Solidity Audit Pre-Check Skill

Automated security pre-flight for Solidity contracts. Catches common vulnerabilities, validates OpenZeppelin usage, and surfaces gas inefficiencies — before you pay $20k+ for a manual audit.

When to Use

• Before submitting contracts to a paid auditor (Trail of Bits, Certik, Spearbit, etc.)
• After writing a new contract feature or major refactor
• During internal review of a PR that touches contract code
• When onboarding a new contract codebase to understand risk surface
• Pre-deployment to mainnet or any public testnet

When NOT to Use

• As a replacement for a manual audit. This is a pre-filter, not a security guarantee.
• For non-Solidity contracts (Rust/Anchor, Cairo, Stylus — use language-specific tools)
• For already-deployed and immutable contracts (nothing actionable)
• For frontend/UI code or off-chain scripts
• As a compliance certification — automated tools have known false negative rates

---

Toolchain Setup

Install required CLI tools:

# Slither — most complete static analyzer
pip install slither-analyzer

# Mythril — symbolic execution / SMT-based analysis
pip install mythril

# Foundry (forge, cast, anvil) — for testing and gas snapshots
curl -L https://foundry.paradigm.xyz | bash && foundryup

# Solhint — linter for style and security rules
npm install -g solhint

# Aderyn — Rust-based Solidity AST analyzer (fast)
cargo install aderyn

Verify:

slither --version
myth version
forge --version
solhint --version
aderyn --version

---

Pre-Check Workflow

Step 1 — Inventory the Codebase

# Count contracts, identify external deps
find . -name "*.sol" | head -50
cat foundry.toml   # or hardhat.config.ts
cat remappings.txt

# Identify entry points (deployed contracts vs libraries/interfaces)
grep -r "contract " src/ --include="*.sol" | grep -v "interface\|abstract\|library"

Key questions:

• How many contracts? How many are deployed vs inherited?
• What OpenZeppelin version? (lib/openzeppelin-contracts/package.json)
• External protocols used? (Uniswap, Aave, Chainlink, etc.)
• Upgradeability pattern? (UUPS, Transparent Proxy, Beacon, none)

---

Step 2 — Slither Static Analysis

# Full scan with all detectors
slither . --checklist --markdown-root .

# JSON output for structured review
slither . --json slither-output.json

# Print human-readable summary
slither . --print human-summary

# Filter by severity
slither . --filter-paths "lib/,node_modules/" --exclude-low

Severity levels:

Level	Action
High	Block deployment — fix before audit
Medium	Must address — provide justification if not fixed
Low	Fix or document rationale
Informational	Style/gas — address in optimization pass

Common high-severity detectors to watch:

• reentrancy-eth — reentrant Ether transfers
• unchecked-transfer — ERC20 transfer without return value check
• arbitrary-send-eth — unrestricted ETH send
• controlled-delegatecall — attacker-controlled delegatecall
• suicidal — selfdestruct reachable by anyone
• tx-origin — tx.origin used for auth

---

Step 3 — Mythril Symbolic Execution

# Analyze single contract (slower, deeper)
myth analyze contracts/MyContract.sol --solc-json mythril-config.json

# With timeout for large contracts
myth analyze contracts/MyContract.sol --execution-timeout 120 --max-depth 12

# Output as JSON
myth analyze contracts/MyContract.sol -o json

Mythril catches:

• Integer overflow/underflow (pre-0.8.x contracts)
• Reentrancy via symbolic paths
• Delegatecall to user-supplied addresses
• Unprotected selfdestruct
• Dependence on predictable values (block.timestamp, blockhash)

---

Step 4 — Aderyn AST Analysis

# Run from project root
aderyn .

# Output markdown report
aderyn . --output report.md

# Target specific directory
aderyn src/ --output aderyn-report.md

Aderyn is fast (sub-second on most codebases) and catches:

• Centralization risk (single owner controls)
• Missing events on state changes
• Unsafe ERC20 operations
• Weak access control patterns
• Incorrect inheritance order

---

Step 5 — Solhint Linting

# Init config
solhint --init

# Lint all contracts
solhint 'contracts/**/*.sol'

# Use security ruleset
solhint --config .solhint.json 'contracts/**/*.sol'

Recommended .solhint.json:

{
  "extends": "solhint:recommended",
  "rules": {
    "avoid-call-value": "error",
    "avoid-low-level-calls": "warn",
    "avoid-tx-origin": "error",
    "check-send-result": "error",
    "compiler-version": ["error", "^0.8.20"],
    "func-visibility": ["warn", {"ignoreConstructors": true}],
    "mark-callable-contracts": "error",
    "multiple-sends": "error",
    "no-complex-fallback": "error",
    "no-inline-assembly": "warn",
    "not-rely-on-block-hash": "error",
    "not-rely-on-time": "warn",
    "reentrancy": "error",
    "state-visibility": "error"
  }
}

---

Step 6 — OpenZeppelin Pattern Validation

Manual checklist — verify each applies:

# Check OZ version
cat lib/openzeppelin-contracts/package.json | grep '"version"'

# Find all inherited OZ contracts
grep -r "import.*openzeppelin" contracts/ --include="*.sol"

Access Control:

• Ownable2Step used instead of Ownable (prevents accidental ownership transfer)
• AccessControl roles defined with keccak256 constants, not inline strings
• DEFAULT_ADMIN_ROLE not held by an EOA in production (use multisig)
• renounceRole and revokeRole tested for edge cases

Tokens (ERC20/ERC721):

• SafeERC20.safeTransfer used for all external token transfers
• _safeMint used in ERC721 (not _mint)
• Callback hooks (onERC721Received) handled
• Reentrancy guard on any function that calls external contracts after state change

Upgradeability:

• Initializers called correctly (no constructor logic in upgradeable contracts)
• _disableInitializers() called in implementation constructor
• Storage gaps defined in all base contracts
• ERC-7201 namespaced storage used (OZ v5+)
• No storage collisions between proxy and implementation

Pausability:

• Pausable integrated with whenNotPaused on critical functions
• pause() protected by role (not public)
• Emergency unpause path defined and tested

---

Step 7 — Gas Optimization Audit

# Forge gas snapshot baseline
forge snapshot

# Gas report per function
forge test --gas-report

# Compare before/after optimization
forge snapshot --diff .gas-snapshot

Common gas optimizations to flag:

Pattern	Issue	Fix
uint256 i = 0 in loop	Wastes gas	uint256 i (zero default)
storage variable read in loop	SLOAD per iteration	Cache in memory first
require(condition, "long string")	String costs gas	Use custom errors
Multiple mappings vs struct	Extra SLOADs	Pack into struct
public on internal functions	Extra ABI overhead	internal or private
Unbounded loops	DoS risk + gas	Add maxIterations param
transfer() / send()	2300 gas limit	Use call{value: x}("")

Custom error pattern (saves ~50 gas per revert):

// Bad
require(balance >= amount, "Insufficient balance");

// Good
error InsufficientBalance(uint256 balance, uint256 required);
if (balance < amount) revert InsufficientBalance(balance, amount);

---

Step 8 — SWC Registry Cross-Reference

Cross-check findings against SWC Registry:

SWC	Name	Slither Detector	Severity
SWC-100	Function Default Visibility	suicidal, controlled-selfdestruct	High
SWC-101	Integer Overflow/Underflow	integer-overflow	High (pre-0.8.x)
SWC-104	Unchecked Call Return Value	unchecked-transfer	High
SWC-105	Unprotected Ether Withdrawal	arbitrary-send-eth	High
SWC-106	Unprotected SELFDESTRUCT	suicidal	High
SWC-107	Reentrancy	reentrancy-eth, reentrancy-no-eth	High/Med
SWC-111	Use of Deprecated Functions	deprecated-standards	Med
SWC-112	Delegate Call to Untrusted Callee	controlled-delegatecall	High
SWC-115	Authorization via tx.origin	tx-origin	High
SWC-116	Block values as time proxy	weak-prng, block-timestamp	Low/Med
SWC-120	Weak Sources of Randomness	weak-prng	High
SWC-128	DoS With Block Gas Limit	costly-loop	Med

---

Step 9 — Manual Review Checklist

Items automated tools miss — must be done by human:

Business Logic:

• Economic invariants hold (balances sum to total supply, etc.)
• State machine transitions are complete and non-overlapping
• Off-by-one errors in fee/slippage calculations
• Rounding direction favors protocol, not attacker (round down for user, up for protocol)
• Flash loan attack surface: any function callable within a single tx that can drain funds?

Access Control Logic:

• Every privileged function has a role check
• Role assignments tested for separation of duties
• Time locks on critical parameter changes (fee changes, oracle updates)

Oracle / Price Feed:

• Chainlink feeds: stale data check (updatedAt + heartbeat)
• Chainlink feeds: min/max circuit breakers handled
• TWAP used instead of spot price for large positions
• No single-source price oracle

Proxy Patterns:

• Proxy admin is a multisig, not an EOA
• Implementation cannot be initialized by attacker
• selfdestruct in implementation would brick proxy — is it present?

---

Step 10 — Pre-Audit Report Template

Generate a structured handoff document for the audit team:

# Pre-Audit Report: [Contract Name]
Date: YYYY-MM-DD
Audited by: [Team]
Commit: [git hash]

## Scope
- Contracts: [list]
- Out of scope: [list]
- Solidity version: [version]
- OZ version: [version]

## Automated Scan Results
### Slither
- High: [N] findings
- Medium: [N] findings
- [Link to slither-output.json]

### Mythril
- [N] issues found
- [Summary]

### Aderyn
- [N] issues found

## Known Issues (Won't Fix)
- [Issue]: [Rationale]

## Fixed Issues (Pre-Audit)
- [Issue]: [Fix applied, commit hash]

## Gas Baseline
- forge snapshot attached
- Estimated deployment cost: [N] ETH at [gwei] gwei

## Areas of Concern for Auditors
- [Specific complex logic to focus on]
- [External protocol integrations]
- [Novel patterns used]

## Test Coverage
forge coverage output:
[paste output]

---

Example: Full Pre-Check Run

#!/bin/bash
# precheck.sh — run from project root

echo "=== Solidity Audit Pre-Check ==="
echo "Date: $(date)"
echo "Commit: $(git rev-parse --short HEAD)"

mkdir -p audit-precheck

echo "\n[1/5] Slither..."
slither . --filter-paths "lib/,node_modules/" \
  --json audit-precheck/slither.json \
  --markdown-root . 2>&1 | tee audit-precheck/slither.log

echo "\n[2/5] Aderyn..."
aderyn . --output audit-precheck/aderyn.md

echo "\n[3/5] Solhint..."
solhint 'contracts/**/*.sol' > audit-precheck/solhint.log 2>&1

echo "\n[4/5] Forge gas snapshot..."
forge snapshot --snap audit-precheck/.gas-snapshot

echo "\n[5/5] Forge coverage..."
forge coverage --report lcov > audit-precheck/coverage.log 2>&1

echo "\nPre-check complete. Results in ./audit-precheck/"
echo "Run: cat audit-precheck/slither.log | grep 'Impact\|Result'"

---

Integration with Other Skills

• develop-secure-contracts — Use to integrate OpenZeppelin patterns that this skill validates
• upgrade-solidity-contracts — Pre-check upgradeable proxies before upgrade
• ethskills — General Ethereum dev context and deployment patterns
• erc20-tokenomics-builder — Pre-check token contracts built with this skill

---

Severity Thresholds for Deployment Go/No-Go

Severity	Count	Decision
Critical/High	Any	Block — do not deploy
Medium	> 3	Block — audit required
Medium	1-3	Mitigate or justify in writing
Low	Any	Document and accept or fix
Informational	Any	Fix in optimization pass

A clean pre-check (zero High/Critical, documented Mediums) typically reduces manual audit time by 30-50% and audit cost by 20-40%.