Developer Tools / Advanced

Smart Contract Auditor

Structured audit framework for smart contract security - access control, reentrancy, MEV exposure, and go/no-go recommendations.

5 minutes
By andreolf
#smart-contracts #security-audit #blockchain #solidity #web3 #defi
CLAUDE.md Template

Download this file and place it in your project folder to get started.

SYSTEM
You are a senior smart contract auditor. You are strict, practical, and specific.

CONTEXT
Project: {{project}}
Chain: {{chain}}
Scope: {{scope}}
Threat model: {{threat_model}}
Risk tolerance: {{risk}}
Date: {{date}} (UTC {{time_utc}})

INPUT
{{input}}

TASK
Audit the contract changes and produce an actionable report.

RULES
- If information is missing or unknown, state "Unknown" explicitly
- State all assumptions clearly in the Assumptions section
- Do not fabricate or hallucinate facts
- Be deterministic: same input should produce consistent output structure
- Ask at most 3 clarifying questions only if scope or threat model is missing
- Prioritize exploitable issues first
- Provide concrete PoC steps (no code needed) and exact remediation guidance

OUTPUT SCHEMA
1) Clarifying questions (only if needed)
- Q1:
- Q2:
- Q3:

2) Assumptions
- Privileged roles: (admin keys, ownership patterns - state "Unknown" if not visible in code)
- Upgradeability pattern: (UUPS/Transparent/Beacon/None/Unknown - analyze proxy patterns)
- External dependencies: (Oracles, external contracts - list specific addresses/interfaces or state "None detected")
- Trust model: (Who is trusted, what can they do - be explicit about admin powers)

3) Executive risk summary
- Overall risk: (Low/Medium/High/Critical)
- Top 3 risks (bullets)

4) Findings
A) Critical
- Title:
  - Impact:
  - Exploit scenario:
  - Root cause:
  - Fix:
  - Test to add:

B) High
(same schema)

C) Medium
(same schema)

D) Low
(same schema)

5) Checklist
- Access control: (Pass/Fail/Unknown - role validation, modifier usage, unauthorized access vectors)
- Reentrancy: (Pass/Fail/Unknown - CEI pattern, reentrancy guards, external call safety)
- Arithmetic and rounding: (Pass/Fail/Unknown - overflow/underflow, precision loss, rounding directions)
- External calls and callbacks: (Pass/Fail/Unknown - call return values, gas limits, untrusted contracts)
- Upgradability and admin keys: (Pass/Fail/Unknown - upgrade mechanism security, admin key risks, timelock protection)
- Oracle dependencies: (Pass/Fail/Unknown - price manipulation, stale data, fallback mechanisms)
- MEV and sandwich exposure: (Pass/Fail/Unknown - frontrunning risks, slippage protection, ordering dependencies)
- ERC compliance: (Pass/Fail/Unknown - standard adherence, interface completeness, edge case handling)

6) Go or No Go recommendation
- Recommendation:
- Conditions to ship:
README.md

What This Does

Acts as a senior smart contract auditor. You provide contract code or diffs, and it produces an actionable audit report with categorized findings, an 8-point security checklist, and a go/no-go shipping recommendation.


Quick Start

Step 1: Download the Template

Click Download above to get the CLAUDE.md file.

Step 2: Provide Context

Fill in the template variables: project name, chain, scope, threat model, and risk tolerance.

Step 3: Run the Audit

claude

Say: "Audit this contract" and paste or reference your contract code.


What Gets Checked

| Area | Details |
|---|---|
| Access Control | Role validation, modifier usage, unauthorized access vectors |
| Reentrancy | CEI pattern, guards, external call safety |
| Arithmetic | Overflow/underflow, precision loss, rounding |
| External Calls | Return values, gas limits, untrusted contracts |
| Upgradability | Upgrade mechanism, admin keys, timelocks |
| Oracles | Price manipulation, stale data, fallbacks |
| MEV | Frontrunning, slippage, ordering dependencies |
| ERC Compliance | Standard adherence, interface completeness |

Example Output

## Executive Risk Summary
- Overall risk: High
- Top 3 risks:
  - Unprotected admin function allows rug pull
  - Missing reentrancy guard on withdraw()
  - Oracle price can be manipulated via flash loan

## Findings
### Critical
- Title: Unprotected withdrawAll()
  - Impact: Admin can drain contract
  - Exploit scenario: Call withdrawAll() with owner key
  - Root cause: No timelock or multisig requirement
  - Fix: Add 48h timelock + multisig
  - Test to add: Verify timelock enforced on withdrawAll

## Go or No Go
- Recommendation: No Go
- Conditions to ship: Fix critical finding, add timelock
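The critical finding above ends with a fix ("48h timelock + multisig") and a test to add ("verify timelock enforced on withdrawAll"). As an added example, not part of the playbook's output, here is what those two lines look like in Solidity: a hypothetical TimelockedTreasury whose withdrawAll() must be queued 48 hours ahead by the owner, which is assumed to be a multisig address fixed at deployment, followed by the Foundry test that proves the delay is enforced. forge-std's Test base contract, vm.deal, vm.startPrank/stopPrank, vm.warp, vm.expectRevert and makeAddr are real forge-std facilities; the contract and test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical treasury illustrating the fix from the example finding:
/// withdrawAll() only executes after it was queued and DELAY has elapsed.
/// `owner` is expected to be a multisig address (assumption), set at deployment.
contract TimelockedTreasury {
    uint256 public constant DELAY = 48 hours;

    address public immutable owner;  // multisig address, fixed at deployment
    uint256 public withdrawReadyAt;  // 0 = nothing queued

    event WithdrawQueued(uint256 readyAt);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address multisig) {
        require(multisig != address(0), "owner is zero");
        owner = multisig;
    }

    receive() external payable {}

    /// Step 1: announce the intent on-chain; anyone watching now has 48h notice.
    function queueWithdrawAll() external onlyOwner {
        withdrawReadyAt = block.timestamp + DELAY;
        emit WithdrawQueued(withdrawReadyAt);
    }

    /// The owner can abandon a queued withdrawal during the notice period.
    function cancelWithdrawAll() external onlyOwner {
        withdrawReadyAt = 0;
    }

    /// Step 2: execute only after the delay. The queue slot is consumed (Effect)
    /// before the transfer (Interaction), so the call cannot be replayed.
    function withdrawAll(address payable to) external onlyOwner {
        require(withdrawReadyAt != 0, "not queued");
        require(block.timestamp >= withdrawReadyAt, "timelock active");
        withdrawReadyAt = 0;
        uint256 amount = address(this).balance;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// The "test to add" from the finding, as a Foundry test (run with `forge test`).
contract TimelockedTreasuryTest is Test {
    TimelockedTreasury treasury;
    address multisig = makeAddr("multisig");
    address payable recipient = payable(makeAddr("recipient"));

    function setUp() public {
        treasury = new TimelockedTreasury(multisig);
        vm.deal(address(treasury), 10 ether); // constructed balance for the test
    }

    function testWithdrawAllRevertsWhenNotQueued() public {
        vm.startPrank(multisig);
        vm.expectRevert("not queued");
        treasury.withdrawAll(recipient);
        vm.stopPrank();
    }

    function testWithdrawAllRevertsBeforeDelay() public {
        vm.startPrank(multisig);
        treasury.queueWithdrawAll();
        vm.warp(block.timestamp + 48 hours - 1); // one second short of the delay
        vm.expectRevert("timelock active");
        treasury.withdrawAll(recipient);
        vm.stopPrank();
    }

    function testWithdrawAllSucceedsAfterDelay() public {
        vm.startPrank(multisig);
        treasury.queueWithdrawAll();
        vm.warp(block.timestamp + 48 hours);
        treasury.withdrawAll(recipient);
        vm.stopPrank();
        assertEq(recipient.balance, 10 ether);
        assertEq(address(treasury).balance, 0);
    }

    function testNonOwnerCannotQueue() public {
        vm.expectRevert("not owner"); // msg.sender here is the test contract
        treasury.queueWithdrawAll();
    }
}
```

The timelock does not remove the admin's power to drain the contract; it converts an instant action into one with a public 48-hour notice window, which is what turns the finding's "Conditions to ship" into something users and monitoring can act on. Whether `owner` really is a multisig is a deployment fact the auditor should record under Assumptions as "Unknown" unless the address can be verified.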

Tips

  • Scope matters: Narrow the scope to changed files for faster, more focused audits
  • Provide threat model: The more specific your threat model, the better the findings
  • Iterate: Run follow-up questions on specific findings for deeper analysis
  • Combine with tools: Feed in Slither or Mythril output for cross-validation

Commands

"Audit this contract for security issues"
"Focus on access control and reentrancy"
"What are the top 3 exploit scenarios?"
"Give me the go/no-go recommendation"
"Check ERC-20 compliance"
