DeFi Security Principles
Language Rule
- Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.
Scope: Only applicable to DeFi projects (DEX, lending, staking, LP, yield). Non-DeFi projects can ignore this skill.
Protection Decision Rules
| Threat | Required Protection |
|---|---|
| Whale manipulation | Daily transaction caps + per-tx amount limits + cooldown window |
| MEV / sandwich attack | EOA-only checks (msg.sender == tx.origin), or use commit-reveal pattern |
| Arbitrage | Referral binding + liquidity distribution + fixed yield model + lock period |
| Reentrancy | ReentrancyGuard on all external-call functions (see solidity-security skill) |
| Flash loan attack | Check block.number change between operations, or use TWAP pricing |
| Price manipulation | Chainlink oracle or TWAP — never rely on spot AMM reserves for pricing |
| Approval exploit | Use safeIncreaseAllowance / safeDecreaseAllowance, never raw approve for user flows |
| Governance attack | Voting requires snapshot + minimum token holding period; timelock ≥ 48h on proposal execution |
| ERC4626 inflation attack | First deposit must enforce minimum amount or use virtual shares to prevent share dilution via rounding |
| Cross-vault trust bypass | Router/Registry relay must verify vault authorization; never trust caller identity inside flash loan callbacks — EVMbench/noya H-08 |
| Collateral ownership exploit | Liquidation/staking operations must verify actual NFT/collateral ownership — EVMbench/benddao |
| Bonding curve manipulation | ID/pricing params in create operations must be fully determined before external calls — EVMbench/phi H-06 |
DEX pair _transfer TOCTOU | Never distinguish operation type by balance/reserve checks in _transfer — both directions are exploitable: buy vs removeLiquidity (pair→user) and sell vs addLiquidity (user→pair); use address whitelist only; new projects prefer Uniswap V4 Hook |
Anti-Whale Implementation Rules
- Maximum single transaction amount: configurable via
onlyOwnersetter - Daily cumulative limit per address: track with
mapping(address => mapping(uint256 => uint256))(address → day → amount) - Cooldown between transactions: enforce minimum time gap with
block.timestampcheck - Whitelist for exempt addresses (deployer, LP pair, staking contract)
Flash Loan Protection Rules
- For price-sensitive operations: require that
block.numberhas changed since last interaction - For oracle-dependent calculations: use time-weighted average (TWAP) over minimum 30 minutes
- For critical state changes: add minimum holding period before action (e.g., must hold tokens for N blocks)
Protocol Composability Risks
Source: EVMbench (OpenAI/Paradigm, Feb 2026) — vulnerability patterns from Code4rena audits
- Cross-vault operations [noya H-08]: Registry/Router relay calls must verify vault-level authorization; prevent keeper from using flash loan to impersonate other vaults
- Lending collateral [benddao]: Liquidation functions must verify
msg.senderactually owns or is authorized to operate on target collateral - Bonding curve [phi H-06]: In create + auto-buy operations, ID assignment and pricing params must be fully determined before the buy transaction executes; prevent reentrancy from modifying them
- Shared registries [noya H-08]: Permission propagation chains in shared registries must be verified hop-by-hop; never rely solely on "trusted sender" flags
Launch Checklist
Before mainnet deployment, verify all items:
- All
onlyOwnerfunctions transferred to multisig wallet - Timelock contract deployed and configured (minimum 24h delay for critical changes)
- Emergency pause mechanism tested — both pause and unpause functions work correctly
- Daily limit parameters documented and set to reasonable values
- Third-party security audit completed and all critical/high findings resolved
- Testnet deployment running for minimum 7 days with no issues
- Slippage, fee, and lock period parameters reviewed and documented
- Initial liquidity plan documented (amount, lock duration, LP token handling)
- Fuzz testing passes with high iterations (10000+) on all DeFi-critical functions
Emergency Response Procedure
| Step | Action |
|---|---|
| 1. Detect | Monitor alerts trigger (on-chain monitoring, community reports) |
| 2. Pause | Designated address calls pause() — must respond within minutes |
| 3. Assess | Technical lead analyzes root cause, estimates fund impact |
| 4. Communicate | Post incident notice to community channels (Discord, Twitter, Telegram) |
| 5. Fix | Deploy fix or prepare recovery plan |
| 6. Resume | Call unpause() after fix verified on fork — or migrate to new contract |
| 7. Post-mortem | Publish detailed incident report within 48 hours |
DeFi Testing Reference
| Test Scenario | Approach |
|---|---|
| Fuzz test fund flows | Run fuzz tests on staking/pool contracts with high iterations (10000+) |
| Fork mainnet testing | Use Foundry fork mode against mainnet RPC to test with real state |
| Simulate whale transaction | Use Foundry cast CLI to simulate large-amount calls on a forked network |