@snovon/solast 0.2.0

package/dist/detectors/estuary-token-flaw.js

@@ -0,0 +1,547 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EstuaryTokenFlawDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'estuary-token-flaw';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const TOKEN_ENTRYPOINTS = new Set(['transfer', 'transferfrom', 'approve']);
+function isTokenEntrypoint(name) {
+    return TOKEN_ENTRYPOINTS.has(name.toLowerCase());
+}
+function childNodes(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'typeName' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function isStateMutation(node, stateVars, localVars) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'BinaryOperation' && ASSIGN_OPS.has(node.operator)) {
+        return refersToStateStorage(node.left, stateVars, localVars);
+    }
+    if (node.type === 'UnaryOperation' && (node.operator === '++' || node.operator === '--')) {
+        return refersToStateStorage(node.subExpression, stateVars, localVars);
+    }
+    return false;
+}
+function expressionKey(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '<unknown>';
+    if (expr.type === 'Identifier')
+        return String(expr.name || '<identifier>');
+    if (expr.type === 'MemberAccess') {
+        return `${expressionKey(expr.expression)}.${String(expr.memberName || '<member>')}`;
+    }
+    if (expr.type === 'IndexAccess') {
+        return `${expressionKey(expr.base)}[${expressionKey(expr.index)}]`;
+    }
+    if (expr.type === 'FunctionCall') {
+        const args = (expr.arguments || []).map((arg) => expressionKey(arg)).join(',');
+        return `${expressionKey(expr.expression)}(${args})`;
+    }
+    if (expr.type === 'NumberLiteral')
+        return String(expr.number || expr.value || '<number>');
+    if (expr.type === 'BooleanLiteral')
+        return String(expr.value);
+    if (expr.type === 'StringLiteral')
+        return JSON.stringify(expr.value || '');
+    return expr.type || '<expr>';
+}
+function mutationKey(node) {
+    if (node?.type === 'BinaryOperation' && ASSIGN_OPS.has(node.operator)) {
+        return `${String(node.operator)}:${expressionKey(node.left)}`;
+    }
+    if (node?.type === 'UnaryOperation' && (node.operator === '++' || node.operator === '--')) {
+        return `${String(node.operator)}:${expressionKey(node.subExpression)}`;
+    }
+    return `${node?.type || '<mutation>'}:${(0, ast_1.tryLoc)(node)?.line ?? 0}`;
+}
+function refersToStateStorage(expr, stateVars, localVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (expr.type === 'Identifier') {
+        const name = String(expr.name || '');
+        if (localVars.has(name))
+            return false;
+        return stateVars.has(name);
+    }
+    if (expr.type === 'IndexAccess')
+        return refersToStateStorage(expr.base, stateVars, localVars);
+    if (expr.type === 'MemberAccess')
+        return refersToStateStorage(expr.expression, stateVars, localVars);
+    return false;
+}
+function newMutationSet() {
+    return { all: new Set(), core: new Set() };
+}
+function indexUsesActor(expr, actorVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (expr.type === 'Identifier') {
+        return actorVars.has(String(expr.name || ''));
+    }
+    if (expr.type === 'MemberAccess') {
+        if (expr.expression?.type === 'Identifier') {
+            const obj = String(expr.expression.name || '');
+            const member = String(expr.memberName || '');
+            if ((obj === 'msg' && member === 'sender') || (obj === 'tx' && member === 'origin')) {
+                return true;
+            }
+        }
+        return indexUsesActor(expr.expression, actorVars);
+    }
+    if (expr.type === 'IndexAccess') {
+        return indexUsesActor(expr.base, actorVars) || indexUsesActor(expr.index, actorVars);
+    }
+    if (expr.type === 'FunctionCall') {
+        return (expr.arguments || []).some((a) => indexUsesActor(a, actorVars));
+    }
+    return false;
+}
+function isCoreMutationTarget(target, actorVars) {
+    if (!target || typeof target !== 'object')
+        return false;
+    if (target.type === 'IndexAccess') {
+        if (indexUsesActor(target.index, actorVars))
+            return true;
+        return isCoreMutationTarget(target.base, actorVars);
+    }
+    if (target.type === 'MemberAccess') {
+        return isCoreMutationTarget(target.expression, actorVars);
+    }
+    return false;
+}
+function isCoreMutation(node, actorVars) {
+    if (node?.type === 'BinaryOperation' && ASSIGN_OPS.has(node.operator)) {
+        return isCoreMutationTarget(node.left, actorVars);
+    }
+    if (node?.type === 'UnaryOperation' && (node.operator === '++' || node.operator === '--')) {
+        return isCoreMutationTarget(node.subExpression, actorVars);
+    }
+    return false;
+}
+function collectMutations(body, stateVars, localVars, actorVars) {
+    const mutations = newMutationSet();
+    if (!body)
+        return mutations;
+    const nodes = body.type === 'Block' ? (body.statements || []) : [body];
+    for (const stmt of nodes) {
+        collectMutationsFromNode(stmt, stateVars, localVars, actorVars, mutations);
+    }
+    return mutations;
+}
+function collectMutationsFromNode(node, stateVars, localVars, actorVars, mutations) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'ExpressionStatement' && node.expression) {
+        collectMutationsFromNode(node.expression, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+    if (isStateMutation(node, stateVars, localVars)) {
+        const key = mutationKey(node);
+        mutations.all.add(key);
+        if (isCoreMutation(node, actorVars))
+            mutations.core.add(key);
+        return;
+    }
+    if (node.type === 'IfStatement') {
+        if (node.trueBody)
+            collectMutationsFromNode(node.trueBody, stateVars, localVars, actorVars, mutations);
+        if (node.falseBody)
+            collectMutationsFromNode(node.falseBody, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+    if (node.type === 'Block') {
+        for (const s of node.statements || []) {
+            collectMutationsFromNode(s, stateVars, localVars, actorVars, mutations);
+        }
+        return;
+    }
+    if (node.type === 'ForStatement') {
+        if (node.body)
+            collectMutationsFromNode(node.body, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+    if (node.type === 'WhileStatement') {
+        if (node.body)
+            collectMutationsFromNode(node.body, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+    if (node.type === 'DoWhileStatement') {
+        if (node.body)
+            collectMutationsFromNode(node.body, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+    if (node.type === 'UncheckedStatement') {
+        if (node.body)
+            collectMutationsFromNode(node.body, stateVars, localVars, actorVars, mutations);
+        return;
+    }
+}
+function isLiteralFalse(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (expr.type === 'BooleanLiteral')
+        return expr.value === false;
+    if (expr.type === 'UnaryOperation' &&
+        expr.operator === '!' &&
+        expr.subExpression?.type === 'BooleanLiteral') {
+        return expr.subExpression.value === true;
+    }
+    return false;
+}
+function branchTerminates(branch) {
+    if (!branch || typeof branch !== 'object')
+        return false;
+    const stmts = branch.type === 'Block' ? (branch.statements || []) : [branch];
+    for (const stmt of stmts) {
+        if (!stmt || typeof stmt !== 'object')
+            continue;
+        if (stmt.type === 'ReturnStatement')
+            return true;
+        if (stmt.type === 'RevertStatement')
+            return true;
+        if (stmt.type === 'ThrowStatement')
+            return true;
+        if (stmt.type === 'ExpressionStatement' && stmt.expression) {
+            const expr = stmt.expression;
+            if (expr.type === 'FunctionCall') {
+                const callee = expr.expression;
+                if (callee?.type === 'Identifier') {
+                    const name = String(callee.name || '').toLowerCase();
+                    if (name === 'revert')
+                        return true;
+                    if ((name === 'require' || name === 'assert') && isLiteralFalse(expr.arguments?.[0])) {
+                        return true;
+                    }
+                }
+                if (callee?.type === 'MemberAccess') {
+                    const member = String(callee.memberName || '').toLowerCase();
+                    if (member === 'revert')
+                        return true;
+                }
+            }
+        }
+        if (stmt.type === 'IfStatement') {
+            const trueTerm = branchTerminates(stmt.trueBody);
+            const falseTerm = stmt.falseBody ? branchTerminates(stmt.falseBody) : false;
+            if (trueTerm && falseTerm)
+                return true;
+        }
+    }
+    return false;
+}
+function branchReturns(branch) {
+    if (!branch || typeof branch !== 'object')
+        return false;
+    const stmts = branch.type === 'Block' ? (branch.statements || []) : [branch];
+    for (const stmt of stmts) {
+        if (!stmt || typeof stmt !== 'object')
+            continue;
+        if (stmt.type === 'ReturnStatement')
+            return true;
+        if (stmt.type === 'IfStatement') {
+            if (branchReturns(stmt.trueBody))
+                return true;
+            if (branchReturns(stmt.falseBody))
+                return true;
+        }
+    }
+    return false;
+}
+function isMeaningfulConditional(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type !== 'Conditional')
+        return false;
+    const trueExpr = node.trueExpression;
+    const falseExpr = node.falseExpression;
+    if (!trueExpr || !falseExpr)
+        return false;
+    if (trueExpr.type === 'BinaryOperation' || falseExpr.type === 'BinaryOperation')
+        return true;
+    return false;
+}
+function collectConditionalMutations(expr, stateVars, localVars, actorVars) {
+    const mutations = newMutationSet();
+    if (!expr || typeof expr !== 'object')
+        return mutations;
+    if (isStateMutation(expr, stateVars, localVars)) {
+        const key = 'cond:' + mutationKey(expr);
+        mutations.all.add(key);
+        if (isCoreMutation(expr, actorVars))
+            mutations.core.add(key);
+    }
+    return mutations;
+}
+function compareMutations(trueMutations, falseMutations, trueBody, falseBody) {
+    const trueTerminates = branchTerminates(trueBody);
+    const falseTerminates = branchTerminates(falseBody);
+    const trueReturns = branchReturns(trueBody);
+    const falseReturns = branchReturns(falseBody);
+    // Compare only on core token-movement mutations (sender debit, recipient credit, allowance writes).
+    // Extra accounting mutations (fee/burn/treasury credits keyed by state-vars) are intentionally
+    // excluded so that legitimate fee-on-transfer branches with balanced sender/recipient flows
+    // are not flagged. See docs/detectors/estuary-token-flaw.md for the rationale.
+    const trueCore = trueMutations.core;
+    const falseCore = falseMutations.core;
+    if (trueTerminates && falseTerminates) {
+        if (trueReturns && !falseReturns) {
+            const falseOnly = [...falseCore].filter(m => !trueCore.has(m));
+            if (falseOnly.length > 0)
+                return 'true';
+        }
+        if (falseReturns && !trueReturns) {
+            const trueOnly = [...trueCore].filter(m => !falseCore.has(m));
+            if (trueOnly.length > 0)
+                return 'false';
+        }
+        if (trueReturns && falseReturns) {
+            const trueOnly = [...trueCore].filter(m => !falseCore.has(m));
+            const falseOnly = [...falseCore].filter(m => !trueCore.has(m));
+            if (trueOnly.length > 0 && falseOnly.length > 0)
+                return 'both';
+            if (trueOnly.length > 0)
+                return 'false';
+            if (falseOnly.length > 0)
+                return 'true';
+        }
+        return null;
+    }
+    if (trueTerminates && !falseTerminates) {
+        if (falseCore.size === 0)
+            return null;
+        if (trueCore.size === 0)
+            return null;
+        const trueOnly = [...trueCore].filter(m => !falseCore.has(m));
+        const falseOnly = [...falseCore].filter(m => !trueCore.has(m));
+        if (trueOnly.length > 0 || falseOnly.length > 0)
+            return 'true';
+        return null;
+    }
+    if (falseTerminates && !trueTerminates) {
+        if (trueCore.size === 0)
+            return null;
+        if (falseCore.size === 0)
+            return null;
+        const trueOnly = [...trueCore].filter(m => !falseCore.has(m));
+        const falseOnly = [...falseCore].filter(m => !trueCore.has(m));
+        if (trueOnly.length > 0 || falseOnly.length > 0)
+            return 'false';
+        return null;
+    }
+    const trueOnly = [...trueCore].filter(m => !falseCore.has(m));
+    const falseOnly = [...falseCore].filter(m => !trueCore.has(m));
+    if (trueOnly.length > 0 && falseOnly.length > 0)
+        return 'both';
+    if (trueOnly.length > 0)
+        return 'true';
+    if (falseOnly.length > 0)
+        return 'false';
+    return null;
+}
+class EstuaryTokenFlawDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    stateVars = new Set();
+    localVars = new Set();
+    scanAst(ast, file, _sourceText) {
+        this.currentFile = file;
+        const findings = [];
+        if (!ast || ast.type !== 'SourceUnit')
+            return findings;
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            this.stateVars = this.collectStateVariables(child);
+            this.localVars = new Set();
+            for (const sub of child.subNodes || []) {
+                if (sub?.type !== 'FunctionDefinition')
+                    continue;
+                if (!sub.body)
+                    continue;
+                if (sub.isConstructor || sub.kind === 'constructor')
+                    continue;
+                if (sub.stateMutability === 'view' || sub.stateMutability === 'pure')
+                    continue;
+                const fnName = sub.name || '';
+                if (!isTokenEntrypoint(fnName))
+                    continue;
+                this.localVars = this.collectLocals(sub);
+                const fnFindings = this.analyzeTokenFunction(child, sub);
+                findings.push(...fnFindings);
+            }
+        }
+        return findings;
+    }
+    analyzeTokenFunction(contract, fn) {
+        const findings = [];
+        const fnName = fn.name || '<anonymous>';
+        const body = fn.body;
+        if (!body)
+            return findings;
+        const ifFindings = this.checkIfStatements(body, contract, fnName);
+        findings.push(...ifFindings);
+        const condFindings = this.checkConditionalExpressions(body, contract, fnName);
+        findings.push(...condFindings);
+        return findings;
+    }
+    checkIfStatements(body, contract, fnName) {
+        const findings = [];
+        walk(body, (node) => {
+            if (node.type !== 'IfStatement')
+                return;
+            const trueBody = node.trueBody;
+            const falseBody = node.falseBody;
+            if (!trueBody && !falseBody)
+                return;
+            if (!trueBody || !falseBody) {
+                const present = trueBody || falseBody;
+                const missing = trueBody ? falseBody : trueBody;
+                if (missing && !branchTerminates(present) && !branchTerminates(missing)) {
+                    const presentMutations = collectMutations(present, this.stateVars, this.localVars, this.localVars);
+                    const missingMutations = collectMutations(missing, this.stateVars, this.localVars, this.localVars);
+                    const hasMutationsInPresent = presentMutations.core.size > 0;
+                    const hasMutationInMissing = missingMutations.core.size > 0;
+                    if (hasMutationsInPresent && hasMutationInMissing) {
+                        findings.push(this.makeFinding(contract, fnName, node, 'Skipped state mutation in conditional branch'));
+                    }
+                }
+                return;
+            }
+            const trueMutations = collectMutations(trueBody, this.stateVars, this.localVars, this.localVars);
+            const falseMutations = collectMutations(falseBody, this.stateVars, this.localVars, this.localVars);
+            const comparison = compareMutations(trueMutations, falseMutations, trueBody, falseBody);
+            if (comparison) {
+                const { line, column } = (0, ast_1.assertLoc)(node);
+                findings.push({
+                    file: this.currentFile,
+                    contract: contract.name || '',
+                    'function': fnName,
+                    line,
+                    column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Branch-skipping token flaw in '${fnName}': state mutation present in one conditional branch is absent or reordered in its sibling.`,
+                    contractName: contract.name || '',
+                    functionName: fnName,
+                    sourceLocation: { line, column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        });
+        return findings;
+    }
+    checkConditionalExpressions(body, contract, fnName) {
+        const findings = [];
+        walk(body, (node) => {
+            if (node.type !== 'Conditional')
+                return;
+            const trueExpr = node.trueExpression;
+            const falseExpr = node.falseExpression;
+            if (!trueExpr || !falseExpr)
+                return;
+            const trueMutations = collectConditionalMutations(trueExpr, this.stateVars, this.localVars, this.localVars);
+            const falseMutations = collectConditionalMutations(falseExpr, this.stateVars, this.localVars, this.localVars);
+            if (trueMutations.core.size === 0 && falseMutations.core.size === 0)
+                return;
+            const trueOnly = [...trueMutations.core].filter(m => !falseMutations.core.has(m));
+            const falseOnly = [...falseMutations.core].filter(m => !trueMutations.core.has(m));
+            if (trueOnly.length > 0 || falseOnly.length > 0) {
+                const { line, column } = (0, ast_1.assertLoc)(node);
+                findings.push({
+                    file: this.currentFile,
+                    contract: contract.name || '',
+                    'function': fnName,
+                    line,
+                    column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Branch-skipping token flaw in '${fnName}': state mutation present in one ternary branch is absent or reordered in its sibling.`,
+                    contractName: contract.name || '',
+                    functionName: fnName,
+                    sourceLocation: { line, column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        });
+        return findings;
+    }
+    collectStateVariables(contract) {
+        const set = new Set();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'StateVariableDeclaration') {
+                for (const v of sub.variables || []) {
+                    if (v?.name)
+                        set.add(v.name);
+                }
+            }
+        }
+        return set;
+    }
+    collectLocals(fn) {
+        const set = new Set();
+        for (const p of fn.parameters || []) {
+            if (p?.name)
+                set.add(p.name);
+        }
+        for (const p of fn.returnParameters || []) {
+            if (p?.name)
+                set.add(p.name);
+        }
+        return set;
+    }
+    makeFinding(contract, fnName, node, message) {
+        const loc = (0, ast_1.tryLoc)(node) ?? { line: 0, endLine: 0, column: 0 };
+        const line = loc.line;
+        const column = loc.column;
+        return {
+            file: this.currentFile,
+            contract: contract.name || '',
+            'function': fnName,
+            line,
+            column,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message,
+            contractName: contract.name || '',
+            functionName: fnName,
+            sourceLocation: { line, column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.EstuaryTokenFlawDetector = EstuaryTokenFlawDetector;
+//# sourceMappingURL=estuary-token-flaw.js.map

package/dist/detectors/euler-debt-token-manipulation.d.ts

@@ -0,0 +1,32 @@
+import type { ScanResult } from '../index';
+export declare class EulerDebtTokenManipulationDetector {
+    readonly id = "euler-debt-token-manipulation";
+    readonly patternKey = "euler-debt-token-manipulation";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private scanContract;
+    private summarizeFunction;
+    private propagateInternalSummaries;
+    private collectDebtStateVariables;
+    private collectDebtTokenVariables;
+    private collectDebtTokenLocalVariables;
+    private isExternallyReachable;
+    private isFlashLoanCall;
+    private isDebtTokenMutationCall;
+    private isDebtStateMutation;
+    private isDebtHelperName;
+    private hasDebtContext;
+    private hasDebtAccountingName;
+    private isDebtTokenHandle;
+    private isDTokenIdentifierName;
+    private isDTokenTypeName;
+    private unwrapCallOptions;
+    private callName;
+    private isMemberCall;
+    private buildFinding;
+    private typeNameText;
+    private expressionText;
+    private collectIdentifiers;
+    private walk;
+    private childNodes;
+}