@snovon/solast 0.2.0

package/dist/detectors/intent-settlement-balance-manipulation.js

@@ -0,0 +1,548 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IntentSettlementBalanceManipulationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'intent-settlement-balance-manipulation';
+const PATTERN = `${RULE_ID}/solver-controlled-live-balance-settlement`;
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const ENTRY_NAMES = new Set(['execute', 'executebatch', 'settle', 'fill', 'fillorder']);
+const LOW_LEVEL_CALLS = new Set(['call', 'delegatecall']);
+const SETTLEMENT_MEMBERS = new Set(['transfer', 'safetransfer', 'transferfrom', 'safetransferfrom']);
+const INTENT_PARAM_NAMES = new Set(['order', 'orders', 'trade', 'trades', 'intent', 'intents']);
+const INTENT_TYPE_PARTS = ['order', 'trade', 'intent'];
+const TOKEN_FIELD_PARTS = ['token', 'asset'];
+const BOUND_FIELD_PARTS = ['minamountout', 'amountoutminimum', 'minimumamountout', 'buyamount', 'outputamount', 'minout'];
+const ACCOUNTING_NAME_PARTS = ['filled', 'fill', 'balance', 'amount', 'out', 'received', 'credit', 'settled'];
+class IntentSettlementBalanceManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Intent settlement uses solver-controlled live token balances for payout or accounting.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags intent-style settlement functions that execute solver-controlled calls and then settle from live token balanceOf state without validating a pre/post delta against signed intent bounds.',
+    };
+    currentFile = '';
+    findings = [];
+    contractStack = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contractStack = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        const kind = String(node?.kind || '').toLowerCase();
+        this.contractStack.push({
+            name: node?.name || '<anonymous>',
+            node,
+            executable: kind !== 'interface' && kind !== 'library',
+            stateVars: collectStateVars(node),
+        });
+    }
+    'ContractDefinition:exit'() {
+        this.contractStack.pop();
+    }
+    FunctionDefinition(node) {
+        const contract = this.currentContract();
+        if (!contract?.executable)
+            return;
+        if (!node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        if (isViewOrPure(node))
+            return;
+        const state = {
+            contract,
+            node,
+            name: node.name || '<fallback>',
+            entryNamed: ENTRY_NAMES.has(String(node.name || '').toLowerCase()),
+            intentParams: collectIntentParams(node),
+            tokenAliases: new Set(),
+            snapshotVars: new Set(),
+            liveBalanceVars: new Set(),
+            deltaVars: new Set(),
+            sawSolverControlledCall: false,
+            accessControlled: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+            hasIntentBoundValidation: false,
+            candidate: null,
+        };
+        analyzeNode(node.body, state);
+        if (!shouldReport(state))
+            return;
+        const candidate = state.candidate;
+        const loc = (0, ast_1.tryLoc)(candidate.node, node) || (0, ast_1.tryLoc)(node, contract.node);
+        if (!loc)
+            return;
+        this.findings.push({
+            file: this.currentFile,
+            contract: contract.name,
+            'function': state.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: PATTERN,
+            confidence: 'medium',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Intent settlement '${contract.name}.${state.name}' settles from a live token balance after solver-controlled execution.`,
+            rationale: candidate.reason === 'accounting-write'
+                ? 'Solver-controlled calls can perturb live token balances before settlement accounting is written, so the write must be based on an intent-bound delta invariant.'
+                : 'Solver-controlled calls can perturb live token balances before payout, so settlement transfers must be bounded by signed intent constraints instead of raw balanceOf state.',
+            suggestedFix: 'Snapshot the relevant token balance before solver execution, compute the post-execution delta, and require that delta to satisfy signed intent bounds such as minAmountOut before writing accounting or transferring funds.',
+            contractName: contract.name,
+            functionName: state.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    currentContract() {
+        return this.contractStack.length > 0 ? this.contractStack[this.contractStack.length - 1] : null;
+    }
+}
+exports.IntentSettlementBalanceManipulationDetector = IntentSettlementBalanceManipulationDetector;
+function analyzeNode(node, state) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (state.candidate && !state.candidate.hasValidatedDeltaBound)
+        return;
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        for (const stmt of node.statements || [])
+            analyzeNode(stmt, state);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+        const names = declaredNames(node);
+        const init = node.initialValue;
+        recordTokenAliases(names, init, state);
+        const read = balanceReadFromExpression(init, state);
+        if (read) {
+            for (const name of names) {
+                if (state.sawSolverControlledCall) {
+                    state.liveBalanceVars.add(name);
+                    if (read.usesSnapshotDelta)
+                        state.deltaVars.add(name);
+                }
+                else {
+                    state.snapshotVars.add(name);
+                }
+            }
+        }
+        analyzeNode(init, state);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'ExpressionStatement')) {
+        analyzeNode(node.expression, state);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+        if (ASSIGN_OPS.has(String(node.operator || ''))) {
+            const assigned = assignedName(node.left);
+            if (assigned)
+                recordTokenAliases([assigned], node.right, state);
+            const read = balanceReadFromExpression(node.right, state);
+            if (read && state.sawSolverControlledCall) {
+                if (assigned) {
+                    state.liveBalanceVars.add(assigned);
+                    if (read.usesSnapshotDelta)
+                        state.deltaVars.add(assigned);
+                }
+            }
+            if (state.sawSolverControlledCall && isAccountingWrite(node.left, state)) {
+                if (read || refersToLiveBalance(node.right, state)) {
+                    recordCandidate(state, {
+                        node,
+                        reason: 'accounting-write',
+                        hasValidatedDeltaBound: state.hasIntentBoundValidation && refersToDelta(node.right, state),
+                    });
+                }
+            }
+            analyzeNode(node.right, state);
+            return;
+        }
+        analyzeNode(node.left, state);
+        analyzeNode(node.right, state);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        handleFunctionCall(node, state);
+        analyzeNode(callExpression(node), state);
+        for (const arg of node.arguments || [])
+            analyzeNode(arg, state);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'IfStatement')) {
+        analyzeNode(node.condition, state);
+        const trueState = cloneFunctionState(state);
+        const falseState = cloneFunctionState(state);
+        analyzeNode(node.trueBody, trueState);
+        analyzeNode(node.falseBody, falseState);
+        mergeBranchStates(state, trueState, falseState);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'ForStatement')) {
+        analyzeNode(node.initExpression, state);
+        analyzeNode(node.conditionExpression, state);
+        analyzeNode(node.loopExpression, state);
+        analyzeNode(node.body, state);
+        return;
+    }
+    for (const child of childNodes(node))
+        analyzeNode(child, state);
+}
+function handleFunctionCall(node, state) {
+    const callee = callExpression(node);
+    const member = memberName(callee).toLowerCase();
+    const direct = directCallName(callee).toLowerCase();
+    if (direct === 'require' || direct === 'assert') {
+        const condition = node.arguments?.[0];
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, name => (0, access_control_1.isPrivilegedIdentifier)(name), access_control_1.getCalleeNameDefault)) {
+            state.accessControlled = true;
+        }
+        if (conditionExpressesIntentBound(condition, state)) {
+            state.hasIntentBoundValidation = true;
+        }
+        return;
+    }
+    if (LOW_LEVEL_CALLS.has(member) && !isSelfCallTarget(callee)) {
+        state.sawSolverControlledCall = true;
+        return;
+    }
+    if (!state.sawSolverControlledCall)
+        return;
+    if (SETTLEMENT_MEMBERS.has(member)) {
+        const amountArg = settlementAmountArg(member, node.arguments || []);
+        if (amountArg && (refersToLiveBalance(amountArg, state) || !!balanceReadFromExpression(amountArg, state))) {
+            recordCandidate(state, {
+                node,
+                reason: 'transfer',
+                hasValidatedDeltaBound: state.hasIntentBoundValidation && refersToDelta(amountArg, state),
+            });
+        }
+    }
+}
+function shouldReport(state) {
+    if (!state.candidate)
+        return false;
+    if (!state.sawSolverControlledCall)
+        return false;
+    if (state.accessControlled)
+        return false;
+    if (state.candidate.hasValidatedDeltaBound)
+        return false;
+    return state.entryNamed || state.intentParams.size > 0;
+}
+function recordCandidate(state, candidate) {
+    if (!state.candidate || (state.candidate.hasValidatedDeltaBound && !candidate.hasValidatedDeltaBound)) {
+        state.candidate = candidate;
+    }
+}
+function cloneFunctionState(state) {
+    return {
+        ...state,
+        intentParams: new Set(state.intentParams),
+        tokenAliases: new Set(state.tokenAliases),
+        snapshotVars: new Set(state.snapshotVars),
+        liveBalanceVars: new Set(state.liveBalanceVars),
+        deltaVars: new Set(state.deltaVars),
+        candidate: state.candidate ? { ...state.candidate } : null,
+    };
+}
+function mergeBranchStates(parent, trueState, falseState) {
+    if (shouldReport(trueState)) {
+        parent.candidate = trueState.candidate ? { ...trueState.candidate } : null;
+    }
+    else if (shouldReport(falseState)) {
+        parent.candidate = falseState.candidate ? { ...falseState.candidate } : null;
+    }
+    else {
+        parent.candidate = null;
+    }
+    unionInto(parent.tokenAliases, trueState.tokenAliases, falseState.tokenAliases);
+    unionInto(parent.snapshotVars, trueState.snapshotVars, falseState.snapshotVars);
+    unionInto(parent.liveBalanceVars, trueState.liveBalanceVars, falseState.liveBalanceVars);
+    unionInto(parent.deltaVars, trueState.deltaVars, falseState.deltaVars);
+    parent.sawSolverControlledCall = trueState.sawSolverControlledCall || falseState.sawSolverControlledCall;
+    parent.accessControlled = trueState.accessControlled && falseState.accessControlled;
+    parent.hasIntentBoundValidation = trueState.hasIntentBoundValidation && falseState.hasIntentBoundValidation;
+}
+function unionInto(target, ...sources) {
+    for (const source of sources) {
+        for (const item of source)
+            target.add(item);
+    }
+}
+function collectStateVars(contract) {
+    const vars = new Set();
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                vars.add(String(variable.name));
+        }
+    }
+    return vars;
+}
+function collectIntentParams(fn) {
+    const names = new Set();
+    for (const param of fn?.parameters || []) {
+        const name = String(param?.name || '');
+        const lower = name.toLowerCase();
+        if (INTENT_PARAM_NAMES.has(lower) || typeNameContains(param?.typeName, INTENT_TYPE_PARTS)) {
+            if (name)
+                names.add(name);
+        }
+    }
+    return names;
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public';
+}
+function isViewOrPure(fn) {
+    const mutability = String(fn?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function declaredNames(node) {
+    const names = [];
+    for (const variable of node?.variables || []) {
+        if (variable?.name)
+            names.push(String(variable.name));
+    }
+    return names;
+}
+function recordTokenAliases(names, expr, state) {
+    if (names.length === 0)
+        return;
+    if (!isOrderAssetCast(expr, state))
+        return;
+    for (const name of names)
+        state.tokenAliases.add(name);
+}
+function balanceReadFromExpression(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (isBalanceOfOrderAsset(expr, state)) {
+        return { node: expr, usesSnapshotDelta: false };
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation') && String(expr.operator || '') === '-') {
+        const left = balanceReadFromExpression(expr.left, state);
+        if (left && refersToSnapshot(expr.right, state)) {
+            return { node: left.node, usesSnapshotDelta: true };
+        }
+        const right = balanceReadFromExpression(expr.right, state);
+        if (right && refersToSnapshot(expr.left, state)) {
+            return { node: right.node, usesSnapshotDelta: true };
+        }
+    }
+    return null;
+}
+function isBalanceOfOrderAsset(call, state) {
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return false;
+    const callee = callExpression(call);
+    if (memberName(callee) !== 'balanceOf')
+        return false;
+    if (!isSelfBalanceRead(call))
+        return false;
+    const assetExpr = callee?.expression;
+    return isOrderAssetExpression(assetExpr, state);
+}
+function isSelfBalanceRead(call) {
+    const arg = call.arguments?.[0];
+    if (!arg)
+        return true;
+    if ((0, ast_1.isNode)(arg, 'Identifier') && String(arg.name || '') === 'this')
+        return true;
+    if (!(0, ast_1.isNode)(arg, 'FunctionCall'))
+        return false;
+    if (directCallName(callExpression(arg)) !== 'address')
+        return false;
+    const inner = arg.arguments?.[0];
+    return (0, ast_1.isNode)(inner, 'Identifier') && String(inner.name || '') === 'this';
+}
+function isOrderAssetExpression(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return state.tokenAliases.has(String(expr.name || ''));
+    if (isOrderAssetCast(expr, state))
+        return true;
+    return false;
+}
+function isOrderAssetCast(expr, state) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const args = expr.arguments || [];
+    if (args.length !== 1)
+        return false;
+    return isIntentAssetReference(args[0], state);
+}
+function isIntentAssetReference(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const field = String(expr.memberName || '').toLowerCase();
+        if (!TOKEN_FIELD_PARTS.some(part => field.includes(part)))
+            return false;
+        return referencesIntentParam(expr.expression, state);
+    }
+    return false;
+}
+function referencesIntentParam(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return state.intentParams.has(String(expr.name || ''));
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return referencesIntentParam(expr.base || expr.baseExpression, state);
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return referencesIntentParam(expr.expression, state);
+    return false;
+}
+function refersToSnapshot(expr, state) {
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return state.snapshotVars.has(String(expr.name || ''));
+    return false;
+}
+function refersToLiveBalance(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return state.liveBalanceVars.has(String(expr.name || ''));
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        return refersToLiveBalance(expr.left, state) || refersToLiveBalance(expr.right, state);
+    }
+    if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.components || []).some((child) => refersToLiveBalance(child, state));
+    }
+    return false;
+}
+function conditionExpressesIntentBound(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        const op = String(expr.operator || '');
+        if (op === '&&' || op === '||') {
+            return conditionExpressesIntentBound(expr.left, state) || conditionExpressesIntentBound(expr.right, state);
+        }
+        if (['>=', '>', '<=', '<', '==', '==='].includes(op)) {
+            return ((refersToDelta(expr.left, state) && isIntentBoundReference(expr.right, state)) ||
+                (refersToDelta(expr.right, state) && isIntentBoundReference(expr.left, state)));
+        }
+    }
+    return false;
+}
+function refersToDelta(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return state.deltaVars.has(String(expr.name || ''));
+    const read = balanceReadFromExpression(expr, state);
+    if (read && read.usesSnapshotDelta)
+        return true;
+    return false;
+}
+function isIntentBoundReference(expr, state) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const field = String(expr.memberName || '').toLowerCase();
+        if (!BOUND_FIELD_PARTS.some(part => field.includes(part)))
+            return false;
+        return referencesIntentParam(expr.expression, state);
+    }
+    return false;
+}
+function isAccountingWrite(left, state) {
+    const root = rootIdentifier(left);
+    if (!root || !state.contract.stateVars.has(root))
+        return false;
+    return ACCOUNTING_NAME_PARTS.some(part => root.toLowerCase().includes(part));
+}
+function assignedName(left) {
+    if ((0, ast_1.isNode)(left, 'Identifier'))
+        return String(left.name || '');
+    return '';
+}
+function rootIdentifier(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+        return rootIdentifier(expr.base || expr.baseExpression);
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return rootIdentifier(expr.expression);
+    return '';
+}
+function settlementAmountArg(member, args) {
+    if (member === 'transfer' || member === 'safetransfer')
+        return args[1];
+    if (member === 'transferfrom' || member === 'safetransferfrom')
+        return args[2];
+    return null;
+}
+function isSelfCallTarget(callee) {
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    const target = callee.expression;
+    return (0, ast_1.isNode)(target, 'Identifier') && String(target.name || '') === 'this';
+}
+function callExpression(call) {
+    const expr = call?.expression;
+    if ((0, ast_1.isNode)(expr, 'NameValueExpression'))
+        return expr.expression;
+    return expr;
+}
+function memberName(expr) {
+    return (0, ast_1.isNode)(expr, 'MemberAccess') ? String(expr.memberName || '') : '';
+}
+function directCallName(expr) {
+    return (0, ast_1.isNode)(expr, 'Identifier') ? String(expr.name || '') : memberName(expr);
+}
+function typeNameContains(typeName, parts) {
+    const text = typeNameText(typeName).toLowerCase();
+    return parts.some(part => text.includes(part));
+}
+function typeNameText(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return '';
+    if (typeof typeName.name === 'string')
+        return typeName.name;
+    if (typeof typeName.namePath === 'string')
+        return typeName.namePath;
+    if (typeName.baseTypeName)
+        return typeNameText(typeName.baseTypeName);
+    if (typeName.typeName)
+        return typeNameText(typeName.typeName);
+    return '';
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node || {})) {
+        if (key === 'loc' || key === 'range' || key === 'type')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object' && typeof item.type === 'string')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object' && typeof value.type === 'string') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+//# sourceMappingURL=intent-settlement-balance-manipulation.js.map

package/dist/detectors/l1-to-l2-message-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class L1ToL2MessageReentrancyDetector {
+    readonly id = "l1-to-l2-message-reentrancy";
+    readonly patternKey = "l1-to-l2-message-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}