@snovon/solast 0.2.0

package/dist/detectors/mev-sandwich-vulnerability.js

@@ -0,0 +1,648 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MevSandwichVulnerabilityDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'mev-sandwich-vulnerability';
+const ZERO_MIN_PATTERN = `${RULE_ID}/zero-minimum-output`;
+const MAX_DEADLINE_PATTERN = `${RULE_ID}/unbounded-deadline`;
+const STATE_READ_PATTERN = `${RULE_ID}/preceding-state-read`;
+const DEX_SIGNATURES = {
+    swapExactTokensForTokens: { minOutIndex: 1, deadlineIndex: 4 },
+    swapExactETHForTokens: { minOutIndex: 0, deadlineIndex: 3 },
+    swapExactTokensForETH: { minOutIndex: 1, deadlineIndex: 4 },
+    swapExactTokensForTokensSupportingFeeOnTransferTokens: { minOutIndex: 1, deadlineIndex: 4 },
+    swapExactETHForTokensSupportingFeeOnTransferTokens: { minOutIndex: 0, deadlineIndex: 3 },
+    swapExactTokensForETHSupportingFeeOnTransferTokens: { minOutIndex: 1, deadlineIndex: 4 },
+    exactInputSingle: {
+        isStructMinout: true,
+        structMinoutIndex: 6,
+        structDeadlineIndex: 4,
+        deadlineIndex: -1, // signal that deadline extraction is struct-based
+    },
+    exactInput: {
+        isStructMinout: true,
+        structMinoutIndex: 4,
+        structDeadlineIndex: 2, // v3 ExactInputParams: {bytes path, address recipient, uint deadline, uint amountIn, uint amountOutMinimum}
+        deadlineIndex: -1,
+    },
+    exchange: { minOutIndex: 3 },
+    exchange_underlying: { minOutIndex: 3 },
+};
+const STATE_READ_METHODS = new Set(['getreserves', 'balanceof', 'slot0', 'getpoolstate']);
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>=']);
+const MINOUT_NAMED = ['amountoutmin', 'amountoutminimum', 'minout', 'minreturn', 'minimumamountout'];
+const DEADLINE_NAMED = ['deadline'];
+class MevSandwichVulnerabilityDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    currentContract = '';
+    contractStack = [];
+    fn = null;
+    blockStack = [];
+    callContexts = new WeakMap();
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.contractStack = [];
+        this.fn = null;
+        this.blockStack = [];
+        this.callContexts = new WeakMap();
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push(this.currentContract);
+        this.currentContract = String(node?.name || '<anonymous>');
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = this.contractStack.pop() || '';
+    }
+    FunctionDefinition(node) {
+        if (!node?.body)
+            return;
+        this.fn = {
+            node,
+            name: fnDisplayName(node),
+            zeroValues: new Set(),
+            maxValues: new Set(),
+        };
+    }
+    FunctionDefinition_post(_node) {
+        this.fn = null;
+    }
+    Block(node) {
+        if (!this.fn)
+            return;
+        const statements = Array.isArray(node?.statements) ? node.statements : [];
+        this.blockStack.push({ lastStateRead: false });
+        // Process the current block in statement order for local constants and
+        // immediate state-read-to-swap adjacency.
+        for (const stmt of statements) {
+            trackResolvedLocals(stmt, this.fn);
+            this.processStateReadStatement(stmt);
+        }
+    }
+    Block_post(_node) {
+        this.blockStack.pop();
+    }
+    FunctionCall(node) {
+        if (!this.fn)
+            return;
+        // Track local variable assignments within this call's expression context
+        // (e.g., variables declared inside the call itself)
+        trackResolvedLocalsContaining(node, this.fn);
+        const callee = unwrapCallee(node?.expression);
+        const methodLower = String((0, ast_1.isNode)(callee, 'MemberAccess') ? callee.memberName || ''
+            : (0, ast_1.isNode)(callee, 'Identifier') ? callee.name || ''
+                : '').toLowerCase();
+        if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+            return;
+        if (STATE_READ_METHODS.has(methodLower))
+            return;
+        // Check if this is a known DEX swap method
+        const method = String(callee.memberName || '');
+        const sig = DEX_SIGNATURES[method];
+        if (!sig)
+            return;
+        // --- DEX swap call detected — check signals ---
+        const ctx = this.callContexts.get(node) || this.fn;
+        const loc = locOf(node, this.fn.node);
+        // Signal 1: Zero/minimum output
+        if (checkZeroMinout(node, sig, ctx)) {
+            this.emitFinding(ZERO_MIN_PATTERN, loc, `MEV sandwich vulnerability in '${this.currentContract}.${this.fn.name}': DEX swap with zero or missing minimum output exposes the transaction to sandwich attacks.`);
+        }
+        // Signal 2: Unbounded deadline
+        if (checkMaxDeadline(node, sig, ctx)) {
+            this.emitFinding(MAX_DEADLINE_PATTERN, loc, `MEV sandwich vulnerability in '${this.currentContract}.${this.fn.name}': DEX swap uses an unbounded deadline (type(uint256).max), allowing builders to hold the transaction indefinitely.`);
+        }
+    }
+    processStateReadStatement(stmt) {
+        if (!this.fn || this.blockStack.length === 0)
+            return;
+        const block = this.blockStack[this.blockStack.length - 1];
+        const calls = getStatementFunctionCalls(stmt);
+        const swapCalls = calls.filter(isDexSwapCall);
+        for (const swapCall of swapCalls) {
+            this.callContexts.set(swapCall, cloneFnCtx(this.fn));
+        }
+        if (swapCalls.length > 0) {
+            if (block.lastStateRead) {
+                const loc = locOf(swapCalls[0], this.fn.node);
+                this.emitFinding(STATE_READ_PATTERN, loc, `MEV sandwich vulnerability in '${this.currentContract}.${this.fn.name}': a pool state read immediately precedes a DEX swap without intervening validation, leaking trade intent before execution.`);
+            }
+            block.lastStateRead = false;
+            return;
+        }
+        if (calls.some(isStateReadCall)) {
+            block.lastStateRead = true;
+            return;
+        }
+        if (isValidatorStatementCall(calls))
+            return;
+        block.lastStateRead = false;
+    }
+    emitFinding(pattern, loc, message) {
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            function: this.fn?.name || '',
+            line: loc.line,
+            column: loc.column,
+            endLine: loc.line,
+            pattern,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'medium',
+            message,
+            rationale: RATIONALE[pattern] || '',
+            suggestedFix: FIXES[pattern] || '',
+            contractName: this.currentContract,
+            functionName: this.fn?.name || '',
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+}
+exports.MevSandwichVulnerabilityDetector = MevSandwichVulnerabilityDetector;
+function cloneFnCtx(ctx) {
+    return {
+        node: ctx.node,
+        name: ctx.name,
+        zeroValues: new Set(ctx.zeroValues),
+        maxValues: new Set(ctx.maxValues),
+    };
+}
+const _mevSandwichProto = MevSandwichVulnerabilityDetector.prototype;
+_mevSandwichProto['ContractDefinition:exit'] = _mevSandwichProto.ContractDefinition_post;
+_mevSandwichProto['FunctionDefinition:exit'] = _mevSandwichProto.FunctionDefinition_post;
+_mevSandwichProto['Block:exit'] = _mevSandwichProto.Block_post;
+// --- Signal check helpers ---
+function checkZeroMinout(call, sig, ctx) {
+    if (sig.isStructMinout) {
+        return checkV3StructZeroMinout(call, sig, ctx);
+    }
+    if (sig.minOutIndex === undefined)
+        return false;
+    const args = getCallArgs(call);
+    // Check named args first
+    const named = getNamedCallArg(call, MINOUT_NAMED);
+    if (named !== null && isZeroExpr(named, ctx))
+        return true;
+    // Check positional arg
+    const posArg = args[sig.minOutIndex];
+    if (posArg !== undefined && posArg !== null && isZeroExpr(posArg, ctx))
+        return true;
+    // Check if missing (omitted)
+    if (sig.minOutIndex >= args.length)
+        return true;
+    return false;
+}
+function isNamedCall(call) {
+    if (Array.isArray(call?.names) && call.names.length > 0)
+        return true;
+    if (Array.isArray(call?.identifiers) && call.identifiers.length > 0)
+        return true;
+    const rawArgs = getRawCallArgs(call);
+    if (rawArgs.length > 0 && rawArgs.some((arg) => (0, ast_1.isNode)(arg, 'NameValueExpression')))
+        return true;
+    return false;
+}
+function checkV3StructZeroMinout(call, sig, ctx) {
+    const args = getCallArgs(call);
+    const structArg = args[0];
+    if (!structArg)
+        return false;
+    const unwrappedStruct = unwrapCallee(structArg);
+    const isNamed = (0, ast_1.isNode)(unwrappedStruct, 'FunctionCall') && isNamedCall(unwrappedStruct);
+    if (isNamed) {
+        const named = getStructNamedArg(structArg, ['amountoutminimum', 'amountoutmin']);
+        if (named !== null)
+            return isZeroExpr(named, ctx);
+        // If it's a named construction but amountOutMinimum is not present, it's 0 (omitted).
+        return true;
+    }
+    // Positional fallback
+    if (!isRecognizedV3ParamsStructConstructor(structArg, sig))
+        return false;
+    const components = getStructComponents(structArg);
+    if (components !== null) {
+        let minoutIdx = sig.structMinoutIndex;
+        const isV3ExactInputSingle = sig === DEX_SIGNATURES['exactInputSingle'];
+        const isV3ExactInput = sig === DEX_SIGNATURES['exactInput'];
+        if (isV3ExactInputSingle) {
+            if (components.length === 8) {
+                minoutIdx = 6;
+            }
+            else if (components.length === 7) {
+                minoutIdx = 5;
+            }
+            else {
+                return false; // ambiguous
+            }
+        }
+        else if (isV3ExactInput) {
+            if (components.length === 5) {
+                minoutIdx = 4;
+            }
+            else if (components.length === 4) {
+                minoutIdx = 3;
+            }
+            else {
+                return false; // ambiguous
+            }
+        }
+        if (minoutIdx !== undefined && minoutIdx >= 0) {
+            if (components.length > minoutIdx) {
+                const minoutExpr = components[minoutIdx];
+                if (minoutExpr !== undefined && minoutExpr !== null && isZeroExpr(minoutExpr, ctx))
+                    return true;
+            }
+            else {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+function checkMaxDeadline(call, sig, ctx) {
+    let deadlineExpr = null;
+    if (sig.isStructMinout) {
+        const args = getCallArgs(call);
+        const structArg = args[0];
+        if (!structArg)
+            return false;
+        const unwrappedStruct = unwrapCallee(structArg);
+        const isNamed = (0, ast_1.isNode)(unwrappedStruct, 'FunctionCall') && isNamedCall(unwrappedStruct);
+        if (isNamed) {
+            deadlineExpr = getStructNamedArg(structArg, DEADLINE_NAMED);
+            if (deadlineExpr === null)
+                return false; // Not max
+        }
+        else {
+            if (!isRecognizedV3ParamsStructConstructor(structArg, sig))
+                return false;
+            const components = getStructComponents(structArg);
+            if (components !== null) {
+                let deadlineIdx = sig.structDeadlineIndex;
+                const isV3ExactInputSingle = sig === DEX_SIGNATURES['exactInputSingle'];
+                const isV3ExactInput = sig === DEX_SIGNATURES['exactInput'];
+                if (isV3ExactInputSingle) {
+                    if (components.length === 8) {
+                        deadlineIdx = 4;
+                    }
+                    else if (components.length === 7) {
+                        return false; // no deadline
+                    }
+                    else {
+                        return false; // ambiguous
+                    }
+                }
+                else if (isV3ExactInput) {
+                    if (components.length === 5) {
+                        deadlineIdx = 2;
+                    }
+                    else if (components.length === 4) {
+                        return false; // no deadline
+                    }
+                    else {
+                        return false; // ambiguous
+                    }
+                }
+                if (deadlineIdx !== undefined && deadlineIdx >= 0) {
+                    if (components.length > deadlineIdx) {
+                        deadlineExpr = components[deadlineIdx];
+                    }
+                    else {
+                        return true; // missing -> max/unbounded
+                    }
+                }
+            }
+        }
+    }
+    else if (sig.deadlineIndex !== undefined && sig.deadlineIndex >= 0) {
+        const named = getNamedCallArg(call, DEADLINE_NAMED);
+        if (named !== null) {
+            deadlineExpr = named;
+        }
+        else {
+            const isNamed = isNamedCall(call);
+            if (isNamed)
+                return false;
+            const args = getCallArgs(call);
+            if (sig.deadlineIndex < args.length) {
+                deadlineExpr = args[sig.deadlineIndex];
+            }
+            else {
+                return true;
+            }
+        }
+    }
+    if (!deadlineExpr)
+        return false;
+    return isMaxUint256Expr(deadlineExpr, ctx);
+}
+function getStructComponents(arg) {
+    const unwrapped = unwrapCallee(arg);
+    if ((0, ast_1.isNode)(unwrapped, 'TupleExpression')) {
+        return Array.isArray(unwrapped.components) ? unwrapped.components
+            : Array.isArray(unwrapped.elements) ? unwrapped.elements
+                : null;
+    }
+    if ((0, ast_1.isNode)(unwrapped, 'FunctionCall')) {
+        // Struct constructor call: StructName({...}) or StructName(pos1, pos2, ...)
+        return getCallArgs(unwrapped);
+    }
+    return null;
+}
+function isRecognizedV3ParamsStructConstructor(arg, sig) {
+    const unwrapped = unwrapCallee(arg);
+    if (!(0, ast_1.isNode)(unwrapped, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallee(unwrapped.expression);
+    const typeName = nodeName(callee).toLowerCase();
+    if (sig === DEX_SIGNATURES['exactInputSingle'])
+        return typeName === 'exactinputsingleparams';
+    if (sig === DEX_SIGNATURES['exactInput'])
+        return typeName === 'exactinputparams';
+    return false;
+}
+function getStructNamedArg(structArg, names) {
+    const unwrapped = unwrapCallee(structArg);
+    if ((0, ast_1.isNode)(unwrapped, 'FunctionCall')) {
+        return getNamedCallArg(unwrapped, names);
+    }
+    return null;
+}
+function getStatementFunctionCalls(stmt) {
+    const roots = [];
+    if ((0, ast_1.isNode)(stmt, 'ExpressionStatement')) {
+        roots.push(stmt.expression);
+    }
+    else if ((0, ast_1.isNode)(stmt, 'VariableDeclarationStatement')) {
+        roots.push(stmt.initialValue ?? stmt.initialvalue);
+    }
+    else if ((0, ast_1.isNode)(stmt, 'ReturnStatement')) {
+        roots.push(stmt.expression);
+    }
+    else if ((0, ast_1.isNode)(stmt, 'EmitStatement')) {
+        roots.push(stmt.eventCall ?? stmt.expression);
+    }
+    const calls = [];
+    for (const root of roots) {
+        walkAny(root, (child) => {
+            if ((0, ast_1.isNode)(child, 'FunctionCall'))
+                calls.push(child);
+            return false;
+        });
+    }
+    return calls;
+}
+function isStateReadCall(call) {
+    const callee = unwrapCallee(call?.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    return STATE_READ_METHODS.has(String(callee.memberName || '').toLowerCase());
+}
+function isDexSwapCall(call) {
+    const callee = unwrapCallee(call?.expression);
+    return (0, ast_1.isNode)(callee, 'MemberAccess') && DEX_SIGNATURES[String(callee.memberName || '')] !== undefined;
+}
+function isValidatorStatementCall(calls) {
+    return calls.some((call) => {
+        const callee = unwrapCallee(call?.expression);
+        if (!(0, ast_1.isNode)(callee, 'Identifier'))
+            return false;
+        const name = String(callee.name || '').toLowerCase();
+        return name === 'require' || name === 'assert';
+    });
+}
+// --- Expression testing ---
+function isZeroExpr(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'NumberLiteral'))
+        return String(expr.number ?? expr.value ?? '') === '0';
+    if ((0, ast_1.isNode)(expr, 'Literal'))
+        return String(expr.value ?? '') === '0';
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        const name = String(expr.name || '');
+        return ctx.zeroValues.has(name);
+    }
+    return false;
+}
+function isMaxUint256Expr(expr, ctx) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(expr, 'Identifier')) {
+        return ctx.maxValues.has(String(expr.name || ''));
+    }
+    // type(uint256).max  (parser represents uint256 as ElementaryTypeName, not Identifier)
+    if ((0, ast_1.isNode)(expr, 'MemberAccess') && String(expr.memberName || '').toLowerCase() === 'max') {
+        const inner = unwrapCallee(expr.expression);
+        if ((0, ast_1.isNode)(inner, 'FunctionCall')) {
+            const callee = unwrapCallee(inner.expression);
+            if ((0, ast_1.isNode)(callee, 'Identifier') && String(callee.name || '').toLowerCase() === 'type') {
+                const typeArg = getCallArgs(inner)[0];
+                if (typeArg) {
+                    const t = String(typeArg.name || '').toLowerCase();
+                    if (t === 'uint256' || t === 'uint')
+                        return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+// --- AST helpers ---
+function unwrapCallee(expr) {
+    let current = expr;
+    while (current && ((0, ast_1.isNode)(current, 'NameValueExpression') || (0, ast_1.isNode)(current, 'FunctionCallOptions'))) {
+        current = current.expression;
+    }
+    return current;
+}
+function getCallArgs(node) {
+    const raw = Array.isArray(node?.arguments) ? node.arguments : [];
+    return raw.map((arg) => (0, ast_1.isNode)(arg, 'NameValueExpression') ? (arg.expression ?? arg.value ?? null) : arg);
+}
+function getRawCallArgs(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function getNamedCallArg(call, targetNames) {
+    const targets = new Set(targetNames.map(n => n.toLowerCase()));
+    // Check names array on the call
+    const names = (Array.isArray(call?.names) ? call.names : [])
+        .map((n) => String(n.name || n || '').toLowerCase());
+    const args = getCallArgs(call);
+    const idx = names.findIndex((n) => targets.has(n));
+    if (idx >= 0)
+        return args[idx] || null;
+    // Check NameValueExpression raw args
+    for (const rawArg of getRawCallArgs(call)) {
+        if (!(0, ast_1.isNode)(rawArg, 'NameValueExpression'))
+            continue;
+        const argName = nodeName(rawArg.name).toLowerCase();
+        if (targets.has(argName))
+            return rawArg.expression ?? rawArg.value ?? null;
+    }
+    // Check identifiers array
+    const identifiers = Array.isArray(call?.identifiers) ? call.identifiers : [];
+    const argsList = getCallArgs(call);
+    for (let i = 0; i < identifiers.length && i < argsList.length; i++) {
+        const idName = nodeName(identifiers[i]).toLowerCase();
+        if (targets.has(idName))
+            return argsList[i] || null;
+    }
+    return null;
+}
+function nodeName(node) {
+    if (typeof node === 'string')
+        return node;
+    if (!node || typeof node !== 'object')
+        return '';
+    return String(node.name || node.namePath || node.memberName || '');
+}
+// --- Local-variable taint tracking ---
+function trackResolvedLocals(stmt, ctx) {
+    if (!stmt || typeof stmt !== 'object')
+        return;
+    if ((0, ast_1.isNode)(stmt, 'ExpressionStatement')) {
+        trackResolvedLocals(stmt.expression, ctx);
+        return;
+    }
+    if ((0, ast_1.isNode)(stmt, 'VariableDeclarationStatement')) {
+        const init = stmt.initialValue ?? stmt.initialvalue;
+        for (const decl of getVarDecls(stmt)) {
+            const name = String(decl?.name || '');
+            if (!name)
+                continue;
+            if (init && isZeroExpr(init, ctx))
+                ctx.zeroValues.add(name);
+            else
+                ctx.zeroValues.delete(name);
+            if (init && isMaxUint256Expr(init, ctx))
+                ctx.maxValues.add(name);
+            else
+                ctx.maxValues.delete(name);
+        }
+        return;
+    }
+    if (isAssignment(stmt)) {
+        const right = getBinaryRight(stmt);
+        for (const name of collectTargets(getBinaryLeft(stmt))) {
+            if (right && isZeroExpr(right, ctx))
+                ctx.zeroValues.add(name);
+            else
+                ctx.zeroValues.delete(name);
+            if (right && isMaxUint256Expr(right, ctx))
+                ctx.maxValues.add(name);
+            else
+                ctx.maxValues.delete(name);
+        }
+        return;
+    }
+}
+function trackResolvedLocalsContaining(node, ctx) {
+    // Walk the node tree looking for assignments/declarations embedded in
+    // non-statement positions (e.g. inside a struct constructor argument)
+    walkAny(node, (child) => {
+        trackResolvedLocals(child, ctx);
+        return false; // don't short-circuit; visit all children
+    });
+}
+function walkAny(node, visit) {
+    if (!node || typeof node !== 'object')
+        return false;
+    const result = visit(node);
+    if (result === true)
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, visit))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function getVarDecls(stmt) {
+    if (Array.isArray(stmt?.variables))
+        return stmt.variables;
+    if (Array.isArray(stmt?.declarations))
+        return stmt.declarations;
+    return [];
+}
+function isAssignment(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'Assignment'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'BinaryOperation'))
+        return ASSIGN_OPS.has(String(node.operator || ''));
+    return false;
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function collectTargets(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name ? [String(node.name)] : [];
+    if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+        const comps = Array.isArray(node.components) ? node.components
+            : Array.isArray(node.elements) ? node.elements : [];
+        return comps.flatMap(collectTargets);
+    }
+    return [];
+}
+function fnDisplayName(node) {
+    if (node?.isReceiveEther)
+        return '<receive>';
+    if (node?.isFallback)
+        return '<fallback>';
+    if (node?.isConstructor || String(node?.kind || '').toLowerCase() === 'constructor')
+        return '<constructor>';
+    return String(node?.name || '<anonymous>');
+}
+function locOf(node, fallback) {
+    const info = (0, ast_1.tryLoc)(node, fallback);
+    if (info)
+        return { line: info.line || 1, column: info.column };
+    return { line: 1, column: 0 };
+}
+const RATIONALE = {
+    [ZERO_MIN_PATTERN]: 'DEX swap with zero or omitted minimum output lets searchers sandwich or front-run the trade, extracting value at user expense.',
+    [MAX_DEADLINE_PATTERN]: 'An unbounded or type(uint256).max deadline removes time-pressure from the swap, letting miners/builders hold the transaction indefinitely for extraction.',
+    [STATE_READ_PATTERN]: 'Reading pool state immediately before a swap leaks intent to MEV searchers who can observe and front-run the read-then-swap pattern.',
+};
+const FIXES = {
+    [ZERO_MIN_PATTERN]: 'Require a caller-supplied non-zero amountOutMin/minReturn before the swap call.',
+    [MAX_DEADLINE_PATTERN]: 'Use a bounded deadline (e.g. block.timestamp + 300) rather than type(uint256).max.',
+    [STATE_READ_PATTERN]: 'Insert require or validation statements between the pool state read and the swap, or batch state reads and swaps atomically.',
+};
+//# sourceMappingURL=mev-sandwich-vulnerability.js.map

package/dist/detectors/mev-slot-manipulation.d.ts

@@ -0,0 +1,36 @@
+import type { ScanResult } from '../index';
+export declare class MevSlotManipulationDetector {
+    readonly id = "mev-slot-manipulation";
+    readonly patternKey = "mev-slot-manipulation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+    };
+    private currentFile;
+    private currentContract;
+    private contractStack;
+    private currentStateVars;
+    private stateVarStack;
+    private currentConstants;
+    private constantStack;
+    private currentModifiers;
+    private modifierStack;
+    private functionStack;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    Block(node: any): void;
+    private processConditionalStatement;
+    private processGuard;
+    private trackAliases;
+    private processAppliedModifiers;
+    private emitOrUpgrade;
+    private currentFunction;
+}