DeFi Security Principles

Language Rule

• Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Scope: Only applicable to DeFi projects (DEX, lending, staking, LP, yield). Non-DeFi projects can ignore this skill.

Protection Decision Rules

Threat	Required Protection
Whale manipulation	Daily transaction caps + per-tx amount limits + cooldown window
MEV / sandwich attack	EOA-only checks (msg.sender == tx.origin), or use commit-reveal pattern
Arbitrage	Referral binding + liquidity distribution + fixed yield model + lock period
Reentrancy	ReentrancyGuard on all external-call functions (see solidity-security skill)
Flash loan attack	Check block.number change between operations, or use TWAP pricing
Price manipulation	Chainlink oracle or TWAP — never rely on spot AMM reserves for pricing
Approval exploit	Use safeIncreaseAllowance / safeDecreaseAllowance, never raw approve for user flows
Governance attack	Voting requires snapshot + minimum token holding period; timelock ≥ 48h on proposal execution
ERC4626 inflation attack	First deposit must enforce minimum amount or use virtual shares to prevent share dilution via rounding
Cross-vault trust bypass	Router/Registry relay must verify vault authorization; never trust caller identity inside flash loan callbacks — EVMbench/noya H-08
Collateral ownership exploit	Liquidation/staking operations must verify actual NFT/collateral ownership — EVMbench/benddao
Bonding curve manipulation	ID/pricing params in create operations must be fully determined before external calls — EVMbench/phi H-06
DEX pair _transfer TOCTOU	Never distinguish operation type by balance/reserve checks in _transfer — both directions are exploitable: buy vs removeLiquidity (pair→user) and sell vs addLiquidity (user→pair); use address whitelist only; new projects prefer Uniswap V4 Hook

Anti-Whale Implementation Rules

• Maximum single transaction amount: configurable via onlyOwner setter
• Daily cumulative limit per address: track with mapping(address => mapping(uint256 => uint256)) (address → day → amount)
• Cooldown between transactions: enforce minimum time gap with block.timestamp check
• Whitelist for exempt addresses (deployer, LP pair, staking contract)

Flash Loan Protection Rules

• For price-sensitive operations: require that block.number has changed since last interaction
• For oracle-dependent calculations: use time-weighted average (TWAP) over minimum 30 minutes
• For critical state changes: add minimum holding period before action (e.g., must hold tokens for N blocks)

Protocol Composability Risks

Source: EVMbench (OpenAI/Paradigm, Feb 2026) — vulnerability patterns from Code4rena audits

• Cross-vault operations [noya H-08]: Registry/Router relay calls must verify vault-level authorization; prevent keeper from using flash loan to impersonate other vaults
• Lending collateral [benddao]: Liquidation functions must verify msg.sender actually owns or is authorized to operate on target collateral
• Bonding curve [phi H-06]: In create + auto-buy operations, ID assignment and pricing params must be fully determined before the buy transaction executes; prevent reentrancy from modifying them
• Shared registries [noya H-08]: Permission propagation chains in shared registries must be verified hop-by-hop; never rely solely on "trusted sender" flags

Launch Checklist

Before mainnet deployment, verify all items:

• All onlyOwner functions transferred to multisig wallet
• Timelock contract deployed and configured (minimum 24h delay for critical changes)
• Emergency pause mechanism tested — both pause and unpause functions work correctly
• Daily limit parameters documented and set to reasonable values
• Third-party security audit completed and all critical/high findings resolved
• Testnet deployment running for minimum 7 days with no issues
• Slippage, fee, and lock period parameters reviewed and documented
• Initial liquidity plan documented (amount, lock duration, LP token handling)
• Fuzz testing passes with high iterations (10000+) on all DeFi-critical functions

Emergency Response Procedure

Step	Action
1. Detect	Monitor alerts trigger (on-chain monitoring, community reports)
2. Pause	Designated address calls pause() — must respond within minutes
3. Assess	Technical lead analyzes root cause, estimates fund impact
4. Communicate	Post incident notice to community channels (Discord, Twitter, Telegram)
5. Fix	Deploy fix or prepare recovery plan
6. Resume	Call unpause() after fix verified on fork — or migrate to new contract
7. Post-mortem	Publish detailed incident report within 48 hours

DeFi Testing Reference

Test Scenario	Approach
Fuzz test fund flows	Run fuzz tests on staking/pool contracts with high iterations (10000+)
Fork mainnet testing	Use Foundry fork mode against mainnet RPC to test with real state
Simulate whale transaction	Use Foundry cast CLI to simulate large-amount calls on a forked network