@snovon/solast 0.2.0

package/dist/detectors/mev-slot-manipulation.js

@@ -0,0 +1,691 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MevSlotManipulationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'mev-slot-manipulation';
+const TIMESTAMP_PATTERN = `${RULE_ID}/timestamp-controlled-sensitive-path`;
+const BLOCK_NUMBER_PATTERN = `${RULE_ID}/block-number-deadline-no-slack`;
+const COINBASE_PATTERN = `${RULE_ID}/coinbase-proposer-auth`;
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>=']);
+const MUTATING_UNARY_OPS = new Set(['++', '--', 'delete']);
+const SLACK_NAME_RE = /slack|tolerance|grace|buffer|window|margin|delay/i;
+const TIME_TOLERANCE_NAME_RE = /slack|tolerance|grace|buffer|window|margin|delay|delta|duration|period|cooldown|tenure/i;
+class MevSlotManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Post-Merge MEV-prone block timestamp, block number, or proposer identity assumptions gate sensitive value or state paths.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+    };
+    currentFile = '';
+    currentContract = '';
+    contractStack = [];
+    currentStateVars = new Set();
+    stateVarStack = [];
+    currentConstants = new Set();
+    constantStack = [];
+    currentModifiers = new Map();
+    modifierStack = [];
+    functionStack = [];
+    findings = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.contractStack = [];
+        this.currentStateVars = new Set();
+        this.stateVarStack = [];
+        this.currentConstants = new Set();
+        this.constantStack = [];
+        this.currentModifiers = new Map();
+        this.modifierStack = [];
+        this.functionStack = [];
+        this.findings = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push(this.currentContract);
+        this.stateVarStack.push(this.currentStateVars);
+        this.constantStack.push(this.currentConstants);
+        this.modifierStack.push(this.currentModifiers);
+        this.currentContract = String(node?.name || '<anonymous>');
+        this.currentStateVars = collectStateVariables(node);
+        this.currentConstants = collectConstantNames(node);
+        this.currentModifiers = collectModifierSummaries(node, this.currentStateVars);
+    }
+    'ContractDefinition:exit'() {
+        this.currentContract = this.contractStack.pop() || '';
+        this.currentStateVars = this.stateVarStack.pop() || new Set();
+        this.currentConstants = this.constantStack.pop() || new Set();
+        this.currentModifiers = this.modifierStack.pop() || new Map();
+    }
+    FunctionDefinition(node) {
+        if (!node?.body || isReadOnlyFunction(node))
+            return;
+        const state = {
+            node,
+            name: functionName(node),
+            aliases: new Map(),
+            emitted: null,
+        };
+        this.functionStack.push(state);
+        this.processAppliedModifiers(node, state);
+    }
+    'FunctionDefinition:exit'(node) {
+        const state = this.currentFunction();
+        if (!state || state.node !== node)
+            return;
+        if (state.emitted)
+            this.findings.push(state.emitted);
+        this.functionStack.pop();
+    }
+    Block(node) {
+        const state = this.currentFunction();
+        if (!state)
+            return;
+        const statements = Array.isArray(node?.statements) ? node.statements : [];
+        for (let i = 0; i < statements.length; i++) {
+            const stmt = statements[i];
+            this.processConditionalStatement(stmt, statements.slice(i + 1), state);
+            this.trackAliases(stmt, state);
+        }
+    }
+    processConditionalStatement(stmt, following, state) {
+        const requireCall = statementRequireCall(stmt);
+        if (requireCall) {
+            this.processGuard(requireCall.arguments?.[0], stmt, following, state, requireCall);
+            return;
+        }
+        if ((0, ast_1.isNode)(stmt, 'IfStatement')) {
+            const guarded = [
+                stmt.trueBody,
+                stmt.falseBody,
+            ].filter(Boolean);
+            // When a branch terminates execution (early return / revert), the
+            // statements after the `if` are only reachable when the guard held —
+            // they are guarded code and must be analyzed as such.
+            if (isTerminal(stmt.trueBody) || isTerminal(stmt.falseBody)) {
+                guarded.push(...following);
+            }
+            this.processGuard(stmt.condition, stmt, guarded, state, stmt.condition || stmt);
+            return;
+        }
+        if ((0, ast_1.isNode)(stmt, 'WhileStatement') || (0, ast_1.isNode)(stmt, 'DoWhileStatement')) {
+            this.processGuard(stmt.condition, stmt, [stmt.body].filter(Boolean), state, stmt.condition || stmt);
+            return;
+        }
+        if ((0, ast_1.isNode)(stmt, 'ForStatement')) {
+            this.processGuard(stmt.conditionExpression || stmt.condition, stmt, [stmt.body].filter(Boolean), state, stmt.conditionExpression || stmt);
+        }
+    }
+    processGuard(condition, statement, guardedStatements, state, locNode) {
+        if (!condition)
+            return;
+        const fields = referencedBlockFields(condition, state.aliases);
+        if (fields.size === 0)
+            return;
+        const summary = summarizeSensitiveStatements(guardedStatements, this.currentStateVars);
+        if (!summary.hasStateMutation && !summary.hasValueTransfer)
+            return;
+        if (fields.has('coinbase')) {
+            this.emitOrUpgrade(state, COINBASE_PATTERN, 'high', (0, ast_1.assertLoc)(locNode, state.node), `MEV slot manipulation risk in '${this.currentContract}.${state.name}': block.coinbase is used as proposer-identity authorization for a sensitive state path.`);
+            return;
+        }
+        if (fields.has('number') && isBlockNumberDeadlineWithoutSlack(condition, state.aliases, this.currentConstants)) {
+            this.emitOrUpgrade(state, BLOCK_NUMBER_PATTERN, summary.hasValueTransfer ? 'high' : 'medium', (0, ast_1.assertLoc)(locNode, state.node), `MEV slot manipulation risk in '${this.currentContract}.${state.name}': block.number is used as a strict deadline for a sensitive path without visible slack or tolerance.`);
+            return;
+        }
+        if (fields.has('timestamp')) {
+            if (!summary.hasValueTransfer && containsTimeToleranceName(condition))
+                return;
+            this.emitOrUpgrade(state, TIMESTAMP_PATTERN, summary.hasValueTransfer ? 'high' : 'medium', (0, ast_1.assertLoc)(locNode, state.node), `MEV slot manipulation risk in '${this.currentContract}.${state.name}': block.timestamp controls a sensitive state or value path that can be influenced at slot boundaries.`);
+        }
+    }
+    trackAliases(stmt, state) {
+        updateAliasesFromStatement(stmt, state.aliases);
+    }
+    processAppliedModifiers(node, state) {
+        const modifiers = Array.isArray(node?.modifiers) ? node.modifiers : [];
+        if (modifiers.length === 0)
+            return;
+        const functionSummary = summarizeSensitiveStatements([node.body], this.currentStateVars);
+        for (const modifier of modifiers) {
+            const name = modifierInvocationName(modifier);
+            if (!name)
+                continue;
+            const summary = this.currentModifiers.get(name);
+            if (!summary?.hasCoinbaseGuard)
+                continue;
+            if (!functionSummary.hasStateMutation && !functionSummary.hasValueTransfer && !summary.sensitive.hasStateMutation && !summary.sensitive.hasValueTransfer) {
+                continue;
+            }
+            this.emitOrUpgrade(state, COINBASE_PATTERN, 'high', (0, ast_1.assertLoc)(summary.coinbaseLocNode || modifier, state.node), `MEV slot manipulation risk in '${this.currentContract}.${state.name}': block.coinbase is used as proposer-identity authorization for a sensitive state path.`);
+        }
+    }
+    emitOrUpgrade(state, pattern, severity, loc, message) {
+        if (state.emitted) {
+            if (state.emitted.severity !== 'high' && severity === 'high') {
+                state.emitted.severity = 'high';
+                state.emitted.pattern = pattern;
+                state.emitted.message = message;
+                state.emitted.rationale = rationaleFor(pattern);
+                state.emitted.suggestedFix = fixFor(pattern);
+            }
+            return;
+        }
+        state.emitted = {
+            file: this.currentFile,
+            contract: this.currentContract,
+            function: state.name,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            pattern,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity,
+            message,
+            rationale: rationaleFor(pattern),
+            suggestedFix: fixFor(pattern),
+            contractName: this.currentContract,
+            functionName: state.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    currentFunction() {
+        return this.functionStack[this.functionStack.length - 1];
+    }
+}
+exports.MevSlotManipulationDetector = MevSlotManipulationDetector;
+function collectStateVariables(contract) {
+    const out = new Set();
+    for (const sub of contract?.subNodes || []) {
+        if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+            for (const variable of sub.variables || []) {
+                if (variable?.name)
+                    out.add(variable.name);
+            }
+        }
+        else if (sub?.isStateVar && sub?.name) {
+            out.add(sub.name);
+        }
+    }
+    return out;
+}
+function collectConstantNames(contract) {
+    const out = new Set();
+    for (const sub of contract?.subNodes || []) {
+        if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+            for (const variable of sub.variables || []) {
+                if (variable?.name && (variable.isDeclaredConst || variable.isImmutable)) {
+                    out.add(String(variable.name));
+                }
+            }
+        }
+        else if (sub?.name && (sub.isDeclaredConst || sub.isImmutable)) {
+            out.add(String(sub.name));
+        }
+    }
+    return out;
+}
+function collectModifierSummaries(contract, stateVars) {
+    const summaries = new Map();
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'ModifierDefinition') || !sub?.name)
+            continue;
+        summaries.set(String(sub.name), summarizeModifier(sub, stateVars));
+    }
+    return summaries;
+}
+function summarizeModifier(modifier, stateVars) {
+    const statements = Array.isArray(modifier?.body?.statements) ? modifier.body.statements : [];
+    const aliases = new Map();
+    let coinbaseLocNode = null;
+    for (let i = 0; i < statements.length; i++) {
+        const stmt = statements[i];
+        if (!coinbaseLocNode) {
+            coinbaseLocNode = coinbaseGuardLocNode(stmt, aliases);
+        }
+        updateAliasesFromStatement(stmt, aliases);
+    }
+    return {
+        hasCoinbaseGuard: Boolean(coinbaseLocNode),
+        coinbaseLocNode,
+        sensitive: summarizeSensitiveStatements(statements, stateVars),
+    };
+}
+function coinbaseGuardLocNode(stmt, aliases) {
+    const requireCall = statementRequireCall(stmt);
+    if (requireCall && referencedBlockFields(requireCall.arguments?.[0], aliases).has('coinbase')) {
+        return requireCall;
+    }
+    if (!(0, ast_1.isNode)(stmt, 'IfStatement'))
+        return null;
+    if (!referencedBlockFields(stmt.condition, aliases).has('coinbase'))
+        return null;
+    if (isTerminal(stmt.trueBody) || isTerminal(stmt.falseBody))
+        return stmt.condition || stmt;
+    return null;
+}
+function isReadOnlyFunction(node) {
+    const mutability = String(node?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function functionName(node) {
+    if (node?.name)
+        return String(node.name);
+    if (node?.isConstructor || node?.kind === 'constructor')
+        return '<constructor>';
+    if (node?.isFallback || node?.kind === 'fallback')
+        return '<fallback>';
+    if (node?.kind === 'receive')
+        return '<receive>';
+    return '<anonymous>';
+}
+function statementRequireCall(stmt) {
+    const expr = (0, ast_1.isNode)(stmt, 'ExpressionStatement') ? stmt.expression : stmt;
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return null;
+    const callee = unwrapCallOptions(expr.expression);
+    if (!(0, ast_1.isNode)(callee, 'Identifier'))
+        return null;
+    return callee.name === 'require' || callee.name === 'assert' ? expr : null;
+}
+function summarizeSensitiveStatements(statements, stateVars) {
+    const summary = { hasStateMutation: false, hasValueTransfer: false };
+    for (const stmt of statements) {
+        walk(stmt, node => {
+            if (summary.hasStateMutation && summary.hasValueTransfer)
+                return;
+            if (isValueTransfer(node))
+                summary.hasValueTransfer = true;
+            if (isStateMutation(node, stateVars))
+                summary.hasStateMutation = true;
+        });
+    }
+    return summary;
+}
+function isValueTransfer(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!(0, ast_1.isNode)(callee, 'MemberAccess'))
+        return false;
+    const member = String(callee.memberName || '').toLowerCase();
+    if (member === 'transfer' || member === 'send')
+        return true;
+    if (member !== 'call')
+        return false;
+    return callHasValueOption(node);
+}
+function callHasValueOption(call) {
+    const expr = call?.expression;
+    if (!(0, ast_1.isNode)(expr, 'NameValueExpression') && !(0, ast_1.isNode)(expr, 'FunctionCallOptions'))
+        return false;
+    const names = Array.isArray(expr.names)
+        ? expr.names
+        : Array.isArray(expr.arguments?.names)
+            ? expr.arguments.names
+            : [];
+    if (names.some((name) => nodeName(name).toLowerCase() === 'value'))
+        return true;
+    const options = Array.isArray(expr.options)
+        ? expr.options
+        : Array.isArray(expr.arguments?.arguments)
+            ? expr.arguments.arguments
+            : [];
+    if (options.some((option) => nodeName(option?.name || option?.keyName || option).toLowerCase() === 'value'))
+        return true;
+    if (expr.options && !Array.isArray(expr.options) && Object.prototype.hasOwnProperty.call(expr.options, 'value'))
+        return true;
+    return false;
+}
+function isStateMutation(node, stateVars) {
+    if (isAssignmentLike(node)) {
+        const left = rootIdentifier(node.left);
+        return Boolean(left && stateVars.has(left));
+    }
+    if ((0, ast_1.isNode)(node, 'UnaryOperation') && MUTATING_UNARY_OPS.has(String(node.operator || ''))) {
+        const name = rootIdentifier(node.subExpression);
+        return Boolean(name && stateVars.has(name));
+    }
+    return false;
+}
+function isAssignmentLike(node) {
+    if ((0, ast_1.isNode)(node, 'Assignment'))
+        return true;
+    return (0, ast_1.isNode)(node, 'BinaryOperation') && ASSIGN_OPS.has(String(node.operator || ''));
+}
+function updateAliasesFromStatement(stmt, aliases) {
+    if ((0, ast_1.isNode)(stmt, 'VariableDeclarationStatement')) {
+        const field = singleReferencedBlockField(stmt.initialValue, aliases);
+        if (!field)
+            return;
+        for (const variable of stmt.variables || []) {
+            if (variable?.name)
+                aliases.set(variable.name, field);
+        }
+        return;
+    }
+    if (isAssignmentLike(stmt)) {
+        const field = singleReferencedBlockField(stmt.right, aliases);
+        const leftName = rootIdentifier(stmt.left);
+        if (!leftName)
+            return;
+        if (field)
+            aliases.set(leftName, field);
+        else
+            aliases.delete(leftName);
+        return;
+    }
+    if ((0, ast_1.isNode)(stmt, 'ExpressionStatement') && isAssignmentLike(stmt.expression)) {
+        const field = singleReferencedBlockField(stmt.expression.right, aliases);
+        const leftName = rootIdentifier(stmt.expression.left);
+        if (!leftName)
+            return;
+        if (field)
+            aliases.set(leftName, field);
+        else
+            aliases.delete(leftName);
+    }
+}
+function modifierInvocationName(modifier) {
+    if (!modifier)
+        return '';
+    if (modifier.modifierName) {
+        if (typeof modifier.modifierName === 'string')
+            return modifier.modifierName;
+        if (modifier.modifierName.name)
+            return String(modifier.modifierName.name);
+        if (modifier.modifierName.namePath)
+            return String(modifier.modifierName.namePath);
+    }
+    if (modifier.name) {
+        if (typeof modifier.name === 'string')
+            return modifier.name;
+        if (modifier.name.name)
+            return String(modifier.name.name);
+        if (modifier.name.namePath)
+            return String(modifier.name.namePath);
+    }
+    return '';
+}
+function referencedBlockFields(node, aliases) {
+    const out = new Set();
+    walk(node, child => {
+        const field = blockFieldOf(child, aliases);
+        if (field)
+            out.add(field);
+    });
+    return out;
+}
+function singleReferencedBlockField(node, aliases) {
+    const fields = referencedBlockFields(node, aliases);
+    return fields.size === 1 ? Array.from(fields)[0] : null;
+}
+function blockFieldOf(node, aliases) {
+    if ((0, ast_1.isNode)(node, 'MemberAccess') && (0, ast_1.isNode)(node.expression, 'Identifier') && node.expression.name === 'block') {
+        const member = String(node.memberName || '');
+        if (member === 'timestamp' || member === 'number' || member === 'coinbase')
+            return member;
+    }
+    if ((0, ast_1.isNode)(node, 'Identifier')) {
+        return aliases.get(String(node.name || '')) || null;
+    }
+    return null;
+}
+/**
+ * Terminal statements end the current execution path: an early `return`, a
+ * `throw`, a `revert CustomError()` (`RevertStatement`), a `revert(...)` /
+ * `require(...)` expression statement, an `if`/`else` whose both branches are
+ * themselves terminal, or a block whose last statement is itself terminal.
+ * Used to recognise early-return / early-revert if-guards so that statements
+ * following the `if` are analysed as guarded code.
+ */
+function isTerminal(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'ReturnStatement') || (0, ast_1.isNode)(node, 'ThrowStatement') || (0, ast_1.isNode)(node, 'RevertStatement')) {
+        return true;
+    }
+    if ((0, ast_1.isNode)(node, 'ExpressionStatement')) {
+        return isRevertOrRequireCall(node.expression);
+    }
+    if ((0, ast_1.isNode)(node, 'IfStatement')) {
+        // Reachable past the `if` only if some branch falls through; an `if`
+        // without an `else` always has a fall-through path.
+        return Boolean(node.trueBody) && isTerminal(node.trueBody)
+            && Boolean(node.falseBody) && isTerminal(node.falseBody);
+    }
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        const statements = Array.isArray(node.statements) ? node.statements : [];
+        if (statements.length === 0)
+            return false;
+        return isTerminal(statements[statements.length - 1]);
+    }
+    return false;
+}
+function isRevertOrRequireCall(expr) {
+    if (!(0, ast_1.isNode)(expr, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(expr.expression);
+    if (!(0, ast_1.isNode)(callee, 'Identifier'))
+        return false;
+    return callee.name === 'revert' || callee.name === 'require';
+}
+function isBlockNumberDeadlineWithoutSlack(condition, aliases, constants) {
+    // Structural slack first: an explicit numeric or constant-like offset
+    // around block.number is tolerance even when no variable name hints at it.
+    if (hasBlockNumberStructuralSlack(condition, aliases, constants))
+        return false;
+    // Keyword heuristic kept strictly as a secondary fallback.
+    if (containsSlack(condition))
+        return false;
+    let hasStrictComparison = false;
+    walk(condition, node => {
+        if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return;
+        if (!['<', '<=', '>', '>='].includes(String(node.operator || '')))
+            return;
+        const leftHas = referencedBlockFields(node.left, aliases).has('number');
+        const rightHas = referencedBlockFields(node.right, aliases).has('number');
+        if (leftHas !== rightHas)
+            hasStrictComparison = true;
+    });
+    return hasStrictComparison;
+}
+const ADDITIVE_OPS = new Set(['+', '-']);
+const COMPARISON_OPS = new Set(['<', '<=', '>', '>=']);
+/** A numeric literal or an identifier resolvable to a constant/immutable. */
+function isNumericOrConstantOffset(node, constants) {
+    if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return constants.has(String(node.name || ''));
+    return false;
+}
+/** True when `node` references `block.number` (directly or via an alias). */
+function referencesBlockNumber(node, aliases) {
+    return referencedBlockFields(node, aliases).has('number');
+}
+/** True when `node` contains an additive (`+`/`-`) op with block.number on a side. */
+function containsAdditiveBlockNumber(node, aliases) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if (!(0, ast_1.isNode)(child, 'BinaryOperation') || !ADDITIVE_OPS.has(String(child.operator || '')))
+            return;
+        const leftBn = referencesBlockNumber(child.left, aliases);
+        const rightBn = referencesBlockNumber(child.right, aliases);
+        if (leftBn !== rightBn)
+            found = true;
+    });
+    return found;
+}
+/**
+ * True when `node` is, after unwrapping single-element parentheses, an
+ * additive expression with a numeric-literal or constant/immutable operand —
+ * deadline-side slack such as `deadline + 32` or `deadline - CONFIRMATIONS`.
+ */
+function isAdditiveConstantOffsetExpr(node, constants) {
+    let current = node;
+    while ((0, ast_1.isNode)(current, 'TupleExpression') &&
+        Array.isArray(current.components) &&
+        current.components.length === 1) {
+        current = current.components[0];
+    }
+    if (!(0, ast_1.isNode)(current, 'BinaryOperation') || !ADDITIVE_OPS.has(String(current.operator || ''))) {
+        return false;
+    }
+    return (isNumericOrConstantOffset(current.left, constants) ||
+        isNumericOrConstantOffset(current.right, constants));
+}
+/**
+ * Detect explicit tolerance around a block.number deadline by AST shape:
+ *   (A) an additive offset `block.number ± N` / `N ± block.number` where the
+ *       non-block.number operand is a numeric literal or constant-like id, and
+ *   (B) a comparison whose one operand is a numeric/constant bound and whose
+ *       other operand is an additive expression involving block.number
+ *       (e.g. `deadline - block.number >= N`), and
+ *   (C) a comparison of block.number against a deadline that carries its own
+ *       additive numeric/constant slack (e.g. `block.number <= deadline + N`).
+ * Unresolved identifiers fail safe (treated as non-tolerant).
+ */
+function hasBlockNumberStructuralSlack(condition, aliases, constants) {
+    let tolerant = false;
+    walk(condition, node => {
+        if (tolerant || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return;
+        const op = String(node.operator || '');
+        // (A) block.number ± numeric/constant offset.
+        if (ADDITIVE_OPS.has(op)) {
+            const leftBn = referencesBlockNumber(node.left, aliases);
+            const rightBn = referencesBlockNumber(node.right, aliases);
+            if (leftBn !== rightBn) {
+                const offsetSide = leftBn ? node.right : node.left;
+                if (isNumericOrConstantOffset(offsetSide, constants))
+                    tolerant = true;
+            }
+            return;
+        }
+        // (B) numeric/constant bound compared against an additive block.number delta.
+        if (COMPARISON_OPS.has(op)) {
+            const sides = [node.left, node.right];
+            for (let i = 0; i < 2; i++) {
+                if (isNumericOrConstantOffset(sides[i], constants) &&
+                    containsAdditiveBlockNumber(sides[1 - i], aliases)) {
+                    tolerant = true;
+                }
+            }
+            // (C) block.number compared against a deadline that carries its own
+            //     additive numeric/constant slack (e.g. `block.number <= deadline + N`).
+            const leftBn = referencesBlockNumber(node.left, aliases);
+            const rightBn = referencesBlockNumber(node.right, aliases);
+            if (leftBn !== rightBn) {
+                const deadlineSide = leftBn ? node.right : node.left;
+                if (isAdditiveConstantOffsetExpr(deadlineSide, constants))
+                    tolerant = true;
+            }
+        }
+    });
+    return tolerant;
+}
+function containsSlack(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if ((0, ast_1.isNode)(child, 'Identifier') && SLACK_NAME_RE.test(String(child.name || '')))
+            found = true;
+        if ((0, ast_1.isNode)(child, 'MemberAccess') && SLACK_NAME_RE.test(String(child.memberName || '')))
+            found = true;
+    });
+    return found;
+}
+function containsTimeToleranceName(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if ((0, ast_1.isNode)(child, 'Identifier') && TIME_TOLERANCE_NAME_RE.test(String(child.name || '')))
+            found = true;
+        if ((0, ast_1.isNode)(child, 'MemberAccess') && TIME_TOLERANCE_NAME_RE.test(String(child.memberName || '')))
+            found = true;
+    });
+    return found;
+}
+function rootIdentifier(node) {
+    if (!node)
+        return null;
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '') || null;
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return rootIdentifier(node.base || node.expression);
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return rootIdentifier(node.expression);
+    if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+        for (const component of node.components || []) {
+            const name = rootIdentifier(component);
+            if (name)
+                return name;
+        }
+    }
+    return null;
+}
+function unwrapCallOptions(expr) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'NameValueExpression') || (0, ast_1.isNode)(current, 'FunctionCallOptions')) {
+        current = current.expression;
+    }
+    return current;
+}
+function nodeName(node) {
+    if (!node)
+        return '';
+    if (typeof node === 'string')
+        return node;
+    return String(node.name || node.memberName || '');
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const key of Object.keys(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        const value = node[key];
+        if (Array.isArray(value)) {
+            for (const item of value)
+                walk(item, visit);
+        }
+        else if (value && typeof value === 'object') {
+            walk(value, visit);
+        }
+    }
+}
+function rationaleFor(pattern) {
+    if (pattern === COINBASE_PATTERN) {
+        return 'Post-Merge block.coinbase identifies the current proposer or fee recipient, so using it as authorization lets proposer identity determine privileged state changes.';
+    }
+    if (pattern === BLOCK_NUMBER_PATTERN) {
+        return 'Strict block.number deadlines can be crossed by slot timing or short reorgs and provide no tolerance for proposer/builder timing effects.';
+    }
+    return 'Post-Merge slot timing lets proposers and builders influence whether boundary timestamp checks pass, which is risky when the check gates value movement or state mutation.';
+}
+function fixFor(pattern) {
+    if (pattern === COINBASE_PATTERN) {
+        return 'Use explicit owner, role, signer, or governance authorization instead of block.coinbase proposer identity.';
+    }
+    if (pattern === BLOCK_NUMBER_PATTERN) {
+        return 'Add an explicit slack, grace, or tolerance window and avoid letting a single block boundary decide sensitive state transitions.';
+    }
+    return 'Avoid single-slot timestamp boundaries for sensitive paths; use wider windows, explicit settlement phases, or independent authorization/finality checks.';
+}
+//# sourceMappingURL=mev-slot-manipulation.js.map