near-contract-audit_skill

This skill conducts automated and manual NEAR contract audits to identify vulnerabilities and guide secure Rust smart contract fixes.

8

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill near/agent-skills --skill near-contract-audit

  • SKILL.md3.1 KB

Overview

This skill provides a comprehensive security audit workflow for NEAR Protocol smart contracts written in Rust. It combines automated scanning with focused manual review to find and prioritize vulnerabilities that affect correctness, safety, and funds. The goal is clear findings with exploitability assessment and actionable remediation for developers and auditors.

How this skill works

First, run Rust static analysis and NEAR-aware scanners to identify common patterns like reentrancy, unsafe math, unhandled promises, and access control gaps. Next, perform manual review of business logic, cross-contract interactions, and economic attack surfaces. Each finding is validated for true positive status, exploitability, and recommended fixes, then compiled into a structured report with severity and remediation.

When to use it

  • Before mainnet deployment of NEAR contracts written in Rust
  • During security reviews after major feature changes or refactors
  • When third-party integrations or callbacks are added
  • For pre-release audits requested by auditors or stakeholders
  • When handling funds, tokens, or privileged access in contract logic

Best practices

  • Run both automated NEAR-aware tools and manual code walkthroughs; tools find patterns, humans assess logic.
  • Treat cross-contract calls as untrusted boundaries: check callbacks, use #[private], and reserve gas for callbacks.
  • Use assert_one_yocto and explicit owner/caller checks on sensitive methods.
  • Avoid native integer types in JSON interfaces; use string-encoded amounts or safe wrappers.
  • Persist collection changes immediately and use distinct storage prefixes to prevent collisions.

Example use cases

  • Detecting and fixing reentrancy where state changes occur after external calls.
  • Verifying callbacks are marked private and protected with appropriate gas and deposit assertions.
  • Finding and remediating storage collisions between collections after a refactor.
  • Reviewing token transfer and staking logic for unsafe arithmetic or floating point use.
  • Assessing gas griefing risks in loops and ensuring prepaid gas for cross-contract flows.

FAQ

High priority includes missing #[private] callbacks, reentrancy (state change after external call), native integer types in JSON interfaces, unsaved collection changes, missing owner checks, missing assert_one_yocto, storage prefix collisions, and missing #[init].

What tools should I run first?

Start with Rust static analyzers and NEAR-focused scanners that detect patterns like reentrancy, unhandled promises, and storage issues, then follow with manual review of business logic and cross-contract flows.

How do you validate a reported issue?

Validate by reproducing the pattern in code, reasoning about exploitability, checking call flow and state transitions, and proposing a minimal remediation with code examples when possible.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational