@snovon/solast 0.2.0

package/dist/detectors/flashloan-reentrancy-rari.d.ts

@@ -0,0 +1,28 @@
+import type { ScanResult } from '../index';
+export declare class FlashloanReentrancyRariDetector {
+    readonly id = "flashloan-reentrancy";
+    readonly patternKey = "flashloan-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, _sourceText?: string): ScanResult[];
+    private walk;
+    private walkLhsIndices;
+    private isExternalCall;
+    private refersToLendingStateStorage;
+    private getDirectCallName;
+    private locOf;
+    private collectContracts;
+    private isInterfaceLike;
+    private collectStateVariables;
+    private collectLendingStateVars;
+    private getContractFunctions;
+    private isExternallyReachable;
+    private hasReentrancyGuard;
+    private hasAccessControl;
+    private getModifierName;
+    private collectLocalVariables;
+    private harvestLocals;
+    private summarizeInternalFunctions;
+    private getBaseContractName;
+    private containsExternalCall;
+    private childNodes;
+}

package/dist/detectors/flashloan-reentrancy-rari.js

@@ -0,0 +1,577 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FlashloanReentrancyRariDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'flashloan-reentrancy';
+const PATTERN = `${RULE_ID}/fuse-pool-stale-accounting-reentrancy`;
+const ACCOUNTING_NAME_HINTS = [
+    'collateral', 'debt', 'borrow', 'deposit', 'balance', 'principal',
+    'supplied', 'supply', 'liquid', 'reserve', 'frozen',
+];
+const LOW_LEVEL_CALL_MEMBERS = new Set([
+    'call', 'delegatecall', 'staticcall', 'send', 'transfer',
+]);
+const BUILTIN_BASE_IDENTIFIERS = new Set([
+    'msg', 'block', 'tx', 'abi', 'this', 'super', 'address', 'payable',
+    'type', 'bytes', 'string', 'keccak256', 'sha256', 'ripemd160', 'ecrecover',
+    'assert', 'require', 'revert', 'gasleft',
+]);
+const REENTRANCY_GUARD_RE = /^(nonreentrant|noreentrant|reentrancyguard|noreentry|nonreentrantcall)$/i;
+const ACCESS_CONTROL_PREFIX_RE = /^(only|require|restricted)/i;
+const ACCESS_CONTROL_NAMES = new Set([
+    'auth', 'authorized', 'whenauthorized', 'whitelisted', 'onlybridge',
+]);
+const ASSIGN_OPS = new Set([
+    '=', '+=', '-=', '*=', '/=', '%=',
+    '&=', '|=', '^=', '<<=', '>>=', '>>>=',
+]);
+class FlashloanReentrancyRariDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, _sourceText) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        const contractsByName = new Map();
+        for (const c of this.collectContracts(ast)) {
+            if (c?.name)
+                contractsByName.set(String(c.name), c);
+        }
+        for (const contract of this.collectContracts(ast)) {
+            if (this.isInterfaceLike(contract))
+                continue;
+            const lendingStateVars = this.collectLendingStateVars(contract);
+            if (lendingStateVars.size === 0)
+                continue;
+            const stateVars = this.collectStateVariables(contract);
+            const internalSummaries = this.summarizeInternalFunctions(contract, contractsByName);
+            const contractName = contract.name || '<anonymous>';
+            for (const fn of this.getContractFunctions(contract)) {
+                if (!this.isExternallyReachable(fn))
+                    continue;
+                const mutability = String(fn.stateMutability || '').toLowerCase();
+                if (mutability === 'view' || mutability === 'pure')
+                    continue;
+                if (this.hasReentrancyGuard(fn))
+                    continue;
+                if (this.hasAccessControl(fn))
+                    continue;
+                if (!fn.body)
+                    continue;
+                const ctx = {
+                    lendingStateVars,
+                    stateVars,
+                    localVars: this.collectLocalVariables(fn),
+                    internalSummaries,
+                    localVarsCache: new Map(),
+                    visiting: new Set([String(fn.name || '')]),
+                };
+                const state = {
+                    sawAccountingRead: false,
+                    sawCallAfterRead: false,
+                    externalCallNode: null,
+                    findingLoc: null,
+                };
+                this.walk(fn.body, state, ctx);
+                if (state.findingLoc) {
+                    const fnName = fn.name || '<anonymous>';
+                    findings.push({
+                        file,
+                        contract: contractName,
+                        'function': fnName,
+                        line: state.findingLoc.line,
+                        endLine: state.findingLoc.line,
+                        column: state.findingLoc.column,
+                        pattern: PATTERN,
+                        confidence: 'high',
+                        ruleId: RULE_ID,
+                        severity: 'high',
+                        message: `Lending pool entrypoint '${contractName}.${fnName}' reads collateral/debt accounting state, then makes an external call, and finally writes accounting state — exposing the function to a flashloan-amplified reentrancy in the Rari/Fei pattern.`,
+                        rationale: 'The Rari/Fei exploit (2022-04-30) hit a Fuse pool whose collateral/debt accounting was read before an external callback and only settled after the callback returned, letting a flashloan-distorted oracle drive a reentrant withdrawal that drained the pool.',
+                        suggestedFix: 'Finalize all collateral/debt accounting state before any external call (CEI), or guard the entrypoint with a proven nonReentrant modifier, or restrict the function to a trusted role via access control.',
+                        contractName,
+                        functionName: fnName,
+                        sourceLocation: { line: state.findingLoc.line, column: state.findingLoc.column },
+                        externalCallNode: state.externalCallNode,
+                        findingId: '',
+                        contractHash: '',
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    walk(node, state, ctx) {
+        if (!node || typeof node !== 'object' || state.findingLoc)
+            return;
+        if (node.type === 'EmitStatement')
+            return;
+        if (node.type === 'Block' || node.type === 'UncheckedBlock') {
+            for (const stmt of node.statements || []) {
+                this.walk(stmt, state, ctx);
+                if (state.findingLoc)
+                    return;
+            }
+            return;
+        }
+        if (node.type === 'ExpressionStatement') {
+            this.walk(node.expression, state, ctx);
+            return;
+        }
+        if (node.type === 'VariableDeclarationStatement') {
+            for (const v of node.variables || []) {
+                if (v?.name)
+                    ctx.localVars.add(String(v.name));
+            }
+            if (node.initialValue)
+                this.walk(node.initialValue, state, ctx);
+            return;
+        }
+        if (node.type === 'Return') {
+            if (node.expression)
+                this.walk(node.expression, state, ctx);
+            return;
+        }
+        if (node.type === 'IfStatement') {
+            if (node.condition)
+                this.walk(node.condition, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.trueBody)
+                this.walk(node.trueBody, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.falseBody)
+                this.walk(node.falseBody, state, ctx);
+            return;
+        }
+        if (node.type === 'ForStatement') {
+            if (node.initExpression)
+                this.walk(node.initExpression, state, ctx);
+            if (node.initializationExpression)
+                this.walk(node.initializationExpression, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.conditionExpression)
+                this.walk(node.conditionExpression, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.body)
+                this.walk(node.body, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.loopExpression)
+                this.walk(node.loopExpression, state, ctx);
+            return;
+        }
+        if (node.type === 'WhileStatement' || node.type === 'DoWhileStatement') {
+            if (node.condition)
+                this.walk(node.condition, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.body)
+                this.walk(node.body, state, ctx);
+            return;
+        }
+        if (node.type === 'TryStatement') {
+            if (node.expression)
+                this.walk(node.expression, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.body)
+                this.walk(node.body, state, ctx);
+            for (const c of node.catchClauses || []) {
+                if (state.findingLoc)
+                    return;
+                if (c.body)
+                    this.walk(c.body, state, ctx);
+            }
+            return;
+        }
+        if (node.type === 'BinaryOperation' && ASSIGN_OPS.has(node.operator)) {
+            if (node.right)
+                this.walk(node.right, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (this.refersToLendingStateStorage(node.left, ctx)) {
+                if (state.sawCallAfterRead) {
+                    state.findingLoc = this.locOf(node);
+                    return;
+                }
+            }
+            this.walkLhsIndices(node.left, state, ctx);
+            return;
+        }
+        if (node.type === 'UnaryOperation') {
+            const op = String(node.operator || '');
+            if ((op === '++' || op === '--' || op === 'delete') &&
+                this.refersToLendingStateStorage(node.subExpression, ctx)) {
+                if (state.sawCallAfterRead) {
+                    state.findingLoc = this.locOf(node);
+                    return;
+                }
+            }
+            this.walkLhsIndices(node.subExpression, state, ctx);
+            return;
+        }
+        if (node.type === 'FunctionCall') {
+            for (const arg of node.arguments || []) {
+                this.walk(arg, state, ctx);
+                if (state.findingLoc)
+                    return;
+            }
+            const directName = this.getDirectCallName(node.expression);
+            if (directName === 'require' || directName === 'assert' || directName === 'revert') {
+                return;
+            }
+            if (this.isExternalCall(node)) {
+                if (state.sawAccountingRead && !state.sawCallAfterRead) {
+                    state.sawCallAfterRead = true;
+                    state.externalCallNode = node;
+                }
+                return;
+            }
+            if (directName) {
+                const summary = ctx.internalSummaries.get(directName);
+                if (summary?.fn && !ctx.visiting.has(directName)) {
+                    const calleeFn = summary.fn;
+                    let calleeLocals = ctx.localVarsCache.get(calleeFn);
+                    if (!calleeLocals) {
+                        calleeLocals = this.collectLocalVariables(calleeFn);
+                        ctx.localVarsCache.set(calleeFn, calleeLocals);
+                    }
+                    const savedLocals = ctx.localVars;
+                    ctx.localVars = calleeLocals;
+                    ctx.visiting.add(directName);
+                    if (calleeFn.body)
+                        this.walk(calleeFn.body, state, ctx);
+                    ctx.visiting.delete(directName);
+                    ctx.localVars = savedLocals;
+                    return;
+                }
+                if (summary?.performsExternalCall) {
+                    if (state.sawAccountingRead && !state.sawCallAfterRead) {
+                        state.sawCallAfterRead = true;
+                        state.externalCallNode = node;
+                    }
+                    return;
+                }
+            }
+            if (node.expression)
+                this.walk(node.expression, state, ctx);
+            return;
+        }
+        if (node.type === 'IndexAccess' || node.type === 'MemberAccess' || node.type === 'Identifier') {
+            if (this.refersToLendingStateStorage(node, ctx)) {
+                if (!state.sawCallAfterRead)
+                    state.sawAccountingRead = true;
+            }
+            if (node.type === 'IndexAccess') {
+                if (node.base)
+                    this.walk(node.base, state, ctx);
+                if (state.findingLoc)
+                    return;
+                if (node.index)
+                    this.walk(node.index, state, ctx);
+            }
+            else if (node.type === 'MemberAccess') {
+                if (node.expression)
+                    this.walk(node.expression, state, ctx);
+            }
+            return;
+        }
+        for (const child of this.childNodes(node)) {
+            this.walk(child, state, ctx);
+            if (state.findingLoc)
+                return;
+        }
+    }
+    // Walk only the *index* expressions of a write target — never the storage
+    // base — so `arr[stateRead] = foo` still records a read of `stateRead`,
+    // but `debtOf[u] += amount` does not double-count `debtOf` as a read.
+    walkLhsIndices(node, state, ctx) {
+        if (!node || typeof node !== 'object' || state.findingLoc)
+            return;
+        if (node.type === 'IndexAccess') {
+            this.walkLhsIndices(node.base, state, ctx);
+            if (state.findingLoc)
+                return;
+            if (node.index)
+                this.walk(node.index, state, ctx);
+            return;
+        }
+        if (node.type === 'MemberAccess') {
+            this.walkLhsIndices(node.expression, state, ctx);
+            return;
+        }
+        if (node.type === 'TupleExpression') {
+            for (const c of node.components || []) {
+                this.walkLhsIndices(c, state, ctx);
+                if (state.findingLoc)
+                    return;
+            }
+            return;
+        }
+    }
+    isExternalCall(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        let callee = node.expression;
+        while (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            callee = callee.expression;
+        }
+        if (callee?.type !== 'MemberAccess')
+            return false;
+        const member = String(callee.memberName || '').toLowerCase();
+        if (LOW_LEVEL_CALL_MEMBERS.has(member))
+            return true;
+        const baseExpr = callee.expression;
+        if (!baseExpr || typeof baseExpr !== 'object')
+            return false;
+        if (baseExpr.type === 'Identifier') {
+            const baseName = String(baseExpr.name || '');
+            if (BUILTIN_BASE_IDENTIFIERS.has(baseName))
+                return false;
+            return true;
+        }
+        return true;
+    }
+    refersToLendingStateStorage(expr, ctx) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'Identifier') {
+            const name = String(expr.name || '');
+            if (ctx.localVars.has(name))
+                return false;
+            return ctx.lendingStateVars.has(name);
+        }
+        if (expr.type === 'IndexAccess')
+            return this.refersToLendingStateStorage(expr.base, ctx);
+        if (expr.type === 'MemberAccess')
+            return this.refersToLendingStateStorage(expr.expression, ctx);
+        if (expr.type === 'TupleExpression') {
+            for (const c of expr.components || []) {
+                if (this.refersToLendingStateStorage(c, ctx))
+                    return true;
+            }
+        }
+        return false;
+    }
+    getDirectCallName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier')
+            return String(expr.name || '');
+        return '';
+    }
+    locOf(node) {
+        const { line, column } = (0, ast_1.assertLoc)(node);
+        return { line, column };
+    }
+    collectContracts(ast) {
+        const out = [];
+        for (const child of ast.children || []) {
+            if (child?.type === 'ContractDefinition')
+                out.push(child);
+        }
+        return out;
+    }
+    isInterfaceLike(contract) {
+        const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+        return kind === 'interface' || kind === 'library';
+    }
+    collectStateVariables(contract) {
+        const set = new Set();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const v of sub.variables || []) {
+                if (v?.name)
+                    set.add(String(v.name));
+            }
+        }
+        return set;
+    }
+    collectLendingStateVars(contract) {
+        const set = new Set();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const v of sub.variables || []) {
+                const name = String(v?.name || '');
+                if (!name)
+                    continue;
+                const lower = name.toLowerCase();
+                for (const hint of ACCOUNTING_NAME_HINTS) {
+                    if (lower.includes(hint)) {
+                        set.add(name);
+                        break;
+                    }
+                }
+            }
+        }
+        return set;
+    }
+    getContractFunctions(contract) {
+        return (contract.subNodes || []).filter((node) => node?.type === 'FunctionDefinition');
+    }
+    isExternallyReachable(fn) {
+        if (!fn)
+            return false;
+        if (fn.isConstructor === true)
+            return false;
+        if (String(fn.kind || '').toLowerCase() === 'constructor')
+            return false;
+        const visibility = String(fn.visibility || '').toLowerCase();
+        if (visibility === 'public' || visibility === 'external')
+            return true;
+        const kind = String(fn.kind || '').toLowerCase();
+        if (kind === 'fallback' || kind === 'receive')
+            return true;
+        return false;
+    }
+    hasReentrancyGuard(fn) {
+        for (const m of fn?.modifiers || []) {
+            if (REENTRANCY_GUARD_RE.test(this.getModifierName(m)))
+                return true;
+        }
+        return false;
+    }
+    hasAccessControl(fn) {
+        for (const m of fn?.modifiers || []) {
+            const name = this.getModifierName(m);
+            if (ACCESS_CONTROL_PREFIX_RE.test(name))
+                return true;
+            if (ACCESS_CONTROL_NAMES.has(name.toLowerCase()))
+                return true;
+        }
+        return false;
+    }
+    getModifierName(modifier) {
+        if (!modifier)
+            return '';
+        if (typeof modifier === 'string')
+            return modifier;
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name && typeof modifier.name === 'object') {
+            return String(modifier.name.name || modifier.name.namePath || '');
+        }
+        if (modifier.modifierName) {
+            const m = modifier.modifierName;
+            if (typeof m === 'string')
+                return m;
+            return String(m.name || m.namePath || '');
+        }
+        return '';
+    }
+    collectLocalVariables(fn) {
+        const set = new Set();
+        for (const p of fn.parameters || []) {
+            if (p?.name)
+                set.add(String(p.name));
+        }
+        for (const p of fn.returnParameters || []) {
+            if (p?.name)
+                set.add(String(p.name));
+        }
+        this.harvestLocals(fn.body, set);
+        return set;
+    }
+    harvestLocals(node, set) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement') {
+            for (const v of node.variables || []) {
+                if (v?.name)
+                    set.add(String(v.name));
+            }
+        }
+        for (const child of this.childNodes(node))
+            this.harvestLocals(child, set);
+    }
+    summarizeInternalFunctions(contract, contractsByName) {
+        const summaries = new Map();
+        const visitedContracts = new Set();
+        // Walk inheritance: bases first (in declared order, recursively), then self.
+        // This gives the contract's own functions priority over base versions, so the
+        // most-derived override of a transfer hook (e.g. doTransferOut) wins lookup.
+        const visit = (c) => {
+            if (!c)
+                return;
+            const cname = String(c.name || '');
+            if (cname && visitedContracts.has(cname))
+                return;
+            if (cname)
+                visitedContracts.add(cname);
+            for (const inh of c.baseContracts || []) {
+                const baseName = this.getBaseContractName(inh);
+                if (!baseName)
+                    continue;
+                const base = contractsByName.get(baseName);
+                if (base)
+                    visit(base);
+            }
+            for (const sub of c.subNodes || []) {
+                if (sub?.type !== 'FunctionDefinition')
+                    continue;
+                if (!sub.body)
+                    continue;
+                const name = sub.name;
+                if (!name)
+                    continue;
+                summaries.set(name, {
+                    fn: sub,
+                    performsExternalCall: this.containsExternalCall(sub.body),
+                });
+            }
+        };
+        visit(contract);
+        return summaries;
+    }
+    getBaseContractName(inh) {
+        if (!inh)
+            return '';
+        const base = inh.baseName;
+        if (!base)
+            return '';
+        if (typeof base === 'string')
+            return base;
+        if (typeof base.namePath === 'string')
+            return base.namePath;
+        if (typeof base.name === 'string')
+            return base.name;
+        return '';
+    }
+    containsExternalCall(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'FunctionCall' && this.isExternalCall(node))
+            return true;
+        for (const child of this.childNodes(node)) {
+            if (this.containsExternalCall(child))
+                return true;
+        }
+        return false;
+    }
+    childNodes(node) {
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'typeName')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+}
+exports.FlashloanReentrancyRariDetector = FlashloanReentrancyRariDetector;
+//# sourceMappingURL=flashloan-reentrancy-rari.js.map

package/dist/detectors/flashloan-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class FlashloanReentrancyDetector {
+    readonly id = "flashloan-reentrancy";
+    readonly patternKey = "flashloan-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}