aibtcdev · whoabuddy · Sep 25, 2024 · Sep 25, 2024 · Sep 25, 2024 · Sep 25, 2024
diff --git a/aibtc-v1/crews/smart_contract_analyzer_v2.py b/aibtc-v1/crews/smart_contract_analyzer_v2.py
@@ -10,13 +10,15 @@
 ### Clarity Hints
 
 - all Clarity code blocks should start with ```clarity
-- reentrancy is not possible at the language level, transactions are atomic
-- traits are a defined interface that can be implemented by contracts
+- transactions are atomic, state changes do not happen unless the contract succeeds
+- reentrancy is not possible at the language level
+- traits are a defined interface that can be implemented or used by contracts
 - `contract-caller` represents the principal that called the contract
 - `tx-sender` represents the principal that initiated the transaction and can be another contract
 - `as-contract` is used to switch calling context from user to contract
 - `contract-call?` is used to interact with other contracts
 - `try!`, `unwrap!`, `unwrap-err!` are used to handle control flow
+- built-in Clarity functions do not need to be reviewed by themselves
 """
 
 taskListFormat = """
@@ -129,6 +131,10 @@
 ### Edge Cases
 
 {{analysis of edge cases}}
+
+### Security Vulnerabilities
+
+{{analysis of security vulnerabilities}}
 """
 
 
@@ -143,9 +149,9 @@ def setup_agents(self, llm):
             goal="To retrieve the contract code for analysis.",
             backstory=dedent(
                 """
-                You are a contract retrieval agent with expertise in fetching contract code and functions for analysis.,
-                Your role is crucial in providing the necessary data for the audit team to perform their tasks effectively.,
-                You always use the fully qualified contract name (ADDRESS.CONTRACT_NAME) to ensure accurate retrieval.,
+                You are a contract retrieval agent with expertise in fetching contract code and functions for analysis.
+                Your role is crucial in providing the necessary data for the audit team to perform their tasks effectively.
+                You always use the fully qualified contract name (ADDRESS.CONTRACT_NAME) to ensure accurate retrieval.
                 """
             ),
             tools=[AgentTools.get_contract_source_code],
@@ -155,6 +161,25 @@ def setup_agents(self, llm):
         )
         self.add_agent(contract_retrieval_agent)
 
+        # contract sanitizer agent
+        # contract_sanitizer_agent = Agent(
+        #    role="Contract Sanitizer",
+        #    goal="To review the contract code and help reduce the size of the context for the contract without removing any pertinent information.",
+        #    backstory=dedent(
+        #        """
+        #        You are an expert in detecting a specific pattern within contracts where the contract calls it's own functions repeatedly.
+        #        For example, a contract that airdrops an FT or NFT to a list of users by calling it's own mint function.
+        #        If you detect this pattern, you will replace the all but the first and last contract call lines with a single comment indicating the change.
+        #        If you do not detect this pattern or are unsure, you return only the raw contract code without any modifications.
+        #        """
+        #    ),
+        #    tools=[],
+        #    verbose=True,
+        #    allow_delegation=False,
+        #    llm=llm,
+        # )
+        # self.add_agent(contract_sanitizer_agent)
+
         # contract analysis agent
         contract_analysis_agent = Agent(
             role="Contract Analysis Expert",
@@ -163,6 +188,9 @@ def setup_agents(self, llm):
                 f"""
                 You are a contract analysis agent with expertise in dissecting smart contract codebases and identifying potential risks. 
                 Your role is critical in assessing the security and functionality of the contracts under audit.
+                You are an expert in detecting a specific pattern within contracts where the contract calls it's own functions repeatedly.
+                Example 1: A contract that airdrops an FT or NFT to a list of users by calling it's own mint function.
+                Example 2: A contract that provides a long list of users to one of its own functions to perform an action.
                 {clarityHints}
                 """
             ),
@@ -178,9 +206,10 @@ def setup_agents(self, llm):
             role="Contract Report Writer",
             goal="To compile the findings from the contract analysis into a comprehensive audit report.",
             backstory=dedent(
-                """
+                f"""
                 You are a contract report writer with experience in summarizing complex technical information into clear and concise reports.,
                 Your role is essential in documenting the audit results and recommendations for the contract developers.,
+                {clarityHints}
                 """
             ),
             tools=[],
@@ -199,13 +228,29 @@ def setup_tasks(self, contract_identifier):
 
         # get the contract code
         get_contract_code = Task(
-            description=f"Retrieve the contract code for analysis. User Input: {contract_identifier}",
-            expected_output="The contract code for analysis in raw format with no modifications or additional output.",
+            description=dedent(
+                f"""
+                Retrieve the contract code for further analysis based on the provided user input using your tools: {contract_identifier}
+                If you detect a specific pattern within the contract where the contract calls its own functions repeatedly, you will sanitize the code.
+                If you sanitize the code, you will include a single comment indicating the change in place of the removed lines and preserve the first and last line for context.
+                If you do not detect this pattern or are unsure, you will return only the raw contract code without any modifications.
+                """
+            ),
+            expected_output="The contract code for further analysis in raw format with no additional output.",
             agent=self.agents[0],  # contract retrieval agent
             context=[],
         )
         self.add_task(get_contract_code)
 
+        # sanitize the contract code
+        # sanitize_contract_code = Task(
+        #    description="Sanitize the contract code to reduce the size of the context.",
+        #    expected_output="The contract code with the specific pattern removed or the raw contract code if the pattern is not detected.",
+        #    agent=self.agents[1],  # contract sanitizer agent
+        #    context=[get_contract_code],
+        # )
+        # self.add_task(sanitize_contract_code)
+
         # what is the general purpose of the contract
         general_concept = Task(
             description="Given the contract code, what is the general concept of the contract?",
@@ -627,6 +672,29 @@ def setup_tasks(self, contract_identifier):
         )
         self.add_task(review_edge_cases)
 
+        review_security_vulnerabilities = Task(
+            description=dedent(
+                f"""
+                Review the contract for potential security vulnerabilities and consider the following:
+                - does this contract have any potential unintended side effects?
+                - does this contract have a potential malicious outcome?
+                - does this contract have any vulnerabilities that could be exploited by a user?
+                - does this contract have any vulnerabilities that could be exploited by another contract?
+                """
+            ),
+            expected_output=dedent(
+                f"""
+                An analysis of security vulnerabilities with any reported issues and recommended fixes.
+                Do not include any new or modified contract code, only the analysis and recommendations.
+                This should follow the strict Markdown format defined below:
+                {taskReportFormat}
+                """
+            ),
+            agent=self.agents[1],  # contract analysis agent
+            context=[get_contract_code],
+        )
+        self.add_task(review_security_vulnerabilities)
+
         #
         # STAGE 4 - ASSEMBLE THE FINAL ANALYSIS
         #
@@ -676,6 +744,7 @@ def setup_tasks(self, contract_identifier):
                 review_input_validation,
                 review_pause_resume,
                 review_edge_cases,
+                review_security_vulnerabilities,
             ],
         )
         self.add_task(compile_review)
@@ -691,6 +760,8 @@ def setup_tasks(self, contract_identifier):
                 # Report for {contract_identifier}
                 {analysisFormat}
                 {reviewFormat}
+                ## Recommondation
+                {{is contract safe to interact with and use?}}
                 ## Additional Comments
                 """
             ),