
solidity-guardian


stars: 1,933 | forks: 367 | updated: March 4, 2026
SKILL.md Frontmatter

name: solidity-guardian
version: 1.0.0
description: Smart contract security analysis skill. Detect vulnerabilities, suggest fixes, generate audit reports. Supports Hardhat/Foundry projects. Uses pattern matching + best practices from Trail of Bits, OpenZeppelin, and Consensys.
author: aviclaw
tags: solidity, security, audit, smart-contracts, ethereum, vulnerability, scanner

Solidity Guardian 🛡️

Security analysis for Solidity smart contracts. Find vulnerabilities, get fix suggestions, follow best practices.

Quick Start

# Analyze a single contract
node skills/solidity-guardian/analyze.js contracts/MyContract.sol

# Analyze entire project
node skills/solidity-guardian/analyze.js ./contracts/

# Generate markdown report
node skills/solidity-guardian/analyze.js ./contracts/ --format markdown > AUDIT.md

What It Detects (40+ Patterns)

Critical (Must Fix)

| ID | Vulnerability | Description |
|---|---|---|
| SG-001 | Reentrancy | External calls before state updates |
| SG-002 | Unprotected selfdestruct | Missing access control on selfdestruct |
| SG-003 | Delegatecall to untrusted | Delegatecall with user-controlled address |
| SG-004 | Uninitialized storage pointer | Storage pointer overwrites slots |
| SG-005 | Signature replay | ecrecover without nonce/chainId |
| SG-006 | Arbitrary jump | Function type from user input |

High (Should Fix)

| ID | Vulnerability | Description |
|---|---|---|
| SG-010 | Missing access control | Public functions that should be restricted |
| SG-011 | Unchecked transfer | ERC20 transfer without return check |
| SG-012 | Integer overflow | Arithmetic without SafeMath (pre-0.8) |
| SG-013 | tx.origin auth | Using tx.origin for authentication |
| SG-014 | Weak randomness | block.timestamp/blockhash for randomness |
| SG-015 | Unprotected withdrawal | Withdrawal without ownership check |
| SG-016 | Unchecked low-level call | .call() without success check |
| SG-017 | Dangerous equality | Strict balance check (manipulable) |
| SG-018 | Deprecated functions | suicide, sha3, throw, callcode |
| SG-019 | Wrong constructor | Function name matches contract |

Medium (Consider Fixing)

| ID | Vulnerability | Description |
|---|---|---|
| SG-020 | Floating pragma | Non-pinned Solidity version |
| SG-021 | Missing zero check | No validation for zero address |
| SG-022 | Timestamp dependence | Logic depends on block.timestamp |
| SG-023 | DoS with revert | Loop with external call can revert |
| SG-024 | Front-running risk | Predictable state changes |

Low (Best Practice)

| ID | Vulnerability | Description |
|---|---|---|
| SG-030 | Missing events | State changes without events |
| SG-031 | Magic numbers | Hardcoded values without constants |
| SG-032 | Implicit visibility | Functions without explicit visibility |
| SG-033 | Large contract | Contract exceeds size recommendations |
| SG-034 | Missing NatSpec | Public functions without documentation |
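As an added example (not code from solidity-guardian), the following JavaScript shows how a line-based pattern scanner of the kind described here flags SG-020, SG-013, SG-014 and SG-016 on a constructed contract. The regexes, messages and the sample contract are assumptions of mine. The SG-016 rule also shows where a purely textual check stops: it only recognises a success check that sits on the same line as the call, so a pattern matcher of this kind trades precision for speed and needs a dataflow tool such as Slither behind it for the harder cases.

```javascript
// Added example (not solidity-guardian's own code): a minimal line-oriented
// scanner in the style the skill describes. Rule IDs are taken from the tables
// above; the regexes, messages and SAMPLE_CONTRACT are my own assumptions.

const RULES = [
  {
    id: 'SG-020', severity: 'medium', title: 'Floating pragma',
    // ^, ~, > or < after "pragma solidity" means the compiler version is not pinned
    test: (line) => /^\s*pragma\s+solidity\s*[\^~<>]/.test(line),
    suggestion: 'Pin the compiler version, e.g. "pragma solidity 0.8.20;"',
  },
  {
    id: 'SG-013', severity: 'high', title: 'tx.origin auth',
    // tx.origin compared or required on one line: an intermediary contract can forward the call
    test: (line) => /\btx\.origin\b/.test(line) && /==|!=|require\s*\(/.test(line),
    suggestion: 'Authenticate with msg.sender (or an access-control modifier), not tx.origin',
  },
  {
    id: 'SG-014', severity: 'high', title: 'Weak randomness',
    // block.timestamp / blockhash fed into a hash or modulo is influenceable by block producers
    test: (line) => /block\.timestamp|blockhash\s*\(/.test(line) && /%|keccak256/.test(line),
    suggestion: 'Use a verifiable randomness source (e.g. a VRF oracle) instead of block data',
  },
  {
    id: 'SG-016', severity: 'high', title: 'Unchecked low-level call',
    // a .call / .delegatecall whose bool result is neither captured nor required on that line
    test: (line) =>
      /\.(call|delegatecall)\s*(\{[^}]*\})?\s*\(/.test(line) &&
      !/\bbool\b/.test(line) &&
      !/require\s*\(/.test(line),
    suggestion: 'Capture the return value: (bool ok, ) = target.call(...); require(ok);',
  },
];

// Scan one Solidity source string; returns findings ordered by line number.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((raw, idx) => {
    // drop trailing line comments so text in a comment cannot trigger a rule
    const line = raw.replace(/\/\/.*$/, '');
    for (const rule of RULES) {
      if (rule.test(line)) {
        findings.push({
          id: rule.id, severity: rule.severity, title: rule.title,
          line: idx + 1, snippet: raw.trim(), suggestion: rule.suggestion,
        });
      }
    }
  });
  return findings;
}

// Count findings per severity, the shape a report summary would use.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample input (not a real project file): one deliberate hit per
// rule, plus a correctly checked call (safePayout) that must NOT be flagged.
const SAMPLE_CONTRACT = [
  'pragma solidity ^0.8.0;',                                                 // 1  SG-020
  'contract Raffle {',
  '    address public owner;',
  '    function setOwner(address newOwner) external {',
  '        require(tx.origin == owner, "not owner");',                        // 5  SG-013
  '        owner = newOwner;',
  '    }',
  '    function pickWinner(uint256 n) external view returns (uint256) {',
  '        return uint256(keccak256(abi.encodePacked(block.timestamp))) % n;', // 9  SG-014
  '    }',
  '    function payout(address payable to, uint256 amount) external {',
  '        to.call{value: amount}("");',                                      // 12 SG-016
  '    }',
  '    function safePayout(address payable to, uint256 amount) external {',
  '        (bool ok, ) = to.call{value: amount}("");',                        // checked: no finding
  '        require(ok, "transfer failed");',
  '    }',
  '}',
].join('\n');

// Print the findings in the same shape the usage examples below use.
for (const f of scanSource(SAMPLE_CONTRACT)) {
  console.log(`[${f.severity}] ${f.id} ${f.title}`);
  console.log(`  Line ${f.line}: ${f.snippet}`);
  console.log(`  Fix: ${f.suggestion}`);
}
console.log(summarize(scanSource(SAMPLE_CONTRACT)));
```

Each rule is a predicate over one comment-stripped line, which is why the scanner needs no compiler: that is the trade-off the "Why both?" section below describes, and also why the checked call in `safePayout` is only recognised because its `(bool ok, )` capture is on the same line as the call.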

Usage Examples

Basic Analysis

const { analyzeContract } = require('./analyzer');

const results = await analyzeContract('contracts/Token.sol');
console.log(results.findings);

With Fix Suggestions

const results = await analyzeContract('contracts/Vault.sol', {
  includeFixes: true,
  severity: ['critical', 'high']
});

for (const finding of results.findings) {
  console.log(`[${finding.severity}] ${finding.title}`);
  console.log(`  Line ${finding.line}: ${finding.description}`);
  console.log(`  Fix: ${finding.suggestion}`);
}

Generate Report

const fs = require('fs');
const { generateReport } = require('./reporter');

const report = await generateReport('./contracts/', {
  format: 'markdown',
  includeGas: true,
  includeBestPractices: true
});

fs.writeFileSync('SECURITY_AUDIT.md', report);

Best Practices Checklist

When writing secure contracts, follow these guidelines:

Access Control

  • Use OpenZeppelin's Ownable or AccessControl
  • Apply onlyOwner or role checks to sensitive functions
  • Implement two-step ownership transfer
  • Consider timelocks for critical operations

Reentrancy Prevention

  • Use ReentrancyGuard on all external-facing functions
  • Follow checks-effects-interactions pattern
  • Update state BEFORE external calls
  • Use pull over push for payments
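To make the checks-effects-interactions rule concrete, here is an added example (not solidity-guardian's code) of a function-level heuristic for SG-001 from the Critical table: it flags a write to a state variable that follows an external call, and downgrades rather than suppresses the finding when the function carries a `nonReentrant` modifier, since the ordering is still wrong. The brace-depth splitter, the regexes and the sample `Vault` contract are my own assumptions, and the approach works on raw text, so a real tool would run the same logic on the compiler's AST.

```javascript
// Added example (not solidity-guardian's own code): a function-level heuristic
// for SG-001, "external call before state update". FUNC_HEAD, STATE_DECL,
// EXTERNAL_CALL, splitFunctions and SAMPLE_VAULT are my own assumptions.

const FUNC_HEAD = /^\s*function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{/;
// contract-level declarations such as "mapping(address => uint256) public balances;"
const STATE_DECL = /^\s*(?:mapping\s*\([^;]*?\)|uint\d*|int\d*|address|bool|bytes\d*|string)\s+(?:public|private|internal)?\s*(\w+)\s*(?:=[^;]*)?;/;
// value-transferring or arbitrary external calls
const EXTERNAL_CALL = /\.(call|delegatecall|send|transfer)\s*(\{[^}]*\})?\s*\(/;

// Split a contract into its state-variable names and its functions (header + body lines).
function splitFunctions(source) {
  const stateVars = new Set();
  const functions = [];
  let depth = 0;      // brace depth: 1 = inside the contract, 2+ = inside a function
  let current = null;
  source.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '');
    if (depth === 1 && current === null) {
      const decl = STATE_DECL.exec(line);
      if (decl) stateVars.add(decl[1]);
      const head = FUNC_HEAD.exec(line);
      if (head) current = { name: head[1], header: line, body: [] };
    } else if (current !== null) {
      current.body.push({ lineNo: idx + 1, text: line });
    }
    depth += (line.match(/\{/g) || []).length;
    depth -= (line.match(/\}/g) || []).length;
    if (current !== null && depth <= 1) { // function body closed
      functions.push(current);
      current = null;
    }
  });
  return { stateVars, functions };
}

// Does this statement assign to a known state variable (including mapping/array slots)?
function writesState(text, stateVars) {
  const m = /^\s*(\w+)(?:\[[^\]]*\])*(?:\.\w+)*\s*(?:[+\-*/]?=)(?!=)/.exec(text);
  return m !== null && stateVars.has(m[1]);
}

// Flag every function in which a state variable is written after an external call.
function findReentrancy(source) {
  const { stateVars, functions } = splitFunctions(source);
  const findings = [];
  for (const fn of functions) {
    const callIdx = fn.body.findIndex((l) => EXTERNAL_CALL.test(l.text));
    if (callIdx === -1) continue;
    const write = fn.body.slice(callIdx + 1).find((l) => writesState(l.text, stateVars));
    if (!write) continue;
    const callLine = fn.body[callIdx].lineNo;
    // a guard stops re-entry but the ordering still violates checks-effects-interactions
    const guarded = /\bnonReentrant\b/.test(fn.header);
    findings.push({
      id: 'SG-001', severity: guarded ? 'medium' : 'critical', function: fn.name,
      callLine, writeLine: write.lineNo,
      suggestion: `Move the state update on line ${write.lineNo} before the external call on line ${callLine}`,
    });
  }
  return findings;
}

// Constructed sample (not a real project file): the same withdrawal written
// call-then-update (unsafe), update-then-call (safe) and guarded-but-misordered.
const SAMPLE_VAULT = [
  'pragma solidity 0.8.20;',
  'contract Vault {',
  '    mapping(address => uint256) public balances;',
  '    uint256 public totalDeposits;',
  '    function withdrawUnsafe(uint256 amount) external {',
  '        require(balances[msg.sender] >= amount, "insufficient");',
  '        (bool ok, ) = msg.sender.call{value: amount}("");',  // line 7: interaction first
  '        require(ok, "send failed");',
  '        balances[msg.sender] -= amount;',                     // line 9: effect after call
  '        totalDeposits -= amount;',
  '    }',
  '    function withdrawSafe(uint256 amount) external {',
  '        require(balances[msg.sender] >= amount, "insufficient");',
  '        balances[msg.sender] -= amount;',
  '        totalDeposits -= amount;',
  '        (bool ok, ) = msg.sender.call{value: amount}("");',
  '        require(ok, "send failed");',
  '    }',
  '    function withdrawGuarded(uint256 amount) external nonReentrant {',
  '        (bool ok, ) = msg.sender.call{value: amount}("");',  // line 20
  '        balances[msg.sender] -= amount;',                     // line 21
  '    }',
  '}',
].join('\n');

for (const f of findReentrancy(SAMPLE_VAULT)) {
  console.log(`[${f.severity}] ${f.id} in ${f.function}(): call at line ${f.callLine}, state write at line ${f.writeLine}`);
  console.log(`  Fix: ${f.suggestion}`);
}
```

Only `withdrawUnsafe` and `withdrawGuarded` are reported; `withdrawSafe` performs the same call but after its state updates, which is exactly the ordering the checklist above asks for.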

Input Validation

  • Validate all external inputs
  • Check for zero addresses
  • Validate array lengths match
  • Use SafeERC20 for token transfers

Arithmetic Safety

  • Use Solidity 0.8+ or SafeMath
  • Check for division by zero
  • Validate percentage calculations (≤100)
  • Be careful with token decimals

Upgradeability (if applicable)

  • Use initializer instead of constructor
  • Protect initialize from re-initialization
  • Follow storage layout rules
  • Test upgrade paths

Slither Integration

Guardian can run alongside Slither for comprehensive analysis:

# Combined analysis (auto-installs Slither if missing)
node skills/solidity-guardian/slither-integration.js ./contracts/ --install-slither

# Generate combined report
node skills/solidity-guardian/slither-integration.js . --format markdown --output AUDIT.md

# Guardian only (faster, no Slither dependency)
node skills/solidity-guardian/slither-integration.js ./contracts/ --guardian-only

# Slither only
node skills/solidity-guardian/slither-integration.js ./contracts/ --slither-only

Why both?

  • Guardian: Fast pattern matching, custom rules, no compilation needed
  • Slither: Deep dataflow analysis, CFG-based detection, more comprehensive

Integration with Other Tools

Hardhat

// hardhat.config.js
require('./skills/solidity-guardian/hardhat-plugin');

// Run: npx hardhat guardian

Foundry

# Add to CI
forge build
node skills/solidity-guardian/analyze.js ./src/


Built by Avi 🔐 | Security-first, ship always.