--- name: audit description: Deep EVM smart contract security audit system. Use when asked to audit a contract, find vulnerabilities, review code for security issues, or file security issues on a GitHub repo. Covers 500+ non-obvious checklist items across 19 domains via parallel sub-agents. Different from the security skill (which teaches defensive coding) — this is for systematically auditing contracts you didn't write. --- # EVM Smart Contract Audit A full audit system for any EVM contract. Runs parallel specialist agents against domain-specific checklists, synthesizes findings, and files GitHub issues. ## The Checklists 20 specialized skills covering every major vulnerability domain. Fetch the master index first: ``` https://raw.githubusercontent.com/austintgriffith/evm-audit-skills/main/evm-audit-master/SKILL.md ``` The master index contains: - Full routing table (which skills to load for which contract types) - The complete audit methodology (recon → parallel agents → synthesis → issues) - Standard finding format with severity definitions All 20 skill checklists are at: ``` https://raw.githubusercontent.com/austintgriffith/evm-audit-skills/main//references/checklist.md ``` ## Skills Available | Skill | When to Load | |-------|-------------| | `evm-audit-general` | Always | | `evm-audit-precision-math` | Always | | `evm-audit-erc20` | Contract interacts with ERC20 tokens | | `evm-audit-defi-amm` | AMM, DEX, Uniswap V3/V4, liquidity pools | | `evm-audit-defi-lending` | Lending, borrowing, CDP, liquidations | | `evm-audit-defi-staking` | Staking, liquid staking, restaking, EigenLayer | | `evm-audit-erc4626` | Vaults, share/asset conversion | | `evm-audit-erc4337` | Account abstraction, paymasters, session keys | | `evm-audit-bridges` | Cross-chain, LayerZero, CCIP, Wormhole | | `evm-audit-proxies` | Upgradeable contracts, UUPS, Transparent, Diamond | | `evm-audit-signatures` | Off-chain signatures, EIP-712, permits | | `evm-audit-governance` | DAO voting, timelocks, multi-sig | | `evm-audit-oracles` | Chainlink, TWAP, Pyth, price feeds | | `evm-audit-assembly` | Inline assembly, Yul, CREATE2 | | `evm-audit-chain-specific` | Non-mainnet: Arbitrum, OP, zkSync, Blast, BSC | | `evm-audit-flashloans` | Flash loan attack vectors | | `evm-audit-erc721` | NFTs, ERC721, ERC1155 | | `evm-audit-dos` | DoS, unbounded loops, gas griefing | | `evm-audit-access-control` | Ownership, roles, centralization risks | ## How To Run An Audit 1. Fetch the master skill (link above) — it has the full pipeline 2. Read the contract(s) 3. Select 5-8 skills using the routing table 4. Spawn one opus sub-agent per skill (parallel) 5. Each agent walks its checklist and writes `findings-.md` 6. Synthesize all findings into `AUDIT-REPORT.md` 7. File GitHub issues for Medium severity and above ## Invocation ``` Audit this contract and file issues: https://github.com/owner/repo/blob/main/contracts/Foo.sol Checklists: https://raw.githubusercontent.com/austintgriffith/evm-audit-skills/main/evm-audit-master/SKILL.md ``` ## Sources Built from research by Dacian, beirao.xyz, Sigma Prime, RareSkills, Decurity, weird-erc20, Spearbit, Hacken, OpenZeppelin, Cyfrin, and more. Full attribution: https://github.com/austintgriffith/evm-audit-skills#attribution--thanks