@snovon/solast 0.2.0

package/dist/detectors/lack-of-slippage-protection.js

@@ -0,0 +1,474 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LackOfSlippageProtectionDetector = void 0;
+const RULE_ID = 'lack-of-slippage-protection';
+const ORACLE_TRANSFER_PATTERN = `${RULE_ID}/oracle-derived-transfer-without-bound`;
+const ZERO_MIN_SWAP_PATTERN = `${RULE_ID}/zero-minimum-swap`;
+const PROVENANCE = 'issue-1191-dcftoken-lack-of-slippage-protection';
+class LackOfSlippageProtectionDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        const seen = new Set();
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                if (!fn.body)
+                    continue;
+                if (!isExternallyCallable(fn))
+                    continue;
+                const functionName = getName(fn) || '<anonymous>';
+                const params = new Set();
+                const boundParams = new Set();
+                for (const param of getParameters(fn)) {
+                    const name = getName(param);
+                    if (!name)
+                        continue;
+                    params.add(name);
+                    if (isBoundName(name))
+                        boundParams.add(name);
+                }
+                const ctx = {
+                    contractName,
+                    functionName,
+                    params,
+                    boundParams,
+                    oracleDerived: new Set(),
+                    zeroValues: new Set(),
+                    guardedOutputs: new Set(),
+                };
+                for (const sink of scanBlock(fn.body, ctx)) {
+                    const loc = locOf(sink.node) || locOf(fn) || { line: 0, column: 0 };
+                    const key = `${contractName}:${functionName}:${loc.line}:${loc.column}:${sink.pattern}`;
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    findings.push(makeFinding(file, contractName, functionName, loc, sink.pattern));
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.LackOfSlippageProtectionDetector = LackOfSlippageProtectionDetector;
+function scanBlock(block, ctx) {
+    const findings = [];
+    for (const stmt of getBlockStatements(block)) {
+        findings.push(...scanStatement(stmt, ctx));
+    }
+    return findings;
+}
+function scanStatement(stmt, ctx) {
+    if (!stmt || typeof stmt !== 'object')
+        return [];
+    if (isNode(stmt, 'Block'))
+        return scanBlock(stmt, ctx);
+    if (isNode(stmt, 'IfStatement')) {
+        const findings = [];
+        const trueCtx = cloneCtx(ctx);
+        collectSlippageGuards(stmt.condition, trueCtx);
+        if (stmt.trueBody)
+            findings.push(...scanStatement(stmt.trueBody, trueCtx));
+        if (stmt.falseBody)
+            findings.push(...scanStatement(stmt.falseBody, cloneCtx(ctx)));
+        return findings;
+    }
+    if (isRequireOrAssertStatement(stmt)) {
+        collectSlippageGuards(stmt.expression?.arguments?.[0], ctx);
+        collectAssignments(stmt, ctx);
+        return [];
+    }
+    const findings = findSinkCandidates(stmt, ctx);
+    collectAssignments(stmt, ctx);
+    return findings;
+}
+function collectAssignments(stmt, ctx) {
+    walk(stmt, node => {
+        if (isNode(node, 'VariableDeclarationStatement')) {
+            const init = node.initialValue ?? node.initialvalue;
+            for (const decl of getVariableDeclarations(node)) {
+                const name = getName(decl);
+                if (!name)
+                    continue;
+                if (isZeroExpression(init, ctx))
+                    ctx.zeroValues.add(name);
+                if (isOracleDerivedExpression(init, ctx))
+                    ctx.oracleDerived.add(name);
+            }
+            return;
+        }
+        if (!isAssignmentNode(node))
+            return;
+        const right = getBinaryRight(node);
+        for (const name of collectAssignTargets(getBinaryLeft(node))) {
+            if (isZeroExpression(right, ctx))
+                ctx.zeroValues.add(name);
+            if (isOracleDerivedExpression(right, ctx))
+                ctx.oracleDerived.add(name);
+        }
+    });
+}
+function collectSlippageGuards(condition, ctx) {
+    walk(condition, node => {
+        if (!isNode(node, 'BinaryOperation'))
+            return;
+        const op = String(node.operator || '');
+        if (!['>', '>=', '<', '<='].includes(op))
+            return;
+        const left = getBinaryLeft(node);
+        const right = getBinaryRight(node);
+        if ((op === '>' || op === '>=') && isOracleDerivedExpression(left, ctx) && isCallerBound(right, ctx)) {
+            addAccessRoot(left, ctx.guardedOutputs);
+        }
+        if ((op === '<' || op === '<=') && isOracleDerivedExpression(right, ctx) && isCallerBound(left, ctx)) {
+            addAccessRoot(right, ctx.guardedOutputs);
+        }
+    });
+}
+function findSinkCandidates(stmt, ctx) {
+    const candidates = [];
+    walk(stmt, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        if (!isNode(callee, 'MemberAccess'))
+            return;
+        const method = String(callee.memberName || '');
+        const minArg = getSwapMinimumArgument(method, node);
+        if (minArg && isZeroExpression(minArg, ctx)) {
+            candidates.push({ node, pattern: ZERO_MIN_SWAP_PATTERN });
+            return;
+        }
+        const transferAmount = getTransferAmount(method, node);
+        if (!transferAmount)
+            return;
+        if (!isOracleDerivedExpression(transferAmount, ctx))
+            return;
+        const amountName = accessRoot(transferAmount) || undefined;
+        if (amountName && ctx.guardedOutputs.has(amountName))
+            return;
+        candidates.push({ node, pattern: ORACLE_TRANSFER_PATTERN, amountName });
+    });
+    return candidates;
+}
+function getTransferAmount(method, call) {
+    const args = getCallArguments(call);
+    if (method === 'transfer')
+        return args[1] || null;
+    if (method === 'transferFrom')
+        return args[2] || null;
+    return null;
+}
+function getSwapMinimumArgument(method, call) {
+    const args = getCallArguments(call);
+    if (/^swapExact/i.test(method)) {
+        const namedArg = getNamedCallArgument(call, ['amountoutmin', 'amountoutminimum', 'minout', 'minimumamountout']);
+        return namedArg || args[1] || null;
+    }
+    if (method === 'exactInputSingle' || method === 'exactInput')
+        return getV3MinimumArgument(args[0]);
+    return null;
+}
+function getV3MinimumArgument(arg) {
+    const unwrapped = unwrapCallOptions(arg);
+    if (isNode(unwrapped, 'TupleExpression'))
+        return getTupleComponents(unwrapped)[6] || null;
+    if (isNode(unwrapped, 'FunctionCall')) {
+        const namedArg = getNamedCallArgument(unwrapped, ['amountoutminimum']);
+        if (namedArg)
+            return namedArg;
+        return getCallArguments(unwrapped)[6] || null;
+    }
+    return null;
+}
+function isOracleDerivedExpression(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    const root = accessRoot(expr);
+    if (root && ctx.oracleDerived.has(root))
+        return true;
+    return walkAny(expr, node => {
+        const nestedRoot = accessRoot(node);
+        if (nestedRoot && ctx.oracleDerived.has(nestedRoot))
+            return true;
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = unwrapCallOptions(node.expression);
+        if (!isNode(callee, 'MemberAccess'))
+            return false;
+        return isOracleLikeMethod(String(callee.memberName || ''));
+    });
+}
+function isOracleLikeMethod(method) {
+    return /(price|quote|latestanswer|latestrounddata|getamountsout|getamountout)/i.test(method);
+}
+function isCallerBound(expr, ctx) {
+    const root = accessRoot(expr);
+    return !!root && ctx.params.has(root) && (ctx.boundParams.has(root) || isBoundName(root));
+}
+function isBoundName(name) {
+    return /(min|minimum|amountoutmin|amountoutminimum|slippage|limit|floor|bound|worst|guaranteed)/i.test(name);
+}
+function isZeroExpression(expr, ctx) {
+    if (isZeroLiteral(expr))
+        return true;
+    const root = accessRoot(expr);
+    return !!root && ctx.zeroValues.has(root);
+}
+function isZeroLiteral(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'NumberLiteral'))
+        return String(expr.number ?? expr.value ?? '') === '0';
+    if (isNode(expr, 'Literal'))
+        return String(expr.value ?? '') === '0';
+    return false;
+}
+function isRequireOrAssertStatement(stmt) {
+    if (!isNode(stmt, 'ExpressionStatement') || !isNode(stmt.expression, 'FunctionCall'))
+        return false;
+    const name = getCalleeIdentifierName(stmt.expression.expression).toLowerCase();
+    return name === 'require' || name === 'assert';
+}
+function makeFinding(file, contractName, functionName, loc, pattern) {
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Lack of slippage protection in '${contractName}.${functionName}': variable-priced output moves value before a caller-controlled minimum-out or price-bound guard is enforced.`,
+        rationale: 'DCF-token-style flows that use oracle, quote, or exact-input swap outputs without a minimum-out bound can be drained when the price source or route is manipulated.',
+        suggestedFix: 'Require a caller-supplied minOut/amountOutMin or equivalent price limit before the transfer or swap, and reject zero minimum-output values.',
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+        provenance: PROVENANCE,
+        source: PROVENANCE,
+    };
+}
+function cloneCtx(ctx) {
+    return {
+        ...ctx,
+        params: new Set(ctx.params),
+        boundParams: new Set(ctx.boundParams),
+        oracleDerived: new Set(ctx.oracleDerived),
+        zeroValues: new Set(ctx.zeroValues),
+        guardedOutputs: new Set(ctx.guardedOutputs),
+    };
+}
+function getNamedCallArgument(call, targetNames) {
+    const targets = new Set(targetNames.map(name => name.toLowerCase()));
+    const names = getArgumentNames(call).map(name => name.toLowerCase());
+    const args = getCallArguments(call);
+    const index = names.findIndex(name => targets.has(name));
+    if (index >= 0)
+        return args[index] || null;
+    for (const rawArg of getRawCallArguments(call)) {
+        if (!isNode(rawArg, 'NameValueExpression'))
+            continue;
+        const name = nodeName(rawArg.name).toLowerCase();
+        if (targets.has(name))
+            return rawArg.expression ?? rawArg.value ?? null;
+    }
+    return null;
+}
+function getArgumentNames(call) {
+    if (Array.isArray(call?.names))
+        return call.names.map(nodeName);
+    if (Array.isArray(call?.arguments?.names))
+        return call.arguments.names.map(nodeName);
+    if (Array.isArray(call?.identifiers))
+        return call.identifiers.map(nodeName);
+    return [];
+}
+function getCallArguments(node) {
+    return getRawCallArguments(node).map(arg => isNode(arg, 'NameValueExpression') ? (arg.expression ?? arg.value ?? null) : arg);
+}
+function getRawCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function getTupleComponents(node) {
+    if (Array.isArray(node?.components))
+        return node.components;
+    if (Array.isArray(node?.elements))
+        return node.elements;
+    return [];
+}
+function unwrapCallOptions(expr) {
+    let current = expr;
+    while (current && (isNode(current, 'NameValueExpression') || isNode(current, 'FunctionCallOptions'))) {
+        current = current.expression;
+    }
+    return current;
+}
+function getCalleeIdentifierName(expr) {
+    const unwrapped = unwrapCallOptions(expr);
+    if (isNode(unwrapped, 'Identifier'))
+        return String(unwrapped.name || '');
+    if (isNode(unwrapped, 'MemberAccess'))
+        return String(unwrapped.memberName || '');
+    return '';
+}
+function getVariableDeclarations(stmt) {
+    if (Array.isArray(stmt?.variables))
+        return stmt.variables;
+    if (Array.isArray(stmt?.declarations))
+        return stmt.declarations;
+    return [];
+}
+function collectAssignTargets(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if (isNode(node, 'Identifier'))
+        return node.name ? [String(node.name)] : [];
+    if (isNode(node, 'TupleExpression'))
+        return getTupleComponents(node).flatMap(collectAssignTargets);
+    return [];
+}
+function isAssignmentNode(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Assignment'))
+        return true;
+    return isNode(node, 'BinaryOperation') && String(node.operator || '') === '=';
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function accessRoot(node) {
+    const path = collectAccessPath(node);
+    return path ? path.split(/[.\[]/)[0] : null;
+}
+function addAccessRoot(node, target) {
+    const root = accessRoot(node);
+    if (root)
+        target.add(root);
+}
+function collectAccessPath(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (isNode(node, 'Identifier'))
+        return node.name ? String(node.name) : null;
+    if (isNode(node, 'MemberAccess')) {
+        const base = collectAccessPath(node.expression);
+        if (!base || !node.memberName)
+            return null;
+        return `${base}.${String(node.memberName)}`;
+    }
+    if (isNode(node, 'IndexAccess')) {
+        const base = collectAccessPath(node.base ?? node.baseExpression);
+        return base ? `${base}[]` : null;
+    }
+    return null;
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    if (visibility === 'private' || visibility === 'internal')
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    return kind !== 'constructor' && !fn.isConstructor;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getParameters(fn) {
+    if (Array.isArray(fn?.parameters))
+        return fn.parameters;
+    if (Array.isArray(fn?.parameters?.parameters))
+        return fn.parameters.parameters;
+    return [];
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(node => isNode(node, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (Array.isArray(contract?.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract?.nodes))
+        return contract.nodes;
+    return [];
+}
+function getBlockStatements(body) {
+    return Array.isArray(body?.statements) ? body.statements : [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            out.push(node);
+    });
+    return out;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function nodeName(node) {
+    if (typeof node === 'string')
+        return node;
+    if (!node || typeof node !== 'object')
+        return '';
+    return String(node.name || node.namePath || node.memberName || '');
+}
+function locOf(node) {
+    if (!node?.loc?.start)
+        return null;
+    return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+}
+//# sourceMappingURL=lack-of-slippage-protection.js.map

package/dist/detectors/lack-of-validation-data.d.ts

@@ -0,0 +1,23 @@
+import type { ScanResult } from '../index';
+export declare class LackOfValidationDataDetector {
+    readonly id = "lack-of-validation-data";
+    readonly patternKey = "lack-of-validation-data";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private findings;
+    private seen;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    private emitFinding;
+}