defi-amm-security

Official

by Api.AirforcePrepends a system promptSecurity000 uses202,700

Solidity AMM 合约、流动性池和交换流程的安全检查清单。涵盖重入、CEI 排序、捐赠或通胀攻击、预言机操纵、滑点、管理员控制和整数数学。

open-sourceclaude-codesecurityaffaan-m

What this skill does

When applied, it prepends a system prompt before your request is sent — no extra calls and no change to how you are billed beyond the added tokens.

---
name: defi-amm-security
description: Solidity AMM 合约、流动性池和交换流程的安全检查清单。涵盖重入、CEI 排序、捐赠或通胀攻击、预言机操纵、滑点、管理员控制和整数数学。
origin: ECC direct-port adaptation
version: "1.0.0"
---

# DeFi AMM 安全

Solidity AMM 合约、LP 金库和交换函数的关键漏洞模式及强化实现。

## 适用场景

* 编写或审计 Solidity AMM 或流动性池合约
* 实现持有代币余额的交换、存款、提款、铸造或销毁流程
* 审查任何在份额或储备金计算中使用 `token.balanceOf(address(this))` 的合约
* 向 DeFi 协议添加费用设置器、暂停器、预言机更新或其他管理功能

## 工作原理

将其作为检查清单加模式库使用。对照以下类别审查每个用户入口点，并优先使用强化示例而非自行编写的变体。

## 执行安全

本技能中的 shell 命令是本地审计示例。仅在受信任的代码检出或一次性沙箱中运行，不要将不受信任的合约名称、路径、RPC URL、私钥或用户提供的标志拼接到 shell 命令中。在安装工具或运行可能消耗大量本地或付费资源的长时间模糊测试/静态分析任务前，请先询问。

切勿在命令示例、日志或报告中包含机密信息、私钥、助记词、API 令牌或主网签名凭证。

## 示例

### 重入攻击：强制遵循 CEI 顺序

存在漏洞：

```solidity
function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount);
    token.transfer(msg.sender, amount);
    balances[msg.sender] -= amount;
}
```

安全：

```solidity
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20;

function withdraw(uint256 amount) external nonReentrant {
    require(balances[msg.sender] >= amount, "Insufficient");
    balances[msg.sender] -= amount;
    token.safeTransfer(msg.sender, amount);
}
```

当存在经过验证的库时，不要自行编写防护措施。

### 捐赠或通胀攻击

直接使用 `token.balanceOf(address(this))` 进行份额计算，会让攻击者通过向合约发送代币（绕过预期路径）来操纵分母。

```solidity
// Vulnerable
function deposit(uint256 assets) external returns (uint256 shares) {
    shares = (assets * totalShares) / token.balanceOf(address(this));
}
```

```solidity
// Safe
uint256 private _totalAssets;

function deposit(uint256 assets) external nonReentrant returns (uint256 shares) {
    uint256 balBefore = token.balanceOf(address(this));
    token.safeTransferFrom(msg.sender, address(this), assets);
    uint256 received = token.balanceOf(address(this)) - balBefore;

    shares = totalShares == 0 ? received : (received * totalShares) / _totalAssets;
    _totalAssets += received;
    to

Use this skill

Per request

Add a "skill" field with the skill’s ID to your chat completion request. It is applied server-side before your prompt is sent — no extra calls.

{
  "model": "gpt-4o-mini",
  "skill": "imp-f2bc5fb2-c90e-4e24-9d4e-64a1d2bead7f",
  "messages": [{ "role": "user", "content": "…" }]
}

Always on — no field to send

Install the skill, enable it in your dashboard and (optionally) limit it to specific models. It then applies automatically to every matching request — with no "skill" field to send each time.

Set it up in your dashboard

More skills

1password

Set up and use 1Password CLI for sign-in, desktop integration, and reading or injecting secrets.

apple-notes

Create, view, edit, delete, search, move, or export Apple Notes via the memo CLI on macOS.

apple-reminders

List, add, edit, complete, or delete Apple Reminders and reminder lists via remindctl.

bear-notes

Create, search, and manage Bear notes via grizzly CLI.

blogwatcher

Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.

blucli

BluOS CLI (blu) for discovery, playback, grouping, and volume.

camsnap

Capture frames or clips from RTSP/ONVIF cameras.

clawhub

Search, install, update, sync, or publish agent skills with the ClawHub CLI and registry.