@elytrasec/engine 0.4.1 → 0.4.2

package/dist/index.js

@@ -2921,7 +2921,13 @@ var securityRules = [
     title: "Potential SQL injection",
     description: "SQL query built with template literals or string concatenation. User input may flow into the query unsanitised.",
     suggestion: "Use parameterised queries or prepared statements instead of string interpolation.",
-    pattern: /(?:query|execute|exec|raw)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/i,
+    // Catches:
+    //   .query(`SELECT ... ${x}`)             — template literal interpolation
+    //   .query("SELECT '" + x + "'")          — double-quote outer + escaped single inside (the OWASP #1 shape)
+    //   .query('SELECT \\'" + x + "\\'')      — single-quote outer + escaped double inside
+    //   .queryRawUnsafe("SELECT ... " + req.x) — Prisma raw + concat
+    //   .execute("..." + var)                  — plain concat
+    pattern: /(?:query|execute|exec|raw|queryRaw|queryRawUnsafe|executeRaw|executeRawUnsafe)\s*\(\s*(?:`[^`]*\$\{|"(?:[^"\\]|\\.)*"\s*\+|'(?:[^'\\]|\\.)*'\s*\+)/i,
     multilinePattern: /(?:(?:let|const|var)\s+\w+\s*=\s*["'`](?:SELECT|INSERT|UPDATE|DELETE)\b[\s\S]{1,500}?\+\s*(?:req\.|params\.|query\.|body\.|args\.|user)|(?:let|const|var)\s+\w+\s*=\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^`]*`)/gim,
     severity: "critical",
     category: "security",
@@ -3343,8 +3349,10 @@ var solidityRules2 = [
     title: "Potential reentrancy \u2014 review external call sequencing",
     description: "An external call via `.call{value:...}` is present. The classic reentrancy pattern requires the call to occur BEFORE a state update \u2014 a same-line regex can't verify the order across multiple lines, so this is flagged for manual or AI review. `.send` and `.transfer` are intentionally not flagged because their 2300-gas stipend prevents reentrancy except in pathological cases (post-EIP-1884 gas changes).",
     suggestion: "Follow checks-effects-interactions: update state before external calls. Or use OpenZeppelin's ReentrancyGuard. Confirm by reading the surrounding function or running AI deep-review.",
-    pattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}/,
-    severity: "high",
+    // Only fire when .call{value:} appears AND no reentrancy-guard / OZ helper is visible
+    // in the same file. Reduces FP storm on Governor, ERC7579, ERC4626, etc.
+    multilinePattern: /\.call\s*\{(?:[^}]*value[^}]*)?\}\s*\([\s\S]{0,80}?\)(?![\s\S]{0,3000}?(?:nonReentrant|ReentrancyGuard|_NOT_ENTERED|_REENTRANCY_GUARD|onlyRole|onlyGovernance|_checkAuthorized|Address\.functionCall|Address\.sendValue))/,
+    severity: "medium",
     category: "security",
     confidence: "low",
     languages: SOL
@@ -3354,7 +3362,9 @@ var solidityRules2 = [
     title: "tx.origin used for authorization",
     description: "tx.origin returns the original sender of a transaction. Using it for auth allows phishing attacks via intermediary contracts.",
     suggestion: "Use msg.sender instead of tx.origin for authorization checks.",
-    pattern: /tx\.origin/,
+    // Only flag actual auth use (tx.origin in a require/== check or returned from a getter).
+    // Suppress comments, immutable deployer fingerprints, and Lifebuoy-style "I might add ecrecover" notes.
+    pattern: /(?:require\s*\(\s*tx\.origin\s*==|require\s*\(\s*msg\.sender\s*==\s*tx\.origin|if\s*\(\s*tx\.origin\s*==|return\s+tx\.origin\s*;)/,
     severity: "high",
     category: "security",
     confidence: "high",
@@ -3365,10 +3375,12 @@ var solidityRules2 = [
     title: "Unchecked low-level call return value",
     description: "Low-level call() returns a boolean success flag. Ignoring it can silently swallow failures.",
     suggestion: "Always check the return value: `(bool success, ) = addr.call{...}(...); require(success);`",
-    pattern: /\.call\s*[\({][^)]*\)\s*;/,
-    severity: "high",
+    // Match low-level call result discarded (no return capture). Suppress if (bool,...) = .call() or
+    // .call returned to a variable; suppress if onlyGovernance / onlyOwner / nonReentrant context nearby.
+    multilinePattern: /(?<![\)\]]\s*=\s*[^=])\b\w+\.call\s*[\({][^)]{0,200}?\)\s*;(?![\s\S]{0,500}?(?:onlyGovernance|onlyRole|nonReentrant|onlyOwner))/,
+    severity: "medium",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -3477,10 +3489,12 @@ var solidityRules2 = [
     title: "balanceOf used for pricing without flash loan guards",
     description: "Using balanceOf() for pricing calculations is vulnerable to flash loan manipulation.",
     suggestion: "Use time-weighted average prices (TWAP) or Chainlink oracles instead of spot balanceOf for pricing.",
-    multilinePattern: /balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)/,
+    // Require the balanceOf call to be inside an actual function body (not a docstring/comment block),
+    // and must NOT have TWAP/oracle/Chainlink keywords visible nearby.
+    multilinePattern: /function\s+\w+[^{]*\{[\s\S]{0,2000}?balanceOf\s*\([^)]*\)[\s\S]{0,20}(?:\*|\/)\s*\w(?![\s\S]{0,400}?(?:TWAP|twap|Chainlink|chainlink|oracle\.|priceFeed|latestAnswer|getRoundData|observe\s*\())/,
     severity: "high",
     category: "security",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -4648,7 +4662,11 @@ var eip7702Rules = [
     title: "EIP-7702 delegation: unguarded initializer",
     description: "Contracts intended as EIP-7702 delegation targets must guard initializers \u2014 constructors don't run on delegated EOAs. An unguarded `initialize()` can be front-run, letting an attacker take ownership. The pattern also matches generic proxy initializers, which usually ARE guarded (just not by an `initializer` keyword on the same line), so confirm whether this contract is actually a 7702 target before treating as critical.",
     suggestion: "If this is a 7702 delegation target: add `initializer` modifier (OpenZeppelin) or a boolean guard. For regular proxies, confirm the initializer is gated by the proxy factory.",
-    pattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)(?!\s+\w*[Ii]nitializer)/,
+    // Suppress: initialize() with explicit access guard (onlyOwner, onlyEntryPoint, noDelegateCall),
+    // initializer modifier, ERC1967/UUPS proxy patterns, or 'once' guard.
+    // Broader suppression: ERC-4337/7579 accounts use _setOwner pattern, OZ uses initializer modifier,
+    // proxies use ERC1967, V4 PoolManager.initialize is permissionless-by-design with noDelegateCall.
+    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|EntryPoint|UserOperation|getStorage|StorageSlot))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4672,10 +4690,12 @@ var tstoreRules = [
     title: "Transient storage (TSTORE) used \u2014 verify reentrancy safety",
     description: "Transient storage (EIP-1153, live since Cancun) does not impose the 2300 gas minimum of SSTORE-based guards. If this contract also uses `transfer()` or `send()` for ETH, those calls are no longer reentrancy-safe \u2014 the callee has enough gas to re-enter via TLOAD/TSTORE paths.",
     suggestion: 'Audit every ETH transfer in this contract. Replace `transfer()`/`send()` with `call{value:}("")` + explicit reentrancy check. Ensure TSTORE lock is written before any external call.',
-    pattern: /assembly\s*\{[^}]*tstore\s*\(|TransientSlot|tstore\s*\(/i,
-    severity: "high",
+    // Only fire on ACTUAL tstore() use inside inline assembly with no nonReentrant-style guard
+    // visible in the same file. Imports of TransientSlot alone are not a finding.
+    multilinePattern: /assembly\s*\{[^}]{0,400}?\btstore\s*\((?![\s\S]{0,2000}?(?:nonReentrant|ReentrancyGuard|_NOT_ENTERED|_REENTRANCY_GUARD|LockBitmap|onlyByPosm|onlyByPoolManager))/,
+    severity: "medium",
     category: "solidity",
-    confidence: "medium",
+    confidence: "low",
     languages: SOL
   },
   {
@@ -4696,7 +4716,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: missing PoolManager sender validation",
     description: "Hook callbacks (`beforeSwap`, `afterSwap`, `beforeAddLiquidity`, etc.) must verify `msg.sender == address(poolManager)`. Without this check, any address can call the hook directly and manipulate its state.",
     suggestion: 'Add `require(msg.sender == address(poolManager), "not PoolManager");` as the first line of every hook callback, or inherit from `BaseHook` which enforces this automatically.',
-    pattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Initialize|Donate)\s*\(/,
+    // Require function BODY (not interface signature ending in ;) AND missing sender check.
+    // Skip interface files and abstract declarations.
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Initialize|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,300}?(?:msg\.sender\s*==\s*(?:address\s*\()?\s*(?:poolManager|manager|_poolManager|POOL_MANAGER|i_poolManager)|onlyByPoolManager|onlyByManager|onlyPoolManager|BaseHook|_validatePoolManager))/,
     severity: "critical",
     category: "solidity",
     confidence: "medium",
@@ -4719,7 +4741,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: BalanceDelta returned without settle/take",
     description: "Hooks that return a modified `BalanceDelta` must ensure the delta is fully consumed (settled or taken) within the same unlock cycle. An unconsumed delta causes `CurrencyNotSettled` revert; partial consumption can silently strand tokens.",
     suggestion: "Ensure `poolManager.settle()` or `poolManager.take()` is called for both currency0 and currency1 before returning from the unlock callback.",
-    multilinePattern: /returns\s*\([^)]*BalanceDelta[^)]*\)(?![\s\S]{0,800}?(?:settle|\.take)\s*\()/,
+    // Only fire on hook callbacks specifically (before/after-Swap etc.) — not interface decls,
+    // not PoolManager itself (which is the singleton, returns deltas BY DESIGN).
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*returns\s*\([^)]*BalanceDelta[^)]*\)[^{;]*\{(?![\s\S]{0,800}?(?:settle|\.take\s*\(|poolManager\.))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4741,7 +4765,9 @@ var uniswapV4Rules = [
     title: "Uniswap v4 hook: spot sqrtPriceX96 used for pricing without limit",
     description: "Using spot `sqrtPriceX96` read from pool state inside a hook callback for pricing decisions without a `sqrtPriceLimitX96` bound is sandwich-attackable. The price reflects post-swap state which may be manipulated.",
     suggestion: "Pass `sqrtPriceLimitX96` to all swap calls from hooks. Use a TWAP oracle for pricing rather than spot price.",
-    pattern: /sqrtPriceX96\s*[*/+-]\s*\w|sqrtPriceX96\s*=\s*(?!.*[Ll]imit)/,
+    // Only fire inside hook callback functions (before/after Swap/AddLiquidity), not library files
+    // (Pool.sol, TickMath.sol, etc.) which legitimately work with raw sqrt prices.
+    multilinePattern: /function\s+(?:before|after)(?:Swap|AddLiquidity|RemoveLiquidity|Donate)\s*\([^)]*\)\s*(?:external|public)[^{;]*\{[\s\S]{0,1500}?sqrtPriceX96\s*[*/+\-]\s*\w(?![\s\S]{0,300}?(?:TWAP|twap|sqrtPriceLimitX96|observe\s*\())/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4773,7 +4799,9 @@ var hackReplayRules = [
     title: "Euler hack pattern \u2014 donate function reachable from liquidation path",
     description: "A donate/donateTo* function in a lending or vault context can be weaponized to artificially worsen the caller's health factor, then trigger self-liquidation at a profit. This is the exact vector that drained $197M from Euler Finance in March 2023.",
     suggestion: "Either remove the donate function, or (a) require donations to come from accounts with no active borrows, (b) recompute health AFTER the donation as if the donated assets remained the donor's, and (c) prevent same-block liquidation of the donor.",
-    pattern: /function\s+donate[A-Za-z]*\s*\(/,
+    // Only flag donate functions in lending/health/liquidation contexts. Skip pure liquidity-pool
+    // donate functions (Uniswap V4 PoolManager.donate gives fees to LPs — different semantics).
+    multilinePattern: /function\s+donate[A-Za-z]*\s*\([^)]*\)[^{;]*\{[\s\S]{0,2000}?(?:healthFactor|accountHealth|isHealthy|borrow|collateral|liquidat|debt|vault|reserves)/,
     severity: "high",
     category: "hack-replay",
     confidence: "medium",
@@ -4841,7 +4869,13 @@ var hackReplayRules = [
     title: "Beanstalk hack pattern \u2014 governance execute() with no timelock between vote and call",
     description: "A governance contract exposes an execute() / executeProposal() / propose() function callable in the same block as voting. This is the exact $182M Beanstalk vector (April 2022): an attacker flash-loaned the governance token, voted yes on a self-draining proposal, and called execute() in the same transaction. A timelock between successful vote and execution would have made the flash-loan economically pointless.",
     suggestion: "Add a queue/execute split: successful proposals enter a TimelockController with a minimum delay (24-48h is standard). Require execute() to verify block.timestamp >= queuedAt + delay. Never let voting power, proposal acceptance, and code execution happen atomically.",
-    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{]*\{(?![\s\S]{0,600}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+))/,
+    // Expanded negative lookahead to suppress OZ Governor/AccessManager/AccessControl
+    // patterns that use proper auth/delay even if "timelock" keyword isn't right next to execute().
+    // Suppress: ERC-4337/7579 account abstraction execute(mode, data), OZ Governor, AccessManager,
+    // anything with auth modifiers. Real Beanstalk-shape is execute(proposalId) on a governance contract.
+    // Suppress: interface signatures (ending in ;), OZ Governor/IGovernor, AccessManager, account
+    // abstraction execute() patterns, anything with proper auth. Requires actual function BODY.
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4909,8 +4943,11 @@ var hackReplayRules = [
     title: "Wormhole hack pattern \u2014 guardian/validator signature accepted without strict set verification",
     description: "A function verifies a signature against a validator/guardian set but does not strictly check that the set hash matches the expected current set (or compares against a default/empty value). The $325M Wormhole hack (Feb 2022) exploited a stub `verify_signatures` path that accepted forged signatures because the validator set comparison was missing/insecure. ecrecover-based signature schemes need every validator set rotation tracked by an explicit hash check.",
     suggestion: "Verify the signed message includes a strict hash of the current validator set. Reject signatures where the recovered signer is not in the active set. Never use `default!()` or zero-initialized guardian arrays in signature paths.",
-    multilinePattern: /(?:ecrecover|recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,300}?(?:guardianSet|validatorSet|currentSetHash|setHash|require\s*\([^)]*==\s*expected))/,
-    severity: "critical",
+    // Suppress legitimate EIP-712 / Permit / typed-data signature flows (OZ ECDSA, EIP-2612 permits,
+    // ERC-4337 user-op validation) which use ecrecover correctly. Only fire on bridge/oracle-shaped
+    // contexts where signer-set verification matters.
+    multilinePattern: /(?:ecrecover|ECDSA\.recover|\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,800}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|nonces\s*\[|require\s*\([^)]*==\s*expected))/,
+    severity: "high",
     category: "hack-replay",
     confidence: "low",
     languages: SOL
@@ -5035,7 +5072,9 @@ var rugSurfaceRules = [
     title: "Role admin can grant itself any role",
     description: "DEFAULT_ADMIN_ROLE or a self-managed role can call grantRole() on itself or on other privileged roles. Single admin compromise = full takeover.",
     suggestion: "Use AccessControlEnumerable + revoke admin's ability to manage its own role. Move sensitive roles to a separate multisig.",
-    pattern: /_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\)/,
+    // Only flag PUBLIC/EXTERNAL grantRole(role, msg.sender) or non-constructor _grantRole.
+    // OZ AccessControl's constructor _grantRole(DEFAULT_ADMIN_ROLE, initialAdmin) is legit setup.
+    multilinePattern: /function\s+\w+\s*\([^)]*\)\s*(?:external|public)[^{]*\{[\s\S]{0,400}?(?:_setupRole\s*\(\s*DEFAULT_ADMIN_ROLE|_grantRole\s*\(\s*DEFAULT_ADMIN_ROLE|grantRole\s*\([^,]+,\s*msg\.sender\s*\))/,
     severity: "high",
     category: "rug-surface",
     confidence: "medium",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",