SOS

Stronghold of Security: Comprehensive adversarial security audit for Solana/Anchor smart contracts. Run /SOS for a getting-started guide, or /SOS:scan to begin an audit.

15 stars

Best use case

SOS is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Stronghold of Security: Comprehensive adversarial security audit for Solana/Anchor smart contracts. Run /SOS for a getting-started guide, or /SOS:scan to begin an audit.

Teams using SOS should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/stronghold-of-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/MetalLegBob/solana-vibes-kit/main/stronghold-of-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/stronghold-of-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How SOS Compares

Feature / AgentSOSStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Stronghold of Security: Comprehensive adversarial security audit for Solana/Anchor smart contracts. Run /SOS for a getting-started guide, or /SOS:scan to begin an audit.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

<!-- SVK Version Check — runs once per session on first skill invocation -->
<svk-version-check>
**On first invocation this session**, silently perform a version check:

1. Look for `.claude/svk-meta.json` in the current project. If it doesn't exist, skip this check entirely.
2. Read the `svk_repo` path and `installed_version` from the metadata file.
3. Run: `git -C <svk_repo> fetch --tags --quiet 2>/dev/null`
4. Run: `git -C <svk_repo> tag --sort=-v:refname | head -1` to get the latest tag.
5. Compare the installed version against the latest tag (strip the leading `v`).
6. If they match, skip — the user is up to date.
7. If the latest tag is newer, show this message ONCE (never repeat in this session):

> **SVK Update Available:** v{latest} is available (you're on v{installed}).
> - **Update now:** I can pull and reinstall the changed skills in this session
> - **Update later:** Start a new chat and run `/SVK:update`

8. If the git commands fail (offline, repo moved, etc.), skip silently. Never show errors from version checking.

**Important:** Do NOT block or delay the user's actual command. Perform this check, show the notification if needed, then proceed with the command they invoked.
</svk-version-check>

# Stronghold of Security

A comprehensive, multi-agent adversarial security audit pipeline for Solana/Anchor smart contracts.

> *"The best defense is a thorough offense."*

---

## Getting Started

Stronghold of Security runs as a multi-phase pipeline. Each phase is a separate command with its own fresh context window, ensuring maximum quality throughout the entire audit.

### Quick Start

```
/SOS:scan
```

This begins the audit by analyzing your codebase and generating a hot-spots map. Follow the prompts — each phase tells you what was produced and what command to run next.

### Full Pipeline

```
┌─────────────────────────────────────────────────────────────────────┐
│                         STRONGHOLD OF SECURITY v1.0                           │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  /SOS:scan         Phase 0 + 0.25 + 0.5                    │
│  ═══════════════════        Pre-flight analysis                    │
│  Detect ecosystem, protocols, risk indicators                      │
│  Build codebase INDEX.md, generate KB manifest, run pre-scan       │
│  Output: INDEX.md, KB_MANIFEST.md, HOT_SPOTS.md                    │
│                          │                                          │
│                          ▼                                          │
│  /SOS:analyze      Phase 1 + 1.5                          │
│  ════════════════════       Parallel context building               │
│  8-9 specialized auditors analyze the ENTIRE codebase              │
│  Each through a different security lens                            │
│  Output: .audit/context/ (8-9 deep analysis files)                 │
│                          │                                          │
│                          ▼                                          │
│  /SOS:strategize   Phase 2 + 3                            │
│  ═════════════════════      Synthesis + strategy generation        │
│  Merge context into unified architecture                           │
│  Generate 50-100+ attack hypotheses from KB + novel analysis       │
│  Output: ARCHITECTURE.md, STRATEGIES.md                            │
│                          │                                          │
│                          ▼                                          │
│  /SOS:investigate  Phase 4 + 4.5                          │
│  ══════════════════════     Hypothesis investigation               │
│  Priority-ordered batch investigation                              │
│  Coverage verification against knowledge base                      │
│  Output: .audit/findings/ (one per hypothesis), COVERAGE.md        │
│                          │                                          │
│                          ▼                                          │
│  /SOS:report       Phase 5                                │
│  ═════════════════          Final synthesis                        │
│  Combination matrix, attack trees, severity calibration            │
│  Output: FINAL_REPORT.md                                           │
│                                                                     │
│  /SOS:verify       Post-fix verification                  │
│  ═════════════════          (after developer applies fixes)        │
│  Re-check findings, regression scan                                │
│  Output: VERIFICATION_REPORT.md                                    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```

---

## Commands

| Command | Description |
|---------|-------------|
| `/SOS` | This help guide |
| `/SOS:scan` | Scan codebase, detect config, generate KB manifest, build index, run static pre-scan |
| `/SOS:index` | Build codebase INDEX.md with per-file metadata and focus relevance |
| `/SOS:analyze` | Deploy 8-9 parallel context auditors + quality gate |
| `/SOS:strategize` | Synthesize context + generate prioritized attack strategies |
| `/SOS:investigate` | Investigate hypotheses in priority-ordered batches + coverage check |
| `/SOS:report` | Generate final report with combination analysis and attack trees |
| `/SOS:status` | Check audit progress and get next-step guidance |
| `/SOS:verify` | Verify fixes after addressing reported vulnerabilities |

### Typical Workflow

Run `/clear` between each phase to give the next phase a fresh context window. This is critical for quality — each phase produces large outputs that would otherwise consume context.

1. **`/SOS:scan`** — Analyze your codebase
2. `/clear`
3. **`/SOS:analyze`** — Deploy auditors
4. `/clear`
5. **`/SOS:strategize`** — Generate attack strategies
6. `/clear`
7. **`/SOS:investigate`** — Run investigations
8. `/clear`
9. **`/SOS:report`** — Generate final report
10. *(Fix vulnerabilities)*
11. **`/SOS:verify`** — Confirm fixes are effective

Check progress anytime with **`/SOS:status`**.

---

## Audit Tiers

| Tier | Focus Areas | Strategies | Best For |
|------|-------------|------------|----------|
| `quick` | 4 | 25-40 | Rapid sanity check, small changes, < 10 files |
| `standard` | 8 | 50-75 | Normal audits, medium codebases, 10-50 files |
| `deep` | 8+ | 100-150 | Pre-mainnet, high-value protocols, 50+ files |

The tier is auto-detected based on codebase size and complexity. Override with:
```
/SOS:scan --tier deep
```

---

## Focus Areas

The 8 parallel context auditors each analyze through one lens:

1. **Access Control & Account Validation** — Authority, signer checks, PDA derivation, type cosplay, ownership
2. **Arithmetic Safety** — Overflow, precision loss, rounding
3. **State Machine & Error Handling** — Transitions, race conditions, invariants, panic paths, error propagation
4. **CPI & External Calls** — Cross-program invocation, program validation, privilege propagation
5. **Token & Economic** — Token flows, economic invariants, MEV
6. **Oracle & External Data** — Price feeds, staleness, manipulation
7. **Upgrade & Admin** — Upgradeability, admin functions, timelocks
8. **Timing & Ordering** — Front-running, transaction ordering, atomicity

Plus a conditional **Economic Model Analyzer** for DeFi protocols.

---

## Knowledge Base

128 exploit patterns across 17 files (~480KB), built from 200+ research searches across 10 waves:

| Category | Files | Content |
|----------|-------|---------|
| **Core** | 7 files | 128 EPs with CVSS, PoC outlines, detection rules, fix patterns |
| **Solana** | 4 files | Anchor gotchas, runtime quirks, vulnerable deps, token extensions |
| **Protocols** | 7 files | AMM/DEX, lending, staking, bridge, NFT, oracle, governance playbooks |
| **Reference** | 2 files | Bug bounty findings, audit firm patterns |

### Key Incidents Covered

Wormhole ($320M), Mango Markets ($114M), Cashio ($52M), Crema Finance ($8.7M), MarginFi ($160M), Solend ($1.26M), Step Finance ($30-40M), Candy Machine V2 CVE, Metaplex pNFT bypasses, pump.fun exploits, Agave validator crashes, Ed25519 offset bypass, and 100+ more.

---

## Output Structure

All audit outputs go to `.audit/`:

```
.audit/
  INDEX.md              — Structured codebase index with focus relevance tags
  KB_MANIFEST.md        — Knowledge base loading manifest
  HOT_SPOTS.md          — Phase 0.5 static pre-scan results
  context/              — 8-9 deep context analyses
  ARCHITECTURE.md       — Unified architecture understanding
  STRATEGIES.md         — Generated attack hypotheses
  findings/             — Individual investigation results
  COVERAGE.md           — Coverage verification report
  FINAL_REPORT.md       — The complete audit report
  VERIFICATION_REPORT.md — Post-fix verification (after /verify)
  PROGRESS.md           — Human-readable progress tracking
  STATE.json            — Machine-readable audit state
```

---

## Why Phase-Based?

Each phase runs as a separate command with a **fresh context window**. This is critical for quality:

- **Phase 1 agents** produce 300-500KB of analysis each (~3-5MB total)
- **No single context window** can hold all of that for synthesis
- Each phase reads only what it needs (e.g., Phase 2 reads ~88KB of condensed summaries, not ~3.7MB of full analysis)
- Investigators in Phase 4 can deep-dive into specific focus areas' full analysis when needed
- **Result:** Higher quality at every stage of the pipeline

---

## Installation

Copy the skill and commands to your project:

```bash
# Option 1: Manual copy
cp -R stronghold-of-security/ your-project/.claude/skills/stronghold-of-security/
cp -R stronghold-of-security/commands/ your-project/.claude/commands/SOS/

# Option 2: Install script
./stronghold-of-security/install.sh your-project/
```

Both the `skills/` and `commands/` directories are required:
- `skills/stronghold-of-security/` — Skill definition, agents, knowledge base, resources
- `commands/SOS/` — Subcommand orchestration files

---

## Requirements

- [Claude Code](https://docs.anthropic.com/en/docs/claude-code) CLI
- A Solana/Anchor codebase to audit
- Optional: [semgrep](https://semgrep.dev/) for enhanced Phase 0.5 scanning

---

## Non-Goals

This skill does NOT:
- Generate exploit code
- Automatically fix vulnerabilities
- Replace human auditor judgment
- Guarantee completeness

The output is a comprehensive starting point for security hardening, not a certification of security. Security is a continuous process, not a one-time event.

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.