npm - @elytrasec/engine - Versions diffs - 0.4.6 → 0.4.7 - Mend

@elytrasec/engine 0.4.6 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +97 -2
package/package.json +2 -2

package/dist/index.js CHANGED Viewed

@@ -5308,6 +5308,99 @@ var solanaRules = [
     category: "solidity",
     confidence: "medium",
     languages: RUST
+  },
+  {
+    id: "cp-sl-close-account-no-lamport-check",
+    title: "Solana: account closed without verifying lamport destination",
+    description: "Using `#[account(close = destination)]` or manually closing an account transfers its rent-exempt SOL to the destination. If `destination` isn't validated (constrained to the rightful owner), an attacker can drain rent into their own wallet on every close.",
+    suggestion: "Constrain the close destination: `#[account(close = expected_owner, has_one = expected_owner)]`. Or verify with `require_keys_eq!(destination.key(), authority.key())` before transfer.",
+    // Match only when close=X appears in a #[account(...)] block that has NO has_one / constraint
+    // in the same block (tempered greedy excludes those keywords inside the brackets).
+    multilinePattern: /#\[account\s*\((?:(?!has_one|constraint)[^)\n]){0,400}close\s*=\s*\w+(?:(?!has_one|constraint)[^)\n]){0,400}\)\]/,
+    severity: "high",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-lamport-overflow",
+    title: "Solana: unchecked lamport arithmetic (overflow / underflow)",
+    description: "Direct mutation of `account.lamports.borrow_mut() += X` or `-= X` without `checked_add` / `checked_sub` can overflow on large mints or underflow on overdraft. Solana's runtime does NOT panic on integer overflow in release mode.",
+    suggestion: "Use `lamports.borrow_mut().checked_add(amount).ok_or(MyError::Overflow)?` and matching `checked_sub`. Or use `**lamports = lamports.checked_add(X)?`.",
+    pattern: /\*\*[\w.]+?\.lamports\s*\.\s*borrow_mut\s*\(\s*\)\s*[+\-]=/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-sysvar-substitution",
+    title: "Solana: sysvar accepted as AccountInfo (substitution risk)",
+    description: "Accepting `Clock`, `Rent`, `EpochSchedule`, or `SlotHashes` as raw `AccountInfo` allows an attacker to substitute a forged account holding crafted bytes. Type confusion \u2192 wrong clock values \u2192 expiry bypass.",
+    suggestion: "Use typed Anchor sysvar wrappers: `pub clock: Sysvar<'info, Clock>`, `pub rent: Sysvar<'info, Rent>`. The runtime enforces the correct pubkey.",
+    multilinePattern: /pub\s+(?:clock|rent|epoch_schedule|slot_hashes|recent_blockhashes|instructions)\s*:\s*AccountInfo\s*<\s*'info\s*>/,
+    severity: "high",
+    category: "solidity",
+    confidence: "high",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-pda-bump-not-stored",
+    title: "Solana: PDA bump derived but not stored on account",
+    description: "Calling `Pubkey::find_program_address(seeds, program_id)` recomputes the canonical bump every time \u2014 that's 32+ ed25519 ops per call. More critically, if you don't STORE the bump on the account, attackers can derive alternative PDAs with non-canonical bumps and break invariants.",
+    suggestion: "Anchor: declare the seed + bump in the account constraint: `#[account(seeds = [...], bump = state.bump)]`. Store the bump on first init.",
+    pattern: /Pubkey::find_program_address\s*\(/,
+    severity: "low",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-multisig-threshold-check",
+    title: "Solana: multisig execution without threshold validation",
+    description: "A function checks individual signer authority but never validates that the count of signers meets the multisig threshold. Squads, Realms, and similar multisig programs must enforce `signers.len() >= threshold` before executing.",
+    suggestion: "Add `require!(approvals.len() as u8 >= multisig.threshold, MyError::QuorumNotReached)` before the dispatch.",
+    // Allow qualified field access like multisig.threshold, state.quorum, etc.
+    multilinePattern: /(?:signers|approvals|approvers|signatures|members)\s*\.\s*len\s*\(\s*\)(?![\s\S]{0,500}?(?:>=|>)\s*(?:\w+\.)?(?:threshold|quorum|min_signers|required_signers|min_approvals|m_of_n))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  }
+];
+var modernSolidityV2Rules = [
+  {
+    id: "cp-sol-eip1271-replay",
+    title: "EIP-1271 isValidSignature without nonce / expiry",
+    description: "Smart-contract signatures via `isValidSignature` (ERC-1271) that don't bind to a nonce + expiry can be replayed indefinitely. Permit2 leak-class attacks of 2024 exploited exactly this. Once a signature is leaked, it's valid forever and on every chain.",
+    suggestion: "Bind every accepted signature to: (a) a per-account nonce, (b) a deadline / expiry timestamp, AND (c) `block.chainid` in the typed-data domain. Increment nonce on successful verify.",
+    multilinePattern: /function\s+isValidSignature\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,1500}?(?:nonce|deadline|expiry|chainid|usedSig|_consumeNonce|_useNonce))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-safemint-reentrancy",
+    title: "ERC-721 _safeMint reentrancy via onERC721Received callback",
+    description: "`_safeMint` calls the recipient's `onERC721Received` hook. If state (totalSupply, balances, mint cap) is updated AFTER the safeMint, the recipient contract can re-enter and bypass the cap. Several memecoin / NFT mints have lost their entire whitelist allocation this way.",
+    suggestion: "Apply checks-effects-interactions: update mintCount, totalSupply, whitelist-spent BEFORE calling `_safeMint`. Or use `_mint` (no callback) when you don't need ERC-721-receiver compatibility, or add `nonReentrant`.",
+    multilinePattern: /_safeMint\s*\([^)]*\)\s*;[\s\S]{0,300}?(?:totalSupply|_mintedCount|mintedPerUser|whitelist\s*\[[^\]]*\]\s*=|_balanceOf\s*\[[^\]]*\]\s*=|\.\s*\w+\s*\+=\s*1)/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-voting-snapshot-bypass",
+    title: "Voting power read from spot balanceOf (snapshot manipulation)",
+    description: "A governance proposal reads voting weight from `balanceOf(voter)` at vote time. Attacker flash-borrows the governance token, votes, returns the loan in the same tx. This is distinct from the Beanstalk same-block execute bug \u2014 here even a 24h timelock won't help because the bad vote is already counted.",
+    suggestion: "Use `getPriorVotes(voter, proposalSnapshotBlock)` (Compound), `ERC20Votes.getPastVotes`, or maintain a delegated-balance snapshot via Comp/OZ Votes. Never use `balanceOf` for voting weight.",
+    multilinePattern: /function\s+(?:castVote|vote|castVoteWithReason|_castVote)\s*\([^)]*\)[^{;]*\{[\s\S]{0,800}?balanceOf\s*\(\s*(?:msg\.sender|voter|\w+)\s*\)(?![\s\S]{0,400}?(?:getPriorVotes|getPastVotes|getVotes|snapshot|_snapshot|checkpoints))/,
+    severity: "critical",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
   }
 ];
 var ALL_RULES2 = [
@@ -5327,7 +5420,8 @@ var ALL_RULES2 = [
   ...uniswapV4Rules,
   ...hackReplayRules,
   ...modernDeFiRules,
-  ...solanaRules
+  ...solanaRules,
+  ...modernSolidityV2Rules
 ];
 // src/static/pattern-scanner.ts
@@ -5364,7 +5458,7 @@ function isDocsFile(filePath) {
 }
 function isCommentLine(line) {
   const trimmed = line.trim();
-  return /^(?:\/\/|#|\/?\*|<!--)/.test(trimmed);
+  return /^(?!\*\*\w)(?:\/\/|#|\/?\*|<!--)/.test(trimmed);
 }
 function isImportLine(line) {
   const trimmed = line.trim();
@@ -5672,6 +5766,7 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (rule.id === "cp-sl-pyth-staleness" && /(?:get_price_no_older_than|publish_time|MAX_AGE|max_age|stale|clock\.unix_timestamp\s*-)/.test(content)) continue;
     if (rule.id === "cp-sl-arbitrary-cpi" && /Program\s*<\s*'info\s*,/.test(content)) continue;
     if (rule.id === "cp-sl-missing-owner-check" && /(?:require_keys_eq!\s*\([^)]*\.owner|assert_eq!\s*\([^)]*\.owner|Account\s*<\s*'info|AccountLoader\s*<\s*'info)/.test(content)) continue;
+    if (rule.id === "cp-sol-voting-snapshot-bypass" && /(?:getPriorVotes|getPastVotes|getVotes|_snapshot|checkpoints|ERC20Votes|VotesUpgradeable|delegateBySig)/.test(content)) continue;
     rule.multilinePattern.lastIndex = 0;
     const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.6",
-  "description": "Core analysis engine for Elytra \u2014 188 detection rules across Solidity, Solana/Anchor (Rust), JS/TS, Python, Go, IaC. Includes 12 famous-hack patterns, 11 rug-surface checks, 5 modern-DeFi detectors, 7 Solana detectors.",
+  "version": "0.4.7",
+  "description": "Core analysis engine for Elytra \u2014 196 detection rules across Solidity, Solana/Anchor (Rust), JS/TS, Python, Go, IaC. 12 famous-hack patterns, 11 rug-surface, 5 modern-DeFi + 3 modern-Solidity-v2, 12 Solana detectors.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",