@snovon/solast 0.2.0

package/dist/detectors/finance-flashloan-price-oracle-manipul.js

@@ -0,0 +1,546 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FinanceFlashloanPriceOracleManipulDetector = void 0;
+const RULE_ID = 'finance-flashloan-price-oracle-manipul';
+const PROVENANCE = 'x-20220321-onering-finance-flashloan-price-oracle-manipul';
+const SPOT_SOURCE_CALLS = new Set(['getReserves', 'getAmountOut', 'getAmountsOut']);
+const SINK_CALLS = new Set([
+    'transfer',
+    'transferfrom',
+    'safetransfer',
+    'safetransferfrom',
+    'sendvalue',
+    'mint',
+    '_mint',
+    'borrow',
+    'redeem',
+    'withdraw',
+]);
+const ACCESS_MODIFIERS = /^(onlyowner|onlyrole|onlyadmin|onlygovernance|onlygovernor|onlyguardian|onlyoperator|onlymanager)$/i;
+const REENTRANCY_MODIFIERS = /^(nonreentrant|lock|locked|noReentrant)$/i;
+const REFERENCE_TERMS = /(twap|reference|stored|median|trusted|oracleprice|lastprice|maxdeviation|deviation|circuit|delay)/i;
+const ACCOUNTING_TERMS = /(share|shares|balance|balances|supply|totalsupply|collateral|debt|borrow|credit|amountout|payout|withdraw|redeem|mint)/i;
+class FinanceFlashloanPriceOracleManipulDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contractNode of collectContracts(ast)) {
+            if (isInterfaceLike(contractNode))
+                continue;
+            const contractName = getName(contractNode) || '<anonymous>';
+            const spotHelpers = collectSpotHelperNames(contractNode);
+            for (const fn of getContractFunctions(contractNode)) {
+                if (!fn.body || !isExternallyCallable(fn))
+                    continue;
+                if (isReadOnly(fn))
+                    continue;
+                if (hasModifier(fn, ACCESS_MODIFIERS))
+                    continue;
+                const fnName = getName(fn) || '<anonymous>';
+                const sources = collectSources(fn.body, spotHelpers);
+                if (sources.length === 0)
+                    continue;
+                for (const source of sources) {
+                    const tainted = computeTainted(fn.body, source.node, spotHelpers);
+                    if (tainted.size === 0)
+                        continue;
+                    const sink = findSensitiveSink(fn.body, tainted);
+                    if (!sink)
+                        continue;
+                    if (hasSafeReferencePattern(fn.body, tainted))
+                        continue;
+                    if (hasInlineAccessGuardBefore(fn.body, source.node, sink.node))
+                        continue;
+                    const loc = getLoc(source.node, lineOffsets) || getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                    findings.push({
+                        file,
+                        contract: contractName,
+                        'function': fnName,
+                        line: loc.line,
+                        endLine: loc.line,
+                        column: loc.column,
+                        pattern: RULE_ID,
+                        confidence: 'high',
+                        category: 'vulnerability',
+                        ruleId: RULE_ID,
+                        severity: 'high',
+                        message: `OneRing-style flashloan price oracle manipulation risk in '${contractName}.${fnName}': ` +
+                            `same-transaction AMM spot source ${describeCall(source.node)} flows into ${sink.label}.`,
+                        rationale: 'A user-callable value/accounting path consumes a single AMM pair/router spot quote or reserve ratio. ' +
+                            'A flashloan can manipulate that same-transaction price before withdrawal, minting, redeem, or collateral logic executes.',
+                        suggestedFix: 'Use a TWAP or multi-source median/reference price for the payout or accounting value, bound spot prices against that reference, and keep maintenance-only cache updates access controlled.',
+                        contractName,
+                        functionName: fnName,
+                        sourceLocation: loc,
+                        findingId: '',
+                        contractHash: '',
+                        provenance: PROVENANCE,
+                    });
+                    break;
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.FinanceFlashloanPriceOracleManipulDetector = FinanceFlashloanPriceOracleManipulDetector;
+function collectSpotHelperNames(contractNode) {
+    const helpers = new Set();
+    let changed = true;
+    let safety = 0;
+    while (changed && safety < 6) {
+        changed = false;
+        safety += 1;
+        for (const fn of getContractFunctions(contractNode)) {
+            const name = getName(fn);
+            if (!name || helpers.has(name) || !fn.body)
+                continue;
+            if (!isInternalLike(fn))
+                continue;
+            if (functionReturnsSpotValue(fn.body, helpers)) {
+                helpers.add(name);
+                changed = true;
+            }
+        }
+    }
+    return helpers;
+}
+function functionReturnsSpotValue(body, helperNames) {
+    const sources = collectSources(body, helperNames);
+    if (sources.length === 0)
+        return false;
+    return sources.some(source => {
+        const tainted = computeTainted(body, source.node, helperNames);
+        return walkAny(body, node => {
+            if (!isNode(node, 'ReturnStatement'))
+                return false;
+            const expr = node.expression;
+            return !!expr && (containsNode(expr, source.node) || expressionIsTainted(expr, tainted));
+        });
+    });
+}
+function collectSources(body, helperNames) {
+    const sources = [];
+    walk(body, node => {
+        if (!isFunctionCall(node))
+            return;
+        const name = getCalleeName(node);
+        if (SPOT_SOURCE_CALLS.has(name) || helperNames.has(name))
+            sources.push({ node, name });
+    });
+    return sources;
+}
+function computeTainted(body, sourceNode, helperNames) {
+    const tainted = new Set();
+    let changed = true;
+    let safety = 0;
+    while (changed && safety < 10) {
+        changed = false;
+        safety += 1;
+        walk(body, node => {
+            if (isNode(node, 'VariableDeclarationStatement')) {
+                const initial = node.initialValue;
+                if (!initial)
+                    return;
+                if (!expressionUsesSource(initial, sourceNode, helperNames, tainted))
+                    return;
+                for (const decl of getDeclaredVariables(node)) {
+                    const name = getName(decl);
+                    if (name && !tainted.has(name)) {
+                        tainted.add(name);
+                        changed = true;
+                    }
+                }
+                return;
+            }
+            if (!isAssignmentNode(node))
+                return;
+            const rhs = getAssignmentRight(node);
+            const lhs = getAssignmentLeft(node);
+            if (!rhs || !lhs)
+                return;
+            if (!expressionUsesSource(rhs, sourceNode, helperNames, tainted))
+                return;
+            const lhsName = getIdentifierBaseName(lhs);
+            if (lhsName && !tainted.has(lhsName)) {
+                tainted.add(lhsName);
+                changed = true;
+            }
+        });
+    }
+    return tainted;
+}
+function expressionUsesSource(expr, sourceNode, helperNames, tainted) {
+    if (containsNode(expr, sourceNode))
+        return true;
+    return walkAny(expr, node => {
+        if (isNode(node, 'Identifier') && tainted.has(String(node.name || '')))
+            return true;
+        return isFunctionCall(node) && helperNames.has(getCalleeName(node));
+    });
+}
+function findSensitiveSink(body, tainted) {
+    let found = null;
+    walk(body, node => {
+        if (found)
+            return;
+        if (isFunctionCall(node)) {
+            const callee = getCalleeName(node).toLowerCase();
+            const args = node.arguments || [];
+            if ((callee === 'require' || callee === 'assert') && args[0] && expressionIsTainted(args[0], tainted)) {
+                const nextSink = nextSinkAfter(body, node, tainted);
+                if (nextSink)
+                    found = { node, label: `collateral/accounting gate before ${nextSink}` };
+                return;
+            }
+            if (!SINK_CALLS.has(callee))
+                return;
+            const taintedArg = args.find((arg) => expressionIsTainted(arg, tainted));
+            if (taintedArg)
+                found = { node, label: `${describeCall(node)} amount` };
+            return;
+        }
+        if (!isAssignmentNode(node))
+            return;
+        const lhs = getAssignmentLeft(node);
+        const rhs = getAssignmentRight(node);
+        if (!lhs || !rhs || !expressionIsTainted(rhs, tainted))
+            return;
+        if (!assignmentTargetIsAccounting(lhs))
+            return;
+        found = { node, label: `${getIdentifierBaseName(lhs) || 'accounting'} accounting write` };
+    });
+    return found;
+}
+function nextSinkAfter(body, marker, tainted) {
+    const statements = collectStatements(body);
+    const index = statements.findIndex(stmt => containsNode(stmt, marker));
+    if (index < 0)
+        return null;
+    for (let i = index + 1; i < statements.length; i += 1) {
+        let label = null;
+        walk(statements[i], node => {
+            if (label)
+                return;
+            if (isFunctionCall(node) && SINK_CALLS.has(getCalleeName(node).toLowerCase())) {
+                label = describeCall(node);
+            }
+            if (!label && isAssignmentNode(node) && expressionIsTainted(getAssignmentRight(node), tainted) && assignmentTargetIsAccounting(getAssignmentLeft(node))) {
+                label = getIdentifierBaseName(getAssignmentLeft(node)) || 'accounting write';
+            }
+        });
+        if (label)
+            return label;
+    }
+    return null;
+}
+function hasSafeReferencePattern(body, tainted) {
+    let hasBoundedSpot = false;
+    let taintedValueUsedInSink = false;
+    walk(body, node => {
+        if (isFunctionCall(node)) {
+            const callee = getCalleeName(node).toLowerCase();
+            const args = node.arguments || [];
+            if ((callee === 'require' || callee === 'assert') && args[0] && conditionBoundsTaintedAgainstReference(args[0], tainted)) {
+                hasBoundedSpot = true;
+            }
+            if (SINK_CALLS.has(callee) && args.some((arg) => expressionIsTainted(arg, tainted))) {
+                taintedValueUsedInSink = true;
+            }
+        }
+    });
+    const names = flattenNames(body);
+    const multiSourceMedian = /\bmedian\b/i.test(names) && countCallsNamed(body, 'price') >= 3;
+    return multiSourceMedian || (hasBoundedSpot && !taintedValueUsedInSink);
+}
+function conditionBoundsTaintedAgainstReference(condition, tainted) {
+    return walkAny(condition, node => {
+        if (!isNode(node, 'BinaryOperation'))
+            return false;
+        const op = String(node.operator || '');
+        if (!['<', '<=', '>', '>='].includes(op))
+            return false;
+        return expressionIsTainted(node, tainted) && REFERENCE_TERMS.test(flattenNames(node));
+    });
+}
+function hasInlineAccessGuardBefore(body, sourceNode, sinkNode) {
+    const statements = collectStatements(body);
+    const sourceIndex = statements.findIndex(stmt => containsNode(stmt, sourceNode));
+    const sinkIndex = statements.findIndex(stmt => containsNode(stmt, sinkNode));
+    if (sourceIndex < 0 || sinkIndex < 0)
+        return false;
+    for (let i = 0; i < Math.min(sourceIndex, sinkIndex); i += 1) {
+        if (statementIsAccessGuard(statements[i]))
+            return true;
+    }
+    return false;
+}
+function statementIsAccessGuard(stmt) {
+    if (isNode(stmt, 'ExpressionStatement') && isFunctionCall(stmt.expression)) {
+        const call = stmt.expression;
+        const callee = getCalleeName(call).toLowerCase();
+        const condition = (call.arguments || [])[0];
+        if ((callee === 'require' || callee === 'assert') && condition)
+            return conditionAuthorizesCaller(condition);
+        return /^(checkowner|_checkowner|checkrole|_checkrole)$/i.test(callee);
+    }
+    return false;
+}
+function conditionAuthorizesCaller(condition) {
+    if (isCallerEquality(condition))
+        return true;
+    if (isFunctionCall(condition) && /^(hasrole|isowner|isadmin|isauthorized)$/i.test(getCalleeName(condition)))
+        return true;
+    return childrenOf(condition).some(conditionAuthorizesCaller);
+}
+function isCallerEquality(node) {
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    if (op !== '==' && op !== '===')
+        return false;
+    const left = node.left ?? node.leftExpression;
+    const right = node.right ?? node.rightExpression;
+    return (isMsgSender(left) && isAuthSubject(right)) || (isMsgSender(right) && isAuthSubject(left));
+}
+function isMsgSender(node) {
+    return isNode(node, 'MemberAccess') &&
+        String(node.memberName || '') === 'sender' &&
+        isNode(node.expression, 'Identifier') &&
+        String(node.expression.name || '') === 'msg';
+}
+function isAuthSubject(node) {
+    if (isNode(node, 'Identifier'))
+        return /^(owner|admin|governance|governor|guardian|operator|manager)$/i.test(String(node.name || ''));
+    if (isNode(node, 'MemberAccess'))
+        return /^(owner|admin|governance|governor|guardian|operator|manager)$/i.test(String(node.memberName || ''));
+    return false;
+}
+function assignmentTargetIsAccounting(node) {
+    const name = getIdentifierBaseName(node) || flattenNames(node);
+    return ACCOUNTING_TERMS.test(name);
+}
+function expressionIsTainted(expr, tainted) {
+    if (!expr)
+        return false;
+    return walkAny(expr, node => isNode(node, 'Identifier') && tainted.has(String(node.name || '')));
+}
+function countCallsNamed(node, name) {
+    let count = 0;
+    walk(node, child => {
+        if (isFunctionCall(child) && getCalleeName(child).toLowerCase() === name.toLowerCase())
+            count += 1;
+    });
+    return count;
+}
+function collectStatements(body) {
+    return Array.isArray(body?.statements) ? body.statements.filter((stmt) => stmt && typeof stmt === 'object') : [];
+}
+function containsNode(haystack, needle) {
+    let found = false;
+    walk(haystack, node => {
+        if (node === needle)
+            found = true;
+    });
+    return found;
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInternalLike(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'internal' || visibility === 'private';
+}
+function isReadOnly(fn) {
+    const mutability = String(fn?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function hasModifier(fn, pattern) {
+    const modifiers = fn?.modifiers || fn?.modifierList || [];
+    return Array.isArray(modifiers) && modifiers.some((modifier) => pattern.test(getModifierName(modifier)));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function getDeclaredVariables(node) {
+    if (Array.isArray(node?.variables))
+        return node.variables.filter(Boolean);
+    if (Array.isArray(node?.declarations))
+        return node.declarations.filter(Boolean);
+    return [];
+}
+function isAssignmentNode(node) {
+    return isNode(node, 'Assignment') || (isNode(node, 'BinaryOperation') && /^(=|\+=|-=|\*=|\/=|%=)$/.test(String(node.operator || '')));
+}
+function getAssignmentLeft(node) {
+    if (!node)
+        return null;
+    if (isNode(node, 'Assignment'))
+        return node.leftHandSide;
+    if (isNode(node, 'BinaryOperation'))
+        return node.left;
+    return null;
+}
+function getAssignmentRight(node) {
+    if (!node)
+        return null;
+    if (isNode(node, 'Assignment'))
+        return node.rightHandSide;
+    if (isNode(node, 'BinaryOperation'))
+        return node.right;
+    return null;
+}
+function getIdentifierBaseName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if (isNode(node, 'Identifier'))
+        return String(node.name || '');
+    if (isNode(node, 'MemberAccess'))
+        return getIdentifierBaseName(node.expression);
+    if (isNode(node, 'IndexAccess'))
+        return getIdentifierBaseName(node.baseExpression || node.base);
+    return '';
+}
+function describeCall(call) {
+    const expr = call?.expression;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'MemberAccess')) {
+        const base = flattenCondition(expr.expression);
+        const member = String(expr.memberName || '');
+        return base ? `${base}.${member}` : member;
+    }
+    return getCalleeName(call);
+}
+function getCalleeName(node) {
+    const expr = node?.expression;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function collectContracts(ast) {
+    const out = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            out.push(node);
+    });
+    return out;
+}
+function getContractFunctions(contractNode) {
+    const members = Array.isArray(contractNode?.subNodes) ? contractNode.subNodes : Array.isArray(contractNode?.nodes) ? contractNode.nodes : [];
+    return members.filter((node) => isNode(node, 'FunctionDefinition'));
+}
+function isInterfaceLike(contractNode) {
+    const kind = String(contractNode?.kind || contractNode?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function flattenNames(node) {
+    const names = [];
+    walk(node, child => {
+        if (isNode(child, 'Identifier'))
+            names.push(String(child.name || ''));
+        if (isNode(child, 'MemberAccess'))
+            names.push(String(child.memberName || ''));
+    });
+    return names.join(' ');
+}
+function flattenCondition(node) {
+    if (isNode(node, 'Identifier'))
+        return String(node.name || '');
+    if (isNode(node, 'MemberAccess')) {
+        const base = flattenCondition(node.expression);
+        const member = String(node.memberName || '');
+        return base ? `${base}.${member}` : member;
+    }
+    return '';
+}
+function isFunctionCall(node) {
+    return isNode(node, 'FunctionCall');
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(child => walkAny(child, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeName' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    children.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i += 1) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=finance-flashloan-price-oracle-manipul.js.map

package/dist/detectors/finance-flashloan-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class FinanceFlashloanReentrancyDetector {
+    readonly id = "finance-flashloan-reentrancy";
+    readonly patternKey = "finance-flashloan-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}