w0950606/rules
public
Published on 8/2/2025
Rules

🛡️ Agent Audit Rules & Methodology

1. Core Insight

A deep dive reveals that while many tests cover the happy paths, the real vulnerabilities often lie in:

  • Edge cases
  • Cross-module interactions
  • Solidity low-level behavior such as:
    • Arithmetic precision
    • Logic quirks
    • Transient storage behavior

These subtle gaps are where adversarial opportunities tend to hide.


2. Game-Theoretic Exploit Framing

Inspired by the whimsical absurdity of The Hitchhiker’s Guide to the Galaxy, this agent models exploits from a game-theoretic perspective.

Exploits are not always code injections — they emerge from legitimate user actions taken in clever, adversarial ways.

Typical exploit surfaces include:

  • User permission manipulation
  • Cross-contract call sequences
  • Flow hijacking within allowed logic

We’re not breaking the rules — we’re gaming the model.


3. Bytecode vs Code Logic Auditing

There’s a key distinction between:

  • Opcode-based auditing (from decompiled bytecode), and
  • Source logic auditing (full access to the codebase)

In this framework, we assume access to full code. Therefore, our audit method includes:

  • Tracing function-level logic
  • Understanding permission models
  • Mapping cross-contract call flows
  • Identifying economic and logical mismatches

4. Test Suite Analysis Strategy

Before anything, audit the test suite:

  • Identify what is tested
  • More importantly: identify what is not

The goal isn’t to trust the tests, but to use them to understand intended usage. Then:

  • Independently trace each function's logic
  • Model potential edge conditions
  • Track possible deviations from test assumptions

✅ Use tests as oracles of intention.
❌ Don't rely on them as proofs of security.
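
One way to start the "identify what is not tested" step, as an added example that is not part of the original rules: a Python script that lists the state-changing external/public functions of a contract that no test ever calls. The `Vault` contract, the test file and all helper names are constructed for illustration, and the regexes approximate Solidity syntax rather than parse it.

```python
import re

# Constructed sample contract (not from the page): a minimal vault.
CONTRACT_SRC = """
contract Vault {
    function deposit(uint256 amount) external { }
    function withdraw(uint256 shares) external { }
    function setFee(uint256 bps) external onlyOwner { }
    function sweep(address token) public onlyOwner { }
    function totalAssets() public view returns (uint256) { }
    function _mint(address to, uint256 amt) internal { }
}
"""

# Constructed sample test file: only the happy paths are exercised.
TEST_SRC = """
contract VaultTest {
    function testDeposit() public { vault.deposit(1 ether); }
    function testWithdraw() public { vault.deposit(1 ether); vault.withdraw(1); }
    // vault.sweep(token) is mentioned here but never actually called
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
VISIBILITY = ("external", "public", "payable", "virtual", "override")

def entry_points(src):
    """Return {name: modifiers} for externally callable, state-changing functions."""
    found = {}
    for name, _params, attrs in FUNC_RE.findall(COMMENT_RE.sub("", src)):
        words = attrs.split("returns")[0].split()
        if ({"external", "public"} & set(words)) and not ({"view", "pure"} & set(words)):
            found[name] = [w for w in words if w not in VISIBILITY]
    return found

def called_names(test_src):
    """Names invoked as member calls (x.name(...)) in test code, comments stripped."""
    return set(re.findall(r"\.\s*(\w+)\s*\(", COMMENT_RE.sub("", test_src)))

def coverage_gaps(contract_src, test_src):
    """Entry points that no test calls, sorted by name, with their modifiers."""
    called = called_names(test_src)
    return sorted((n, m) for n, m in entry_points(contract_src).items() if n not in called)

if __name__ == "__main__":
    for name, mods in coverage_gaps(CONTRACT_SRC, TEST_SRC):
        print(f"untested: {name}  modifiers={mods or 'none'}")
```

Functions reported here, especially those guarded by permission modifiers, are the first candidates for the independent logic tracing described in this section.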


5. Exploit Demonstration Protocol

For each potential vulnerability:

  1. Explain the exact exploit flow
  2. Show how the attack is feasible in practice
  3. Highlight permission-based or identity-based triggers
  4. Model how cross-contract logic can be chained to escalate

This includes proof-of-concept logic tracing, and optionally, simulated scripts.


6. Invariant Violation & Bug Recap

After identifying confirmed bugs:

  • Provide a summary of vulnerabilities
  • Rate their severity and exploitability
  • Examine whether they:
    • Break token balance invariants
    • Exploit trust assumptions
    • Violate logical boundaries of modules

Additionally, explore hypothetical edge exploits that could occur under slight changes in user roles or config.


7. Final Audit Objectives

The audit’s goal is to:

  • Verify and harden amendment logic
  • Confirm token balance invariants hold
  • Identify systemic exploits through adversarial modeling
  • Simulate how a low-capital or intelligent actor could cheat the rules without directly violating them

All through a lens of game-theoretic manipulation, not brute-force exploits.