@snovon/solast 0.2.0

package/dist/detectors/governance-flashloan-vote.js

@@ -0,0 +1,272 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GovernanceFlashloanVoteDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'governance-flashloan-vote';
+const PATTERN = `${RULE_ID}/current-block-voting-power`;
+class GovernanceFlashloanVoteDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Governance proposal or voting eligibility reads current-block voting power instead of a prior checkpoint.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    findings = [];
+    currentContractName = '';
+    currentContractIsConcrete = false;
+    functionStack = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContractName = '';
+        this.currentContractIsConcrete = false;
+        this.functionStack = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContractName = node?.name || '';
+        this.currentContractIsConcrete = node?.kind !== 'interface' && node?.kind !== 'library';
+    }
+    'ContractDefinition:exit'() {
+        this.currentContractName = '';
+        this.currentContractIsConcrete = false;
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContractIsConcrete || !node?.body)
+            return;
+        const name = node?.name || (node?.isConstructor ? '<constructor>' : '<anonymous>');
+        if (!this.isGovernanceFunctionName(name))
+            return;
+        this.functionStack.push({
+            node,
+            name,
+            unsafeVoteVars: new Set(),
+            blockAliases: new Map(),
+            emittedNodes: new WeakSet(),
+        });
+    }
+    'FunctionDefinition:exit'(node) {
+        const state = this.currentFunction();
+        if (state?.node === node)
+            this.functionStack.pop();
+    }
+    VariableDeclarationStatement(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const aliasKind = this.classifyBlockExpression(node?.initialValue, state);
+        const voteRead = this.findUnsafeVoteRead(node?.initialValue, state);
+        for (const variable of node?.variables || []) {
+            if (!variable?.name)
+                continue;
+            if (aliasKind)
+                state.blockAliases.set(variable.name, aliasKind);
+            if (voteRead)
+                state.unsafeVoteVars.add(variable.name);
+        }
+    }
+    Assignment(node) {
+        this.recordAssignment(node?.left, node?.right);
+    }
+    BinaryOperation(node) {
+        if (node?.operator !== '=')
+            return;
+        this.recordAssignment(node?.left, node?.right);
+    }
+    FunctionCall(node) {
+        const state = this.currentFunction();
+        if (!state || !this.isRequireLikeCall(node))
+            return;
+        const condition = node?.arguments?.[0];
+        const voteRead = this.findUnsafeVoteRead(condition, state);
+        if (!voteRead)
+            return;
+        this.emitFinding(state, voteRead, node);
+    }
+    IfStatement(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const voteRead = this.findUnsafeVoteRead(node?.condition, state);
+        if (!voteRead)
+            return;
+        this.emitFinding(state, voteRead, node);
+    }
+    currentFunction() {
+        return this.functionStack[this.functionStack.length - 1];
+    }
+    recordAssignment(left, right) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const name = this.identifierName(left);
+        if (!name)
+            return;
+        const aliasKind = this.classifyBlockExpression(right, state);
+        if (aliasKind)
+            state.blockAliases.set(name, aliasKind);
+        const voteRead = this.findUnsafeVoteRead(right, state);
+        if (voteRead)
+            state.unsafeVoteVars.add(name);
+    }
+    emitFinding(state, voteRead, gateNode) {
+        if (gateNode && typeof gateNode === 'object') {
+            if (state.emittedNodes.has(gateNode))
+                return;
+            state.emittedNodes.add(gateNode);
+        }
+        const loc = (0, ast_1.assertLoc)(voteRead.node, state.node);
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContractName || '<anonymous>',
+            'function': state.name,
+            contractName: this.currentContractName || '<anonymous>',
+            functionName: state.name,
+            line: loc.line,
+            column: loc.column,
+            endLine: loc.endLine,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: PATTERN,
+            severity: 'high',
+            confidence: 'high',
+            category: 'vulnerability',
+            message: `Governance ${state.name} gate uses current-block voting power via ${voteRead.source}; use a prior-block checkpoint or proposal snapshot instead.`,
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    isGovernanceFunctionName(name) {
+        const lower = name.toLowerCase();
+        return lower.startsWith('propose') || lower.startsWith('castvote') || lower.startsWith('queue');
+    }
+    isRequireLikeCall(node) {
+        const callee = this.unwrapCallOptions(node?.expression);
+        return (0, ast_1.isNode)(callee, 'Identifier') && (callee?.name === 'require' || callee?.name === 'assert');
+    }
+    findUnsafeVoteRead(node, state) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(node, 'Identifier') && state.unsafeVoteVars.has(node.name)) {
+            return { node, source: node.name };
+        }
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const direct = this.classifyUnsafeVoteCall(node, state);
+            if (direct)
+                return direct;
+        }
+        for (const child of this.expressionChildren(node)) {
+            const nested = this.findUnsafeVoteRead(child, state);
+            if (nested)
+                return nested;
+        }
+        return null;
+    }
+    classifyUnsafeVoteCall(node, state) {
+        const callee = this.unwrapCallOptions(node?.expression);
+        const name = this.callName(callee);
+        if (!name)
+            return null;
+        if (name === 'balanceOf' || name === 'getVotes') {
+            return { node, source: `${name}(...)` };
+        }
+        if ((name === 'getPriorVotes' || name === 'getPastVotes') && (node?.arguments || []).length >= 2) {
+            const blockArg = node.arguments[1];
+            if (this.classifyBlockExpression(blockArg, state) === 'current') {
+                return { node, source: `${name}(..., block.number)` };
+            }
+        }
+        return null;
+    }
+    classifyBlockExpression(node, state) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if (this.isBlockNumber(node))
+            return 'current';
+        if ((0, ast_1.isNode)(node, 'Identifier')) {
+            const existing = state.blockAliases.get(node.name);
+            if (existing)
+                return existing;
+            const lower = node.name.toLowerCase();
+            if (lower.includes('snapshot') || lower.includes('checkpoint'))
+                return 'snapshot';
+            return null;
+        }
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            const member = String(node?.memberName || '').toLowerCase();
+            if (member.includes('snapshot') || member.includes('checkpoint'))
+                return 'snapshot';
+            return null;
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+            const left = this.classifyBlockExpression(node.left, state);
+            const right = this.classifyBlockExpression(node.right, state);
+            if (node.operator === '-' && (left === 'current' || right === 'current'))
+                return 'prior';
+            if (left === 'snapshot' || right === 'snapshot')
+                return 'snapshot';
+        }
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const args = node?.arguments || [];
+            if (args.length === 1) {
+                return this.classifyBlockExpression(args[0], state);
+            }
+        }
+        return null;
+    }
+    isBlockNumber(node) {
+        return ((0, ast_1.isNode)(node, 'MemberAccess') &&
+            node?.memberName === 'number' &&
+            (0, ast_1.isNode)(node?.expression, 'Identifier') &&
+            node.expression.name === 'block');
+    }
+    callName(callee) {
+        if ((0, ast_1.isNode)(callee, 'Identifier'))
+            return callee?.name || '';
+        if ((0, ast_1.isNode)(callee, 'MemberAccess'))
+            return callee?.memberName || '';
+        return '';
+    }
+    identifierName(node) {
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node?.name || '';
+        return '';
+    }
+    unwrapCallOptions(node) {
+        return (0, ast_1.isNode)(node, 'FunctionCallOptions') ? node.expression : node;
+    }
+    expressionChildren(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        switch (node.type) {
+            case 'BinaryOperation':
+                return [node.left, node.right];
+            case 'UnaryOperation':
+                return [node.subExpression];
+            case 'TupleExpression':
+                return node.components || [];
+            case 'IndexAccess':
+                return [node.base, node.index];
+            case 'IndexRangeAccess':
+                return [node.base, node.start, node.end];
+            case 'MemberAccess':
+                return [node.expression];
+            case 'FunctionCall':
+                return [node.expression, ...(node.arguments || [])];
+            case 'FunctionCallOptions':
+                return [node.expression, ...(node.options || [])];
+            case 'Conditional':
+                return [node.condition, node.trueExpression, node.falseExpression];
+            default:
+                return [];
+        }
+    }
+}
+exports.GovernanceFlashloanVoteDetector = GovernanceFlashloanVoteDetector;
+//# sourceMappingURL=governance-flashloan-vote.js.map

package/dist/detectors/halborn-security-report-aave-v3.d.ts

@@ -0,0 +1,6 @@
+import type { ScanResult } from '../index';
+export declare class HalbornSecurityReportAaveV3Detector {
+    readonly id = "halborn-security-report-aave-v3";
+    readonly patternKey = "halborn-security-report-aave-v3";
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/halborn-security-report-aave-v3.js

@@ -0,0 +1,357 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HalbornSecurityReportAaveV3Detector = void 0;
+const dataflow_1 = require("./_common/dataflow");
+const RULE_ID = 'halborn-security-report-aave-v3';
+const PATTERN_ID = `${RULE_ID}/allowance-not-reset-after-external-call`;
+const PROVENANCE = 'x-2026-05-03-halborn-security-report-aave-v3';
+class HalbornSecurityReportAaveV3Detector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const fnMap = buildFunctionMap(contract);
+            const helpersWithNonZeroApprove = computeTransitive(fnMap, info => info.hasNonZeroApprove);
+            const helpersWithZeroApprove = computeTransitive(fnMap, info => info.hasZeroApprove);
+            for (const info of fnMap.values()) {
+                if (!info.body)
+                    continue;
+                if (!info.isExternallyCallable)
+                    continue;
+                const events = [];
+                collectEvents(info.body, helpersWithNonZeroApprove, helpersWithZeroApprove, events);
+                if (!isHalbornAllowanceLeak(events))
+                    continue;
+                const loc = getLoc(info.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: PATTERN_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'warning',
+                    message: `Halborn Aave V3 allowance-not-reset pattern in '${contractName}.${info.name}': function grants an ERC20 allowance and then performs an external call into the spender (or a transferFrom-capable router) without resetting the allowance to 0 after the interaction.`,
+                    rationale: 'Mirrors the Halborn Aave V3 finding: granting an ERC20 allowance and then calling into a spender that can pull tokens (e.g. liquidationCall, a transferFrom-capable router) without a post-call approve(spender, 0) leaves a residual allowance that an attacker can drain via a follow-up transferFrom.',
+                    suggestedFix: 'After the external interaction, reset the allowance with approve(spender, 0) (or the SafeERC20 forceApprove(spender, 0) idiom) so no residual allowance survives the call.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.HalbornSecurityReportAaveV3Detector = HalbornSecurityReportAaveV3Detector;
+function isHalbornAllowanceLeak(events) {
+    let approvedNonZero = false;
+    let externalAfterApprove = false;
+    let zeroResetAfterExternal = false;
+    for (const ev of events) {
+        if (ev === 'approve-nonzero') {
+            approvedNonZero = true;
+        }
+        else if (ev === 'external-call') {
+            if (approvedNonZero)
+                externalAfterApprove = true;
+        }
+        else if (ev === 'approve-zero') {
+            if (externalAfterApprove)
+                zeroResetAfterExternal = true;
+        }
+    }
+    return approvedNonZero && externalAfterApprove && !zeroResetAfterExternal;
+}
+function collectEvents(node, helpersWithNonZeroApprove, helpersWithZeroApprove, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isFunctionCall(node)) {
+        const callee = node.expression;
+        if (isNode(callee, 'MemberAccess')) {
+            const memberName = String(callee.memberName || '');
+            if (memberName === 'approve' || memberName === 'forceApprove' || memberName === 'safeApprove') {
+                const args = getCallArguments(node);
+                if (args.length >= 2) {
+                    if (isLiteralZero(args[1]))
+                        out.push('approve-zero');
+                    else
+                        out.push('approve-nonzero');
+                }
+                return;
+            }
+            out.push('external-call');
+            return;
+        }
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (helpersWithZeroApprove.has(name))
+                out.push('approve-zero');
+            if (helpersWithNonZeroApprove.has(name))
+                out.push('approve-nonzero');
+            for (const c of childrenOf(node)) {
+                collectEvents(c, helpersWithNonZeroApprove, helpersWithZeroApprove, out);
+            }
+            return;
+        }
+        for (const c of childrenOf(node)) {
+            collectEvents(c, helpersWithNonZeroApprove, helpersWithZeroApprove, out);
+        }
+        return;
+    }
+    for (const c of childrenOf(node)) {
+        collectEvents(c, helpersWithNonZeroApprove, helpersWithZeroApprove, out);
+    }
+}
+function buildFunctionMap(contract) {
+    const map = new Map();
+    for (const fn of getContractFunctions(contract)) {
+        const body = getFunctionBody(fn);
+        const internalCallees = body ? collectInternalCallNames(body) : new Set();
+        const fnName = functionDisplayName(fn);
+        map.set(fnName, {
+            node: fn,
+            name: fnName,
+            body,
+            isExternallyCallable: isExternallyCallable(fn),
+            hasNonZeroApprove: body ? bodyHasApproveOfKind(body, false) : false,
+            hasZeroApprove: body ? bodyHasApproveOfKind(body, true) : false,
+            internalCallees,
+        });
+    }
+    return map;
+}
+function bodyHasApproveOfKind(body, expectZeroAmount) {
+    return walkAny(body, n => {
+        if (!isFunctionCall(n))
+            return false;
+        const callee = n.expression;
+        if (!isNode(callee, 'MemberAccess'))
+            return false;
+        const memberName = String(callee.memberName || '');
+        if (memberName !== 'approve' && memberName !== 'forceApprove' && memberName !== 'safeApprove')
+            return false;
+        const args = getCallArguments(n);
+        if (args.length < 2)
+            return false;
+        const isZero = isLiteralZero(args[1]);
+        return expectZeroAmount ? isZero : !isZero;
+    });
+}
+function computeTransitive(fnMap, predicate) {
+    const out = new Set();
+    for (const info of fnMap.values()) {
+        if (predicate(info))
+            out.add(info.name);
+    }
+    // Lattice is monotone over a finite set of function names, so the
+    // loop is bounded by the call-graph size. The shared `runFixedPoint`
+    // primitive enforces a generous default cap; passing
+    // `throwOnNonConvergence: true` so any future change that breaks
+    // monotonicity surfaces immediately rather than silently capping.
+    (0, dataflow_1.runFixedPoint)(() => {
+        let changed = false;
+        for (const info of fnMap.values()) {
+            if (out.has(info.name))
+                continue;
+            for (const callee of info.internalCallees) {
+                if (out.has(callee)) {
+                    out.add(info.name);
+                    changed = true;
+                    break;
+                }
+            }
+        }
+        return changed;
+    }, {
+        maxPasses: Math.max(32, fnMap.size + 1),
+        name: 'halborn-security-report-aave-v3/transitive-callee-closure',
+        throwOnNonConvergence: true,
+    });
+    return out;
+}
+function isLiteralZero(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'NumberLiteral')) {
+        const raw = String(node.number ?? node.value ?? '').trim();
+        return raw === '0' || raw === '0x0' || raw === '0x00';
+    }
+    if (isNode(node, 'Literal')) {
+        if (node.kind && node.kind !== 'number')
+            return false;
+        const raw = String(node.value ?? '').trim();
+        return raw === '0' || raw === '0x0' || raw === '0x00';
+    }
+    return false;
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (callee && isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name)
+                out.add(name);
+        }
+    });
+    return out;
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (fn?.isFallback === true || kind === 'fallback')
+        return '<fallback>';
+    if (fn?.isReceiveEther === true || kind === 'receive')
+        return '<receive>';
+    if (fn?.isConstructor === true || kind === 'constructor')
+        return '<constructor>';
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=halborn-security-report-aave-v3.js.map

package/dist/detectors/incorrect-access-control.d.ts

@@ -0,0 +1,26 @@
+import type { ScanResult } from '../index';
+export declare class IncorrectAccessControlDetector {
+    readonly id = "incorrect-access-control";
+    readonly patternKey = "incorrect-access-control";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "critical";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private executableContract;
+    private contractStack;
+    private stateVars;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    private makeFinding;
+}