Audits Solidity smart contracts for reentrancy vulnerabilities including token transfer reentrancy via ERC777/callback tokens, state updates after external calls enabling draining, cross-function reentrancy manipulating shared state, and read-only reentrancy exploiting stale state during callbacks (project)
Audits Solidity oracle integrations for vulnerabilities including missing stale price checks against heartbeat intervals, missing L2 sequencer uptime validation, same heartbeat for multiple feeds, assuming oracle precision, incorrect price feed addresses, unhandled oracle reverts, unhandled depeg events, oracle min/max price issues during flash crashes, using manipulable slot0 prices, price feed direction confusion, and missing circuit breaker checks (project)
Audits Solidity smart contracts for arithmetic precision vulnerabilities including division-before-multiplication causing value loss, small amounts rounding to zero enabling fee bypass, token decimal mismatches in multi-asset pools, unsafe downcasts truncating storage values, incorrect rounding direction leaking protocol fees, inverted oracle price pairs, hardcoded decimal assumptions, and time unit confusion in interest calculations
Audits Solidity liquidation mechanisms for incentive structure vulnerabilities including missing liquidation rewards making trustless liquidation unprofitable, insufficient incentives for small positions causing bad debt accumulation, profitable users withdrawing collateral eliminating liquidation incentive, missing bad debt handling mechanisms, partial liquidation bypassing bad debt accounting, and lack of partial liquidation preventing whale position liquidations
Audits Solidity liquidation mechanisms for denial of service vulnerabilities including unbounded loops over positions causing out-of-gas reverts, data structure corruption preventing liquidation, front-running to block liquidation via nonce changes or self-liquidation, pending withdrawals forcing reverts, malicious ERC721/ERC20 callback reverts, collateral in external vaults not seized, insufficient insurance fund blocking liquidation, fixed bonus exceeding available collateral, incorrect decimal handling, conflicting nonReentrant modifiers, zero value transfer reverts, token deny list issues, and single borrower edge cases
Audits Solidity liquidation mechanisms for calculation vulnerabilities including incorrect liquidator reward decimals making rewards too small/large, unprioritized liquidator rewards paid after other fees removing incentive, excessive protocol fees making liquidation unprofitable, minimum collateral requirements not accounting for liquidation costs, unaccounted yield/PNL not included in collateral valuation, missing swap fees during liquidation, and oracle sandwich self-liquidation manipulation
Audits Solidity lending and borrowing protocols for vulnerabilities including premature liquidation before default, collateral manipulation preventing liquidation, loan closure without repayment, asymmetric pause mechanisms, token disallowance blocking operations, missing grace periods, incorrect liquidation share calculations, repayments to zero address, forced loan assignments, loan state manipulation via refinancing, double debt accounting, and dust loan griefing attacks
Audits Solidity auction mechanisms for manipulation vulnerabilities including self-bidding to reset auction timer, auction start during L2 sequencer downtime affecting timing fairness, insufficient auction length validation allowing very short auctions for immediate seizure, and off-by-one errors allowing seizure during active auction period (project)
Audits the security posture of a CockroachDB cluster (Cloud or self-hosted) across network, authentication, authorization, encryption, audit logging, and backup dimensions. Use when assessing cluster security readiness, preparing for compliance reviews, or investigating security configuration gaps.
Detects storage slot inefficiencies in Solidity contracts: struct packing gaps, suboptimal field ordering, mapping-vs-array tradeoffs, SSTORE2 for large static data, transient storage for within-transaction state, and batch mutation patterns. Use when writing or reviewing struct definitions, state variable declarations, or storage-heavy contract logic in Foundry-based Solidity projects. Covers SL-001 through SL-010: slot packing, address+uint96 pairing, storage caching, delete refunds, transient reentrancy guards, flash-loan flags, SSTORE2, batch writes, keccak constant precomputation, and mapping-vs-array decisions.
Ethereum development tutor and builder for Scaffold-ETH 2 projects. Triggers on "build", "create", "dApp", "smart contract", "Solidity", "DeFi", "Ethereum", "web3", or any blockchain development task. ALWAYS uses fork mode to test against real protocol state.
Detects state variables that should be declared constant or immutable in Solidity contracts. Constant for compile-time-known values (inlined by compiler, zero runtime cost), immutable for constructor-set-once values (baked into bytecode, ~3 gas per read vs 2100 gas cold SLOAD). Covers IC-001 (constant for literal assignments), IC-002 (immutable for constructor-set values), IC-003 (immutable for frequently-read address variables). Use when writing constructors or reviewing state variable declarations in Foundry-based Solidity projects.
Site reliability engineering -- SLO/SLI/SLA, error budgets, toil, on-call, runbooks, incidents.
Use when implementing or reviewing changes in this Chemical-Thermodynamics repository. Apply the repo contract by reading .agents/brain/brain.md first, preserving SI-unit and public-API invariants, shipping thin vertical slices with a runnable golden path, running CI-equivalent quality gates (ruff format, ruff format --check, ruff check, pyright, pytest), verifying editable and non-editable install smoke checks, and updating ADR/brain docs when architecture or public API changes.
Background knowledge about how HTTP Signatures work in ActivityPub and the Fediverse, including the signing and verification process, the public key model, authorized fetch / secure mode, key rotation, instance actors, and known interoperability quirks across implementations. Load when the user asks about implementing HTTP signatures, debugging signature verification failures, the Digest header, the (request-target) pseudo-header, keyId resolution, the publicKey property on actors, hs2019, clock skew, or federation failing between specific implementations. Also load when reviewing or writing code that signs or verifies ActivityPub requests.
Audits Solidity concentrated liquidity manager (CLM) protocols for vulnerabilities including forced unfavorable liquidity deployment via missing TWAP checks, owner rug-pull via TWAP parameter manipulation, tokens permanently stuck from rounding errors, stale token approvals after router updates, and retrospective fee application on previously earned rewards (project)
Use for LawnBerry Pi runtime contract work that starts with drift audit and ends with aligned docs, config, scripts, service definitions, and targeted validation. Covers ports, startup behavior, proxies, systemd units, and maintainer-facing runtime guidance.
Detects loop gas inefficiencies in Solidity contracts: uncached array length in loop conditions, storage variable reads inside loop bodies, unprotected loop counters without unchecked, post-increment usage, do-while opportunities, and short-circuit ordering. Use when writing or reviewing for/while loops in Foundry-based Solidity projects. Covers LO-001 through LO-006: length caching, body storage caching, unchecked counters, pre-increment, do-while patterns, and boolean short-circuit evaluation.
Test security features and verify implementation before deployment. Use this skill when you need to test CSRF protection, rate limiting, input validation, verify security headers, run security audits, or check the pre-deployment security checklist. Triggers include "test security", "security testing", "verify security", "security checklist", "pre-deployment", "test CSRF", "test rate limit", "security verification".
Adversarial security audit playbook for Plutus V3 Aiken DEX contracts (threat model, invariants, findings, tests, tx repro shapes).
GitHub Actions YAML with embedded output contract: security-first, minimal permissions, version pinning. For CI, release, PR checks. Differs from generic templates by spec compliance and auditability.
How to create, manage, and use Ethereum wallets. Covers EOAs, smart contract wallets, multisig (Safe), and account abstraction. Essential for any AI agent that needs to interact with Ethereum — sending transactions, signing messages, or managing funds. Includes guardrails for safe key handling.
