Solidity Audit Pre-Check Skill

Automated security pre-flight for Solidity contracts. Catches common vulnerabilities, validates OpenZeppelin usage, and surfaces gas inefficiencies — before you pay $20k+ for a manual audit.

When to Use

• Before submitting contracts to a paid auditor (Trail of Bits, Certik, Spearbit, etc.)
• After writing a new contract feature or major refactor
• During internal review of a PR that touches contract code
• When onboarding a new contract codebase to understand risk surface
• Pre-deployment to mainnet or any public testnet

When NOT to Use

• As a replacement for a manual audit. This is a pre-filter, not a security guarantee.
• For non-Solidity contracts (Rust/Anchor, Cairo, Stylus — use language-specific tools)
• For already-deployed and immutable contracts (nothing actionable)
• For frontend/UI code or off-chain scripts
• As a compliance certification — automated tools have known false negative rates

Toolchain Setup

Install required CLI tools:

# Slither — most complete static analyzer
pip install slither-analyzer

# Mythril — symbolic execution / SMT-based analysis
pip install mythril

# Foundry (forge, cast, anvil) — for testing and gas snapshots
curl -L https://foundry.paradigm.xyz | bash && foundryup

# Solhint — linter for style and security rules
npm install -g solhint

# Aderyn — Rust-based Solidity AST analyzer (fast)
cargo install aderyn

Verify:

slither --version
myth version
forge --version
solhint --version
aderyn --version

Pre-Check Workflow

Step 1 — Inventory the Codebase

# Count contracts, identify external deps
find . -name "*.sol" | head -50
cat foundry.toml   # or hardhat.config.ts
cat remappings.txt

# Identify entry points (deployed contracts vs libraries/interfaces)
grep -r "contract " src/ --include="*.sol" | grep -v "interface\|abstract\|library"

Key questions:

• How many contracts? How many are deployed vs inherited?
• What OpenZeppelin version? (lib/openzeppelin-contracts/package.json)
• External protocols used? (Uniswap, Aave, Chainlink, etc.)
• Upgradeability pattern? (UUPS, Transparent Proxy, Beacon, none)

Step 2 — Slither Static Analysis

# Full scan with all detectors
slither . --checklist --markdown-root .

# JSON output for structured review
slither . --json slither-output.json

# Print human-readable summary
slither . --print human-summary

# Filter by severity
slither . --filter-paths "lib/,node_modules/" --exclude-low

Severity levels:

Common high-severity detectors to watch:

• reentrancy-eth — reentrant Ether transfers
• unchecked-transfer — ERC20 transfer without return value check
• arbitrary-send-eth — unrestricted ETH send
• controlled-delegatecall — attacker-controlled delegatecall
• suicidal — selfdestruct reachable by anyone
• tx-origin — tx.origin used for auth

Step 3 — Mythril Symbolic Execution

# Analyze single contract (slower, deeper)
myth analyze contracts/MyContract.sol --solc-json mythril-config.json

# With timeout for large contracts
myth analyze contracts/MyContract.sol --execution-timeout 120 --max-depth 12

# Output as JSON
myth analyze contracts/MyContract.sol -o json

Mythril catches:

• Integer overflow/underflow (pre-0.8.x contracts)
• Reentrancy via symbolic paths
• Delegatecall to user-supplied addresses
• Unprotected selfdestruct
• Dependence on predictable values (block.timestamp, blockhash)

Step 4 — Aderyn AST Analysis

# Run from project root
aderyn .

# Output markdown report
aderyn . --output report.md

# Target specific directory
aderyn src/ --output aderyn-report.md

Aderyn is fast (sub-second on most codebases) and catches:

• Centralization risk (single owner controls)
• Missing events on state changes
• Unsafe ERC20 operations
• Weak access control patterns
• Incorrect inheritance order

Step 5 — Solhint Linting

# Init config
solhint --init

# Lint all contracts
solhint 'contracts/**/*.sol'

# Use security ruleset
solhint --config .solhint.json 'contracts/**/*.sol'

Recommended .solhint.json:

{
  "extends": "solhint:recommended",
  "rules": {
    "avoid-call-value": "error",
    "avoid-low-level-calls": "warn",
    "avoid-tx-origin": "error",
    "check-send-result": "error",
    "compiler-version": ["error", "^0.8.20"],
    "func-visibility": ["warn", {"ignoreConstructors": true}],
    "mark-callable-contracts": "error",
    "multiple-sends": "error",
    "no-complex-fallback": "error",
    "no-inline-assembly": "warn",
    "not-rely-on-block-hash": "error",
    "not-rely-on-time": "warn",
    "reentrancy": "error",
    "state-visibility": "error"
  }
}

Step 6 — OpenZeppelin Pattern Validation

Manual checklist — verify each applies:

# Check OZ version
cat lib/openzeppelin-contracts/package.json | grep '"version"'

# Find all inherited OZ contracts
grep -r "import.*openzeppelin" contracts/ --include="*.sol"

Access Control:

• Ownable2Step used instead of Ownable (prevents accidental ownership transfer)
• AccessControl roles defined with keccak256 constants, not inline strings
• DEFAULT_ADMIN_ROLE not held by an EOA in production (use multisig)
• renounceRole and revokeRole tested for edge cases

Tokens (ERC20/ERC721):

• SafeERC20.safeTransfer used for all external token transfers
• _safeMint used in ERC721 (not _mint)
• Callback hooks (onERC721Received) handled
• Reentrancy guard on any function that calls external contracts after state change

Upgradeability:

• Initializers called correctly (no constructor logic in upgradeable contracts)
• _disableInitializers() called in implementation constructor
• Storage gaps defined in all base contracts
• ERC-7201 namespaced storage used (OZ v5+)
• No storage collisions between proxy and implementation

Pausability:

• Pausable integrated with whenNotPaused on critical functions
• pause() protected by role (not public)
• Emergency unpause path defined and tested

Step 7 — Gas Optimization Audit

# Forge gas snapshot baseline
forge snapshot

# Gas report per function
forge test --gas-report

# Compare before/after optimization
forge snapshot --diff .gas-snapshot

Common gas optimizations to flag:

Custom error pattern (saves ~50 gas per revert):

// Bad
require(balance >= amount, "Insufficient balance");

// Good
error InsufficientBalance(uint256 balance, uint256 required);
if (balance < amount) revert InsufficientBalance(balance, amount);

Step 8 — SWC Registry Cross-Reference

Cross-check findings against SWC Registry:

Step 9 — Manual Review Checklist

Items automated tools miss — must be done by human:

Business Logic:

• Economic invariants hold (balances sum to total supply, etc.)
• State machine transitions are complete and non-overlapping
• Off-by-one errors in fee/slippage calculations
• Rounding direction favors protocol, not attacker (round down for user, up for protocol)
• Flash loan attack surface: any function callable within a single tx that can drain funds?

Access Control Logic:

• Every privileged function has a role check
• Role assignments tested for separation of duties
• Time locks on critical parameter changes (fee changes, oracle updates)

Oracle / Price Feed:

• Chainlink feeds: stale data check (updatedAt + heartbeat)
• Chainlink feeds: min/max circuit breakers handled
• TWAP used instead of spot price for large positions
• No single-source price oracle

Proxy Patterns:

• Proxy admin is a multisig, not an EOA
• Implementation cannot be initialized by attacker
• selfdestruct in implementation would brick proxy — is it present?

Step 10 — Pre-Audit Report Template

Generate a structured handoff document for the audit team:

# Pre-Audit Report: [Contract Name]
Date: YYYY-MM-DD
Audited by: [Team]
Commit: [git hash]

## Scope
- Contracts: [list]
- Out of scope: [list]
- Solidity version: [version]
- OZ version: [version]

## Automated Scan Results
### Slither
- High: [N] findings
- Medium: [N] findings
- [Link to slither-output.json]

### Mythril
- [N] issues found
- [Summary]

### Aderyn
- [N] issues found

## Known Issues (Won't Fix)
- [Issue]: [Rationale]

## Fixed Issues (Pre-Audit)
- [Issue]: [Fix applied, commit hash]

## Gas Baseline
- forge snapshot attached
- Estimated deployment cost: [N] ETH at [gwei] gwei

## Areas of Concern for Auditors
- [Specific complex logic to focus on]
- [External protocol integrations]
- [Novel patterns used]

## Test Coverage
forge coverage output:
[paste output]

Example: Full Pre-Check Run

#!/bin/bash
# precheck.sh — run from project root

echo "=== Solidity Audit Pre-Check ==="
echo "Date: $(date)"
echo "Commit: $(git rev-parse --short HEAD)"

mkdir -p audit-precheck

echo "\n[1/5] Slither..."
slither . --filter-paths "lib/,node_modules/" \
  --json audit-precheck/slither.json \
  --markdown-root . 2>&1 | tee audit-precheck/slither.log

echo "\n[2/5] Aderyn..."
aderyn . --output audit-precheck/aderyn.md

echo "\n[3/5] Solhint..."
solhint 'contracts/**/*.sol' > audit-precheck/solhint.log 2>&1

echo "\n[4/5] Forge gas snapshot..."
forge snapshot --snap audit-precheck/.gas-snapshot

echo "\n[5/5] Forge coverage..."
forge coverage --report lcov > audit-precheck/coverage.log 2>&1

echo "\nPre-check complete. Results in ./audit-precheck/"
echo "Run: cat audit-precheck/slither.log | grep 'Impact\|Result'"

Integration with Other Skills

• develop-secure-contracts — Use to integrate OpenZeppelin patterns that this skill validates
• upgrade-solidity-contracts — Pre-check upgradeable proxies before upgrade
• ethskills — General Ethereum dev context and deployment patterns
• erc20-tokenomics-builder — Pre-check token contracts built with this skill

Severity Thresholds for Deployment Go/No-Go

A clean pre-check (zero High/Critical, documented Mediums) typically reduces manual audit time by 30-50% and audit cost by 20-40%.