← 返回 Skills 市场

Atlas Smart Contract Audit & DeFi Bounty Triage

Name: Atlas Smart Contract Audit & DeFi Bounty Triage
Author: n8gendegen

作者 n8gendegen · GitHub ↗ · v1.0.1 · MIT-0

cross-platform ✓ 安全检测通过

总下载

当前安装

版本数

在 OpenClaw 中安装

/install atlas-bounty-triage

功能描述

Smart contract audit and DeFi security triage skill for Solidity, EVM protocols, bug bounty programs, Code4rena, Sherlock, and HackenProof. Maps attack surfa...

使用说明 (SKILL.md)

Atlas Smart Contract Audit & DeFi Bounty Triage

A lightweight smart contract audit and DeFi security triage skill for Solidity/EVM protocols, bug bounty hunters, Code4rena wardens, Sherlock auditors, and HackenProof researchers.

Use this when you need a fast first-pass review of a DeFi protocol or smart contract scope before committing hours to a manual audit.

Search Keywords / Best Use Cases

smart contract audit
DeFi audit
DeFi security audit
Solidity audit
EVM audit
vulnerability scanner
smart contract vulnerability triage
bug bounty triage
Code4rena audit workflow
Sherlock audit workflow
HackenProof bounty workflow
access control review
oracle manipulation review
reentrancy checklist
upgradeable proxy review

When to Use

New smart contract audit target assigned
DeFi contest just opened and you need to prioritize files
Bug bounty scope includes Solidity/EVM contracts
You need a structured first-pass vulnerability checklist
You want to map attack surface before deep manual review

What It Produces

A structured markdown audit triage report with:

Target overview
Protocol type and contract categories
Attack surface map
High-priority vulnerability classes
Contract-by-contract checklist
Recommended deep-dive order
Quick-win review items

Workflow

Phase 1: Smart Contract Scope Mapping

For each contract in scope:

Identify protocol type: lending, AMM, vault, staking, bridge, oracle, governance, NFT, account abstraction
Identify external integrations: Chainlink, Uniswap, Curve, ERC20 tokens, bridges, routers, keepers
Flag proxy/upgrade patterns: EIP1967, UUPS, transparent proxy, beacon proxy, clones
Identify privileged roles: owner, admin, guardian, pauser, timelock, operator
Note novel or high-risk mechanisms: custom accounting, share pricing, liquidation math, rewards, TWAPs

Phase 2: DeFi Vulnerability Prioritization

Score each vulnerability class by likelihood × impact:

HIGH PRIORITY
- Reentrancy: external calls + state changes + callbacks
- Access control: missing modifiers, wrong role assumptions, admin bypass
- Oracle manipulation: stale price, TWAP manipulation, decimal mismatch, fallback oracle bugs
- Accounting bugs: share price drift, rounding loss, fee math, collateral/debt mismatch
- Liquidation bugs: bad health factor math, stale collateral values, griefable liquidation paths
- Upgradeability bugs: unprotected initializer, storage collision, implementation takeover

MEDIUM PRIORITY
- Fee-on-transfer / rebasing token edge cases
- ERC777 / callback-enabled token surprises
- Sandwich / MEV-sensitive pricing
- DOS via unbounded loops or griefable state
- Signature replay / permit domain separator issues

LOW PRIORITY BUT CHECK
- Input validation gaps
- Event/reporting mismatch
- Gas griefing
- Minor precision loss without exploitable value extraction

Phase 3: Contract-by-Contract Checklist

## Contract: \x3CName>

### External Calls / Reentrancy
- [ ] External calls happen after state updates?
- [ ] Reentrancy guard exists where callbacks are possible?
- [ ] ERC777 / ERC721 receiver / flash loan callbacks considered?

### Access Control
- [ ] Privileged functions use correct modifier?
- [ ] Timelock/owner/admin boundaries are clear?
- [ ] Emergency functions cannot steal user funds?

### Oracle / Pricing
- [ ] Oracle freshness checked?
- [ ] Decimal normalization correct?
- [ ] Fallback oracle cannot be manipulated?
- [ ] TWAP window long enough for protocol value at risk?

### Accounting
- [ ] Shares/assets conversion handles rounding direction correctly?
- [ ] Fee calculations cannot drain or brick accounting?
- [ ] Deposits/withdrawals preserve invariants?

### Upgradeability
- [ ] Initializers protected?
- [ ] Storage layout compatible?
- [ ] Implementation cannot be selfdestructed or hijacked?

Phase 4: Audit Triage Report

# Smart Contract Audit Triage: \x3CTarget>

## Target Overview
- Protocol type:
- Chain(s):
- Contracts in scope:
- Highest-value assets:

## Attack Surface Summary
- External integrations:
- Oracle dependencies:
- Upgrade pattern:
- Privileged roles:

## Top Vulnerability Classes to Review
1. [HIGH] \x3Cclass> — \x3Cwhy this target is exposed>
2. [HIGH] \x3Cclass> — \x3Cwhy this target is exposed>
3. [MEDIUM] \x3Cclass> — \x3Cwhy this target is exposed>

## Recommended Deep-Dive Order
1. \x3Ccontract> — focus on \x3Cvulnerability class>
2. \x3Ccontract> — focus on \x3Cvulnerability class>
3. \x3Ccontract> — focus on \x3Cvulnerability class>

## Quick Wins Checklist
- [ ] Reentrancy review
- [ ] Access control review
- [ ] Oracle manipulation review
- [ ] Upgradeability review
- [ ] Accounting invariant review

---
Generated by Atlas Smart Contract Audit & DeFi Bounty Triage.
Full Atlas Agent Suite: https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage

Guardrails

This is a triage and audit workflow, not a guaranteed vulnerability finder. It helps prioritize manual review and produce better audit notes. Always verify candidate findings with a proof of concept before submission.

Get the Full Atlas Agent Suite

The full Atlas Bounty Ops workflow includes:

Contest monitoring for Code4rena, Sherlock, HackenProof
Target scoring and prioritization
Daily vulnerability pattern promotion
Finding writeup templates
Scheduled research briefings
Revenue ops and marketing agents

👉 https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage

安全使用建议

This appears safe to install based on the provided artifacts. It is a guidance/checklist skill rather than an automated scanner, so users should still manually verify any audit conclusions before relying on them.

功能分析

Type: OpenClaw Skill Name: atlas-bounty-triage Version: 1.0.1 The skill bundle provides a structured workflow and markdown templates for an AI agent to perform smart contract audits and DeFi security triage. It contains no executable code, shell commands, or instructions to access sensitive system data. The content is limited to guidance for information processing and report generation, including marketing links to the author's website (atlasagentsuite.com).

能力标签

crypto

能力评估

✓ Purpose & Capability

The stated purpose—Solidity/EVM audit triage and DeFi bounty checklist generation—matches the SKILL.md and README content.

✓ Instruction Scope

The provided instructions focus on producing structured audit triage reports and checklists; they do not direct the agent to override users, run tools, submit findings, or mutate accounts.

✓ Install Mechanism

No install spec, binaries, packages, scripts, or runtime code are present.

✓ Credentials

No environment variables, credentials, local file indexing, network access, or privileged system access are requested.

✓ Persistence & Privilege

No persistence, background execution, memory storage, account authority, or elevated privilege is described.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install atlas-bounty-triage
安装完成后，直接呼叫该 Skill 的名称或使用 /atlas-bounty-triage 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

SEO update for smart contract audit and DeFi audit search discovery

v1.0.0

Initial free lead-magnet release

元数据

Slug atlas-bounty-triage

版本 1.0.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题