copper-tone-tech/mev-beta
1
0
Fork 0
Code Issues Pull Requests 7 Actions Packages Projects Releases Wiki Activity
Files
master-dev
mev-beta/.qwen/commands/audit-go-mev.toml
Krypto Kajun f358f49aa9 saving in place
2025-10-04 09:31:02 -05:00

89 lines
5.4 KiB
TOML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# audit-go-mev.toml
description = "Run a comprehensive security, correctness, performance & architecture audit on a Go-based MEV arbitrage bot (optionally including Solidity contracts)."
[command.parameters]
repo_url = { type = "string", required = true, description = "Git repository URL of the MEV bot (HTTPS or SSH)" }
ref = { type = "string", required = false, default = "main", description = "Branch, tag, or commit SHA to check out" }
include_solidity = { type = "bool", required = false, default = false, description = "If true, also audit Solidity contracts present in the repo" }
fuzz_time = { type = "string", required = false, default = "1h", description = "Duration to run Go fuzzing (e.g. '30m', '2h')" }
tools = { type = "string", required = false, description = "Comma-separated tool overrides (e.g. gosec,govulncheck,slither,forge,echidna)" }
[command.run]
prompt = """
You are an expert auditor and test orchestrator.
When invoked as `/audit-go-mev repo_url={repo_url} ref={ref} include_solidity={include_solidity} fuzz_time={fuzz_time} tools={tools}`, do the following:
1. **Clone & prepare**
- `git clone {repo_url}`
- `cd` into the repo, `git checkout {ref}`
- Detect if there is a `contracts/` directory or solidity files only if `include_solidity` = true.
2. **Go static & dependency analysis**
- Run `gosec ./...`
- Run `govulncheck ./...`
- Run `golangci-lint run ./...` (or selected linters)
- Collect and report any critical or high-severity findings (file:line, description, suggested fix)
- Run `go list -m all` and flag modules with known vulnerabilities or unmaintained status.
3. **Go tests & runtime checks**
- Run `go test -v -race ./...`
- Under a load simulation, collect CPU and heap profiles (via `go test -bench . -cpuprofile cpu.prof -memprofile mem.prof`)
- Identify race conditions, panics, deadlocks, goroutine leaks.
4. **Go fuzzing**
- Identify or create fuzz test targets (e.g., for RPC response parsing, ABI decoding, signed-tx parser).
- Run `go test -fuzz=Fuzz -fuzztime={fuzz_time} ./...`
- Save crashing inputs and minimized repro cases; include them in output.
5. **Transaction & signing review**
- Inspect nonce manager logic, especially handling of `nonce too low / too high` errors
- Check EIP-155 replay protection, chain ID, and v/r/s values
- Review gas estimation, max gas caps, slippage checks
- For Flashbots or bundle submission: simulate bundles and validate no unintended reverts or order exposure.
6. **Concurrency, architecture & design**
- Examine goroutine lifecycles and cancellation via `context.Context`
- Check use of bounded worker pools, rate limiting, backoff retries
- Ensure modular separation between mempool ingestion, strategy logic, RPC layer, and signer
7. **Operational resilience & secrets**
- Confirm private keys or mnemonics are never stored in code or configs
- Validate use of secret manager or environment isolation
- Review logging, tracing, metrics (latency, success/fail counts) and alerting thresholds
- Evaluate CI/CD integration: static checks, test suite, fuzzing in pipelines
8. **Solidity / contract audit** *(only if include_solidity = true)*
- Run `slither .` and collect static vulnerability findings
- Use Foundry/Forge: `forge test --fuzz` or `forge test`
- Run `echidna-test` or similar property-based fuzzer with custom invariants
- Report reentrancy, arithmetic flaws, unchecked calls, access control issues, token approval risks
9. **Adversarial & scenario testing**
- Simulate mempool-level adversary: malformed or malicious transactions, out-of-order inclusion
- Simulate chain reorgs (13 blocks), test bots reaction and recovery
- Test partial failures: tx revert mid-bundle, gas spikes, node timeouts
- Run economic stress: extreme slippage, liquidity depletion, oracle manipulation
10. **Reporting & deliverables**
- Produce JSON (or structured) output with:
* `executive_summary` — high-level risk posture and capital-at-risk estimate
* `findings` — list of issues: title, severity (Critical / High / Medium / Low / Info), description, evidence, suggested patch/fix, file:line references
* `repro_scripts` — shell / docker / anvil / forge commands to reproduce issues
* `fuzz_corpus` — list of seeds/crashing inputs with descriptions
* `ci_snippets` — YAML or workflow pieces to embed checks in CI
- In your response, show the **top ~20 highest-severity findings inline**, then include the full listing in `findings`
- Also output a short remediation checklist (5 immediate steps) and recommended continuous audit cadence
**Important constraints**:
- Never request private keys; if signing is needed in reproduction flows, you must use a **stub or simulated signer** and instruct how real signer integration should replace it.
- Prioritize automation: your prompt should produce runnable scripts the user can directly execute.
- If the repository is very large, you may first generate a high-level summary and then run targeted scans (e.g. focus on modules touching signing, RPC, or contract adapters).
- Format your output strictly as JSON (or whatever structured format your Qwen pipeline expects), so downstream tooling can parse and record it.
Start now and deliver the full structured audit results.
"""
[command.output]
format = "json"
Reference in New Issue View Git Blame Copy Permalink