mvx_entry_points_skill

This skill identifies and analyzes MultiversX smart contract entry points to reveal attack surfaces and improve security.

10

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill multiversx/mx-ai-skills --skill mvx_entry_points

  • SKILL.md2.9 KB

Overview

This skill identifies and analyzes MultiversX smart contract entry points to reveal the contract attack surface. It enumerates functions annotated with multiversx_sc macros and classifies risk levels so developers can prioritize fixes. The output is a clear inventory and attack-surface summary for security reviews and audits.

How this skill works

The analyzer scans source files for multiversx_sc macros such as #[endpoint], #[view], #[payable], #[init], #[upgrade], and #[callback]. It lists each entry point, tags access control and payable behavior, maps touched storage mappers, and assigns a risk classification (Critical/High/Medium/Low). It also highlights missing token validation, unchecked payable paths, and endpoints lacking access restrictions.

When to use it

  • Before deployment to identify and harden public interaction points.
  • During security audits to produce a prioritized entry-point inventory.
  • While developing new features to catch accidental public exposure early.
  • When preparing test scenarios (Mandos) to ensure coverage of critical endpoints.
  • After upgrades to validate upgrade handlers and migration safety.

Best practices

  • List every #[endpoint], #[view], #[payable], #[init], #[upgrade], and #[callback] in the inventory.
  • Enforce strict access control on state-changing endpoints (OnlyOwner, role checks).
  • Validate all incoming value and token IDs on payable functions; avoid implicit acceptance.
  • Avoid unbounded storage writes from public endpoints; limit set sizes and validate inputs.
  • Treat init and upgrade handlers as critical: require multi-sig or governance checks.

Example use cases

  • Generate an endpoint inventory table for an upcoming audit with risk tags and storage touched.
  • Find payable functions that accept EGLD/ESDT without token ID validation to prevent fund theft.
  • Detect accidentally public admin or upgrade handlers that enable privilege escalation.
  • Identify public functions that cause unbounded growth (DoS via storage exhaustion).
  • Create a checklist of endpoints missing Mandos scenarios for integration test coverage.

FAQ

Payable endpoints handle value transfers; without token validation or proper checks they allow theft or unintended fund acceptance, making them critical.

How are access controls inferred?

The skill looks for explicit guards and common patterns (OnlyOwner annotations, require! checks) and flags endpoints lacking clear restrictions as public.

Does the analyzer detect state changes in views?

It flags views that perform unexpected mutations or use interior mutability patterns, since views should normally be read-only.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
mvx_entry_points skill by multiversx/mx-ai-skills | VeilStrat