Solidity
Avoid common Solidity mistakes — reentrancy, gas traps, storage collisions, and security pitfalls.
Best use case
Solidity is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using Solidity should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/solidity/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How Solidity Compares
| Feature / Agent | Solidity | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Avoid common Solidity mistakes — reentrancy, gas traps, storage collisions, and security pitfalls.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
## Reentrancy
- External calls before state updates — attacker can re-enter before state changes
- Checks-Effects-Interactions pattern — validate, update state, THEN external call
- `ReentrancyGuard` from OpenZeppelin — use `nonReentrant` modifier on vulnerable functions
- `transfer()` and `send()` have 2300 gas limit — but don't rely on this for security
## Integer Handling
- Solidity 0.8+ reverts on overflow — but `unchecked {}` blocks bypass this
- Division truncates toward zero — `5 / 2 = 2`, no decimals
- Use fixed-point math for precision — multiply before divide, or use libraries
- `type(uint256).max` for max value — don't hardcode large numbers
## Gas Gotchas
- Unbounded loops can exceed block gas limit — paginate or limit iterations
- Storage writes cost 20k gas — memory/calldata much cheaper
- `delete` refunds gas but has limits — refund capped, don't rely on it
- Reading storage in loop — cache in memory variable first
## Visibility and Access
- State variables default to `internal` — not `private`, derived contracts see them
- `private` doesn't mean hidden — all blockchain data is public, just not accessible from other contracts
- `tx.origin` is original sender — use `msg.sender`, `tx.origin` enables phishing attacks
- `external` can't be called internally — use `public` or `this.func()` (wastes gas)
## Ether Handling
- `payable` required to receive ether — non-payable functions reject ether
- `selfdestruct` sends ether bypassing fallback — contract can receive ether without receive function
- Check return value of `send()` — returns false on failure, doesn't revert
- `call{value: x}("")` preferred over `transfer()` — forward all gas, check return value
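The Reentrancy and Ether Handling bullets above in working code, as an added example that is not part of the skill: a vault with the vulnerable withdraw next to its Checks-Effects-Interactions form. It assumes OpenZeppelin Contracts v5 is installed (the import path is the v5 location); the `Vault` contract itself is invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 is installed (path below is the v5 location).
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Illustrative vault: depositors send ether via receive() and withdraw it later.
contract Vault is ReentrancyGuard {
    mapping(address => uint256) public balances;

    // payable is required to accept plain ether transfers
    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    // VULNERABLE: the external call runs before the balance is zeroed. A contract
    // recipient whose receive() calls withdrawUnsafe() again still passes the
    // require with the stale balance, so the vault can be drained.
    function withdrawUnsafe() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // effect after interaction: too late
    }

    // HARDENED: Checks, Effects, Interactions. A re-entrant call now sees a zero
    // balance and reverts at the require. nonReentrant additionally blocks
    // re-entry into any other nonReentrant function of this contract.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];            // Checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // Effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interactions
        require(ok, "transfer failed");                   // never ignore the bool
    }
}
```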
## Storage vs Memory
- `storage` persists, `memory` is temporary — storage costs gas, memory doesn't persist
- Structs/arrays parameter default to `memory` — explicit `storage` to modify state
- `calldata` for external function inputs — read-only, cheaper than memory
- Storage layout matters for upgrades — never reorder or remove storage variables
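The Gas Gotchas and Storage vs Memory bullets above applied to one contract, as an added example that is not from the skill: an unbounded payout loop beside a paginated version that caches the array length, takes `calldata` input and writes its cursor to storage once. The `Payouts` contract and its names are assumed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative payout list that can grow without bound (names are assumed).
contract Payouts {
    address[] public recipients;
    mapping(address => uint256) public owed;
    uint256 public nextIndex; // cursor: lets a long list be paid over several txs

    // calldata: read-only, never copied into memory, cheapest for external inputs
    function addRecipients(address[] calldata list, uint256 amountEach) external {
        for (uint256 i = 0; i < list.length; ++i) {
            recipients.push(list[i]);
            owed[list[i]] += amountEach;
        }
    }

    // GAS TRAP: unbounded loop over a storage array, with recipients.length read
    // from storage on every iteration. Once the list is large enough the call can
    // never fit in a block and the funds are stuck.
    function payAllUnsafe() external {
        for (uint256 i = 0; i < recipients.length; ++i) {
            address r = recipients[i];
            uint256 amount = owed[r];
            owed[r] = 0;
            (bool ok, ) = r.call{value: amount}("");
            require(ok, "payout failed");
        }
    }

    // FIXED: at most maxCount entries per call, length cached in a memory
    // variable, and the cursor written back to storage once after the loop.
    function payBatch(uint256 maxCount) external {
        uint256 len = recipients.length; // one SLOAD, then a memory variable
        uint256 start = nextIndex;
        uint256 end = start + maxCount;
        if (end > len) end = len;
        for (uint256 i = start; i < end; ++i) {
            address r = recipients[i];
            uint256 amount = owed[r];
            if (amount == 0) continue;
            owed[r] = 0; // effect before interaction (see Reentrancy)
            (bool ok, ) = r.call{value: amount}("");
            if (!ok) owed[r] = amount; // a failing recipient must not block the batch
        }
        nextIndex = end; // one ~20k-gas storage write instead of one per iteration
    }

    receive() external payable {}
}
```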
## Upgradeable Contracts
- Constructors don't run in proxies — use `initialize()` with `initializer` modifier
- Storage collision between proxy and impl — use EIP-1967 storage slots
- Never `selfdestruct` implementation — breaks all proxies pointing to it
- `delegatecall` uses caller's storage — impl contract storage layout must match proxy
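The Upgradeable Contracts bullets above as an added example (not from the skill): a V1 implementation using `initialize()` instead of a constructor, the EIP-1967 implementation slot, and a V2 that only appends to the storage layout. It assumes OpenZeppelin Contracts v5, whose `Initializable` keeps its own state in a namespaced slot so the implementation's variables really start at slot 0; the counter contracts are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5, whose Initializable keeps its own state in a
// namespaced slot (ERC-7201), so the impl's variables really do start at slot 0.
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";

// Implementation V1, meant to sit behind an EIP-1967 proxy (names are invented).
contract CounterV1 is Initializable {
    address public owner; // slot 0
    uint256 public count; // slot 1

    // EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1.
    // The proxy stores the impl address here, far from slots 0..n, so it cannot
    // collide with the variables above.
    bytes32 internal constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // Runs only on the impl itself, never through the proxy. Locks the impl so
    // nobody can call initialize() on it directly and take ownership of it.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    // Replaces the constructor: executed via delegatecall, so it writes the
    // proxy's storage. `initializer` ensures it runs only once per proxy.
    function initialize(address owner_) external initializer {
        owner = owner_;
    }

    function increment() external { count += 1; }
}

// Implementation V2: existing slots unchanged, new variable appended at the end.
// Reordering or removing `owner`/`count` would corrupt the proxy's state.
contract CounterV2 is Initializable {
    address public owner; // slot 0, unchanged
    uint256 public count; // slot 1, unchanged
    uint256 public step;  // slot 2, appended only

    constructor() { _disableInitializers(); }

    // reinitializer(2) lets the upgraded proxy set the new variable exactly once.
    function initializeV2(uint256 step_) external reinitializer(2) {
        step = step_;
    }

    function increment() external { count += step; }
}
```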
## Common Mistakes
- Block timestamp can be manipulated slightly — don't use for randomness or precise timing
- `require` for user errors, `assert` for invariants — assert failures indicate bugs
- String comparison with `==` doesn't work — use `keccak256(abi.encodePacked(a)) == keccak256(abi.encodePacked(b))`
- Events not indexed — first 3 params can be `indexed` for efficient filtering