@snovon/solast 0.2.0

package/dist/detectors/finance-bridge-address0safetransferfrom.js

@@ -0,0 +1,574 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FinanceBridgeAddress0SafeTransferFromDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'finance-bridge-address0safetransferfrom';
+const SAFE_TRANSFER_NAMES = new Set(['safetransferfrom', 'safetransfer']);
+const MINT_CREDIT_NAMES = new Set(['_mint', '_credit', 'mint', 'credit', 'wrap']);
+const ZERO_GUARD_NAMES = new Set(['require', 'assert', 'revert']);
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlybridge',
+    'onlyrole',
+    'onlyadmin',
+    'onlymanager',
+    'onlyoperator',
+    'onlyguardian',
+    'onlyminter',
+]);
+class FinanceBridgeAddress0SafeTransferFromDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            const contractName = String(child.name || '');
+            for (const sub of child.subNodes || []) {
+                if (sub?.type !== 'FunctionDefinition')
+                    continue;
+                if (!sub.body)
+                    continue;
+                if (sub.kind === 'constructor')
+                    continue;
+                const visibility = String(sub.visibility || '').toLowerCase();
+                if (visibility !== 'public' && visibility !== 'external')
+                    continue;
+                const result = this.analyzeFunction(sub, contractName, file, lineOffsets);
+                if (result)
+                    findings.push(result);
+            }
+        }
+        return findings;
+    }
+    analyzeFunction(fn, contractName, file, lineOffsets) {
+        const body = fn.body;
+        if (!body)
+            return null;
+        if (hasRecognizedAccessControlModifier(fn))
+            return null;
+        const statements = getBlockStatements(body);
+        if (statements.length === 0)
+            return null;
+        const localVars = collectLocalVars(fn);
+        const aliasMap = buildAliasMap(fn);
+        const fnName = String(fn.name || '<anonymous>');
+        let transferIndex = -1;
+        let transferResult = null;
+        for (let i = 0; i < statements.length; i++) {
+            const tr = findSafeTransferCall(statements[i], localVars);
+            if (tr && tr.isDynamic) {
+                transferIndex = i;
+                transferResult = tr;
+                break;
+            }
+        }
+        if (transferIndex === -1 || !transferResult)
+            return null;
+        const resolvedTokenExpr = resolveAlias(transferResult.tokenExpr, aliasMap);
+        for (let i = 0; i < transferIndex; i++) {
+            if (isTokenSpecificZeroGuard(statements[i], resolvedTokenExpr, aliasMap)) {
+                return null;
+            }
+        }
+        if (transferIndex + 1 >= statements.length)
+            return null;
+        if (!hasDownstreamMintOrCredit(statements.slice(transferIndex + 1), localVars, fnName, contractName)) {
+            return null;
+        }
+        const safeTransferCall = transferResult.call;
+        const { line, column } = (0, ast_1.assertLoc)(safeTransferCall, fn.body);
+        return makeFinding(file, contractName, fnName, { line, column });
+    }
+}
+exports.FinanceBridgeAddress0SafeTransferFromDetector = FinanceBridgeAddress0SafeTransferFromDetector;
+function makeFinding(file, contractName, fnName, loc) {
+    return {
+        file,
+        contract: contractName,
+        'function': fnName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'critical',
+        message: `Finance bridge address(0) safeTransferFrom in '${contractName}.${fnName}': dynamically-resolved token address reaches a safeTransferFrom/safeTransfer call without a preceding zero-address guard, and a downstream mint/credit operation follows — matching the Qubit 2022-01-28 exploit pattern.`,
+        rationale: 'Qubit bridge deposit: token resolved from a mapping or parameter is passed directly to safeTransferFrom without a `require(token != address(0))` guard, then wrapped value is minted. Calling the function with resourceId mapped to address(0) causes a no-op transfer of native tokens followed by mint of wrapped assets.',
+        suggestedFix: 'Add `require(token != address(0))` or equivalent custom-error revert before the safeTransferFrom call, or validate the token address in a modifier. Ensure the transfer-before-mint ordering is preserved and that CEI ordering is respected.',
+        contractName,
+        functionName: fnName,
+        sourceLocation: loc,
+        findingId: '',
+        contractHash: '',
+        source: 'x-20220128-qubit-finance-bridge-address0safetransferfrom',
+    };
+}
+function isTokenSpecificZeroGuard(stmt, resolvedTransferExpr, aliasMap) {
+    if (!stmt || typeof stmt !== 'object')
+        return false;
+    if (!resolvedTransferExpr)
+        return false;
+    const condition = extractGuardCondition(stmt);
+    if (!condition)
+        return false;
+    const checked = extractZeroAddressGuardCheckedExprs(condition);
+    for (const c of checked) {
+        const resolved = resolveAlias(c, aliasMap);
+        if (structuralEqual(resolved, resolvedTransferExpr))
+            return true;
+    }
+    return false;
+}
+function extractGuardCondition(stmt) {
+    if (isNode(stmt, 'ExpressionStatement') && isNode(stmt.expression, 'FunctionCall')) {
+        const call = stmt.expression;
+        const callee = call.expression;
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '').toLowerCase();
+            if (name === 'require' || name === 'assert') {
+                const args = getCallArguments(call);
+                return args.length > 0 ? args[0] : null;
+            }
+        }
+    }
+    if (isNode(stmt, 'IfStatement')) {
+        const condition = stmt.condition;
+        if (!condition)
+            return null;
+        if (isUnaryNotOfEquality(condition)) {
+            const trueBody = stmt.trueBody;
+            if (trueBody && bodyEndsWithRevert(trueBody)) {
+                return condition.subExpression || condition.argument;
+            }
+            return null;
+        }
+        const branches = [stmt.trueBody, stmt.falseBody].filter(Boolean);
+        if (branches.length > 0 && branches.every(b => bodyEndsWithRevert(b))) {
+            return condition;
+        }
+    }
+    return null;
+}
+function extractZeroAddressGuardCheckedExprs(node) {
+    const out = [];
+    walk(node, (n) => {
+        if (!isNode(n, 'BinaryOperation'))
+            return;
+        const op = String(n.operator || '');
+        if (op !== '==' && op !== '!=' && op !== '===' && op !== '!==')
+            return;
+        if (isZeroAddressExpr(n.left) && n.right) {
+            out.push(n.right);
+        }
+        else if (isZeroAddressExpr(n.right) && n.left) {
+            out.push(n.left);
+        }
+    });
+    return out;
+}
+function isZeroAddressExpr(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'FunctionCall')) {
+        const callee = node.expression;
+        if (isNode(callee, 'Identifier') && String(callee.name || '') === 'address') {
+            const args = getCallArguments(node);
+            if (args.length === 1 && isNode(args[0], 'NumberLiteral')) {
+                const num = String(args[0].number || '');
+                if (num === '0' || /^0x0+$/i.test(num))
+                    return true;
+            }
+        }
+    }
+    if (isNode(node, 'NumberLiteral')) {
+        const num = String(node.number || '');
+        if (/^0x0{40}$/i.test(num))
+            return true;
+    }
+    return false;
+}
+function buildAliasMap(fn) {
+    const map = new Map();
+    const reassigned = new Set();
+    walk(fn?.body, (n) => {
+        if (isNode(n, 'VariableDeclarationStatement')) {
+            const initial = n.initialValue;
+            const vars = n.variables || [];
+            if (initial && vars.length === 1 && vars[0]?.name && isAliasableExpr(initial)) {
+                const name = String(vars[0].name);
+                if (map.has(name)) {
+                    reassigned.add(name);
+                }
+                else {
+                    map.set(name, initial);
+                }
+            }
+        }
+        if (isNode(n, 'ExpressionStatement') && isNode(n.expression, 'BinaryOperation')) {
+            const bin = n.expression;
+            const op = String(bin.operator || '');
+            if (op === '=' || op === '+=' || op === '-=' || op === '*=' || op === '/=' || op === '|=' || op === '&=' || op === '^=') {
+                const lhs = bin.left;
+                if (isNode(lhs, 'Identifier')) {
+                    reassigned.add(String(lhs.name || ''));
+                }
+            }
+        }
+    });
+    for (const r of reassigned)
+        map.delete(r);
+    return map;
+}
+function isAliasableExpr(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier'))
+        return true;
+    if (isNode(expr, 'IndexAccess'))
+        return true;
+    if (isNode(expr, 'MemberAccess'))
+        return true;
+    if (isNode(expr, 'FunctionCall')) {
+        const callee = expr.expression;
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name === 'IERC20' || name === 'SafeERC20') {
+                const args = getCallArguments(expr);
+                return args.length > 0 && isAliasableExpr(args[0]);
+            }
+        }
+    }
+    return false;
+}
+function resolveAlias(expr, aliasMap, depth = 0) {
+    if (depth > 8)
+        return expr;
+    if (!expr || typeof expr !== 'object')
+        return expr;
+    if (isNode(expr, 'FunctionCall')) {
+        const callee = expr.expression;
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name === 'IERC20' || name === 'SafeERC20') {
+                const args = getCallArguments(expr);
+                if (args.length > 0) {
+                    return resolveAlias(args[0], aliasMap, depth + 1);
+                }
+            }
+        }
+        return expr;
+    }
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        const next = aliasMap.get(name);
+        if (next)
+            return resolveAlias(next, aliasMap, depth + 1);
+        return expr;
+    }
+    return expr;
+}
+function structuralEqual(a, b) {
+    if (a === b)
+        return true;
+    if (!a || !b || typeof a !== 'object' || typeof b !== 'object')
+        return false;
+    if (a.type !== b.type)
+        return false;
+    switch (a.type) {
+        case 'Identifier':
+            return String(a.name || '') === String(b.name || '');
+        case 'IndexAccess':
+            return structuralEqual(a.base, b.base) && structuralEqual(a.index, b.index);
+        case 'MemberAccess':
+            return String(a.memberName || '') === String(b.memberName || '')
+                && structuralEqual(a.expression, b.expression);
+        case 'NumberLiteral':
+            return String(a.number || '') === String(b.number || '')
+                && String(a.subdenomination || '') === String(b.subdenomination || '');
+        case 'StringLiteral':
+            return String(a.value || '') === String(b.value || '');
+        case 'BooleanLiteral':
+            return Boolean(a.value) === Boolean(b.value);
+        case 'FunctionCall': {
+            if (!structuralEqual(a.expression, b.expression))
+                return false;
+            const aArgs = getCallArguments(a);
+            const bArgs = getCallArguments(b);
+            if (aArgs.length !== bArgs.length)
+                return false;
+            for (let i = 0; i < aArgs.length; i++) {
+                if (!structuralEqual(aArgs[i], bArgs[i]))
+                    return false;
+            }
+            return true;
+        }
+        default:
+            return false;
+    }
+}
+function isUnaryNotOfEquality(node) {
+    if (!isNode(node, 'UnaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    if (op !== '!')
+        return false;
+    const sub = node.subExpression || node.argument;
+    if (!isNode(sub, 'BinaryOperation'))
+        return false;
+    const op2 = String(sub.operator || '');
+    return op2 === '==' || op2 === '===' || op2 === '!=' || op2 === '!==';
+}
+function bodyEndsWithRevert(body) {
+    if (!body || typeof body !== 'object')
+        return false;
+    const stmts = isNode(body, 'Block') ? (body.statements || []) : [body];
+    for (const s of stmts) {
+        if (isNode(s, 'RevertStatement') || isNode(s, 'ThrowStatement'))
+            return true;
+        if (isNode(s, 'ExpressionStatement') && isNode(s.expression, 'FunctionCall')) {
+            const callee = s.expression.expression;
+            if (isNode(callee, 'Identifier') && String(callee.name || '').toLowerCase() === 'revert')
+                return true;
+        }
+    }
+    return false;
+}
+function findSafeTransferCall(node, localVars) {
+    let result = null;
+    walk(node, (n) => {
+        if (result)
+            return;
+        if (!isNode(n, 'FunctionCall'))
+            return;
+        const memberName = getCallMemberName(n).toLowerCase();
+        if (!SAFE_TRANSFER_NAMES.has(memberName))
+            return;
+        const args = getCallArguments(n);
+        let tokenExpr = null;
+        if (memberName === 'safetransferfrom') {
+            if (args.length < 3)
+                return;
+            const calleeExpr = n.expression;
+            if (isNode(calleeExpr, 'MemberAccess')) {
+                tokenExpr = calleeExpr.expression;
+            }
+        }
+        else if (memberName === 'safetransfer') {
+            if (args.length < 2)
+                return;
+            const calleeExpr = n.expression;
+            if (isNode(calleeExpr, 'MemberAccess')) {
+                tokenExpr = calleeExpr.expression;
+            }
+        }
+        if (!tokenExpr)
+            return;
+        const isDynamic = isDynamicTokenExpr(tokenExpr, localVars);
+        result = { call: n, isDynamic, tokenExpr };
+    });
+    return result;
+}
+function isDynamicTokenExpr(expr, localVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        return localVars.has(name);
+    }
+    if (isNode(expr, 'IndexAccess')) {
+        return true;
+    }
+    if (isNode(expr, 'MemberAccess')) {
+        return isDynamicTokenExpr(expr.expression, localVars);
+    }
+    if (isNode(expr, 'FunctionCall')) {
+        const callee = expr.expression;
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name === 'IERC20' || name === 'SafeERC20') {
+                const innerArgs = getCallArguments(expr);
+                if (innerArgs.length > 0)
+                    return isDynamicTokenExpr(innerArgs[0], localVars);
+            }
+        }
+        return true;
+    }
+    return false;
+}
+function hasDownstreamMintOrCredit(statements, localVars, fnName, contractName) {
+    for (const stmt of statements) {
+        let found = false;
+        walk(stmt, (n) => {
+            if (found)
+                return;
+            if (isNode(n, 'FunctionCall')) {
+                const callee = n.expression;
+                let name = '';
+                if (isNode(callee, 'Identifier')) {
+                    name = String(callee.name || '').toLowerCase();
+                }
+                else if (isNode(callee, 'MemberAccess')) {
+                    name = String(callee.memberName || '').toLowerCase();
+                }
+                if (MINT_CREDIT_NAMES.has(name) && name !== 'require' && name !== 'assert' && name !== 'revert') {
+                    found = true;
+                    return;
+                }
+            }
+            if (isNode(n, 'BinaryOperation')) {
+                const op = String(n.operator || '');
+                if (op === '+=' || op === '-=' || op === '=') {
+                    if (n.left && isStateWritingExpression(n.left, localVars)) {
+                        found = true;
+                        return;
+                    }
+                }
+            }
+            if (isNode(n, 'UnaryOperation')) {
+                const op = String(n.operator || '');
+                if (op === '++' || op === '--') {
+                    found = true;
+                    return;
+                }
+            }
+        });
+        if (found)
+            return true;
+    }
+    return false;
+}
+function isStateWritingExpression(expr, localVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        return localVars.has(name);
+    }
+    if (isNode(expr, 'IndexAccess')) {
+        return true;
+    }
+    if (isNode(expr, 'MemberAccess')) {
+        return isStateWritingExpression(expr.expression, localVars);
+    }
+    return false;
+}
+function collectLocalVars(fn) {
+    const set = new Set();
+    for (const p of fn.parameters || []) {
+        if (p?.name)
+            set.add(String(p.name));
+    }
+    for (const p of fn.returnParameters || []) {
+        if (p?.name)
+            set.add(String(p.name));
+    }
+    collectLocalVarsRecursive(fn.body, set);
+    return set;
+}
+function collectLocalVarsRecursive(node, set) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'VariableDeclarationStatement')) {
+        for (const v of node.variables || []) {
+            if (v?.name)
+                set.add(String(v.name));
+        }
+    }
+    for (const child of childrenOf(node))
+        collectLocalVarsRecursive(child, set);
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    if (Array.isArray(body.statements))
+        return body.statements;
+    return [];
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function getCallMemberName(node) {
+    const expr = node?.expression;
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+//# sourceMappingURL=finance-bridge-address0safetransferfrom.js.map

package/dist/detectors/finance-business-logic-in-mint.d.ts

@@ -0,0 +1,54 @@
+import type { ScanResult } from '../index';
+export declare class FinanceBusinessLogicInMintDetector {
+    readonly id = "finance-business-logic-in-mint";
+    readonly patternKey = "finance-business-logic-in-mint";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private findings;
+    private currentContract;
+    private currentContractName;
+    private currentContractSkipped;
+    private stateVarsStack;
+    private functionState;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    StateVariableDeclaration(node: any): void;
+    VariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    IfStatement(node: any): void;
+    IfStatement_post(node: any): void;
+    ForStatement(_node: any): void;
+    ForStatement_post(_node: any): void;
+    WhileStatement(_node: any): void;
+    WhileStatement_post(_node: any): void;
+    DoWhileStatement(_node: any): void;
+    DoWhileStatement_post(_node: any): void;
+    TryStatement(_node: any): void;
+    TryStatement_post(_node: any): void;
+    FunctionCall(node: any): void;
+    BinaryOperation(node: any): void;
+    Assignment(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    private currentStateVars;
+    private hasAccessControlGuard;
+    private modifierBodyHasIntakeOrAccessGuard;
+    private hasInlineAccessControlGuard;
+    private activeCandidate;
+    private isMintEffectCall;
+    private expressionDependsOnMsgValue;
+    private mintAmountDependsOnMsgValue;
+    private argumentReferencesMsgValueDerivedLocal;
+    private rememberMsgValueDerivedAssignment;
+    private handleAccountingOperation;
+    private emitFinding;
+}