@snovon/solast 0.2.0

package/dist/detectors/loans-malicious-proposal-price-oracle.js

@@ -0,0 +1,813 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LoansMaliciousProposalPriceOracleDetector = void 0;
+const RULE_ID = 'loans-malicious-proposal-price-oracle';
+const ACCESS_CONTROL_MODIFIER_NAMES = new Set([
+    'onlyowner',
+    'onlyadmin',
+    'onlyrole',
+    'onlyoperator',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+    'onlytreasury',
+    'onlydao',
+    'onlytimelock',
+    'onlyminter',
+    'onlypauser',
+    'onlyauthorized',
+    'onlytrusted',
+]);
+const ADMIN_VARIABLE_TOKENS = [
+    'owner',
+    'admin',
+    'governance',
+    'governor',
+    'guardian',
+    'manager',
+    'treasury',
+    'dao',
+    'timelock',
+    'authorized',
+    'trusted',
+    'pendingadmin',
+    'controller',
+    'operator',
+];
+const ADMIN_AUTH_HELPER_EXACT = new Set([
+    'hasrole',
+    'onlyrole',
+    'checkrole',
+    '_checkrole',
+    'requirerole',
+    '_requirerole',
+]);
+const ADMIN_AUTH_HELPER_PREFIXES = ['_check', '_require', 'check', 'require', 'only', 'is', 'assert'];
+const SINK_ORACLE_METHOD_NAMES = new Set([
+    'price',
+    'getprice',
+    'getpriceunsafe',
+    'getunderlyingprice',
+    'latestanswer',
+    'latestrounddata',
+    'getreserves',
+    'spotprice',
+]);
+const LENDING_SINK_METHOD_NAMES = new Set([
+    'borrow',
+    'lend',
+    'redeem',
+    'liquidate',
+    'withdraw',
+    'flashloan',
+    'mint',
+    'swap',
+    'deposit',
+]);
+class LoansMaliciousProposalPriceOracleDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, _sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const contracts = this.collectContracts(ast);
+        for (const contract of contracts.values()) {
+            if (this.isInterfaceOrLibrary(contract))
+                continue;
+            const oracleVars = this.collectOracleStateVariables(contract);
+            const structOracleFields = this.collectStructOracleFields(contract);
+            if (oracleVars.length === 0 && structOracleFields.size === 0)
+                continue;
+            const functions = this.getContractFunctions(contract);
+            const externallyCallableFunctions = functions.filter(fn => this.isExternallyCallable(fn) &&
+                !this.hasAccessControlModifier(fn) &&
+                fn.body);
+            const setterFunctions = externallyCallableFunctions.filter(fn => {
+                const paramNames = this.collectParameterNames(fn);
+                if (this.hasInlineOracleAllowlistGuard(fn, paramNames))
+                    return false;
+                if (this.hasInlineAccessControlGuard(fn.body, oracleVars, structOracleFields))
+                    return false;
+                const writes = this.findOracleStateVariableWrites(fn.body, oracleVars, structOracleFields, paramNames);
+                return writes.length > 0;
+            });
+            const borrowerFunctions = externallyCallableFunctions.filter(fn => fn.stateMutability !== 'view' &&
+                fn.stateMutability !== 'pure' &&
+                this.findLendingSinkOrOracleConsumption(fn.body, oracleVars, structOracleFields));
+            if (setterFunctions.length === 0 || borrowerFunctions.length === 0)
+                continue;
+            const seen = new Set();
+            for (const setterFn of setterFunctions) {
+                const setterParamNames = this.collectParameterNames(setterFn);
+                const setterWrites = this.findOracleStateVariableWrites(setterFn.body, oracleVars, structOracleFields, setterParamNames);
+                if (setterWrites.length === 0)
+                    continue;
+                const setterFnName = this.getName(setterFn) || '<anonymous>';
+                const contractName = this.getName(contract) || '<anonymous>';
+                for (const borrowerFn of borrowerFunctions) {
+                    const borrowerFnName = this.getName(borrowerFn) || '<anonymous>';
+                    const key = `${contractName}:${setterFnName}:${borrowerFnName}`;
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    const setterLoc = this.getLoc(setterFn) || { line: 0, column: 0 };
+                    const borrowerLoc = this.getLoc(borrowerFn) || { line: 0, column: 0 };
+                    findings.push({
+                        file,
+                        contract: contractName,
+                        'function': borrowerFnName,
+                        line: setterLoc.line,
+                        endLine: setterLoc.line,
+                        column: setterLoc.column,
+                        pattern: RULE_ID,
+                        confidence: 'high',
+                        ruleId: RULE_ID,
+                        severity: 'high',
+                        message: setterFn === borrowerFn
+                            ? `Malicious oracle proposal risk in '${contractName}.${setterFnName}': ` +
+                                `an attacker-controlled address parameter is assigned to a price oracle state variable ` +
+                                `without access control, and the oracle value flows into a lending/collateral calculation ` +
+                                `within the same function or an atomic transaction window.`
+                            : `Malicious oracle proposal risk in '${contractName}.${setterFnName}': ` +
+                                `an attacker-controlled address parameter is assigned to a price oracle state variable ` +
+                                `without access control, and the oracle value flows into a lending/collateral calculation ` +
+                                `in '${contractName}.${borrowerFnName}' within the same contract.`,
+                        rationale: setterFn === borrowerFn
+                            ? `The function writes to an oracle state variable using an external address parameter ` +
+                                `(propose/proposal/oracle-setter pattern) and immediately reads the oracle value ` +
+                                `to determine collateral or borrow amounts, allowing flash-loan amplified price manipulation ` +
+                                `in the same transaction (Fortress/hundred-capital pattern).`
+                            : `The function writes to an oracle state variable using an external address parameter ` +
+                                `(propose/proposal/oracle-setter pattern) and the oracle value is consumed by lending logic ` +
+                                `in '${contractName}.${borrowerFnName}', allowing flash-loan amplified price manipulation ` +
+                                `in the same transaction (Fortress/hundred-capital pattern).`,
+                        suggestedFix: `Restrict the oracle setter to an owner/admin/timelock role via onlyOwner or onlyRole, ` +
+                            `use an oracle allowlist, or apply a timelock delay before the new oracle takes effect. ` +
+                            `Alternatively, use a TWAP or reference price that cannot be manipulated within a single transaction.`,
+                        contractName,
+                        functionName: setterFnName,
+                        sourceLocation: { line: setterLoc.line, column: setterLoc.column },
+                        findingId: '',
+                        contractHash: '',
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    collectStructOracleFields(contract) {
+        const mappingToStructOracleFields = new Map();
+        const structDefinitions = new Map();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'StructDefinition' && sub.name) {
+                structDefinitions.set(sub.name, sub);
+            }
+        }
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of sub.variables || []) {
+                if (!variable?.name)
+                    continue;
+                const typeName = variable.typeName;
+                if (typeName?.type !== 'Mapping')
+                    continue;
+                const valueType = typeName.valueType;
+                if (valueType?.type !== 'UserDefinedTypeName')
+                    continue;
+                const structName = valueType.namePath || valueType.name;
+                if (!structName)
+                    continue;
+                const structDef = structDefinitions.get(structName);
+                if (!structDef)
+                    continue;
+                for (const field of structDef.members || []) {
+                    if (!field?.name)
+                        continue;
+                    const fieldLower = field.name.toLowerCase();
+                    if (fieldLower.includes('oracle') || fieldLower.includes('price') || fieldLower.includes('feed') || fieldLower.includes('rater')) {
+                        let fields = mappingToStructOracleFields.get(variable.name);
+                        if (!fields) {
+                            fields = new Set();
+                            mappingToStructOracleFields.set(variable.name, fields);
+                        }
+                        fields.add(field.name);
+                    }
+                }
+            }
+        }
+        return mappingToStructOracleFields;
+    }
+    collectContracts(ast) {
+        const contracts = new Map();
+        for (const child of ast.children || []) {
+            if (child?.type === 'ContractDefinition' && child.name) {
+                contracts.set(child.name, child);
+            }
+        }
+        return contracts;
+    }
+    collectOracleStateVariables(contract) {
+        const vars = [];
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of sub.variables || []) {
+                if (!variable?.name)
+                    continue;
+                const nameLower = variable.name.toLowerCase();
+                const typeNameStr = this.getTypeNameString(variable.typeName);
+                const typeNameLower = typeNameStr.toLowerCase();
+                if (nameLower.includes('oracle') ||
+                    nameLower.includes('price') ||
+                    nameLower.includes('feed') ||
+                    nameLower.includes('rater') ||
+                    typeNameLower.includes('oracle') ||
+                    typeNameLower.includes('price') ||
+                    typeNameLower.includes('feed') ||
+                    typeNameLower.includes('rater')) {
+                    vars.push(variable.name);
+                }
+            }
+        }
+        return vars;
+    }
+    getTypeNameString(typeName) {
+        if (!typeName)
+            return '';
+        if (typeof typeName === 'string')
+            return typeName;
+        if (typeName.type === 'UserDefinedTypeName') {
+            return typeName.name || '';
+        }
+        if (typeName.type === 'ElementaryTypeName') {
+            return typeName.name || '';
+        }
+        return '';
+    }
+    getContractFunctions(contract) {
+        return (contract.subNodes || []).filter((sub) => sub?.type === 'FunctionDefinition');
+    }
+    isInterfaceOrLibrary(contract) {
+        const kind = String(contract?.kind || '').toLowerCase();
+        return kind === 'interface' || kind === 'library';
+    }
+    isExternallyCallable(fn) {
+        const visibility = String(fn.visibility || '').toLowerCase();
+        return visibility === 'public' || visibility === 'external';
+    }
+    hasAccessControlModifier(fn) {
+        for (const modifier of fn.modifiers || []) {
+            const name = this.getModifierInvocationName(modifier).toLowerCase();
+            if (ACCESS_CONTROL_MODIFIER_NAMES.has(name))
+                return true;
+        }
+        return false;
+    }
+    hasInlineAccessControlGuard(body, oracleVars, structOracleFields) {
+        if (!body || body.type !== 'Block')
+            return false;
+        const statements = body.statements || [];
+        for (const stmt of statements) {
+            if (this.isAdminGuardStatement(stmt))
+                return true;
+            if (this.statementContainsOracleWrite(stmt, oracleVars, structOracleFields))
+                return false;
+        }
+        return false;
+    }
+    isAdminGuardStatement(stmt) {
+        if (!stmt || typeof stmt !== 'object')
+            return false;
+        if (stmt.type === 'ExpressionStatement') {
+            return this.isAdminGuardExpression(stmt.expression);
+        }
+        if (stmt.type === 'IfStatement') {
+            const cond = stmt.condition;
+            if (this.isMsgSenderInequalityToAdmin(cond) && this.bodyContainsRevert(stmt.trueBody)) {
+                return true;
+            }
+            if (this.isMsgSenderEqualityToAdmin(cond) && this.bodyContainsRevert(stmt.falseBody)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    isAdminGuardExpression(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type !== 'FunctionCall')
+            return false;
+        const callee = this.getCalleeName(expr.expression).toLowerCase();
+        if (callee === 'require' || callee === 'assert' || callee === 'saferequire') {
+            const cond = (expr.arguments || [])[0];
+            return this.isAdminAccessCheck(cond);
+        }
+        if (this.isAdminAuthHelperName(callee))
+            return true;
+        return false;
+    }
+    isAdminAccessCheck(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'BinaryOperation') {
+            const op = String(expr.operator || '');
+            if (op === '&&' || op === '||') {
+                return this.isAdminAccessCheck(expr.left) || this.isAdminAccessCheck(expr.right);
+            }
+            if (op === '==') {
+                return this.isMsgSenderEqualityToAdmin(expr);
+            }
+        }
+        if (expr.type === 'FunctionCall') {
+            const callee = this.getCalleeName(expr.expression).toLowerCase();
+            if (this.isAdminAuthHelperName(callee))
+                return true;
+        }
+        return false;
+    }
+    isMsgSenderEqualityToAdmin(expr) {
+        if (!expr || expr.type !== 'BinaryOperation')
+            return false;
+        if (String(expr.operator || '') !== '==')
+            return false;
+        if (this.isMsgSenderExpression(expr.left) && this.isAdminVariableName(this.getIdentifierRootName(expr.right)))
+            return true;
+        if (this.isMsgSenderExpression(expr.right) && this.isAdminVariableName(this.getIdentifierRootName(expr.left)))
+            return true;
+        return false;
+    }
+    isMsgSenderInequalityToAdmin(expr) {
+        if (!expr || expr.type !== 'BinaryOperation')
+            return false;
+        if (String(expr.operator || '') !== '!=')
+            return false;
+        if (this.isMsgSenderExpression(expr.left) && this.isAdminVariableName(this.getIdentifierRootName(expr.right)))
+            return true;
+        if (this.isMsgSenderExpression(expr.right) && this.isAdminVariableName(this.getIdentifierRootName(expr.left)))
+            return true;
+        return false;
+    }
+    isMsgSenderExpression(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'MemberAccess') {
+            const baseName = this.getIdentifierRootName(expr.expression);
+            if (baseName === 'msg' && String(expr.memberName || '') === 'sender')
+                return true;
+        }
+        if (expr.type === 'FunctionCall') {
+            const callee = this.getCalleeName(expr.expression);
+            if (callee === '_msgSender' || callee === 'msgSender')
+                return true;
+        }
+        return false;
+    }
+    isAdminVariableName(name) {
+        if (!name)
+            return false;
+        const lower = name.toLowerCase();
+        return ADMIN_VARIABLE_TOKENS.some(token => lower.includes(token));
+    }
+    isAdminAuthHelperName(name) {
+        if (!name)
+            return false;
+        const lower = name.toLowerCase();
+        if (ADMIN_AUTH_HELPER_EXACT.has(lower))
+            return true;
+        if (ACCESS_CONTROL_MODIFIER_NAMES.has(lower))
+            return true;
+        for (const prefix of ADMIN_AUTH_HELPER_PREFIXES) {
+            if (lower.startsWith(prefix) && lower.length > prefix.length) {
+                const remainder = lower.slice(prefix.length);
+                if (this.isAdminVariableName(remainder))
+                    return true;
+            }
+        }
+        return false;
+    }
+    bodyContainsRevert(body) {
+        if (!body)
+            return false;
+        let foundRevert = false;
+        this.walk(body, node => {
+            if (foundRevert)
+                return;
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'RevertStatement') {
+                foundRevert = true;
+                return;
+            }
+            if (node.type === 'FunctionCall') {
+                const callee = this.getCalleeName(node.expression).toLowerCase();
+                if (callee === 'revert')
+                    foundRevert = true;
+            }
+        });
+        return foundRevert;
+    }
+    statementContainsOracleWrite(stmt, oracleVars, structOracleFields) {
+        let found = false;
+        this.walk(stmt, node => {
+            if (found)
+                return;
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type !== 'Assignment' && node.type !== 'BinaryOperation')
+                return;
+            const operator = String(node.operator || '');
+            if (!['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^='].includes(operator))
+                return;
+            const target = node.type === 'Assignment' ? node.leftHandSide : node.left;
+            if (!target)
+                return;
+            if (this.targetReferencesOracle(target, oracleVars, structOracleFields)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    hasInlineOracleAllowlistGuard(fn, paramNames) {
+        let guarded = false;
+        this.walk(fn.body, node => {
+            if (guarded || !node || typeof node !== 'object')
+                return;
+            if (node.type !== 'FunctionCall')
+                return;
+            const callee = this.getCalleeName(node.expression).toLowerCase();
+            if (callee !== 'require' && callee !== 'assert' && callee !== 'saferequire')
+                return;
+            const condition = (node.arguments || [])[0];
+            if (condition && this.isOracleAllowlistMembershipCheck(condition, paramNames)) {
+                guarded = true;
+            }
+        });
+        return guarded;
+    }
+    isOracleAllowlistMembershipCheck(expr, paramNames) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'UnaryOperation' && expr.operator === '!')
+            return false;
+        if (expr.type === 'IndexAccess') {
+            const baseName = this.getIdentifierRootName(expr.base ?? expr.baseExpression).toLowerCase();
+            const indexExpr = expr.index ?? expr.indexExpression;
+            if (this.isOracleAllowlistName(baseName) && this.hasParameterDerivedValue(indexExpr, paramNames)) {
+                return true;
+            }
+        }
+        if (expr.type === 'BinaryOperation') {
+            const operator = String(expr.operator || '');
+            if (operator === '&&') {
+                return this.isOracleAllowlistMembershipCheck(expr.left, paramNames) ||
+                    this.isOracleAllowlistMembershipCheck(expr.right, paramNames);
+            }
+            if (operator === '==') {
+                return this.isOracleAllowlistMembershipCheck(expr.left, paramNames) ||
+                    this.isOracleAllowlistMembershipCheck(expr.right, paramNames);
+            }
+            return false;
+        }
+        if (expr.type === 'FunctionCall') {
+            const calleeName = this.getCalleeName(expr.expression).toLowerCase();
+            if (this.isOracleAllowlistName(calleeName)) {
+                return (expr.arguments || []).some((arg) => this.hasParameterDerivedValue(arg, paramNames));
+            }
+        }
+        return false;
+    }
+    isOracleAllowlistName(name) {
+        return /(approved|allowed|allowlist|whitelist|trusted|valid).*(oracle|feed)|(?:oracle|feed).*(approved|allowed|allowlist|whitelist|trusted|valid)/.test(name);
+    }
+    getModifierInvocationName(mod) {
+        if (!mod)
+            return '';
+        if (typeof mod === 'string')
+            return mod;
+        if (mod.modifierName) {
+            if (typeof mod.modifierName === 'string')
+                return mod.modifierName;
+            if (typeof mod.modifierName.name === 'string')
+                return mod.modifierName.name;
+            if (typeof mod.modifierName.namePath === 'string')
+                return mod.modifierName.namePath;
+        }
+        if (mod.name) {
+            if (typeof mod.name === 'string')
+                return mod.name;
+            if (mod.name.name)
+                return String(mod.name.name);
+            if (mod.name.namePath)
+                return String(mod.name.namePath);
+        }
+        return '';
+    }
+    collectParameterNames(fn) {
+        const params = new Set();
+        for (const p of fn.parameters || []) {
+            if (p?.name)
+                params.add(p.name);
+        }
+        for (const p of fn.returnParameters || []) {
+            if (p?.name)
+                params.add(p.name);
+        }
+        return params;
+    }
+    findLendingSinkOrOracleConsumption(body, oracleVars, structOracleFields) {
+        const localTainted = new Set();
+        let found = false;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'VariableDeclarationStatement') {
+                const initial = node.initialValue;
+                if (initial && this.referencesOracle(initial, oracleVars, structOracleFields)) {
+                    for (const decl of node.variables || []) {
+                        if (decl?.name)
+                            localTainted.add(decl.name);
+                    }
+                }
+                return;
+            }
+            if (node.type === 'FunctionCall') {
+                const calleeName = this.getCalleeName(node.expression);
+                const calleeLower = calleeName.toLowerCase();
+                if (LENDING_SINK_METHOD_NAMES.has(calleeLower)) {
+                    const hasOracleArg = (node.arguments || []).some((arg) => arg && this.referencesOracle(arg, oracleVars, structOracleFields));
+                    if (hasOracleArg) {
+                        found = true;
+                        return;
+                    }
+                }
+                if (SINK_ORACLE_METHOD_NAMES.has(calleeLower)) {
+                    if (this.referencesOracle(node, oracleVars, structOracleFields)) {
+                        found = true;
+                        return;
+                    }
+                }
+                if (calleeLower === 'require' ||
+                    calleeLower === 'assert' ||
+                    calleeLower === 'saferequire') {
+                    const condition = (node.arguments || [])[0];
+                    if (condition && this.referencesOracleOrTainted(condition, oracleVars, localTainted, structOracleFields)) {
+                        found = true;
+                        return;
+                    }
+                }
+            }
+        });
+        return found;
+    }
+    referencesOracleOrTainted(expr, oracleVars, tainted, structOracleFields) {
+        if (expr.type === 'Identifier' && tainted.has(expr.name))
+            return true;
+        if (this.referencesOracle(expr, oracleVars, structOracleFields))
+            return true;
+        for (const child of this.childNodes(expr)) {
+            if (this.referencesOracleOrTainted(child, oracleVars, tainted, structOracleFields))
+                return true;
+        }
+        return false;
+    }
+    referencesOracle(expr, oracleVars, structOracleFields) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'Identifier') {
+            return oracleVars.includes(expr.name);
+        }
+        if (expr.type === 'MemberAccess') {
+            const baseName = this.getIdentifierRootName(expr.expression);
+            if (baseName && oracleVars.includes(baseName))
+                return true;
+            const memberName = String(expr.memberName || '');
+            const memberNameLower = memberName.toLowerCase();
+            if (structOracleFields.size > 0) {
+                if (memberNameLower.includes('oracle') || memberNameLower.includes('price') || memberNameLower.includes('feed') || memberNameLower.includes('rater')) {
+                    for (const fields of structOracleFields.values()) {
+                        if (fields.has(memberName))
+                            return true;
+                    }
+                }
+            }
+            if (SINK_ORACLE_METHOD_NAMES.has(memberNameLower) && structOracleFields.size > 0) {
+                const fullExprPath = this.buildFullExpressionPath(expr);
+                for (const [mappingName, fields] of structOracleFields) {
+                    if (fullExprPath.startsWith(mappingName + '[') || fullExprPath.startsWith(mappingName + '.')) {
+                        for (const field of fields) {
+                            if (fullExprPath.includes('.' + field + '.') || fullExprPath.endsWith('.' + field)) {
+                                return true;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        if (expr.type === 'IndexAccess') {
+            if (structOracleFields.size > 0) {
+                const baseName = this.getIdentifierRootName(expr.base ?? expr.baseExpression);
+                const structFields = structOracleFields.get(baseName);
+                if (structFields) {
+                    const indexExpr = expr.index ?? expr.indexExpression;
+                    if (indexExpr && indexExpr.type === 'Identifier') {
+                        if (structFields.has(indexExpr.name))
+                            return true;
+                    }
+                }
+            }
+            return this.referencesOracle(expr.base, oracleVars, structOracleFields) || this.referencesOracle(expr.index, oracleVars, structOracleFields);
+        }
+        if (expr.type === 'FunctionCall') {
+            if (this.referencesOracle(expr.expression, oracleVars, structOracleFields))
+                return true;
+            for (const arg of expr.arguments || []) {
+                if (this.referencesOracle(arg, oracleVars, structOracleFields))
+                    return true;
+            }
+        }
+        return false;
+    }
+    buildFullExpressionPath(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier') {
+            return String(expr.name || '');
+        }
+        if (expr.type === 'IndexAccess') {
+            const base = this.buildFullExpressionPath(expr.base ?? expr.baseExpression);
+            const index = this.buildFullExpressionPath(expr.index ?? expr.indexExpression);
+            return base + '[' + index + ']';
+        }
+        if (expr.type === 'MemberAccess') {
+            const base = this.buildFullExpressionPath(expr.expression);
+            const member = String(expr.memberName || '');
+            return base ? base + '.' + member : member;
+        }
+        if (expr.type === 'FunctionCall') {
+            return this.buildFullExpressionPath(expr.expression);
+        }
+        return '';
+    }
+    findOracleStateVariableWrites(body, oracleVars, structOracleFields, paramNames) {
+        const writes = [];
+        this.walk(body, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type !== 'Assignment' && node.type !== 'BinaryOperation')
+                return;
+            const operator = String(node.operator || '');
+            if (!['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^='].includes(operator))
+                return;
+            const target = node.type === 'Assignment' ? node.leftHandSide : node.left;
+            if (!target)
+                return;
+            if (!this.targetReferencesOracle(target, oracleVars, structOracleFields))
+                return;
+            const rightSide = node.type === 'Assignment' ? node.rightHandSide : node.right;
+            if (rightSide && this.hasParameterDerivedValue(rightSide, paramNames)) {
+                writes.push(node);
+            }
+        });
+        return writes;
+    }
+    targetReferencesOracle(target, oracleVars, structOracleFields) {
+        if (!target || typeof target !== 'object')
+            return false;
+        if (target.type === 'Identifier') {
+            return oracleVars.includes(target.name);
+        }
+        if (target.type === 'IndexAccess') {
+            const base = target.base ?? target.baseExpression;
+            const index = target.index ?? target.indexExpression;
+            if (base && index) {
+                const baseName = this.getIdentifierRootName(base);
+                const structFields = structOracleFields.get(baseName);
+                if (structFields) {
+                    if (index.type === 'Identifier' && structFields.has(index.name))
+                        return true;
+                    if (index.type === 'FunctionCall') {
+                        const indexName = this.getCalleeName(index);
+                        if (structFields.has(indexName))
+                            return true;
+                    }
+                }
+            }
+            return this.targetReferencesOracle(base, oracleVars, structOracleFields) ||
+                this.targetReferencesOracle(index, oracleVars, structOracleFields);
+        }
+        if (target.type === 'MemberAccess') {
+            const baseName = this.getIdentifierRootName(target.expression);
+            if (baseName && oracleVars.includes(baseName))
+                return true;
+            if (target.memberName) {
+                const memberLower = String(target.memberName).toLowerCase();
+                if (oracleVars.some(v => v === target.memberName || memberLower === v.toLowerCase()))
+                    return true;
+                if (memberLower.includes('oracle') || memberLower.includes('price') || memberLower.includes('feed') || memberLower.includes('rater'))
+                    return true;
+            }
+        }
+        return false;
+    }
+    hasParameterDerivedValue(expr, paramNames) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'Identifier') {
+            const name = String(expr.name || '');
+            return paramNames.has(name);
+        }
+        if (expr.type === 'FunctionCall') {
+            for (const arg of expr.arguments || []) {
+                if (this.hasParameterDerivedValue(arg, paramNames))
+                    return true;
+            }
+        }
+        if (expr.type === 'IndexAccess') {
+            const indexExpr = expr.index ?? expr.indexExpression;
+            if (indexExpr && this.hasParameterDerivedValue(indexExpr, paramNames))
+                return true;
+        }
+        for (const child of this.childNodes(expr)) {
+            if (this.hasParameterDerivedValue(child, paramNames))
+                return true;
+        }
+        return false;
+    }
+    getIdentifierRootName(expr) {
+        if (!expr)
+            return '';
+        if (expr.type === 'Identifier')
+            return String(expr.name || '');
+        if (expr.type === 'MemberAccess')
+            return this.getIdentifierRootName(expr.expression);
+        if (expr.type === 'IndexAccess')
+            return this.getIdentifierRootName(expr.base ?? expr.baseExpression);
+        return '';
+    }
+    getCalleeName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier')
+            return String(expr.name || '');
+        if (expr.type === 'MemberAccess')
+            return String(expr.memberName || '');
+        if (expr.type === 'NameValueExpression')
+            return this.getCalleeName(expr.expression);
+        if (expr.type === 'FunctionCallOptions')
+            return this.getCalleeName(expr.expression);
+        return '';
+    }
+    getName(node) {
+        if (!node)
+            return '';
+        if (typeof node.name === 'string')
+            return node.name;
+        return '';
+    }
+    getLoc(node) {
+        if (node?.loc?.start) {
+            return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+        }
+        return null;
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.childNodes(node)) {
+            this.walk(child, visit);
+        }
+    }
+    childNodes(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' ||
+                key === 'src' ||
+                key === 'range' ||
+                key === 'id' ||
+                key === 'typeDescriptions') {
+                continue;
+            }
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        children.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+}
+exports.LoansMaliciousProposalPriceOracleDetector = LoansMaliciousProposalPriceOracleDetector;
+//# sourceMappingURL=loans-malicious-proposal-price-oracle.js.map