Repository inventory

scalus3/scalus

Skills indexed from this repository, with install-style signals scoped to the repo.
1 skill · 100 GitHub stars · 0 weekly installs

Overview

This skill performs a security review of Scalus/Cardano smart contracts by analyzing @Compile-annotated validators and related on-chain code. It checks for common vulnerability classes such as redirect attacks, missing state-token verification, inexact value checks, integer overflows and self-dealing, and it traces a concrete attack transaction to confirm exploitability before reporting a finding. Use it before deploying validators or whenever /security-review is invoked. The tool requires an explicit path argument so that discovery targets only the intended repository code.

How this skill works

The review discovers on-chain code by locating @Compile annotations, classes extending the Validator variants, and explicit Plutus.compile calls. It classifies each validator, runs a checklist of vulnerability patterns against it, and for every match attempts to construct a concrete attack transaction trace to confirm exploitability. Only confirmed issues are reported, each with a file:line location and a suggested fix; an interactive remediation step then lets you apply or decline each fix.

When to use it

  • Before deploying any validator to mainnet
  • When merging PRs that add or modify on-chain logic
  • When /security-review is invoked by CI or a reviewer
  • During security audits of dApp contract bundles
  • When adding parameterized or multi-purpose validators

Best practices

  • Always provide the repository path argument so discovery targets only intended files
  • Trace a concrete attack transaction for every flagged pattern before reporting
  • Prioritize fixing Critical and High severity verified issues first
  • Write unit tests that reproduce exploit traces when verification is uncertain
  • Use exact equality (===) for token and ADA amount checks rather than >= comparisons, and bounds-check every index access (.at(idx))
  • Log each remediation decision (fixed / declined / false positive) and re-run sbtn quick to verify the project still builds

Example use cases

  • Scan a repository path to find all @Compile objects and list validator types
  • Detect missing state token checks that would allow token theft and propose a fix
  • Verify an alleged double-satisfaction attack by constructing and tracing a concrete attack tx
  • Check index usages (.at(idx)) across validators and flag missing bounds checks
  • Run an interactive remediation session to apply fixes, compile, and produce a summary report

FAQ

Which path should I pass to the tool?

Provide the project root path that contains the Scala sources. The tool uses that path to grep for @Compile annotations, classes extending Validator, and Plutus.compile calls.

Will the tool report every pattern match as a vulnerability?

No. Every pattern match must first be verified by constructing and tracing a concrete attack transaction against the validator. An issue is reported only if that transaction passes every require() check in the trace, meaning the attack would actually succeed on-chain.
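To make the verification step concrete (the attack-trace idea described under "How this skill works", the === versus >= point in the best practices, and this FAQ answer), here is an added Python model that is neither Scalus code nor the skill's own implementation. It builds a two-listing double-satisfaction transaction, runs it through a weak "seller is paid at least the price" validator and a hardened one, and treats the pattern as a finding only when every require() passes. SCRIPT_ADDR, the validator and helper names, and the sample transactions are all constructed assumptions; value_eq stands in for exact === comparison and value_geq for the inexact >= pattern.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a Cardano transaction and a spending validator's
# require() checks. Illustrative only: not Scalus, not the skill's code.
# SCRIPT_ADDR, sale_validator_* and trace_attack are assumed names.

SCRIPT_ADDR = "addr_script"          # assumed address of the listing validator
Value = dict                         # asset id -> quantity; "lovelace" is ADA


@dataclass
class TxOut:
    address: str
    value: Value


@dataclass
class TxIn:
    ref: str                         # "txhash#index"
    out: TxOut
    datum: Optional[dict] = None     # {"seller": ..., "price": ...} for listings


@dataclass
class Tx:
    inputs: list
    outputs: list


class ValidationFailed(Exception):
    pass


def require(cond: bool, msg: str) -> None:
    """Mirror of an on-chain require(): a false condition aborts the script."""
    if not cond:
        raise ValidationFailed(msg)


def value_geq(have: Value, want: Value) -> bool:
    """Inexact check: `have` contains at least `want` (the >= pattern)."""
    return all(have.get(k, 0) >= q for k, q in want.items())


def value_eq(a: Value, b: Value) -> bool:
    """Exact check: same assets with the same quantities (the === pattern)."""
    return {k: v for k, v in a.items() if v} == {k: v for k, v in b.items() if v}


def sale_validator_weak(own: TxIn, tx: Tx) -> None:
    """Vulnerable: 'some output pays the seller at least the price'.
    Existential and inexact, so one payment satisfies several listings."""
    d = own.datum
    require(any(o.address == d["seller"] and value_geq(o.value, {"lovelace": d["price"]})
                for o in tx.outputs), "seller not paid")


def sale_validator_hardened(own: TxIn, tx: Tx) -> None:
    """Fixed: one listing per tx (kills double satisfaction) and the seller
    output must hold exactly the price (no surplus that could be shared)."""
    d = own.datum
    script_inputs = [i for i in tx.inputs if i.out.address == SCRIPT_ADDR]
    require(len(script_inputs) == 1, "exactly one listing may be spent per tx")
    require(any(o.address == d["seller"] and value_eq(o.value, {"lovelace": d["price"]})
                for o in tx.outputs), "seller not paid the exact price")


def trace_attack(validator, tx: Tx):
    """Run the validator for every script input of the candidate attack tx.
    Returns (exploitable, failures): exploitable only if every run passes."""
    failures = []
    for i in tx.inputs:
        if i.out.address == SCRIPT_ADDR:
            try:
                validator(i, tx)
            except ValidationFailed as e:
                failures.append(f"{i.ref}: {e}")
    return not failures, failures


def build_double_satisfaction_tx() -> Tx:
    """Constructed attack: spend two 50 ADA listings, pay the seller once."""
    seller = "addr_seller"
    listing_a = TxIn("aaaa#0", TxOut(SCRIPT_ADDR, {"lovelace": 2_000_000, "nft_a": 1}),
                     {"seller": seller, "price": 50_000_000})
    listing_b = TxIn("bbbb#0", TxOut(SCRIPT_ADDR, {"lovelace": 2_000_000, "nft_b": 1}),
                     {"seller": seller, "price": 50_000_000})
    attacker = TxIn("cccc#1", TxOut("addr_attacker", {"lovelace": 60_000_000}))
    return Tx(inputs=[listing_a, listing_b, attacker],
              outputs=[TxOut(seller, {"lovelace": 50_000_000}),
                       TxOut("addr_attacker", {"lovelace": 13_800_000, "nft_a": 1, "nft_b": 1})])


def build_honest_purchase_tx() -> Tx:
    """Constructed legitimate purchase, to confirm the fix keeps the honest path."""
    seller = "addr_seller"
    listing = TxIn("aaaa#0", TxOut(SCRIPT_ADDR, {"lovelace": 2_000_000, "nft_a": 1}),
                   {"seller": seller, "price": 50_000_000})
    buyer = TxIn("dddd#0", TxOut("addr_buyer", {"lovelace": 55_000_000}))
    return Tx(inputs=[listing, buyer],
              outputs=[TxOut(seller, {"lovelace": 50_000_000}),
                       TxOut("addr_buyer", {"lovelace": 6_800_000, "nft_a": 1})])


if __name__ == "__main__":
    attack = build_double_satisfaction_tx()
    print("weak validator exploitable:", trace_attack(sale_validator_weak, attack))
    print("hardened validator exploitable:", trace_attack(sale_validator_hardened, attack))
    print("hardened, honest tx:", trace_attack(sale_validator_hardened, build_honest_purchase_tx()))
```

The weak validator accepts the attack (both listing inputs pass, so the pattern is a reportable finding), the hardened one rejects it on both inputs, and the honest single-purchase transaction still passes the hardened checks. A trace that fails any require() is the false-positive case the FAQ describes and would not be reported.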

Can I automate this in CI?

Yes. Invoke the review with the repository path from your CI pipeline, configure it to fail the job on verified Critical/High findings, and archive the generated report artifacts.

Built by VeilStrat. © 2026 VeilStrat. All rights reserved.