@snovon/solast 0.2.0

package/dist/detectors/finance-flashloan-reentrancy.js

@@ -0,0 +1,547 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FinanceFlashloanReentrancyDetector = void 0;
+const RULE_ID = 'finance-flashloan-reentrancy';
+const PATTERN_GRIM = `${RULE_ID}/grim-depositfor-token-callback`;
+const SOURCE = 'x-2026-05-04-grim-finance-flashloan-reentrancy';
+const TOKEN_PARAM_NAME = /^(token|asset|tokenaddr|tokenaddress|tokenin|inputtoken|srctoken|currency|coin|erc20)$/i;
+const SHARE_STATE_NAME = /^(shares?|totalshares?|balances?)$/i;
+const TRANSFER_FROM_MEMBERS = new Set(['transferFrom', 'safeTransferFrom']);
+const SHARE_MINT_CALL_NAMES = new Set(['_mint', '_mintShares', 'mintShares']);
+const REENTRANCY_GUARD_MODIFIER = /^(nonreentrant|noreentrant|reentrancyguard|noreentry|nonreentrantcall)$/i;
+const ACCESS_CONTROL_MODIFIER = /^(only|require|restricted)/i;
+const ACCESS_CONTROL_MODIFIER_NAMES = new Set([
+    'auth', 'authorized', 'whenauthorized', 'whitelisted', 'onlybridge',
+]);
+const MUTATION_OPERATORS = new Set([
+    '=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=',
+]);
+class FinanceFlashloanReentrancyDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const shareStateNames = collectShareStateNames(contract);
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                if (!isExternallyReachable(fn))
+                    continue;
+                const mutability = String(fn.stateMutability || '').toLowerCase();
+                if (mutability === 'view' || mutability === 'pure')
+                    continue;
+                if (hasReentrancyGuard(fn))
+                    continue;
+                if (hasAccessControl(fn))
+                    continue;
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const tokenParams = getTokenParams(fn);
+                if (tokenParams.size === 0)
+                    continue;
+                const validatedTokens = collectValidatedTokens(body, tokenParams);
+                const stillCallerControlled = setDifference(tokenParams, validatedTokens);
+                if (stillCallerControlled.size === 0)
+                    continue;
+                const ctx = {
+                    tokenParams: stillCallerControlled,
+                    shareStateNames,
+                    localVarNames: new Set(),
+                    callLoc: null,
+                    callNode: null,
+                    mutatesShareAfterCall: false,
+                };
+                walkOrdered(body, ctx, false, lineOffsets);
+                if (!ctx.callLoc)
+                    continue;
+                if (!ctx.mutatesShareAfterCall)
+                    continue;
+                const fnName = getName(fn) || '<anonymous>';
+                const loc = ctx.callLoc;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: PATTERN_GRIM,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Finance vault entrypoint '${contractName}.${fnName}' invokes transferFrom on a caller-supplied token before share accounting is finalized, mirroring the 2021-12-18 Grim Finance flashloan reentrancy.`,
+                    rationale: 'Mirrors the Grim Finance 2021-12-18 exploit: a public deposit accepts an arbitrary ERC20, performs transferFrom on it before finalizing share-mint accounting, and the attacker-controlled token re-enters the vault from inside the transfer to mint additional shares against stale pool state.',
+                    suggestedFix: 'Validate the token parameter against a trusted state variable (e.g., `require(token == want)`), wrap the entrypoint in an established `nonReentrant` guard, restrict the function to a trusted role, or finalize share accounting before the external transfer.',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    externalCallNode: ctx.callNode,
+                    callbackEdge: 'caller-controlled-token-transferfrom',
+                    findingId: '',
+                    contractHash: '',
+                    source: SOURCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.FinanceFlashloanReentrancyDetector = FinanceFlashloanReentrancyDetector;
+function walkOrdered(node, ctx, isWriteContext, lineOffsets) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'EmitStatement'))
+        return;
+    if (isNode(node, 'Block') || isNode(node, 'UncheckedBlock')) {
+        for (const stmt of node.statements || [])
+            walkOrdered(stmt, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'ExpressionStatement')) {
+        walkOrdered(node.expression, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'IfStatement')) {
+        walkOrdered(node.condition, ctx, false, lineOffsets);
+        if (node.trueBody)
+            walkOrdered(node.trueBody, ctx, false, lineOffsets);
+        if (node.falseBody)
+            walkOrdered(node.falseBody, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'ForStatement')) {
+        walkOrdered(node.initExpression || node.initializationExpression, ctx, false, lineOffsets);
+        walkOrdered(node.conditionExpression || node.condition, ctx, false, lineOffsets);
+        walkOrdered(node.body, ctx, false, lineOffsets);
+        walkOrdered(node.loopExpression, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'WhileStatement') || isNode(node, 'DoWhileStatement')) {
+        walkOrdered(node.condition, ctx, false, lineOffsets);
+        walkOrdered(node.body, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'VariableDeclarationStatement')) {
+        for (const name of getDeclaredLocalNames(node))
+            ctx.localVarNames.add(name);
+        walkOrdered(node.initialValue, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'Return')) {
+        walkOrdered(node.expression, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'TryStatement')) {
+        walkOrdered(node.expression || node.externalCall, ctx, false, lineOffsets);
+        if (node.body)
+            walkOrdered(node.body, ctx, false, lineOffsets);
+        for (const c of node.catchClauses || [])
+            walkOrdered(c, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'CatchClause')) {
+        if (node.body)
+            walkOrdered(node.body, ctx, false, lineOffsets);
+        return;
+    }
+    if ((isNode(node, 'BinaryOperation') || isNode(node, 'Assignment')) &&
+        MUTATION_OPERATORS.has(String(node.operator || ''))) {
+        const left = node.left || node.leftExpression || node.leftHandSide;
+        const right = node.right || node.rightExpression || node.rightHandSide;
+        walkOrdered(right, ctx, false, lineOffsets);
+        walkOrdered(left, ctx, true, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'UnaryOperation') && String(node.operator || '') === 'delete') {
+        walkOrdered(node.subExpression || node.expression, ctx, true, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'FunctionCall')) {
+        if (!ctx.callLoc && isCallerControlledTransferFrom(node, ctx.tokenParams)) {
+            const computed = getLoc(node, lineOffsets);
+            if (computed) {
+                ctx.callLoc = computed;
+                ctx.callNode = node;
+            }
+        }
+        if (ctx.callLoc && !ctx.mutatesShareAfterCall && isShareMintCall(node, ctx.localVarNames)) {
+            ctx.mutatesShareAfterCall = true;
+        }
+        for (const arg of getCallArguments(node))
+            walkOrdered(arg, ctx, false, lineOffsets);
+        walkOrdered(node.expression, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'IndexAccess')) {
+        const rootName = rootIdentifierName(node);
+        if (rootName && ctx.shareStateNames.has(rootName)) {
+            if (isWriteContext && ctx.callLoc)
+                ctx.mutatesShareAfterCall = true;
+        }
+        let cur = node;
+        while (cur && isNode(cur, 'IndexAccess')) {
+            walkOrdered(cur.index || cur.indexExpression, ctx, false, lineOffsets);
+            cur = cur.base || cur.baseExpression;
+        }
+        if (cur && !isNode(cur, 'Identifier'))
+            walkOrdered(cur, ctx, false, lineOffsets);
+        return;
+    }
+    if (isNode(node, 'Identifier')) {
+        if (isWriteContext && ctx.callLoc && ctx.shareStateNames.has(String(node.name || ''))) {
+            ctx.mutatesShareAfterCall = true;
+        }
+        return;
+    }
+    for (const child of childrenOf(node)) {
+        walkOrdered(child, ctx, isWriteContext, lineOffsets);
+    }
+}
+function isCallerControlledTransferFrom(node, tokenParams) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '');
+    if (!TRANSFER_FROM_MEMBERS.has(member))
+        return false;
+    const receiverIdent = findIdentifierName(callee.expression);
+    if (!receiverIdent)
+        return false;
+    return tokenParams.has(receiverIdent);
+}
+function isShareMintCall(node, localVarNames) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    const name = mintCalleeName(callee);
+    if (!name || !SHARE_MINT_CALL_NAMES.has(name))
+        return false;
+    for (const arg of getCallArguments(node)) {
+        if (isNode(arg, 'Identifier') && localVarNames.has(String(arg.name || '')))
+            return true;
+    }
+    return false;
+}
+function mintCalleeName(callee) {
+    if (!callee || typeof callee !== 'object')
+        return '';
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '');
+    if (isNode(callee, 'MemberAccess')) {
+        const receiver = callee.expression;
+        if (isNode(receiver, 'Identifier') && String(receiver.name || '') === 'super') {
+            return String(callee.memberName || '');
+        }
+    }
+    return '';
+}
+function getDeclaredLocalNames(stmt) {
+    const out = [];
+    const decls = Array.isArray(stmt?.variables)
+        ? stmt.variables
+        : (Array.isArray(stmt?.declarations) ? stmt.declarations : []);
+    for (const d of decls) {
+        if (d && typeof d.name === 'string' && d.name)
+            out.push(d.name);
+    }
+    return out;
+}
+function findIdentifierName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'TupleExpression')) {
+        const components = expr.components || [];
+        if (components.length === 1)
+            return findIdentifierName(components[0]);
+    }
+    if (isNode(expr, 'FunctionCall')) {
+        if (isTypeConversionLike(expr)) {
+            const args = getCallArguments(expr);
+            if (args.length === 1)
+                return findIdentifierName(args[0]);
+        }
+    }
+    return null;
+}
+function isTypeConversionLike(call) {
+    if (!call)
+        return false;
+    if (call.kind === 'typeConversion')
+        return true;
+    const expr = call.expression;
+    if (!expr)
+        return false;
+    if (isNode(expr, 'ElementaryTypeName'))
+        return true;
+    if (isNode(expr, 'ElementaryTypeNameExpression'))
+        return true;
+    if (isNode(expr, 'UserDefinedTypeName'))
+        return true;
+    if (isNode(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        return /^[A-Z]/.test(name);
+    }
+    return false;
+}
+function getCallArguments(node) {
+    if (Array.isArray(node?.arguments))
+        return node.arguments;
+    return [];
+}
+function unwrapCallOptions(expr) {
+    let current = expr;
+    while (current && (isNode(current, 'NameValueExpression') || isNode(current, 'FunctionCallOptions'))) {
+        current = current.expression;
+    }
+    return current;
+}
+function rootIdentifierName(node) {
+    let cur = node;
+    while (cur && isNode(cur, 'IndexAccess')) {
+        cur = cur.base || cur.baseExpression;
+    }
+    if (cur && isNode(cur, 'Identifier'))
+        return String(cur.name || '');
+    return '';
+}
+function collectValidatedTokens(body, tokenParams) {
+    const validated = new Set();
+    walkValidations(body, tokenParams, validated);
+    return validated;
+}
+function walkValidations(node, tokenParams, validated) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'FunctionCall')) {
+        const callee = node.expression;
+        const name = isNode(callee, 'Identifier') ? String(callee.name || '') : '';
+        if (name === 'require' || name === 'assert') {
+            const args = getCallArguments(node);
+            if (args[0])
+                collectEqualityValidatedTokens(args[0], tokenParams, validated);
+        }
+    }
+    for (const child of childrenOf(node))
+        walkValidations(child, tokenParams, validated);
+}
+function collectEqualityValidatedTokens(expr, tokenParams, validated) {
+    if (!expr || typeof expr !== 'object')
+        return;
+    if (isNode(expr, 'BinaryOperation')) {
+        const op = String(expr.operator || '');
+        if (op === '&&') {
+            collectEqualityValidatedTokens(expr.left || expr.leftExpression, tokenParams, validated);
+            collectEqualityValidatedTokens(expr.right || expr.rightExpression, tokenParams, validated);
+            return;
+        }
+        if (op === '==') {
+            const left = expr.left || expr.leftExpression;
+            const right = expr.right || expr.rightExpression;
+            checkSideForToken(left, tokenParams, validated);
+            checkSideForToken(right, tokenParams, validated);
+        }
+    }
+}
+function checkSideForToken(side, tokenParams, validated) {
+    if (isNode(side, 'Identifier') && tokenParams.has(String(side.name || ''))) {
+        validated.add(String(side.name));
+    }
+}
+function getTokenParams(fn) {
+    const out = new Set();
+    for (const p of getParameters(fn)) {
+        const name = getName(p);
+        if (name && TOKEN_PARAM_NAME.test(name))
+            out.add(name);
+    }
+    return out;
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (fn?.parameters && Array.isArray(fn.parameters.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function collectShareStateNames(contract) {
+    const out = new Set();
+    for (const member of getContractMembers(contract)) {
+        if (isNode(member, 'StateVariableDeclaration')) {
+            for (const v of member.variables || [])
+                collectShareStateName(v, out);
+        }
+        else if (isNode(member, 'VariableDeclaration') && member.stateVariable === true) {
+            collectShareStateName(member, out);
+        }
+    }
+    return out;
+}
+function collectShareStateName(variable, out) {
+    if (!variable || !variable.name)
+        return;
+    const name = String(variable.name);
+    if (SHARE_STATE_NAME.test(name))
+        out.add(name);
+}
+function hasReentrancyGuard(fn) {
+    for (const m of fn?.modifiers || []) {
+        if (REENTRANCY_GUARD_MODIFIER.test(getModifierName(m)))
+            return true;
+    }
+    return false;
+}
+function hasAccessControl(fn) {
+    for (const m of fn?.modifiers || []) {
+        const name = getModifierName(m);
+        if (ACCESS_CONTROL_MODIFIER.test(name))
+            return true;
+        if (ACCESS_CONTROL_MODIFIER_NAMES.has(name.toLowerCase()))
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object')
+        return String(modifier.name.name || modifier.name.namePath || '');
+    if (modifier.modifierName) {
+        const m = modifier.modifierName;
+        if (typeof m === 'string')
+            return m;
+        return String(m.name || m.namePath || '');
+    }
+    return '';
+}
+function isExternallyReachable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    if (String(fn.kind || '').toLowerCase() === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    if (visibility === 'public' || visibility === 'external')
+        return true;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'fallback' || kind === 'receive')
+        return true;
+    return false;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(fn) { return fn?.body || null; }
+function getName(node) { return typeof node?.name === 'string' ? node.name : ''; }
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(node => isNode(node, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, out);
+    return out;
+}
+function walkContracts(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        out.push(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, out);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'scope')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function setDifference(a, b) {
+    const out = new Set();
+    for (const x of a)
+        if (!b.has(x))
+            out.add(x);
+    return out;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start) {
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    }
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=finance-flashloan-reentrancy.js.map

package/dist/detectors/finance-swap-metapool-attack.d.ts

@@ -0,0 +1,19 @@
+import type { ScanResult } from '../index';
+export declare class FinanceSwapMetapoolAttackDetector {
+    readonly id = "finance-swap-metapool-attack";
+    readonly patternKey = "finance-swap-metapool-attack";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+    private hasMetapoolSignal;
+    private analyzeSwapFunction;
+    private findMetapoolPriceCacheVars;
+    private isMetapoolPriceCall;
+    private scanForVulnerability;
+    private exprContainsVar;
+    private isExternalCall;
+    private nodeNameText;
+    private walk;
+    private locOf;
+    private childNodes;
+    private makeFinding;
+}