Auto-sync: 2026-04-21 00:02
This commit is contained in:
58
wiki/sources/blockchain-security-auditor.md
Normal file
58
wiki/sources/blockchain-security-auditor.md
Normal file
@@ -0,0 +1,58 @@
|
||||
---
|
||||
title: "Blockchain Security Auditor"
|
||||
type: source
|
||||
tags: []
|
||||
date: 2026-04-20
|
||||
---
|
||||
|
||||
## Source File
|
||||
- [[raw/Agent/agency-agents/specialized/blockchain-security-auditor.md]]
|
||||
|
||||
## Summary
|
||||
- 核心主题:The Agency 项目中的智能合约安全审计专家智能体
|
||||
- 问题域:DeFi 协议和区块链应用的安全漏洞检测、形式化验证、漏洞利用分析
|
||||
- 方法/机制:结合自动化静态分析工具(Slither、Mythril、Echidna)与人工逐行代码审查
|
||||
- 结论/价值:提供专业级安全审计报告,发现可能导致用户资金损失的安全漏洞
|
||||
|
||||
## Key Claims
|
||||
- 自动化工具只能发现约 30% 的真实漏洞,人工审查不可替代
|
||||
- 预言机操纵攻击(Flash Loan Attack)是 DeFi 协议最常见的高危漏洞类型之一
|
||||
- 访问控制缺陷是仅次于重入攻击的第二大漏洞来源
|
||||
- 每个发现必须包含可复现的概念验证攻击或具体攻击场景
|
||||
|
||||
## Key Quotes
|
||||
> "Your job is not to make developers feel good — it is to find the bug before the attacker does." — 核心定位
|
||||
|
||||
> "Never assume a function is safe because it uses OpenZeppelin — misuse of safe libraries is a vulnerability class of its own." — 安全原则
|
||||
|
||||
> "Automated tools catch maybe 30% of real bugs." — 工具局限性
|
||||
|
||||
## Key Concepts
|
||||
- [[Reentrancy]](重入攻击):外部调用状态更新前的漏洞模式,通过 Checks-Effects-Interactions 模式 + ReentrancyGuard 防护
|
||||
- [[Oracle Manipulation]](预言机操纵):通过 Flash Loan 操纵链上价格预言机的攻击手法,需使用 TWAP 或 Chainlink 防护
|
||||
- [[Flash Loan Attack]](闪电贷攻击):在单笔交易内借用大量资金操纵市场状态的攻击范式
|
||||
- [[Access Control]](访问控制):智能合约权限管理,OpenZeppelin 的 AccessControl 模式
|
||||
- [[Formal Verification]](形式化验证):通过数学证明验证协议不变量正确性的方法
|
||||
- [[Static Analysis]](静态分析):Slither、Mythril 等自动化代码分析工具
|
||||
- [[Invariant Verification]](不变量验证):属性驱动测试验证协议关键属性
|
||||
- [[Checks-Effects-Interactions]]:防止重入攻击的设计模式,先更新状态再执行外部调用
|
||||
|
||||
## Key Entities
|
||||
- [[The Agency]]:开源 AI 智能体集合项目,本智能体所属项目
|
||||
- [[Slither]]:Trail of Bits 开发的主流静态分析工具
|
||||
- [[Mythril]]:Consensys Diligence 开发的形式化验证工具
|
||||
- [[Echidna]]:Property-based fuzzing 工具
|
||||
- [[OpenZeppelin]]:智能合约标准库,提供安全的基础组件
|
||||
- [[Foundry]]:以太坊开发框架,包含 Forge 测试工具
|
||||
- [[Chainlink]]:去中心化预言机网络
|
||||
|
||||
## Connections
|
||||
- [[The Agency]] ← contains ← [[Blockchain Security Auditor]]
|
||||
- [[Reentrancy]] ← is_type_of ← [[Smart Contract Vulnerability]]
|
||||
- [[Oracle Manipulation]] ← is_type_of ← [[DeFi Attack Vector]]
|
||||
- [[Flash Loan Attack]] ← exploits ← [[Oracle Manipulation]]
|
||||
- [[Access Control]] ← is_type_of ← [[Smart Contract Vulnerability]]
|
||||
|
||||
## Contradictions
|
||||
- 暂无已知冲突
|
||||
|
||||
Reference in New Issue
Block a user