Expand solidity-auditor coverage and attack vectors#24

Open
darkty0x wants to merge 20 commits into pashov:main from darkty0x:main

Conversation

@darkty0x darkty0x commented Apr 1, 2026

Pull Request

Type of Change

  • Improvement to an existing skill
  • Bug fix
  • Documentation update
  • Other (describe below)

Summary

This PR expands the solidity-auditor skill to improve both bug discovery and exploit validation for protocol security reviews. It adds broader attack-vector coverage and strengthens the guidance for classifying findings as code-level, privileged-only, or truly live and attacker-profitable.

Changes

  • expanded solidity-auditor discovery guidance in SKILL.md
  • strengthened validation and judging rules in judging.md
  • added explicit checks for:
    • large-capital / flashloan / threshold-trigger scenarios
    • weird-path and assumption-inversion analysis
    • helper-contract and indirect value-flow review
    • EIP-7702 / delegated-EOA bypass considerations
    • fork-lineage / inherited issue-class review
    • empty-market / empty-pool / first-depositor attacks
    • Morpho / MetaMorpho-specific issue families
  • imported missing upstream attack vectors into attack-vectors.md

Testing

Describe how you tested the skill. Paste a representative input/output pair:

Input:

run the solidity auditor with all the different agents possible on *specified files*

Output:

**Zoo Finance Audit**

**Findings**

1. `[97]` **Custom `VTSwapHook` pricing is profitably exploitable via repeated alternating swaps**
   
   In [VTSwapHookHelper.sol#L291](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHookHelper.sol#L291) and [VTSwapHookHelper.sol#L330](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHookHelper.sol#L330), execution price for a nonlinear `ln()` curve is approximated with `(price_before + price_after) / 2`. Then [VTSwapHookHelper.sol#L251](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHookHelper.sol#L251) prices output from `amountAfterFee`, while [VTSwapHook.sol#L191](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHook.sol#L191) to [VTSwapHook.sol#L213](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHook.sol#L213) update reserves using gross `specifiedAmount`. That creates a directional pricing bias plus virtual reserve inflation, so repeated `T -> VT -> T` or `VT -> T -> VT` loops can extract value from the pool.

   This is the primary critical path:
   - [VTSwapHook.sol](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHook.sol)
   - [VTSwapHookHelper.sol](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHookHelper.sol)

2. `[91]` **A full final-day zero-burn redemption window exists in Aethir / 0G / 0G Main vaults**
   
   The oracle returns remaining rewards in whole days:
   - [AethiraVTOracle.sol#L18](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/aethir/AethiraVTOracle.sol#L18)
   - [ZeroGaVTOracle.sol#L18](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0g/ZeroGaVTOracle.sol#L18)

   During the last 24 hours before the configured end time, `remainingDays` becomes `0`, so `aVT()` returns `0` before rewards actually end. Redeem paths then skip the burn check when `vtBurnAmount == 0`:
   - [LntVaultAethirUpgV3.sol#L234](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/aethir/LntVaultAethirUpgV3.sol#L234)
   - [LntVault0GUpg.sol#L247](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0g/LntVault0GUpg.sol#L247)

   So users can mint VT earlier, then redeem the backing NFT for free during the final day.

3. `[88]` **0G Arb trial vaults let one depositor redeem another depositor’s NFT**
   
   In both trial vaults, deposit rights are tracked per user, but redemption pulls from a shared global LIFO queue:
   - [LntVault0GArbTrialUpg.sol#L103](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0garb/trial/LntVault0GArbTrialUpg.sol#L103)
   - [LntVault0GArbTrialUpg.sol#L115](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0garb/trial/LntVault0GArbTrialUpg.sol#L115)
   - [LntVault0GArbTrialUpgV2.sol#L98](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0garb/trial/LntVault0GArbTrialUpgV2.sol#L98)
   - [LntVault0GArbTrialUpgV2.sol#L114](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/0garb/trial/LntVault0GArbTrialUpgV2.sol#L114)

   An attacker can sandwich a victim’s deposit with their own cheap NFTs and redeem the victim’s later NFT.

**Leads**

- User-triggered auto-buyback in older Aethir/0G vaults quotes from the same manipulable hook it trades against, and one reverse leg uses zero slippage:
  - [LntVaultAethirUpgV2.sol#L243](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/aethir/LntVaultAethirUpgV2.sol#L243)
  - [LntVaultAethirUpgV2.sol#L293](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/thirdparty/aethir/LntVaultAethirUpgV2.sol#L293)
  - [LntMarket.sol#L125](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/LntMarket.sol#L125)

**Conclusion**

This codebase is not safe. The main issue is the market layer itself: [VTSwapHook.sol](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHook.sol) and [VTSwapHookHelper.sol](/Users/dell/Downloads/BB/bb-contract-analyzer/zoo-lnt-vault-public-main/src/market/VTSwapHookHelper.sol) contain a directly profitable pricing flaw. The vault adapters then add separate redeem/accounting bugs on top.

Checklist

  • No API keys, tokens, or sensitive data included
  • No fabricated examples — outputs must reflect real model responses
  • Skill works with Claude Code CLI, VS Code, and Cursor
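The whole-day rounding and zero-burn skip described in finding 2 above, as an added stand-alone illustration of that issue class; this is not code from the PR or the audited repository, and every name in it (`endTime`, `rewardsPerDay`, the `aVT*` and `canRedeem*` functions) is an assumption chosen for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the finding-2 issue class; hypothetical contract, not the Zoo vaults.
// Names below are assumptions. Timestamps are passed in as parameters so the behaviour
// can be reasoned about without manipulating block.timestamp.
contract FinalDayQuoteExample {
    uint256 public immutable endTime;        // timestamp at which rewards stop accruing
    uint256 public immutable rewardsPerDay;  // VT owed per remaining day for one NFT

    constructor(uint256 endTime_, uint256 rewardsPerDay_) {
        endTime = endTime_;
        rewardsPerDay = rewardsPerDay_;
    }

    // Vulnerable quote: integer division floors the remaining time to whole days,
    // so during the final 24h window remainingDays == 0 and the quote is 0 early.
    function aVTFloor(uint256 nowTs) public view returns (uint256) {
        if (nowTs >= endTime) return 0;
        uint256 remainingDays = (endTime - nowTs) / 1 days;
        return remainingDays * rewardsPerDay;
    }

    // Hardened quote: round the partial day up, so the quote only reaches 0 at endTime.
    function aVTCeil(uint256 nowTs) public view returns (uint256) {
        if (nowTs >= endTime) return 0;
        uint256 remainingDays = (endTime - nowTs + 1 days - 1) / 1 days;
        return remainingDays * rewardsPerDay;
    }

    // Vulnerable redeem guard: the burn check is skipped entirely whenever the quote is 0,
    // which is exactly the state the floored quote produces on the final day.
    function canRedeemVulnerable(uint256 nowTs, uint256 vtBalance) external view returns (bool) {
        uint256 vtBurnAmount = aVTFloor(nowTs);
        if (vtBurnAmount == 0) return true;          // free redemption path
        return vtBalance >= vtBurnAmount;
    }

    // Hardened redeem guard: a zero burn is only acceptable once rewards have really ended;
    // before that, the rounded-up quote must be covered by the caller's VT balance.
    function canRedeemHardened(uint256 nowTs, uint256 vtBalance) external view returns (bool) {
        uint256 vtBurnAmount = aVTCeil(nowTs);
        if (vtBurnAmount == 0) return nowTs >= endTime;
        return vtBalance >= vtBurnAmount;
    }
}
```

With `endTime = 200 days` and `rewardsPerDay = 10`, `canRedeemVulnerable(199 days + 1 hours, 0)` returns true while `canRedeemHardened` with the same inputs returns false.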


darkty0x commented Apr 6, 2026

Audit [TARGET] with x-ray and solidity-auditor in deep exploit-hunting mode.

Requirements:

  • Use all relevant sub-agents.
  • Automatically expand scope from the starting target to all contracts and dependencies on value-moving, accounting, pricing, settlement, reward, mint, burn, withdraw, liquidation, and sync paths.
  • Do full dependency closure. Do not stop at wrappers, proxies, selector-only calls, or unresolved external contracts.
  • Prioritize public profitable exploit chains over privileged-only findings.
  • Reconstruct exploit paths end-to-end and test unusual sequences, flash loans, helper contracts, cross-contract accounting mismatches, reserve desync, donation inflation, and mutable price paths.
  • Only mark coverage incomplete after attempting full scope expansion.
  • Output the final result strictly in solidity-auditor report format.

Additional strict requirements:

  • Do not finalize while any critical public value path is unresolved.
  • If a critical path is blocked by missing live artifacts or unresolved dependencies, ask me for what is missing before producing the final report.
  • Do not stop at a dangerous primitive; complete the full public exploit chain from trigger to profit or explicitly mark it blocked.
