@elytrasec/engine 0.4.6 → 0.4.8

package/dist/index.js

@@ -3985,7 +3985,9 @@ var performanceRules = [
     title: "Potential N+1 query \u2014 database call inside a loop",
     description: "A database query inside a loop makes N separate round-trips instead of 1 batch query. This causes severe performance degradation at scale.",
     suggestion: "Batch the queries: collect all IDs first, then execute a single WHERE IN query.",
-    multilinePattern: /(?:for|while|\.forEach|\.map)\s*\([\s\S]*?(?:\.find\(|\.findOne\(|\.findUnique\(|\.query\(|\.execute\(|SELECT\b)/,
+    // Tightened: only fire on PROMISE-shaped DB calls. Array.prototype.find/map on a local var
+    // is NOT an N+1 — must be `await ...` OR namespaced like `db.find`/`prisma.user.findUnique`.
+    multilinePattern: /(?:for|while)\s*\([^)]*\)\s*\{[\s\S]{0,500}?(?:await\s+\w+(?:\.\w+)*\.(?:find|findOne|findUnique|query|execute)\s*\(|\b(?:db|prisma|sequelize|knex|mongoose|repo|repository)\.\w+\.\s*(?:find|findOne|findUnique|query|execute)\s*\(|SELECT\b.*FROM)/,
     severity: "high",
     category: "performance",
     confidence: "medium",
@@ -5308,6 +5310,99 @@ var solanaRules = [
     category: "solidity",
     confidence: "medium",
     languages: RUST
+  },
+  {
+    id: "cp-sl-close-account-no-lamport-check",
+    title: "Solana: account closed without verifying lamport destination",
+    description: "Using `#[account(close = destination)]` or manually closing an account transfers its rent-exempt SOL to the destination. If `destination` isn't validated (constrained to the rightful owner), an attacker can drain rent into their own wallet on every close.",
+    suggestion: "Constrain the close destination: `#[account(close = expected_owner, has_one = expected_owner)]`. Or verify with `require_keys_eq!(destination.key(), authority.key())` before transfer.",
+    // Match only when close=X appears in a #[account(...)] block that has NO has_one / constraint
+    // in the same block (tempered greedy excludes those keywords inside the brackets).
+    multilinePattern: /#\[account\s*\((?:(?!has_one|constraint)[^)\n]){0,400}close\s*=\s*\w+(?:(?!has_one|constraint)[^)\n]){0,400}\)\]/,
+    severity: "high",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-lamport-overflow",
+    title: "Solana: unchecked lamport arithmetic (overflow / underflow)",
+    description: "Direct mutation of `account.lamports.borrow_mut() += X` or `-= X` without `checked_add` / `checked_sub` can overflow on large mints or underflow on overdraft. Solana's runtime does NOT panic on integer overflow in release mode.",
+    suggestion: "Use `lamports.borrow_mut().checked_add(amount).ok_or(MyError::Overflow)?` and matching `checked_sub`. Or use `**lamports = lamports.checked_add(X)?`.",
+    pattern: /\*\*[\w.]+?\.lamports\s*\.\s*borrow_mut\s*\(\s*\)\s*[+\-]=/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-sysvar-substitution",
+    title: "Solana: sysvar accepted as AccountInfo (substitution risk)",
+    description: "Accepting `Clock`, `Rent`, `EpochSchedule`, or `SlotHashes` as raw `AccountInfo` allows an attacker to substitute a forged account holding crafted bytes. Type confusion \u2192 wrong clock values \u2192 expiry bypass.",
+    suggestion: "Use typed Anchor sysvar wrappers: `pub clock: Sysvar<'info, Clock>`, `pub rent: Sysvar<'info, Rent>`. The runtime enforces the correct pubkey.",
+    multilinePattern: /pub\s+(?:clock|rent|epoch_schedule|slot_hashes|recent_blockhashes|instructions)\s*:\s*AccountInfo\s*<\s*'info\s*>/,
+    severity: "high",
+    category: "solidity",
+    confidence: "high",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-pda-bump-not-stored",
+    title: "Solana: PDA bump derived but not stored on account",
+    description: "Calling `Pubkey::find_program_address(seeds, program_id)` recomputes the canonical bump every time \u2014 that's 32+ ed25519 ops per call. More critically, if you don't STORE the bump on the account, attackers can derive alternative PDAs with non-canonical bumps and break invariants.",
+    suggestion: "Anchor: declare the seed + bump in the account constraint: `#[account(seeds = [...], bump = state.bump)]`. Store the bump on first init.",
+    pattern: /Pubkey::find_program_address\s*\(/,
+    severity: "low",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  },
+  {
+    id: "cp-sl-multisig-threshold-check",
+    title: "Solana: multisig execution without threshold validation",
+    description: "A function checks individual signer authority but never validates that the count of signers meets the multisig threshold. Squads, Realms, and similar multisig programs must enforce `signers.len() >= threshold` before executing.",
+    suggestion: "Add `require!(approvals.len() as u8 >= multisig.threshold, MyError::QuorumNotReached)` before the dispatch.",
+    // Allow qualified field access like multisig.threshold, state.quorum, etc.
+    multilinePattern: /(?:signers|approvals|approvers|signatures|members)\s*\.\s*len\s*\(\s*\)(?![\s\S]{0,500}?(?:>=|>)\s*(?:\w+\.)?(?:threshold|quorum|min_signers|required_signers|min_approvals|m_of_n))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "low",
+    languages: RUST
+  }
+];
+var modernSolidityV2Rules = [
+  {
+    id: "cp-sol-eip1271-replay",
+    title: "EIP-1271 isValidSignature without nonce / expiry",
+    description: "Smart-contract signatures via `isValidSignature` (ERC-1271) that don't bind to a nonce + expiry can be replayed indefinitely. Permit2 leak-class attacks of 2024 exploited exactly this. Once a signature is leaked, it's valid forever and on every chain.",
+    suggestion: "Bind every accepted signature to: (a) a per-account nonce, (b) a deadline / expiry timestamp, AND (c) `block.chainid` in the typed-data domain. Increment nonce on successful verify.",
+    multilinePattern: /function\s+isValidSignature\s*\([^)]*\)\s*(?:external|public)[^{;]*\{(?![\s\S]{0,1500}?(?:nonce|deadline|expiry|chainid|usedSig|_consumeNonce|_useNonce))/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-safemint-reentrancy",
+    title: "ERC-721 _safeMint reentrancy via onERC721Received callback",
+    description: "`_safeMint` calls the recipient's `onERC721Received` hook. If state (totalSupply, balances, mint cap) is updated AFTER the safeMint, the recipient contract can re-enter and bypass the cap. Several memecoin / NFT mints have lost their entire whitelist allocation this way.",
+    suggestion: "Apply checks-effects-interactions: update mintCount, totalSupply, whitelist-spent BEFORE calling `_safeMint`. Or use `_mint` (no callback) when you don't need ERC-721-receiver compatibility, or add `nonReentrant`.",
+    multilinePattern: /_safeMint\s*\([^)]*\)\s*;[\s\S]{0,300}?(?:totalSupply|_mintedCount|mintedPerUser|whitelist\s*\[[^\]]*\]\s*=|_balanceOf\s*\[[^\]]*\]\s*=|\.\s*\w+\s*\+=\s*1)/,
+    severity: "high",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
+  },
+  {
+    id: "cp-sol-voting-snapshot-bypass",
+    title: "Voting power read from spot balanceOf (snapshot manipulation)",
+    description: "A governance proposal reads voting weight from `balanceOf(voter)` at vote time. Attacker flash-borrows the governance token, votes, returns the loan in the same tx. This is distinct from the Beanstalk same-block execute bug \u2014 here even a 24h timelock won't help because the bad vote is already counted.",
+    suggestion: "Use `getPriorVotes(voter, proposalSnapshotBlock)` (Compound), `ERC20Votes.getPastVotes`, or maintain a delegated-balance snapshot via Comp/OZ Votes. Never use `balanceOf` for voting weight.",
+    multilinePattern: /function\s+(?:castVote|vote|castVoteWithReason|_castVote)\s*\([^)]*\)[^{;]*\{[\s\S]{0,800}?balanceOf\s*\(\s*(?:msg\.sender|voter|\w+)\s*\)(?![\s\S]{0,400}?(?:getPriorVotes|getPastVotes|getVotes|snapshot|_snapshot|checkpoints))/,
+    severity: "critical",
+    category: "solidity",
+    confidence: "medium",
+    languages: SOL
   }
 ];
 var ALL_RULES2 = [
@@ -5327,7 +5422,8 @@ var ALL_RULES2 = [
   ...uniswapV4Rules,
   ...hackReplayRules,
   ...modernDeFiRules,
-  ...solanaRules
+  ...solanaRules,
+  ...modernSolidityV2Rules
 ];
 
 // src/static/pattern-scanner.ts
@@ -5364,7 +5460,7 @@ function isDocsFile(filePath) {
 }
 function isCommentLine(line) {
   const trimmed = line.trim();
-  return /^(?:\/\/|#|\/?\*|<!--)/.test(trimmed);
+  return /^(?!\*\*\w)(?:\/\/|#|\/?\*|<!--)/.test(trimmed);
 }
 function isImportLine(line) {
   const trimmed = line.trim();
@@ -5672,6 +5768,7 @@ function scanFile(relPath, content, rules, changedRanges) {
     if (rule.id === "cp-sl-pyth-staleness" && /(?:get_price_no_older_than|publish_time|MAX_AGE|max_age|stale|clock\.unix_timestamp\s*-)/.test(content)) continue;
     if (rule.id === "cp-sl-arbitrary-cpi" && /Program\s*<\s*'info\s*,/.test(content)) continue;
     if (rule.id === "cp-sl-missing-owner-check" && /(?:require_keys_eq!\s*\([^)]*\.owner|assert_eq!\s*\([^)]*\.owner|Account\s*<\s*'info|AccountLoader\s*<\s*'info)/.test(content)) continue;
+    if (rule.id === "cp-sol-voting-snapshot-bypass" && /(?:getPriorVotes|getPastVotes|getVotes|_snapshot|checkpoints|ERC20Votes|VotesUpgradeable|delegateBySig)/.test(content)) continue;
     rule.multilinePattern.lastIndex = 0;
     const isGlobal = rule.multilinePattern.flags.includes("g");
     let match;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@elytrasec/engine",
-  "version": "0.4.6",
-  "description": "Core analysis engine for Elytra \u2014 188 detection rules across Solidity, Solana/Anchor (Rust), JS/TS, Python, Go, IaC. Includes 12 famous-hack patterns, 11 rug-surface checks, 5 modern-DeFi detectors, 7 Solana detectors.",
+  "version": "0.4.8",
+  "description": "Core analysis engine for Elytra \u2014 196 detection rules across Solidity, Solana/Anchor (Rust), JS/TS, Python, Go, IaC. 12 famous-hack patterns, 11 rug-surface, 5 modern-DeFi + 3 modern-Solidity-v2, 12 Solana detectors.",
   "license": "MIT",
   "author": "ElytraSec <hello@elytrasec.io>",
   "homepage": "https://elytrasec.io",