[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-110":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":14,"stars30d":15,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":16,"rankGlobal":9,"rankLanguage":9,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":18,"hasPages":18,"topics":20,"createdAt":9,"pushedAt":9,"updatedAt":21,"readmeContent":22,"aiSummary":23,"trendingCount":14,"starSnapshotCount":14,"syncStatus":24,"lastSyncTime":25,"discoverSource":26},110,"solidity-cot-auditor","butthtio\u002Fsolidity-cot-auditor","butthtio","Multi-role chain-of-thought LLM pipeline for Solidity security auditing, layered on top of Slither output.",null,"Python",496,312,8,0,76,55.09,"Other",false,"main",[],"2026-06-11 04:00:17","\u003Cdiv align=\"center\">\n\n# solidity-cot-auditor\n\n**Multi-role chain-of-thought LLM pipeline for Solidity security auditing**\n\n[![Python 3.10+](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.10+-blue.svg?style=for-the-badge)](https:\u002F\u002Fpython.org)\n[![License: Apache 2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache_2.0-orange.svg?style=for-the-badge)](LICENSE)\n[![Slither](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpowered_by-Slither-purple?style=for-the-badge)](https:\u002F\u002Fgithub.com\u002Fcrytic\u002Fslither)\n\n[Install](#install) · [Quick Start](#quick-start) · [How It Works](#how-it-works) · [Configuration](#configuration) · [Results](#results)\n\n\u003C\u002Fdiv>\n\n---\n\nStatic analyzers like Slither are fast and reliable, but their output is terse. A finding like `reentrancy-eth` tells you *what* fired, not *why it matters in this specific contract*, *how an attacker would exploit it*, or *what the minimal fix looks like*. 
This tool fills that gap.\n\n`solidity-cot-auditor` takes Slither's JSON output and runs each finding through a four-role LLM chain:\n\n```\nSlither finding\n    │\n    ▼\n[Explainer]  — technical explanation + true\u002Ffalse positive verdict\n    │\n    ▼\n[ExploitWriter]  — minimal PoC sketch (for defenders)\n    │\n    ▼\n[Fixer]  — unified diff of the minimal fix\n    │\n    ▼\n[Judge]  — quality score + flags logical errors in the chain\n    │\n    ▼\nMarkdown + JSON report\n```\n\nEach role is a separate LLM call with a focused system prompt. The chain-of-thought is preserved in the output so you can inspect each step.\n\n## Install\n\n```bash\npip install -e \".[dev]\"\n# slither is a separate install (requires solc)\npip install slither-analyzer\n```\n\n## Quick Start\n\n**Audit a .sol file directly:**\n\n```bash\nexport OPENAI_API_KEY=sk-...\nsolidity-cot audit .\u002Fcontracts\u002FMyToken.sol --output reports\u002F\n```\n\n**Audit from a saved Slither JSON (useful in CI):**\n\n```bash\nslither MyToken.sol --json slither_out.json\nsolidity-cot audit-json slither_out.json --project MyToken --source-root .\u002Fcontracts\n```\n\n**Try it on the included example:**\n\n```bash\nsolidity-cot audit examples\u002Fcontracts\u002FSimpleBank.sol --skip-judge\n```\n\n## How It Works\n\n### Role separation\n\nEach role has a narrow, well-defined job. This matters because:\n\n- A single \"audit everything\" prompt hallucinates more and produces generic output.\n- Separating roles lets you swap or skip stages (e.g., skip exploit writing for informational findings).\n- The Judge role catches when earlier roles contradict themselves or miss the point.\n\n### Contested-weighted filtering\n\nFindings are filtered by severity before entering the chain. The default is `--min-severity medium`. Informational findings (pragma version, naming conventions) are skipped unless you explicitly lower the threshold.\n\n### LLM compatibility\n\nAny OpenAI-compatible endpoint works. 
Point at a local vLLM server, Together AI, or Fireworks:\n\n```bash\nexport LLM_BASE_URL=http:\u002F\u002Flocalhost:8000\u002Fv1\nexport LLM_MODEL=meta-llama\u002FLlama-3-70b-instruct\nexport LLM_API_KEY=dummy\nsolidity-cot audit MyContract.sol\n```\n\nAnthropic Claude is also supported directly:\n\n```bash\nexport LLM_PROVIDER=anthropic\nexport LLM_BASE_URL=https:\u002F\u002Fapi.anthropic.com\nexport LLM_MODEL=claude-sonnet-4-6\nexport ANTHROPIC_API_KEY=sk-ant-...\nsolidity-cot audit MyContract.sol\n```\n\n## Configuration\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--min-severity` | `medium` | Skip findings below this level |\n| `--max-findings` | `20` | Cap findings sent to the LLM chain |\n| `--skip-exploit` | off | Skip the ExploitWriter role |\n| `--skip-fix` | off | Skip the Fixer role |\n| `--skip-judge` | off | Skip the Judge quality check |\n| `--slither-args` | `\"\"` | Extra args forwarded to slither |\n\n## Results\n\nOn `SimpleBank.sol` (textbook reentrancy):\n\n| Finding | Severity | Verdict | Judge |\n|---------|----------|---------|------:|\n| reentrancy-eth in `withdraw` | High | TRUE_POSITIVE | 4\u002F5 |\n\nThe Fixer correctly identifies the Checks-Effects-Interactions fix and produces a minimal diff. The Judge flags no logical errors.\n\n\u003Cdetails>\n\u003Csummary>Sample output snippet\u003C\u002Fsummary>\n\n```\n### Explanation\nThe `withdraw` function performs an external call (`msg.sender.call{value: amount}`) before\nupdating `balances[msg.sender]`. An attacker contract can re-enter `withdraw` in its fallback\nfunction, draining the contract before the balance is decremented.\n\nVerdict: TRUE_POSITIVE\n\n### Exploit sketch\nAttacker deploys a contract with a fallback that calls `withdraw()` again. 
On first entry,\nbalance check passes; on re-entry, balance is still non-zero (not yet decremented).\n\n### Suggested fix\nMove the state update before the external call (Checks-Effects-Interactions pattern):\n```diff\n-        (bool ok, ) = msg.sender.call{value: amount}(\"\");\n-        require(ok, \"transfer failed\");\n-        balances[msg.sender] -= amount;\n+        balances[msg.sender] -= amount;\n+        (bool ok, ) = msg.sender.call{value: amount}(\"\");\n+        require(ok, \"transfer failed\");\n```\n```\n\n\u003C\u002Fdetails>\n\n## Roadmap\n\n- [x] Slither JSON parser\n- [x] Four-role CoT chain (Explainer → Exploit → Fixer → Judge)\n- [x] Markdown + JSON report output\n- [x] OpenAI-compatible endpoint support\n- [ ] Mythril integration (dynamic analysis findings)\n- [ ] Batch mode: audit entire Foundry project\n- [ ] GitHub Actions workflow template\n- [ ] Fine-tuned model support (SFT on DeFi exploit dataset)\n\n## Running Tests\n\n```bash\npytest\n```\n\nTests use a fake LLM client — no API key needed.\n\n## License\n\nApache 2.0\n","solidity-cot-auditor is a multi-role chain-of-thought LLM pipeline built on top of Slither output for Solidity security auditing. The project passes Slither's JSON output through an LLM chain of four roles (Explainer, Exploit Writer, Fixer and Judge) to produce a detailed audit report; each role handles one specific task, such as the technical explanation, writing a minimal exploit sketch, proposing a minimal fix and quality scoring, so that it delivers deeper security insight than a static analysis tool alone. It suits scenarios that call for a thorough security assessment of smart contracts, especially when developers want to understand the concrete impact of a potential vulnerability, how it would be attacked, and how to fix it effectively.",2,"2026-05-06 17:18:47","CREATED_QUERY"]