askill: review-contract (Safety score 90)

Review Aztec smart contracts for correctness, security, and best practices. Use proactively after writing or modifying Aztec contracts.

6 stars
1.2k downloads
Updated 1/21/2026

Package Files

SKILL.md

Aztec Contract Review Skill

Review Noir contracts written for the Aztec Network, focusing on correctness, security, and best practices.

Usage

/review-contract [file-path]

Examples:

/review-contract                              # Review contract in current context
/review-contract contracts/token/src/main.nr  # Review specific file
/review-contract contracts/                   # Review all contracts in directory

Workflow

Step 1: Identify Contract(s) to Review

If file path provided:

  • Use the provided path directly
  • If directory, find all main.nr files within

If no path (use context):

  • Check if a contract file was recently read or edited in conversation
  • If not, search for contracts:
Glob: **/src/main.nr

Step 2: Sync Aztec Version (if needed)

Ensure the MCP server has the correct version so that pattern matching is accurate:

aztec_status()

If the repos are not synced, or the version does not match the project's Nargo.toml, run:

aztec_sync_repos({ version: "<detected-version>" })

Step 3: Read and Understand the Contract

  1. Read the contract file(s)
  2. Identify the contract's purpose from code and any comments
  3. If purpose is unclear, ask the user what the contract is intended to do

Step 4: Verify Patterns Against Current API

Before flagging issues, verify patterns using the MCP server:

aztec_search_code({ query: "<pattern-in-question>", filePattern: "*.nr" })

This prevents false positives from outdated knowledge.

Step 5: Review Against Checklist

Contract Structure

  • Proper use of #[aztec] attribute on contract module
  • Storage struct defined with #[storage] attribute
  • Correct state variable types (PublicMutable, Owned, Map, etc.)
  • Constructor/initializer properly defined with #[initializer]
  • Functions have appropriate visibility attributes

Function Visibility

Attribute                               | Use Case
#[external("private")]                  | Executes in PXE, reads/writes private state
#[external("public")]                   | Executes on sequencer, visible to everyone
#[external("utility")] + unconstrained  | Off-chain reads without proofs
#[view]                                 | Read-only, doesn't modify state
#[only_self]                            | Only callable by the contract itself

Private State (Notes)

  • Notes are properly created with correct owner
  • Only note owners can nullify their notes (critical!)
  • Nullifiers handled correctly to prevent double-spending
  • No iteration over private state (impossible in Aztec)

Private <> Public Boundary

  • Enqueued public calls used correctly from private functions
  • No unintended information leakage between domains
  • Understand that private-to-public is one-way in a transaction

Access Control

  • Sensitive functions have proper access control
  • context.msg_sender() used correctly with .unwrap() in private
  • Admin functions protected appropriately

Cross-Contract Calls

  • Proper use of #[aztec(interface)] for external contract calls
  • Correct handling of return values
  • Privacy implications understood

Step 6: Flag Issues by Severity

Critical - Could cause loss of funds or privacy breaches:

  • Privacy leaks (private data exposed in public functions)
  • Incorrect note ownership allowing unauthorized spending
  • Missing nullifier checks enabling double-spend

High - Significant bugs or security concerns:

  • Missing access control on sensitive functions
  • Incorrect msg_sender handling
  • State inconsistencies between private and public

Medium - Best practice violations:

  • Inefficient patterns
  • Missing view annotations
  • Unclear function purposes

Low - Code style or minor improvements:

  • Naming conventions
  • Code organization
  • Documentation gaps

Step 7: Provide Recommendations

For each issue:

  1. Explain why it's a problem
  2. Show the current code
  3. Provide corrected code
  4. Reference similar patterns from aztec_search_code if helpful

Output Format

## Contract Review: [ContractName]

### Summary
Brief overview of the contract's purpose and overall quality.

### Issues Found

#### Critical
- **[Issue Title]**: Description
  - Location: `file:line`
  - Current: `code snippet`
  - Suggested: `fixed code`

#### High
...

#### Medium
...

#### Low
...

### Recommendations
Specific suggestions for improving the contract beyond fixing issues.

### What's Done Well
Highlight good practices observed in the contract.

Interactive Review

During review, you may ask the user clarifying questions:

  • "This function transfers notes but has no access control. Is this intentional?"
  • "The sender field on this note cannot be used for authorization. Did you intend for the sender to be able to modify this note?"
  • "This public function exposes the recipient address. Is this privacy tradeoff acceptable for your use case?"

Common Aztec Pitfalls to Check

  1. Storing addresses on notes for "access control" - Only the note owner can nullify. Fields are just data.

  2. Trying to iterate over private state - Notes can't be enumerated. Use different patterns.

  3. Exposing private data in public function parameters - Once public, always public.

  4. Race conditions between private and public state - Private reads stale public state.

  5. Missing .unwrap() on msg_sender() in private - Will fail silently otherwise.
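An added example (not code from this skill or from the Aztec project) of what the Access Control checklist and pitfall 5 look like in a contract: an unchecked public admin function next to its corrected form, and a private function that unwraps msg_sender() before using it. Import paths, the `pub contract` form and the state variable methods are assumed from a recent aztec-nr and should be confirmed with aztec_search_code before being relied on.

```noir
// Added example, not from the skill or the Aztec project. Import paths and the
// `pub contract` form are assumed from a recent aztec-nr; verify them with
// aztec_search_code before reuse.
use aztec::macros::aztec;

#[aztec]
pub contract AdminGated {
    use aztec::macros::{functions::{external, initializer}, storage::storage};
    use aztec::protocol_types::address::AztecAddress;
    use aztec::state_vars::{PublicImmutable, PublicMutable};

    #[storage]
    struct Storage<Context> {
        admin: PublicImmutable<AztecAddress, Context>,
        paused: PublicMutable<bool, Context>,
    }

    #[external("public")]
    #[initializer]
    fn constructor(admin: AztecAddress) {
        storage.admin.initialize(admin);
        storage.paused.write(false);
    }

    // High-severity finding: a sensitive public function with no access control,
    // so any account can pause the contract.
    #[external("public")]
    fn set_paused_unchecked(paused: bool) {
        storage.paused.write(paused);
    }

    // Corrected form: the caller is checked against the stored admin before the
    // write. In a public function msg_sender() returns the address directly.
    #[external("public")]
    fn set_paused(paused: bool) {
        assert(context.msg_sender() == storage.admin.read(), "caller is not admin");
        storage.paused.write(paused);
    }

    // In a private function msg_sender() is an Option, so it must be unwrapped
    // before the address can take part in any check (pitfall 5 above).
    #[external("private")]
    fn admin_private_action() {
        let caller: AztecAddress = context.msg_sender().unwrap();
        assert(caller == storage.admin.read(), "caller is not admin");
    }
}
```

Reviewing set_paused_unchecked against the checklist yields a High finding (missing access control on a sensitive function); set_paused is the "Suggested" code in the output format.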

Install

Requires askill CLI v1.0+

AI Quality Score

95/100 (analyzed 2/12/2026)

An exceptionally well-documented skill for reviewing Aztec smart contracts. It provides a clear 7-step workflow, specific MCP tool commands for version syncing and pattern verification, a comprehensive security checklist, and a structured output format.


Metadata

License: unknown
Version: -
Updated: 1/21/2026
Publisher: critesjosh

Tags

api, github-actions, security