安全审计
- 作者仓库星标 5,723
- 叉子 499
- 作者更新于 2026年6月15日 16:05
- 作者仓库 skills
- 领域
- 通用
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @trailofbits · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 即装即用
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: substrate-vulnerability-scanner
description: Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, p…
category: 通用
runtime: Node.js
---
# substrate-vulnerability-scanner 输出预览
## PART A: 任务判断
- 适用问题:通用任务拆解、检查和交付。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“1. Purpose / 2. When to Use This Skill / 3. Platform Detection”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于通用任务拆解、检查和交付,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“1. Purpose / 2. When to Use This Skill / 3. Platform Detection”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件。
先用一个小任务确认它会围绕“1. Purpose / 2. When to Use This Skill / 3. Platform Detection”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: substrate-vulnerability-scanner
description: Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, p…
category: 通用
source: trailofbits/skills
---
# substrate-vulnerability-scanner
## 什么时候使用
- substrate-vulnerability-scanner 是一个通用扩展技能,按 SKILL 适合处理通用任务拆解、检查、交付和复盘,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可…
- 面向通用任务拆解、检查和交付,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「1. Purpose / 2. When to Use This Skill / 3. Platform Detection」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "substrate-vulnerability-scanner" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> 1. Purpose / 2. When to Use This Skill / 3. Platform Detection
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js | 读取文件、写入/修改文件 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Substrate Vulnerability Scanner
1. Purpose
Systematically scan Substrate runtime modules (pallets) for platform-specific security vulnerabilities that can cause node crashes, DoS attacks, or unauthorized access. This skill encodes 7 critical vulnerability patterns unique to Substrate/FRAME-based chains.
2. When to Use This Skill
- Auditing custom Substrate pallets
- Reviewing FRAME runtime code
- Pre-launch security assessment of Substrate chains (Polkadot parachains, standalone chains)
- Validating dispatchable extrinsic functions
- Reviewing weight calculation functions
- Assessing unsigned transaction validation logic
3. Platform Detection
File Extensions & Indicators
- Rust files:
.rs
Language/Framework Markers
// Substrate/FRAME indicators
#[pallet]
pub mod pallet {
use frame_support::pallet_prelude::*;
use frame_system::pallet_prelude::*;
#[pallet::config]
pub trait Config: frame_system::Config { }
#[pallet::call]
impl<T: Config> Pallet<T> {
#[pallet::weight(10_000)]
pub fn example_function(origin: OriginFor<T>) -> DispatchResult { }
}
}
// Common patterns
DispatchResult, DispatchError
ensure!, ensure_signed, ensure_root
StorageValue, StorageMap, StorageDoubleMap
#[pallet::storage]
#[pallet::call]
#[pallet::weight]
#[pallet::validate_unsigned]
Project Structure
pallets/*/lib.rs- Pallet implementationsruntime/lib.rs- Runtime configurationbenchmarking.rs- Weight benchmarksCargo.tomlwithframe-*dependencies
Tool Support
- cargo-fuzz: Fuzz testing for Rust
- test-fuzz: Property-based testing framework
- benchmarking framework: Built-in weight calculation
- try-runtime: Runtime migration testing
4. How This Skill Works
When invoked, I will:
- Search your codebase for Substrate pallets
- Analyze each pallet for the 7 vulnerability patterns
- Report findings with file references and severity
- Provide fixes for each identified issue
- Check weight calculations and origin validation
5. Vulnerability Patterns (7 Critical Patterns)
I check for 7 critical vulnerability patterns unique to Substrate/FRAME. For detailed detection patterns, code examples, mitigations, and testing strategies, see VULNERABILITY_PATTERNS.md.
Pattern Summary:
Arithmetic Overflow ⚠️ CRITICAL
- Direct
+,-,*,/operators wrap in release mode - Must use
checked_*orsaturating_*methods - Affects balance/token calculations, reward/fee math
- Direct
Don't Panic ⚠️ CRITICAL - DoS
- Panics cause node to stop processing blocks
- No
unwrap(),expect(), array indexing without bounds check - All user input must be validated with
ensure!
Weights and Fees ⚠️ CRITICAL - DoS
- Incorrect weights allow spam attacks
- Fixed weights for variable-cost operations enable DoS
- Must use benchmarking framework, bound all input parameters
Verify First, Write Last ⚠️ HIGH (Pre-v0.9.25)
- Storage writes before validation persist on error (pre-v0.9.25)
- Pattern: validate → write → emit event
- Upgrade to v0.9.25+ or use manual
#[transactional]
Unsigned Transaction Validation ⚠️ HIGH
- Insufficient validation allows spam/replay attacks
- Prefer signed transactions
- If unsigned: validate parameters, replay protection, authenticate source
Bad Randomness ⚠️ MEDIUM
pallet_randomness_collective_flipvulnerable to collusion- Must use BABE randomness (
pallet_babe::RandomnessFromOneEpochAgo) - Use
random(subject)notrandom_seed()
Bad Origin ⚠️ CRITICAL
ensure_signedallows any user for privileged operations- Must use
ensure_rootor custom origins (ForceOrigin, AdminOrigin) - Origin types must be properly configured in runtime
For complete vulnerability patterns with code examples, see VULNERABILITY_PATTERNS.md.
6. Scanning Workflow
Step 1: Platform Identification
- Verify Substrate/FRAME framework usage
- Check Substrate version (v0.9.25+ has transactional storage)
- Locate pallet implementations (
pallets/*/lib.rs) - Identify runtime configuration (
runtime/lib.rs)
Step 2: Dispatchable Analysis
For each #[pallet::call] function:
- Arithmetic: Uses checked/saturating operations?
- Panics: No unwrap/expect/indexing?
- Weights: Proportional to cost, bounded inputs?
- Origin: Appropriate validation level?
- Validation: All checks before storage writes?
Step 3: Panic Sweep
# Search for panic-prone patterns
rg "unwrap\(\)" pallets/
rg "expect\(" pallets/
rg "\[.*\]" pallets/ # Array indexing
rg " as u\d+" pallets/ # Type casts
rg "\.unwrap_or" pallets/
Step 4: Arithmetic Safety Check
# Find direct arithmetic
rg " \+ |\+=| - |-=| \* |\*=| / |/=" pallets/
# Should find checked/saturating alternatives instead
rg "checked_add|checked_sub|checked_mul|checked_div" pallets/
rg "saturating_add|saturating_sub|saturating_mul" pallets/
Step 5: Weight Analysis
- Run benchmarking:
cargo test --features runtime-benchmarks - Verify weights match computational cost
- Check for bounded input parameters
- Review weight calculation functions
Step 6: Origin & Privilege Review
# Find privileged operations
rg "ensure_signed" pallets/ | grep -E "pause|emergency|admin|force|sudo"
# Should use ensure_root or custom origins
rg "ensure_root|ForceOrigin|AdminOrigin" pallets/
Step 7: Testing Review
- Unit tests cover all dispatchables
- Fuzz tests for panic conditions
- Benchmarks for weight calculation
- try-runtime tests for migrations
7. Priority Guidelines
Critical (Immediate Fix Required)
- Arithmetic overflow (token creation, balance manipulation)
- Panic DoS (node crash risk)
- Bad origin (unauthorized privileged operations)
High (Fix Before Launch)
- Incorrect weights (DoS via spam)
- Verify-first violations (state corruption, pre-v0.9.25)
- Unsigned validation issues (spam, replay attacks)
Medium (Address in Audit)
- Bad randomness (manipulation possible but limited impact)
8. Testing Recommendations
Fuzz Testing
// Use test-fuzz for property-based testing
#[cfg(test)]
mod tests {
use test_fuzz::test_fuzz;
#[test_fuzz]
fn fuzz_transfer(from: AccountId, to: AccountId, amount: u128) {
// Should never panic
let _ = Pallet::transfer(from, to, amount);
}
#[test_fuzz]
fn fuzz_no_panics(call: Call) {
// No dispatchable should panic
let _ = call.dispatch(origin);
}
}
Benchmarking
# Run benchmarks to generate weights
cargo build --release --features runtime-benchmarks
./target/release/node benchmark pallet \
--chain dev \
--pallet pallet_example \
--extrinsic "*" \
--steps 50 \
--repeat 20
try-runtime
# Test runtime upgrades
cargo build --release --features try-runtime
try-runtime --runtime ./target/release/wbuild/runtime.wasm \
on-runtime-upgrade live --uri wss://rpc.polkadot.io
9. Additional Resources
- Building Secure Contracts:
building-secure-contracts/not-so-smart-contracts/substrate/ - Substrate Documentation: https://docs.substrate.io/
- FRAME Documentation: https://paritytech.github.io/substrate/master/frame_support/
- test-fuzz: https://github.com/trailofbits/test-fuzz
- Substrate StackExchange: https://substrate.stackexchange.com/
10. Quick Reference Checklist
Before completing Substrate pallet audit:
Arithmetic Safety (CRITICAL):
- No direct
+,-,*,/operators in dispatchables - All arithmetic uses
checked_*orsaturating_* - Type conversions use
try_into()with error handling
Panic Prevention (CRITICAL):
- No
unwrap()orexpect()in dispatchables - No direct array/slice indexing without bounds check
- All user inputs validated with
ensure! - Division operations check for zero divisor
Weights & DoS (CRITICAL):
- Weights proportional to computational cost
- Input parameters have maximum bounds
- Benchmarking used to determine weights
- No free (zero-weight) expensive operations
Access Control (CRITICAL):
- Privileged operations use
ensure_rootor custom origins -
ensure_signedonly for user-level operations - Origin types properly configured in runtime
- Sudo pallet removed before production
Storage Safety (HIGH):
- Using Substrate v0.9.25+ OR manual
#[transactional] - Validation before storage writes
- Events emitted after successful operations
Other (MEDIUM):
- Unsigned transactions use signed alternative if possible
- If unsigned: proper validation, replay protection, authentication
- BABE randomness used (not RandomnessCollectiveFlip)
- Randomness uses
random(subject)notrandom_seed()
Testing:
- Unit tests for all dispatchables
- Fuzz tests to find panics
- Benchmarks generated and verified
- try-runtime tests for migrations
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核