{"skill":{"slug":"atlas-bounty-triage","displayName":"DeFi Audit & Smart Contract Bounty Triage","summary":"Smart contract audit and DeFi security triage skill for Solidity, EVM protocols, bug bounty programs, Code4rena, Sherlock, and HackenProof. Maps attack surfa...","description":"---\nname: DeFi Audit & Smart Contract Bounty Triage\nslug: atlas-bounty-triage\nversion: 1.0.4\ndescription: Smart contract audit and DeFi security triage skill for Solidity, EVM protocols, bug bounty programs, Code4rena, Sherlock, and HackenProof. Maps attack surface, prioritizes vulnerabilities, and generates a structured audit checklist/report.\nhomepage: https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\nchangelog: \"Conversion SEO v1.0.4: exact-match DeFi audit title, smart contract audit keywords, stronger star/download CTA, and paid ZIP funnel copy.\"\ntags:\n  - security\n  - audit\n  - smart-contract\n  - smart-contract-audit\n  - defi\n  - defi-audit\n  - solidity\n  - evm\n  - vulnerability-scanner\n  - bug-bounty\n  - code4rena\n  - sherlock\n  - hackenproof\n  - defi-security\n  - solidity-audit\n  - smart-contract-security\n  - defi-bounty\n  - audit-checklist\n  - latest\n  - atlas\nmetadata:\n  AtlasAgentSuite:\n    tier: free\n    use_cases:\n      - smart contract audit triage\n      - DeFi protocol audit checklist\n      - Solidity vulnerability review\n      - EVM security research\n      - bug bounty target prioritization\n    upsells:\n      - \"Atlas Starter/Pro ZIP Packs ($49/$150): https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\"\n      - \"Concierge Install: https://atlasagentsuite.com/concierge.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\"\n---\n\n# DeFi Audit & Smart Contract Bounty Triage\n\nA lightweight **smart contract audit** and **DeFi security triage** skill for Solidity/EVM protocols, bug bounty 
hunters, Code4rena wardens, Sherlock auditors, and HackenProof researchers.\n\nUse this when you need a fast first-pass review of a DeFi protocol or smart contract scope before committing hours to a manual audit.\n\n## Search Keywords / Best Use Cases\n\n- paid security skill pack\n- DeFi audit workflow\n- DeFi audit checklist\n- DeFi audit template\n- smart contract audit workflow\n- smart contract audit checklist\n- smart contract audit template\n- smart contract bounty triage\n- DeFi bounty triage\n- Solidity bug bounty workflow\n- Code4rena smart contract audit\n- Sherlock smart contract audit\n- HackenProof DeFi bounty\n- paid DeFi audit pack\n- Atlas bounty skill pack\n- Solidity audit template\n- bug bounty report template\n- Code4rena audit prep\n- Sherlock audit prep\n- HackenProof bounty workflow\n- smart contract audit\n- DeFi audit\n- DeFi security audit\n- Solidity audit\n- EVM audit\n- vulnerability scanner\n- smart contract vulnerability triage\n- bug bounty triage\n- Code4rena audit workflow\n- Sherlock audit workflow\n- access control review\n- oracle manipulation review\n- reentrancy checklist\n- upgradeable proxy review\n\n## When to Use\n\n- New smart contract audit target assigned\n- DeFi contest just opened and you need to prioritize files\n- Bug bounty scope includes Solidity/EVM contracts\n- You need a structured first-pass vulnerability checklist\n- You want to map attack surface before deep manual review\n\n## What It Produces\n\nA structured markdown audit triage report with:\n\n- Target overview\n- Protocol type and contract categories\n- Attack surface map\n- High-priority vulnerability classes\n- Contract-by-contract checklist\n- Recommended deep-dive order\n- Quick-win review items\n\n## Workflow\n\n### Phase 1: Smart Contract Scope Mapping\n\nFor each contract in scope:\n\n
1. Identify protocol type: lending, AMM, vault, staking, bridge, oracle, governance, NFT, account abstraction\n2. Identify external integrations: Chainlink, Uniswap, Curve, ERC20 tokens, bridges, routers, keepers\n3. Flag proxy/upgrade patterns: `EIP-1967` slots, `UUPS`, transparent proxy, beacon proxy, clones\n4. Identify privileged roles: owner, admin, guardian, pauser, timelock, operator\n5. Note novel or high-risk mechanisms: custom accounting, share pricing, liquidation math, rewards, TWAPs\n\n### Phase 2: DeFi Vulnerability Prioritization\n\nScore each vulnerability class by **likelihood × impact**, taking likelihood from the Phase 1 map (a class only scores if its enabling mechanism is present) and impact from the value reachable through it:\n\n```text\nHIGH PRIORITY\n- Reentrancy: external calls before state updates, plus any callback-capable token or hook\n- Access control: missing modifiers, wrong role assumptions, admin bypass\n- Oracle manipulation: stale price, TWAP manipulation, decimal mismatch, fallback oracle bugs\n- Accounting bugs: share price drift, rounding loss, fee math, collateral/debt mismatch\n- Liquidation bugs: bad health factor math, stale collateral values, griefable liquidation paths\n- Upgradeability bugs: unprotected initializer, storage collision, implementation takeover\n\nMEDIUM PRIORITY\n- Fee-on-transfer / rebasing token edge cases\n- ERC777 / callback-enabled token surprises\n- Sandwich / MEV-sensitive pricing\n- DoS via unbounded loops or griefable state\n- Signature replay / permit domain separator issues (missing nonce, deadline, or chain ID binding)\n\nLOW PRIORITY BUT CHECK\n- Input validation gaps\n- Event/reporting mismatch\n- Gas griefing\n- Minor precision loss without exploitable value extraction\n```\n\n### Phase 3: Contract-by-Contract Checklist\n\n```markdown\n## Contract: <Name>\n\n### External Calls / Reentrancy\n- [ ] State updated before every external call (checks-effects-interactions)?\n- [ ] Reentrancy guard on every entry point reachable from a callback, including cross-function and cross-contract paths?\n- [ ] ERC777 `tokensReceived`, ERC721 `onERC721Received`, and flash loan callbacks treated as reentrancy entry points?\n\n### Access Control\n- [ ] Every privileged function has the correct modifier (setters, sweeps, and upgrade hooks included)?\n- [ ] Timelock/owner/admin boundaries are clear?\n- [ ] Emergency functions cannot steal user funds?\n\n### Oracle / Pricing\n- [ ] Oracle freshness checked (staleness threshold on `updatedAt`, L2 sequencer uptime where relevant)?\n- [ ] Decimal normalization correct for every feed and token (feed decimals and token decimals are not fixed)?\n- [ ] Fallback oracle cannot be manipulated, or forced into use by making the primary revert?\n- [ ] TWAP window long enough for protocol value at risk?\n\n### Accounting\n- [ ] Shares/assets conversion rounds against the user in each direction, and the first-depositor share inflation attack is mitigated?\n- [ ] Fee calculations cannot drain or brick accounting?\n- [ ] Deposits/withdrawals preserve invariants?\n\n### Upgradeability\n- [ ] Initializers protected (`initializer` modifier; implementation constructor calls `_disableInitializers()`)?\n- [ ] Storage layout compatible across upgrades (no reordered or removed variables, no collision with proxy slots)?\n- [ ] Implementation cannot be hijacked (uninitialized implementation, `delegatecall` to attacker code; `selfdestruct` only removes code on chains without EIP-6780)?\n```\n\n
### Phase 4: Audit Triage Report\n\n```markdown\n# Smart Contract Audit Triage: <Target>\n\n## Target Overview\n- Protocol type:\n- Chain(s):\n- Contracts in scope:\n- Highest-value assets:\n\n## Attack Surface Summary\n- External integrations:\n- Oracle dependencies:\n- Upgrade pattern:\n- Privileged roles:\n\n## Top Vulnerability Classes to Review\n1. [HIGH] <class> — <why this target is exposed>\n2. [HIGH] <class> — <why this target is exposed>\n3. [MEDIUM] <class> — <why this target is exposed>\n\n## Recommended Deep-Dive Order\n1. <contract> — focus on <vulnerability class>\n2. <contract> — focus on <vulnerability class>\n3. <contract> — focus on <vulnerability class>\n\n## Quick Wins Checklist\n- [ ] Reentrancy review\n- [ ] Access control review\n- [ ] Oracle manipulation review\n- [ ] Upgradeability review\n- [ ] Accounting invariant review\n\n---\nGenerated by Atlas Smart Contract Audit & DeFi Bounty Triage.\nFull Atlas Agent Suite: https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\n```\n\n## Guardrails\n\nThis is a **triage and audit workflow**, not a guaranteed vulnerability finder. It helps prioritize manual review and produce better audit notes. Always verify candidate findings with a proof of concept (for example, a forge test against the in-scope code that demonstrates the loss or bypass) before submission.\n\n## Get the Full Atlas Agent Suite\n\nThe full Atlas Bounty Ops workflow includes:\n\n- Contest monitoring for Code4rena, Sherlock, HackenProof\n- Target scoring and prioritization\n- Daily vulnerability pattern promotion\n- Finding writeup templates\n- Scheduled research briefings\n- Revenue ops and marketing agents\n\n👉 https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\n\n## Star + Download CTA\n\nIf this free DeFi audit and bounty triage workflow helped, please **star it on ClawHub** and leave a short comment. Stars/comments help other wardens find it for `defi audit`, `smart contract audit`, and `bug bounty` searches.\n\nFor production-ready templates, use the Atlas paid ZIP packs: https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\n\n## Upgrade: Atlas Paid ZIP Packs ($49 / $150)\n\n
This free ClawHub skill is the discovery layer. If you want the ready-to-run premium workflow, Atlas has two small ZIP packages:\n\n- **Starter — $49:** prompt pack, triage checklist, markdown report templates, and setup guide.\n- **Pro — $150:** everything in Starter plus advanced DeFi modules, risk scoring rubric, bounty-readiness checklist, and reusable audit workspace template.\n\nGet the paid packs here: https://atlasagentsuite.com/skills.html?utm_source=clawhub&utm_medium=skill&utm_campaign=atlas-bounty-triage\n\nIf this free skill helped, please star/comment on ClawHub so other builders can find it.\n","tags":{"atlas":"1.0.4","bug-bounty":"1.0.4","code4rena":"1.0.4","defi-audit":"1.0.4","hackenproof":"1.0.4","latest":"1.0.4","sherlock":"1.0.4","smart-contract-audit":"1.0.4","solidity-audit":"1.0.4","audit":"1.0.1","defi":"1.0.1","evm":"1.0.1","security":"1.0.1","smart-contract":"1.0.1","solidity":"1.0.1","vulnerability-scanner":"1.0.1"},"stats":{"comments":0,"downloads":606,"installsAllTime":1,"installsCurrent":1,"stars":0,"versions":5},"createdAt":1777737660552,"updatedAt":1779030408272},"latestVersion":{"version":"1.0.4","createdAt":1779028577732,"changelog":"Conversion SEO v1.0.4: exact-match DeFi audit title, smart contract audit keywords, stronger star/download CTA, and paid ZIP funnel copy.","license":"MIT-0"},"metadata":{"setup":[],"os":null,"systems":null},"owner":{"handle":"n8gendegen","userId":"s178kk8n3h54fa7qzx3gsf72md85y3vm","displayName":"n8gendegen","image":"https://avatars.githubusercontent.com/u/264058056?v=4"},"moderation":null}