Crew: Smart Contract Analysis

[whoabuddy]

AIBTCdev Bounty

Enhance blockchain security and trust by thoroughly analyzing smart contracts using specialized agents. This bounty incentivizes identifying vulnerabilities and ensuring best practices, promoting a secure and innovative decentralized ecosystem.

Prize

$2,000 in BTC

Criteria

Agents

Below are some ideas that we'd like to see implemented, however modifications to their prompts and/or additional agents and roles are welcome!

Agent 1

• Role: Contract Retriever
• Goal: Retrieve and save the source code of the smart contract
• Backstory: You are an expert in blockchain technology and smart contract retrieval.
• Tools: [get_contract]

Agent 2

• Role: Contract Summarizer
• Goal: Provide a comprehensive summary of the smart contract's purpose
• Backstory: You are a blockchain analyst with expertise in understanding smart contract functionality in the Clarity language on the Stacks blockchain.
• Tools: []

Agent 3

• Role: Function Analyzer
• Goal: Identify and summarize all functions in the smart contract
• Backstory: You are a smart contract developer with deep knowledge of function analysis in the Clarity language on the Stacks blockchain.
• Tools: []

Agent 4

• Role: Diagram Creator
• Goal: Create mermaidjs diagrams for contract control flow
• Backstory: You are a visualization expert specializing in creating clear and informative diagrams of smart contract structures in the Clarity language on the Stacks blockchain.
• Tools: []

Agent 5

• Role: Updateability Analyzer
• Goal: Assess if any parts of the contract can be updated and by whom
• Backstory: You are a smart contract auditor with expertise in contract governance and upgrade mechanisms in the Clarity language on the Stacks blockchain.
• Tools: []

Agent 6

• Role: Security Analyzer
• Goal: Identify and explain potential security vulnerabilities in the contract
• Backstory: You are a blockchain security expert with a keen eye for detecting potential vulnerabilities in smart contracts in the Clarity language on the Stacks blockchain.
• Tools: []

Agent 7

• Role: Report Compiler
• Goal: Compile all analyses into a comprehensive final report
• Backstory: You are a technical writer with expertise in creating clear and concise reports on complex blockchain topics in the Clarity language on the Stacks blockchain.
• Tools: []

Tasks

Same as the agents, these tasks represent the flow we'd like to see, but feel free to modify the description, expected output, and add more tasks as needed.

[!NOTE] Tasks can be passed to other tasks as dependencies, so that the result of a prior task is passed into the next one.

Task 1

• Description: Retrieve and save the source code of the smart contract
• Expected Output: A ContractInfo object containing the contract address, name, and source code
• Tools: [get_contract]
• Agent: Contract Retriever
• Context: None

Task 2

• Description: Provide a comprehensive summary of the smart contract's purpose
• Expected Output: A detailed paragraph explaining the main purpose and functionality of the contract
• Tools: []
• Agent: Contract Summarizer
• Context: Task 1

Task 3

• Description: Identify all public, private, and read-only functions, summarize them, and indicate if they move funds
• Expected Output: A list of FunctionInfo objects, each containing the function name, visibility, description, and whether it moves funds
• Tools: []
• Agent: Function Analyzer
• Context: Task 1, Task 2

Task 4

• Description: Create mermaidjs diagrams showing control flow within the contract and between contracts
• Expected Output: A string containing mermaidjs code for two diagrams: one showing internal control flow and another showing inter-contract interactions
• Tools: []
• Agent: Diagram Creator
• Context: Task 1, Task 3

Task 5

• Description: Assess if any parts of the contract can be updated and by whom
• Expected Output: A detailed explanation of which parts of the contract are upgradeable, if any, and who has the authority to make updates
• Tools: []
• Agent: Updateability Analyzer
• Context: Task 1, Task 2

Task 6

• Description: Identify and explain any potential security vulnerabilities in the contract
• Expected Output: A list of SecurityVulnerability objects, each containing a description of the vulnerability, potential exploit, and potential issues
• Tools: []
• Agent: Security Analyzer
• Context: Task 1, Task 3, Task 5

Task 7

• Description: Compile all analyses into a comprehensive final report
• Expected Output: An AnalysisReport object containing all the information gathered from previous tasks, formatted in a clear and organized manner
• Tools: []
• Agent: Report Compiler
• Context: Task 2, Task 3, Task 4, Task 5, Task 6

Execution Loop

The execution loop is sequential as we expect the agents to complete all of the tasks, then provide a finalized report.

• Execution Process: sequential
• Details: This is expected to be an end-to-end comprehensive run, completed once then saved.

Additional Information

The final output would be great in markdown, if we provide a template to the final writer they can fill it in based on the other agent's outputs.

Example prompt for the report compiler:

Using the provided markdown template, compile a comprehensive report of the smart contract analysis. Fill in the placeholders with the corresponding information from the previous tasks. Ensure that all sections are completed with the relevant details from each analysis step. If any section lacks information, indicate that the analysis for that part was inconclusive or not performed.

Example markdown for the final report:

# Smart Contract Analysis Report

Contract Address: {CONTRACT_ADDRESS.CONTRACT_NAME}

## Summary

{SUMMARY_RESULT}

## Function Analysis

{FUNCTION_ANALYSIS_RESULT}

## Diagrams

{DIAGRAM_RESULT}

## Updateability

{UPDATEABILITY_RESULT}

## Security Vulnerabilities

{SECURITY_VULNERABILITIES_RESULT}

The final agent's report should be saved to a markdown file.

If the context window gets too large during the process tasks can be further broken down into smaller pieces.

[whoabuddy]

hey, how do i provide poc?

We're going to cover the new bounty in the meeting today - general process is first to submit a working PR gets the bounty, and we demo the result in the next weekly meeting.

Would you be available to join us?

[biwasbhandari]

How do i Submit the code?

[whoabuddy]

How do i Submit the code?

My original intent was to have anyone completing it take our code and send a PR with the updates, but I don't think I spelled that out in the issue.