@snovon/solast 0.2.0

package/dist/detectors/logic-flaw.js

@@ -0,0 +1,3356 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogicFlawDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const price_rate_1 = require("./_common/price-rate");
+const RULE_ID = 'logic-flaw';
+const PATTERN = 'fix-withdrawbe-to-withdraw';
+const PRICE_INFLATE_PATTERN = 'price-manipulation-inflate-attack';
+const COIN_CUT_PATTERN = 'coin-cut-price-manipulation';
+const ZKSYNC_DONATION_PATTERN = 'zksync-donation-attack';
+const ZENTEREST_PATTERN = 'zenterest-price-out-of-date';
+const PENPIE_REWARD_REENTRANCY_PATTERN = 'penpie-io-reentrancy-reward-manipulation';
+const DAO_DAO_BUILD_FINANCE_PATTERN = 'dao-dao-buildfinance-governance-execution';
+const V3_MIGRATOR_PATTERN = 'v3migrator-biswap-unvalidated-pair-token-migration';
+const CELLFRAMENET_PATTERN = 'cellframenet-liquidity-migration-calculation';
+const MISO_UNSPECIFIED_PATTERN = 'miso-unspecified-msg-value-reuse';
+const CS_OUTDATED_GLOBAL_PATTERN = 'cs-outdated-global-variable';
+const LOW_LEVEL_GOVERNANCE_CALLS = new Set(['call', 'delegatecall']);
+const TRANSFER_METHODS = new Set(['transfer', 'send', 'transferFrom', 'safeTransfer', 'safeTransferFrom']);
+const REENTRANCY_GUARD_MODIFIERS = new Set(['nonreentrant', '_nonreentrant', 'noreentrant', 'noreentrancy', 'lock', 'locked']);
+const INTERNAL_VISIBILITIES = new Set(['internal', 'private']);
+const COIN_CUT_VALUE_METHODS = new Set(['transfer', 'transferfrom', 'safetransfer', 'safetransferfrom']);
+const COIN_CUT_ACCOUNTING_NAMES = /balance|balances|share|shares|supply|mint|burn|debt|reserve|asset|total/i;
+const PENPIE_ACCOUNTING_NAMES = /reward|rewards|rewarddebt|pending|share|shares|stake|staked|accreward|rewardpershare|perShare|totalRewards/i;
+const PENPIE_IGNORED_EXTERNAL_METHODS = new Set(['transfer', 'send', 'transferfrom', 'safetransfer', 'safetransferfrom']);
+const PENPIE_LIBRARY_STYLE_METHODS = /^(to[A-Z]|mulDiv|wMul|wDiv|zeroFloorSub|exactlyOneZero|min|max)/;
+const DAO_DAO_EXECUTE_NAMES = /execute|exec|relay|govern/i;
+const DAO_DAO_GOVERNANCE_NAMES = /vote|proposal|propose|passed|queued|state|yes|forvotes/i;
+const DAO_DAO_EXECUTION_CONSUMED_NAMES = /executed|locked|processed|completed|consumed|done/i;
+const DAO_DAO_QUEUE_FLAG_NAMES = /queued/i;
+const MISO_VALUE_ACCOUNTING_NAMES = /commit|committed|commitment|paid|payment|deposit|contribution|credit|balance|share|amount|total/i;
+// Independent reference-price signals: a TWAP, oracle, stored snapshot, or
+// deviation/bound check. Generic cap names (`limit`, `maxPayout`, slippage
+// caps) are deliberately excluded — a max-payout cap is not a price
+// reference, so it must not suppress a Coin Cut finding.
+const COIN_CUT_REFERENCE_NAMES = /twap|oracle|reference|median|trusted|stored|lastrecorded|maxdeviation|deviation|bound/i;
+const OUTDATED_GLOBAL_SOURCE_NAMES = /balance|balances|reserve|reserves|supply|share|shares|liquidity|debt/i;
+const OUTDATED_GLOBAL_SINK_NAMES = /balance|balances|share|shares|supply|mint|burn|debt|reserve|asset|liquidity|reward|claim|withdraw|deposit|amount|total/i;
+// Upper bound on the number of distinct execution paths the price-inflate
+// walk will carry. Forking on every `if` is 2^n in the worst case; the cap
+// keeps deeply nested branch chains from blowing up. Real `transfer` bodies
+// stay far below this.
+const MAX_INFLATE_PATHS = 256;
+// Strict BE-tag: identifier starts with `be` followed by an upper-case
+// boundary, or is one of the canonical BE token-standard names. The
+// stale-renamed-withdraw bug is signalled by a function whose generic
+// (non-BE) accounting differs from a BE-tagged sibling.
+function isBeTaggedName(name) {
+    if (!name)
+        return false;
+    if (/^be(?:[A-Z]|20|721)/.test(name))
+        return true;
+    const lower = name.toLowerCase();
+    return lower === 'be' || lower === 'be20' || lower === 'be721';
+}
+// Names that look like a balance/share/accounting slot, regardless of
+// BE tag. Used to recognise the lvalue/rvalue shapes we care about; the
+// BE-vs-generic split is a separate concern handled by `isBeTaggedName`.
+function isBalanceLikeName(name) {
+    if (!name)
+        return false;
+    const lower = name.toLowerCase();
+    return /balance|balances|share|shares|deposit|deposits|stake|staked|locked/.test(lower);
+}
+// A Zenterest-style cached price is a *stored oracle price* — distinguished
+// from a governance-set config constant by the presence of a companion
+// freshness/update timestamp the contract is meant to consult before use.
+// Without such a state variable, a price/rate-like name alone is too weak a
+// signal: ordinary config rates (`feeRate`, `mintPrice`, ...) would all match.
+function looksLikeFreshnessTrackingName(name) {
+    if (!name)
+        return false;
+    if ((0, price_rate_1.isFreshnessFieldName)(name))
+        return true;
+    const tokens = (0, price_rate_1.splitCamelTokens)(name);
+    if (tokens.includes('timestamp'))
+        return true;
+    const hasAnchor = tokens.some(t => t === 'last' || t === 'prev' || t === 'previous');
+    const hasEvent = tokens.some(t => t === 'update' || t === 'updated' || t === 'sync' || t === 'synced' ||
+        t === 'refresh' || t === 'refreshed' || t === 'time');
+    return hasAnchor && hasEvent;
+}
+function looksLikeCachedOraclePriceName(name) {
+    const tokens = (0, price_rate_1.splitCamelTokens)(name);
+    if (tokens.length === 0)
+        return false;
+    const hasPriceTerm = tokens.some(t => t === 'price' || t === 'rate' || t === 'exchange');
+    if (!hasPriceTerm)
+        return false;
+    // Avoid treating ordinary economic/config knobs as cached oracle prices
+    // merely because the contract also has an unrelated freshness timestamp.
+    if (tokens.some(t => t === 'fee' || t === 'tax' || t === 'mint' || t === 'borrow' || t === 'interest')) {
+        return false;
+    }
+    return tokens.some(t => t === 'cached' || t === 'cache' || t === 'oracle' || t === 'stored' ||
+        t === 'snapshot' || t === 'last' || t === 'recorded');
+}
+class LogicFlawDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    currentContract = '';
+    contractKindIsAnalysable = false;
+    stateVars = [];
+    contractHasFreshnessTrackingVar = false;
+    contractFunctions = new Map();
+    findings = [];
+    emittedKey = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.contractKindIsAnalysable = false;
+        this.stateVars = [];
+        this.contractHasFreshnessTrackingVar = false;
+        this.contractFunctions = new Map();
+        this.emittedKey = new Set();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (!(0, ast_1.isNode)(node, 'ContractDefinition'))
+            return;
+        const kind = String(node.kind || '').toLowerCase();
+        if (kind === 'interface' || kind === 'library') {
+            this.currentContract = '';
+            this.contractKindIsAnalysable = false;
+            this.stateVars = [];
+            this.contractHasFreshnessTrackingVar = false;
+            this.contractFunctions = new Map();
+            return;
+        }
+        this.currentContract = node.name || '';
+        this.contractKindIsAnalysable = true;
+        this.stateVars = [];
+        this.contractFunctions = new Map();
+        for (const sub of node.subNodes || []) {
+            if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+                for (const v of sub.variables || []) {
+                    if (v?.name)
+                        this.stateVars.push(v.name);
+                }
+            }
+            else if ((0, ast_1.isNode)(sub, 'FunctionDefinition') && sub?.name) {
+                this.contractFunctions.set(sub.name, sub);
+            }
+        }
+        this.contractHasFreshnessTrackingVar = this.stateVars.some(looksLikeFreshnessTrackingName);
+    }
+    ContractDefinition_post() {
+        this.currentContract = '';
+        this.contractKindIsAnalysable = false;
+        this.stateVars = [];
+        this.contractHasFreshnessTrackingVar = false;
+        this.contractFunctions = new Map();
+    }
+    FunctionDefinition(node) {
+        if (!this.contractKindIsAnalysable)
+            return;
+        if (!this.currentContract)
+            return;
+        if (!node.body)
+            return;
+        if (node.isConstructor || node.kind === 'constructor')
+            return;
+        const visibility = String(node.visibility || '').toLowerCase();
+        if (visibility === 'private' || visibility === 'internal')
+            return;
+        const fnName = node.name || '';
+        if (!fnName)
+            return;
+        const zksyncDonation = this.findZksyncDonationAttack(node);
+        if (zksyncDonation) {
+            const key = `${this.currentContract}.${fnName}.${ZKSYNC_DONATION_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line: zksyncDonation.loc.line,
+                    endLine: zksyncDonation.loc.endLine,
+                    column: zksyncDonation.loc.column,
+                    pattern: ZKSYNC_DONATION_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' converts assets to shares using a donation-inflatable live vault balance.`,
+                    rationale: 'Mirrors the Venus zkSync/ERC4626 donation pattern: share conversion multiplies deposited assets by share supply and divides by token.balanceOf(address(this)), directly or through a helper, so unsolicited token transfers can inflate the denominator and round victim shares down.',
+                    suggestedFix: 'Use internal asset accounting, ERC4626 virtual asset/share offsets, or permanent dead-share seeding before exposing share conversion based on vault balances.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line: zksyncDonation.loc.line, column: zksyncDonation.loc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const cellframe = this.findCellframeLiquidityMigration(node, fnName);
+        if (cellframe) {
+            const key = `${this.currentContract}.${fnName}.${CELLFRAMENET_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line: cellframe.sourceLoc.line,
+                    endLine: cellframe.sourceLoc.endLine,
+                    column: cellframe.sourceLoc.column,
+                    pattern: CELLFRAMENET_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' derives liquidity-migration output from live ${cellframe.sourceLabel} state and uses it in ${cellframe.sinkLabel} without an ordered access guard, reentrancy guard, min-output check, or independent bound.`,
+                    rationale: 'Mirrors the CellframeNet liquidity-migration calculation issue: a permissionless migration path prices user output from manipulable live pair balances or reserves and moves value or adds liquidity without bounding the computed output against an independent entitlement or slippage constraint.',
+                    suggestedFix: 'Use recorded LP entitlements or fixed-rate snapshot accounting, restrict administrative migrations with recognized access control, and enforce non-zero min-output/deviation bounds before moving value or adding liquidity.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line: cellframe.sourceLoc.line, column: cellframe.sourceLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node))
+            return;
+        if (this.hasInlineAccessControl(node.body))
+            return;
+        const stateMutability = String(node.stateMutability || '').toLowerCase();
+        if (stateMutability === 'view' || stateMutability === 'pure')
+            return;
+        const penpieRewardReentrancy = this.findPenpieRewardReentrancy(node);
+        if (penpieRewardReentrancy) {
+            const key = `${this.currentContract}.${fnName}.${PENPIE_REWARD_REENTRANCY_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                const loc = (0, ast_1.tryLoc)(penpieRewardReentrancy.callNode) || (0, ast_1.tryLoc)(penpieRewardReentrancy.writeNode) || (0, ast_1.tryLoc)(node);
+                const line = loc?.line ?? 1;
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line,
+                    endLine: loc?.endLine ?? line,
+                    column: loc?.column ?? 0,
+                    pattern: PENPIE_REWARD_REENTRANCY_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' performs an external interaction before reward/share accounting is finalized.`,
+                    rationale: 'Mirrors the Penpie io reentrancy/reward-manipulation shape: a permissionless reward harvest or callback-capable interaction runs before rewardDebt, shares, pending reward, or per-share accounting is updated, allowing a reentrant path to observe or manipulate stale accounting.',
+                    suggestedFix: 'Apply checks-effects-interactions by finalizing reward/share/debt accounting before the external interaction, or protect the entrypoint with a shared reentrancy guard. Keep admin-only synchronization paths behind recognized access control.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line, column: loc?.column ?? 0 },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const zenterest = this.findZenterestPriceOutOfDate(node);
+        if (zenterest) {
+            const key = `${this.currentContract}.${fnName}.${ZENTEREST_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line: zenterest.sourceLoc.line,
+                    endLine: zenterest.sourceLoc.endLine,
+                    column: zenterest.sourceLoc.column,
+                    pattern: ZENTEREST_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' consumes ${zenterest.sourceLabel} in ${zenterest.sinkLabel} without a same-function timestamp freshness guard.`,
+                    rationale: 'Mirrors the Zenterest price-out-of-date pattern: a permissionless value-moving path prices payouts or share accounting from a cached price or latestRoundData answer without proving the price timestamp is recent.',
+                    suggestedFix: 'Check the oracle/cache timestamp against block.timestamp before using the price, or refresh the cached price in the same flow and reject stale values before value movement or share accounting.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line: zenterest.sourceLoc.line, column: zenterest.sourceLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        if (this.hasRecognisedReentrancyGuardModifier(node))
+            return;
+        const misoUnspecified = this.findMisoUnspecifiedMsgValueReuse(node);
+        if (misoUnspecified) {
+            const key = `${this.currentContract}.${fnName}.${MISO_UNSPECIFIED_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                const loc = (0, ast_1.tryLoc)(node) ?? { line: 1, endLine: 1, column: 0 };
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line: loc.line || 1,
+                    endLine: loc.endLine || loc.line || 1,
+                    column: loc.column || 0,
+                    pattern: MISO_UNSPECIFIED_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Payable batch function '${fnName}' loops over self-delegatecall while delegated value-accounting code can repeatedly observe the same msg.value.`,
+                    rationale: 'Mirrors the SushiSwap MISO unspecified exploit shape: a payable batching entrypoint fans out user-supplied calldata through delegatecall to address(this), so each delegated commit/buy path reuses the original outer msg.value and can credit it multiple times.',
+                    suggestedFix: 'Avoid payable self-delegatecall batching for value-accounting flows. Pass explicit per-call values and verify their sum against msg.value, or protect administrative batching with recognized access control/reentrancy guards.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line: loc.line || 1, column: loc.column || 0 },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const outdatedGlobal = this.findCsOutdatedGlobalVariable(node);
+        if (outdatedGlobal) {
+            const key = `${this.currentContract}.${fnName}.${CS_OUTDATED_GLOBAL_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                const loc = (0, ast_1.tryLoc)(outdatedGlobal.sinkNode) ?? (0, ast_1.tryLoc)(outdatedGlobal.sourceNode) ?? (0, ast_1.tryLoc)(node);
+                const line = loc?.line ?? 1;
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line,
+                    endLine: loc?.endLine ?? line,
+                    column: loc?.column ?? 0,
+                    pattern: CS_OUTDATED_GLOBAL_PATTERN,
+                    confidence: 'medium',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' caches ${outdatedGlobal.sourceName} before an external interaction and reuses the stale value in post-call accounting.`,
+                    rationale: 'Mirrors the CS outdated-global-variable shape: a mutable reserve/balance/supply value is snapshotted before a token or low-level interaction that can change the underlying global state, then the old snapshot drives accounting or branch decisions after the interaction.',
+                    suggestedFix: 'Apply checks-effects-interactions, protect the entrypoint with a shared reentrancy guard, or explicitly re-read the reserve/balance/supply value after the external interaction before using it in accounting or decisions.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line, column: loc?.column ?? 0 },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const v3migrator = this.findV3MigratorBiswapPattern(node);
+        if (v3migrator) {
+            const key = `${this.currentContract}.${fnName}.${V3_MIGRATOR_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                const loc = (0, ast_1.tryLoc)(node);
+                const line = loc?.line ?? 1;
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line,
+                    endLine: loc?.endLine ?? line,
+                    column: loc?.column ?? 0,
+                    pattern: V3_MIGRATOR_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' migrates tokens via an unvalidated pair and mints without slippage or access control.`,
+                    rationale: 'Mirrors the Biswap V3Migrator exploit shape: user-controlled pair and tokens are used to drain assets without adequate validation or access control.',
+                    suggestedFix: 'Validate the pair address against a trusted registry, verify token addresses match the pair, and enforce minimum slippage bounds.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line, column: loc?.column ?? 0 },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const daoDao = this.findDaoDaoBuildFinanceExecutor(node, fnName);
+        if (daoDao) {
+            const key = `${this.currentContract}.${fnName}.${DAO_DAO_BUILD_FINANCE_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                const loc = (0, ast_1.tryLoc)(node) ?? (0, ast_1.tryLoc)(daoDao.node);
+                const line = loc?.line ?? 1;
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line,
+                    endLine: loc?.endLine ?? line,
+                    column: loc?.column ?? 0,
+                    pattern: DAO_DAO_BUILD_FINANCE_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'critical',
+                    message: `Function '${fnName}' executes proposal- or caller-controlled target and calldata after only a weak governance gate.`,
+                    rationale: 'Matches the Build Finance Dao Dao exploit shape: public proposal execution can route arbitrary calldata to an attacker-selected target after a weak vote/proposal gate and before a proposal execution lock is consumed.',
+                    suggestedFix: 'Restrict execution to a recognized governance or timelock authority, validate snapshot/quorum state, and mark proposals executed or consume queued state before the low-level call.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line, column: loc?.column ?? 0 },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        this.detectPriceManipulationInflate(node, fnName);
+        const priceInflateKey = `${PRICE_INFLATE_PATTERN}:${this.currentContract}.${fnName}`;
+        const cellframeKey = `${this.currentContract}.${fnName}.${CELLFRAMENET_PATTERN}`;
+        const coinCut = (this.emittedKey.has(priceInflateKey) || this.emittedKey.has(cellframeKey))
+            ? null
+            : this.findCoinCutPriceManipulation(node);
+        if (coinCut) {
+            const key = `${this.currentContract}.${fnName}.${COIN_CUT_PATTERN}`;
+            if (!this.emittedKey.has(key)) {
+                this.emittedKey.add(key);
+                this.findings.push({
+                    file: this.currentFile,
+                    contract: this.currentContract,
+                    'function': fnName,
+                    line: coinCut.sourceLoc.line,
+                    endLine: coinCut.sourceLoc.endLine,
+                    column: coinCut.sourceLoc.column,
+                    pattern: COIN_CUT_PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Function '${fnName}' derives value-moving accounting from live ${coinCut.sourceLabel} state and uses it in ${coinCut.sinkLabel} without a TWAP, stored snapshot, or deviation bound.`,
+                    rationale: 'Mirrors the Caterpillar Coin CUT price-manipulation pattern: a permissionless mint, redeem, claim, or swap path prices output or share accounting from a same-block balanceOf/getReserves read that an attacker can skew before the value-sensitive calculation.',
+                    suggestedFix: 'Use a TWAP/reference oracle, a stored price snapshot with freshness checks, or bound the live spot value against an independent reference before minting shares, redeeming assets, or transferring the computed output.',
+                    contractName: this.currentContract,
+                    functionName: fnName,
+                    sourceLocation: { line: coinCut.sourceLoc.line, column: coinCut.sourceLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                });
+            }
+        }
+        const localStructVars = this.collectLocalStructVars(node.body);
+        const checked = this.findCheckedBalance(node.body, localStructVars);
+        if (!checked)
+            return;
+        const transferredBase = this.findTransferredBaseName(node.body);
+        if (!transferredBase)
+            return;
+        const debited = this.findDebitedBalance(node.body, localStructVars);
+        if (!debited)
+            return;
+        if (checked.isBe)
+            return;
+        if (checked.name === debited.name)
+            return;
+        const otherSideIsBe = debited.isBe || isBeTaggedName(transferredBase) || this.aliasesBeStateVar(transferredBase, node.body);
+        if (!otherSideIsBe)
+            return;
+        if (this.hasReentrancyGuardBody(node.body))
+            return;
+        const key = `${this.currentContract}.${fnName}`;
+        if (this.emittedKey.has(key))
+            return;
+        this.emittedKey.add(key);
+        const primaryLoc = (0, ast_1.tryLoc)(node);
+        const line = primaryLoc?.line ?? 1;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': fnName,
+            line,
+            endLine: primaryLoc?.endLine ?? line,
+            column: primaryLoc?.column ?? 0,
+            pattern: PATTERN,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'medium',
+            message: `Function '${fnName}' validates balance of '${checked.name}' but transfers '${transferredBase}' and debits '${debited.name}' — a stale renamed-withdraw path.`,
+            contractName: this.currentContract,
+            functionName: fnName,
+            sourceLocation: { line, column: primaryLoc?.column ?? 0 },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    collectLocalStructVars(body) {
+        const out = new Set();
+        this.walk(body, node => {
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+                for (const v of node.variables || []) {
+                    if (!v?.name)
+                        continue;
+                    if ((0, ast_1.isNode)(v.typeName, 'UserDefinedTypeName')) {
+                        out.add(v.name);
+                    }
+                }
+            }
+        });
+        return out;
+    }
+    findCheckedBalance(body, localStructVars) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            if (!/^(>=|>|<=|<|==)$/.test(node.operator || ''))
+                return;
+            const left = node.left || node.leftExpression;
+            const right = node.right || node.rightExpression;
+            for (const expr of [left, right]) {
+                const ref = this.refFromExpr(expr, localStructVars);
+                if (ref) {
+                    found = ref;
+                    return;
+                }
+            }
+        });
+        return found;
+    }
+    findDebitedBalance(body, localStructVars) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            if (!/^[+\-*/]?=$/.test(node.operator || ''))
+                return;
+            const left = node.left || node.leftExpression;
+            const ref = this.refFromExpr(left, localStructVars);
+            if (ref)
+                found = ref;
+        });
+        return found;
+    }
+    refFromExpr(expr, localStructVars) {
+        if (!expr)
+            return null;
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            const base = expr.base || expr.baseExpression;
+            const baseName = this.simpleName(base);
+            if (baseName && isBalanceLikeName(baseName)) {
+                return { name: baseName, isBe: isBeTaggedName(baseName) };
+            }
+            return null;
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            const fieldName = expr.memberName || '';
+            if (!fieldName || !isBalanceLikeName(fieldName))
+                return null;
+            const inner = expr.expression;
+            const innerName = this.simpleName(inner);
+            if (!innerName || !localStructVars.has(innerName))
+                return null;
+            return { name: `${innerName}.${fieldName}`, isBe: isBeTaggedName(fieldName) };
+        }
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = expr.name || '';
+            if (name && isBalanceLikeName(name) && this.stateVars.includes(name)) {
+                return { name, isBe: isBeTaggedName(name) };
+            }
+        }
+        return null;
+    }
+    findTransferredBaseName(body) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+                return;
+            const member = String(callee.memberName || '');
+            if (!TRANSFER_METHODS.has(member))
+                return;
+            const baseName = this.memberAccessRoot(callee.expression);
+            if (baseName)
+                found = baseName;
+        });
+        return found;
+    }
+    findMisoUnspecifiedMsgValueReuse(fn) {
+        if (!fn?.body)
+            return false;
+        if (!this.isPayableFunction(fn))
+            return false;
+        if (this.hasReentrancyGuardBody(fn.body))
+            return false;
+        if (!this.hasLoopedSelfDelegatecall(fn.body))
+            return false;
+        return this.contractHasMisoValueAccountingSink(fn);
+    }
+    isPayableFunction(fn) {
+        return String(fn?.stateMutability || '').toLowerCase() === 'payable';
+    }
+    isExternallyCallableFunction(fn) {
+        const visibility = String(fn?.visibility || '').toLowerCase();
+        return visibility === '' || visibility === 'public' || visibility === 'external' || visibility === 'default';
+    }
+    hasLoopedSelfDelegatecall(body) {
+        let found = false;
+        this.walk(body, node => {
+            if (found || !this.isLoopStatement(node))
+                return;
+            this.walk(node.body, child => {
+                if (found || !(0, ast_1.isNode)(child, 'FunctionCall'))
+                    return;
+                if (this.isSelfDelegatecall(child))
+                    found = true;
+            });
+        });
+        return found;
+    }
+    isLoopStatement(node) {
+        return (0, ast_1.isNode)(node, 'ForStatement') || (0, ast_1.isNode)(node, 'WhileStatement') || (0, ast_1.isNode)(node, 'DoWhileStatement');
+    }
+    isSelfDelegatecall(call) {
+        if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+            return false;
+        const callee = this.unwrapCallOptions(call.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        if (String(callee.memberName || '').toLowerCase() !== 'delegatecall')
+            return false;
+        return this.isAddressThis(callee.expression);
+    }
+    contractHasMisoValueAccountingSink(batchFn) {
+        for (const fn of this.contractFunctions.values()) {
+            if (fn === batchFn)
+                continue;
+            if (!fn?.body)
+                continue;
+            if (!this.isExternallyCallableFunction(fn))
+                continue;
+            if (!this.isPayableFunction(fn))
+                continue;
+            if (this.hasRecognisedReentrancyGuardModifier(fn))
+                continue;
+            if (this.hasReentrancyGuardBody(fn.body))
+                continue;
+            if (this.bodyHasMisoMsgValueAccountingWrite(fn.body))
+                return true;
+            if (this.callsMisoMsgValueAccountingHelper(fn.body))
+                return true;
+        }
+        return false;
+    }
+    callsMisoMsgValueAccountingHelper(body) {
+        const internalNames = this.internalCallNames(body);
+        for (const internalName of internalNames) {
+            const helper = this.contractFunctions.get(internalName);
+            if (!helper?.body)
+                continue;
+            if (!INTERNAL_VISIBILITIES.has(String(helper.visibility || '').toLowerCase()))
+                continue;
+            if (this.bodyHasMisoMsgValueAccountingWrite(helper.body))
+                return true;
+        }
+        return false;
+    }
+    bodyHasMisoMsgValueAccountingWrite(body) {
+        let found = false;
+        this.walk(body, node => {
+            if (found || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            const operator = String(node.operator || '');
+            if (!/^[+\-]?=$/.test(operator))
+                return;
+            const left = node.left || node.leftExpression;
+            if (!this.isMisoAccountingWriteTarget(left))
+                return;
+            const right = node.right || node.rightExpression;
+            if (this.exprContainsMsgValue(right))
+                found = true;
+        });
+        return found;
+    }
+    isMisoAccountingWriteTarget(expr) {
+        if (!expr)
+            return false;
+        if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+            return MISO_VALUE_ACCOUNTING_NAMES.test(this.flattenNames(expr.base || expr.baseExpression, true));
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return MISO_VALUE_ACCOUNTING_NAMES.test(String(expr.memberName || ''));
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return MISO_VALUE_ACCOUNTING_NAMES.test(String(expr.name || ''));
+        return false;
+    }
+    exprContainsMsgValue(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'MemberAccess'))
+                return;
+            if (String(node.memberName || '') !== 'value')
+                return;
+            const base = node.expression;
+            if ((0, ast_1.isNode)(base, 'Identifier') && String(base.name || '') === 'msg')
+                found = true;
+        });
+        return found;
+    }
+    findDaoDaoBuildFinanceExecutor(fn, fnName) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        if (this.hasRecognisedReentrancyGuardModifier(fn))
+            return null;
+        if (this.hasReentrancyGuardBody(body))
+            return null;
+        if (!DAO_DAO_EXECUTE_NAMES.test(fnName || '') && !this.hasDaoDaoGovernanceSurface())
+            return null;
+        const params = this.collectFunctionParameters(fn);
+        const storageAliases = this.collectDaoDaoStorageAliases(body);
+        const calls = this.collectDaoDaoLowLevelCalls(body);
+        for (const call of calls) {
+            if (!this.isDangerousDaoDaoCall(call, params, storageAliases))
+                continue;
+            if (!this.hasDaoDaoGovernanceGateBefore(body, call.node))
+                continue;
+            if (this.hasDaoDaoExecutionLockBefore(body, call))
+                continue;
+            return call;
+        }
+        return null;
+    }
+    hasDaoDaoGovernanceSurface() {
+        if (this.stateVars.some(name => DAO_DAO_GOVERNANCE_NAMES.test(name)))
+            return true;
+        for (const name of this.contractFunctions.keys()) {
+            if (DAO_DAO_GOVERNANCE_NAMES.test(name))
+                return true;
+        }
+        return false;
+    }
+    collectFunctionParameters(fn) {
+        const params = new Set();
+        for (const param of fn?.parameters || []) {
+            if (param?.name)
+                params.add(String(param.name));
+        }
+        return params;
+    }
+    collectDaoDaoStorageAliases(body) {
+        const aliases = new Set();
+        this.walk(body, node => {
+            if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+                return;
+            if (!this.isDaoDaoProposalLikeStorageRead(node.initialValue))
+                return;
+            for (const variable of node.variables || []) {
+                if (variable?.name && String(variable.storageLocation || '').toLowerCase() === 'storage') {
+                    aliases.add(String(variable.name));
+                }
+            }
+        });
+        return aliases;
+    }
+    collectDaoDaoLowLevelCalls(body) {
+        const calls = [];
+        this.walk(body, node => {
+            const call = this.daoDaoLowLevelCall(node);
+            if (call)
+                calls.push(call);
+        });
+        return calls.sort((a, b) => this.nodeStart(a.node) - this.nodeStart(b.node));
+    }
+    daoDaoLowLevelCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return null;
+        const callee = this.unwrapCallOptions(node.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return null;
+        const member = String(callee.memberName || '').toLowerCase();
+        if (!LOW_LEVEL_GOVERNANCE_CALLS.has(member))
+            return null;
+        return {
+            node,
+            member,
+            target: callee.expression,
+            args: Array.isArray(node.arguments) ? node.arguments : [],
+        };
+    }
+    isDangerousDaoDaoCall(call, params, storageAliases) {
+        if (call.args.length === 0)
+            return false;
+        const targetControlled = this.isDaoDaoControlledTarget(call.target, params, storageAliases);
+        const dataControlled = call.args.some(arg => this.isDaoDaoControlledData(arg, params, storageAliases));
+        return targetControlled && dataControlled;
+    }
+    isDaoDaoControlledTarget(expr, params, storageAliases) {
+        if (!expr)
+            return false;
+        if (this.exprUsesNames(expr, params))
+            return true;
+        return this.isDaoDaoProposalMember(expr, storageAliases, /target|implementation|token|to|destination|callee/i);
+    }
+    isDaoDaoControlledData(expr, params, storageAliases) {
+        if (!expr)
+            return false;
+        if (this.exprUsesNames(expr, params))
+            return true;
+        return this.isDaoDaoProposalMember(expr, storageAliases, /data|calldata|payload|callData|selector/i);
+    }
+    isDaoDaoProposalMember(expr, storageAliases, memberPattern) {
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return false;
+        if (!memberPattern.test(String(expr.memberName || '')))
+            return false;
+        const root = this.rootIdentifier(expr.expression);
+        return !!root && storageAliases.has(root);
+    }
+    isDaoDaoProposalLikeStorageRead(expr) {
+        const root = this.rootIdentifier(expr);
+        return !!root && /proposal|queued|passed/i.test(root);
+    }
+    hasDaoDaoGovernanceGateBefore(body, callNode) {
+        let found = false;
+        this.walkBefore(body, callNode, node => {
+            if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if (!(0, ast_1.isNode)(callee, 'Identifier'))
+                return;
+            if (!['require', 'assert'].includes(String(callee.name || '')))
+                return;
+            const condition = node.arguments?.[0];
+            if (this.containsNameMatching(condition, DAO_DAO_GOVERNANCE_NAMES))
+                found = true;
+        });
+        return found;
+    }
+    hasDaoDaoExecutionLockBefore(body, call) {
+        let found = false;
+        const callStorageRoots = this.daoDaoCallStorageRoots(call);
+        this.walkBefore(body, call.node, node => {
+            if (found || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            if (String(node.operator || '') !== '=')
+                return;
+            const left = node.left || node.leftExpression;
+            const right = node.right || node.rightExpression;
+            if (this.isDaoDaoConsumingExecutionWrite(left, right, callStorageRoots))
+                found = true;
+        });
+        return found;
+    }
+    daoDaoCallStorageRoots(call) {
+        const roots = new Set();
+        const targetRoot = this.rootIdentifier(call.target);
+        if (targetRoot)
+            roots.add(targetRoot);
+        for (const arg of call.args) {
+            const argRoot = this.rootIdentifier(arg);
+            if (argRoot)
+                roots.add(argRoot);
+        }
+        return roots;
+    }
+    isDaoDaoConsumingExecutionWrite(left, right, callStorageRoots) {
+        const value = this.booleanLiteralValue(right);
+        if (value === null)
+            return false;
+        if ((0, ast_1.isNode)(left, 'MemberAccess')) {
+            const member = String(left.memberName || '');
+            const root = this.rootIdentifier(left.expression);
+            if (root && callStorageRoots.size > 0 && !callStorageRoots.has(root))
+                return false;
+            return this.isDaoDaoProtectiveLockValue(member, value);
+        }
+        if ((0, ast_1.isNode)(left, 'IndexAccess')) {
+            const root = this.rootIdentifier(left);
+            return this.isDaoDaoProtectiveLockValue(root, value);
+        }
+        return false;
+    }
+    isDaoDaoProtectiveLockValue(name, value) {
+        if (DAO_DAO_EXECUTION_CONSUMED_NAMES.test(name))
+            return value === true;
+        if (DAO_DAO_QUEUE_FLAG_NAMES.test(name))
+            return value === false;
+        return false;
+    }
+    booleanLiteralValue(expr) {
+        if ((0, ast_1.isNode)(expr, 'BooleanLiteral'))
+            return expr.value === true;
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            if (String(expr.name || '') === 'true')
+                return true;
+            if (String(expr.name || '') === 'false')
+                return false;
+        }
+        return null;
+    }
+    walkBefore(root, before, visit) {
+        const stop = this.nodeStart(before);
+        this.walk(root, node => {
+            if (this.nodeStart(node) < stop)
+                visit(node);
+        });
+    }
+    nodeStart(node) {
+        return Array.isArray(node?.range) ? node.range[0] : Number.MAX_SAFE_INTEGER;
+    }
+    rootIdentifier(expr) {
+        let current = expr;
+        while (current) {
+            if ((0, ast_1.isNode)(current, 'Identifier'))
+                return String(current.name || '');
+            if ((0, ast_1.isNode)(current, 'MemberAccess')) {
+                current = current.expression;
+                continue;
+            }
+            if ((0, ast_1.isNode)(current, 'IndexAccess')) {
+                current = current.base || current.baseExpression;
+                continue;
+            }
+            return '';
+        }
+        return '';
+    }
+    containsNameMatching(expr, pattern) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'Identifier') && pattern.test(String(node.name || '')))
+                found = true;
+            if ((0, ast_1.isNode)(node, 'MemberAccess') && pattern.test(String(node.memberName || '')))
+                found = true;
+        });
+        return found;
+    }
+    // For the alias case: `IERC20 out = beToken;` then `out.transfer(...)`.
+    // If the transferred base is a local alias for a BE-tagged state var,
+    // treat it as BE-tagged.
+    aliasesBeStateVar(baseName, body) {
+        if (!baseName)
+            return false;
+        let aliased = false;
+        this.walk(body, node => {
+            if (aliased)
+                return;
+            if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+                return;
+            const variables = node.variables || [];
+            const initialValue = node.initialValue;
+            for (const v of variables) {
+                if (!v || v.name !== baseName)
+                    continue;
+                const initName = this.simpleName(initialValue);
+                if (initName && isBeTaggedName(initName)) {
+                    aliased = true;
+                    return;
+                }
+            }
+        });
+        return aliased;
+    }
+    detectPriceManipulationInflate(fn, fnName) {
+        if (fnName !== 'transfer')
+            return;
+        const paths = this.analyzePriceInflateStatements(fn.body?.statements || [], new Set(), 0);
+        // Emit only when a *single* execution path derives a quote, performs the
+        // quoted payout, and self-mutates afterwards — and that same path is not
+        // bounded. Signals from unrelated `if` arms never satisfy this check.
+        const vulnerablePath = paths.some(p => p.hasQuote && p.hasQuotedPayout && p.hasPostPayoutSelfMutation && !p.hasBoundBeforePayout);
+        if (!vulnerablePath)
+            return;
+        const key = `${PRICE_INFLATE_PATTERN}:${this.currentContract}.${fnName}`;
+        if (this.emittedKey.has(key))
+            return;
+        this.emittedKey.add(key);
+        const primaryLoc = (0, ast_1.tryLoc)(fn);
+        const line = primaryLoc?.line ?? 1;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': fnName,
+            line,
+            endLine: primaryLoc?.endLine ?? line,
+            column: primaryLoc?.column ?? 0,
+            pattern: PRICE_INFLATE_PATTERN,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Transfer sell path derives a payout from manipulable live price state, sends value to the seller, then burns or fees self-held balance, enabling price inflation.`,
+            contractName: this.currentContract,
+            functionName: fnName,
+            sourceLocation: { line, column: primaryLoc?.column ?? 0 },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    // Path-scoped walk: produces one `InflatePathState` per distinct execution
+    // path through `statements`. `initialHasQuotedPayout` seeds the carried
+    // payout state so an internal helper expanded *after* a quoted payout in
+    // the caller can still recognise its own self-balance burn as post-payout.
+    analyzePriceInflateStatements(statements, expandedHelpers, depth, initialState) {
+        const initial = initialState ? this.cloneInflatePathState(initialState) : {
+            quoteVars: new Set(),
+            hasQuote: false,
+            hasQuotedPayout: false,
+            hasPostPayoutSelfMutation: false,
+            hasBoundBeforePayout: false,
+        };
+        return this.walkInflateSequence(statements || [], [initial], expandedHelpers, depth);
+    }
+    // Threads every carried path-state through `statements` in source order.
+    // `IfStatement` forks the paths; all other statement kinds mutate each
+    // carried path in place so signals propagate across loops and blocks too.
+    walkInflateSequence(statements, startStates, expandedHelpers, depth) {
+        let paths = startStates;
+        for (const stmt of statements || []) {
+            paths = this.applyInflateStatement(stmt, paths, expandedHelpers, depth);
+            if (paths.length > MAX_INFLATE_PATHS)
+                paths = paths.slice(0, MAX_INFLATE_PATHS);
+        }
+        return paths;
+    }
+    applyInflateStatement(stmt, paths, expandedHelpers, depth) {
+        if (!stmt)
+            return paths;
+        if ((0, ast_1.isNode)(stmt, 'Block')) {
+            return this.walkInflateSequence(stmt.statements || [], paths, expandedHelpers, depth);
+        }
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            const trueStmts = this.inflateBranchStatements(stmt.trueBody);
+            const falseStmts = stmt.falseBody ? this.inflateBranchStatements(stmt.falseBody) : null;
+            const out = [];
+            for (const p of paths) {
+                // Each arm gets an independent copy of the path-state and of the
+                // helper-expansion ledger, so evidence cannot leak between branches.
+                out.push(...this.walkInflateSequence(trueStmts, [this.cloneInflatePathState(p)], new Set(expandedHelpers), depth));
+                if (falseStmts) {
+                    out.push(...this.walkInflateSequence(falseStmts, [this.cloneInflatePathState(p)], new Set(expandedHelpers), depth));
+                }
+                else {
+                    // No `else`: the path that skips the `if` continues unchanged.
+                    out.push(this.cloneInflatePathState(p));
+                }
+            }
+            return out;
+        }
+        if ((0, ast_1.isNode)(stmt, 'WhileStatement') || (0, ast_1.isNode)(stmt, 'ForStatement') || (0, ast_1.isNode)(stmt, 'DoWhileStatement')) {
+            return this.walkInflateSequence(this.inflateBranchStatements(stmt.body), paths, expandedHelpers, depth);
+        }
+        const out = [];
+        for (const p of paths) {
+            out.push(...this.applyInflateLeaf(stmt, p, expandedHelpers, depth));
+        }
+        return out;
+    }
+    inflateBranchStatements(node) {
+        if (!node)
+            return [];
+        if ((0, ast_1.isNode)(node, 'Block'))
+            return node.statements || [];
+        return [node];
+    }
+    cloneInflatePathState(s) {
+        return {
+            quoteVars: new Set(s.quoteVars),
+            hasQuote: s.hasQuote,
+            hasQuotedPayout: s.hasQuotedPayout,
+            hasPostPayoutSelfMutation: s.hasPostPayoutSelfMutation,
+            hasBoundBeforePayout: s.hasBoundBeforePayout,
+        };
+    }
+    // Folds the signals of a single non-branching statement into one path-state.
+    applyInflateLeaf(stmt, state, expandedHelpers, depth) {
+        const observeQuote = (name) => {
+            if (!name)
+                return;
+            state.quoteVars.add(name);
+            state.hasQuote = true;
+        };
+        if ((0, ast_1.isNode)(stmt, 'VariableDeclarationStatement')) {
+            const initialValue = stmt.initialValue;
+            if (this.isGetReservesCall(initialValue)) {
+                for (const v of stmt.variables || []) {
+                    if (v?.name)
+                        observeQuote(v.name);
+                }
+            }
+            else if (this.exprHasManipulablePriceSource(initialValue, state.quoteVars) || this.internalReturnsManipulablePrice(initialValue)) {
+                for (const v of stmt.variables || []) {
+                    if (v?.name)
+                        observeQuote(v.name);
+                }
+            }
+            if (this.isQuotedPayoutCall(initialValue, state.quoteVars)) {
+                state.hasQuotedPayout = true;
+            }
+            return this.expandInflateHelpersFromExpr(initialValue, state, expandedHelpers, depth);
+        }
+        if ((0, ast_1.isNode)(stmt, 'ExpressionStatement')) {
+            const expr = stmt.expression;
+            if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+                const left = expr.left || expr.leftExpression;
+                const right = expr.right || expr.rightExpression;
+                const op = String(expr.operator || '');
+                if (op === '=' && (this.exprHasManipulablePriceSource(right, state.quoteVars) || this.internalReturnsManipulablePrice(right))) {
+                    observeQuote(this.simpleName(left));
+                }
+                if (this.isQuotedPayoutCall(right, state.quoteVars)) {
+                    state.hasQuotedPayout = true;
+                }
+                let expanded = this.expandInflateHelpersFromExpr(right, state, expandedHelpers, depth);
+                if (state.hasQuotedPayout) {
+                    expanded = expanded.map(p => {
+                        if (this.isSelfBalanceDecrease(expr)) {
+                            return { ...p, quoteVars: new Set(p.quoteVars), hasPostPayoutSelfMutation: true };
+                        }
+                        return p;
+                    });
+                }
+                return expanded;
+            }
+            // A quote-bound `require` only suppresses the path it lives on, and
+            // only when it precedes the quoted payout on that same path.
+            if (this.isQuotedBoundRequire(expr, state.quoteVars) && !state.hasQuotedPayout) {
+                state.hasBoundBeforePayout = true;
+            }
+            if (this.isQuotedPayoutCall(expr, state.quoteVars)) {
+                state.hasQuotedPayout = true;
+            }
+            if (state.hasQuotedPayout && this.isSelfBalanceDecrease(expr)) {
+                state.hasPostPayoutSelfMutation = true;
+            }
+            return this.expandInflateHelpersFromExpr(expr, state, expandedHelpers, depth);
+        }
+        return [state];
+    }
+    expandInflateHelpersFromExpr(expr, state, expandedHelpers, depth) {
+        const internalNames = this.internalCallNames(expr);
+        let paths = [state];
+        for (const internalName of internalNames) {
+            if (depth >= 2 || expandedHelpers.has(internalName))
+                continue;
+            const helper = this.contractFunctions.get(internalName);
+            if (!helper?.body || !INTERNAL_VISIBILITIES.has(String(helper.visibility || '').toLowerCase()))
+                continue;
+            const nextPaths = [];
+            for (const p of paths) {
+                const helperExpanded = new Set(expandedHelpers);
+                helperExpanded.add(internalName);
+                nextPaths.push(...this.analyzePriceInflateStatements(helper.body.statements || [], helperExpanded, depth + 1, p));
+            }
+            paths = nextPaths.length > MAX_INFLATE_PATHS ? nextPaths.slice(0, MAX_INFLATE_PATHS) : nextPaths;
+        }
+        return paths;
+    }
+    internalCallName(expr) {
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return '';
+        const callee = expr.expression;
+        if (!(0, ast_1.isNode)(callee, 'Identifier'))
+            return '';
+        return callee.name || '';
+    }
+    internalCallNames(expr) {
+        const names = [];
+        const seen = new Set();
+        this.walk(expr, node => {
+            const name = this.internalCallName(node);
+            if (!name || seen.has(name))
+                return;
+            seen.add(name);
+            names.push(name);
+        });
+        return names;
+    }
+    internalReturnsManipulablePrice(expr, returningHelpers = new Set()) {
+        const name = this.internalCallName(expr);
+        if (!name)
+            return false;
+        if (returningHelpers.has(name))
+            return false;
+        const helper = this.contractFunctions.get(name);
+        if (!helper?.body || !INTERNAL_VISIBILITIES.has(String(helper.visibility || '').toLowerCase()))
+            return false;
+        const nestedReturningHelpers = new Set(returningHelpers);
+        nestedReturningHelpers.add(name);
+        const quoteVars = new Set();
+        this.walk(helper.body, node => {
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+                const initialValue = node.initialValue;
+                if (this.isGetReservesCall(initialValue) || this.exprHasManipulablePriceSource(initialValue, quoteVars) || this.internalReturnsManipulablePrice(initialValue, nestedReturningHelpers)) {
+                    for (const v of node.variables || []) {
+                        if (v?.name)
+                            quoteVars.add(v.name);
+                    }
+                }
+            }
+            else if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+                const op = String(node.operator || '');
+                if (op !== '=')
+                    return;
+                const right = node.right || node.rightExpression;
+                if (!this.exprHasManipulablePriceSource(right, quoteVars) && !this.internalReturnsManipulablePrice(right, nestedReturningHelpers))
+                    return;
+                const left = node.left || node.leftExpression;
+                const name = this.simpleName(left);
+                if (name)
+                    quoteVars.add(name);
+            }
+        });
+        let found = false;
+        this.walk(helper.body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'ReturnStatement'))
+                return;
+            if (this.exprHasManipulablePriceSource(node.expression, quoteVars))
+                found = true;
+        });
+        return found;
+    }
+    isQuotedBoundRequire(expr, quoteVars) {
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return false;
+        const callee = expr.expression;
+        if (!(0, ast_1.isNode)(callee, 'Identifier') || callee.name !== 'require')
+            return false;
+        const condition = expr.arguments?.[0];
+        if (!(0, ast_1.isNode)(condition, 'BinaryOperation'))
+            return false;
+        if (!/^(<=|<|>=|>)$/.test(String(condition.operator || '')))
+            return false;
+        return this.exprReferencesAny(condition, quoteVars);
+    }
+    isQuotedPayoutCall(expr, quoteVars) {
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return false;
+        const callee = expr.expression;
+        if ((0, ast_1.isNode)(callee, 'MemberAccess')) {
+            const member = String(callee.memberName || '');
+            if ((member === 'transfer' || member === 'send') && this.exprReferencesAny(expr.arguments?.[0], quoteVars)) {
+                return true;
+            }
+            if (member === 'call')
+                return false;
+        }
+        if ((0, ast_1.isNode)(callee, 'NameValueExpression')) {
+            const target = callee.expression;
+            if (!(0, ast_1.isNode)(target, 'MemberAccess') || target.memberName !== 'call')
+                return false;
+            return this.nameValueExpressionReferencesQuote(callee, quoteVars);
+        }
+        return false;
+    }
+    nameValueExpressionReferencesQuote(node, quoteVars) {
+        const args = node?.arguments;
+        if (!args)
+            return false;
+        if (Array.isArray(args))
+            return args.some(arg => this.exprReferencesAny(arg, quoteVars));
+        if (Array.isArray(args.arguments))
+            return args.arguments.some((arg) => this.exprReferencesAny(arg, quoteVars));
+        return this.exprReferencesAny(args, quoteVars);
+    }
+    exprHasManipulablePriceSource(expr, quoteVars) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'Identifier') && quoteVars.has(node.name || '')) {
+                found = true;
+                return;
+            }
+            if (this.isAddressThisBalance(node) || this.isSelfBalanceRef(node) || this.isGetReservesCall(node) || this.isGetAmountsOutCall(node) || this.isTotalSupplyRead(node)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    exprReferencesAny(expr, names) {
+        if (!expr || names.size === 0)
+            return false;
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'Identifier') && names.has(node.name || ''))
+                found = true;
+        });
+        return found;
+    }
+    isSelfBalanceDecrease(expr) {
+        if (!(0, ast_1.isNode)(expr, 'BinaryOperation'))
+            return false;
+        const op = String(expr.operator || '');
+        const left = expr.left || expr.leftExpression;
+        if (!this.isSelfBalanceRef(left))
+            return false;
+        if (op === '-=')
+            return true;
+        if (op !== '=')
+            return false;
+        const right = expr.right || expr.rightExpression;
+        return this.exprContainsSelfBalanceRef(right) && this.exprContainsOperator(right, '-');
+    }
+    exprContainsSelfBalanceRef(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (this.isSelfBalanceRef(node))
+                found = true;
+        });
+        return found;
+    }
+    exprContainsOperator(expr, operator) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === operator)
+                found = true;
+        });
+        return found;
+    }
+    isSelfBalanceRef(node) {
+        if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+            return false;
+        const baseName = this.simpleName(node.base || node.baseExpression);
+        if (baseName !== 'balanceOf' && baseName !== 'balances')
+            return false;
+        const index = node.index || node.indexExpression;
+        return this.isAddressThis(index);
+    }
+    isAddressThisBalance(node) {
+        return (0, ast_1.isNode)(node, 'MemberAccess') && node.memberName === 'balance' && this.isAddressThis(node.expression);
+    }
+    isAddressThis(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        return (0, ast_1.isNode)(callee, 'Identifier') && callee.name === 'address' &&
+            node.arguments?.length === 1 && (0, ast_1.isNode)(node.arguments[0], 'Identifier') && node.arguments[0].name === 'this';
+    }
+    isGetReservesCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        return (0, ast_1.isNode)(callee, 'MemberAccess') && String(callee.memberName || '').toLowerCase() === 'getreserves';
+    }
+    isGetAmountsOutCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        return (0, ast_1.isNode)(callee, 'MemberAccess') && String(callee.memberName || '').toLowerCase() === 'getamountsout';
+    }
+    isTotalSupplyRead(node) {
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return String(node.name || '').toLowerCase() === 'totalsupply';
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        if ((0, ast_1.isNode)(callee, 'Identifier'))
+            return String(callee.name || '').toLowerCase() === 'totalsupply';
+        return (0, ast_1.isNode)(callee, 'MemberAccess') && String(callee.memberName || '').toLowerCase() === 'totalsupply';
+    }
+    memberAccessRoot(node) {
+        if (!node)
+            return '';
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name || '';
+        if ((0, ast_1.isNode)(node, 'MemberAccess'))
+            return this.memberAccessRoot(node.expression);
+        return '';
+    }
+    simpleName(node) {
+        if (!node)
+            return '';
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name || '';
+        if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+            // For msg.sender style: return the memberName (`sender`) so the
+            // index expression is human-readable in the finding message.
+            return node.memberName || '';
+        }
+        return '';
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.children(node)) {
+            this.walk(child, visit);
+        }
+    }
+    children(node) {
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+    hasReentrancyGuardBody(body) {
+        if (!body || body.type !== 'Block')
+            return false;
+        const stmts = body.statements || [];
+        const guardNames = new Set();
+        for (const stmt of stmts) {
+            if (!(0, ast_1.isNode)(stmt, 'ExpressionStatement'))
+                continue;
+            const expr = stmt.expression;
+            if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+                continue;
+            const callee = expr.expression;
+            if (!(0, ast_1.isNode)(callee, 'Identifier'))
+                continue;
+            if ((callee.name || '') !== 'require')
+                continue;
+            const arg0 = expr.arguments?.[0];
+            if (!(0, ast_1.isNode)(arg0, 'UnaryOperation') || arg0.operator !== '!')
+                continue;
+            const g = this.simpleName(arg0.subExpression);
+            if (g)
+                guardNames.add(g);
+        }
+        if (guardNames.size === 0)
+            return false;
+        for (const guardName of guardNames) {
+            let setTrue = false;
+            let setFalse = false;
+            for (const s of stmts) {
+                if (!(0, ast_1.isNode)(s, 'ExpressionStatement'))
+                    continue;
+                const e = s.expression;
+                if (!(0, ast_1.isNode)(e, 'BinaryOperation') || e.operator !== '=')
+                    continue;
+                const lhs = e.left || e.leftHandSide;
+                if (this.simpleName(lhs) !== guardName)
+                    continue;
+                const lit = e.right || e.rightHandSide;
+                if ((0, ast_1.isNode)(lit, 'BooleanLiteral')) {
+                    if (lit.value === true)
+                        setTrue = true;
+                    else if (lit.value === false)
+                        setFalse = true;
+                }
+            }
+            if (setTrue && setFalse)
+                return true;
+        }
+        return false;
+    }
+    hasRecognisedReentrancyGuardModifier(fn) {
+        for (const modifier of fn?.modifiers || []) {
+            const name = this.modifierName(modifier).toLowerCase();
+            if (name && REENTRANCY_GUARD_MODIFIERS.has(name))
+                return true;
+            if (name.includes('nonreentrant'))
+                return true;
+        }
+        return false;
+    }
+    modifierName(modifier) {
+        if (!modifier)
+            return '';
+        if (typeof modifier === 'string')
+            return modifier;
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name && typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+            return modifier.modifierName.name;
+        return '';
+    }
+    hasRecognisedFreshnessModifier(fn) {
+        for (const modifier of fn?.modifiers || []) {
+            const name = this.modifierName(modifier);
+            if (name && (0, price_rate_1.isRecognizedFreshnessModifierName)(name))
+                return true;
+        }
+        return false;
+    }
+    hasInlineAccessControl(body) {
+        if (!body)
+            return false;
+        let found = false;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if (!(0, ast_1.isNode)(callee, 'Identifier'))
+                return;
+            if ((callee.name || '') !== 'require')
+                return;
+            const arg0 = node.arguments?.[0];
+            if (!arg0)
+                return;
+            if ((0, access_control_1.requireExpressesAccessControl)(arg0, name => {
+                const lower = name.toLowerCase();
+                return lower.includes('owner') || lower.includes('admin') || lower.includes('governance') ||
+                    lower.includes('role') || lower.includes('auth') || lower.includes('manager') ||
+                    lower.includes('guardian') || lower.includes('operator');
+            })) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    findCsOutdatedGlobalVariable(fn) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        if (this.hasInlineAccessControl(body))
+            return null;
+        if (this.hasReentrancyGuardBody(body))
+            return null;
+        const params = this.collectFunctionParameters(fn);
+        const caches = new Map();
+        let sawInteraction = false;
+        for (const stmt of body.statements || []) {
+            const finding = this.applyCsOutdatedGlobalStatement(stmt, caches, sawInteraction, params);
+            if (finding)
+                return finding;
+            if (this.csStatementHasExternalInteraction(stmt))
+                sawInteraction = true;
+        }
+        return null;
+    }
+    applyCsOutdatedGlobalStatement(stmt, caches, sawInteraction, params) {
+        if (!stmt)
+            return null;
+        if ((0, ast_1.isNode)(stmt, 'Block') || (0, ast_1.isNode)(stmt, 'UncheckedStatement')) {
+            for (const child of stmt.statements || []) {
+                const finding = this.applyCsOutdatedGlobalStatement(child, caches, sawInteraction, params);
+                if (finding)
+                    return finding;
+                if (this.csStatementHasExternalInteraction(child))
+                    sawInteraction = true;
+            }
+            return null;
+        }
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            const finding = this.applyCsOutdatedGlobalStatement(stmt.trueBody, new Map(caches), sawInteraction, params) ||
+                this.applyCsOutdatedGlobalStatement(stmt.falseBody, new Map(caches), sawInteraction, params);
+            if (finding)
+                return finding;
+            return null;
+        }
+        if (!sawInteraction) {
+            this.collectCsOutdatedGlobalCaches(stmt, caches);
+            return null;
+        }
+        this.refreshCsOutdatedGlobalCaches(stmt, caches);
+        for (const [localName, cache] of caches.entries()) {
+            if (!cache.stale)
+                continue;
+            if (this.csStatementUsesStaleCacheInSink(stmt, localName, params)) {
+                return { sourceName: cache.sourceName, sourceNode: cache.sourceNode, sinkNode: stmt };
+            }
+        }
+        return null;
+    }
+    collectCsOutdatedGlobalCaches(stmt, caches) {
+        const assignment = this.csAssignmentParts(stmt);
+        if (!assignment?.init)
+            return;
+        const sourceName = this.csOutdatedGlobalSourceName(assignment.init);
+        if (!sourceName)
+            return;
+        for (const variable of assignment.variables) {
+            const localName = variable?.name;
+            if (!localName)
+                continue;
+            caches.set(localName, {
+                sourceName,
+                sourceNode: assignment.init,
+                stale: true,
+            });
+        }
+    }
+    refreshCsOutdatedGlobalCaches(stmt, caches) {
+        const assignment = this.csAssignmentParts(stmt);
+        if (!assignment?.init)
+            return;
+        const refreshedName = this.csOutdatedGlobalSourceName(assignment.init);
+        if (!refreshedName)
+            return;
+        for (const variable of assignment.variables) {
+            const cache = variable?.name ? caches.get(variable.name) : undefined;
+            if (cache && cache.sourceName === refreshedName)
+                cache.stale = false;
+        }
+    }
+    csAssignmentParts(node) {
+        if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+            return { init: node.initialValue, variables: node.variables || [] };
+        }
+        if (!(0, ast_1.isNode)(node, 'ExpressionStatement'))
+            return null;
+        const expr = node.expression;
+        if (!(0, ast_1.isNode)(expr, 'BinaryOperation') || String(expr.operator || '') !== '=')
+            return null;
+        const left = expr.left || expr.leftExpression;
+        const right = expr.right || expr.rightExpression;
+        if ((0, ast_1.isNode)(left, 'Identifier'))
+            return { init: right, variables: [{ name: left.name }] };
+        return null;
+    }
+    csOutdatedGlobalSourceName(expr) {
+        const directName = this.csStateAccountingName(expr);
+        if (directName)
+            return directName;
+        let found = '';
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (this.csIsLiveBalanceCall(node)) {
+                found = 'balanceOf';
+                return;
+            }
+            const name = this.csStateAccountingName(node);
+            if (name)
+                found = name;
+        });
+        return found;
+    }
+    csStateAccountingName(expr) {
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            const name = String(expr.name || '');
+            if (this.stateVars.includes(name) && OUTDATED_GLOBAL_SOURCE_NAMES.test(name))
+                return name;
+        }
+        if ((0, ast_1.isNode)(expr, 'IndexAccess')) {
+            const baseName = this.simpleName(expr.base || expr.baseExpression);
+            if (this.stateVars.includes(baseName) && OUTDATED_GLOBAL_SOURCE_NAMES.test(baseName))
+                return baseName;
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            const member = String(expr.memberName || '');
+            if (OUTDATED_GLOBAL_SOURCE_NAMES.test(member) && this.csExpressionIsStateScoped(expr.expression))
+                return member;
+        }
+        return '';
+    }
+    csExpressionIsStateScoped(expr) {
+        const rootName = this.csStateRootName(expr);
+        return !!rootName && this.stateVars.includes(rootName);
+    }
+    csStateRootName(expr) {
+        if (!expr)
+            return '';
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return this.csStateRootName(expr.expression);
+        if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+            return this.csStateRootName(expr.base || expr.baseExpression);
+        return '';
+    }
+    csIsLiveBalanceCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        return String(callee.memberName || '').toLowerCase() === 'balanceof';
+    }
+    csStatementHasExternalInteraction(stmt) {
+        let found = false;
+        this.walk(stmt, node => {
+            if (found || !(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            if (this.csIsRiskyExternalInteraction(node))
+                found = true;
+        });
+        return found;
+    }
+    csIsRiskyExternalInteraction(call) {
+        const callee = this.unwrapCallOptions(call.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        const method = String(callee.memberName || '').toLowerCase();
+        if (!['call', 'delegatecall', 'transfer', 'send', 'transferfrom', 'safetransfer', 'safetransferfrom'].includes(method)) {
+            return false;
+        }
+        const root = this.memberAccessRoot(callee.expression).toLowerCase();
+        return root !== 'this' && root !== 'super';
+    }
+    csStatementUsesStaleCacheInSink(stmt, localName, params) {
+        let found = false;
+        this.walk(stmt, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+                const op = String(node.operator || '');
+                const left = node.left || node.leftExpression;
+                const right = node.right || node.rightExpression;
+                if (/^[+\-*/]?=$/.test(op) &&
+                    this.csIsAccountingSink(left) &&
+                    this.exprUsesNames(right, new Set([localName]))) {
+                    found = true;
+                    return;
+                }
+            }
+            if ((0, ast_1.isNode)(node, 'FunctionCall') && this.csIsValueMovingSink(node) && this.exprUsesNames(node, new Set([localName]))) {
+                found = true;
+            }
+        });
+        if (found)
+            return true;
+        // Guard-context bound sink: stale local bounds a caller-supplied
+        // parameter in a require/assert argument or if-statement condition.
+        // Pure equality checks and invariant-only bounds (e.g. `cached > 0`)
+        // are too generic to flag.
+        return this.csCacheUsedInGuardBound(stmt, localName, params);
+    }
+    csCacheUsedInGuardBound(stmt, localName, params) {
+        let found = false;
+        this.walk(stmt, node => {
+            if (found)
+                return;
+            let condition = null;
+            if ((0, ast_1.isNode)(node, 'IfStatement')) {
+                condition = node.condition;
+            }
+            else if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = node.expression;
+                if ((0, ast_1.isNode)(callee, 'Identifier') && ['require', 'assert'].includes(String(callee.name || ''))) {
+                    condition = node.arguments?.[0];
+                }
+            }
+            if (!condition)
+                return;
+            if (this.csConditionHasBoundOnLocal(condition, localName, params))
+                found = true;
+        });
+        return found;
+    }
+    csConditionHasBoundOnLocal(expr, localName, params) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            if (!/^(<=|<|>=|>)$/.test(String(node.operator || '')))
+                return;
+            if (!this.exprUsesNames(node, new Set([localName])))
+                return;
+            if (params.size === 0 || !this.exprUsesNames(node, params))
+                return;
+            found = true;
+        });
+        return found;
+    }
+    csIsAccountingSink(expr) {
+        const name = this.csAccountingSinkName(expr);
+        return !!name && OUTDATED_GLOBAL_SINK_NAMES.test(name);
+    }
+    csAccountingSinkName(expr) {
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+            return this.csAccountingSinkName(expr.base || expr.baseExpression);
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return String(expr.memberName || '') || this.csAccountingSinkName(expr.expression);
+        return '';
+    }
+    csIsValueMovingSink(call) {
+        const callee = this.unwrapCallOptions(call.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        const method = String(callee.memberName || '').toLowerCase();
+        return ['transfer', 'send', 'safetransfer', 'mint', '_mint', 'burn', '_burn'].includes(method);
+    }
+    findPenpieRewardReentrancy(fn) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        if (this.hasRecognisedReentrancyGuardModifier(fn))
+            return null;
+        if (this.hasInlineAccessControl(body))
+            return null;
+        if (this.hasReentrancyGuardBody(body))
+            return null;
+        let lastRiskyExternalCall = null;
+        let finding = null;
+        const visit = (node, expandedHelpers = new Set(), depth = 0) => {
+            if (!node || typeof node !== 'object' || finding)
+                return;
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+                this.walkPenpieExecution(node.initialValue, child => visit(child, expandedHelpers, depth));
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'IfStatement')) {
+                this.walkPenpieExecution(node.condition, child => visit(child, expandedHelpers, depth));
+                const saved = lastRiskyExternalCall;
+                this.walkPenpieExecution(node.trueBody, child => visit(child, new Set(expandedHelpers), depth));
+                const afterTrue = lastRiskyExternalCall;
+                lastRiskyExternalCall = saved;
+                this.walkPenpieExecution(node.falseBody, child => visit(child, new Set(expandedHelpers), depth));
+                lastRiskyExternalCall = afterTrue || lastRiskyExternalCall;
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'BinaryOperation') && /^[+\-*/]?=$/.test(String(node.operator || ''))) {
+                const right = node.right || node.rightExpression;
+                this.walkPenpieExecution(right, child => visit(child, expandedHelpers, depth));
+                const left = node.left || node.leftExpression;
+                if (lastRiskyExternalCall && this.isPenpieAccountingWriteTarget(left)) {
+                    finding = { callNode: lastRiskyExternalCall, writeNode: node };
+                    return;
+                }
+                this.walkPenpieExecution(left, child => visit(child, expandedHelpers, depth));
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                if (this.isPenpieExternalInteraction(node) && this.isPenpieRiskyExternalAccountingPair(node)) {
+                    lastRiskyExternalCall = node;
+                }
+                this.expandPenpieHelperCall(node, expandedHelpers, depth, visit);
+                if (finding)
+                    return;
+            }
+            for (const child of this.penpieChildren(node)) {
+                visit(child, expandedHelpers, depth);
+                if (finding)
+                    return;
+            }
+        };
+        visit(body);
+        return finding;
+    }
+    expandPenpieHelperCall(call, expandedHelpers, depth, visit) {
+        if (depth >= 2)
+            return;
+        const internalName = this.internalCallName(call);
+        if (!internalName || expandedHelpers.has(internalName))
+            return;
+        const helper = this.contractFunctions.get(internalName);
+        if (!helper?.body || !INTERNAL_VISIBILITIES.has(String(helper.visibility || '').toLowerCase()))
+            return;
+        if (this.hasInlineAccessControl(helper.body))
+            return;
+        if (this.hasReentrancyGuardBody(helper.body))
+            return;
+        const helperExpanded = new Set(expandedHelpers);
+        helperExpanded.add(internalName);
+        for (const stmt of helper.body.statements || []) {
+            visit(stmt, helperExpanded, depth + 1);
+        }
+    }
+    walkPenpieExecution(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+    }
+    penpieChildren(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions')
+                continue;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation') && /^[+\-*/]?=$/.test(String(node.operator || '')) && (key === 'left' || key === 'leftExpression' || key === 'right' || key === 'rightExpression')) {
+                continue;
+            }
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement') && key === 'initialValue')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+    isPenpieExternalInteraction(call) {
+        const callee = this.unwrapCallOptions(call.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        const method = String(callee.memberName || '').toLowerCase();
+        if (!method)
+            return false;
+        if (PENPIE_IGNORED_EXTERNAL_METHODS.has(method))
+            return false;
+        if (PENPIE_LIBRARY_STYLE_METHODS.test(String(callee.memberName || '')))
+            return false;
+        if (['call', 'delegatecall', 'staticcall'].includes(method))
+            return true;
+        const root = this.memberAccessRoot(callee.expression).toLowerCase();
+        if (root === 'this' || root === 'super' || root === 'abi')
+            return false;
+        return true;
+    }
+    unwrapCallOptions(expr) {
+        if (!expr || typeof expr !== 'object')
+            return expr;
+        if ((0, ast_1.isNode)(expr, 'NameValueExpression'))
+            return this.unwrapCallOptions(expr.expression);
+        if ((0, ast_1.isNode)(expr, 'FunctionCallOptions'))
+            return this.unwrapCallOptions(expr.expression);
+        return expr;
+    }
+    isPenpieAccountingWriteTarget(expr) {
+        const name = this.penpieWriteTargetName(expr);
+        return !!name && PENPIE_ACCOUNTING_NAMES.test(name);
+    }
+    isPenpieRiskyExternalAccountingPair(call) {
+        // The interaction itself must be callback-capable: a low-level
+        // call/delegatecall, or a harvest/claim/reward/callback-style method.
+        // A reward-named write target alone is NOT sufficient — an external
+        // *view* getter (price feed read, pendingReward preview) followed by a
+        // reward write is not a reentrancy vector. Accepting it was the
+        // dominant false-positive shape in benchmark runs.
+        const callee = this.unwrapCallOptions(call.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        const method = String(callee.memberName || '').toLowerCase();
+        if (['call', 'delegatecall'].includes(method))
+            return true;
+        if (/preview|pending|calc|view|read/.test(method))
+            return false;
+        return /harvest|reward|claim|callback/.test(method);
+    }
+    penpieWriteTargetName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        if ((0, ast_1.isNode)(expr, 'IndexAccess'))
+            return this.penpieWriteTargetName(expr.base || expr.baseExpression);
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return String(expr.memberName || '') || this.penpieWriteTargetName(expr.expression);
+        return '';
+    }
+    findZksyncDonationAttack(fn) {
+        if (!fn?.body)
+            return null;
+        const helperNames = this.collectZksyncLiveBalanceHelpers();
+        const thisAliases = this.collectZksyncAddressThisAliases(fn.body);
+        const balanceAliases = this.collectZksyncLiveBalanceAliases(fn.body, thisAliases, helperNames);
+        const ratio = this.findZksyncDonationRatio(fn.body, thisAliases, balanceAliases, helperNames);
+        if (!ratio)
+            return null;
+        // Suppression is per-ratio: only an additive virtual-offset directly on the
+        // numerator/denominator of THIS conversion hardens it. Constructor
+        // dead-share bookkeeping (e.g. `shares[address(0)] = X`) does not, because
+        // donation can still inflate `balanceOf(address(this))` unless the
+        // denominator itself has an additive offset.
+        if (this.zksyncHasVirtualOffset(ratio, thisAliases, balanceAliases, helperNames))
+            return null;
+        const loc = (0, ast_1.tryLoc)(ratio) ?? (0, ast_1.tryLoc)(fn) ?? { line: 1, endLine: 1, column: 0 };
+        return {
+            loc: {
+                line: loc.line || 1,
+                endLine: loc.endLine || loc.line || 1,
+                column: loc.column || 0,
+            },
+        };
+    }
+    collectZksyncLiveBalanceHelpers() {
+        const helpers = new Set();
+        let changed = true;
+        let safety = 0;
+        while (changed && safety < 8) {
+            changed = false;
+            safety += 1;
+            for (const [name, fn] of this.contractFunctions.entries()) {
+                if (helpers.has(name) || !fn?.body)
+                    continue;
+                if (!this.zksyncFunctionReturnsLiveBalance(fn, helpers))
+                    continue;
+                helpers.add(name);
+                changed = true;
+            }
+        }
+        return helpers;
+    }
+    zksyncFunctionReturnsLiveBalance(fn, helperNames) {
+        const thisAliases = this.collectZksyncAddressThisAliases(fn.body);
+        const balanceAliases = this.collectZksyncLiveBalanceAliases(fn.body, thisAliases, helperNames);
+        let returnsLiveBalance = false;
+        this.walk(fn.body, node => {
+            if (returnsLiveBalance || !(0, ast_1.isNode)(node, 'ReturnStatement'))
+                return;
+            if (this.zksyncIsLiveBalanceExpr(node.expression, thisAliases, balanceAliases, helperNames)) {
+                returnsLiveBalance = true;
+            }
+        });
+        return returnsLiveBalance;
+    }
+    collectZksyncAddressThisAliases(body) {
+        const aliases = new Set();
+        let changed = true;
+        let safety = 0;
+        while (changed && safety < 8) {
+            changed = false;
+            safety += 1;
+            this.walk(body, node => {
+                const assignment = this.zksyncAssignmentParts(node);
+                if (!assignment?.init)
+                    return;
+                if (!this.zksyncIsAddressThisExpr(assignment.init, aliases))
+                    return;
+                for (const variable of assignment.variables) {
+                    if (!variable?.name || aliases.has(variable.name))
+                        continue;
+                    aliases.add(variable.name);
+                    changed = true;
+                }
+            });
+        }
+        return aliases;
+    }
+    collectZksyncLiveBalanceAliases(body, thisAliases, helperNames) {
+        const aliases = new Set();
+        let changed = true;
+        let safety = 0;
+        while (changed && safety < 8) {
+            changed = false;
+            safety += 1;
+            this.walk(body, node => {
+                const assignment = this.zksyncAssignmentParts(node);
+                if (!assignment?.init)
+                    return;
+                if (!this.zksyncIsLiveBalanceExpr(assignment.init, thisAliases, aliases, helperNames))
+                    return;
+                for (const variable of assignment.variables) {
+                    if (!variable?.name || aliases.has(variable.name))
+                        continue;
+                    aliases.add(variable.name);
+                    changed = true;
+                }
+            });
+        }
+        return aliases;
+    }
+    findZksyncDonationRatio(body, thisAliases, balanceAliases, helperNames) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (this.zksyncIsUnsafeMulDiv(node, thisAliases, balanceAliases, helperNames)) {
+                found = node;
+                return;
+            }
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            if (String(node.operator || '') !== '/')
+                return;
+            if (!this.zksyncIsLiveBalanceExpr(node.right, thisAliases, balanceAliases, helperNames))
+                return;
+            if (!this.zksyncContainsSupply(node.left))
+                return;
+            if (!this.zksyncContainsAssetInput(node.left))
+                return;
+            found = node;
+        });
+        return found;
+    }
+    zksyncIsUnsafeMulDiv(node, thisAliases, balanceAliases, helperNames) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        const method = (0, ast_1.isNode)(callee, 'MemberAccess') ? String(callee.memberName || '') : (0, ast_1.isNode)(callee, 'Identifier') ? String(callee.name || '') : '';
+        if (method.toLowerCase() !== 'muldiv')
+            return false;
+        const args = node.arguments || [];
+        if (args.length < 3)
+            return false;
+        return this.zksyncContainsAssetInput(args[0]) &&
+            this.zksyncContainsSupply(args[1]) &&
+            this.zksyncIsLiveBalanceExpr(args[2], thisAliases, balanceAliases, helperNames);
+    }
+    zksyncIsLiveBalanceExpr(expr, thisAliases, balanceAliases, helperNames) {
+        const node = this.zksyncUnwrap(expr);
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return balanceAliases.has(String(node.name || ''));
+        if (this.zksyncIsBalanceOfThisCall(node, thisAliases))
+            return true;
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const callee = node.expression;
+            const name = (0, ast_1.isNode)(callee, 'Identifier') ? String(callee.name || '') : '';
+            if (helperNames.has(name))
+                return true;
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && ['+', '-'].includes(String(node.operator || ''))) {
+            return this.zksyncIsLiveBalanceExpr(node.left, thisAliases, balanceAliases, helperNames) ||
+                this.zksyncIsLiveBalanceExpr(node.right, thisAliases, balanceAliases, helperNames);
+        }
+        return false;
+    }
+    zksyncIsBalanceOfThisCall(node, thisAliases) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return false;
+        if (String(callee.memberName || '').toLowerCase() !== 'balanceof')
+            return false;
+        const arg = node.arguments?.[0];
+        return this.zksyncIsAddressThisExpr(arg, thisAliases);
+    }
+    zksyncIsAddressThisExpr(expr, aliases) {
+        const node = this.zksyncUnwrap(expr);
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return node.name === 'this' || aliases.has(String(node.name || ''));
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return false;
+        const callee = node.expression;
+        if (!(0, ast_1.isNode)(callee, 'Identifier') || String(callee.name || '') !== 'address')
+            return false;
+        const args = node.arguments || [];
+        return args.length === 1 && (0, ast_1.isNode)(this.zksyncUnwrap(args[0]), 'Identifier') && this.zksyncUnwrap(args[0]).name === 'this';
+    }
+    zksyncContainsSupply(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'Identifier') && /^_?totalsupply$/i.test(String(node.name || '')))
+                found = true;
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = node.expression;
+                const name = (0, ast_1.isNode)(callee, 'Identifier') ? String(callee.name || '') :
+                    (0, ast_1.isNode)(callee, 'MemberAccess') ? String(callee.memberName || '') : '';
+                if (/^totalsupply$/i.test(name))
+                    found = true;
+            }
+        });
+        return found;
+    }
+    zksyncContainsAssetInput(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found || !(0, ast_1.isNode)(node, 'Identifier'))
+                return;
+            const name = String(node.name || '').toLowerCase();
+            if (name === 'assets' || name === 'assetamount' || name === 'amount')
+                found = true;
+        });
+        return found;
+    }
+    // Virtual-offset hardening is only recognised when the conversion ratio
+    // itself carries an additive offset on the supply term in the numerator OR
+    // on the live-balance term in the denominator. Exponentiation alone
+    // (`10 ** decimals`) does NOT count — generic decimal scaling does not
+    // mitigate donation inflation; only `+ <offset>` adjacent to the ratio's
+    // own supply / live-balance terms does.
+    zksyncHasVirtualOffset(ratio, thisAliases, balanceAliases, helperNames) {
+        if ((0, ast_1.isNode)(ratio, 'BinaryOperation') && String(ratio.operator || '') === '/') {
+            return this.zksyncExprHasAdditiveSupplyOffset(ratio.left) ||
+                this.zksyncExprHasAdditiveLiveBalanceOffset(ratio.right, thisAliases, balanceAliases, helperNames);
+        }
+        if ((0, ast_1.isNode)(ratio, 'FunctionCall')) {
+            const args = ratio.arguments || [];
+            if (args.length >= 3) {
+                return this.zksyncExprHasAdditiveSupplyOffset(args[1]) ||
+                    this.zksyncExprHasAdditiveLiveBalanceOffset(args[2], thisAliases, balanceAliases, helperNames);
+            }
+        }
+        return false;
+    }
+    zksyncExprHasAdditiveSupplyOffset(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation') || String(node.operator || '') !== '+')
+                return;
+            const left = this.zksyncUnwrap(node.left);
+            const right = this.zksyncUnwrap(node.right);
+            if (this.zksyncContainsSupply(left) && this.zksyncIsRecognizedOffset(right)) {
+                found = true;
+                return;
+            }
+            if (this.zksyncContainsSupply(right) && this.zksyncIsRecognizedOffset(left)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    zksyncExprHasAdditiveLiveBalanceOffset(expr, thisAliases, balanceAliases, helperNames) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation') || String(node.operator || '') !== '+')
+                return;
+            const left = this.zksyncUnwrap(node.left);
+            const right = this.zksyncUnwrap(node.right);
+            if (this.zksyncIsLiveBalanceExpr(left, thisAliases, balanceAliases, helperNames) &&
+                this.zksyncIsRecognizedOffset(right)) {
+                found = true;
+                return;
+            }
+            if (this.zksyncIsLiveBalanceExpr(right, thisAliases, balanceAliases, helperNames) &&
+                this.zksyncIsRecognizedOffset(left)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    // The kinds of offset values that count as virtual-share/virtual-asset
+    // hardening when they appear additively next to the ratio's supply or
+    // live-balance term: a non-zero numeric literal, an identifier whose name
+    // signals virtual-share/offset intent, or `_decimalsOffset()` (including
+    // the `10 ** _decimalsOffset()` form, where `**` is recognized *only*
+    // because it expands a `_decimalsOffset()` call into its offset constant).
+    zksyncIsRecognizedOffset(expr) {
+        const node = this.zksyncUnwrap(expr);
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+            return String(node.number ?? node.value ?? '') !== '0';
+        if ((0, ast_1.isNode)(node, 'DecimalNumber'))
+            return String(node.value ?? '') !== '0';
+        if ((0, ast_1.isNode)(node, 'HexNumber')) {
+            const v = String(node.value ?? '').toLowerCase();
+            return v !== '0' && v !== '0x0' && v !== '0x00';
+        }
+        if ((0, ast_1.isNode)(node, 'Identifier')) {
+            const name = String(node.name || '').toLowerCase();
+            return name.includes('virtual') || name.includes('offset');
+        }
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const callee = node.expression;
+            const name = (0, ast_1.isNode)(callee, 'Identifier') ? String(callee.name || '') :
+                (0, ast_1.isNode)(callee, 'MemberAccess') ? String(callee.memberName || '') : '';
+            return name.toLowerCase() === '_decimalsoffset';
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && String(node.operator || '') === '**') {
+            // `**` only counts when it expands a `_decimalsOffset()`-linked term —
+            // bare `10 ** decimals` is generic scaling, not virtual-offset hardening.
+            return this.zksyncContainsDecimalsOffsetCall(node);
+        }
+        return false;
+    }
+    zksyncContainsDecimalsOffsetCall(expr) {
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            const name = (0, ast_1.isNode)(callee, 'Identifier') ? String(callee.name || '') :
+                (0, ast_1.isNode)(callee, 'MemberAccess') ? String(callee.memberName || '') : '';
+            if (name.toLowerCase() === '_decimalsoffset')
+                found = true;
+        });
+        return found;
+    }
+    zksyncAssignmentParts(node) {
+        if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+            return { init: node.initialValue, variables: node.variables || [] };
+        }
+        if (!(0, ast_1.isNode)(node, 'ExpressionStatement'))
+            return null;
+        const expression = node.expression;
+        if (!(0, ast_1.isNode)(expression, 'BinaryOperation') || String(expression.operator || '') !== '=')
+            return null;
+        const left = expression.left || expression.leftExpression;
+        const right = expression.right || expression.rightExpression;
+        if ((0, ast_1.isNode)(left, 'Identifier'))
+            return { init: right, variables: [{ name: left.name }] };
+        return null;
+    }
+    zksyncUnwrap(node) {
+        let current = node;
+        while ((0, ast_1.isNode)(current, 'TupleExpression') && current.components?.length === 1) {
+            current = current.components[0];
+        }
+        return current;
+    }
+    findCellframeLiquidityMigration(fn, fnName) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        if (!/migrat|liquidity/i.test(fnName || ''))
+            return null;
+        const stateMutability = String(fn.stateMutability || '').toLowerCase();
+        if (stateMutability === 'view' || stateMutability === 'pure')
+            return null;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(fn))
+            return null;
+        if (this.hasRecognisedReentrancyGuardModifier(fn))
+            return null;
+        if (this.hasReentrancyGuardBody(body))
+            return null;
+        const paths = this.analyzeCellframeStatements(body.statements || [], [this.emptyCellframePathState()]);
+        for (const path of paths) {
+            if (!path.finding || path.hasGuardBeforeSink)
+                continue;
+            const source = path.finding.source || path.firstSource;
+            if (!source)
+                continue;
+            return this.coinCutAnalysis(source, path.finding.sinkLabel);
+        }
+        return null;
+    }
+    emptyCellframePathState() {
+        return {
+            tainted: new Set(),
+            sourceByName: new Map(),
+            firstSource: null,
+            hasGuardBeforeSink: false,
+            finding: null,
+        };
+    }
+    cloneCellframePathState(state) {
+        return {
+            tainted: new Set(state.tainted),
+            sourceByName: new Map(state.sourceByName),
+            firstSource: state.firstSource,
+            hasGuardBeforeSink: state.hasGuardBeforeSink,
+            finding: state.finding,
+        };
+    }
+    analyzeCellframeStatements(statements, states) {
+        let paths = states;
+        for (const stmt of statements || []) {
+            paths = this.applyCellframeStatement(stmt, paths);
+            if (paths.length > MAX_INFLATE_PATHS)
+                paths = paths.slice(0, MAX_INFLATE_PATHS);
+        }
+        return paths;
+    }
+    applyCellframeStatement(stmt, states) {
+        if (!stmt)
+            return states;
+        if ((0, ast_1.isNode)(stmt, 'Block')) {
+            return this.analyzeCellframeStatements(stmt.statements || [], states);
+        }
+        if ((0, ast_1.isNode)(stmt, 'UncheckedStatement')) {
+            return this.applyCellframeStatement(stmt.block, states);
+        }
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            const trueStmts = this.inflateBranchStatements(stmt.trueBody);
+            const falseStmts = stmt.falseBody ? this.inflateBranchStatements(stmt.falseBody) : null;
+            const out = [];
+            for (const state of states) {
+                out.push(...this.analyzeCellframeStatements(trueStmts, [this.cloneCellframePathState(state)]));
+                if (falseStmts) {
+                    out.push(...this.analyzeCellframeStatements(falseStmts, [this.cloneCellframePathState(state)]));
+                }
+                else {
+                    out.push(this.cloneCellframePathState(state));
+                }
+            }
+            return out;
+        }
+        if ((0, ast_1.isNode)(stmt, 'WhileStatement') || (0, ast_1.isNode)(stmt, 'ForStatement') || (0, ast_1.isNode)(stmt, 'DoWhileStatement')) {
+            return this.analyzeCellframeStatements(this.inflateBranchStatements(stmt.body), states);
+        }
+        return states.map(state => this.applyCellframeLeaf(stmt, this.cloneCellframePathState(state)));
+    }
+    applyCellframeLeaf(stmt, state) {
+        if (state.finding)
+            return state;
+        const rememberSource = (name, node, label) => {
+            if (!name)
+                return;
+            state.tainted.add(name);
+            if (!state.sourceByName.has(name))
+                state.sourceByName.set(name, { node, label });
+            if (!state.firstSource)
+                state.firstSource = { node, label };
+        };
+        const assignment = this.coinCutAssignmentParts(stmt);
+        if (assignment?.init) {
+            const reserveSource = this.cellframeGetReservesSource(assignment.init);
+            if (reserveSource) {
+                for (const variable of assignment.variables) {
+                    if (variable?.name)
+                        rememberSource(variable.name, reserveSource.node, reserveSource.label);
+                }
+            }
+            else {
+                const source = this.cellframeSourceInExpression(assignment.init) ||
+                    this.coinCutTaintSource(assignment.init, state.tainted, state.sourceByName);
+                if (source) {
+                    for (const variable of assignment.variables) {
+                        if (variable?.name)
+                            rememberSource(variable.name, source.node, source.label);
+                    }
+                }
+            }
+        }
+        if ((0, ast_1.isNode)(stmt, 'ExpressionStatement')) {
+            const expr = stmt.expression;
+            if (this.cellframeGuardCall(expr, state.tainted)) {
+                state.hasGuardBeforeSink = true;
+            }
+            const sink = this.cellframeSink(expr, state.tainted, state.sourceByName);
+            if (sink && !state.hasGuardBeforeSink) {
+                state.finding = sink;
+            }
+        }
+        return state;
+    }
+    cellframeGetReservesSource(node) {
+        let found = null;
+        this.walk(node, n => {
+            if (found || !(0, ast_1.isNode)(n, 'FunctionCall'))
+                return;
+            const callee = n.expression;
+            if ((0, ast_1.isNode)(callee, 'MemberAccess') && String(callee.memberName || '') === 'getReserves') {
+                found = { node: n, label: 'getReserves()' };
+            }
+        });
+        return found;
+    }
+    cellframeSourceInExpression(node) {
+        let found = null;
+        this.walk(node, n => {
+            if (found || !(0, ast_1.isNode)(n, 'FunctionCall'))
+                return;
+            const callee = n.expression;
+            if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+                return;
+            const member = String(callee.memberName || '');
+            if (member === 'getReserves') {
+                found = { node: n, label: 'getReserves()' };
+                return;
+            }
+            if (member !== 'balanceOf')
+                return;
+            const arg = n.arguments?.[0];
+            if (!arg)
+                return;
+            const target = this.flattenNames(arg, true).toLowerCase();
+            if (target.includes('pair') || target.includes('pool')) {
+                found = { node: n, label: 'balanceOf(pair)' };
+            }
+        });
+        return found;
+    }
+    cellframeGuardCall(expr, tainted) {
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return false;
+        const callee = expr.expression;
+        if (!(0, ast_1.isNode)(callee, 'Identifier'))
+            return false;
+        if (!['require', 'assert'].includes(String(callee.name || '')))
+            return false;
+        const condition = expr.arguments?.[0];
+        if (!condition)
+            return false;
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, name => {
+            const lower = name.toLowerCase();
+            return lower.includes('owner') || lower.includes('admin') || lower.includes('governance') ||
+                lower.includes('role') || lower.includes('auth') || lower.includes('manager') ||
+                lower.includes('guardian') || lower.includes('operator');
+        })) {
+            return true;
+        }
+        const scopedToLiveState = this.exprUsesNames(condition, tainted) || !!this.cellframeSourceInExpression(condition);
+        if (!scopedToLiveState)
+            return false;
+        const text = this.flattenNames(condition, true);
+        return /min|trusted|deviation|oracle|twap|reference|bound|snapshot|recorded|fixed/i.test(text);
+    }
+    cellframeSink(expr, tainted, sourceByName) {
+        if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+            return null;
+        const callee = this.unwrapCallOptions(expr.expression);
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return null;
+        const method = String(callee.memberName || '').toLowerCase();
+        if (COIN_CUT_VALUE_METHODS.has(method)) {
+            for (const arg of expr.arguments || []) {
+                const source = this.cellframeSourceInExpression(arg) || this.coinCutTaintSource(arg, tainted, sourceByName);
+                if (source || this.exprUsesNames(arg, tainted)) {
+                    return { source, sinkLabel: 'value transfer amount', sinkNode: expr };
+                }
+            }
+            return null;
+        }
+        if (method !== 'addliquidity')
+            return null;
+        const args = Array.isArray(expr.arguments) ? expr.arguments : [];
+        const desiredArgs = [args[2], args[3]].filter(Boolean);
+        if (desiredArgs.length === 0)
+            return null;
+        const hasTaintedDesired = desiredArgs.some(arg => !!this.cellframeSourceInExpression(arg) ||
+            !!this.coinCutTaintSource(arg, tainted, sourceByName) ||
+            this.exprUsesNames(arg, tainted));
+        if (!hasTaintedDesired)
+            return null;
+        if (!this.isZeroLiteral(args[4]) || !this.isZeroLiteral(args[5]))
+            return null;
+        let source = null;
+        for (const arg of desiredArgs) {
+            source = this.cellframeSourceInExpression(arg) || this.coinCutTaintSource(arg, tainted, sourceByName);
+            if (source)
+                break;
+        }
+        return { source, sinkLabel: 'zero-slippage addLiquidity amounts', sinkNode: expr };
+    }
+    findCoinCutPriceManipulation(fn) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        const tainted = new Set();
+        const sourceByName = new Map();
+        let firstSource = null;
+        const rememberSource = (name, node, label) => {
+            if (!name)
+                return;
+            tainted.add(name);
+            if (!sourceByName.has(name))
+                sourceByName.set(name, { node, label });
+            if (!firstSource)
+                firstSource = { node, label };
+        };
+        this.walk(body, node => {
+            const assignment = this.coinCutAssignmentParts(node);
+            if (!assignment)
+                return;
+            const { init, variables } = assignment;
+            if (!init)
+                return;
+            const source = this.coinCutSourceInExpression(init);
+            if (source) {
+                for (const v of variables) {
+                    if (v?.name)
+                        rememberSource(v.name, source.node, source.label);
+                }
+                return;
+            }
+            const taintSource = this.coinCutTaintSource(init, tainted, sourceByName);
+            if (!taintSource)
+                return;
+            for (const v of variables) {
+                if (v?.name)
+                    rememberSource(v.name, taintSource.node, taintSource.label);
+            }
+        });
+        let changed = true;
+        let safety = 0;
+        while (changed && safety < 8) {
+            changed = false;
+            safety += 1;
+            this.walk(body, node => {
+                const assignment = this.coinCutAssignmentParts(node);
+                if (!assignment)
+                    return;
+                const { init, variables } = assignment;
+                if (!init)
+                    return;
+                const source = this.coinCutSourceInExpression(init) || this.coinCutTaintSource(init, tainted, sourceByName);
+                if (!source)
+                    return;
+                for (const v of variables) {
+                    if (!v?.name || tainted.has(v.name))
+                        continue;
+                    rememberSource(v.name, source.node, source.label);
+                    changed = true;
+                }
+            });
+        }
+        if (this.hasCoinCutReferenceGuard(body, tainted))
+            return null;
+        // Simple-sweep exclusion for `address(this)` balance reads: only treat
+        // them as a live-price source if the function body actually does
+        // price arithmetic with the read (split flows like
+        // `bal = balanceOf(address(this)); amt = shares * bal;` qualify).
+        const isSweepOnly = (source) => source.label === 'balanceOf(address(this))' && !this.hasArithmeticOperator(body);
+        const transferSink = this.findCoinCutTransferSink(body, tainted, sourceByName);
+        if (transferSink) {
+            const source = transferSink.source || firstSource;
+            if (!source)
+                return null;
+            if (isSweepOnly(source))
+                return null;
+            return this.coinCutAnalysis(source, 'value transfer amount');
+        }
+        const accountingSink = this.findCoinCutAccountingSink(body, tainted, sourceByName);
+        if (accountingSink) {
+            const source = accountingSink.source || firstSource;
+            if (!source)
+                return null;
+            if (isSweepOnly(source))
+                return null;
+            return this.coinCutAnalysis(source, accountingSink.label);
+        }
+        return null;
+    }
+    findZenterestPriceOutOfDate(fn) {
+        const body = fn?.body;
+        if (!body)
+            return null;
+        if (this.hasRecognisedFreshnessModifier(fn))
+            return null;
+        const tainted = new Set();
+        const freshnessNames = new Set(this.stateVars.filter(looksLikeFreshnessTrackingName));
+        const sourceByName = new Map();
+        let firstSource = null;
+        const rememberSource = (name, node, label) => {
+            if (!name)
+                return;
+            tainted.add(name);
+            if (!sourceByName.has(name))
+                sourceByName.set(name, { node, label });
+            if (!firstSource)
+                firstSource = { node, label };
+        };
+        const propagateAssignments = () => {
+            let changed = false;
+            this.walk(body, node => {
+                const assignment = this.zenterestAssignmentParts(node);
+                if (!assignment)
+                    return;
+                const { init, variables } = assignment;
+                if (!init)
+                    return;
+                const latestRound = this.zenterestLatestRoundDataSource(init);
+                if (latestRound) {
+                    const priceVar = variables[1];
+                    const freshnessVar = variables[3];
+                    if (priceVar?.name && !tainted.has(priceVar.name)) {
+                        rememberSource(priceVar.name, latestRound.node, latestRound.label);
+                        changed = true;
+                    }
+                    if (freshnessVar?.name && !freshnessNames.has(freshnessVar.name)) {
+                        freshnessNames.add(freshnessVar.name);
+                        changed = true;
+                    }
+                    return;
+                }
+                if (this.exprUsesNames(init, freshnessNames)) {
+                    for (const v of variables) {
+                        if (!v?.name || freshnessNames.has(v.name))
+                            continue;
+                        freshnessNames.add(v.name);
+                        changed = true;
+                    }
+                }
+                const source = this.zenterestSourceInExpression(init, tainted, sourceByName);
+                if (!source)
+                    return;
+                for (const v of variables) {
+                    if (!v?.name || tainted.has(v.name))
+                        continue;
+                    rememberSource(v.name, source.node, source.label);
+                    changed = true;
+                }
+            });
+            return changed;
+        };
+        let safety = 0;
+        while (propagateAssignments() && safety < 8)
+            safety += 1;
+        const transferSink = this.findZenterestTransferSink(body, tainted, sourceByName);
+        if (transferSink) {
+            if (this.hasZenterestFreshnessGuard(body, transferSink.sinkNode, freshnessNames))
+                return null;
+            const source = transferSink.source || firstSource;
+            if (!source)
+                return null;
+            return this.zenterestAnalysis(source, 'value transfer amount');
+        }
+        const accountingSink = this.findZenterestAccountingSink(body, tainted, sourceByName);
+        if (accountingSink) {
+            if (this.hasZenterestFreshnessGuard(body, accountingSink.sinkNode, freshnessNames))
+                return null;
+            const source = accountingSink.source || firstSource;
+            if (!source)
+                return null;
+            return this.zenterestAnalysis(source, accountingSink.label);
+        }
+        return null;
+    }
+    hasZenterestFreshnessGuard(body, sinkNode, freshnessNames) {
+        let found = false;
+        let sinkReached = false;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (node === sinkNode) {
+                sinkReached = true;
+            }
+            if (sinkReached)
+                return;
+            if ((0, ast_1.isNode)(node, 'IfStatement') && this.isZenterestFreshnessGuard(node.condition, freshnessNames)) {
+                if (this.haltsExecution(node.trueBody)) {
+                    found = true;
+                }
+            }
+            else if ((0, ast_1.isNode)(node, 'FunctionCall') &&
+                (0, ast_1.isNode)(node.expression, 'Identifier') &&
+                ['require', 'assert'].includes(String(node.expression.name || '')) &&
+                this.isZenterestFreshnessGuard(node, freshnessNames)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    isZenterestFreshnessGuard(condition, freshnessNames) {
+        if ((0, price_rate_1.isFreshnessGuard)(condition))
+            return true;
+        if (freshnessNames.size === 0)
+            return false;
+        if ((0, ast_1.isNode)(condition, 'FunctionCall')) {
+            const callee = condition.expression;
+            if ((0, ast_1.isNode)(callee, 'Identifier') && ['require', 'assert'].includes(String(callee.name || ''))) {
+                const arg = condition.arguments?.[0];
+                return this.isZenterestFreshnessGuard(arg, freshnessNames);
+            }
+        }
+        let hasBlockTimestamp = false;
+        let hasFreshnessName = false;
+        let hasFreshnessMath = false;
+        this.walk(condition, node => {
+            if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+                const root = node.expression;
+                if ((0, ast_1.isNode)(root, 'Identifier') && String(root.name || '') === 'block' && String(node.memberName || '') === 'timestamp') {
+                    hasBlockTimestamp = true;
+                }
+                if (freshnessNames.has(String(node.memberName || '')))
+                    hasFreshnessName = true;
+            }
+            else if ((0, ast_1.isNode)(node, 'Identifier') && freshnessNames.has(String(node.name || ''))) {
+                hasFreshnessName = true;
+            }
+            else if ((0, ast_1.isNode)(node, 'BinaryOperation') && ['+', '-'].includes(String(node.operator || ''))) {
+                hasFreshnessMath = true;
+            }
+        });
+        return hasBlockTimestamp && hasFreshnessName && hasFreshnessMath;
+    }
+    haltsExecution(body) {
+        let halts = false;
+        this.walk(body, node => {
+            if (halts)
+                return;
+            if ((0, ast_1.isNode)(node, 'RevertStatement') || (0, ast_1.isNode)(node, 'ReturnStatement')) {
+                halts = true;
+            }
+            else if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = node.expression;
+                if ((0, ast_1.isNode)(callee, 'Identifier')) {
+                    const name = String(callee.name || '');
+                    if (name === 'revert')
+                        halts = true;
+                    if ((name === 'require' || name === 'assert') && node.arguments?.length > 0) {
+                        const arg = node.arguments[0];
+                        if ((0, ast_1.isNode)(arg, 'BooleanLiteral') && arg.value === false) {
+                            halts = true;
+                        }
+                    }
+                }
+            }
+        });
+        return halts;
+    }
+    zenterestAnalysis(source, sinkLabel) {
+        const loc = (0, ast_1.tryLoc)(source.node) ?? { line: 1, endLine: 1, column: 0 };
+        return {
+            sourceLoc: { line: loc.line || 1, endLine: loc.endLine || loc.line || 1, column: loc.column || 0 },
+            sourceLabel: source.label,
+            sinkLabel,
+        };
+    }
+    zenterestLatestRoundDataSource(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return null;
+        const callee = node.expression;
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return null;
+        if (String(callee.memberName || '') !== 'latestRoundData')
+            return null;
+        return { node, label: 'latestRoundData() answer' };
+    }
+    zenterestSourceInExpression(node, tainted, sourceByName) {
+        let found = null;
+        this.walk(node, n => {
+            if (found)
+                return;
+            const latestRound = this.zenterestLatestRoundDataSource(n);
+            if (latestRound) {
+                found = latestRound;
+                return;
+            }
+            if (!(0, ast_1.isNode)(n, 'Identifier'))
+                return;
+            const name = String(n.name || '');
+            if (tainted.has(name)) {
+                found = sourceByName.get(name) || { node: n, label: name };
+                return;
+            }
+            if (this.stateVars.includes(name) && looksLikeCachedOraclePriceName(name) && this.contractHasFreshnessTrackingVar) {
+                found = { node: n, label: `cached price state '${name}'` };
+            }
+        });
+        return found;
+    }
+    findZenterestTransferSink(body, tainted, sourceByName) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+                return;
+            const method = String(callee.memberName || '').toLowerCase();
+            if (!COIN_CUT_VALUE_METHODS.has(method))
+                return;
+            for (const arg of node.arguments || []) {
+                const source = this.zenterestSourceInExpression(arg, tainted, sourceByName);
+                if (source || this.exprUsesNames(arg, tainted)) {
+                    found = { source, sinkNode: node };
+                    return;
+                }
+            }
+        });
+        return found;
+    }
+    findZenterestAccountingSink(body, tainted, sourceByName) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+                if (!/^[+\-*/]?=$/.test(String(node.operator || '')))
+                    return;
+                const left = node.left || node.leftExpression;
+                const right = node.right || node.rightExpression;
+                if (!this.isAccountingWriteTarget(left))
+                    return;
+                const source = this.zenterestSourceInExpression(right, tainted, sourceByName);
+                if (source || this.exprUsesNames(right, tainted)) {
+                    found = { source, label: 'share or supply accounting update', sinkNode: node };
+                }
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = node.expression;
+                if (!(0, ast_1.isNode)(callee, 'Identifier'))
+                    return;
+                if (!/^(mint|_mint|burn|_burn)$/i.test(String(callee.name || '')))
+                    return;
+                for (const arg of node.arguments || []) {
+                    const source = this.zenterestSourceInExpression(arg, tainted, sourceByName);
+                    if (source || this.exprUsesNames(arg, tainted)) {
+                        found = { source, label: 'mint or burn call', sinkNode: node };
+                        return;
+                    }
+                }
+            }
+        });
+        return found;
+    }
+    zenterestAssignmentParts(node) {
+        if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+            return { init: node.initialValue, variables: node.variables || [] };
+        }
+        if (!(0, ast_1.isNode)(node, 'ExpressionStatement'))
+            return null;
+        const expression = node.expression;
+        if (!(0, ast_1.isNode)(expression, 'BinaryOperation'))
+            return null;
+        if (String(expression.operator || '') !== '=')
+            return null;
+        const left = expression.left || expression.leftExpression;
+        const right = expression.right || expression.rightExpression;
+        if ((0, ast_1.isNode)(left, 'Identifier'))
+            return { init: right, variables: [{ name: left.name }] };
+        if ((0, ast_1.isNode)(left, 'TupleExpression')) {
+            const variables = [];
+            for (const comp of left.components || []) {
+                variables.push(comp && (0, ast_1.isNode)(comp, 'Identifier') ? { name: comp.name } : null);
+            }
+            return { init: right, variables };
+        }
+        return null;
+    }
+    coinCutAssignmentParts(node) {
+        if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+            return { init: node.initialValue, variables: node.variables || [] };
+        }
+        if (!(0, ast_1.isNode)(node, 'ExpressionStatement'))
+            return null;
+        const expression = node.expression;
+        if (!(0, ast_1.isNode)(expression, 'BinaryOperation'))
+            return null;
+        if (String(expression.operator || '') !== '=')
+            return null;
+        const left = expression.left || expression.leftExpression;
+        const right = expression.right || expression.rightExpression;
+        const variables = [];
+        if ((0, ast_1.isNode)(left, 'Identifier')) {
+            variables.push({ name: left.name });
+        }
+        else if ((0, ast_1.isNode)(left, 'TupleExpression')) {
+            // Split tuple assignment, e.g. `(r0, r1,) = pair.getReserves();`.
+            // Blank/null tuple slots are skipped.
+            for (const comp of left.components || []) {
+                if (comp && (0, ast_1.isNode)(comp, 'Identifier'))
+                    variables.push({ name: comp.name });
+            }
+        }
+        else {
+            return null;
+        }
+        return { init: right, variables };
+    }
+    coinCutAnalysis(source, sinkLabel) {
+        const loc = (0, ast_1.tryLoc)(source.node) ?? { line: 1, endLine: 1, column: 0 };
+        return {
+            sourceLoc: { line: loc.line || 1, endLine: loc.endLine || loc.line || 1, column: loc.column || 0 },
+            sourceLabel: source.label,
+            sinkLabel,
+        };
+    }
+    findCoinCutTransferSink(body, tainted, sourceByName) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+                return;
+            const method = String(callee.memberName || '').toLowerCase();
+            if (!COIN_CUT_VALUE_METHODS.has(method))
+                return;
+            for (const arg of node.arguments || []) {
+                const source = this.coinCutSourceInExpression(arg) || this.coinCutTaintSource(arg, tainted, sourceByName);
+                if (source || this.exprUsesNames(arg, tainted)) {
+                    found = { source };
+                    return;
+                }
+            }
+        });
+        return found;
+    }
+    findCoinCutAccountingSink(body, tainted, sourceByName) {
+        let found = null;
+        this.walk(body, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+                if (!/^[+\-*/]?=$/.test(String(node.operator || '')))
+                    return;
+                const left = node.left || node.leftExpression;
+                const right = node.right || node.rightExpression;
+                if (!this.isAccountingWriteTarget(left))
+                    return;
+                const source = this.coinCutSourceInExpression(right) || this.coinCutTaintSource(right, tainted, sourceByName);
+                if (source || this.exprUsesNames(right, tainted)) {
+                    found = { source, label: 'share or supply accounting update' };
+                }
+                return;
+            }
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = node.expression;
+                if (!(0, ast_1.isNode)(callee, 'Identifier'))
+                    return;
+                if (!/^(mint|_mint|burn|_burn)$/i.test(String(callee.name || '')))
+                    return;
+                for (const arg of node.arguments || []) {
+                    const source = this.coinCutSourceInExpression(arg) || this.coinCutTaintSource(arg, tainted, sourceByName);
+                    if (source || this.exprUsesNames(arg, tainted)) {
+                        found = { source, label: 'mint or burn call' };
+                        return;
+                    }
+                }
+            }
+        });
+        return found;
+    }
+    coinCutSourceInExpression(node) {
+        let found = null;
+        this.walk(node, n => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(n, 'FunctionCall'))
+                return;
+            const callee = n.expression;
+            if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+                return;
+            const member = String(callee.memberName || '');
+            if (member === 'getReserves') {
+                found = { node: n, label: 'getReserves()' };
+                return;
+            }
+            if (member !== 'balanceOf')
+                return;
+            const arg = n.arguments?.[0];
+            if (!arg)
+                return;
+            const target = this.flattenNames(arg).toLowerCase();
+            if (target.includes('pair') || target.includes('pool')) {
+                found = { node: n, label: 'balanceOf()' };
+            }
+            else if (target.includes('this')) {
+                // `node` is scoped to the immediate RHS, so arithmetic on a later
+                // line is invisible here. Track the taint and apply the simple-sweep
+                // exclusion at function-body scope in findCoinCutPriceManipulation.
+                found = { node: n, label: 'balanceOf(address(this))' };
+            }
+        });
+        return found;
+    }
+    coinCutTaintSource(node, tainted, sourceByName) {
+        let found = null;
+        this.walk(node, n => {
+            if (found)
+                return;
+            if (!(0, ast_1.isNode)(n, 'Identifier'))
+                return;
+            const name = String(n.name || '');
+            if (!tainted.has(name))
+                return;
+            found = sourceByName.get(name) || { node: n, label: name };
+        });
+        return found;
+    }
+    exprUsesNames(node, names) {
+        let found = false;
+        this.walk(node, n => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(n, 'Identifier') && names.has(String(n.name || '')))
+                found = true;
+        });
+        return found;
+    }
+    hasCoinCutReferenceGuard(body, tainted) {
+        // Only recognise guards at the top level of the function body.  A
+        // require/assert or if-revert that is a direct child of the block
+        // dominates all subsequent code.  A guard nested inside a conditional
+        // branch (e.g. `if (check) { require(spot <= trustedRate); }`) does
+        // NOT dominate the sink on every execution path and must not suppress
+        // the finding.
+        if (!body)
+            return false;
+        const stmts = body.statements || body.body || [];
+        for (const stmt of stmts) {
+            // Top-level require/assert
+            if ((0, ast_1.isNode)(stmt, 'ExpressionStatement')) {
+                const expr = stmt.expression;
+                if ((0, ast_1.isNode)(expr, 'FunctionCall')) {
+                    const callee = expr.expression;
+                    if ((0, ast_1.isNode)(callee, 'Identifier') && ['require', 'assert'].includes(String(callee.name || ''))) {
+                        const cond = expr.arguments?.[0];
+                        if (cond && this.coinCutReferenceConditionIsGuard(cond, tainted))
+                            return true;
+                    }
+                }
+            }
+            // Top-level if-revert
+            if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+                if (this.coinCutBranchContainsRevert(stmt.trueBody) || this.coinCutBranchContainsRevert(stmt.falseBody)) {
+                    const cond = stmt.condition;
+                    if (cond && this.coinCutReferenceConditionIsGuard(cond, tainted))
+                        return true;
+                }
+            }
+        }
+        return false;
+    }
+    coinCutReferenceConditionIsGuard(cond, tainted) {
+        // Decide guard semantics from identifier/member names only — a revert
+        // string literal alone (e.g. "limit") is not proof of a reference check.
+        const text = this.flattenNames(cond, true);
+        if (!COIN_CUT_REFERENCE_NAMES.test(text))
+            return false;
+        if (tainted !== undefined) {
+            const scopedToLivePrice = (tainted.size > 0 && this.exprUsesNames(cond, tainted)) || !!this.coinCutSourceInExpression(cond);
+            if (!scopedToLivePrice)
+                return false;
+        }
+        return true;
+    }
+    coinCutBranchContainsRevert(branch) {
+        let found = false;
+        this.walk(branch, node => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(node, 'RevertStatement')) {
+                found = true;
+                return;
+            }
+            if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+                return;
+            const callee = node.expression;
+            if ((0, ast_1.isNode)(callee, 'Identifier') && String(callee.name || '') === 'revert')
+                found = true;
+        });
+        return found;
+    }
+    isAccountingWriteTarget(node) {
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'IndexAccess'))
+            return COIN_CUT_ACCOUNTING_NAMES.test(this.flattenNames(node.base || node.baseExpression));
+        if ((0, ast_1.isNode)(node, 'MemberAccess'))
+            return COIN_CUT_ACCOUNTING_NAMES.test(String(node.memberName || ''));
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return COIN_CUT_ACCOUNTING_NAMES.test(String(node.name || ''));
+        return false;
+    }
+    flattenNames(node, skipStrings = false) {
+        const names = [];
+        this.walk(node, n => {
+            if ((0, ast_1.isNode)(n, 'Identifier') && n.name)
+                names.push(String(n.name));
+            else if ((0, ast_1.isNode)(n, 'MemberAccess') && n.memberName)
+                names.push(String(n.memberName));
+            else if (!skipStrings && (0, ast_1.isNode)(n, 'StringLiteral') && n.value)
+                names.push(String(n.value));
+        });
+        return names.join(' ');
+    }
+    hasArithmeticOperator(node) {
+        let found = false;
+        this.walk(node, n => {
+            if (found)
+                return;
+            if ((0, ast_1.isNode)(n, 'BinaryOperation') && ['*', '/'].includes(String(n.operator || '')))
+                found = true;
+        });
+        return found;
+    }
+    findV3MigratorBiswapPattern(fnNode) {
+        const body = fnNode.body;
+        if (!body)
+            return false;
+        let hasTransferFrom = false;
+        let hasBurn = false;
+        let mintCall = null;
+        this.walk(body, node => {
+            if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+                const callee = this.unwrapCallOptions(node.expression);
+                const member = this.extractV3MigratorMethodName(callee);
+                if (member === 'transferFrom')
+                    hasTransferFrom = true;
+                if (member === 'burn')
+                    hasBurn = true;
+                if (member === 'mint')
+                    mintCall = node;
+            }
+        });
+        if (!hasTransferFrom || !hasBurn || !mintCall)
+            return false;
+        const mintMinReferences = this.extractV3MigratorMintMinReferences(mintCall);
+        const checkedTokens = new Set();
+        let hasSlippageValidation = false;
+        this.walk(body, node => {
+            if ((0, ast_1.isNode)(node, 'FunctionCall') && (0, ast_1.isNode)(node.expression, 'Identifier')) {
+                const name = String(node.expression.name || '');
+                if (name === 'require' || name === 'assert') {
+                    const condition = node.arguments?.[0];
+                    for (const token of this.extractV3MigratorPairTokenChecks(condition))
+                        checkedTokens.add(token);
+                    if (this.hasV3MigratorSlippageCheck(condition, mintMinReferences))
+                        hasSlippageValidation = true;
+                }
+            }
+        });
+        const hasValidation = hasSlippageValidation || (checkedTokens.has('token0') && checkedTokens.has('token1'));
+        if (hasValidation)
+            return false;
+        return true;
+    }
+    extractV3MigratorMintMinReferences(mintCall) {
+        const references = new Set();
+        const args = Array.isArray(mintCall?.arguments) ? mintCall.arguments : [];
+        args.forEach((arg, index) => {
+            const fieldName = this.extractV3MigratorNameValueName(arg);
+            const expression = fieldName ? (arg.expression || arg.value || arg) : arg;
+            const fieldLower = fieldName.toLowerCase();
+            if (this.isV3MigratorMinOutputName(fieldLower) || index === 4 || index === 5) {
+                this.collectV3MigratorReferenceNames(expression, references);
+            }
+            this.walk(arg, child => {
+                const childField = this.extractV3MigratorNameValueName(child);
+                if (!childField || !this.isV3MigratorMinOutputName(childField.toLowerCase()))
+                    return;
+                this.collectV3MigratorReferenceNames(child.expression || child.value || child, references);
+            });
+        });
+        return references;
+    }
+    extractV3MigratorPairTokenChecks(condition) {
+        const checked = new Set();
+        this.walk(condition, node => {
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation') || String(node.operator || '') !== '==')
+                return;
+            const leftToken = this.v3MigratorPairTokenMethod(node.left);
+            const rightToken = this.v3MigratorPairTokenMethod(node.right);
+            if (leftToken && this.v3MigratorReferencesTokenName(node.right, leftToken))
+                checked.add(leftToken);
+            if (rightToken && this.v3MigratorReferencesTokenName(node.left, rightToken))
+                checked.add(rightToken);
+        });
+        return checked;
+    }
+    hasV3MigratorSlippageCheck(condition, mintMinReferences) {
+        if (mintMinReferences.size === 0)
+            return false;
+        let amount0Checked = false;
+        let amount1Checked = false;
+        this.walk(condition, node => {
+            if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+                return;
+            const operator = String(node.operator || '');
+            if (!['>', '>=', '!=', '<', '<=', '=='].includes(operator))
+                return;
+            const leftRef = this.v3MigratorMinReferenceSide(node.left, mintMinReferences);
+            const rightRef = this.v3MigratorMinReferenceSide(node.right, mintMinReferences);
+            if (leftRef && (this.isV3MigratorNonZeroCheck(operator, 'left', node.right) || this.v3MigratorLooksLikeBurnAmount(node.right))) {
+                if (leftRef === 'amount0')
+                    amount0Checked = true;
+                if (leftRef === 'amount1')
+                    amount1Checked = true;
+            }
+            if (rightRef && (this.isV3MigratorNonZeroCheck(operator, 'right', node.left) || this.v3MigratorLooksLikeBurnAmount(node.left))) {
+                if (rightRef === 'amount0')
+                    amount0Checked = true;
+                if (rightRef === 'amount1')
+                    amount1Checked = true;
+            }
+        });
+        return amount0Checked && amount1Checked;
+    }
+    v3MigratorMinReferenceSide(node, mintMinReferences) {
+        let side = null;
+        this.walk(node, child => {
+            if (side)
+                return;
+            const name = this.v3MigratorReferenceName(child);
+            if (!name || !mintMinReferences.has(name))
+                return;
+            if (name.includes('amount0') || name.includes('0min') || name.includes('min0'))
+                side = 'amount0';
+            else if (name.includes('amount1') || name.includes('1min') || name.includes('min1'))
+                side = 'amount1';
+        });
+        return side;
+    }
+    collectV3MigratorReferenceNames(node, out) {
+        this.walk(node, child => {
+            const name = this.v3MigratorReferenceName(child);
+            if (name)
+                out.add(name);
+        });
+    }
+    v3MigratorReferenceName(node) {
+        if ((0, ast_1.isNode)(node, 'Identifier'))
+            return String(node.name || '').toLowerCase();
+        if ((0, ast_1.isNode)(node, 'MemberAccess'))
+            return String(node.memberName || '').toLowerCase();
+        return '';
+    }
+    extractV3MigratorNameValueName(node) {
+        if (!(0, ast_1.isNode)(node, 'NameValueExpression'))
+            return '';
+        const name = node.name || node.key || node.argumentName;
+        if (typeof name === 'string')
+            return name;
+        if (name && typeof name === 'object')
+            return String(name.name || name.memberName || '');
+        return '';
+    }
+    isV3MigratorMinOutputName(name) {
+        return /amount[01]min|minamount[01]|amountoutmin|minout/.test(name);
+    }
+    v3MigratorPairTokenMethod(node) {
+        let token = null;
+        this.walk(node, child => {
+            if (token || !(0, ast_1.isNode)(child, 'FunctionCall'))
+                return;
+            const method = this.extractV3MigratorMethodName(child.expression);
+            if (method === 'token0' || method === 'token1')
+                token = method;
+        });
+        return token;
+    }
+    v3MigratorReferencesTokenName(node, token) {
+        let found = false;
+        this.walk(node, child => {
+            if (found)
+                return;
+            const name = this.v3MigratorReferenceName(child);
+            if (name === token)
+                found = true;
+        });
+        return found;
+    }
+    v3MigratorLooksLikeBurnAmount(node) {
+        let found = false;
+        this.walk(node, child => {
+            if (found)
+                return;
+            const name = this.v3MigratorReferenceName(child);
+            if (/^amount[01]$|burn/.test(name))
+                found = true;
+        });
+        return found;
+    }
+    isV3MigratorNonZeroCheck(operator, minSide, otherSide) {
+        if (!this.isZeroLiteral(otherSide))
+            return false;
+        if (operator === '!=')
+            return true;
+        return (minSide === 'left' && operator === '>') || (minSide === 'right' && operator === '<');
+    }
+    isZeroLiteral(node) {
+        if (!node)
+            return false;
+        if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+            return String(node.number ?? node.value ?? '') === '0';
+        if ((0, ast_1.isNode)(node, 'DecimalNumber'))
+            return String(node.value ?? '') === '0';
+        return false;
+    }
+    extractV3MigratorMethodName(expr) {
+        if (!expr)
+            return null;
+        if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+            return String(expr.memberName || '');
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return String(expr.name || '');
+        return null;
+    }
+}
+exports.LogicFlawDetector = LogicFlawDetector;
+//# sourceMappingURL=logic-flaw.js.map