Review Solidity AMM, liquidity pool, and swap flow security risks.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "defi-amm-security" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/defi-amm-security/SKILL.md 2. Save it as ~/.claude/skills/defi-amm-security/SKILL.md 3. Reload skills and tell me it's ready
Please perform a security review of this Solidity AMM contract, focusing on reentrancy, CEI ordering, integer math, slippage protection, admin controls, and possible donation or inflation attacks. List issues by severity with fixes.
A severity-ranked security issue checklist with remediation advice and review notes.
I am designing a liquidity pool contract. Use an AMM security checklist to check for oracle manipulation, share inflation, reserve calculation errors, and withdrawal flow bugs, and suggest missing safeguards.
A vulnerability analysis of the pool design with recommended safeguards and implementation guidance.
Please assess the security of this swap flow, analyzing price manipulation, slippage settings, external call ordering, state update timing, and access controls, then produce a pre-deployment checklist.
A pre-deployment swap flow security checklist including risk points and validation steps.
Critical vulnerability patterns and hardened implementations for Solidity AMM contracts, LP vaults, and swap functions.
token.balanceOf(address(this)) in share or reserve mathUse this as a checklist-plus-pattern library. Review every user entrypoint against the categories below and prefer the hardened examples over hand-rolled variants.
The shell commands in this skill are local audit examples. Run them only in a trusted checkout or disposable sandbox, and do not splice untrusted contract names, paths, RPC URLs, private keys, or user-supplied flags into shell commands. Ask before installing tools or running long fuzzing/static-analysis jobs that may consume significant local or paid resources.
Never include secrets, private keys, seed phrases, API tokens, or mainnet signing credentials in command examples, logs, or reports.
Vulnerable:
function withdraw(uint256 amount) external {
require(balances[msg.sender] >= amount);
token.transfer(msg.sender, amount);
balances[msg.sender] -= amount;
}
Safe:
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
using SafeERC20 for IERC20;
function withdraw(uint256 amount) external nonReentrant {
require(balances[msg.sender] >= amount, "Insufficient");
balances[msg.sender] -= amount;
token.safeTransfer(msg.sender, amount);
}
Do not write your own guard when a hardened library exists.
Using token.balanceOf(address(this)) directly for share math lets attackers manipulate the denominator by sending tokens to the contract outside the intended path.
// Vulnerable
function deposit(uint256 assets) external returns (uint256 shares) {
shares = (assets * totalShares) / token.balanceOf(address(this));
}
// Safe
uint256 private _totalAssets;
function deposit(uint256 assets) external nonReentrant returns (uint256 shares) {
uint256 balBefore = token.balanceOf(address(this));
token.safeTransferFrom(msg.sender, address(this), assets);
uint256 received = token.balanceOf(address(this)) - balBefore;
shares = totalShares == 0 ? received : (received * totalShares) / _totalAssets;
_totalAssets += received;
totalShares += shares;
}
Track internal accounting and measure actual tokens received.
Spot prices are flash-loan manipulable. Prefer TWAP.
uint32[] memory secondsAgos = new uint32[](2);
secondsAgos[0] = 1800;
secondsAgos[1] = 0;
(int56[] memory tickCumulatives,) = IUniswapV3Pool(pool).observe(secondsAgos);
int24 twapTick = int24(
(tickCumulatives[1] - tickCumulatives[0]) / int56(uint56(30 minutes))
);
uint160 sqrtPriceX96 = TickMath.getSqrtRatioAtTick(twapTick);
Every swap path needs caller-provided slippage and a deadline.
function swap(
uint256 amountIn,
uint256 amountOutMin,
uint256 deadline
) external returns (uint256 amountOut) {
require(block.timestamp <= deadline, "Expired");
amountOut = _calculateOut(amountIn);
require(amountOut >= amountOutMin, "Slippage exceeded");
_executeSwap(amountIn, amountOut);
}
import {FullMath} from "@uniswap/v3-core/contracts/libraries/FullMath.sol";
uint256 result = FullMath.mulDiv(a, b, c);
For large reserve math, avoid naive a * b / c when overflow risk exists.
…
Set up and manage Pi-hole DNS, blocking, and home network resolution.
Create reusable Manim animated explainers for technical concepts, graphs, and system flows.
Create animation-rich web presentations or convert PowerPoint decks for talks and pitches.
Orchestrate RFC-based multi-agent workflows with quality gates and merge queues.
Translate visa document images into English and generate a bilingual PDF.
Troubleshoot BGP sessions, routing policy issues, and collect safe diagnostic evidence.
Statically audit Solidity contracts to find and fix common security vulnerabilities.
Design security and risk controls for autonomous trading agents with transaction authority
Assess Base token exit cost, depeg risk, and liquidity fragility.
Perform cross-chain crypto actions, contract decoding, portfolio checks, and security screening.
Lets AI agents swap tokens, manage LP positions, and route across AMMs.
Assess Solana token exit-liquidity risk before swaps for trading agents.