# DeFi 安全事件调查技能
### 一种用于多阶段 DeFi 事件调查的 coding-agent 技能,可生成经过对抗性验证且基于链上数据的事件报告

LLM 生成的事件报告都有一个致命缺陷:**幻觉生成的链上数据**。
伪造的交易哈希、错误的损失数字、捏造的地址——所有这些都包裹在看起来可信的、充满自信的行文中。
该技能通过在区块链 RPC 节点上对每一项声明进行两次验证来解决此问题。
1. 一次由主调查 agent 在报告起草期间进行;
2. 另一次由独立的对抗性 agent 进行,该 agent 假设调查 agent 在撒谎。
## 工作流架构
```
flowchart LR
A["
Intel gatheringParallel extraction from N reference URLs"]
G["
Context enrichmentParallel autonomous web search when sources insufficient"]
B["
Schema draftMap intel into structured JSON schema"]
C["
On-chain verifyVerify every hash, address, and amount in parallel"]
D["
Report generationWrite results to JSON and validate format"]
E["
Adversarial validationRe-validate, assume all claims are false"]
F["
FinalizePresent report and await human confirmation"]
A --> G --> B --> C --> D --> E --> F
E -- fail --> D
style E fill:#f7c1c1,stroke:#A32D2D,color:#501313
style C fill:#C1F7F3,stroke:#2DA39D,color:#134C50
style G fill:#c1e1c1,stroke:#2D8A32,color:#135013
```
## 核心功能
- **结构化输出** — 一份结构严谨的事件报告不应是自由文本。报告为严格的 JSON 格式,符合包含必填字段、可扩展词汇表和枚举验证的正式 schema。每个 tx hash、地址和金额在报告最终确定前均经过链上验证。
- **并行 agent 委派** — 情报收集、上下文充实和链上验证作为独立的子 agent 运行,具有隔离的上下文,可防止主对话带来的偏差渗透。
- **自主来源充实** — 当用户提供的来源不足或不匹配时,agent 会使用从用户 prompt 和提供的 URL 中提取的关键词,自主通过网络(Browser、Search Engine)进行搜索。它会寻找审计报告、安全警报、攻击分析和事后分析报告。
- **对抗性验证** — 第二个独立的 agent 会从磁盘(而非内存)重新读取最终的 JSON,假设每一项声明都是错误的,对每个 tx hash / 地址 / 金额重新发起 RPC 调用,并按严重程度标记差异。如果裁定为 FAIL,pipeline 会循环返回以进行修复并重新运行。
- **可恢复的检查点** — 长时间运行的调查任务可能会遇到 token 限制、超时或中断。每个阶段都会将检查点 JSON 写入 `/tmp/defi-incident-
/`,捕获输入、输出和状态。从最后完成的阶段恢复。不会丢失工作成果,无需重新验证,也不浪费时间。
- **自我改进** — 每次完成的调查都会将特定案例中的陷阱补充到 `references/pitfalls/` 中。每个文件都记录了出现了什么问题、是如何检测到的以及应用的修复措施。未来的调查在开始前会阅读这些内容,从而避免重复犯错。真实调查中的一些常见陷阱已有记录,涵盖了幻觉生成的 tx hash、EIP-7702 账户类型混淆、截断的终端输出、API 速率限制等内容。
- **Human-in-the-loop** — 调查绝不应完全因为缺少 API key 而受阻。当该技能需要 API key 来获取外部资源时,如果在环境变量中找不到,它会要求用户提供。如果用户无法提供或不响应,它会自动回退到无密钥的替代解决方案。
## 安装说明
```
# 为所有 agent 全局安装
npx skills add DeFiHackLabs/defi-incident-investigation-skill --all -g
# 为特定 agent 安装
npx skills add DeFiHackLabs/defi-incident-investigation-skill --agent claude-code -g
npx skills add DeFiHackLabs/defi-incident-investigation-skill --agent opencode -g
npx skills add DeFiHackLabs/defi-incident-investigation-skill --agent codex -g
npx skills add DeFiHackLabs/defi-incident-investigation-skill --agent hermes-agent -g
# 列出可用 skills 而不安装
npx skills add DeFiHackLabs/defi-incident-investigation-skill -l
```
## 快速开始
示例案例:2026 年 6 月 Taiko Bridge SGX Enclave 密钥泄露
将 X.com 推文、安全警报、事后分析报告甚至原始 txhash 提供给 AI agent,然后让它们去处理。
```
Hey GLM 5.2,
Help me get a clear view of the attack against Taiko.xyz that occurred in June 2026.
Here are some references I just saw:
- https://x.com/taikoxyz/status/2068858818352865626
- https://x.com/taikoxyz/status/2068939060631003213
- https://x.com/taikoxyz/status/2071836286541774894
- https://x.com/Defi_Nerd_sec/status/2068897756446626258
- https://x.com/PeckShieldAlert/status/2068868035805638670
- https://x.com/Phalcon_xyz/status/2068924424238321854
- https://x.com/QuillAudits_AI/status/2069041275211530673
- https://www.quillaudits.com/blog/hack-analysis/taiko-leaked-sgx-enclave-key
- https://x.com/P3b7_/status/2069045986236695020
- https://x.com/GoPlusSecurity/status/2069092975867728139
- https://x.com/GoPlusZH/status/2069013778788999239
- https://x.com/BlockTempo/status/2068909505849766119
- https://x.com/MEXC_CST/status/2068896592053284972
- https://x.com/Arisk_io/status/2068869101725049115
- https://www.halborn.com/blog/post/explained-the-taiko-bridge-hack-june-2026
Some of these references might just be security alerts; I don't care.
I just want to get a clear picture about the attack.
```
如果调查过程被意外中断,你可以说诸如“Resume your work”之类的话来恢复未完成的任务。
```
I hit the LLM token quota limit.
Please continue from where you left off.
```
由 hermes-agent v0.17.0 提供的推理过程(仅供参考)
以下内容仅供说明。推理结果可能会因 LLM 模型或技能的更改而有所不同。
参见 [example/reasoning_process.md](example/reasoning_process.md)。
最终输出:
参见报告:[example/20260621-Taiko.json](example/20260621-Taiko.json)
```
All 7 phases complete. Here's the final summary.
============================================================
INVESTIGATION COMPLETE — Taiko Bridge SGX Exploit (June 2026)
============================================================
Report file: /tmp/defi-incident-Taiko-20260628/report.json
File size: ~13KB, schema-validated, all 19 required fields present
ADVERSARIAL VALIDATION VERDICT: PASS_WITH_NOTES
- 0 Critical discrepancies
- 0 High discrepancies
- 3 Medium discrepancies (all fixed)
- 21 on-chain verifications passed (4 txs + 5 addresses)
- All tx hashes confirmed: status=0x1 (SUCCESS), selectors match, block timestamps match
- All address accountTypes confirmed via eth_getCode at both latest and attack block
REPORT SUMMARY
Protocol: Taiko
Date: 2026-06-21
Category: key_compromise, bridge
Blockchain: ethereum
Ecosystem: evm
Language: solidity, rust
Estimated loss: ~$1,700,000
Attack timeline:
Setup phase: 2026-06-21 19:03:59 UTC (block 25367938)
Drain phase: 2026-06-21 22:07:23 – 22:28:11 UTC (blocks 25368853–25368955)
Root cause:
RSA-3072 private key (enclave-key.pem) used to sign all Taiko SGX enclaves
was committed to the public taikoxyz/raiko GitHub repository on a hotfix
branch. The attacker extracted it, derived MrSigner, confirmed it matched
the on-chain trustedUserMrSigner, and signed a malicious enclave.
Attack vector (6 steps):
1. Key extraction from public GitHub repo
2. Malicious enclave signed with leaked key
3. SgxVerifier.registerInstance() — 2 fake instances (IDs 5, 6) registered
4. SignalService.saveCheckpoint() — fake Taiko block 1805600 saved
5. Bridge.processMessage() x10 — 10 forged messages set to RETRIABLE
6. retryMessage()/processMessage() — L1 assets drained from Bridge + ERC20Vault
Attacker addresses (3):
0x7506DeA0c38ca0B55364B22424374c5A1ae1B76a (EOA, primary attacker)
0xa98035081fb739ebe9c8f80904668fb11438a846 (EOA, second wallet)
0xe0df6fc36deb38dd11dc53d327475c2b2b0ab98a (Contract, executor)
Victim contracts (2):
0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC (Bridge Proxy)
0x996282cA11E5DEb6B5D122CC3B9A1FcAAD4415Ab (ERC20Vault Proxy)
Transactions (4, all verified on-chain):
0x2f44dc1b... (setup) block 25367938, selector 0x09c5eabe, SUCCESS
0x017292a7... (USDC drain) block 25368853, selector 0x0432873c, SUCCESS
0xb8befb01... (ETH drain) block 25368908, selector 0x2035065e, SUCCESS
0x45142392... (drain) block 25368955, selector 0x2035065e, SUCCESS
Assets stolen (10 token types):
675,761 USDC, 138,139 USDT, 156,832 crvUSD, 130 ETH, 20.7 WETH,
0.43 WBTC, 0.53 weETH, 126,160 CRV, 2,140,403 iZi, 1,990,000 TAIKO
Post-attack:
Bridge paused, chain halted, MEXC froze TAIKO deposits
Taiko replenished bridge 1:1 from own resources — no user lost funds
Chain back online by June 30, 2026
metadata.human_verified: false
(set to true only after you confirm)
The report is ready at /tmp/defi-incident-Taiko-20260628/report.json.
Would you like to review it, or should I flip human_verified to true?
```