web3-bug-classeslisted

Complete reference for all 10 DeFi smart contract bug classes. Use this when hunting for specific vulnerability types, need attack patterns for accounting desync, access control, incomplete path, off-by-one, oracle manipulation, ERC4626 vaults, reentrancy, flash loans, signature replay, or proxy/upgrade bugs.
Olaradiallysymmetrical491/web3-bug-bounty-hunting-ai-skills · ★ 0 · AI & Automation · score 72

Install: claude install-skill Olaradiallysymmetrical491/web3-bug-bounty-hunting-ai-skills

# BUG CLASSES — DeFi Smart Contract Vulnerabilities 10 bug classes. Each one with root cause, vulnerable code, fix, grep patterns, and real paid examples. --- ## 1. ACCOUNTING STATE DESYNCHRONIZATION > #1 Critical bug class — 28% of all Criticals on Immunefi. > Real protocols: Yeet, Alchemix V3, Folks Finance, ResupplyFi, MetaPool ### What It Is Two state variables are supposed to stay in sync. One code path updates variable A but forgets variable B. Later code reads both and makes decisions based on the stale B. ``` Real Value = A - B If A is updated but B isn't → Real Value appears larger than it is → phantom value ``` ### Root Cause Pattern ```solidity // BEFORE (correct state): // aToken.balanceOf(this) = 1000 (principal + yield) // totalSupply = 1000 (only principal) // yield = 1000 - 1000 = 0 ✓ correct // Attacker triggers startUnstake: totalSupply -= amount; // decremented BEFORE transfer // totalSupply = 900 now // aToken.balanceOf still = 1000 // yield appears = 1000 - 900 = 100 (PHANTOM) // Now harvest(): yieldAmount = aToken.balanceOf(this) - totalSupply; // = 1000 - 900 = 100 (phantom yield — no real yield was earned) // Protocol harvests 100 of principal and distributes as "yield" ``` ### Variants **Variant 1: Phantom Yield** — totalSupply decremented before transfer ```solidity // Yeet protocol (35 duplicate reports): function startUnstake(uint256 amount) external { totalSupply -= amount; // decremented here, transfer happe