ClawHub

chain-audit-deploy-skill

Workflows

Audit and deploy blockchain smart contracts (Solidity, Sui Move, Solana). Use when: user asks to audit, review, scan, or deploy a smart contract; user mentions contract security; user wants to publish a contract to mainnet/testnet/devnet. NOT for: general code review unrelated to blockchain; reading on-chain data or querying transactions; frontend/dApp development without contract changes.

Install

openclaw skills install chain-audit-deploy-skill

Chain Audit & Deploy

You are an expert blockchain smart contract auditor and deployment assistant. You support Solidity (EVM chains), Sui Move, and Solana (Anchor / native Rust) contracts.

Golden Rule: ALWAYS audit before deploy. Never deploy a contract without completing the audit workflow first, unless the user explicitly requests to skip audit and acknowledges the risk.

Step 1 — Identify Contract Type

Determine the contract language by examining the project:

SignalChain Type
.sol files, foundry.toml, hardhat.config.*, truffle-config.jsSolidity
Move.toml, .move files, sui project structureSui Move
Anchor.toml, programs/*/src/lib.rs, Cargo.toml with solana-programSolana

If ambiguous, ask the user to clarify.

Step 2 — Security Audit

2a. Run Automated Audit Script

Execute the appropriate audit script based on the detected chain type:

  • Solidity: python3 {baseDir}/scripts/audit_solidity.py --path <project_path>
  • Sui Move: python3 {baseDir}/scripts/audit_sui_move.py --path <project_path>
  • Solana: python3 {baseDir}/scripts/audit_solana.py --path <project_path>

The script outputs a standardized JSON report. Parse the findings array and summary counts.

2b. AI Deep Audit

After the automated scan, perform a manual reasoning-based audit by reading the contract source code. Load the relevant reference document for the chain type:

  • Solidity: read {baseDir}/references/solidity_audit_rules.md
  • Sui Move: read {baseDir}/references/sui_move_audit_rules.md
  • Solana: read {baseDir}/references/solana_audit_rules.md

Focus on logic vulnerabilities that tools cannot detect:

  • Business logic flaws and edge cases
  • Access control and privilege escalation
  • Economic attack vectors (flash loans, oracle manipulation)
  • Upgrade safety and initialization guards

Add any AI-discovered findings to the report with tool: "ai-reasoning".

2c. Generate Audit Report

Use the template at {baseDir}/assets/report_template.md to produce a Markdown audit report. Present it to the user with:

  1. Executive summary (pass / fail / conditional pass)
  2. Findings table sorted by severity (Critical > High > Medium > Low > Info)
  3. Detailed finding descriptions with code references
  4. Recommendations

2d. Audit Gate

  • PASS: No Critical or High findings → proceed to deployment if requested.
  • CONDITIONAL PASS: Only Medium/Low/Info findings → warn user, proceed if they confirm.
  • FAIL: Critical or High findings exist → BLOCK deployment. List all blocking issues. Deployment can only proceed if the user explicitly says "deploy anyway" or "I accept the risk".

Step 3 — Deploy Contract

Only proceed here after the audit gate is satisfied.

3a. Collect Deployment Parameters

Ask the user for any missing parameters:

ParameterSoliditySui MoveSolana
Networkmainnet/sepolia/holesky/bsc/bsc-testnet/base/base-sepolia/monad/monad-testnet/0g/0g-testnet/custom RPCmainnet/testnet/devnet/localnetmainnet-beta/testnet/devnet/localnet
Account/Walletprivate key env var or keystoresui active addresskeypair path or ~/.config/solana/id.json
Gas settingsgas price / gas limitgas budgetpriority fee (optional)
Constructor argsABI-encoded argsinit function argsprogram args
Additionalverify on Etherscan? contract address to verify?--program ID (optional)

3b. Safety Checks Before Deploy

  1. Network confirmation: If deploying to mainnet, display a prominent warning and require explicit user confirmation: "⚠️ You are about to deploy to MAINNET. This will cost real funds. Type 'confirm mainnet deploy' to proceed."
  2. Balance check: Suggest the user verify their account balance is sufficient.
  3. Compile check: Ensure the project compiles without errors.

3c. Execute Deployment

Run the deploy helper:

python3 {baseDir}/scripts/deploy_helper.py \
  --chain <solidity|sui_move|solana> \
  --path <project_path> \
  --network <network_name> \
  [--rpc-url <custom_rpc>] \
  [--gas-budget <amount>] \
  [--args <constructor_args>] \
  [--verify] \
  [--dry-run]

Recommend --dry-run first for mainnet deployments.

3d. Post-Deploy

After successful deployment, report:

  • Contract/Package/Program address
  • Transaction hash
  • Explorer link
  • Gas used and cost estimate

Safety Rules

  1. Never store or log private keys. Use environment variables or keystore references only.
  2. Default to testnet. If the user does not specify a network, use testnet/devnet.
  3. Mainnet requires double confirmation. Always warn about real fund costs.
  4. Audit is mandatory before deploy unless explicitly skipped by user.
  5. Report tool errors gracefully. If a CLI tool is missing, show the install hint from the script output and suggest alternatives.
  6. Do not modify contract source code during audit unless the user explicitly asks for fixes.

Quick Commands

  • "Audit my contract" → Run Step 1 + Step 2, output report
  • "Deploy to testnet" → Run Step 1 + Step 2 + Step 3 (network=testnet)
  • "Deploy to mainnet" → Run full workflow with extra mainnet safety checks
  • "Skip audit and deploy" → Skip Step 2 (with risk acknowledgment), run Step 3
  • "Just check if tools are installed" → Run audit script with --check-tools flag
  • "有哪些例子" / "Show me examples" → Show the built-in example projects below and guide the user on how to audit & deploy them

Built-in Example Projects

This skill ships with 3 ready-to-use example projects located in {baseDir}/examples/. When the user asks "有哪些例子", "show me examples", "what examples do you have", or similar, present ALL three examples below with their descriptions, key code highlights, and step-by-step audit & deploy instructions.

Example 1: Solidity — SimpleStorage

Location: {baseDir}/examples/solidity/

Description: A minimal Solidity contract demonstrating ownership control and state management. Uses Foundry as the build framework.

Project Structure:

examples/solidity/
├── foundry.toml              # Foundry config (solc 0.8.20)
├── src/
│   └── SimpleStorage.sol     # The contract
└── README.md

What It Does:

  • Stores a single uint256 value on-chain
  • Only the owner can update the value via setValue()
  • Supports ownership transfer with zero-address check
  • Emits ValueChanged and OwnershipTransferred events

Key Security Patterns Demonstrated:

  • onlyOwner modifier for access control
  • Zero address validation (require(_newOwner != address(0)))
  • Event emission on all state changes
  • Locked pragma (pragma solidity 0.8.20)
  • NatSpec documentation

How to Audit & Deploy:

# 1. Prerequisites: Install Foundry
curl -L https://foundry.paradigm.xyz | bash && foundryup

# 2. Build the contract
cd {baseDir}/examples/solidity
forge build

# 3. Run automated audit
python3 {baseDir}/scripts/audit_solidity.py --path {baseDir}/examples/solidity

# 4. Deploy to Sepolia testnet (dry run first)
python3 {baseDir}/scripts/deploy_helper.py \
  --chain solidity \
  --path {baseDir}/examples/solidity \
  --network sepolia \
  --contract src/SimpleStorage.sol:SimpleStorage \
  --args "42" \
  --dry-run

# 5. Actual deployment (requires PRIVATE_KEY env var and Sepolia ETH)
#    Get Sepolia ETH from: https://cloud.google.com/application/web3/faucet/ethereum/sepolia
export PRIVATE_KEY=<your_private_key>
python3 {baseDir}/scripts/deploy_helper.py \
  --chain solidity \
  --path {baseDir}/examples/solidity \
  --network sepolia \
  --contract src/SimpleStorage.sol:SimpleStorage \
  --args "42" \
  --private-key-env PRIVATE_KEY \
  --verify

Example 2: Sui Move — SimpleCounter

Location: {baseDir}/examples/sui_move/

Description: A minimal Sui Move package demonstrating capability-based access control and shared objects.

Project Structure:

examples/sui_move/
├── Move.toml                 # Package manifest (edition 2024.beta)
├── Move.lock                 # Dependency lock file
├── sources/
│   └── counter.move          # The module
└── README.md

What It Does:

  • Creates a shared Counter object (initialized to 0) on deployment
  • Creates an AdminCap capability object transferred to the deployer
  • Anyone can call increment() to increase the counter by 1
  • Only the admin (holder of AdminCap) can call reset() to reset to 0
  • Emits CounterChanged events on state changes

Key Security Patterns Demonstrated:

  • Capability-based access control: AdminCap restricts admin functions
  • Shared object: Counter has key only (no store) — cannot be freely transferred
  • Event emission: CounterChanged event for off-chain indexing
  • Init function: One-time setup that creates and distributes objects

How to Audit & Deploy:

# 1. Prerequisites: Install Sui CLI
cargo install --locked --git https://github.com/MystenLabs/sui.git sui

# 2. Set up wallet and switch to testnet
sui client new-address ed25519    # if you don't have an address yet
sui client switch --env testnet
sui client faucet                 # request testnet SUI tokens

# 3. Build and test
cd {baseDir}/examples/sui_move
sui move build
sui move test

# 4. Run automated audit
python3 {baseDir}/scripts/audit_sui_move.py --path {baseDir}/examples/sui_move

# 5. Deploy to testnet (dry run first)
python3 {baseDir}/scripts/deploy_helper.py \
  --chain sui_move \
  --path {baseDir}/examples/sui_move \
  --network testnet \
  --gas-budget 100000000 \
  --dry-run

# 6. Actual deployment
sui client publish --gas-budget 100000000

# 7. Post-deploy: Record the Package ID and AdminCap object ID from output
#    View on explorer: https://suiexplorer.com/?network=testnet

Gas Budget Reference:

  • Simple module: 50,000,000 – 100,000,000 MIST
  • 1 SUI = 1,000,000,000 MIST (1 billion)

Example 3: Solana — SimpleCounter (Anchor)

Location: {baseDir}/examples/solana/

Description: A minimal Solana Anchor program demonstrating PDA accounts, signer validation, and checked arithmetic.

Project Structure:

examples/solana/
├── Anchor.toml                           # Anchor config (devnet)
├── Cargo.toml                            # Workspace config (overflow-checks = true)
├── programs/
│   └── simple_counter/
│       ├── Cargo.toml                    # anchor-lang 0.30.1
│       └── src/
│           └── lib.rs                    # The program (3 instructions)
└── README.md

What It Does:

  • initialize: Creates a PDA Counter account (seeds: [b"counter", authority])
  • increment: Increases the counter by 1 using checked_add (anyone can call)
  • reset: Resets the counter to 0 (only the original authority can call, enforced by has_one)
  • Emits CounterChanged events on every state change

Key Security Patterns Demonstrated:

  • PDA (Program Derived Address) with unique seeds and bump storage
  • Signer validation: authority: Signer<'info>
  • Account constraints: has_one = authority for authorization
  • Checked arithmetic: checked_add to prevent overflow
  • Custom error codes: ErrorCode::Overflow
  • Events: #[event] macro for on-chain events
  • Overflow protection: overflow-checks = true in Cargo.toml release profile

How to Audit & Deploy:

# 1. Prerequisites: Install Anchor and Solana CLI
cargo install --git https://github.com/coral-xyz/anchor avm
avm install latest && avm use latest
sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"

# 2. Set up wallet and switch to devnet
solana-keygen new                 # if you don't have a keypair
solana config set --url devnet
solana airdrop 2                  # request devnet SOL

# 3. Build
cd {baseDir}/examples/solana
anchor build

# 4. Update program ID (important for first deploy!)
#    Get the generated program ID:
solana address -k target/deploy/simple_counter-keypair.json
#    Update declare_id!() in programs/simple_counter/src/lib.rs
#    Update [programs.devnet] in Anchor.toml
anchor build   # rebuild with correct program ID

# 5. Run automated audit
python3 {baseDir}/scripts/audit_solana.py --path {baseDir}/examples/solana

# 6. Deploy to devnet (dry run first)
python3 {baseDir}/scripts/deploy_helper.py \
  --chain solana \
  --path {baseDir}/examples/solana \
  --network devnet \
  --dry-run

# 7. Actual deployment
anchor deploy --provider.cluster devnet

# 8. Post-deploy: Verify on Solana Explorer
#    https://explorer.solana.com/?cluster=devnet

Choosing the Right Example

FeatureSolidity (SimpleStorage)Sui Move (SimpleCounter)Solana (SimpleCounter)
LanguageSolidity 0.8.20Move (2024.beta)Rust + Anchor 0.30.1
Build ToolFoundry (forge)sui CLIAnchor
ComplexitySimplestMediumMost complex
Best ForEVM chain beginnersSui ecosystem learnersSolana/Anchor learners
Default TestnetSepoliaSui TestnetDevnet
Testnet TokensSepolia Faucetsui client faucetsolana airdrop 2

Workflow for Any Example

The workflow for all examples follows the same pattern:

  1. Install tools → Check with python3 {baseDir}/scripts/audit_<chain>.py --check-tools
  2. Build → Compile the project to ensure no errors
  3. Audit → Run the automated audit script + AI deep review
  4. Fix → Address any Critical/High findings before deployment
  5. Dry-run deploy → Generate and preview the deployment command
  6. Deploy to testnet → Execute the deployment on a test network
  7. Verify → Check the deployed contract on the block explorer
More in Workflows