@snovon/solast 0.2.0

package/dist/detectors/network-bridge-ronin.js

@@ -0,0 +1,408 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NetworkBridgeRoninDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'network-bridge-ronin';
+const PATTERN = `${RULE_ID}/weak-custody-validation`;
+const SOURCE = 'issue-1099-network-bridge-ronin-pattern';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const BRIDGE_CONTRACT_RE = /(bridge|gateway|ronin|cross.*chain|portal|custodian)/i;
+const RELEASE_FN_RE = /(release|claim|mint|bridge|relay|finaliz|execute.*withdraw|process.*withdraw|withdraw)/i;
+const STRONG_RELEASE_FN_RE = /(release|claim|mint|bridge|relay|finaliz|execute.*withdraw|process.*withdraw)/i;
+const STRONG_BRIDGE_STATE_RE = /(signer|validator|committee|quorum|threshold|root|processed|consumed|receipt|relayer)/i;
+const WEAK_ROLE_STATE_RE = /(operator|owner|admin|guardian|manager|governance)/i;
+const BRIDGE_PARAM_RE = /(receipt|withdrawal|message|nonce|hash|proof|root|sig|signature|validator)/i;
+const CROSS_CHAIN_PARAM_RE = /(sourceChain|srcChainId|dstChainId|destChain|targetChain|fromChain|toChain)/i;
+const REPLAY_RE = /(processed|executed|used|claimed|consumed|receipt|replay|nonce)/i;
+const COLLATERAL_RE = /(locked|collateral|reserve|escrow|liquidity)/i;
+const THRESHOLD_RE = /(threshold|required|min|quorum|approval)/i;
+class NetworkBridgeRoninDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            const contractName = String(contract.name || '<anonymous>');
+            const stateVars = collectStateVariables(contract);
+            const strongBridgeState = hasStrongBridgeState(stateVars);
+            const weakRoleState = hasWeakRoleState(stateVars);
+            for (const fn of contract.subNodes || []) {
+                if (fn?.type !== 'FunctionDefinition')
+                    continue;
+                if (!fn.body || fn.isConstructor || fn.kind === 'constructor')
+                    continue;
+                if (!isExternallyReachable(fn))
+                    continue;
+                const fnName = String(fn.name || '<anonymous>');
+                if (!isBridgeContext(contractName, file, fn, strongBridgeState, weakRoleState))
+                    continue;
+                const state = {
+                    sawSink: false,
+                    sinkLoc: null,
+                    replayCheckBeforeSink: false,
+                    replayWriteBeforeSink: false,
+                    thresholdBeforeSink: false,
+                    validatorBeforeSink: false,
+                    uniquenessBeforeSink: false,
+                    proofBeforeSink: false,
+                    collateralCheckBeforeSink: false,
+                    collateralWriteBeforeSink: false,
+                };
+                walkSourceOrder(fn.body, node => {
+                    if (state.sawSink)
+                        return;
+                    if (node?.type === 'FunctionCall') {
+                        if (isRequireLike(node)) {
+                            const condition = getCallArguments(node)[0];
+                            state.replayCheckBeforeSink = state.replayCheckBeforeSink || isReplayCheck(condition, stateVars);
+                            state.thresholdBeforeSink = state.thresholdBeforeSink || isThresholdCheck(condition);
+                            state.validatorBeforeSink = state.validatorBeforeSink || isValidatorCheck(condition);
+                            state.uniquenessBeforeSink = state.uniquenessBeforeSink || isUniquenessCheck(condition);
+                            state.collateralCheckBeforeSink = state.collateralCheckBeforeSink || isCollateralBoundCheck(condition, stateVars);
+                        }
+                        state.proofBeforeSink = state.proofBeforeSink || isProofVerification(node, stateVars);
+                        if (isAssetSink(node)) {
+                            state.sawSink = true;
+                            state.sinkLoc = locOf(node);
+                            return;
+                        }
+                    }
+                    state.replayWriteBeforeSink = state.replayWriteBeforeSink || isReplayWrite(node, stateVars);
+                    state.validatorBeforeSink = state.validatorBeforeSink || isValidatorCheck(node);
+                    state.uniquenessBeforeSink = state.uniquenessBeforeSink || isUniquenessCheck(node);
+                    state.collateralWriteBeforeSink = state.collateralWriteBeforeSink || isCollateralDebit(node, stateVars);
+                });
+                if (!state.sawSink || !state.sinkLoc)
+                    continue;
+                const hasQuorum = state.replayCheckBeforeSink &&
+                    state.replayWriteBeforeSink &&
+                    state.thresholdBeforeSink &&
+                    state.validatorBeforeSink &&
+                    state.uniquenessBeforeSink;
+                const hasProof = state.replayCheckBeforeSink &&
+                    state.replayWriteBeforeSink &&
+                    state.proofBeforeSink;
+                const hasCollateralBound = state.collateralCheckBeforeSink &&
+                    state.collateralWriteBeforeSink;
+                if (hasQuorum || hasProof || hasCollateralBound)
+                    continue;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: state.sinkLoc.line,
+                    endLine: state.sinkLoc.line,
+                    column: state.sinkLoc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    message: `Bridge custody path '${contractName}.${fnName}' releases or mints assets without a dominating quorum, proof, or locked-collateral bound.`,
+                    rationale: 'Ronin-like bridge failures arise when an externally callable release path can move custody or mint wrapped assets without on-chain validation of validator quorum, source-chain proof, or same-function collateral accounting.',
+                    suggestedFix: 'Require validator membership plus signer uniqueness and threshold, or verify a trusted Merkle/inbound proof, or bound releases by locked collateral before the transfer, mint, or native-value send.',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: state.sinkLoc.line, column: state.sinkLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    source: SOURCE,
+                    provenance: SOURCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.NetworkBridgeRoninDetector = NetworkBridgeRoninDetector;
+function isExternallyReachable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public' || visibility === '';
+}
+function isBridgeContext(contractName, file, fn, strongBridgeState, weakRoleState) {
+    const fnName = String(fn.name || '');
+    if (!RELEASE_FN_RE.test(fnName))
+        return false;
+    if (BRIDGE_CONTRACT_RE.test(contractName))
+        return true;
+    const params = getParameters(fn);
+    const paramNames = params.map(p => String(p?.name || ''));
+    const hasBridgeParams = paramNames.some(n => BRIDGE_PARAM_RE.test(n));
+    const hasCrossChainParams = paramNames.some(n => CROSS_CHAIN_PARAM_RE.test(n));
+    if (hasCrossChainParams)
+        return true;
+    // strongBridgeState (processed/root/signer/validator/threshold/receipt/...) is necessary
+    // but not sufficient: it must co-occur with a bridge-shaped parameter so non-bridge
+    // payment processors, vesting queues, allowlist claims, and vaults aren't classified.
+    if (hasBridgeParams && (strongBridgeState || weakRoleState || STRONG_RELEASE_FN_RE.test(fnName)))
+        return true;
+    return false;
+}
+function collectStateVariables(contract) {
+    const out = new Set();
+    for (const sub of contract.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                out.add(String(variable.name));
+        }
+    }
+    return out;
+}
+function hasStrongBridgeState(stateVars) {
+    for (const name of stateVars) {
+        if (STRONG_BRIDGE_STATE_RE.test(name))
+            return true;
+    }
+    return false;
+}
+function hasWeakRoleState(stateVars) {
+    for (const name of stateVars) {
+        if (WEAK_ROLE_STATE_RE.test(name))
+            return true;
+    }
+    return false;
+}
+function isRequireLike(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    return expr?.type === 'Identifier' && /^(require|assert)$/.test(String(expr.name || ''));
+}
+function isAssetSink(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    if (!expr)
+        return false;
+    if (expr.type === 'Identifier' && /^_?mint$/.test(String(expr.name || '')))
+        return true;
+    if (expr.type !== 'MemberAccess')
+        return false;
+    const member = String(expr.memberName || '');
+    if (/^(transfer|safeTransfer|mint|safeMint)$/.test(member))
+        return true;
+    if (/^(call|send)$/.test(member) && callHasValueOption(call))
+        return true;
+    return false;
+}
+function callHasValueOption(call) {
+    let expr = call?.expression;
+    while (expr) {
+        if (expr.type === 'NameValueExpression') {
+            const names = expr.names || [];
+            if (names.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+            const argNames = expr.arguments?.names || [];
+            if (argNames.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+        }
+        if (expr.type === 'FunctionCallOptions') {
+            const names = expr.names || [];
+            if (names.some((name) => String(name?.name || name || '').toLowerCase() === 'value'))
+                return true;
+        }
+        expr = expr.expression;
+    }
+    return false;
+}
+function isProofVerification(call, stateVars) {
+    const callee = unwrapCallOptions(call?.expression);
+    const name = callee?.type === 'MemberAccess'
+        ? String(callee.memberName || '')
+        : callee?.type === 'Identifier'
+            ? String(callee.name || '')
+            : '';
+    if (!/verify|processProof/i.test(name))
+        return false;
+    const args = getCallArguments(call);
+    return args.some(arg => containsNameLike(arg, /proof/i)) &&
+        args.some(arg => containsNameLike(arg, /root/i) && containsStateVariable(arg, stateVars));
+}
+function isReplayCheck(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'IndexAccess' && isReplayBase(node.base, stateVars))
+        return true;
+    if (node.type === 'UnaryOperation' && String(node.operator || '') === '!' && isReplayCheck(node.subExpression, stateVars))
+        return true;
+    if (node.type === 'BinaryOperation')
+        return isReplayCheck(node.left, stateVars) || isReplayCheck(node.right, stateVars);
+    return walkAnyChild(node, child => isReplayCheck(child, stateVars));
+}
+function isReplayWrite(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation' && ASSIGN_OPS.has(String(node.operator || '')))
+        return isReplayReference(node.left, stateVars);
+    if (node.type === 'UnaryOperation' && /^(delete|\+\+|--)$/.test(String(node.operator || '')))
+        return isReplayReference(node.subExpression, stateVars);
+    return false;
+}
+function isReplayReference(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'Identifier')
+        return isReplayBase(node, stateVars);
+    if (node.type === 'IndexAccess')
+        return isReplayReference(node.base, stateVars);
+    if (node.type === 'MemberAccess')
+        return isReplayReference(node.expression, stateVars);
+    return false;
+}
+function isReplayBase(node, stateVars) {
+    return node?.type === 'Identifier' && stateVars.has(String(node.name || '')) && REPLAY_RE.test(String(node.name || ''));
+}
+function isThresholdCheck(node) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation' && /^(>=|>|==)$/.test(String(node.operator || ''))) {
+        return containsNameLike(node.left, THRESHOLD_RE) || containsNameLike(node.right, THRESHOLD_RE);
+    }
+    return walkAnyChild(node, isThresholdCheck);
+}
+function isValidatorCheck(node) {
+    if (!node)
+        return false;
+    if (node.type === 'IndexAccess' && /validator|signer|committee|operator/i.test(rootIdentifierName(node.base)))
+        return true;
+    if (node.type === 'FunctionCall' && /^(isValidator|isSigner|hasRole)$/.test(calleeName(node)))
+        return true;
+    return walkAnyChild(node, isValidatorCheck);
+}
+function isUniquenessCheck(node) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation') {
+        const op = String(node.operator || '');
+        if (/^(>|<|!=)$/.test(op) && (containsNameLike(node.left, /signer|last|previous|seen/i) || containsNameLike(node.right, /signer|last|previous|seen/i))) {
+            return true;
+        }
+    }
+    if (node.type === 'UnaryOperation' && String(node.operator || '') === '!' && isSeenMapping(node.subExpression))
+        return true;
+    if (isSeenMapping(node))
+        return true;
+    return walkAnyChild(node, isUniquenessCheck);
+}
+function isSeenMapping(node) {
+    return node?.type === 'IndexAccess' && /seen|used|counted|signed|duplicate/i.test(rootIdentifierName(node.base));
+}
+function isCollateralBoundCheck(node, stateVars) {
+    if (!node)
+        return false;
+    if (node.type === 'BinaryOperation' && /^(>=|>|==)$/.test(String(node.operator || ''))) {
+        return (containsCollateralState(node.left, stateVars) || containsCollateralState(node.right, stateVars)) &&
+            (containsNameLike(node.left, /amount|value/i) || containsNameLike(node.right, /amount|value/i));
+    }
+    return walkAnyChild(node, child => isCollateralBoundCheck(child, stateVars));
+}
+function isCollateralDebit(node, stateVars) {
+    if (!node || node.type !== 'BinaryOperation')
+        return false;
+    const op = String(node.operator || '');
+    if (op === '-=' && containsCollateralState(node.left, stateVars))
+        return true;
+    if (op === '=' && containsCollateralState(node.left, stateVars) && containsSubtraction(node.right))
+        return true;
+    return false;
+}
+function containsCollateralState(node, stateVars) {
+    return walkAny(node, child => {
+        if (child?.type !== 'Identifier')
+            return false;
+        const name = String(child.name || '');
+        return stateVars.has(name) && COLLATERAL_RE.test(name);
+    });
+}
+function containsSubtraction(node) {
+    return walkAny(node, child => child?.type === 'BinaryOperation' && String(child.operator || '') === '-');
+}
+function containsStateVariable(node, stateVars) {
+    return walkAny(node, child => child?.type === 'Identifier' && stateVars.has(String(child.name || '')));
+}
+function containsNameLike(node, re) {
+    return walkAny(node, child => {
+        if (child?.type === 'Identifier')
+            return re.test(String(child.name || ''));
+        if (child?.type === 'MemberAccess')
+            return re.test(String(child.memberName || ''));
+        return false;
+    });
+}
+function calleeName(call) {
+    const expr = unwrapCallOptions(call?.expression);
+    if (expr?.type === 'MemberAccess')
+        return String(expr.memberName || '');
+    if (expr?.type === 'Identifier')
+        return String(expr.name || '');
+    return '';
+}
+function rootIdentifierName(node) {
+    let cur = node;
+    while (cur && (cur.type === 'MemberAccess' || cur.type === 'IndexAccess')) {
+        cur = cur.type === 'MemberAccess' ? cur.expression : cur.base;
+    }
+    return cur?.type === 'Identifier' ? String(cur.name || '') : '';
+}
+function getParameters(fn) {
+    return Array.isArray(fn.parameters) ? fn.parameters : [];
+}
+function getCallArguments(call) {
+    return Array.isArray(call?.arguments) ? call.arguments : [];
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (cur.type === 'NameValueExpression' || cur.type === 'FunctionCallOptions')) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function locOf(node) {
+    const { line, column } = (0, ast_1.assertLoc)(node);
+    return { line, column };
+}
+function walkSourceOrder(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walkSourceOrder(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return walkAnyChild(node, predicate);
+}
+function walkAnyChild(node, predicate) {
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=network-bridge-ronin.js.map

package/dist/detectors/network-bridge.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class NetworkBridgeDetector {
+    readonly id = "network-bridge";
+    readonly patternKey = "network-bridge";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string): ScanResult[];
+}