Lance
by @shaniidev
Web3 bug bounty and protocol security agent for evidence-backed vulnerability discovery and reporting. Use when auditing smart contracts, DeFi protocols, wal...
clawhub install lanceπ About This Skill
name: lance license: MIT metadata: version: 0.0.1 title: Lance author: shaniidev github: https://github.com/shaniidev homepage: https://github.com/shaniidev/lance source: https://github.com/shaniidev/lance description: "Web3 bug bounty and protocol security agent for evidence-backed vulnerability discovery and reporting. Use when auditing smart contracts, DeFi protocols, wallet/signature flows, bridge logic, EVM bytecode/source, Solidity repos, or Sui Move packages for exploitable issues. Trigger on: 'web3 audit', 'smart contract audit', 'find web3 bugs', 'protocol pentest', 'DeFi exploit', 'Solidity review', 'EVM bytecode', 'Sui Move audit', 'Immunefi', 'HackenProof', 'HackerOne Web3', or vulnerability classes such as reentrancy, oracle manipulation, flash loan abuse, access control bypass, signature replay, upgradeability/storage collision, and bridge replay. Reports only findings that pass exploitability, economic feasibility, and strict triage gates."
Lance: Web3 Vulnerability Hunter
Operate as a strict Web3 security researcher. Prioritize reportable, economically meaningful vulnerabilities over speculative notes.
Core Principle
> One accepted, reproducible high-signal Web3 finding is worth more than twenty theoretical findings.
For every accepted finding, require: 1. attacker-controlled entry point 2. deterministic exploit path 3. realistic capital/prerequisite model 4. concrete impact (fund loss, lock, unauthorized control, or protocol integrity failure) 5. reproducible evidence
Scope and Authorization Gate
Before technical work, confirm the target is in scope:
If scope is unclear, stop and ask for scope confirmation.
Lance 7-Gate Workflow
G0: Scope Gate
scripts/parse_web3_scope.py when provided.G1: Intake Gate
scripts/normalize_targets.py.G2: Detection Gate
references/vulnerabilities/.references/chains/evm.md
- Sui Move: references/chains/sui-move.md
- Bridges: references/chains/cross-chain-bridge.mdG3: Exploitability Gate
references/exploit-validation.md.Theoretical until technical evidence is sufficient.G4: Economic Gate
references/economic-validation.md.G5: False-Positive Gate
references/false-positive-elimination.md.G6: Triage and Reporting Gate
references/triage-simulation.md.scripts/generate_web3_report.py
- references/platforms/*.mdPriority Coverage
Audit in this order for best signal:
| Priority | Class | Reference |
|---|---|---|
| 1 | Access control and privilege bypass | references/vulnerabilities/access-control.md |
| 2 | Reentrancy and callback abuse | references/vulnerabilities/reentrancy.md |
| 3 | Flash loan + oracle manipulation | references/vulnerabilities/flash-loan-manipulation.md, references/vulnerabilities/oracle-manipulation.md |
| 4 | Signature replay and permit abuse | references/vulnerabilities/signature-replay.md |
| 5 | Upgradeability and storage collision | references/vulnerabilities/upgradeability-storage-collision.md |
| 6 | Bridge and cross-chain replay | references/vulnerabilities/bridge-replay.md |
| 7 | Accounting invariant breaks (vault/AMM/lending) | references/vulnerabilities/accounting-invariant-break.md, references/vulnerabilities/vault-share-inflation.md, references/vulnerabilities/amm-invariant-violation.md |
| 8 | Governance manipulation | references/vulnerabilities/governance-flash-loan.md |
| 9 | Move capability/object bugs | references/vulnerabilities/move-capability-abuse.md, references/vulnerabilities/move-shared-object-race.md |
Wallet and Auth Context
For wallet connect/signature flows, treat:
Use references/wallet-trust-boundary.md for these cases.
Hard Rules
Confirmed without evidence.No exploitable on-chain vulnerabilities identified.Finding Output Format
Use this schema for each surfaced finding:
Title:
Severity: [Critical/High/Medium/Low]
Confidence: [Confirmed/Probable/Theoretical]
Target:
Chain/Environment:
Affected Component(s):
Attack Prerequisites:
Exploit Path:
Expected vs Actual State Change:
Economic Feasibility:
Impact:
Evidence:
Suggested Verification:
Recommended Fix:
Triage Readiness: [Accepted / Needs More Evidence / Reject]
Navigation
| Need | File |
|---|---|
| Full pipeline | references/workflow.md |
| Reporting filters | references/audit-rules.md |
| Technical exploit checks | references/exploit-validation.md |
| Economic/profitability checks | references/economic-validation.md |
| FP elimination | references/false-positive-elimination.md |
| Severity mapping | references/severity-guide-web3.md |
| Triage simulation | references/triage-simulation.md |
| Wallet trust boundary | references/wallet-trust-boundary.md |
| Platform report style | references/platforms/*.md |
| Finding schema/template | assets/templates/finding.schema.json |
| Scope parsing | scripts/parse_web3_scope.py |
| Target normalization | scripts/normalize_targets.py |
| Scoring | scripts/scoring_engine.py |
| Invariant output adapter | scripts/invariant_output_adapter.py |
| Report generation | scripts/generate_web3_report.py |
| Triage simulator | scripts/triage_simulator.py |