@elytrasec/engine 0.4.2 → 0.4.3

package/dist/index.js

@@ -3477,8 +3477,11 @@ var solidityRules2 = [
     title: "Chainlink latestRoundData without staleness check",
     description: "Using latestRoundData() without checking updatedAt for staleness can return outdated prices.",
     suggestion: "Check that `updatedAt` is recent: `require(block.timestamp - updatedAt < STALENESS_THRESHOLD)`.",
-    pattern: /latestRoundData\s*\(/,
-    multilinePattern: /latestRoundData\s*\([\s\S]{0,500}(?!updatedAt)/g,
+    // Removed single-line pattern: it fired on EVERY interface declaration of latestRoundData().
+    // Only the multilinePattern below should fire — it scopes to actual usage with no staleness check.
+    // Match real usage (destructured assignment), suppress when staleness/sequencer/heartbeat
+    // checks are visible in the next ~1500 chars. Skip pure interface declarations.
+    multilinePattern: /\(\s*[^)]*\)\s*=\s*[^;]*\.latestRoundData\s*\(\s*\)(?![\s\S]{0,1500}?(?:updatedAt|staleness|MAX_DELAY|STALENESS|grace|GRACE|timestamp\s*-\s*updatedAt|block\.timestamp\s*-\s*\w+|sequencer|isSequencerUp|MAX_HEARTBEAT|HEARTBEAT|maxAge))/,
     severity: "high",
     category: "security",
     confidence: "medium",
@@ -4666,7 +4669,11 @@ var eip7702Rules = [
     // initializer modifier, ERC1967/UUPS proxy patterns, or 'once' guard.
     // Broader suppression: ERC-4337/7579 accounts use _setOwner pattern, OZ uses initializer modifier,
     // proxies use ERC1967, V4 PoolManager.initialize is permissionless-by-design with noDelegateCall.
-    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|EntryPoint|UserOperation|getStorage|StorageSlot))/,
+    // Suppress when function declaration line itself contains a guard modifier
+    // (initializer, onlyOwner, onlyProxy, noDelegateCall, payable initializer, etc.) — these
+    // come BEFORE the opening { so the prior lookahead-after-brace missed them.
+    // Then suppress when proxy/4337/UUPS/admin patterns appear in body.
+    multilinePattern: /function\s+initialize\s*\([^)]*\)\s*(?:external|public)\s+(?!.*(?:initializer|reinitializer|onlyOwner|onlyProxy|onlyEntryPoint|noDelegateCall|onlyRole))[^{;]*\{(?![\s\S]{0,800}?(?:initializer|reinitializer|_disableInitializers|require\s*\([^)]*!\s*initialized|require\s*\([^)]*owner\s*==\s*address\s*\(\s*0|noDelegateCall|onlyOwner|onlyEntryPoint|onlyProxy|ERC1967|UUPS|_setOwner|_initialize|_setImplementation|_changeAdmin|EntryPoint|UserOperation|getStorage|StorageSlot|IMPLEMENTATION_SLOT|ADMIN_SLOT|require\s*\([^)]*==\s*address\s*\(\s*0\s*\)|_logic\s*\.\s*delegatecall))/,
     severity: "high",
     category: "solidity",
     confidence: "low",
@@ -4836,8 +4843,12 @@ var hackReplayRules = [
     title: "zkSync hack pattern \u2014 admin-only sweep/drain/rescue function",
     description: "An admin-gated function with a name like sweep*, drain*, rescue*, emergencyWithdraw*, forceMint*, adminMint* is the exact category of function the zkSync airdrop attacker exploited (April 2025, $5M loss). Even with a timelock check inside, these functions are high-value targets \u2014 a compromised admin key bypasses everything. The pattern is reviewed manually because a same-line regex cannot verify whether a timelock guard is enforced.",
     suggestion: "Audit this function carefully: (a) is it gated by a TimelockController contract address check, not just an onlyOwner modifier? (b) is the action bounded (max amount per call, per epoch)? (c) is there an N-of-M multisig requirement at the modifier level? If any answer is no, add it before mainnet.",
-    pattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)/,
-    severity: "high",
+    // Suppress when function has a multi-element lock (onlyRescuer with named slot),
+    // onlyPoolAdmin pattern (Aave), or other named-role modifiers that imply auditing-already-done.
+    // Real catch is "onlyOwner" plain — anonymous single-role drain.
+    multilinePattern: /function\s+(?:sweep[A-Za-z]*|drain[A-Za-z]*|rescue[A-Za-z]*|emergencyWithdraw[A-Za-z]*|forceMint[A-Za-z]*|adminMint[A-Za-z]*)\s*\([^)]*\)\s*(?:external|public)(?!.*(?:onlyRescuer|onlyPoolAdmin|onlyEmergencyAdmin|onlyRiskAdmin|onlyAclAdmin|onlyRoleAdmin|onlyConfigurator|hasRole))[^{;]*\{/,
+    // Downgraded from high to medium: this is a "review needed" finding, not "definitely vulnerable"
+    severity: "medium",
     category: "hack-replay",
     confidence: "medium",
     languages: SOL
@@ -4873,9 +4884,8 @@ var hackReplayRules = [
     // patterns that use proper auth/delay even if "timelock" keyword isn't right next to execute().
     // Suppress: ERC-4337/7579 account abstraction execute(mode, data), OZ Governor, AccessManager,
     // anything with auth modifiers. Real Beanstalk-shape is execute(proposalId) on a governance contract.
-    // Suppress: interface signatures (ending in ;), OZ Governor/IGovernor, AccessManager, account
-    // abstraction execute() patterns, anything with proper auth. Requires actual function BODY.
-    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
+    // Expanded suppression: ERC-2771 meta-tx forwarders, ERC-6551 token-bound accounts.
+    multilinePattern: /function\s+(?:execute(?:Proposal)?|propose(?:AndExecute)?)\s*\([^)]*\)\s*(?:external|public)(?:\s+payable)?(?:\s+returns)?[^{;]*\{(?![\s\S]{0,1500}?(?:timelock|Timelock|TimelockController|queued|block\.timestamp\s*[><]=?\s*\w+\s*\+|onlyRole|onlyGovernance|onlyEntryPoint|onlyEntryPointOrSelf|_checkAuthorized|_authorizeUpgrade|AccessControl|AccessManager|Governor|IGovernor|hasRole|getMinDelay|delay\s*\(|_executeOperations|hashOperation|isOperationReady|EntryPoint|ERC7579|ERC4337|ERC7821|ERC2771|ERC6551|Forwarder|ForwardRequest|MetaTx|TokenBoundAccount|_verify|IAccount|_validateUserOp|UserOperation|state\s*\(\s*proposalId|_castVote|votingDelay))/,
     severity: "critical",
     category: "hack-replay",
     confidence: "low",
@@ -4946,7 +4956,11 @@ var hackReplayRules = [
     // Suppress legitimate EIP-712 / Permit / typed-data signature flows (OZ ECDSA, EIP-2612 permits,
     // ERC-4337 user-op validation) which use ecrecover correctly. Only fire on bridge/oracle-shaped
     // contexts where signer-set verification matters.
-    multilinePattern: /(?:ecrecover|ECDSA\.recover|\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,800}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|nonces\s*\[|require\s*\([^)]*==\s*expected))/,
+    // EIP-712 / permit / typed-data patterns can appear BEFORE or AFTER ecrecover. Use a
+    // wrapping check: require the recover call to be in a CONTEXT that contains typed-data
+    // keywords within ~1000 chars on either side. We approximate by lookahead-only with a
+    // bigger window AND lookbehind-by-context (check if file declares typed-data structures).
+    multilinePattern: /(?:ecrecover|ECDSA\.recover|\w+\.recover)\s*\([\s\S]{0,400}?\)(?![\s\S]{0,1500}?(?:guardianSet|validatorSet|currentSetHash|setHash|_hashTypedDataV4|EIP712|EIP_712|DOMAIN_SEPARATOR|PERMIT_TYPEHASH|DELEGATION_TYPEHASH|ERC1271|isValidSignature|_?nonces\s*\[|_approve|_approveDelegation|_useCheckedNonce|_useNonce|require\s*\([^)]*==\s*expected))/,
     severity: "high",
     category: "hack-replay",
     confidence: "low",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Core analysis engine for Elytra \u2014 173 detection rules including 12 famous-hack patterns and 11 rug-surface checks, static + AI scanning, scoring.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",