- Home
- Skills
- Multiversx
- Mx Ai Skills
- Multiversx Dapp Audit
multiversx-dapp-audit_skill
10
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill multiversx/mx-ai-skills --skill multiversx-dapp-audit- SKILL.md9.2 KB
Overview
This skill audits frontend MultiversX dApp components built with @multiversx/sdk-dapp, focusing on wallet integration, transaction construction, and client-side security. It helps reviewers find vulnerabilities that could lead to funds loss, blind signing, XSS, and sensitive data exposure. The goal is actionable findings and remediation steps that improve user safety and transaction integrity.
How this skill works
The auditor inspects React/TypeScript frontend code for dangerous patterns: unsafe transaction payload construction, blind signing flows, insecure storage of keys/tokens, and unsanitized user content. It validates API usage (HTTPS, response validation), session handling, and wallet connection flows, and recommends changes like whitelisting contract calls, explicit transaction previews, and secure token handling. It also provides checks and tools to reproduce and verify issues during review.
When to use it
- Code review of React/TypeScript MultiversX dApps using @multiversx/sdk-dapp
- Before release or after major frontend changes that touch wallet or transaction code
- When assessing user-facing signing or approval UX for blind signing risks
- If you suspect sensitive data leakage in storage, logs, or URLs
- When validating frontend-backend boundaries and API trust assumptions
Best practices
- Whitelist allowed contract functions and validate all transaction arguments before building payloads
- Always present a clear transaction preview (recipient, amount, token, function, gas) to users before signing
- Never store private keys, mnemonics, or seeds in localStorage; use short-lived session storage managed by sdk-dapp
- Sanitize any HTML or user-generated content; prefer React escaping or DOMPurify if HTML is required
- Enforce HTTPS for all endpoints and validate API responses before using data
- Clear session data on logout and enforce token expiry for sensitive operations
Example use cases
- Audit a dApp that builds contract calls from user input to ensure no arbitrary payload injection
- Review wallet connection flow to confirm no private data is transmitted and provider prompts are correct
- Scan codebase for insecure storage or logging of tokens, keys, or mnemonics
- Validate redirect handling and user content rendering to prevent XSS and open redirects
- Test transaction signing UI to ensure users see meaningful previews and gas estimates
FAQ
Search for signing calls that pass hashes or opaque data and check whether the UI shows a human-readable preview. Flag signMessage or signTransaction usage where the user only sees a hash or no context.
What are the most critical code patterns to grep for?
Look for localStorage/sessionStorage of credentials, dangerouslySetInnerHTML, eval(), console.log of tokens, and direct construction of transaction data from unvalidated inputs.