Solidity

Avoid common Solidity mistakes — reentrancy, gas traps, storage collisions, and security pitfalls.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Iván (@ivangdavila)
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Solidity security pitfalls) matches the SKILL.md content: reentrancy, gas, storage, upgrades, etc. The skill requests no binaries, env vars, or config paths that would be unrelated to its stated purpose.
Instruction Scope
SKILL.md contains static best-practice guidance and does not instruct the agent to read local files, access environment variables, call external endpoints, run commands, or transmit data. The instructions stay within the scope of providing security advice for Solidity.
Install Mechanism
No install spec and no code files are present. Because this is instruction-only, nothing is downloaded or written to disk at install time.
Credentials
The skill declares no required environment variables, credentials, or config paths. There are no requests for unrelated secrets or system access.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not request unusual persistent privileges or modifications to other skills or global agent settings.
Assessment
This skill is an offline, read-only collection of Solidity security tips and does not require credentials or install-time actions. It appears safe and coherent for use as a reference. Before relying on it for production security decisions, cross-check its recommendations against the latest Solidity docs and well-known sources (OpenZeppelin, ConsenSys, official Solidity changelogs), since language semantics and best practices can change between compiler versions.


Current version: v1.0.0 (latest)

Runtime requirements

Clawdis
OS: Linux · macOS · Windows

SKILL.md

Reentrancy

  • External calls before state updates — attacker can re-enter before state changes
  • Checks-Effects-Interactions pattern — validate, update state, THEN external call
  • ReentrancyGuard from OpenZeppelin — use nonReentrant modifier on vulnerable functions
  • transfer() and send() forward only a 2300 gas stipend — but don't rely on this for security

Integer Handling

  • Solidity 0.8+ reverts on overflow — but unchecked {} blocks bypass this
  • Division truncates toward zero — 5 / 2 = 2, no decimals
  • Use fixed-point math for precision — multiply before divide, or use libraries
  • type(uint256).max for max value — don't hardcode large numbers
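
The following contract is an added example (not from the skill) showing checked versus `unchecked` arithmetic and the multiply-before-divide rule with an assumed 18-decimal fixed-point scale; `FixedPointMath`, `WAD` and the function names are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

contract FixedPointMath {
    uint256 public constant WAD = 1e18; // assumed 18-decimal fixed-point scale

    // Division truncates toward zero (5 / 2 == 2). Dividing first throws away the
    // remainder: (7 / 3) * 1e18 == 2e18, while 7 * 1e18 / 3 == 2333333333333333333.
    function fractionBad(uint256 a, uint256 b) external pure returns (uint256) {
        return (a / b) * WAD;   // divide-then-multiply: precision lost
    }

    function fractionGood(uint256 a, uint256 b) external pure returns (uint256) {
        return (a * WAD) / b;   // multiply-then-divide: keeps 18 decimals
    }

    // Solidity 0.8+ reverts here when a + b would exceed type(uint256).max.
    function checkedAdd(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b;
    }

    // unchecked {} disables that check and silently wraps around; only use it
    // where the value is provably in range.
    function wrappingAdd(uint256 a, uint256 b) external pure returns (uint256 result) {
        unchecked { result = a + b; }
    }

    // Typical safe use of unchecked: the loop counter is bounded by the array
    // length, so ++i can never overflow, while the accumulation stays checked.
    function sum(uint256[] calldata xs) external pure returns (uint256 total) {
        uint256 len = xs.length;
        for (uint256 i = 0; i < len; ) {
            total += xs[i];            // still checked: an overflow here is a real bug
            unchecked { ++i; }
        }
    }

    // Never hardcode a 78-digit literal for "max"; type(uint256).max is exact.
    function maxValue() external pure returns (uint256) {
        return type(uint256).max;
    }
}
```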

Gas Gotchas

  • Unbounded loops can exceed block gas limit — paginate or limit iterations
  • Storage writes cost 20k gas — memory/calldata much cheaper
  • delete refunds gas but has limits — refund capped, don't rely on it
  • Reading storage in loop — cache in memory variable first
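
As an added example of the loop and storage-caching points above (not part of the skill), the contract below contrasts an unbounded loop that reads and writes storage every iteration with a paginated version that caches the length and accumulates in memory. The contract and function names (`GasPatterns`, `sumAll`, `sumRange`) are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

contract GasPatterns {
    address[] public holders;
    mapping(address => uint256) public balances;
    uint256 public total;

    function addHolder(address who, uint256 bal) external {
        holders.push(who);
        balances[who] = bal;
    }

    // Gas trap: holders.length is loaded from storage on every iteration, `total`
    // is written to storage on every iteration, and the loop grows without bound
    // as holders are added, so eventually no block can fit this call.
    function sumAll() external {
        total = 0;
        for (uint256 i = 0; i < holders.length; i++) {
            total += balances[holders[i]];
        }
    }

    // Paginated: the caller processes [start, start + count) and spreads the work
    // over several transactions; the length is read once and `total` written once.
    function sumRange(uint256 start, uint256 count) external returns (uint256 next) {
        uint256 len = holders.length;             // cache the length in memory
        uint256 end = start + count;
        if (end > len) end = len;
        uint256 running = start == 0 ? 0 : total; // one SLOAD; a new pass resets
        for (uint256 i = start; i < end; ) {
            running += balances[holders[i]];
            unchecked { ++i; }
        }
        total = running;                          // one SSTORE at the end
        return end;                               // pass back as `start` next time
    }
}
```

A caller keeps invoking `sumRange(next, count)` until `next` equals `holders.length`; each transaction stays under the block gas limit regardless of how many holders accumulate.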

Visibility and Access

  • State variables default to internal — not private, derived contracts see them
  • private doesn't mean hidden — all blockchain data is public, just not accessible from other contracts
  • tx.origin is original sender — use msg.sender, tx.origin enables phishing attacks
  • external can't be called internally — use public or this.func() (wastes gas)

Ether Handling

  • payable required to receive ether — non-payable functions reject ether
  • selfdestruct sends ether bypassing fallback — contract can receive ether without receive function
  • Check return value of send() — returns false on failure, doesn't revert
  • call{value: x}("") preferred over transfer() — forward all gas, check return value
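
The wallet below is an added example (not from the skill) that covers both the "Visibility and Access" and "Ether Handling" lists: `msg.sender` versus `tx.origin` in an owner check, `external` versus `public` reachability, a `receive()` function, and `send()` versus `call{value:}` with their return values checked. The contract and function names are invented for the illustration and Solidity ^0.8.20 is assumed.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

contract Wallet {
    address public owner;
    uint256 internal nonce;   // internal (the default): derived contracts can access it

    event Received(address indexed from, uint256 amount);

    constructor() { owner = msg.sender; }

    // Weak: tx.origin is the EOA that started the transaction. If the owner is lured
    // into calling some intermediary contract, that contract can call this wallet
    // and still pass the check.
    modifier onlyOwnerWeak() {
        require(tx.origin == owner, "not owner");
        _;
    }

    // Correct: msg.sender is the immediate caller, which an intermediary cannot spoof.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Without a payable receive()/fallback(), plain ETH transfers revert. A
    // selfdestruct elsewhere can still force-send ETH, so never assume
    // address(this).balance equals any internally tracked sum.
    receive() external payable {
        emit Received(msg.sender, msg.value);
    }

    // send() returns false on failure instead of reverting; an unchecked result
    // silently loses the payment.
    function paySend(address payable to, uint256 amount) external onlyOwner {
        bool ok = to.send(amount);
        require(ok, "send failed");
    }

    // Preferred: call forwards all remaining gas (receivers needing more than the
    // 2300 stipend still work) and the return value is checked. Update state
    // before the call (CEI) or add a reentrancy guard.
    function payCall(address payable to, uint256 amount) external onlyOwner {
        nonce++;                                    // effect first
        (bool ok, ) = to.call{value: amount}("");   // interaction last
        require(ok, "call failed");
    }

    // external: only reachable through a message call ...
    function bump() external { nonce++; }

    // ... so from inside the contract it must be this.bump(), which costs an external
    // call and makes msg.sender == address(this) in the callee, so an onlyOwner
    // check on bump() would fail.
    function bumpViaSelf() external onlyOwner {
        this.bump();
    }

    // public: callable both internally (cheap jump) and externally.
    function bumpPublic() public { nonce++; }
    function bumpTwice() external onlyOwner { bumpPublic(); bumpPublic(); }
}
```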

Storage vs Memory

  • storage persists, memory is temporary — storage costs gas, memory doesn't persist
  • Struct/array parameters default to memory — use an explicit storage pointer to modify state
  • calldata for external function inputs — read-only, cheaper than memory
  • Storage layout matters for upgrades — never reorder or remove storage variables
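
The contract below is an added example (not from the skill) of the memory-copy versus storage-pointer pitfall and of `calldata` inputs; the names `StorageVsMemory`, `Account`, `freezeBroken` and `freeze` are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

contract StorageVsMemory {
    struct Account { uint256 balance; bool frozen; }
    mapping(uint256 => Account) internal accounts;

    function credit(uint256 id, uint256 amount) external {
        accounts[id].balance += amount;
    }

    function isFrozen(uint256 id) external view returns (bool) {
        return accounts[id].frozen;
    }

    // Bug: `memory` copies the struct; the write lands on the copy and is discarded
    // when the function returns, so isFrozen(id) stays false.
    function freezeBroken(uint256 id) external {
        Account memory acct = accounts[id];
        acct.frozen = true;
    }

    // Fix: a `storage` reference aliases the mapping entry, so the write persists.
    function freeze(uint256 id) external {
        Account storage acct = accounts[id];
        acct.frozen = true;
    }

    // calldata: a read-only view of the external input with no copy into memory,
    // which is cheaper than `memory` for arrays the function only reads.
    function totalBalance(uint256[] calldata ids) external view returns (uint256 sum) {
        uint256 len = ids.length;
        for (uint256 i = 0; i < len; ) {
            sum += accounts[ids[i]].balance;
            unchecked { ++i; }
        }
    }
}
```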

Upgradeable Contracts

  • Constructors don't run in proxies — use initialize() with initializer modifier
  • Storage collision between proxy and impl — use EIP-1967 storage slots
  • Never selfdestruct implementation — breaks all proxies pointing to it
  • delegatecall uses caller's storage — impl contract storage layout must match proxy
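
To make the proxy points concrete, here is an added example (not the skill's code and not OpenZeppelin's implementation) of a minimal EIP-1967 proxy with an initializer-based implementation and an append-only V2 layout. The EIP-1967 implementation slot constant is the standard value `keccak256("eip1967.proxy.implementation") - 1`; the contract names `Proxy`, `CounterV1`, `CounterV2` and their functions are invented for the illustration, and Solidity ^0.8.20 is assumed.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

// Minimal EIP-1967 proxy: the implementation address lives in a fixed, hashed slot
// so that no implementation's sequential storage layout can collide with it.
contract Proxy {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address impl) {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }

    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            // delegatecall runs impl's code against THIS contract's storage
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// V1: a constructor would run against the implementation's own storage, never the
// proxy's, so setup goes in initialize(), called once through the proxy.
contract CounterV1 {
    uint256 public count;        // slot 0
    address public owner;        // slot 1
    bool private _initialized;   // slot 2

    function initialize(address owner_) external {
        require(!_initialized, "already initialized"); // initializer guard
        _initialized = true;
        owner = owner_;
    }

    function increment() external { count++; }
}

// V2 only appends new variables. Reordering or removing count/owner/_initialized
// would make V2 read V1's data under the wrong names, because the proxy's storage
// is what both versions operate on.
contract CounterV2 {
    uint256 public count;        // slot 0, unchanged
    address public owner;        // slot 1, unchanged
    bool private _initialized;   // slot 2, unchanged
    uint256 public step;         // slot 3, new

    function initializeV2(uint256 step_) external {
        require(msg.sender == owner, "not owner");
        step = step_;
    }

    function increment() external { count += step == 0 ? 1 : step; }
}
```

Deployment order under these assumptions: deploy `CounterV1`, deploy `Proxy(address(v1))`, then call `initialize(owner)` on the proxy address so the owner is written into the proxy's slot 1. This sketch omits an upgrade function and admin slot; a production proxy needs both, and the implementation contracts must never `selfdestruct`.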

Common Mistakes

  • Block timestamp can be manipulated slightly — don't use for randomness or precise timing
  • require for user errors, assert for invariants — assert failures indicate bugs
  • String comparison with == doesn't work — use keccak256(abi.encodePacked(a)) == keccak256(abi.encodePacked(b))
  • Event parameters are not indexed by default — up to 3 can be marked indexed for efficient filtering
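
The final list is illustrated by the added contract below (not from the skill): hash-based string comparison, `require` for input validation versus `assert` for an invariant, an event with indexed parameters, and `block.timestamp` used only for a coarse deadline. `CommonMistakes` and its members are invented names and Solidity ^0.8.20 is assumed.

```solidity
// SPDX-License-Identifier: MIT-0
pragma solidity ^0.8.20;

contract CommonMistakes {
    // Indexed parameters become log topics that clients can filter on without
    // scanning every event; at most three may be indexed.
    event Transfer(address indexed from, address indexed to, uint256 amount);

    mapping(address => uint256) public balances;
    uint256 public totalSupply;
    uint256 public immutable deadline;

    constructor(uint256 supply) {
        balances[msg.sender] = supply;
        totalSupply = supply;
        // Coarse deadline (days), tolerant of the small timestamp drift a block
        // producer controls; do not derive randomness or second-precise logic from it.
        deadline = block.timestamp + 7 days;
    }

    // Strings are dynamic byte arrays and == is not defined on them; compare hashes.
    function sameString(string memory a, string memory b) public pure returns (bool) {
        return keccak256(abi.encodePacked(a)) == keccak256(abi.encodePacked(b));
    }

    function transfer(address to, uint256 amount) external {
        // require: validates caller input; failing here is an expected user error.
        require(to != address(0), "zero address");
        require(balances[msg.sender] >= amount, "insufficient balance");

        balances[msg.sender] -= amount;
        balances[to] += amount;

        // assert: an invariant that holds whenever the code is correct; a failure
        // here means a bug in the contract, not bad input.
        assert(balances[msg.sender] + balances[to] <= totalSupply);

        emit Transfer(msg.sender, to, amount);
    }

    function claimOpen() external view returns (bool) {
        return block.timestamp <= deadline;
    }
}
```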
