@snovon/solast 0.2.0

package/dist/detectors/manipulation-of-funds.d.ts

@@ -0,0 +1,31 @@
+import type { ScanResult } from '../index';
+export declare class ManipulationOfFundsDetector {
+    readonly id = "manipulation-of-funds";
+    readonly patternKey = "manipulation-of-funds";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private currentContract;
+    private contractStack;
+    private executableContract;
+    private executableStack;
+    private findings;
+    private fn;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    private makeFinding;
+}

package/dist/detectors/manipulation-of-funds.js

@@ -0,0 +1,304 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ManipulationOfFundsDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'manipulation-of-funds';
+const PROVENANCE = 'issue-2546-compounderfinance-manipulation-of-funds';
+const BALANCE_CONSUMING_CALLS = new Set([
+    'add_liquidity',
+    'addliquidity',
+    'deposit',
+    'exchange',
+    'exchange_underlying',
+    'joinpool',
+    'mint',
+    'rebalance',
+    'swap',
+    'transfer',
+    'withdraw',
+]);
+class ManipulationOfFundsDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Public fund movement consumes a live token balance of this contract that can be inflated by direct transfer.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    currentContract = '';
+    contractStack = [];
+    executableContract = true;
+    executableStack = [];
+    findings = [];
+    fn = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.contractStack = [];
+        this.executableContract = true;
+        this.executableStack = [];
+        this.findings = [];
+        this.fn = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push(this.currentContract);
+        this.executableStack.push(this.executableContract);
+        this.currentContract = String(node?.name || '<anonymous>');
+        const kind = String(node?.kind || '').toLowerCase();
+        this.executableContract = kind !== 'interface' && kind !== 'library';
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = this.contractStack.pop() || '';
+        this.executableContract = this.executableStack.pop() ?? true;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        if (!this.executableContract || !node?.body) {
+            this.fn = null;
+            return;
+        }
+        const visibility = String(node?.visibility || '').toLowerCase();
+        const reachable = !node?.isConstructor && (visibility === 'public' || visibility === 'external');
+        const mutability = String(node?.stateMutability || '').toLowerCase();
+        const readOnly = mutability === 'view' || mutability === 'pure';
+        this.fn = {
+            node,
+            name: functionDisplayName(node),
+            reachable,
+            readOnly,
+            accessControlled: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+            addressThisAliases: new Set(),
+            liveBalanceAliases: new Set(),
+            liveBalanceLoc: null,
+            consumingLoc: null,
+        };
+    }
+    FunctionDefinition_post(_node) {
+        if (!this.fn)
+            return;
+        const state = this.fn;
+        if (state.reachable &&
+            !state.readOnly &&
+            !state.accessControlled &&
+            state.liveBalanceLoc &&
+            state.consumingLoc) {
+            this.findings.push(this.makeFinding(state, state.consumingLoc));
+        }
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclarationStatement(node) {
+        if (!this.fn)
+            return;
+        const name = singleDeclaredName(node);
+        if (!name)
+            return;
+        const initialValue = node?.initialValue;
+        if (isAddressThisExpression(initialValue, this.fn.addressThisAliases)) {
+            this.fn.addressThisAliases.add(name);
+            return;
+        }
+        if (isLiveBalanceExpression(initialValue, this.fn.addressThisAliases, this.fn.liveBalanceAliases)) {
+            this.fn.liveBalanceAliases.add(name);
+            this.fn.liveBalanceLoc ||= initialValue;
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.fn)
+            return;
+        if (!isAssignmentOperator(node?.operator))
+            return;
+        const left = node?.left;
+        const right = node?.right;
+        const assignedIdentifier = (0, ast_1.isNode)(left, 'Identifier') ? String(left.name || '') : '';
+        if (assignedIdentifier) {
+            if (isAddressThisExpression(right, this.fn.addressThisAliases)) {
+                this.fn.addressThisAliases.add(assignedIdentifier);
+            }
+            if (isLiveBalanceExpression(right, this.fn.addressThisAliases, this.fn.liveBalanceAliases)) {
+                this.fn.liveBalanceAliases.add(assignedIdentifier);
+                this.fn.liveBalanceLoc ||= right;
+            }
+        }
+        const indexedBase = indexedAssignmentBaseName(left);
+        if (indexedBase && isLiveBalanceExpression(right, this.fn.addressThisAliases, this.fn.liveBalanceAliases)) {
+            this.fn.liveBalanceAliases.add(indexedBase);
+            this.fn.liveBalanceLoc ||= right;
+        }
+    }
+    FunctionCall(node) {
+        if (!this.fn)
+            return;
+        const calleeName = (0, access_control_1.getCalleeNameDefault)(node);
+        const tail = calleeTail(calleeName);
+        if ((tail === 'require' || tail === 'assert') && node?.arguments?.[0]) {
+            if ((0, access_control_1.requireExpressesAccessControl)(node.arguments[0], isPrivilegedName)) {
+                this.fn.accessControlled = true;
+            }
+            return;
+        }
+        if (isLiveBalanceExpression(node, this.fn.addressThisAliases, this.fn.liveBalanceAliases)) {
+            this.fn.liveBalanceLoc ||= node;
+        }
+        if (!this.fn.reachable || this.fn.readOnly || this.fn.consumingLoc)
+            return;
+        if (!isBalanceConsumingCall(node, tail))
+            return;
+        if (!callConsumesLiveBalance(node, this.fn.addressThisAliases, this.fn.liveBalanceAliases))
+            return;
+        this.fn.consumingLoc = node;
+    }
+    makeFinding(state, node) {
+        const loc = (0, ast_1.assertLoc)(node, state.node);
+        const contractName = this.currentContract || '<anonymous>';
+        const functionName = state.name;
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'high',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Manipulable fund accounting in '${contractName}.${functionName}': a public function moves assets using token.balanceOf(address(this)).`,
+            rationale: 'The function consumes this contract live token balance in a deposit, transfer, withdraw, or liquidity action. Attackers can inflate that balance by direct transfer before calling the public action, changing the amount of exchangeable assets used by the strategy.',
+            suggestedFix: 'Use explicit user-supplied or received amounts, internal accounting, or restrict balance-sweeping strategy operations to a trusted keeper/owner path.',
+            contractName,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            provenance: PROVENANCE,
+        };
+    }
+}
+exports.ManipulationOfFundsDetector = ManipulationOfFundsDetector;
+function functionDisplayName(fn) {
+    if (fn?.name)
+        return String(fn.name);
+    if (fn?.isConstructor || String(fn?.kind || '').toLowerCase() === 'constructor')
+        return '<constructor>';
+    if (String(fn?.kind || '').toLowerCase() === 'receive')
+        return '<receive>';
+    return '<fallback>';
+}
+function singleDeclaredName(node) {
+    const variables = node?.variables || node?.declarations || [];
+    if (!Array.isArray(variables) || variables.length !== 1)
+        return '';
+    return String(variables[0]?.name || variables[0]?.identifier?.name || '');
+}
+function indexedAssignmentBaseName(node) {
+    if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+        return '';
+    const base = node.base || node.baseExpression;
+    return (0, ast_1.isNode)(base, 'Identifier') ? String(base.name || '') : '';
+}
+function isAssignmentOperator(op) {
+    return typeof op === 'string' && ['=', '+=', '-=', '*=', '/='].includes(op);
+}
+function isBalanceConsumingCall(node, tail) {
+    if (!BALANCE_CONSUMING_CALLS.has(tail))
+        return false;
+    return (0, ast_1.isNode)(node?.expression, 'MemberAccess');
+}
+function callConsumesLiveBalance(node, addressThisAliases, liveBalanceAliases) {
+    return (node?.arguments || []).some((arg) => isLiveBalanceExpression(arg, addressThisAliases, liveBalanceAliases));
+}
+function isLiveBalanceExpression(expr, addressThisAliases, liveBalanceAliases) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return liveBalanceAliases.has(String(expr.name || ''));
+    if (isBalanceOfThisCall(expr, addressThisAliases))
+        return true;
+    if ((0, ast_1.isNode)(expr, 'TupleExpression')) {
+        return (expr.components || []).some((child) => isLiveBalanceExpression(child, addressThisAliases, liveBalanceAliases));
+    }
+    if ((0, ast_1.isNode)(expr, 'BinaryOperation')) {
+        return isLiveBalanceExpression(expr.left, addressThisAliases, liveBalanceAliases)
+            || isLiveBalanceExpression(expr.right, addressThisAliases, liveBalanceAliases);
+    }
+    if ((0, ast_1.isNode)(expr, 'UnaryOperation')) {
+        return isLiveBalanceExpression(expr.subExpression, addressThisAliases, liveBalanceAliases);
+    }
+    return false;
+}
+function isBalanceOfThisCall(node, addressThisAliases) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    if (String(callee.memberName || '').toLowerCase() !== 'balanceof')
+        return false;
+    const [subject] = node.arguments || [];
+    return isAddressThisExpression(subject, addressThisAliases);
+}
+function isAddressThisExpression(expr, aliases) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        return name === 'this' || aliases.has(name);
+    }
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(expr.expression);
+    if (!(0, ast_1.isNode)(callee, 'Identifier'))
+        return false;
+    const name = String(callee.name || '').toLowerCase();
+    if (name !== 'address' && name !== 'payable')
+        return false;
+    const args = expr.arguments || [];
+    return args.length === 1 && isAddressThisExpression(args[0], aliases);
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while ((0, ast_1.isNode)(cur, 'FunctionCallOptions')) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function calleeTail(name) {
+    const raw = String(name || '').toLowerCase();
+    const parts = raw.split('.').filter(Boolean);
+    return parts[parts.length - 1] || raw;
+}
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: [
+            'admin',
+            'authority',
+            'authorized',
+            'controller',
+            'governance',
+            'governor',
+            'guardian',
+            'keeper',
+            'manager',
+            'operator',
+            'owner',
+            'role',
+            'timelock',
+            'treasury',
+        ],
+        mode: 'word-boundary',
+    });
+}
+//# sourceMappingURL=manipulation-of-funds.js.map

package/dist/detectors/merkl-unsafe-claim-callback.d.ts

@@ -0,0 +1,22 @@
+import type { ScanResult } from '../index';
+export declare class MerklUnsafeClaimCallbackDetector {
+    readonly id = "merkl-unsafe-claim-callback";
+    readonly patternKey = "merkl-unsafe-claim-callback";
+    readonly supportedAstKinds: "parser"[];
+    private findings;
+    private currentContract;
+    private currentFunction;
+    private currentFile;
+    private inClaimFunction;
+    private inTryStatement;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    TryStatement(): void;
+    'TryStatement:exit'(): void;
+    FunctionCall(node: any): void;
+    private getCalledFunctionName;
+}

package/dist/detectors/merkl-unsafe-claim-callback.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MerklUnsafeClaimCallbackDetector = void 0;
+const ast_1 = require("./_common/ast");
+class MerklUnsafeClaimCallbackDetector {
+    id = 'merkl-unsafe-claim-callback';
+    patternKey = this.id;
+    supportedAstKinds = ['parser'];
+    findings = [];
+    currentContract = '';
+    currentFunction = '';
+    currentFile = '';
+    inClaimFunction = 0;
+    inTryStatement = 0;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.currentFunction = '';
+        this.inClaimFunction = 0;
+        this.inTryStatement = 0;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '';
+    }
+    'ContractDefinition:exit'() {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = node.name || '';
+        if (node.name && /claim|distribute/i.test(node.name)) {
+            this.inClaimFunction++;
+        }
+    }
+    'FunctionDefinition:exit'(node) {
+        this.currentFunction = '';
+        if (node.name && /claim|distribute/i.test(node.name)) {
+            this.inClaimFunction--;
+        }
+    }
+    TryStatement() {
+        this.inTryStatement++;
+    }
+    'TryStatement:exit'() {
+        this.inTryStatement--;
+    }
+    FunctionCall(node) {
+        if (this.inClaimFunction === 0 || this.inTryStatement > 0) {
+            return;
+        }
+        const fnName = this.getCalledFunctionName(node.expression);
+        if (fnName === 'onClaim') {
+            const line = node.loc?.start?.line || 0;
+            const endLine = node.loc?.end?.line || line;
+            const column = node.loc?.start?.column || 0;
+            const endColumn = node.loc?.end?.column || column;
+            this.findings.push({
+                file: this.currentFile,
+                contract: this.currentContract,
+                function: this.currentFunction,
+                line,
+                endLine,
+                column,
+                endColumn,
+                pattern: this.id,
+                ruleId: this.id,
+                severity: 'medium',
+                confidence: 'high',
+                message: 'Unsafe onClaim callback in claim/distribution flow without revert isolation.',
+                findingId: '',
+                contractHash: ''
+            });
+        }
+    }
+    getCalledFunctionName(expr) {
+        if (!expr)
+            return null;
+        if ((0, ast_1.isNode)(expr, 'Identifier')) {
+            return expr.name;
+        }
+        if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+            return expr.memberName;
+        }
+        if ((0, ast_1.isNode)(expr, 'NameValueExpression')) {
+            return this.getCalledFunctionName(expr.expression);
+        }
+        return null;
+    }
+}
+exports.MerklUnsafeClaimCallbackDetector = MerklUnsafeClaimCallbackDetector;
+//# sourceMappingURL=merkl-unsafe-claim-callback.js.map

package/dist/detectors/mev-boost-timestamp.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class MevBoostTimestampDetector {
+    readonly id = "mev-boost-timestamp";
+    readonly patternKey = "mev-boost-timestamp";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}