | StableSwap AMM forks — set STABLESWAP_FORK flag if MEDIUM+ confidence |
| Comet Protocol | comet|CometPool|comet_amm|weighted_pool|join_pool|exit_pool | Balancer-style weighted pool forks |
| soroban-examples | soroban_examples|soroban-examples|soroban_sdk::contract|soroban_sdk::contractimpl | Contracts directly derived from official examples |
| Stellar Turrets | turret|TxFunction|fee_bump|turret_contract | Legacy function-as-a-service pattern (now deprecated) |
Also check:
Cargo.toml dependencies for parent crate names (e.g., blend-contract-sdk, phoenix-dex, soroswap-lib)use blend_contract_sdk::, use phoenix::, etc.soroban-sdk version in Cargo.toml (soroban-sdk = "X.Y.Z") — known vulnerabilities per SDK versionGit-based detection (complements code-pattern matching — catches forks that renamed all identifiers).
Skip if REPO_SHAPE: squashed_import in build_status.md — single-commit repos have no meaningful git metadata.
.gitmodules for submodule URLs pointing to known parent reposgit remote -v for origin URLs matching known Stellar/Soroban organizations (stellar, soroswap, blend-capital, phoenix-protocol, esteblock)GIT_ONLY_FORKOutput: List of detected parents with confidence level:
Cargo.toml dependenciesFor each detected parent (confidence MEDIUM or HIGH):
// Query 1: Known high-quality issues
search_solodit_live(
keywords="{parent_name} soroban stellar",
impact=["HIGH", "CRITICAL"],
language="Rust",
quality_score=3,
sort_by="Quality",
max_results=15
)
// Query 2: Fork-specific divergence issues
search_solodit_live(
keywords="{parent_name} fork modified soroban",
impact=["HIGH", "MEDIUM"],
language="Rust",
sort_by="Rarity",
max_results=10
)
tavily_search(query="{parent_name} soroban stellar contract vulnerability exploit audit finding 2024 2025 2026")
Compile results into:
| Parent | Known Issue | Severity | Root Cause | Solodit Ref | Applicable to Fork? |
|---|---|---|---|---|---|
| {parent} | {issue title} | {severity} | {brief root cause} | {link/ID} | YES / NO / CHECK |
Applicability criteria:
If Solodit AND Tavily BOTH fail, use this minimum catalog — check EACH applicable parent.
This floor is keyed on the dependency's TYPE (generic mechanism), NOT on any specific protocol name — brand-keyed rows are prohibited (a floor row naming a specific protocol is the confirmed benchmark-contamination vector; see the HARD no-overfit rule). Classify the detected parent into a type below and check the generic hazard class.
| Parent (generic type) | Critical Known Issue | Root Cause | Search Keywords |
|---|---|---|---|
| AMM / swap pool (constant-product model) | First-depositor share inflation (share = 0 for tiny initial deposit) | deposit() mints shares proportionally; tiny first deposit sets price, second depositor can lose funds | amm swap pool first deposit share inflation liquidity |
| Lending / reserve-accrual parent | Reserve accrual desync: interest/accrual index not updated on every balance-mutating path | Interest index update not triggered on every operation path (deposit/borrow/repay/withdraw), causing tracked-balance divergence | lending reserve accrual index desync interest |
| Concentrated-liquidity AMM | Concentrated liquidity bin boundary precision loss at extreme price ranges | Fixed-point arithmetic at bin edges truncates, accumulating rounding errors over many swaps | concentrated liquidity bin precision rounding soroban |
| External price/data oracle parent | No staleness check enforcement at consumer level (consumer does not validate data age) | Oracle publishes fresh data; consuming contracts read without checking the source last_update/timestamp | oracle staleness consumer check soroban |
| SAC token interface | transfer_from allowance bypass via contract-to-contract calls where from == contract_address | SAC allowance model differs from ERC-20: contract calling on its own behalf bypasses allowance check | stellar asset contract transfer_from allowance bypass |
| soroban-sdk (early versions) | Storage key collision via Symbol::new with similar string prefixes | Symbol::new and Symbol::short have different encodings; key collision possible for certain strings | soroban-sdk symbol storage key collision |
Any contract using env.ledger().timestamp() | Timestamp is ledger close time, NOT block time; consecutive ledgers can have same timestamp if closed quickly | SCP allows back-to-back ledger closes with identical timestamps; timestamp-based cooldowns may be bypassable | soroban ledger timestamp same consecutive cooldown |
For each detected parent:
Compare fork vs parent in security-critical paths:
| Component | Parent Behavior | Fork Behavior | Security Impact |
|---|---|---|---|
| {component} | {original} | {modified or SAME} | {new risk or NONE} |
Soroban-specific divergence focus areas (ordered by criticality):
Soroban uses a capability-based auth model (env.require_auth(&address)). Unlike EVM's msg.sender, auth must be explicitly required for each address that should authorize a call.
require_auth calls?admin to user or removed auth entirely)?require_auth_for_args (more restrictive — limits auth to specific arguments) vs plain require_auth (allows authorization for any arguments)?require_auth from a state-modifying function means ANY caller can execute it.mock_all_auths() in non-test code? (This disables auth entirely — a catastrophic mistake if left in production.)Symbol, different enum variant, different data key type)?invoke_contract with an unvalidated address allows the admin (or an attacker who can set the address) to redirect calls to a malicious contract.transfer behavior (e.g., fee-on-transfer tokens)?token::Client::transfer succeeds but the received amount is less than requested (fee-on-transfer)?temporary → persistent or vice versa) — TTL semantics differFor each modification:
Append to {SCRATCHPAD}/meta_buffer.md:
## Fork Ancestry Analysis
### Detected Parents
| Parent | Confidence | Patterns Found | soroban-sdk Version |
|--------|-----------|---------------|---------------------|
### Inherited Vulnerabilities to Verify
| # | Parent Issue | Severity | Location in Fork | Status |
|---|-------------|----------|------------------|--------|
| 1 | {issue} | {severity} | {fork location: file:line} | CHECK / VERIFIED_SAFE / VULNERABLE |
### Fork Divergences (Security-Critical)
| # | Component | Change Type | Change Description | New Risk? |
|---|-----------|------------|-------------------|-----------|
| 1 | {component} | AUTH / STORAGE_KEY / EXTERNAL_ADDRESS / TOKEN_INTERFACE / MATH / OTHER | {what changed} | YES/NO/CHECK |
### soroban-sdk Version Vulnerabilities
| Version | Known Issue | Applicable? |
|---------|-----------|-------------|
| {version from Cargo.toml} | {known issue for this version} | YES/NO |
### Questions for Breadth Agents
1. {derived from inherited vulnerabilities}
2. {derived from divergence analysis}
3. {derived from external address changes}
| Section | Required | Completed? | Notes |
|---|---|---|---|
| 1. Detect Fork Indicators | YES | ||
| 2. Query Known Parent Issues | IF parent detected | ||
| 2d. Hardcoded Known-Issue Floor | IF Solodit+Tavily both fail | ||
| 3. Divergence Analysis | IF parent detected | ||
| 3a. Authorization Changes | IF parent detected | ||
| 3a. Storage Key Changes | IF parent detected | ||
| 3a. External Contract Address Changes | IF parent detected | ||
| 3a. Token Interface Changes | IF fork changes token model | ||
| 4. Output to meta_buffer.md | YES |
After Step 1: If soroban-sdk version detected -> check against known SDK version vulnerabilities immediately.
After Step 3a (Authorization): Feed changed/removed require_auth calls to breadth agents for targeted re-analysis of all state-modifying functions.
After Step 3a (Storage Key): Feed changed key definitions to depth-state-trace for ghost state and privilege bypass analysis.
After Step 3a (External Address): Feed new external call targets to EXTERNAL_PRECONDITION_AUDIT skill for address validation audit.