--- id: wiki-2026-0508-smart-contract-auditing title: Smart Contract Auditing category: 10_Wiki/Topics status: verified canonical_id: self aliases: [Solidity Audit, Web3 Security Audit, Contract Security Review] duplicate_of: none source_trust_level: A confidence_score: 0.9 verification_status: applied tags: [security, web3, solidity, audit, ai-security] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: solidity framework: foundry/slither/mythril --- # Smart Contract Auditing ## 매 한 줄 > **"매 smart contract audit 의 layered defense — static (Slither) + symbolic (Mythril/Manticore) + fuzz (Echidna/Foundry invariant) + formal (Certora) + AI (Claude / GPT-5 audit) + human review"**. 매 2026 의 reality 의 single tool 의 X — 매 ensemble + AI-augmented review 의 ROI 의 best. 매 SWC registry, 매 Trail of Bits 의 building security in 의 reference. ## 매 핵심 ### 매 Tool layers - **Static (Slither, Aderyn)**: 매 known pattern detector — reentrancy, tx.origin, ... - **Symbolic (Mythril, Manticore)**: 매 path explore + SMT solver. - **Fuzz (Echidna, Foundry invariant)**: 매 property-based. - **Formal (Certora Prover, halmos)**: 매 spec proof. - **AI (Claude Opus 4.7, GPT-5, OpenZeppelin AI)**: 매 nuanced logic bug, NatSpec 의 intent vs code 의 mismatch. ### 매 Common vuln (SWC) - **Reentrancy** (SWC-107): CEI pattern, ReentrancyGuard. - **Integer over/underflow**: Solidity 0.8+ checked, 매 unchecked block 의 careful. - **Access control**: onlyOwner, role-based, 매 init function 의 protect. - **Oracle manipulation**: 매 single-block TWAP X, Chainlink + heartbeat. - **MEV / front-run**: commit-reveal, private mempool. ### 매 응용 1. **Pre-deploy audit** — 매 mainnet deploy 의 prerequisite. 2. **CI gate** — 매 PR 의 Slither / Foundry test 의 fail 의 block. 3. **Bug bounty** — Immunefi 등록 의 ongoing. 4. **Upgrade audit** — UUPS / Transparent proxy 의 upgrade diff review. ## 💻 패턴 ### Slither CI (GitHub Actions) ```yaml name: slither on: [push, pull_request] jobs: analyze: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: crytic/slither-action@v0.4.0 with: fail-on: medium slither-args: "--exclude-informational --filter-paths node_modules" ``` ### Foundry invariant test ```solidity // test/Invariant.t.sol import "forge-std/Test.sol"; import {Vault} from "src/Vault.sol"; contract VaultInvariant is Test { Vault vault; address[] users; function setUp() public { vault = new Vault(); for (uint i; i < 5; i++) users.push(makeAddr(string(abi.encodePacked("u", i)))); } function invariant_totalShares_eq_sumBalances() public view { uint sum; for (uint i; i < users.length; i++) sum += vault.balanceOf(users[i]); assertEq(vault.totalSupply(), sum); } } ``` ### Reentrancy (CEI + Guard) ```solidity import "@openzeppelin/contracts/utils/ReentrancyGuard.sol"; contract Pool is ReentrancyGuard { mapping(address => uint) public balance; // BAD function withdrawBad() external { uint b = balance[msg.sender]; (bool ok,) = msg.sender.call{value: b}(""); // 매 external before state require(ok); balance[msg.sender] = 0; } // GOOD: CEI + nonReentrant function withdraw() external nonReentrant { uint b = balance[msg.sender]; balance[msg.sender] = 0; // Effects (bool ok,) = msg.sender.call{value: b}(""); // Interaction require(ok, "send fail"); } } ``` ### Echidna property test ```solidity contract VaultEchidna is Vault { function echidna_no_negative_balance() public view returns (bool) { // 매 reachable balance 의 always >= 0 (uint, but check via burn) return totalSupply() >= 0; } function echidna_total_eq_deposits() public view returns (bool) { return address(this).balance == totalDeposited; } } // echidna . --contract VaultEchidna --test-mode property ``` ### AI audit (Claude 4.7) ```python import anthropic client = anthropic.Anthropic() def ai_audit(contract_src: str) -> str: msg = client.messages.create( model="claude-opus-4-7", max_tokens=4000, system="""You are a senior smart contract auditor. Review for: 1. Reentrancy, access control, integer issues 2. Oracle / price manipulation 3. Logic bugs vs NatSpec intent 4. Gas / DoS 5. Upgrade safety For each finding: severity (H/M/L), location, exploit, fix.""", messages=[{"role": "user", "content": f"```solidity\n{contract_src}\n```"}], ) return msg.content[0].text ``` ### Certora spec ``` // MyToken.spec methods { function balanceOf(address) external returns (uint) envfree; function totalSupply() external returns (uint) envfree; } invariant totalSupply_eq_sum_balances() totalSupply() == sumOfBalances() { preserved transfer(address to, uint amt) with (env e) { require balanceOf(e.msg.sender) >= amt; } } ``` ### Chainlink oracle (safe) ```solidity import "@chainlink/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol"; contract PriceConsumer { AggregatorV3Interface immutable feed; uint constant STALE = 3600; function price() public view returns (uint) { (, int answer,, uint updatedAt,) = feed.latestRoundData(); require(answer > 0, "neg price"); require(block.timestamp - updatedAt < STALE, "stale"); return uint(answer); } } ``` ## 매 결정 기준 | 상황 | Tool | |---|---| | CI gate | Slither + Foundry test | | Pre-deploy | Slither + Mythril + Echidna + AI + human | | High-value protocol | + Certora formal | | Upgrade | diff + storage layout check | | Bounty | Immunefi | **기본값**: Slither CI + Foundry invariant + AI review + manual senior review before mainnet. ## 🔗 Graph ## 🤖 LLM 활용 **언제**: NatSpec vs code intent diff, logic bug, gas optimization, exploit hypothesis 의 generate. **언제 X**: deterministic detection (Slither faster), formal proof (Certora). ## ❌ 안티패턴 - **Single tool reliance**: 매 Slither alone 의 logic bug miss. - **No mainnet rehearsal**: 매 fork test X. - **Owner = EOA**: 매 multisig / timelock 의 use. - **Unchecked external call**: low-level call 의 return 의 ignore. ## 🧪 검증 / 중복 - Verified (Trail of Bits, OpenZeppelin, ConsenSys Diligence). - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — full content with tool stack + AI audit pattern |