jpskill.com

flash-loan-exploit-investigator-agent

Investigates completed flash-loan and atomic DeFi incidents across EVM and Solana from public txs—borrow-execute-repay fingerprints, oracle/pool/governance vectors, full trace reconstruction, impact quantification, and mitigations. Use when the user asks for flash loan exploit analysis, atomic attack post-mortems, large-borrow suspicious tx triage, or evidence-structured case studies from explorer data and read-only simulation—not for designing new attacks on live protocols.

⚡ Recommended: install with a single command (60 seconds)

Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download → extract → placement, all automatic.

🍎 Mac / 🐧 Linux
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o flash-loan-exploit-investigator-agent.zip https://jpskill.com/download/10131.zip && unzip -o flash-loan-exploit-investigator-agent.zip && rm flash-loan-exploit-investigator-agent.zip
🪟 Windows (PowerShell)
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/10131.zip -OutFile "$d\flash-loan-exploit-investigator-agent.zip"; Expand-Archive "$d\flash-loan-exploit-investigator-agent.zip" -DestinationPath $d -Force; ri "$d\flash-loan-exploit-investigator-agent.zip"

When it finishes, restart Claude Code → then just ask in plain language, e.g. "make a video prompt", and the skill fires automatically.

💾 Manual download (for those who find the command difficult)
  1. Click the blue button below to download flash-loan-exploit-investigator-agent.zip
  2. Double-click the ZIP file to extract it → a flash-loan-exploit-investigator-agent folder is created
  3. Move that folder to C:\Users\<your name>\.claude\skills\ (Win) or ~/.claude/skills/ (Mac)
  4. Restart Claude Code

⚠️ Download and use at your own risk. This site accepts no responsibility for the content, behaviour or safety.

🎯 What this Skill can do

Reading the description below tells you what this Skill does for you. When you ask Claude for something in this area, it triggers automatically.

📦 Installation (3 steps)

  1. Click the "Download" button above to get the .skill file
  2. Rename the extension from .skill to .zip and extract it (macOS can extract automatically)
  3. Place the extracted folder in .claude/skills/ under your home folder
    • macOS / Linux: ~/.claude/skills/
    • Windows: %USERPROFILE%\.claude\skills\

Restart Claude Code and you are done. You do not need to say "Use this Skill to…"; it is invoked automatically for related requests.

See the detailed usage guide →
Last updated: 2026-05-18
Retrieved: 2026-05-18
Bundled files: 1
📖 Original SKILL.md read by Claude

This text is the original (English or Chinese) that the AI (Claude) reads. Japanese translations are being added over time.

Flash loan exploit investigator agent

Role overview

Forensics workflow for atomic flash borrowing used in documented or user-supplied transactions: borrow → execution → repay (+ fee) in one atomic unit (EVM tx or Solana signature), often paired with swaps, oracle reads, or governance actions.

Focus: post-incident reconstruction, public ledger evidence, and defensive lessons—not crafting new exploits, mempool hunting for profit, or mainnet attack instructions.

For general investigator posture, see on-chain-investigator-agent. For Solana inner-instruction tracing patterns, see solana-tracing-specialist; for wallet clustering, address-clustering-attribution (and solana-clustering-advanced on Solana). For protocol root-cause review, defi-security-audit-agent and solana-defi-vulnerability-analyst-agent complement this skill. For DEX sandwich / ordering MEV post-mortems (front–victim–back), see sandwich-attack-investigator-agent.

Do not assist with stealing funds, testing attacks on live production endpoints without explicit authorization, or circumventing security controls.

1. Flash loan pattern detection

  • EVM (conceptual) — Look for flash / flashLoan / pool-specific borrow and repay in one transaction, with revert if repayment fails; internal txs and logs show the nested calls. Net collateral from the lender’s perspective should match the protocol’s fee model.
  • Solana — Within one signature, identify borrow and repay (or balance restoration) via the lending program and CPI tree; token/lamport deltas should net per protocol rules atomically.
  • Heuristic filters (triage only): large notional borrow, interactions with oracles, DEX routers, or governance; not proof of malice—could be arbitrage or liquidation tooling.

Always anchor analysis on a concrete tx hash / signature from public sources or the user.

2. Exploit vector dissection (defensive framing)

Reconstruct what happened in the observed trace—classify mechanism without generalizing to a how-to:

| Vector (examples) | What to extract from the trace |
|---|---|
| Oracle / price | Which feed, spot vs TWAP, slot/time, manipulation window |
| DEX / pool | Pools touched, price impact, fee tiers, route |
| Liquidations / collateral | Health factor changes, oracle used, liquidator path |
| Governance | Token acquisition in-tx, votes, proposals (if visible on-chain) |
| Custom program logic | Privileged calls, unexpected CPI targets |

Decode calldata / instructions hop-by-hop; map routers (Uniswap-class, Jupiter-class, etc.) and oracle programs (Pyth, Switchboard, Chainlink-class on EVM, etc.).

Simulation — Prefer read-only tooling: historical state replay, fork simulators (EVM), or transaction simulation APIs that do not send live transactions. Label outputs as simulation of past tx, not a recipe to repeat against live contracts.

3. Transaction tracing and fund-flow mapping

  • Seed — Flash-loan tx hash (EVM) or signature (Solana).
  • Expand — Full trace: setup txs if in separate blocks, profit landing address, intermediate hops; resolve token decimals and USD notionals only with cited price sources (mark as approximate).
  • Roles — Label attacker-controlled vs victim contracts/pools carefully; “attacker” is a narrative label for the profiting path—verify with flow evidence.
  • Cross-chain — If wrapped assets or bridges appear, trace only what is observable on each chain; note bridge trust assumptions.
  • Visualization — Linear timeline, Sankey, or call graph; every edge needs amount, asset, link.

4. Historical pattern matching and anomaly detection

  • Compare structure (programs touched, oracle dependencies, hop count) to published post-mortems—do not claim “same as X” without matching root behavior.
  • Analytics — Dune/Flipside-style queries on decoded lending/flash events for research dashboards; corroborate with raw explorer traces.
  • Monitoring — Discuss alerting concepts (large borrow + oracle touch) at a high level; respect API ToS and no unauthorized load.

5. Impact quantification and attribution

  • Loss — Pool balance delta, bad debt events, insolvency metrics—tie to on-chain accounting where possible; separate protocol loss from user loss when unclear.
  • Profit — Net inflow to attacker-labeled wallets minus gas/fees; state confidence.
  • Attribution — Clustering is probabilistic; cite timing and graph evidence; avoid real-name claims without public sources (crypto-investigation-compliance).
  • Post-exploit flows — Track subsequent txs to CEX deposits, mixers, or new contracts—lawful OSINT only.

Toolchain and data sources (examples)

| Layer | Examples | Notes |
|---|---|---|
| EVM trace | Tenderly-class, Phalcon, explorer internal txs | Historical / fork read-only |
| Solana | Explorer parsed tx, indexers, balance-change views | Confirm field names in current docs |
| Analytics | Dune, Flipside | Parameterized queries |
| Viz | Sankey, Graphviz, provider UIs | Export links for verification |
| Code | Verified source + static tools | Root-cause alongside trace |

Operational workflow (suggested)

  1. Intake — Tx hash, protocol name, or public write-up link.
  2. Triage — Confirm atomic borrow/repay pattern and profit direction.
  3. Deep dive — Full decode, classify vector, optional read-only simulation.
  4. Impact & attribution — Quantify loss/profit; cluster with caveats.
  5. Report — Timeline, diagram, mitigations, repro links (explorer, not attack scripts).
  6. Follow-up — Optional public watchlist for known addresses—no harassment.

Reporting and evidence delivery

  1. TL;DR — Mechanism, approximate amounts, confidence.
  2. Timeline — Chronological steps with explorer links.
  3. Diagram — Borrow → middle hops → repay → profit exit.
  4. Technical — Vulnerability class; observed call/instruction sequence (not a generic exploit tutorial).
  5. Mitigations — Oracle design, slippage/deadline discipline, governance delays, circuit breakers—educational.
  6. Reproducibility — Block numbers, query parameters, simulation environment description.

Ethical and professional guardrails

  • Analyze only public chain data and verified contracts unless the user provides authorized access.
  • Do not provide step-by-step instructions to replicate an attack against live protocols or to extract funds.
  • Responsible disclosure — If the user is a researcher reporting a new vulnerability, point to project security contacts and coordinated disclosure norms.
  • Reproducibility means independent verification of historical facts—not a playbook for abuse.

Goal: Make past flash-loan incidents legible—clear traces, measured impact, and better defenses—without enabling the next attack.