multiversx-dapp-audit_skill

This skill audits frontend dApp components for wallet integration and transaction handling security, helping you harden React/TypeScript apps using sdk-dapp.

10

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill multiversx/mx-ai-skills --skill multiversx-dapp-audit

  • SKILL.md9.2 KB

Overview

This skill audits frontend MultiversX dApp components built with @multiversx/sdk-dapp, focusing on wallet integration, transaction construction, and client-side security. It helps reviewers find vulnerabilities that could lead to funds loss, blind signing, XSS, and sensitive data exposure. The goal is actionable findings and remediation steps that improve user safety and transaction integrity.

How this skill works

The auditor inspects React/TypeScript frontend code for dangerous patterns: unsafe transaction payload construction, blind signing flows, insecure storage of keys/tokens, and unsanitized user content. It validates API usage (HTTPS, response validation), session handling, and wallet connection flows, and recommends changes like whitelisting contract calls, explicit transaction previews, and secure token handling. It also provides checks and tools to reproduce and verify issues during review.

When to use it

  • Code review of React/TypeScript MultiversX dApps using @multiversx/sdk-dapp
  • Before release or after major frontend changes that touch wallet or transaction code
  • When assessing user-facing signing or approval UX for blind signing risks
  • If you suspect sensitive data leakage in storage, logs, or URLs
  • When validating frontend-backend boundaries and API trust assumptions

Best practices

  • Whitelist allowed contract functions and validate all transaction arguments before building payloads
  • Always present a clear transaction preview (recipient, amount, token, function, gas) to users before signing
  • Never store private keys, mnemonics, or seeds in localStorage; use short-lived session storage managed by sdk-dapp
  • Sanitize any HTML or user-generated content; prefer React escaping or DOMPurify if HTML is required
  • Enforce HTTPS for all endpoints and validate API responses before using data
  • Clear session data on logout and enforce token expiry for sensitive operations

Example use cases

  • Audit a dApp that builds contract calls from user input to ensure no arbitrary payload injection
  • Review wallet connection flow to confirm no private data is transmitted and provider prompts are correct
  • Scan codebase for insecure storage or logging of tokens, keys, or mnemonics
  • Validate redirect handling and user content rendering to prevent XSS and open redirects
  • Test transaction signing UI to ensure users see meaningful previews and gas estimates

FAQ

Search for signing calls that pass hashes or opaque data and check whether the UI shows a human-readable preview. Flag signMessage or signTransaction usage where the user only sees a hash or no context.

What are the most critical code patterns to grep for?

Look for localStorage/sessionStorage of credentials, dangerouslySetInnerHTML, eval(), console.log of tokens, and direct construction of transaction data from unvalidated inputs.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
multiversx-dapp-audit skill by multiversx/mx-ai-skills | VeilStrat