Add real-world hardening patterns to existing skills#34
Open
claucondor wants to merge 10 commits into
Open
Conversation
…-patterns audit-checklist.md — new Cross-VM and DeFi Advanced Checks section: - Stuck state / missing emergency exit (burnCallback + external dependency) - Cross-VM timing races (stale timelock snapshot) - Lingering EVM approvals after claimRedeem - EVM call result not validated (coa.call unchecked) - Bridge precision loss UFix64↔uint256 (HackenProof Critical) - Fixed-point overflow in AMM liquidity (Cetus $223M pattern) - access(account) co-deploy privilege escalation (Dec 2025 exploit) - Burnable.burnCallback() griefing via external token - Cross-VM bridge as exploit exit with no rate limit - Contract initializer argument type smuggling (Dec 2025 infinite mint) - Use-after-free via retained reference after resource destroy (Halborn 2021) anti-patterns.md — two new anti-patterns: - AP6: access(account) in multi-contract accounts (co-deploy risk) - AP7: Burner.burn() on external token vaults without type validation
…-patterns audit-checklist.md — new Cross-VM and DeFi Advanced Checks section: - Stuck state / missing emergency exit - Cross-VM timing races (stale deadline in deferred operations) - Lingering EVM approvals after redemption - EVM call result not validated - Bridge precision loss UFix64↔uint256 (HackenProof Critical) - Fixed-point overflow in AMM liquidity (Cetus $223M pattern) - access(account) co-deploy privilege escalation (Dec 2025 exploit) - Burnable.burnCallback() griefing via external token - Cross-VM bridge as exploit exit with no rate limit - Contract initializer argument type smuggling (Dec 2025 infinite mint) - Use-after-free via retained reference after resource destroy (Halborn 2021) anti-patterns.md — two new anti-patterns: - AP6: access(account) in multi-contract accounts (co-deploy escalation) - AP7: Burner.burn() on external token vaults without type validation All patterns are general-purpose — no references to specific project code.
testing.md — new section documenting three patterns that silently drop tests from flow test output: Test.newBlockchain() (non-existent API), triple-quoted heredoc strings (unsupported in Cadence), and wrong module-level account variable types. Includes count-match rule. testing-patterns.md — hard constraints table at the top of the CDC native section; explicit count check before proceeding.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds reference content to five existing skills, based on hitting real walls
with Flow/Cadence:
cu-optimization.md(CU cost per operation, dictvs array trade-offs, resource inlining, composite key packing, sweep
methodology for MAX_SAFE_N, EVM CU interaction); 2 new entries in
anti-patterns.md(access(account)in multi-contract accounts;Burner.burn()on external token vaults)audit-checklist.mdcovering 11 vuln classes from real exploits (Cetusfixed-point overflow, bridge precision loss, the Dec 2025 init-arg
smuggling,
access(account)co-deploy escalation, use-after-free)protocol-architecture.md(atomicity guarantees, EVM.Status values,gas exhaustion, partial batch failures, CU interaction)
testing-patterns.md(decision tree, adversarialcategories, coverage interpretation) plus a "Common Mistakes That
Silently Drop Tests" section in
testing.md. Caught a case where 11tests disappeared from the runner because of a heredoc string.
upgrade-strategies.md(what Cadenceallows/forbids, new-contract-name strategy, rollback, multi-contract
coordinated deploy)