Loccturno/audit-patterns-notes
# Audit Patterns Notes
A growing knowledge base of smart contract security patterns, observed
through hands-on exploit reconstruction, audit report walkthroughs, and
hack post-mortem analysis.
Each entry follows the structure:
- **Bug** — what the code does wrong, in one sentence
- **Trigger** — how the attacker exploits it
- **Fix** — specific, actionable mitigation
- **Pattern family** — where it sits in the broader taxonomy
- **Related** — cross-references to prior entries or real-world incidents
- **Severity drivers** — impact × likelihood reasoning
- **Bonus insight** — defense-in-depth observations, or the auditor habit the pattern should trigger
## Why this exists
Smart contract auditing is pattern recognition. The same families of bugs
recur across protocols, eras, and chains: the single-function reentrancy that
drained The DAO in 2016 and the reentrancy that drained several Curve pools in
2023 (reachable because the `@nonreentrant` lock in the affected Vyper compiler
versions did not work) share the same root cause, an external call made before
the caller's state is updated, even though the entry points differ. Building a
personal, cross-referenced library compounds over time in a way that consuming
individual audit reports does not.
This repository is that library. It is updated as I encounter new patterns
through audit practice, hack analysis, and code-level exploit reproduction.
## Companion repositories
Entries in this repository cross-reference these working PoC implementations:
- [reentrancy-classic-vault](https://github.com/Loccturno/reentrancy-classic-vault) — Foundry PoC for DAO-era reentrancy + patched version
- [lending-protocol-audit](https://github.com/Loccturno/lending-protocol-audit) — Uncollateralized borrowing exploit with 10 Foundry tests
- [staking-rewards-exploit](https://github.com/Loccturno/staking-rewards-exploit) — First depositor dust attack (Cream Finance pattern)
- [zk-circuit-audits](https://github.com/Loccturno/zk-circuit-audits) — Circom circuit vulnerability patterns
## Reading order
Entries are chronological by date of addition. For topical exploration,
search by hashtag at the end of each entry. Common tags:
`#access-control` `#reentrancy` `#oracle` `#governance` `#accounting`
`#arithmetic` `#flash-loan` `#social-engineering` `#bridge` `#defi`
`#supply-chain` `#initialization`
## Status
- **Detailed entries:** 8
- **Summary entries (expanding):** 12
- **Last updated:** May 26, 2026
## License
MIT — educational use, attribution appreciated.