Guidelines Advisor
Automate and integrate Guidelines Advisor for smarter compliance recommendations
Category: productivity Source: trailofbits/skillsGuidelines Advisor is a community skill for advising on secure smart contract development guidelines, covering vulnerability pattern detection, coding standard enforcement, security best practice recommendations, audit checklist generation, and remediation guidance for blockchain development teams.
What Is This?
Overview
Guidelines Advisor provides security guidance for smart contract development based on established vulnerability databases and audit practices. It covers vulnerability pattern detection that identifies known insecure coding patterns in Solidity and other smart contract languages, coding standard enforcement that checks contracts against security-focused style guides and naming conventions, security best practice recommendations that suggest defensive coding patterns for common attack vectors like reentrancy and integer overflow, audit checklist generation that produces structured review checklists tailored to the contract type and complexity, and remediation guidance that provides specific fix recommendations for identified security issues. The skill enables development teams to integrate security review into their smart contract workflow.
Who Should Use This
This skill serves Solidity developers building DeFi protocols and token contracts, smart contract auditors conducting security reviews, and blockchain development teams establishing secure coding standards.
Why Use It?
Problems It Solves
Smart contract vulnerabilities cause significant financial losses when deployed without thorough security review. Developers unfamiliar with blockchain-specific attack vectors introduce common vulnerabilities like reentrancy and unchecked external calls. Security audit checklists vary in coverage and may miss contract-type-specific risks. Remediation guidance often lacks concrete code examples making fixes difficult to implement correctly.
Core Highlights
Pattern scanner identifies known vulnerability signatures in smart contract source code. Standard checker validates code against security style guides and best practices. Checklist generator produces audit checklists specific to contract functionality. Fix advisor provides code-level remediation examples for detected issues.
How to Use It?
Basic Usage
import re
class GuidelineChecker:
PATTERNS = {
'reentrancy': (
r'\.call\{value:',
'External call before'
' state change'),
'unchecked_return': (
r'\w+\.call\(',
'Unchecked low-level'
' call return'),
'tx_origin': (
r'tx\.origin',
'tx.origin used for'
' authentication')}
def check(
self,
source: str
) -> list[dict]:
findings = []
lines = source.split(
'\n')
for i, line\
in enumerate(lines):
for name, (
pattern, desc
) in self.PATTERNS\
.items():
if re.search(
pattern, line):
findings.append({
'rule': name,
'line': i + 1,
'description':
desc,
'severity':
'high'})
return findings
Real-World Examples
class AuditChecklist:
DEFI_CHECKS = [
'Reentrancy guards on'
' external calls',
'Slippage protection'
' on swaps',
'Oracle manipulation'
' resistance',
'Flash loan attack'
' vectors reviewed',
'Access control on'
' privileged functions']
TOKEN_CHECKS = [
'Transfer function'
' overflow protection',
'Approval race'
' condition handling',
'Zero address'
' validation',
'Total supply'
' consistency']
def generate(
self,
contract_type: str,
has_external: bool
= True
) -> list[dict]:
checks = []
base = [
'Compiler version'
' pinned',
'No floating pragma',
'Events emitted for'
' state changes']
checks.extend([
{'item': c,
'category': 'base'}
for c in base])
if contract_type\
== 'defi':
checks.extend([
{'item': c,
'category': 'defi'}
for c
in self.DEFI_CHECKS])
elif contract_type\
== 'token':
checks.extend([
{'item': c,
'category':
'token'}
for c in self\
.TOKEN_CHECKS])
return checks
Advanced Tips
Combine static pattern matching with symbolic execution tools like Slither and Mythril for deeper vulnerability detection beyond surface pattern matching. Maintain organization-specific checklist extensions that cover internal coding standards beyond public security guidelines. Review access control patterns against the principle of least privilege for every external and public function.
When to Use It?
Use Cases
Review a Solidity contract against common vulnerability patterns before deployment. Generate an audit checklist tailored to a DeFi protocol with external integrations. Produce remediation guidance with code examples for security findings from an audit report.
Related Topics
Smart contract security, Solidity, blockchain auditing, vulnerability detection, DeFi security, secure coding standards, and remediation.
Important Notes
Requirements
Solidity source code access for pattern analysis. Knowledge of target blockchain platform and its specific security considerations. Updated vulnerability database reflecting recent exploit patterns.
Usage Recommendations
Do: combine automated pattern detection with manual code review since automated tools miss logic-level vulnerabilities. Update vulnerability patterns regularly as new attack vectors emerge. Prioritize findings by severity and exploitability for efficient remediation.
Don't: rely solely on pattern matching for security assurance since many vulnerabilities require understanding business logic context. Skip security review for contracts that interact with external protocols. Deploy contracts without addressing all high-severity findings.
Limitations
Static pattern matching cannot detect business logic vulnerabilities that depend on the intended behavior of the contract. New vulnerability classes may not be covered until patterns are added to the detection database. Remediation suggestions are generic and may need adaptation to specific contract architectures.