Solidity Guardian 🛡️
Security analysis for Solidity smart contracts. Find vulnerabilities, get fix suggestions, follow best practices.
Quick Start
# Analyze a single contract
node skills/solidity-guardian/analyze.js contracts/MyContract.sol
# Analyze entire project
node skills/solidity-guardian/analyze.js ./contracts/
# Generate markdown report
node skills/solidity-guardian/analyze.js ./contracts/ --format markdown > AUDIT.md
What It Detects (40+ Patterns)
Critical (Must Fix)
| ID | Vulnerability | Description |
|---|---|---|
| SG-001 | Reentrancy | External calls before state updates |
| SG-002 | Unprotected selfdestruct | Missing access control on selfdestruct |
| SG-003 | Delegatecall to untrusted | Delegatecall with user-controlled address |
| SG-004 | Uninitialized storage pointer | Storage pointer overwrites slots |
| SG-005 | Signature replay | ecrecover without nonce/chainId |
| SG-006 | Arbitrary jump | Function type from user input |
High (Should Fix)
| ID | Vulnerability | Description |
|---|---|---|
| SG-010 | Missing access control | Public functions that should be restricted |
| SG-011 | Unchecked transfer | ERC20 transfer without return check |
| SG-012 | Integer overflow | Arithmetic without SafeMath (pre-0.8) |
| SG-013 | tx.origin auth | Using tx.origin for authentication |
| SG-014 | Weak randomness | block.timestamp/blockhash for randomness |
| SG-015 | Unprotected withdrawal | Withdrawal without ownership check |
| SG-016 | Unchecked low-level call | .call() without success check |
| SG-017 | Dangerous equality | Strict balance check (manipulable) |
| SG-018 | Deprecated functions | suicide, sha3, throw, callcode |
| SG-019 | Wrong constructor | Function name matches contract |
Medium (Consider Fixing)
| ID | Vulnerability | Description |
|---|---|---|
| SG-020 | Floating pragma | Non-pinned Solidity version |
| SG-021 | Missing zero check | No validation for zero address |
| SG-022 | Timestamp dependence | Logic depends on block.timestamp |
| SG-023 | DoS with revert | Loop with external call can revert |
| SG-024 | Front-running risk | Predictable state changes |
Low (Best Practice)
| ID | Vulnerability | Description |
|---|---|---|
| SG-030 | Missing events | State changes without events |
| SG-031 | Magic numbers | Hardcoded values without constants |
| SG-032 | Implicit visibility | Functions without explicit visibility |
| SG-033 | Large contract | Contract exceeds size recommendations |
| SG-034 | Missing NatSpec | Public functions without documentation |
Usage Examples
Basic Analysis
const { analyzeContract } = require('./analyzer');
const results = await analyzeContract('contracts/Token.sol');
console.log(results.findings);
With Fix Suggestions
const results = await analyzeContract('contracts/Vault.sol', {
includeFixes: true,
severity: ['critical', 'high']
});
for (const finding of results.findings) {
console.log(`[${finding.severity}] ${finding.title}`);
console.log(` Line ${finding.line}: ${finding.description}`);
console.log(` Fix: ${finding.suggestion}`);
}
Generate Report
const { generateReport } = require('./reporter');
const report = await generateReport('./contracts/', {
format: 'markdown',
includeGas: true,
includeBestPractices: true
});
fs.writeFileSync('SECURITY_AUDIT.md', report);
Best Practices Checklist
When writing secure contracts, follow these guidelines:
Access Control
- Use OpenZeppelin's
OwnableorAccessControl - Apply
onlyOwneror role checks to sensitive functions - Implement two-step ownership transfer
- Consider timelocks for critical operations
Reentrancy Prevention
- Use
ReentrancyGuardon all external-facing functions - Follow checks-effects-interactions pattern
- Update state BEFORE external calls
- Use pull over push for payments
Input Validation
- Validate all external inputs
- Check for zero addresses
- Validate array lengths match
- Use SafeERC20 for token transfers
Arithmetic Safety
- Use Solidity 0.8+ or SafeMath
- Check for division by zero
- Validate percentage calculations (≤100)
- Be careful with token decimals
Upgradeability (if applicable)
- Use initializer instead of constructor
- Protect initialize from re-initialization
- Follow storage layout rules
- Test upgrade paths
Slither Integration
Guardian can run alongside Slither for comprehensive analysis:
# Combined analysis (auto-installs Slither if missing)
node skills/solidity-guardian/slither-integration.js ./contracts/ --install-slither
# Generate combined report
node skills/solidity-guardian/slither-integration.js . --format markdown --output AUDIT.md
# Guardian only (faster, no Slither dependency)
node skills/solidity-guardian/slither-integration.js ./contracts/ --guardian-only
# Slither only
node skills/solidity-guardian/slither-integration.js ./contracts/ --slither-only
Why both?
- Guardian: Fast pattern matching, custom rules, no compilation needed
- Slither: Deep dataflow analysis, CFG-based detection, more comprehensive
Integration with Other Tools
Hardhat
// hardhat.config.js
require('./skills/solidity-guardian/hardhat-plugin');
// Run: npx hardhat guardian
Foundry
# Add to CI
forge build
node skills/solidity-guardian/analyze.js ./src/
References
- Trail of Bits - Building Secure Contracts
- OpenZeppelin - Security Best Practices
- Consensys - Smart Contract Best Practices
- SWC Registry
Built by Avi 🔐 | Security-first, ship always.