security-review-web3

Security patterns for Web3 and blockchain applications — Solana wallet signature verification, transaction validation, smart contract interaction security, and checklist for DeFi/NFT features.

8 stars

Best use case

security-review-web3 is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using security-review-web3 should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/security-review-web3/SKILL.md --create-dirs "https://raw.githubusercontent.com/marvinrichter/clarc/main/skills/security-review-web3/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-review-web3/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

SKILL.md Source

# Security Review — Web3 & Blockchain

Security patterns for applications that interact with blockchains, wallets, and smart contracts.

## When to Activate

- Implementing wallet-based authentication (Solana, Ethereum, EVM chains)
- Verifying on-chain transaction signatures before processing user actions
- Building smart contract interaction logic (minting, trading, staking)
- Implementing DeFi features with balance checks and transaction limits
- Auditing Web3-specific attack surfaces (replay attacks, reentrancy via callbacks)

> For general security (injection, auth, secrets, OWASP Top 10) — see skill `security-review`.
> For auth patterns (JWT, OAuth, sessions) — see skill `auth-patterns`.

## Solana Wallet Verification

### Wallet Signature Verification

```typescript
import { PublicKey } from '@solana/web3.js'
import nacl from 'tweetnacl'

// Solana message signatures are Ed25519 over the raw message bytes. @solana/web3.js does not
// export a `verify` function; tweetnacl (which web3.js itself depends on) performs the check.
// The wallet address is base58 (decoded via PublicKey); the signature is assumed to arrive base64-encoded.
function verifyWalletOwnership(
  publicKey: string,
  signature: string,
  message: string
): boolean {
  try {
    const pubKeyBytes = new PublicKey(publicKey).toBytes() // throws on an invalid address
    const sigBytes = Buffer.from(signature, 'base64')
    if (sigBytes.length !== 64) return false // Ed25519 signatures are exactly 64 bytes
    return nacl.sign.detached.verify(
      Buffer.from(message),
      sigBytes,
      pubKeyBytes
    )
  } catch (error) {
    // Malformed input is a failed verification, never an exception propagated to the caller
    return false
  }
}
```

### Transaction Verification

```typescript
interface TransferRequest {
  from: string    // base58 address of the sender
  to: string      // base58 destination address
  amount: bigint  // in base units (lamports / smallest token unit); never a floating-point number
}

// expectedRecipient and maxAmount come from server-side configuration, never from the client
async function verifyTransaction(
  transaction: TransferRequest,
  expectedRecipient: string,
  maxAmount: bigint,
  getBalance: (address: string) => Promise<bigint>
): Promise<true> {
  // Verify recipient: must match the pinned server-side address
  if (transaction.to !== expectedRecipient) {
    throw new Error('Invalid recipient')
  }

  // Verify amount: positive and within the server-side limit
  if (transaction.amount <= 0n) {
    throw new Error('Invalid amount')
  }
  if (transaction.amount > maxAmount) {
    throw new Error('Amount exceeds limit')
  }

  // Verify user has sufficient balance
  const balance = await getBalance(transaction.from)
  if (balance < transaction.amount) {
    throw new Error('Insufficient balance')
  }

  return true
}
```

## Security Checklist (Web3)

- [ ] Wallet signatures verified server-side before trusting identity
- [ ] Transaction details validated (recipient, amount, token)
- [ ] Balance checks performed before executing transactions
- [ ] No blind transaction signing — always validate content before submitting
- [ ] Replay attack protection (nonce or timestamp in signed message)
- [ ] Smart contract addresses pinned — never accept user-supplied contract addresses
- [ ] Amount limits enforced server-side (not just client-side)
- [ ] Rate limiting on transaction submission endpoints
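
The wallet signature verification above and the checklist's replay-protection item (nonce plus expiry in the signed message) combined into one server-side sign-in flow, as an added example that is not part of the original skill. It uses Node's built-in `crypto` for Ed25519 (Solana's signature scheme) instead of `tweetnacl`, so it runs with no extra packages; the message layout, the in-memory nonce store and the `demoWallet` stand-in for the user's wallet are assumptions made for this example.

```typescript
import { createPublicKey, generateKeyPairSync, randomBytes, sign as edSign, verify as edVerify } from 'crypto'

// DER header of an Ed25519 SubjectPublicKeyInfo; appending the 32 raw key bytes gives a key Node can import.
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex')

// Server-side nonce store: nonce -> the expiry it was issued with (in-memory for the demo; share it in production).
const issuedNonces = new Map<string, number>()

// Step 1: the server issues a single-use nonce with a short expiry.
export function issueNonce(ttlMs = 5 * 60_000, now = Date.now()): { nonce: string; expiresAt: number } {
  const nonce = randomBytes(16).toString('hex')
  const expiresAt = now + ttlMs
  issuedNonces.set(nonce, expiresAt)
  return { nonce, expiresAt }
}

// Step 2: both sides build the same canonical message (assumed layout). Binding domain, key, nonce and
// expiry means a captured signature is useless on another site, for another account, on reuse, or after expiry.
export function buildSignInMessage(domain: string, rawPubKey: Uint8Array, nonce: string, expiresAt: number): Buffer {
  const pubKeyHex = Buffer.from(rawPubKey).toString('hex')
  return Buffer.from(`${domain} wants you to sign in\npubkey: ${pubKeyHex}\nnonce: ${nonce}\nexpires: ${expiresAt}`)
}

// Step 3: the server rebuilds the message itself (never trusting free-form client text),
// verifies the Ed25519 signature over it, then burns the nonce.
export function verifySignIn(domain: string, rawPubKey: Uint8Array, nonce: string, expiresAt: number,
                             signature: Uint8Array, now = Date.now()): boolean {
  if (rawPubKey.length !== 32 || signature.length !== 64) return false // malformed key or signature
  if (now >= expiresAt) return false                                    // expired
  if (issuedNonces.get(nonce) !== expiresAt) return false               // unknown, already used, or altered expiry
  const key = createPublicKey({
    key: Buffer.concat([ED25519_SPKI_PREFIX, Buffer.from(rawPubKey)]), format: 'der', type: 'spki',
  })
  const ok = edVerify(null, buildSignInMessage(domain, rawPubKey, nonce, expiresAt), key, Buffer.from(signature))
  if (ok) issuedNonces.delete(nonce) // single use: a replayed signature now fails the nonce check
  return ok
}

// Stand-in for the user's wallet (constructed for the demo): a fresh Ed25519 keypair plus a signer.
export function demoWallet(): { rawPubKey: Uint8Array; sign: (msg: Buffer) => Uint8Array } {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519')
  const spki = publicKey.export({ type: 'spki', format: 'der' })
  return { rawPubKey: spki.subarray(spki.length - 32), sign: (msg) => edSign(null, msg, privateKey) }
}
```

With a real wallet adapter, `signMessage` returns the 64 signature bytes and the address is base58, so decode the address with `bs58` (or `new PublicKey(addr).toBytes()`) before calling `verifySignIn`.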

## Common Web3 Attack Vectors

| Attack | Description | Fix |
|--------|-------------|-----|
| Replay attack | Reusing a valid signed message | Include nonce + expiry in signed payload |
| Spoofed recipient | User-supplied destination address | Pin recipient addresses server-side |
| Amount overflow | Integer overflow in token math | Use `BN.js` or `BigInt` for all amounts |
| Reentrancy (EVM) | Callback executes before state update | Update state before external calls |
| Front-running | Transaction ordering manipulation | Use commit-reveal schemes |

## Reentrancy: Vulnerable vs. Safe Pattern

### Vulnerable (Classic Reentrancy)
```solidity
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "Insufficient");
        // ❌ External call BEFORE state update — attacker can re-enter here
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed");
        balances[msg.sender] -= amount;  // State updated AFTER call
    }
}
```

**Attack vector:** Malicious contract's `receive()` calls `withdraw()` again before `balances` is decremented. Attacker can drain the vault.

### Safe (Checks-Effects-Interactions)
```solidity
contract SafeVault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        // ✅ 1. Checks
        require(balances[msg.sender] >= amount, "Insufficient");
        // ✅ 2. Effects (state update BEFORE external call)
        balances[msg.sender] -= amount;
        // ✅ 3. Interactions (external call LAST)
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed");
    }
}
```

**Rule:** Always follow Checks → Effects → Interactions order. For complex cases, add `ReentrancyGuard` from OpenZeppelin:
```solidity
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
contract SafeVault is ReentrancyGuard {
    function withdraw(uint256 amount) external nonReentrant { ... }
}
```
