@snovon/solast 0.2.0

package/dist/detectors/amm-spot-oracle-manipulation.js

@@ -0,0 +1,420 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AmmSpotOracleManipulationDetector = void 0;
+function tryLoc(node) {
+    return node?.loc || node?.range ? { line: node.loc?.start?.line || 0, column: node.loc?.start?.column || 0, endLine: node.loc?.end?.line || 0 } : { line: 0, column: 0, endLine: 0 };
+}
+const AMM_SPOT_NAMES = new Set(['getReserves', 'reserve0', 'reserve1']);
+const SINK_NAMES = new Set(['mint', '_mint', 'redeem', '_redeem', 'swap', '_swap', 'borrow', '_borrow', 'liquidate', '_liquidate', 'transfer', 'transferFrom', 'safeTransfer', 'safeTransferFrom', '_transferOut']);
+const SAFE_ORACLE_NAMES = new Set(['consult', 'latestRoundData', 'latestAnswer']);
+class AmmSpotOracleManipulationDetector {
+    id = 'amm-spot-oracle-manipulation';
+    patternKey = 'amm-spot-oracle-manipulation';
+    // Parser-only: taint propagation keys on parser visitor object identity and
+    // on Identifier/MemberAccess/TypeConversion events the solc walker does not
+    // dispatch, so solc ASTs would silently yield zero findings. Do not advertise
+    // solc support until a dataflow path independent of parser node identity exists.
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: 'amm-spot-oracle-manipulation',
+        shortDescription: 'AMM spot reserve or pair-balance price feeds sensitive value movement without a TWAP, reference-price, or freshness guard.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    findings = [];
+    currentFile = '';
+    currentContract = '';
+    currentFunction = '';
+    currentFunctionNode = null;
+    // Function-level state
+    taintedVars = new Set();
+    nodeTaint = new Set();
+    oracleVars = new Set();
+    nodeOracleTaint = new Set();
+    safeCheckFound = false;
+    vulnerableSinks = [];
+    hasAmmSpotRead = false;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '<anonymous>';
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = node.name || '<anonymous>';
+        this.currentFunctionNode = node;
+        this.taintedVars.clear();
+        this.nodeTaint.clear();
+        this.oracleVars.clear();
+        this.nodeOracleTaint.clear();
+        this.safeCheckFound = false;
+        this.vulnerableSinks = [];
+        this.hasAmmSpotRead = false;
+    }
+    FunctionDefinition_post(node) {
+        if (this.currentFunctionNode === node) {
+            if (this.hasAmmSpotRead && this.vulnerableSinks.length > 0 && !this.safeCheckFound) {
+                // Report finding
+                const sinkNode = this.vulnerableSinks[0];
+                const loc = tryLoc(node) || { line: 0, column: 0 };
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    function: this.currentFunction,
+                    line: loc.line,
+                    endLine: loc.endLine || loc.line,
+                    column: loc.column,
+                    pattern: this.id,
+                    confidence: 'high',
+                    ruleId: this.id,
+                    severity: 'high',
+                    message: `Oracle manipulation risk in function '${this.currentFunction}': AMM spot price source drives sensitive operation without a TWAP or freshness check.`,
+                    contractName: this.currentContract,
+                    functionName: this.currentFunction,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+            this.currentFunctionNode = null;
+            this.currentFunction = '';
+        }
+    }
+    Identifier(node) {
+        if (!this.currentFunctionNode)
+            return;
+        if (node.name && this.taintedVars.has(node.name)) {
+            this.nodeTaint.add(node);
+        }
+        if (node.name && this.oracleVars.has(node.name)) {
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const name = this.getCalleeName(node.expression);
+        if (AMM_SPOT_NAMES.has(name) || (name === 'balanceOf' && this.isPairBalanceOf(node))) {
+            this.nodeTaint.add(node);
+            this.hasAmmSpotRead = true;
+        }
+    }
+    FunctionCall_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const name = this.getCalleeName(node.expression);
+        // If it's an AMM read, the node is tainted
+        if (AMM_SPOT_NAMES.has(name) || (name === 'balanceOf' && this.isPairBalanceOf(node))) {
+            this.nodeTaint.add(node);
+        }
+        if (SAFE_ORACLE_NAMES.has(name)) {
+            this.nodeOracleTaint.add(node);
+        }
+        // Check if it's a sink call
+        if (SINK_NAMES.has(name)) {
+            let isTainted = false;
+            const args = node.arguments || [];
+            for (const arg of args) {
+                if (this.nodeTaint.has(arg)) {
+                    isTainted = true;
+                    break;
+                }
+            }
+            if (isTainted) {
+                this.vulnerableSinks.push(node);
+                this.nodeTaint.add(node);
+            }
+        }
+        // Pass taint up for regular function calls
+        const args = node.arguments || [];
+        for (const arg of args) {
+            if (this.nodeTaint.has(arg)) {
+                this.nodeTaint.add(node);
+            }
+            if (this.nodeOracleTaint.has(arg)) {
+                this.nodeOracleTaint.add(node);
+            }
+        }
+        if ((name === 'require' || name === 'assert') && args.length > 0 && this.containsBoundComparison(args[0])) {
+            this.safeCheckFound = true;
+        }
+    }
+    MemberAccess_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        if (this.nodeTaint.has(node.expression)) {
+            this.nodeTaint.add(node);
+        }
+        if (this.nodeOracleTaint.has(node.expression)) {
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    IndexAccess_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        if (this.nodeTaint.has(node.base) || this.nodeTaint.has(node.index)) {
+            this.nodeTaint.add(node);
+        }
+        if (this.nodeOracleTaint.has(node.base) || this.nodeOracleTaint.has(node.index)) {
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    TupleExpression_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const components = node.components || [];
+        for (const comp of components) {
+            if (comp && this.nodeTaint.has(comp)) {
+                this.nodeTaint.add(node);
+            }
+            if (comp && this.nodeOracleTaint.has(comp)) {
+                this.nodeOracleTaint.add(node);
+            }
+        }
+    }
+    BinaryOperation_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const left = node.left || node.leftExpression || node.leftHandSide;
+        const right = node.right || node.rightExpression || node.rightHandSide;
+        if (this.isAssignmentOperator(node.operator)) {
+            if (right && this.nodeTaint.has(right)) {
+                this.extractTaintedNames(left);
+            }
+            if (right && this.nodeOracleTaint.has(right)) {
+                this.extractOracleNames(left);
+            }
+        }
+        if (this.nodeTaint.has(left) || this.nodeTaint.has(right)) {
+            this.nodeTaint.add(node);
+        }
+        if (this.nodeOracleTaint.has(left) || this.nodeOracleTaint.has(right)) {
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    UnaryOperation_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        if (this.nodeTaint.has(node.subExpression)) {
+            this.nodeTaint.add(node);
+        }
+        if (this.nodeOracleTaint.has(node.subExpression)) {
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    TypeConversion_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const args = node.arguments || [];
+        for (const arg of args) {
+            if (this.nodeTaint.has(arg)) {
+                this.nodeTaint.add(node);
+            }
+            if (this.nodeOracleTaint.has(arg)) {
+                this.nodeOracleTaint.add(node);
+            }
+        }
+    }
+    VariableDeclarationStatement_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const initialValue = node.initialValue;
+        const vars = node.variables || node.declarations || [];
+        if (initialValue && this.nodeTaint.has(initialValue)) {
+            for (const v of vars) {
+                if (v && v.name) {
+                    this.taintedVars.add(v.name);
+                }
+            }
+            this.nodeTaint.add(node);
+        }
+        if (initialValue && this.nodeOracleTaint.has(initialValue)) {
+            for (const v of vars) {
+                if (v && v.name) {
+                    this.oracleVars.add(v.name);
+                }
+            }
+            this.nodeOracleTaint.add(node);
+        }
+    }
+    Assignment_post(node) {
+        if (!this.currentFunctionNode)
+            return;
+        const right = node.rightHandSide || node.right;
+        const left = node.leftHandSide || node.left;
+        if (right && this.nodeTaint.has(right)) {
+            this.nodeTaint.add(node);
+            this.extractTaintedNames(left);
+        }
+        if (right && this.nodeOracleTaint.has(right)) {
+            this.nodeOracleTaint.add(node);
+            this.extractOracleNames(left);
+        }
+    }
+    extractTaintedNames(node) {
+        if (!node)
+            return;
+        if (node.type === 'Identifier' && node.name) {
+            this.taintedVars.add(node.name);
+        }
+        else if (node.type === 'TupleExpression') {
+            const components = node.components || [];
+            for (const comp of components) {
+                this.extractTaintedNames(comp);
+            }
+        }
+    }
+    extractOracleNames(node) {
+        if (!node)
+            return;
+        if (node.type === 'Identifier' && node.name) {
+            this.oracleVars.add(node.name);
+        }
+        else if (node.type === 'TupleExpression') {
+            const components = node.components || [];
+            for (const comp of components) {
+                this.extractOracleNames(comp);
+            }
+        }
+    }
+    isAssignmentOperator(operator) {
+        return operator === '=' || operator === '+=' || operator === '-=' || operator === '*=' || operator === '/=' || operator === '%=';
+    }
+    containsBoundComparison(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'BinaryOperation') {
+            const left = node.left || node.leftExpression || node.leftHandSide;
+            const right = node.right || node.rightExpression || node.rightHandSide;
+            if (this.isRelationalOperator(node.operator)) {
+                return this.isPriceBoundComparison(left, right);
+            }
+            if (node.operator === '&&' || node.operator === '||') {
+                return this.containsBoundComparison(left) || this.containsBoundComparison(right);
+            }
+        }
+        if (node.type === 'UnaryOperation') {
+            return this.containsBoundComparison(node.subExpression);
+        }
+        if (node.type === 'TupleExpression') {
+            const components = node.components || [];
+            return components.some((component) => this.containsBoundComparison(component));
+        }
+        return false;
+    }
+    isPriceBoundComparison(left, right) {
+        if (!left || !right)
+            return false;
+        if (this.isZeroLiteral(left) || this.isZeroLiteral(right))
+            return false;
+        if (this.containsTimestampReference(left) || this.containsTimestampReference(right))
+            return false;
+        return ((this.nodeTaint.has(left) && this.nodeOracleTaint.has(right)) ||
+            (this.nodeOracleTaint.has(left) && this.nodeTaint.has(right)));
+    }
+    isRelationalOperator(operator) {
+        return operator === '<' || operator === '>' || operator === '<=' || operator === '>=' || operator === '==' || operator === '!=';
+    }
+    isZeroLiteral(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'NumberLiteral') {
+            return node.number === '0' || node.value === '0';
+        }
+        if (node.type === 'Literal') {
+            return node.value === 0 || node.value === '0';
+        }
+        return false;
+    }
+    containsTimestampReference(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier') {
+            return /timestamp|updatedAt/i.test(node.name || '');
+        }
+        if (node.type === 'MemberAccess') {
+            const expression = node.expression;
+            if (node.memberName === 'timestamp' && expression?.type === 'Identifier' && expression.name === 'block') {
+                return true;
+            }
+            return this.containsTimestampReference(expression);
+        }
+        if (node.type === 'BinaryOperation') {
+            const left = node.left || node.leftExpression || node.leftHandSide;
+            const right = node.right || node.rightExpression || node.rightHandSide;
+            return this.containsTimestampReference(left) || this.containsTimestampReference(right);
+        }
+        if (node.type === 'UnaryOperation') {
+            return this.containsTimestampReference(node.subExpression);
+        }
+        if (node.type === 'TupleExpression') {
+            const components = node.components || [];
+            return components.some((component) => this.containsTimestampReference(component));
+        }
+        if (node.type === 'FunctionCall' || node.type === 'TypeConversion') {
+            const args = node.arguments || [];
+            return args.some((arg) => this.containsTimestampReference(arg));
+        }
+        return false;
+    }
+    getCalleeName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier')
+            return expr.name || '';
+        if (expr.type === 'MemberAccess')
+            return expr.memberName || '';
+        return '';
+    }
+    // Unwrap `address(...)` type-conversion calls so `balanceOf(address(pair))`
+    // reads through to the inner `pair` identifier. Recurses for nested casts
+    // and passes any non-cast node through unchanged.
+    unwrapAddressCast(node) {
+        if (!node || typeof node !== 'object' || node.type !== 'FunctionCall') {
+            return node;
+        }
+        const callee = node.expression;
+        // `address(x)` parses with the callee as an `Identifier` named `address`
+        // in the @solidity-parser AST, and as an `ElementaryTypeName(Expression)`
+        // in normalized solc-shaped ASTs — accept either.
+        const calleeName = callee?.type === 'Identifier' ||
+            callee?.type === 'ElementaryTypeName' ||
+            callee?.type === 'ElementaryTypeNameExpression'
+            ? callee.name
+            : undefined;
+        const args = node.arguments || [];
+        if (calleeName === 'address' && args.length === 1) {
+            return this.unwrapAddressCast(args[0]);
+        }
+        return node;
+    }
+    isPairBalanceOf(node) {
+        const expr = node?.expression;
+        const firstArg = (node?.arguments || [])[0];
+        if (!expr || expr.type !== 'MemberAccess' || expr.memberName !== 'balanceOf') {
+            return false;
+        }
+        const unwrapped = this.unwrapAddressCast(firstArg);
+        return unwrapped?.type === 'Identifier' && /pair|pool/i.test(unwrapped.name || '');
+    }
+}
+exports.AmmSpotOracleManipulationDetector = AmmSpotOracleManipulationDetector;
+const _ammSpotProto = AmmSpotOracleManipulationDetector.prototype;
+_ammSpotProto['FunctionDefinition:exit'] = _ammSpotProto.FunctionDefinition_post;
+_ammSpotProto['FunctionCall:exit'] = _ammSpotProto.FunctionCall_post;
+_ammSpotProto['MemberAccess:exit'] = _ammSpotProto.MemberAccess_post;
+_ammSpotProto['IndexAccess:exit'] = _ammSpotProto.IndexAccess_post;
+_ammSpotProto['TupleExpression:exit'] = _ammSpotProto.TupleExpression_post;
+_ammSpotProto['BinaryOperation:exit'] = _ammSpotProto.BinaryOperation_post;
+_ammSpotProto['UnaryOperation:exit'] = _ammSpotProto.UnaryOperation_post;
+_ammSpotProto['TypeConversion:exit'] = _ammSpotProto.TypeConversion_post;
+_ammSpotProto['VariableDeclarationStatement:exit'] = _ammSpotProto.VariableDeclarationStatement_post;
+_ammSpotProto['Assignment:exit'] = _ammSpotProto.Assignment_post;
+//# sourceMappingURL=amm-spot-oracle-manipulation.js.map

package/dist/detectors/analyzing-the-uniswap-v3-exploit.d.ts

@@ -0,0 +1,26 @@
+import type { ScanResult } from '../index';
+export declare class AnalyzingTheUniswapV3ExploitDetector {
+    readonly id = "analyzing-the-uniswap-v3-exploit";
+    readonly patternKey = "analyzing-the-uniswap-v3-exploit";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+    private collectContracts;
+    private summarizeFunction;
+    private collectCallbackAuthSlots;
+    private isExternalEntry;
+    private hasRecognizedAuthorizationModifier;
+    private modifierName;
+    private flattenEvents;
+    private findTransientCollision;
+    private tstoreEvent;
+    private tloadSlot;
+    private slotKey;
+    private assemblyValueName;
+    private internalCallName;
+    private isPoolLike;
+    private referencesMsgSender;
+    private identifierNames;
+    private walkInOrder;
+    private createFinding;
+    private locOf;
+}