@snovon/solast 0.2.0

package/dist/detectors/governance-flash-loan.d.ts

@@ -0,0 +1,62 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class GovernanceFlashLoanDetector {
+    readonly id = "governance-flash-loan";
+    readonly patternKey = "governance-flash-loan";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "critical";
+    };
+    private currentFile;
+    private findings;
+    private currentContractName;
+    private currentContractIsConcrete;
+    private currentContractInfo;
+    private functionStack;
+    private semantic;
+    private taint;
+    setFile(file: string): void;
+    setContext(ctx: DetectorContext): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    Assignment(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    private currentFunction;
+    private observeAssignment;
+    private observeExpression;
+    private emitFinding;
+    private isProposalCreationCall;
+    private isGovernanceExecutionCall;
+    private isDangerousPrivilegedCall;
+    private isDelegationCall;
+    private hasAcquisitionEvidence;
+    private isAcquisitionExpression;
+    private expressionHasTaint;
+    private isResolvableAcquisitionCall;
+    private sourceContextForState;
+    private findContractInfo;
+    private isLargeBulkAcquisitionCall;
+    private numericMagnitude;
+    private hasConcreteReceiver;
+    private lookupVariableType;
+    private userDefinedTypeName;
+    private callName;
+    private memberAccessForCall;
+    private callArguments;
+    private unwrapCallOptions;
+    private unwrap;
+    private assignmentLeft;
+    private assignmentRight;
+    private assignmentTargetNames;
+    private expressionReferencesAny;
+    private expressionChildren;
+    private walkExpression;
+}

package/dist/detectors/governance-flash-loan.js

@@ -0,0 +1,452 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GovernanceFlashLoanDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'governance-flash-loan';
+const TAINT_SOURCE = `${RULE_ID}:acquisition`;
+const PATTERN = `${RULE_ID}/transient-vote-power-privileged-execution`;
+const FLASH_ACQUISITION_CALLS = new Set([
+    'flash',
+    'flashloan',
+    'flashloansimple',
+    'flashborrow',
+]);
+const BULK_ACQUISITION_CALLS = new Set([
+    'transfer',
+    'transferfrom',
+    'deposit',
+]);
+const PROPOSAL_CREATION_CALLS = new Set([
+    'propose',
+    'submitproposal',
+    'createproposal',
+]);
+const GOVERNANCE_EXECUTION_CALLS = new Set([
+    'execute',
+    'executeproposal',
+    'executetransaction',
+]);
+const DANGEROUS_CALLS = new Set([
+    'setgovernance',
+    'setgovernor',
+    'setadmin',
+    'setowner',
+    'grantrole',
+    'transferownership',
+    'acceptownership',
+    'mint',
+    'drain',
+    'sweep',
+    'withdraw',
+    'rescue',
+]);
+class GovernanceFlashLoanDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Transient flash-loan or bulk voting power flows into governance execution and privileged role or treasury mutation.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'critical',
+    };
+    currentFile = '';
+    findings = [];
+    currentContractName = '';
+    currentContractIsConcrete = false;
+    currentContractInfo;
+    functionStack = [];
+    semantic;
+    taint;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContractName = '';
+        this.currentContractIsConcrete = false;
+        this.currentContractInfo = undefined;
+        this.functionStack = [];
+    }
+    setContext(ctx) {
+        this.semantic = ctx.semantic;
+        this.taint = ctx.taint;
+        this.taint?.registerSource(TAINT_SOURCE, (node, sourceCtx) => this.isResolvableAcquisitionCall(node, sourceCtx));
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContractName = node?.name || '';
+        this.currentContractIsConcrete = node?.kind !== 'interface' && node?.kind !== 'library';
+        this.currentContractInfo = this.findContractInfo(this.currentContractName);
+    }
+    'ContractDefinition:exit'() {
+        this.currentContractName = '';
+        this.currentContractIsConcrete = false;
+        this.currentContractInfo = undefined;
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContractIsConcrete || !node?.body)
+            return;
+        const name = node?.name || (node?.isConstructor ? '<constructor>' : '<anonymous>');
+        const functionInfo = this.currentContractInfo?.functions.find(fn => fn.node === node || fn.name === name);
+        this.functionStack.push({
+            node,
+            name,
+            contractInfo: this.currentContractInfo,
+            functionInfo,
+            acquiredVars: new Set(),
+            proposalVars: new Set(),
+            sawAcquisition: false,
+            sawDelegation: false,
+            sawGovernanceExecution: false,
+            emitted: false,
+        });
+    }
+    'FunctionDefinition:exit'(node) {
+        const state = this.currentFunction();
+        if (state?.node === node)
+            this.functionStack.pop();
+    }
+    VariableDeclarationStatement(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const init = node?.initialValue || node?.expression;
+        this.observeExpression(init, state);
+        if (this.isAcquisitionExpression(init, state)) {
+            state.sawAcquisition = true;
+            for (const variable of node?.variables || []) {
+                if (variable?.name)
+                    state.acquiredVars.add(variable.name);
+            }
+        }
+        if (this.isProposalCreationCall(init) && this.hasAcquisitionEvidence(init, state)) {
+            for (const variable of node?.variables || []) {
+                if (variable?.name)
+                    state.proposalVars.add(variable.name);
+            }
+        }
+    }
+    Assignment(node) {
+        this.observeAssignment(this.assignmentLeft(node), this.assignmentRight(node), node);
+    }
+    BinaryOperation(node) {
+        if (node?.operator !== '=')
+            return;
+        this.observeAssignment(node?.left, node?.right, node);
+    }
+    FunctionCall(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        this.observeExpression(node, state);
+        if (this.isGovernanceExecutionCall(node, state)) {
+            state.sawGovernanceExecution = true;
+            return;
+        }
+        if (!state.sawGovernanceExecution || state.emitted || !this.isDangerousPrivilegedCall(node))
+            return;
+        this.emitFinding(state, node);
+    }
+    currentFunction() {
+        return this.functionStack[this.functionStack.length - 1];
+    }
+    observeAssignment(left, right, atNode) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        this.observeExpression(right, state);
+        const names = this.assignmentTargetNames(left);
+        if (this.isAcquisitionExpression(right, state)) {
+            state.sawAcquisition = true;
+            for (const name of names)
+                state.acquiredVars.add(name);
+        }
+        if (this.isProposalCreationCall(right) && this.hasAcquisitionEvidence(right, state, atNode)) {
+            for (const name of names)
+                state.proposalVars.add(name);
+        }
+    }
+    observeExpression(node, state) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (this.isAcquisitionExpression(node, state))
+            state.sawAcquisition = true;
+        if (this.isDelegationCall(node) && state.sawAcquisition)
+            state.sawDelegation = true;
+    }
+    emitFinding(state, node) {
+        const loc = (0, ast_1.assertLoc)(node, state.node);
+        state.emitted = true;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContractName || '<anonymous>',
+            'function': state.name,
+            contractName: this.currentContractName || '<anonymous>',
+            functionName: state.name,
+            line: loc.line,
+            column: loc.column,
+            endLine: loc.endLine,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'critical',
+            confidence: 'medium',
+            category: 'vulnerability',
+            message: `Governance execution in '${state.name}' follows transient voting-power acquisition and reaches a privileged role, mint, or treasury-drain action.`,
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    isProposalCreationCall(node) {
+        return PROPOSAL_CREATION_CALLS.has(this.callName(node).toLowerCase());
+    }
+    isGovernanceExecutionCall(node, state) {
+        const name = this.callName(node).toLowerCase();
+        if (!GOVERNANCE_EXECUTION_CALLS.has(name))
+            return false;
+        return this.callArguments(node).some(arg => this.expressionReferencesAny(arg, state.proposalVars))
+            || this.hasAcquisitionEvidence(node, state);
+    }
+    isDangerousPrivilegedCall(node) {
+        return DANGEROUS_CALLS.has(this.callName(node).toLowerCase());
+    }
+    isDelegationCall(node) {
+        const name = this.callName(node).toLowerCase();
+        return name === 'delegate' || name === 'delegatebysig';
+    }
+    hasAcquisitionEvidence(node, state, atNode = node) {
+        if (!state.sawAcquisition)
+            return false;
+        if (state.sawDelegation)
+            return true;
+        if (this.expressionReferencesAny(node, state.acquiredVars))
+            return true;
+        return this.expressionHasTaint(node, atNode);
+    }
+    isAcquisitionExpression(node, state) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'FunctionCall') && this.isResolvableAcquisitionCall(node, this.sourceContextForState(state)))
+            return true;
+        if (state && this.expressionHasTaint(node, node))
+            return true;
+        return false;
+    }
+    expressionHasTaint(node, atNode) {
+        if (!this.taint || !node || typeof node !== 'object')
+            return false;
+        if (this.taint.isTainted(node, atNode, { source: TAINT_SOURCE })) {
+            const path = this.taint.explain(node, atNode, { source: TAINT_SOURCE });
+            if (path.length > 1 || path.some(segment => /flash|borrow|loan/i.test(segment)))
+                return true;
+        }
+        return this.expressionChildren(node).some(child => this.expressionHasTaint(child, atNode));
+    }
+    isResolvableAcquisitionCall(node, sourceCtx) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const name = this.callName(node).toLowerCase();
+        if (!FLASH_ACQUISITION_CALLS.has(name) && !this.isLargeBulkAcquisitionCall(node, name))
+            return false;
+        return this.hasConcreteReceiver(node, sourceCtx);
+    }
+    sourceContextForState(state) {
+        return state.functionInfo && state.contractInfo
+            ? { functionInfo: state.functionInfo, contract: state.contractInfo }
+            : undefined;
+    }
+    findContractInfo(name) {
+        if (!this.semantic || !name)
+            return undefined;
+        const direct = this.semantic.contracts.get(`${this.currentFile}::${name}`);
+        if (direct)
+            return direct;
+        for (const contract of this.semantic.contracts.values()) {
+            if (contract.name === name && contract.sourcePath === this.currentFile)
+                return contract;
+        }
+        return undefined;
+    }
+    isLargeBulkAcquisitionCall(node, name) {
+        if (!BULK_ACQUISITION_CALLS.has(name))
+            return false;
+        return this.callArguments(node).some(arg => this.numericMagnitude(arg) >= 100000);
+    }
+    numericMagnitude(node) {
+        if (!node || typeof node !== 'object')
+            return 0;
+        if ((0, ast_1.isNode)(node, 'NumberLiteral')) {
+            const raw = String(node.number ?? node.value ?? '').replace(/_/g, '');
+            const parsed = Number.parseFloat(raw);
+            return Number.isFinite(parsed) ? parsed : 0;
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+            const left = this.numericMagnitude(node.left);
+            const right = this.numericMagnitude(node.right);
+            if (node.operator === '*')
+                return left * Math.max(1, right);
+            if (node.operator === '+')
+                return left + right;
+            return Math.max(left, right);
+        }
+        return Math.max(0, ...this.expressionChildren(node).map(child => this.numericMagnitude(child)));
+    }
+    hasConcreteReceiver(node, sourceCtx) {
+        const member = this.memberAccessForCall(node);
+        if (!member)
+            return false;
+        const receiver = this.unwrap(member.expression);
+        if (!(0, ast_1.isNode)(receiver, 'Identifier'))
+            return false;
+        if (receiver.name === 'this' || receiver.name === 'super')
+            return true;
+        const semantic = this.semantic;
+        const contractInfo = sourceCtx?.contract;
+        const fnInfo = sourceCtx?.functionInfo;
+        if (!semantic || !contractInfo || !fnInfo)
+            return true;
+        const receiverType = this.lookupVariableType(receiver.name, contractInfo, fnInfo);
+        if (!receiverType)
+            return false;
+        const target = semantic.resolveContract(contractInfo.sourcePath, receiverType);
+        if (!target)
+            return false;
+        if (target.kind !== 'interface')
+            return true;
+        let matches = 0;
+        for (const candidate of semantic.contracts.values()) {
+            if (candidate.kind === 'interface')
+                continue;
+            if (candidate.bases.some(base => base.resolved === target.id || base.name === target.name))
+                matches++;
+        }
+        return matches === 1;
+    }
+    lookupVariableType(name, contractInfo, fnInfo) {
+        for (const variable of contractInfo.stateVariables) {
+            if (variable.name === name)
+                return this.userDefinedTypeName(variable.node?.typeName);
+        }
+        for (const parameter of fnInfo.node?.parameters || []) {
+            if (parameter?.name === name)
+                return this.userDefinedTypeName(parameter?.typeName);
+        }
+        let found = '';
+        this.walkExpression(fnInfo.node?.body, child => {
+            if (found || !(0, ast_1.isNode)(child, 'VariableDeclaration'))
+                return;
+            if (child?.name === name)
+                found = this.userDefinedTypeName(child?.typeName);
+        });
+        return found;
+    }
+    userDefinedTypeName(typeName) {
+        if (!typeName || typeof typeName !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName'))
+            return typeName.namePath || typeName.name || '';
+        return '';
+    }
+    callName(node) {
+        const callee = this.unwrapCallOptions(node?.expression);
+        if ((0, ast_1.isNode)(callee, 'Identifier'))
+            return callee?.name || '';
+        if ((0, ast_1.isNode)(callee, 'MemberAccess'))
+            return callee?.memberName || '';
+        return '';
+    }
+    memberAccessForCall(node) {
+        const callee = this.unwrapCallOptions(node?.expression);
+        return (0, ast_1.isNode)(callee, 'MemberAccess') ? callee : null;
+    }
+    callArguments(node) {
+        const args = node?.arguments || [];
+        if (args.length === 1 && (0, ast_1.isNode)(args[0], 'NameValueList'))
+            return args[0].arguments || [];
+        return args;
+    }
+    unwrapCallOptions(node) {
+        return (0, ast_1.isNode)(node, 'FunctionCallOptions') || (0, ast_1.isNode)(node, 'NameValueExpression') ? node.expression : node;
+    }
+    unwrap(expr) {
+        while ((0, ast_1.isNode)(expr, 'TupleExpression') && Array.isArray(expr.components) && expr.components.length === 1) {
+            expr = expr.components[0];
+        }
+        return expr;
+    }
+    assignmentLeft(node) {
+        return node?.leftHandSide ?? node?.left ?? null;
+    }
+    assignmentRight(node) {
+        return node?.rightHandSide ?? node?.right ?? null;
+    }
+    assignmentTargetNames(node) {
+        node = this.unwrap(node);
+        if (!node || typeof node !== 'object')
+            return [];
+        if ((0, ast_1.isNode)(node, 'Identifier') && typeof node.name === 'string')
+            return [node.name];
+        if ((0, ast_1.isNode)(node, 'VariableDeclaration') && typeof node.name === 'string')
+            return [node.name];
+        if ((0, ast_1.isNode)(node, 'TupleExpression'))
+            return (node.components || []).flatMap((item) => this.assignmentTargetNames(item));
+        return [];
+    }
+    expressionReferencesAny(node, names) {
+        if (names.size === 0 || !node || typeof node !== 'object')
+            return false;
+        if ((0, ast_1.isNode)(node, 'Identifier') && names.has(String(node.name || '')))
+            return true;
+        return this.expressionChildren(node).some(child => this.expressionReferencesAny(child, names));
+    }
+    expressionChildren(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        switch (node.type) {
+            case 'BinaryOperation':
+                return [node.left, node.right];
+            case 'UnaryOperation':
+                return [node.subExpression];
+            case 'TupleExpression':
+                return node.components || [];
+            case 'IndexAccess':
+                return [node.base, node.index];
+            case 'IndexRangeAccess':
+                return [node.base, node.start, node.end];
+            case 'MemberAccess':
+                return [node.expression];
+            case 'FunctionCall':
+                return [node.expression, ...this.callArguments(node)];
+            case 'FunctionCallOptions':
+                return [node.expression, ...(node.options || [])];
+            case 'NameValueExpression':
+                return [node.expression];
+            case 'NameValueList':
+                return node.arguments || [];
+            case 'Conditional':
+                return [node.condition, node.trueExpression, node.falseExpression];
+            default:
+                return [];
+        }
+    }
+    walkExpression(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.expressionChildren(node))
+            this.walkExpression(child, visit);
+        for (const key of ['statements', 'body', 'variables']) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value)
+                    this.walkExpression(item, visit);
+            }
+            else if (value && typeof value === 'object') {
+                this.walkExpression(value, visit);
+            }
+        }
+    }
+}
+exports.GovernanceFlashLoanDetector = GovernanceFlashLoanDetector;
+//# sourceMappingURL=governance-flash-loan.js.map

package/dist/detectors/governance-flashloan-vote.d.ts

@@ -0,0 +1,41 @@
+import type { ScanResult } from '../index';
+export declare class GovernanceFlashloanVoteDetector {
+    readonly id = "governance-flashloan-vote";
+    readonly patternKey = "governance-flashloan-vote";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private findings;
+    private currentContractName;
+    private currentContractIsConcrete;
+    private functionStack;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    Assignment(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    private currentFunction;
+    private recordAssignment;
+    private emitFinding;
+    private isGovernanceFunctionName;
+    private isRequireLikeCall;
+    private findUnsafeVoteRead;
+    private classifyUnsafeVoteCall;
+    private classifyBlockExpression;
+    private isBlockNumber;
+    private callName;
+    private identifierName;
+    private unwrapCallOptions;
+    private expressionChildren;
+}