defender
Blue-team release-gate analysis for smart contract deployment and upgrade readiness. Classifies repositories, checks deploy/upgrade execution paths, CI/CD trust boundaries, config drift, secrets/signer operational security, and outputs evidence-backed release verdicts.
git clone --depth 1 https://github.com/quillai-network/quillshield_skills /tmp/defender && cp -r /tmp/defender/plugins/defender/skills/defender ~/.claude/skills/defenderSKILL.md
# Defender A blue-team release-gate skill for smart contract systems. Defender determines whether a repository is safe to deploy or upgrade. It focuses on **release execution risk**, not exploit discovery. ## Use when - deploying smart contracts - preparing upgrades - reviewing deploy scripts - hardening CI/CD - rotating admin roles - validating ownership handoff - enforcing release hygiene ## Non-goals Defender does NOT replace: - full security audits - economic analysis - invariant discovery - deep proxy vulnerability analysis (`proxy-upgrade-safety`) It focuses only on **execution safety of release**. --- ## Core rule **Evidence first.** Only report findings from: - contracts - deploy scripts - CI workflows - dependency manifests - configs / address books - tests / fork scripts - docs / runbooks Separate: - **Detection** → what repo proves - **Policy** → what should be enforced --- ## Execution order (STRICT) 1. Project classification 2. Defence pass 3. Severity scoring 4. Release verdict --- ## Reference packs Always load: - `references/finding-catalog.md` - `references/severity-model.md` - `references/evidence-query-playbook.md` Load contextually: - classification → `project-classification.md` - CI → `ci-supply-chain.md` - deploy drift → `config-drift-checks.md` - upgrade → `upgrade-readiness.md` - signer → `signer-opsec.md` - false confidence → `false-confidence.md` - post-deploy → `post-deploy-validation.md` Templates: - `defender-report-template.md` - checklist templates as needed --- # Phase 1 — Project classification ### Framework Detect: - Foundry / Hardhat / hybrid / other Evidence: - `foundry.toml`, `hardhat.config.*`, scripts ### Language - Solidity / Vyper / Cairo / mixed ### Upgradeability - upgradeable / immutable / mixed Evidence: - OZ upgrade imports - proxies - initializer usage ### Protocol type Infer: - token / vault / AMM / lending / bridge / governance / NFT / staking / other ### Deployment surface - manual / script / CI / multisig / upgrade-task ### CI surface - GitHub Actions / GitLab / other / none Output classification block. --- # Phase 2 — Defence pass ## A. Build integrity Check: - compiler version pinned - optimizer pinned - evmVersion consistency - lockfiles committed - no conflicting configs (Foundry vs Hardhat) - artifacts reproducible from repo - verification metadata aligned Escalate if: - build settings differ from verification - configs produce ambiguous outputs --- ## B. Dependencies, secrets, supply chain Check: - committed secrets - `.env` usage for private keys - floating versions - unpinned git deps - install scripts - dependency confusion risk - abandoned/suspicious packages - OZ version mismatch - unsafe sidecar tooling - unverified binaries ### Secret policy Plaintext `.env` private keys are discouraged. Preferred: - **Foundry keystore-backed accounts** Classify: - private key in repo → BLOCKER/HIGH - deploy scripts using plaintext env keys → HIGH - `.env` for non-sensitive config → acceptable --- ## C. CI/CD trust Check: - unpinned GitHub Actions - secrets in untrusted workflows - deploys from weak branches - no approval gate - excessive secret access - curl/bash installs - unsafe runners - mixed trust zones Escalate if CI can deploy unsafely. --- ## D. Deployment config drift CRITICAL Check: - chain ID matches target - RPC matches chain - deployer is correct - constructor/initializer args final - addresses (oracle/token/admin) valid for chain - no test/stale addresses - decimals correct - verifier settings pinned - no silent fallback logic ### Foundry FFI - default: HIGH - BLOCKER if affecting deploy logic/secrets --- ## E. Deploy-script safety Check: - chain assertions - deployer assertions - env validation - correct initialization order - idempotency assumptions clear - no test config reuse - address outputs reviewable - no opaque branching - verification steps present Escalate if scripts can silently misdeploy. --- ## F. Upgrade readiness (if applicable) Check: - implementation initialized or locked - initializer calldata reviewed - storage diff reviewed - proxy admin correct - multisig/timelock path exists - pause/rollback defined - fork rehearsal exists --- ## G. Signer & admin opsec Check: - deployer is dedicated - secure signer preferred - admin is multisig - roles separated: - deployer / upgrader / pauser / treasury - emergency roles documented - no hot wallet admin unless justified - tx review process exists --- ## H. Address & role mapping Extract: - owner/admin - proxy admin - upgrader - pauser - treasury - oracle - keeper - timelock Flag: - role concentration - EOA-only control - zero addresses - missing transfer flow --- ## I. Fork rehearsal Require evidence of: - deploy scripts tested - initializer tested - role transfers tested - upgrade tested - verification tested - smoke tests run Absence → HIGH (mainnet) --- ## J. Post-deploy readiness Check defined plan for: - verification - ownership assertions - pause test - oracle checks - event expectations - integration smoke tests - monitoring - deployment manifest --- ## K. Unsafe deploy ergonomics Check: - one-command broadcast risk - missing confirmations - hidden env defaults - CREATE/CREATE2 assumptions undocumented - nonce-sensitive flows undocumented --- # Phase 3 — False confidence MANDATORY Passing does NOT imply safety: - unit tests - forge test - static analysis - lint - typecheck Require: - fork rehearsal - permission diff - storage diff - address diff - event checks - role snapshot - post-deploy smoke tests --- # Phase 4 — Severity ### BLOCKER - wrong chain - lost admin - leaked secrets - broken init - broken upgrade - unverifiable deployment ### HIGH - unsafe CI - missing rehearsal - FFI misuse - admin EOA risk - stale config ### MEDIUM - should fix before mainnet ### LOW - hygiene gaps Specify scope: - mainnet-only / all releases / upgrades only --- # Phase 5 — Ve
Token-efficient smart contract security auditing via Behavioral State Analysis (BSA). Scopes analysis to contract type, runs only relevant threat engines, and uses tiered output depth. Use for auditing smart contracts, security reviews, or DeFi threat modeling.
Detects Denial of Service and griefing vulnerabilities in smart contracts. Covers unbounded loop DoS, block gas limit exhaustion, external call failure DoS, insufficient gas griefing (63/64 rule), storage bloat attacks, timestamp griefing, self-destruct force-feeding, and push vs pull payment pattern analysis. Use when auditing contracts with batch operations, loops over user data, reward distribution, dividend systems, or any logic that depends on address(this).balance or iterates over growing collections.
Detects unsafe external call patterns and token integration vulnerabilities in smart contracts. Covers unchecked call/delegatecall/staticcall return values, fee-on-transfer tokens, rebasing tokens, tokens with missing return values (USDT), ERC-777 callback risks, unsafe approve race conditions, return data bombs, gas stipend limitations, and push vs pull payment patterns. Use when auditing contracts that interact with external contracts, integrate arbitrary ERC20 tokens, distribute payments, or make low-level calls.
Detects input validation failures and arithmetic vulnerabilities in smart contracts. Covers missing zero-address and zero-amount checks, division-before-multiplication precision loss, rounding direction exploitation, ERC4626 vault share inflation attacks, unsafe integer casting, dust amount exploitation, and Solidity 0.8+ unchecked block edge cases. Use when auditing contracts with fee calculations, share pricing, exchange rates, unchecked blocks, or any public-facing functions that accept user input.
Detects price oracle manipulation and flash loan attack vectors in DeFi smart contracts. Classifies oracle trust models (Chainlink, TWAP, spot price, custom), identifies stale price risks, circular price dependencies, and flash loan atomicity exploitation patterns. Use when auditing DeFi protocols that depend on price data, oracle integrations, lending protocols, DEXs, derivatives, or any contract where flash loans could manipulate state within a single transaction.
Detects vulnerabilities in upgradeable proxy smart contracts including storage layout collisions, uninitialized implementations, function selector clashing, delegatecall context issues, and upgrade path safety. Covers Transparent Proxy, UUPS (EIP-1822), Beacon, Diamond (EIP-2535), and Minimal Proxy (EIP-1167) patterns. Use when auditing upgradeable contracts, reviewing implementation upgrades, analyzing delegatecall architectures, or verifying proxy pattern compliance.
Systematically detects all reentrancy vulnerability variants in smart contracts — classic, cross-function, cross-contract, and read-only reentrancy. Builds call graphs, verifies CEI (Checks-Effects-Interactions) pattern compliance, traces state changes relative to external calls, and identifies callback vectors through ERC-777/ERC-1155 hooks. Use when auditing contracts that make external calls, transfer ETH or tokens, interact with callback-enabled standards, or have complex multi-contract architectures.
Detects logic vulnerabilities in smart contracts by analyzing guard-state consistency patterns. Identifies functions that bypass security checks (require, modifiers) that other functions consistently apply. Uses the Consistency Principle — a contract is its own specification. Use when auditing smart contracts for missing access controls, inconsistent pause checks, logic bugs, forgotten modifiers, or when traditional tools report no issues but logic errors may exist.