Diablo_Rain/Diablo_ClaudeMD_Ricing_example
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
8b47d8e2b8
Diablo_ClaudeMD_Ricing_example/skills/entry-point-analyzer/references/solidity.md
diablo 50fa79407d
Some checks are pending
CI — CoM Config Validation / Validate JSON Configs (push) Waiting to run
Details
CI — CoM Config Validation / Validate YAML Configs (push) Waiting to run
Details
CI — CoM Config Validation / Lint Shell Scripts (push) Waiting to run
Details
CI — CoM Config Validation / Secret Detection (push) Waiting to run
Details
CI — CoM Config Validation / Lint Markdown (push) Waiting to run
Details
CI — CoM Config Validation / Validate CODEOWNERS (push) Waiting to run
Details
CoM Claude Command Center — sanitized public configuration 
Public, sanitized mirror of an AI orchestration command center: agents, skills,
MCP servers, slash-command workflows. All infrastructure identifiers, hostnames,
mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics
scrubbed to <placeholders>; session debug logs and host-specific memory removed.
No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md.

churchofmalware.org . authorized research only
2026-06-10 02:02:03 -04:00

5.0 KiB
Raw Blame History

Solidity Entry Point Detection

Entry Point Identification (State-Changing Only)

Include: State-Changing Functions

function name() external { }           // State-changing entry point
function name() external payable { }   // State-changing, receives ETH
function name() public { }             // State-changing entry point

Exclude: Read-Only Functions

function name() external view { }      // EXCLUDE - cannot modify state
function name() external pure { }      // EXCLUDE - no state access
function name() public view { }        // EXCLUDE - cannot modify state

Visibility and Mutability Matrix

Visibility Mutability Include? Notes
external (none) Yes State-changing entry point
external payable Yes State-changing, receives ETH
external view No Read-only, exclude
external pure No No state access, exclude
public (none) Yes State-changing entry point
public payable Yes State-changing, receives ETH
public view No Read-only, exclude
public pure No No state access, exclude
internal any No Not externally callable
private any No Not externally callable

Special Entry Points

  • receive() external payable — Receives plain ETH transfers
  • fallback() external — Catches unmatched function calls
  • constructor() — One-time initialization (not recurring entry point)

Access Control Patterns

OpenZeppelin Patterns

// Ownable
modifier onlyOwner() { require(msg.sender == owner); }

// AccessControl
modifier onlyRole(bytes32 role) { require(hasRole(role, msg.sender)); }

// Common role constants
bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

Common Modifier Names → Role Classification

Modifier Pattern Classification
onlyOwner Admin/Owner
onlyAdmin Admin
onlyRole(ADMIN_ROLE) Admin
onlyRole(GOVERNANCE_ROLE) Governance
onlyGovernance Governance
onlyGuardian Guardian
onlyPauser, whenNotPaused Guardian/Pauser
onlyMinter Minter
onlyOperator Operator
onlyKeeper Keeper
onlyRelayer Relayer
onlyStrategy, onlyStrategist Strategist
onlyVault Contract-Only

Inline Access Control (Flag for Review)

require(msg.sender == someAddress, "...");      // Check who someAddress is
require(authorized[msg.sender], "...");         // Dynamic authorization
require(whitelist[msg.sender], "...");          // Whitelist pattern
if (msg.sender != admin) revert();              // Inline admin check

Contract-Only Detection

Callback Functions

// ERC token callbacks
function onERC721Received(...) external returns (bytes4)
function onERC1155Received(...) external returns (bytes4)
function onERC1155BatchReceived(...) external returns (bytes4)

// DeFi callbacks
function uniswapV3SwapCallback(...) external
function uniswapV3MintCallback(...) external
function pancakeV3SwapCallback(...) external
function algebraSwapCallback(...) external

// Flash loan callbacks
function onFlashLoan(...) external returns (bytes32)
function executeOperation(...) external returns (bool)  // Aave
function receiveFlashLoan(...) external                 // Balancer

Contract-Caller Checks

require(msg.sender == address(pool), "...");    // Specific contract
require(msg.sender != tx.origin, "...");        // Must be contract
require(tx.origin != msg.sender);               // No EOA calls

Extraction Strategy

  1. Parse all .sol files
  2. For each contract/interface/abstract:
    • Extract external and public functions
    • Skip functions with view or pure modifiers
    • Record function signature: name(paramTypes)
    • Record line number
    • Extract all modifiers applied
  3. Classify by modifiers:
    • No access modifiers → Public (Unrestricted)
    • Known role modifier → Appropriate role category
    • Inline require(msg.sender...) → Review Required
    • Callback pattern → Contract-Only

Inheritance Considerations

  • Check parent contracts for modifier definitions
  • A function may inherit access control from overridden function
  • Abstract contracts may define modifiers used by children
  • Interfaces define signatures but not access control

Common Gotchas

  1. Initializers: initialize() often has initializer modifier but may be unrestricted on first call
  2. Proxies: Implementation contracts may have different access patterns than proxies
  3. Upgrades: upgradeTo(), upgradeToAndCall() are high-privilege
  4. Multicall: multicall(bytes[]) allows batching—check what it can call
  5. Permit: permit() functions enable gasless approvals—check EIP-2612 compliance