@snovon/solast 0.2.0

package/dist/detectors/mev-merge-exploit.js

@@ -0,0 +1,397 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MevMergeExploitDetector = void 0;
+const ast_1 = require("./_common/ast");
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'mev-merge-exploit';
+const ASSIGNMENT_OPERATORS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>=']);
+const PRICED_STATE_TOKENS = new Set([
+    'price', 'reserve', 'reserves', 'liquidity', 'pool', 'rate', 'quote', 'amount', 'supply',
+]);
+const SWAP_NAME_TOKENS = new Set([
+    'swap', 'exchange', 'trade', 'settle', 'execute',
+]);
+const SLIPPAGE_GUARD_TOKENS = new Set([
+    'min', 'minimum', 'slippage', 'deadline', 'limit', 'bounds', 'bound', 'max',
+]);
+class MevMergeExploitDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    findings = [];
+    currentContract = '';
+    contractStack = [];
+    stateVars = new Set();
+    fn = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.contractStack = [];
+        this.stateVars = new Set();
+        this.fn = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        const name = String(node?.name || '<anonymous>');
+        this.contractStack.push(this.currentContract);
+        this.currentContract = name;
+        this.stateVars = new Set();
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = this.contractStack.pop() || '';
+        this.stateVars = new Set();
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    StateVariableDeclaration(node) {
+        for (const variable of node?.variables || []) {
+            const name = declarationName(variable);
+            if (name)
+                this.stateVars.add(name);
+        }
+    }
+    FunctionDefinition(node) {
+        const name = functionDisplayName(node);
+        const visibility = String(node?.visibility || '').toLowerCase();
+        const readOnly = isReadOnly(node);
+        const reachable = !!node?.body && !node?.isConstructor && (visibility === 'public' || visibility === 'external');
+        const guardParams = collectGuardParams(node);
+        const locals = new Set(collectParamNames(node));
+        this.fn = {
+            node,
+            name,
+            reachable,
+            readOnly,
+            accessControlled: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+            slippageGuarded: false,
+            swapLike: nameLooksSwapLike(name),
+            pricedStateMutation: false,
+            coinbaseTransferLoc: null,
+            valueLeakLoc: null,
+            envConditionalDepth: 0,
+            guardParams,
+            locals,
+        };
+    }
+    FunctionDefinition_post(_node) {
+        if (!this.fn)
+            return;
+        const state = this.fn;
+        if (state.reachable && !state.readOnly) {
+            if (state.coinbaseTransferLoc && !state.accessControlled) {
+                this.emitFinding(state, 'coinbase-value-transfer', 'high', state.coinbaseTransferLoc, `Unprotected proposer payment in '${this.currentContract}.${state.name}': a public entry point transfers ETH to block.coinbase.`);
+            }
+            if (state.swapLike && state.pricedStateMutation && !state.slippageGuarded) {
+                this.emitFinding(state, 'swap-without-slippage-guard', 'medium', locOf(state.node), `Swap-style public function '${this.currentContract}.${state.name}' mutates priced state without a recognizable slippage or deadline guard.`);
+            }
+            if (state.valueLeakLoc) {
+                this.emitFinding(state, 'basefee-prevrandao-value-leak', 'medium', state.valueLeakLoc, `Block basefee or prevrandao gates value credited to block.coinbase in '${this.currentContract}.${state.name}'.`);
+            }
+        }
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    VariableDeclaration(node) {
+        if (!this.fn)
+            return;
+        const name = declarationName(node);
+        if (name && !node?.isStateVar)
+            this.fn.locals.add(name);
+    }
+    IfStatement(node) {
+        if (!this.fn)
+            return;
+        if (containsBasefeeOrPrevrandao(node?.condition)) {
+            this.fn.envConditionalDepth += 1;
+        }
+    }
+    IfStatement_post(node) {
+        if (!this.fn)
+            return;
+        if (containsBasefeeOrPrevrandao(node?.condition)) {
+            this.fn.envConditionalDepth = Math.max(0, this.fn.envConditionalDepth - 1);
+        }
+    }
+    ['IfStatement:exit'](node) {
+        this.IfStatement_post(node);
+    }
+    FunctionCall(node) {
+        if (!this.fn)
+            return;
+        const callee = unwrapCallOptions(node?.expression);
+        const calleeName = (0, access_control_1.getCalleeNameDefault)(node);
+        if ((calleeName === 'require' || calleeName === 'assert') && node?.arguments?.[0]) {
+            const condition = node.arguments[0];
+            if ((0, access_control_1.requireExpressesAccessControl)(condition, isPrivilegedName)) {
+                this.fn.accessControlled = true;
+            }
+            if (containsAnyIdentifier(condition, this.fn.guardParams)) {
+                this.fn.slippageGuarded = true;
+            }
+        }
+        if (this.fn.reachable && !this.fn.readOnly && isCoinbaseValueTransfer(node, callee)) {
+            this.fn.coinbaseTransferLoc ||= locOf(node, this.fn.node);
+        }
+        if (this.fn.reachable &&
+            !this.fn.readOnly &&
+            this.fn.envConditionalDepth > 0 &&
+            isCoinbaseValueTransfer(node, callee)) {
+            this.fn.valueLeakLoc ||= locOf(node, this.fn.node);
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.fn)
+            return;
+        if (!ASSIGNMENT_OPERATORS.has(String(node?.operator || '')))
+            return;
+        const writtenStateNames = stateNamesInWriteTarget(node?.left, this.stateVars, this.fn.locals);
+        if (writtenStateNames.some(name => isPricedStateName(name))) {
+            this.fn.pricedStateMutation = true;
+            this.fn.swapLike = this.fn.swapLike || writtenStateNames.some(name => nameLooksSwapLike(name));
+        }
+        if (this.fn.reachable &&
+            !this.fn.readOnly &&
+            this.fn.envConditionalDepth > 0 &&
+            writeCreditsCoinbase(node?.left)) {
+            this.fn.valueLeakLoc ||= locOf(node, this.fn.node);
+        }
+    }
+    UnaryOperation(node) {
+        if (!this.fn)
+            return;
+        const op = String(node?.operator || '');
+        if (op !== '++' && op !== '--')
+            return;
+        const writtenStateNames = stateNamesInWriteTarget(node?.subExpression, this.stateVars, this.fn.locals);
+        if (writtenStateNames.some(name => isPricedStateName(name))) {
+            this.fn.pricedStateMutation = true;
+            this.fn.swapLike = this.fn.swapLike || writtenStateNames.some(name => nameLooksSwapLike(name));
+        }
+        if (this.fn.reachable &&
+            !this.fn.readOnly &&
+            this.fn.envConditionalDepth > 0 &&
+            writeCreditsCoinbase(node?.subExpression)) {
+            this.fn.valueLeakLoc ||= locOf(node, this.fn.node);
+        }
+    }
+    emitFinding(state, pattern, severity, loc, message) {
+        const line = loc.line > 0 ? loc.line : locOf(state.node).line;
+        const column = loc.line > 0 ? loc.column : locOf(state.node).column;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            function: state.name,
+            line,
+            column,
+            endLine: line,
+            pattern,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity,
+            message,
+            rationale: rationaleFor(pattern),
+            suggestedFix: fixFor(pattern),
+            contractName: this.currentContract,
+            functionName: state.name,
+            sourceLocation: { line, column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+}
+exports.MevMergeExploitDetector = MevMergeExploitDetector;
+function isPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, { mode: 'word-boundary' });
+}
+function functionDisplayName(node) {
+    if (node?.isReceiveEther)
+        return '<receive>';
+    if (node?.isFallback)
+        return '<fallback>';
+    if (node?.isConstructor || String(node?.kind || '').toLowerCase() === 'constructor')
+        return '<constructor>';
+    return String(node?.name || '<anonymous>');
+}
+function isReadOnly(node) {
+    const mutability = String(node?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function collectParamNames(fn) {
+    const names = [];
+    for (const param of fn?.parameters || []) {
+        const name = declarationName(param);
+        if (name)
+            names.push(name);
+    }
+    return names;
+}
+function collectGuardParams(fn) {
+    const out = new Set();
+    for (const name of collectParamNames(fn)) {
+        if (identifierHasAnyToken(name, SLIPPAGE_GUARD_TOKENS))
+            out.add(name);
+    }
+    return out;
+}
+function declarationName(node) {
+    if (!node)
+        return '';
+    if (typeof node.name === 'string' && node.name)
+        return node.name;
+    if (typeof node.identifier?.name === 'string')
+        return node.identifier.name;
+    return '';
+}
+function locOf(node, fallback) {
+    // tryLoc handles the node-then-fallback ladder; preserve the legacy
+    // `line || 1` floor since this detector emits findings that must
+    // carry SOME positive line number (assertLoc would throw on
+    // double-missing-loc, breaking that contract).
+    const info = (0, ast_1.tryLoc)(node, fallback);
+    if (info)
+        return { line: info.line || 1, column: info.column };
+    return { line: 1, column: 0 };
+}
+function unwrapCallOptions(expr) {
+    if ((0, ast_1.isNode)(expr, 'NameValueExpression') || (0, ast_1.isNode)(expr, 'FunctionCallOptions'))
+        return expr.expression;
+    return expr;
+}
+function isCoinbaseValueTransfer(call, callee) {
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '').toLowerCase();
+    if (member !== 'transfer' && member !== 'send' && member !== 'call')
+        return false;
+    if (member === 'call' && !callHasValueOption(call))
+        return false;
+    return resolvesToBlockCoinbase(callee.expression);
+}
+function callHasValueOption(call) {
+    const expr = call?.expression;
+    if (!(0, ast_1.isNode)(expr, 'NameValueExpression') && !(0, ast_1.isNode)(expr, 'FunctionCallOptions'))
+        return false;
+    const argBlock = expr.arguments;
+    if (Array.isArray(argBlock?.names) && argBlock.names.some((name) => String(name).toLowerCase() === 'value')) {
+        return true;
+    }
+    if (Array.isArray(argBlock?.identifiers) && argBlock.identifiers.some((id) => String(id?.name || '').toLowerCase() === 'value')) {
+        return true;
+    }
+    if (Array.isArray(expr.names) && expr.names.some((name) => String(name).toLowerCase() === 'value'))
+        return true;
+    if (expr.options && !Array.isArray(expr.options) && Object.prototype.hasOwnProperty.call(expr.options, 'value'))
+        return true;
+    return false;
+}
+function resolvesToBlockCoinbase(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isBlockMember(node, 'coinbase'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        const callee = node.expression;
+        if ((0, ast_1.isNode)(callee, 'Identifier') && (callee.name === 'payable' || callee.name === 'address')) {
+            return (node.arguments || []).some(resolvesToBlockCoinbase);
+        }
+    }
+    return false;
+}
+function containsBasefeeOrPrevrandao(node) {
+    return containsNode(node, n => isBlockMember(n, 'basefee') || isBlockMember(n, 'prevrandao'));
+}
+function isBlockMember(node, member) {
+    return ((0, ast_1.isNode)(node, 'MemberAccess') &&
+        String(node.memberName || '') === member &&
+        (0, ast_1.isNode)(node.expression, 'Identifier') &&
+        String(node.expression.name || '') === 'block');
+}
+function containsAnyIdentifier(node, names) {
+    if (names.size === 0)
+        return false;
+    return containsNode(node, n => (0, ast_1.isNode)(n, 'Identifier') && names.has(String(n.name || '')));
+}
+function containsNode(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of Object.values(node)) {
+        if (Array.isArray(child)) {
+            if (child.some(item => containsNode(item, predicate)))
+                return true;
+        }
+        else if (containsNode(child, predicate)) {
+            return true;
+        }
+    }
+    return false;
+}
+function stateNamesInWriteTarget(node, stateVars, locals) {
+    const out = new Set();
+    collectWriteTargetNames(node, out);
+    return [...out].filter(name => stateVars.has(name) && !locals.has(name));
+}
+function collectWriteTargetNames(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if ((0, ast_1.isNode)(node, 'Identifier')) {
+        out.add(String(node.name || ''));
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+        collectWriteTargetNames(node.base || node.baseExpression, out);
+        return;
+    }
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        collectWriteTargetNames(node.expression, out);
+    }
+}
+function writeCreditsCoinbase(node) {
+    return (0, ast_1.isNode)(node, 'IndexAccess') && containsNode(node.index || node.indexExpression, resolvesToBlockCoinbase);
+}
+function nameLooksSwapLike(name) {
+    return identifierHasAnyToken(name, SWAP_NAME_TOKENS);
+}
+function isPricedStateName(name) {
+    return identifierHasAnyToken(name, PRICED_STATE_TOKENS);
+}
+function identifierHasAnyToken(name, tokens) {
+    const lower = String(name || '').toLowerCase();
+    if (!lower)
+        return false;
+    const parts = lower
+        .replace(/([a-z\d])([A-Z])/g, '$1 $2')
+        .split(/[^a-z0-9]+|(?=[A-Z])/)
+        .map(part => part.toLowerCase())
+        .filter(Boolean);
+    if (parts.some(part => tokens.has(part)))
+        return true;
+    return [...tokens].some(token => lower.includes(token));
+}
+function rationaleFor(pattern) {
+    if (pattern === 'coinbase-value-transfer') {
+        return 'Post-Merge block.coinbase is the current proposer fee recipient; unprotected public transfers to it create a direct proposer payment surface.';
+    }
+    if (pattern === 'swap-without-slippage-guard') {
+        return 'Swap-style functions that update reserves or prices without minimum-output or deadline checks expose users to deterministic ordering and sandwich extraction.';
+    }
+    return 'Conditioning proposer credits on block.basefee or block.prevrandao lets consensus-controlled block fields influence who receives value.';
+}
+function fixFor(pattern) {
+    if (pattern === 'coinbase-value-transfer') {
+        return 'Restrict proposer payments to privileged entry points or remove direct block.coinbase value transfers from public paths.';
+    }
+    if (pattern === 'swap-without-slippage-guard') {
+        return 'Require caller-supplied minimum output and expiry/deadline checks before mutating reserve or price state.';
+    }
+    return 'Do not credit block.coinbase based on block.basefee or block.prevrandao branches; use explicit recipients and unbiased randomness or accounting.';
+}
+//# sourceMappingURL=mev-merge-exploit.js.map

package/dist/detectors/mev-sandwich-vulnerability.d.ts

@@ -0,0 +1,24 @@
+import type { ScanResult } from '../index';
+export declare class MevSandwichVulnerabilityDetector {
+    readonly id = "mev-sandwich-vulnerability";
+    readonly patternKey = "mev-sandwich-vulnerability";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private contractStack;
+    private fn;
+    private blockStack;
+    private callContexts;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    Block(node: any): void;
+    Block_post(_node: any): void;
+    FunctionCall(node: any): void;
+    private processStateReadStatement;
+    private emitFinding;
+}