Skip to content

Add real-world hardening patterns to existing skills#34

Open
claucondor wants to merge 10 commits into
onflow:mainfrom
claucondor:feature/skill-hardening
Open

Add real-world hardening patterns to existing skills#34
claucondor wants to merge 10 commits into
onflow:mainfrom
claucondor:feature/skill-hardening

Conversation

@claucondor

@claucondor claucondor commented May 11, 2026

Copy link
Copy Markdown

Summary

Adds reference content to five existing skills, based on hitting real walls
with Flow/Cadence:

  • cadence-lang: new cu-optimization.md (CU cost per operation, dict
    vs array trade-offs, resource inlining, composite key packing, sweep
    methodology for MAX_SAFE_N, EVM CU interaction); 2 new entries in
    anti-patterns.md (access(account) in multi-contract accounts;
    Burner.burn() on external token vaults)
  • cadence-audit: new "Cross-VM and DeFi Advanced Checks" section in
    audit-checklist.md covering 11 vuln classes from real exploits (Cetus
    fixed-point overflow, bridge precision loss, the Dec 2025 init-arg
    smuggling, access(account) co-deploy escalation, use-after-free)
  • flow-defi: new "Cross-VM Failure Modes" section in
    protocol-architecture.md (atomicity guarantees, EVM.Status values,
    gas exhaustion, partial batch failures, CU interaction)
  • flow-dev-setup: new testing-patterns.md (decision tree, adversarial
    categories, coverage interpretation) plus a "Common Mistakes That
    Silently Drop Tests" section in testing.md. Caught a case where 11
    tests disappeared from the runner because of a heredoc string.
  • flow-project-setup: new upgrade-strategies.md (what Cadence
    allows/forbids, new-contract-name strategy, rollback, multi-contract
    coordinated deploy)

claucondor added 10 commits May 10, 2026 20:30
…-patterns

audit-checklist.md — new Cross-VM and DeFi Advanced Checks section:
- Stuck state / missing emergency exit (burnCallback + external dependency)
- Cross-VM timing races (stale timelock snapshot)
- Lingering EVM approvals after claimRedeem
- EVM call result not validated (coa.call unchecked)
- Bridge precision loss UFix64↔uint256 (HackenProof Critical)
- Fixed-point overflow in AMM liquidity (Cetus $223M pattern)
- access(account) co-deploy privilege escalation (Dec 2025 exploit)
- Burnable.burnCallback() griefing via external token
- Cross-VM bridge as exploit exit with no rate limit
- Contract initializer argument type smuggling (Dec 2025 infinite mint)
- Use-after-free via retained reference after resource destroy (Halborn 2021)

anti-patterns.md — two new anti-patterns:
- AP6: access(account) in multi-contract accounts (co-deploy risk)
- AP7: Burner.burn() on external token vaults without type validation
…-patterns

audit-checklist.md — new Cross-VM and DeFi Advanced Checks section:
- Stuck state / missing emergency exit
- Cross-VM timing races (stale deadline in deferred operations)
- Lingering EVM approvals after redemption
- EVM call result not validated
- Bridge precision loss UFix64↔uint256 (HackenProof Critical)
- Fixed-point overflow in AMM liquidity (Cetus $223M pattern)
- access(account) co-deploy privilege escalation (Dec 2025 exploit)
- Burnable.burnCallback() griefing via external token
- Cross-VM bridge as exploit exit with no rate limit
- Contract initializer argument type smuggling (Dec 2025 infinite mint)
- Use-after-free via retained reference after resource destroy (Halborn 2021)

anti-patterns.md — two new anti-patterns:
- AP6: access(account) in multi-contract accounts (co-deploy escalation)
- AP7: Burner.burn() on external token vaults without type validation

All patterns are general-purpose — no references to specific project code.
testing.md — new section documenting three patterns that silently drop
tests from flow test output: Test.newBlockchain() (non-existent API),
triple-quoted heredoc strings (unsupported in Cadence), and wrong
module-level account variable types. Includes count-match rule.

testing-patterns.md — hard constraints table at the top of the CDC
native section; explicit count check before proceeding.
@claucondor claucondor requested a review from a team as a code owner May 11, 2026 02:08
@Aliserag Aliserag requested a review from peterargue May 19, 2026 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant