@snovon/solast 0.2.0

package/dist/detectors/layerzero-v2-unverified-origin.js

@@ -0,0 +1,368 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LayerZeroV2UnverifiedOriginDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'layerzero-v2-unverified-origin';
+const RECEIVE_HANDLERS = new Set(['_lzReceive', 'lzReceive']);
+const COMPOSE_HANDLERS = new Set(['_lzCompose', 'lzCompose']);
+const ENDPOINT_MODIFIER_NAMES = new Set(['onlyEndpoint', 'onlyLzEndpoint', 'onlyLayerZeroEndpoint']);
+const ENDPOINT_AUTH_CALLS = new Set(['_authorizeEndpoint', '_checkEndpoint', '_requireEndpoint']);
+const REVERT_CALLS = new Set(['revert', 'require', 'assert']);
+class LayerZeroV2UnverifiedOriginDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scan(ast, ctx = {}) {
+        return this.scanAst(ast, ctx.file || ctx.filename || '<ast>');
+    }
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const modifiers = this.collectModifiers(contract);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!this.isLayerZeroHandler(fn))
+                    continue;
+                if (!fn.body)
+                    continue;
+                if (this.isEmptyBody(fn.body))
+                    continue;
+                if (this.delegatesToSuper(fn.body, fn.name))
+                    continue;
+                const requiredPeer = RECEIVE_HANDLERS.has(String(fn.name || ''));
+                const guards = this.collectDominatingGuards(fn, modifiers);
+                if (guards.endpoint && (!requiredPeer || guards.peer))
+                    continue;
+                findings.push(this.makeFinding(file, contract, fn, requiredPeer, guards));
+            }
+        }
+        return findings;
+    }
+    collectModifiers(contract) {
+        const out = new Map();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'ModifierDefinition' && sub.name)
+                out.set(String(sub.name), sub);
+        }
+        return out;
+    }
+    isLayerZeroHandler(fn) {
+        const name = String(fn?.name || '');
+        return RECEIVE_HANDLERS.has(name) || COMPOSE_HANDLERS.has(name);
+    }
+    collectDominatingGuards(fn, modifiers) {
+        const guards = { endpoint: false, peer: false };
+        const originContext = this.collectOriginContext(fn);
+        for (const inv of fn.modifiers || []) {
+            const name = String(inv?.name || '');
+            if (ENDPOINT_MODIFIER_NAMES.has(name) || /endpoint/i.test(name)) {
+                guards.endpoint = true;
+            }
+            const modifier = modifiers.get(name);
+            if (modifier?.body)
+                this.merge(guards, this.collectTopLevelGuards(modifier.body, true, this.cloneOriginContext(originContext)));
+        }
+        this.merge(guards, this.collectTopLevelGuards(fn.body, false, originContext));
+        return guards;
+    }
+    collectOriginContext(fn) {
+        const context = {
+            srcIdNames: new Set(),
+            senderNames: new Set(),
+            peerAliases: new Set(),
+        };
+        for (const param of fn?.parameters || []) {
+            const name = String(param?.name || param?.identifier?.name || '');
+            if (/^(srcEid|srcChainId|sourceEid|sourceChainId|srcChain|sourceChain)$/i.test(name)) {
+                context.srcIdNames.add(name);
+            }
+            if (/^(srcSender|srcAddress|sourceSender|sourceAddress|sender)$/i.test(name)) {
+                context.senderNames.add(name);
+            }
+        }
+        return context;
+    }
+    cloneOriginContext(context) {
+        return {
+            srcIdNames: new Set(context.srcIdNames),
+            senderNames: new Set(context.senderNames),
+            peerAliases: new Set(context.peerAliases),
+        };
+    }
+    collectTopLevelGuards(body, allowPlaceholder, originContext) {
+        const guards = { endpoint: false, peer: false };
+        const statements = Array.isArray(body?.statements) ? body.statements : [];
+        for (const stmt of statements) {
+            if (allowPlaceholder && stmt?.type === 'PlaceholderStatement')
+                continue;
+            const stmtGuards = this.guardsFromTopLevelStatement(stmt, originContext);
+            if (!stmtGuards)
+                break;
+            this.merge(guards, stmtGuards);
+        }
+        return guards;
+    }
+    guardsFromTopLevelStatement(stmt, originContext) {
+        if (!stmt || typeof stmt !== 'object')
+            return null;
+        if (stmt.type === 'ExpressionStatement') {
+            const expr = stmt.expression;
+            if (this.isEndpointAuthCall(expr))
+                return { endpoint: true, peer: false };
+            if (expr?.type === 'FunctionCall') {
+                const name = this.callName(expr.expression);
+                if ((name === 'require' || name === 'assert') && expr.arguments?.[0]) {
+                    return this.guardsFromCondition(expr.arguments[0], false, originContext);
+                }
+            }
+        }
+        if (stmt.type === 'VariableDeclarationStatement' && this.recordPeerAlias(stmt, originContext)) {
+            return { endpoint: false, peer: false };
+        }
+        if (stmt.type === 'IfStatement' && this.branchAlwaysReverts(stmt.trueBody)) {
+            return this.guardsFromCondition(stmt.condition, true, originContext);
+        }
+        return null;
+    }
+    guardsFromCondition(node, inverted, originContext) {
+        if (!node || typeof node !== 'object')
+            return { endpoint: false, peer: false };
+        if (node.type === 'BinaryOperation') {
+            if (node.operator === '&&') {
+                const left = this.guardsFromCondition(node.left, inverted, originContext);
+                const right = this.guardsFromCondition(node.right, inverted, originContext);
+                return { endpoint: left.endpoint || right.endpoint, peer: left.peer || right.peer };
+            }
+            if (node.operator === '||')
+                return { endpoint: false, peer: false };
+            const expectedOp = inverted ? '!=' : '==';
+            if (node.operator !== expectedOp)
+                return { endpoint: false, peer: false };
+            return {
+                endpoint: this.isEndpointComparison(node.left, node.right),
+                peer: this.isPeerComparison(node.left, node.right, originContext),
+            };
+        }
+        return { endpoint: false, peer: false };
+    }
+    isEndpointComparison(left, right) {
+        return (this.isMsgSender(left) && this.isEndpointLike(right))
+            || (this.isMsgSender(right) && this.isEndpointLike(left));
+    }
+    isPeerComparison(left, right, originContext) {
+        return (this.isPeerSender(left, originContext) && this.isTrustedPeerLookup(right, originContext))
+            || (this.isPeerSender(right, originContext) && this.isTrustedPeerLookup(left, originContext));
+    }
+    isMsgSender(node) {
+        return node?.type === 'MemberAccess'
+            && String(node.memberName || '') === 'sender'
+            && node.expression?.type === 'Identifier'
+            && String(node.expression.name || '') === 'msg';
+    }
+    isEndpointLike(node) {
+        const unwrapped = this.unwrapCall(node);
+        if (unwrapped?.type === 'Identifier')
+            return /endpoint/i.test(String(unwrapped.name || ''));
+        if (unwrapped?.type === 'MemberAccess')
+            return /endpoint/i.test(String(unwrapped.memberName || ''));
+        return false;
+    }
+    isPeerSender(node, originContext) {
+        if (node?.type === 'Identifier') {
+            const name = String(node.name || '');
+            return originContext.senderNames.has(name) || originContext.peerAliases.has(name);
+        }
+        return node?.type === 'MemberAccess'
+            && String(node.memberName || '') === 'sender'
+            && this.originBaseName(node.expression) !== null;
+    }
+    isOriginSrcEid(node, originContext) {
+        if (node?.type === 'Identifier')
+            return originContext.srcIdNames.has(String(node.name || ''));
+        return node?.type === 'MemberAccess'
+            && String(node.memberName || '') === 'srcEid'
+            && this.originBaseName(node.expression) !== null;
+    }
+    originBaseName(node) {
+        if (node?.type !== 'Identifier')
+            return null;
+        const name = String(node.name || '');
+        return /origin/i.test(name) ? name : null;
+    }
+    isTrustedPeerLookup(node, originContext) {
+        const unwrapped = this.unwrapCall(node);
+        if (!unwrapped || unwrapped.type !== 'IndexAccess')
+            return false;
+        if (!this.isTrustedPeerStore(unwrapped.base))
+            return false;
+        return this.contains(unwrapped.index, n => this.isOriginSrcEid(n, originContext));
+    }
+    isTrustedPeerStore(node) {
+        if (node?.type === 'Identifier')
+            return /peer|trusted|remote/i.test(String(node.name || ''));
+        if (node?.type === 'MemberAccess')
+            return /peer|trusted|remote/i.test(String(node.memberName || ''));
+        return false;
+    }
+    branchAlwaysReverts(node) {
+        if (!node)
+            return false;
+        if (node.type === 'Block') {
+            const statements = Array.isArray(node.statements) ? node.statements : [];
+            return statements.some((stmt) => this.statementReverts(stmt));
+        }
+        return this.statementReverts(node);
+    }
+    statementReverts(stmt) {
+        if (stmt?.type === 'RevertStatement' || stmt?.type === 'ThrowStatement')
+            return true;
+        if (stmt?.type !== 'ExpressionStatement')
+            return false;
+        const expr = stmt.expression;
+        if (expr?.type !== 'FunctionCall')
+            return false;
+        const name = this.callName(expr.expression);
+        return !!name && REVERT_CALLS.has(name);
+    }
+    delegatesToSuper(body, fnName) {
+        let found = false;
+        this.walk(body, node => {
+            if (found || node?.type !== 'FunctionCall')
+                return;
+            const expr = node.expression;
+            if (expr?.type !== 'MemberAccess' || String(expr.memberName || '') !== fnName)
+                return;
+            const base = expr.expression;
+            if (base?.type === 'Identifier' && String(base.name || '') === 'super')
+                found = true;
+        });
+        return found;
+    }
+    isEmptyBody(body) {
+        return Array.isArray(body?.statements) && body.statements.length === 0;
+    }
+    isEndpointAuthCall(node) {
+        if (node?.type !== 'FunctionCall')
+            return false;
+        const name = this.callName(node.expression);
+        return !!name && ENDPOINT_AUTH_CALLS.has(name);
+    }
+    recordPeerAlias(stmt, originContext) {
+        if (!this.isPeerAliasInitializer(stmt.initialValue, originContext))
+            return false;
+        let recorded = false;
+        for (const variable of stmt.variables || []) {
+            const name = String(variable?.name || variable?.identifier?.name || '');
+            if (!name)
+                continue;
+            originContext.peerAliases.add(name);
+            recorded = true;
+        }
+        return recorded;
+    }
+    isPeerAliasInitializer(node, originContext) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isPeerSender(node, originContext))
+            return true;
+        if (node.type === 'FunctionCall' && this.callName(node.expression) === 'decode') {
+            return Array.isArray(node.arguments) && node.arguments.some((arg) => this.isPeerSender(arg, originContext));
+        }
+        return false;
+    }
+    callName(expr) {
+        if (!expr)
+            return null;
+        if (expr.type === 'Identifier')
+            return expr.name || null;
+        if (expr.type === 'MemberAccess')
+            return expr.memberName || null;
+        if (expr.type === 'NameValueExpression')
+            return this.callName(expr.expression);
+        return null;
+    }
+    unwrapCall(node) {
+        let current = node;
+        while (current?.type === 'FunctionCall' && Array.isArray(current.arguments) && current.arguments.length === 1) {
+            current = current.arguments[0];
+        }
+        return current;
+    }
+    contains(node, predicate) {
+        let found = false;
+        this.walk(node, child => {
+            if (!found && predicate(child))
+                found = true;
+        });
+        return found;
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.childNodes(node))
+            this.walk(child, visit);
+    }
+    childNodes(node) {
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+    merge(target, source) {
+        target.endpoint = target.endpoint || source.endpoint;
+        target.peer = target.peer || source.peer;
+    }
+    makeFinding(file, contract, fn, requiredPeer, guards) {
+        const loc = this.locOf(fn);
+        const contractName = String(contract.name || '<anonymous>');
+        const functionName = String(fn.name || '<anonymous>');
+        const missing = !guards.endpoint
+            ? 'endpoint caller check'
+            : requiredPeer && !guards.peer
+                ? 'trusted-peer origin check'
+                : 'LayerZero origin validation';
+        return {
+            file,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            column: loc.column,
+            ruleId: RULE_ID,
+            pattern: RULE_ID,
+            severity: 'high',
+            confidence: 'high',
+            category: 'vulnerability',
+            message: `LayerZero v2 handler '${contractName}.${functionName}' is missing a dominating ${missing} before processing a cross-chain payload.`,
+            contractName,
+            functionName,
+            sourceLocation: loc,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    locOf(node) {
+        const { line, column } = (0, ast_1.assertLoc)(node);
+        return { line, column };
+    }
+}
+exports.LayerZeroV2UnverifiedOriginDetector = LayerZeroV2UnverifiedOriginDetector;
+//# sourceMappingURL=layerzero-v2-unverified-origin.js.map

package/dist/detectors/liquidation-accounting-desync.d.ts

@@ -0,0 +1,14 @@
+import type { ScanResult } from '../api';
+export declare class LiquidationAccountingDesyncDetector {
+    readonly id = "liquidation-accounting-desync";
+    readonly patternKey = "liquidation-accounting-desync";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+}

package/dist/detectors/liquidation-accounting-desync.js

@@ -0,0 +1,145 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LiquidationAccountingDesyncDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'liquidation-accounting-desync';
+function childNodes(node) {
+    const out = [];
+    if (!node || typeof node !== 'object')
+        return out;
+    for (const key of Object.keys(node)) {
+        if (key === 'loc' || key === 'range' || key === 'typeName')
+            continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function getDirectCallName(expr) {
+    if (!expr)
+        return '';
+    if (expr.type === 'Identifier')
+        return expr.name || '';
+    return '';
+}
+function getMemberName(expr) {
+    if (!expr)
+        return '';
+    if (expr.type === 'MemberAccess')
+        return expr.memberName || '';
+    return '';
+}
+class LiquidationAccountingDesyncDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    currentContract = '';
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '';
+    }
+    ContractDefinition_post() {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        if (!node.body)
+            return;
+        const name = (node.name || '').toLowerCase();
+        if (!(name.includes('liquidat') || name.includes('redeem') || name.includes('close')))
+            return;
+        const events = [];
+        const w = (n) => {
+            if (!n || typeof n !== 'object')
+                return;
+            if (n.type === 'FunctionCall') {
+                const cname = getDirectCallName(n.expression);
+                if (cname === 'require' || cname === 'assert') {
+                    let hasUpdateAt = false;
+                    const w2 = (n2) => {
+                        if (!n2 || typeof n2 !== 'object')
+                            return;
+                        if (n2.type === 'Identifier' && n2.name === 'updatedAt')
+                            hasUpdateAt = true;
+                        for (const child of childNodes(n2))
+                            w2(child);
+                    };
+                    w2(n);
+                    if (hasUpdateAt)
+                        events.push({ type: 'accountingCheck', loc: n });
+                }
+                const mname = getMemberName(n.expression).toLowerCase();
+                if (['decreasedebt', 'burndebt', 'reinsert'].includes(mname))
+                    events.push({ type: 'debtMutation', loc: n });
+                if (['releaseto', 'sendcollateral', 'collateralof', 'getcollateral', 'latestrounddata'].includes(mname))
+                    events.push({ type: 'collateralInteraction', loc: n });
+                if (['isliquidatable', 'validliquidation', 'reconcile', 'check', 'validafter'].includes(mname))
+                    events.push({ type: 'accountingCheck', loc: n });
+            }
+            if (n.type === 'BinaryOperation' && n.operator === '=') {
+                if (n.left?.type === 'IndexAccess' && n.left.base?.name === 'closed') {
+                    events.push({ type: 'positionFinalize', loc: n });
+                }
+            }
+            for (const child of childNodes(n))
+                w(child);
+        };
+        w(node.body);
+        let firstMutationIdx = -1;
+        let firstCheckIdx = -1;
+        let hasCollateral = false;
+        let findingLocNode = null;
+        for (let i = 0; i < events.length; i++) {
+            const e = events[i];
+            if ((e.type === 'debtMutation' || e.type === 'positionFinalize') && firstMutationIdx === -1) {
+                firstMutationIdx = i;
+                findingLocNode = e.loc;
+            }
+            if (e.type === 'accountingCheck' && firstCheckIdx === -1) {
+                firstCheckIdx = i;
+            }
+            if (e.type === 'collateralInteraction') {
+                hasCollateral = true;
+            }
+        }
+        if (firstMutationIdx !== -1 && hasCollateral) {
+            if (firstCheckIdx === -1 || firstMutationIdx < firstCheckIdx) {
+                const { line, column } = (0, ast_1.assertLoc)(node);
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    function: node.name || '<anonymous>',
+                    line,
+                    column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Suspicious liquidation/redemption ordering in '${node.name || '<anonymous>'}': debt mutation or position finalization occurs before cross-contract accounting reconciliation is complete.`,
+                    contractName: this.currentContract,
+                    functionName: node.name || '<anonymous>',
+                    findingId: '',
+                    contractHash: ''
+                });
+            }
+        }
+    }
+}
+exports.LiquidationAccountingDesyncDetector = LiquidationAccountingDesyncDetector;
+//# sourceMappingURL=liquidation-accounting-desync.js.map

package/dist/detectors/liquidation-gain-manipulation.d.ts

@@ -0,0 +1,42 @@
+import type { ScanResult } from '../index';
+export declare class LiquidationGainManipulationDetector {
+    readonly id = "liquidation-gain-manipulation";
+    readonly patternKey = "liquidation-gain-manipulation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private currentContract;
+    private findings;
+    private stateVars;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    private detectSkippedAccounting;
+    private detectTransferBeforeAccounting;
+    private analyzeFunction;
+    private scanStatements;
+    private detectSnapshotReadBeforeWrite;
+    private collectStateReadsWrites;
+    private stateTargetName;
+    private isStateVarName;
+    private fieldFromAssignment;
+    private accountingFieldFromLhs;
+    private baseIdentifierName;
+    private isExternalCallExpression;
+    private collectExprEffects;
+    private functionHasInlineAccessControl;
+    private collectLocals;
+    private bodyStatements;
+    private simpleIdentifierName;
+    private locOf;
+    private childNodes;
+    private walkAst;
+    private emit;
+}