@snovon/solast 0.2.0

package/dist/detectors/oracle-manipulation.js

@@ -0,0 +1,1023 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OracleManipulationDetector = void 0;
+const oracle_1 = require("./_common/oracle");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'oracle-manipulation';
+const DEFAULT_MAX_AGE_S = 60;
+const SENSITIVE_SINK_NAMES = new Set([
+    'liquidate',
+    '_liquidate',
+    'swap',
+    '_swap',
+    'mint',
+    '_mint',
+    'borrow',
+    '_borrow',
+    'redeem',
+    '_redeem',
+    'seize',
+    '_seize',
+    'close',
+    '_close',
+    'forceLiquidation',
+    '_forceLiquidation',
+    'flashLoan',
+    '_flashLoan',
+]);
+const FRESHNESS_FIELD_TERMS = [
+    'updatedAt',
+    'updated_at',
+    'publishTime',
+    'publish_time',
+    'roundTimestamp',
+    'lastUpdate',
+    'lastupdate',
+];
+class OracleManipulationDetector {
+    maxAgeSeconds;
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    findings = [];
+    currentFile = '';
+    currentContract = '';
+    seen = new Set();
+    ctx;
+    constructor(maxAgeSeconds = DEFAULT_MAX_AGE_S) {
+        this.maxAgeSeconds = maxAgeSeconds;
+    }
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContract = '';
+        this.seen.clear();
+    }
+    setContext(ctx) {
+        this.ctx = ctx;
+        ctx.taint?.registerSource('oracle-amm-spot', (node) => {
+            if (node?.type !== 'FunctionCall')
+                return false;
+            return this.isAmmSpotSourceCall(node);
+        });
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '<anonymous>';
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        if (!node?.body)
+            return;
+        const state = this.analyzeFunction(node.body, node.name);
+        if (this.hasAmmPriceProvenance(state) && (state.sinkCalls.length > 0 || state.enclosingSink || state.storageMutations.length > 0)) {
+            const sink = this.findUnprotectedAmmSink(state) ||
+                (state.enclosingSink && state.sinkCalls.length === 0 && state.sinkRequires.length === 0 && state.storageMutations.length === 0
+                    ? this.findUnprotectedAmmUse(state)
+                    : null);
+            if (sink) {
+                const fnName = node.name || '<anonymous>';
+                const loc = sink?.loc?.start || node.loc?.start || { line: 0, column: 0 };
+                this.addAmFinding(this.currentFile, this.currentContract, fnName, loc.line, loc.column, sink);
+            }
+        }
+        if (state.reads.length === 0)
+            return;
+        const hasFreshness = state.hasFreshnessGuard ||
+            state.reads.some(read => read.freshnessChecked) ||
+            (state.reads.some(read => read.kind === 'generic') && state.hasGenericFreshnessGuard);
+        const confidence = state.validatesPrice || state.validatesConf ? 'medium' : 'high';
+        let subFinding;
+        const hasPythRead = state.reads.some(read => read.kind === 'pyth');
+        if (!hasFreshness) {
+            subFinding = 'stale-feed';
+        }
+        else if (hasPythRead && (state.hasRiskyRawPriceArithmetic || !state.hasDeviationBound)) {
+            subFinding = 'unbounded-deviation';
+        }
+        if (!subFinding)
+            return;
+        const read = state.reads.find(candidate => !candidate.freshnessChecked) || state.reads[0];
+        this.addFinding(read.node, node, subFinding, confidence);
+    }
+    isPriceUsedInSensitiveContext(state) {
+        if (state.sinkCalls.length === 0 && state.sinkRequires.length === 0 && !state.enclosingSink && state.storageMutations.length === 0)
+            return false;
+        const priceNodes = [];
+        for (const read of state.ammReads) {
+            priceNodes.push(read);
+        }
+        for (const sink of state.sinkCalls) {
+            if (this.sinkUsesPrice(sink, state))
+                return true;
+        }
+        for (const req of state.sinkRequires) {
+            if (this.requireUsesPrice(req, state))
+                return true;
+        }
+        if (state.enclosingSink && state.sinkCalls.length === 0) {
+            if (this.functionBodyUsesPriceVariables(state))
+                return true;
+        }
+        for (const mutation of state.storageMutations) {
+            if (this.mutationUsesPriceVariables(mutation, state))
+                return true;
+        }
+        return false;
+    }
+    sinkUsesPrice(sink, state) {
+        const args = sink.arguments || [];
+        for (const arg of args) {
+            if (this.expressionUsesVariables(arg, state.priceVariables))
+                return true;
+        }
+        return false;
+    }
+    requireUsesPrice(req, state) {
+        const condition = req.arguments?.[0];
+        if (!condition)
+            return false;
+        return this.expressionUsesVariables(condition, state.priceVariables);
+    }
+    expressionUsesVariables(expr, variables) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        let found = false;
+        this.walk(expr, node => {
+            if (found)
+                return;
+            if (node.type === 'Identifier' && variables.has(node.name)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    hasTwapProtection(state) {
+        return state.twapCalls.length > 0;
+    }
+    hasChainlinkFreshnessGuard(state) {
+        if (state.hasGenericFreshnessGuard)
+            return true;
+        for (const read of state.reads) {
+            if (read.kind === 'generic' && read.freshnessChecked)
+                return true;
+        }
+        return false;
+    }
+    hasMultiSourceAggregation(state) {
+        return state.ammReads.length >= 2;
+    }
+    addAmFinding(file, contract, fnName, line, column, sinkNode) {
+        const key = `${file}:${line}:${column}:amm-spot`;
+        if (this.seen.has(key))
+            return;
+        this.seen.add(key);
+        this.findings.push({
+            file,
+            contract,
+            'function': fnName,
+            line,
+            endLine: (0, ast_1.tryLoc)(sinkNode)?.endLine ?? line,
+            column,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Oracle manipulation risk in function '${fnName}': manipulable AMM spot price source drives sensitive operation without a TWAP or deviation check.`,
+            contractName: contract,
+            functionName: fnName,
+            sourceLocation: { line, column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    analyzeFunction(body, fnName = '') {
+        const state = {
+            reads: [],
+            hasFreshnessGuard: false,
+            hasGenericFreshnessGuard: false,
+            hasDeviationBound: false,
+            validatesPrice: false,
+            validatesConf: false,
+            hasRiskyRawPriceArithmetic: false,
+            ammReads: [],
+            twapCalls: [],
+            sinkCalls: [],
+            storageMutations: [],
+            enclosingSink: false,
+            priceVariables: new Set(),
+            priceProvenance: new Map(),
+            sinkRequires: [],
+            functionBody: body,
+        };
+        this.collectAmminformation(body, state);
+        this.trackDerivedPriceVariables(state);
+        this.trackTwapDeviationChecks(state);
+        this.trackDerivedPriceVariables(state);
+        this.analyzePythChainlink(body, state);
+        state.hasRiskyRawPriceArithmetic = this.hasRiskyRawPriceArithmetic(body);
+        if (fnName && SENSITIVE_SINK_NAMES.has(fnName)) {
+            state.enclosingSink = true;
+        }
+        this.collectStorageMutations(state);
+        return state;
+    }
+    collectAmminformation(body, state) {
+        this.walk(body, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'FunctionCall') {
+                const name = this.getCalleeName(node.expression);
+                if (this.isAmmSpotSourceCall(node)) {
+                    state.ammReads.push({ node, kind: 'amm-spot' });
+                }
+                if (oracle_1.TWAP_CALLS.has(name)) {
+                    state.twapCalls.push(node);
+                }
+                const nameLower = name.toLowerCase();
+                if (oracle_1.SINK_CALL_NAMES.has(nameLower) || oracle_1.SINK_CALL_NAMES.has(name)) {
+                    state.sinkCalls.push(node);
+                }
+                if (name === 'require' || name === 'assert') {
+                    state.sinkRequires.push(node);
+                }
+            }
+        });
+    }
+    findUnprotectedAmmSink(state) {
+        for (const sink of state.sinkCalls) {
+            for (const arg of sink.arguments || []) {
+                const provenance = this.getExpressionProvenance(arg, state);
+                if (this.isUnprotectedSpotProvenance(provenance))
+                    return sink;
+            }
+        }
+        for (const req of state.sinkRequires) {
+            const condition = req.arguments?.[0];
+            const provenance = this.getExpressionProvenance(condition, state);
+            if (this.isUnprotectedSpotProvenance(provenance))
+                return req;
+        }
+        for (const mutation of state.storageMutations) {
+            const right = mutation.rightHandSide || mutation.right;
+            const provenance = this.getExpressionProvenance(right, state);
+            if (this.isUnprotectedSpotProvenance(provenance))
+                return mutation;
+        }
+        return null;
+    }
+    findUnprotectedAmmUse(state) {
+        if (!state.functionBody)
+            return null;
+        let result = null;
+        this.walk(state.functionBody, node => {
+            if (result)
+                return;
+            const provenance = this.getExpressionProvenance(node, state);
+            if (this.isUnprotectedSpotProvenance(provenance))
+                result = node;
+        });
+        return result;
+    }
+    isUnprotectedSpotProvenance(provenance) {
+        if (provenance.ammSources.size === 0)
+            return false;
+        if (provenance.twapDerived || provenance.twapChecked)
+            return false;
+        return true;
+    }
+    hasAmmPriceProvenance(state) {
+        if (state.ammReads.length > 0)
+            return true;
+        for (const provenance of state.priceProvenance.values()) {
+            if (provenance.ammSources.size > 0)
+                return true;
+        }
+        return false;
+    }
+    conditionUsesAmmspotPrice(condition, state) {
+        if (state.priceVariables.size === 0)
+            return false;
+        return this.expressionUsesVariables(condition, state.priceVariables);
+    }
+    trackPriceVariablesFromAmmsource(callNode, state) {
+        let found = false;
+        const search = (node, parent) => {
+            if (found)
+                return;
+            if (!node || typeof node !== 'object')
+                return;
+            if (node === callNode && parent) {
+                if (parent.type === 'VariableDeclarationStatement') {
+                    for (const decl of this.getDeclaredVariables(parent)) {
+                        if (decl?.name && typeof decl.name === 'string') {
+                            state.priceVariables.add(decl.name);
+                            this.mergeVariableProvenance(decl.name, this.getExpressionProvenance(callNode, state), state);
+                        }
+                    }
+                    found = true;
+                    return;
+                }
+                if (this.isAssignmentLikeNode(parent) && this.getAssignmentRight(parent) === callNode) {
+                    const left = this.getAssignmentLeft(parent);
+                    if (left) {
+                        this.collectAssignmentTargets(left, state.priceVariables);
+                        this.mergeAssignmentTargetProvenance(left, this.getExpressionProvenance(callNode, state), state);
+                    }
+                    found = true;
+                    return;
+                }
+            }
+            for (const [key, value] of Object.entries(node)) {
+                if (key === 'loc' || key === 'range')
+                    continue;
+                if (Array.isArray(value)) {
+                    for (const item of value) {
+                        if (item && typeof item === 'object') {
+                            search(item, node);
+                            if (found)
+                                return;
+                        }
+                    }
+                }
+                else if (value && typeof value === 'object') {
+                    search(value, node);
+                    if (found)
+                        return;
+                }
+            }
+        };
+        const root = state.functionBody;
+        if (root)
+            search(root, null);
+    }
+    isAssignmentLikeNode(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Assignment')
+            return true;
+        if (node.type === 'BinaryOperation' && node.operator === '=')
+            return true;
+        return false;
+    }
+    getAssignmentLeft(node) {
+        if (!node)
+            return null;
+        return node.leftHandSide ?? node.left ?? null;
+    }
+    getAssignmentRight(node) {
+        if (!node)
+            return null;
+        return node.rightHandSide ?? node.right ?? null;
+    }
+    collectAssignmentTargets(node, set) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'Identifier' && typeof node.name === 'string') {
+            set.add(node.name);
+            return;
+        }
+        if (node.type === 'VariableDeclaration' && typeof node.name === 'string') {
+            set.add(node.name);
+            return;
+        }
+        if (node.type === 'TupleExpression') {
+            const components = node.components || [];
+            for (const comp of components) {
+                if (comp)
+                    this.collectAssignmentTargets(comp, set);
+            }
+        }
+    }
+    trackDerivedPriceVariables(state) {
+        if (!state.functionBody)
+            return;
+        const maxIterations = 100;
+        let iterations = 0;
+        let changed = true;
+        while (changed && iterations < maxIterations) {
+            changed = false;
+            iterations++;
+            const search = (node) => {
+                if (!node || typeof node !== 'object')
+                    return;
+                if (node.type === 'VariableDeclarationStatement') {
+                    const initial = node.initialValue;
+                    if (initial) {
+                        const provenance = this.getExpressionProvenance(initial, state);
+                        if (this.hasPriceProvenance(provenance)) {
+                            for (const decl of this.getDeclaredVariables(node)) {
+                                if (decl?.name && typeof decl.name === 'string') {
+                                    if (this.mergeVariableProvenance(decl.name, provenance, state))
+                                        changed = true;
+                                }
+                            }
+                        }
+                    }
+                }
+                if (this.isAssignmentLikeNode(node)) {
+                    const left = this.getAssignmentLeft(node);
+                    const right = this.getAssignmentRight(node);
+                    if (right) {
+                        const provenance = this.getExpressionProvenance(right, state);
+                        if (this.hasPriceProvenance(provenance)) {
+                            if (this.mergeAssignmentTargetProvenance(left, provenance, state))
+                                changed = true;
+                        }
+                    }
+                }
+                for (const [key, value] of Object.entries(node)) {
+                    if (key === 'loc' || key === 'range')
+                        continue;
+                    if (Array.isArray(value)) {
+                        for (const item of value) {
+                            if (item && typeof item === 'object')
+                                search(item);
+                        }
+                    }
+                    else if (value && typeof value === 'object') {
+                        search(value);
+                    }
+                }
+            };
+            search(state.functionBody);
+        }
+    }
+    trackTwapDeviationChecks(state) {
+        if (!state.functionBody)
+            return;
+        this.walk(state.functionBody, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            let condition = null;
+            if (node.type === 'FunctionCall' && this.isRequireOrAssert(node)) {
+                condition = (node.arguments || [])[0];
+            }
+            else if (node.type === 'IfStatement') {
+                condition = node.condition;
+            }
+            if (!condition)
+                return;
+            this.markTwapComparedSpotVariables(condition, state);
+        });
+    }
+    markTwapComparedSpotVariables(node, state) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'BinaryOperation' && ['<', '<=', '>', '>=', '==', '!='].includes(node.operator)) {
+            const left = this.getExpressionProvenance(node.left, state);
+            const right = this.getExpressionProvenance(node.right, state);
+            if (this.hasAmmSpot(left) && this.isTwapOrReference(right)) {
+                this.markIdentifiersTwapChecked(node.left, state);
+            }
+            if (this.hasAmmSpot(right) && this.isTwapOrReference(left)) {
+                this.markIdentifiersTwapChecked(node.right, state);
+            }
+        }
+        for (const child of this.childNodes(node)) {
+            this.markTwapComparedSpotVariables(child, state);
+        }
+    }
+    markIdentifiersTwapChecked(node, state) {
+        this.walk(node, child => {
+            if (child?.type !== 'Identifier' || typeof child.name !== 'string')
+                return;
+            const provenance = state.priceProvenance.get(child.name);
+            if (provenance && provenance.ammSources.size > 0) {
+                provenance.twapChecked = true;
+            }
+        });
+    }
+    isTwapOrReference(provenance) {
+        return provenance.twapDerived;
+    }
+    hasAmmSpot(provenance) {
+        return provenance.ammSources.size > 0;
+    }
+    hasPriceProvenance(provenance) {
+        return provenance.ammSources.size > 0 || provenance.twapDerived || provenance.twapChecked;
+    }
+    emptyProvenance() {
+        return {
+            ammSources: new Set(),
+            twapDerived: false,
+            twapChecked: false,
+        };
+    }
+    cloneProvenance(provenance) {
+        return {
+            ammSources: new Set(provenance.ammSources),
+            twapDerived: provenance.twapDerived,
+            twapChecked: provenance.twapChecked,
+        };
+    }
+    unionProvenance(...items) {
+        const result = this.emptyProvenance();
+        for (const item of items) {
+            for (const source of item.ammSources)
+                result.ammSources.add(source);
+            result.twapDerived = result.twapDerived || item.twapDerived;
+            result.twapChecked = result.twapChecked || item.twapChecked;
+        }
+        return result;
+    }
+    getExpressionProvenance(expr, state) {
+        if (!expr || typeof expr !== 'object')
+            return this.emptyProvenance();
+        if (expr.type === 'Identifier' && typeof expr.name === 'string') {
+            return this.cloneProvenance(state.priceProvenance.get(expr.name) || this.emptyProvenance());
+        }
+        if (expr.type === 'FunctionCall') {
+            const name = this.getCalleeName(expr.expression);
+            let provenance = this.emptyProvenance();
+            if (this.isAmmSpotSourceCall(expr)) {
+                provenance.ammSources.add(this.getAmmSourceIdentity(expr));
+            }
+            if (this.ctx?.taint?.isTainted(expr, expr, { source: 'oracle-amm-spot' })) {
+                const path = this.ctx.taint.explain(expr, expr, { source: 'oracle-amm-spot' });
+                if (path.length > 1) {
+                    provenance.ammSources.add(this.getAmmSourceIdentity(expr));
+                }
+            }
+            if (oracle_1.TWAP_CALLS.has(name)) {
+                provenance.twapDerived = true;
+            }
+            const childProvenance = (expr.arguments || []).map((arg) => this.getExpressionProvenance(arg, state));
+            return this.unionProvenance(provenance, ...childProvenance);
+        }
+        const childProvenance = this.childNodes(expr).map(child => this.getExpressionProvenance(child, state));
+        return this.unionProvenance(...childProvenance);
+    }
+    mergeVariableProvenance(name, provenance, state) {
+        const current = state.priceProvenance.get(name) || this.emptyProvenance();
+        const merged = this.unionProvenance(current, provenance);
+        const changed = merged.ammSources.size !== current.ammSources.size ||
+            merged.twapDerived !== current.twapDerived ||
+            merged.twapChecked !== current.twapChecked;
+        if (changed) {
+            state.priceProvenance.set(name, merged);
+            if (merged.ammSources.size > 0)
+                state.priceVariables.add(name);
+        }
+        return changed;
+    }
+    mergeAssignmentTargetProvenance(target, provenance, state) {
+        const names = new Set();
+        this.collectAssignmentTargets(target, names);
+        let changed = false;
+        for (const name of names) {
+            changed = this.mergeVariableProvenance(name, provenance, state) || changed;
+        }
+        return changed;
+    }
+    getAmmSourceIdentity(callNode) {
+        const callee = callNode?.expression;
+        if (callee?.type === 'MemberAccess') {
+            return this.expressionKey(callee.expression);
+        }
+        const args = callNode?.arguments || [];
+        if (args.length > 0)
+            return `${this.getCalleeName(callee)}:${this.expressionKey(args[0])}`;
+        return this.getCalleeName(callee) || '<amm-source>';
+    }
+    expressionKey(node) {
+        if (!node || typeof node !== 'object')
+            return '<unknown>';
+        if (node.type === 'Identifier')
+            return `id:${node.name || '<anonymous>'}`;
+        if (node.type === 'MemberAccess')
+            return `${this.expressionKey(node.expression)}.${node.memberName || '<member>'}`;
+        if (node.type === 'IndexAccess')
+            return `${this.expressionKey(node.base)}[${this.expressionKey(node.index)}]`;
+        if (node.type === 'NumberLiteral')
+            return `num:${node.number ?? node.value ?? ''}`;
+        return node.type || '<expr>';
+    }
+    collectStorageMutations(state) {
+        if (state.priceVariables.size === 0 || !state.functionBody)
+            return;
+        this.walk(state.functionBody, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            let assignmentNode = null;
+            if (node.type === 'Assignment') {
+                assignmentNode = node;
+            }
+            else if (node.type === 'ExpressionStatement' && node.expression?.type === 'BinaryOperation') {
+                const op = node.expression.operator;
+                if (op === '=' || op === '+=' || op === '-=' || op === '*=' || op === '/=' || op === '%=' || op === '|=' || op === '&=' || op === '^=') {
+                    assignmentNode = {
+                        leftHandSide: node.expression.left,
+                        rightHandSide: node.expression.right,
+                        loc: node.expression.loc,
+                    };
+                }
+            }
+            if (!assignmentNode)
+                return;
+            const left = assignmentNode.leftHandSide || assignmentNode.left;
+            const right = assignmentNode.rightHandSide || assignmentNode.right;
+            if (!right)
+                return;
+            const isStorageWrite = left && (left.type === 'IndexAccess' ||
+                left.type === 'MemberAccess' ||
+                (left.type === 'Identifier' && !state.priceVariables.has(left.name)));
+            if (isStorageWrite && this.expressionUsesVariables(right, state.priceVariables)) {
+                state.storageMutations.push(assignmentNode);
+            }
+        });
+    }
+    functionBodyUsesPriceVariables(state) {
+        if (!state.functionBody || state.priceVariables.size === 0)
+            return false;
+        let found = false;
+        this.walk(state.functionBody, node => {
+            if (found)
+                return;
+            if (node.type === 'FunctionCall') {
+                const name = this.getCalleeName(node.expression);
+                if (oracle_1.SINK_CALL_NAMES.has(name))
+                    return;
+            }
+            if (this.expressionUsesVariables(node, state.priceVariables)) {
+                found = true;
+            }
+        });
+        return found;
+    }
+    mutationUsesPriceVariables(mutation, state) {
+        const right = mutation.rightHandSide || mutation.right;
+        if (!right)
+            return false;
+        return this.expressionUsesVariables(right, state.priceVariables);
+    }
+    getIdentifierName(node) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if (node.type === 'Identifier')
+            return node.name || null;
+        if (node.type === 'VariableDeclaration')
+            return node.name || null;
+        return null;
+    }
+    getDeclaredVariables(node) {
+        if (!node)
+            return [];
+        if (Array.isArray(node.variables))
+            return node.variables;
+        if (Array.isArray(node.declarations))
+            return node.declarations;
+        return [];
+    }
+    analyzePythChainlink(body, state) {
+        this.walk(body, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'FunctionCall') {
+                const name = this.getCalleeName(node.expression);
+                if (name === 'getPrice' || name === 'getPriceUnsafe') {
+                    state.reads.push({ node, kind: 'pyth', freshnessChecked: false });
+                }
+                else if (name === 'getPriceNoOlderThan') {
+                    state.reads.push({
+                        node,
+                        kind: 'pyth',
+                        freshnessChecked: this.literalNumber((node.arguments || [])[1]) <= this.maxAgeSeconds,
+                    });
+                }
+                else if (name === 'latestRoundData' || name === 'latestAnswer') {
+                    state.reads.push({ node, kind: 'generic', freshnessChecked: false });
+                }
+                if (this.isRequireOrAssert(node)) {
+                    const condition = (node.arguments || [])[0];
+                    state.hasFreshnessGuard = state.hasFreshnessGuard || this.isFreshnessGuard(condition);
+                    state.hasGenericFreshnessGuard = state.hasGenericFreshnessGuard || this.isGenericFreshnessGuard(condition);
+                    state.hasDeviationBound = state.hasDeviationBound || this.isDeviationBound(condition);
+                    state.validatesPrice = state.validatesPrice || this.isFieldValidation(condition, ['price', 'answer']);
+                    state.validatesConf = state.validatesConf || this.isFieldValidation(condition, ['conf']);
+                }
+            }
+            if (node.type === 'IfStatement') {
+                state.hasFreshnessGuard = state.hasFreshnessGuard || this.isFreshnessGuard(node.condition);
+                state.hasGenericFreshnessGuard = state.hasGenericFreshnessGuard || this.isGenericFreshnessGuard(node.condition);
+                state.hasDeviationBound = state.hasDeviationBound || this.isDeviationBound(node.condition);
+                state.validatesPrice = state.validatesPrice || this.isFieldValidation(node.condition, ['price', 'answer']);
+                state.validatesConf = state.validatesConf || this.isFieldValidation(node.condition, ['conf']);
+            }
+        });
+    }
+    addFinding(node, fn, subFinding, confidence) {
+        // tryLoc-with-floor: solc-walker may yield loc=0 on inner nodes.
+        // Bind primaryLoc separately so endLine is sourced only from `node`
+        // (matching the legacy `node?.loc?.end?.line || line` semantics);
+        // a single nested loc would leak endLine from `fn` when node lacks loc.
+        const primaryLoc = (0, ast_1.tryLoc)(node);
+        const loc = primaryLoc ?? (0, ast_1.tryLoc)(fn) ?? { line: 0, endLine: 0, column: 0 };
+        const { line, column } = loc;
+        const endLine = primaryLoc?.endLine ?? line;
+        const functionName = fn?.name || '<anonymous>';
+        const key = `${this.currentFile}:${line}:${column}:${subFinding}`;
+        if (this.seen.has(key))
+            return;
+        this.seen.add(key);
+        const message = subFinding === 'stale-feed'
+            ? `Oracle manipulation risk in function '${functionName}': price feed is consumed without an accepted freshness check.`
+            : `Oracle manipulation risk in function '${functionName}': price feed is consumed without a bounded deviation check or safe exponent-scaled arithmetic.`;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': functionName,
+            line,
+            endLine,
+            column,
+            pattern: RULE_ID,
+            confidence,
+            ruleId: RULE_ID,
+            severity: 'warning',
+            message,
+            contractName: this.currentContract,
+            functionName,
+            sourceLocation: { line, column },
+            trace: subFinding,
+            findingId: '',
+            contractHash: '',
+            ...{ subFinding },
+        });
+    }
+    isRequireOrAssert(node) {
+        const name = this.getCalleeName(node?.expression);
+        return name === 'require' || name === 'assert';
+    }
+    isAmmSpotSourceCall(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return false;
+        const name = this.getCalleeName(node.expression);
+        if (oracle_1.AMM_SPOT_SOURCES.has(name))
+            return true;
+        return name === 'balanceOf' && this.isPoolBalanceRead(node);
+    }
+    isPoolBalanceRead(node) {
+        const [account] = node.arguments || [];
+        if (!account)
+            return false;
+        return this.expressionContainsPoolReference(account);
+    }
+    expressionContainsPoolReference(node) {
+        const names = this.flattenNames(node)
+            .split(/\s+/)
+            .map(name => name.toLowerCase())
+            .filter(Boolean);
+        return names.some(name => {
+            const compact = name.replace(/[^a-z0-9]/g, '');
+            return compact === 'pair' ||
+                compact === 'pool' ||
+                compact === 'amm' ||
+                compact.startsWith('pair') ||
+                compact.startsWith('pool') ||
+                compact.startsWith('amm') ||
+                compact.endsWith('pair') ||
+                compact.endsWith('pool') ||
+                compact.endsWith('amm') ||
+                compact.includes('uniswap') ||
+                compact.includes('sushiswap') ||
+                compact.includes('pancake') ||
+                compact.startsWith('lp') ||
+                compact.endsWith('lp');
+        });
+    }
+    getCalleeName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier')
+            return expr.name || '';
+        if (expr.type === 'MemberAccess')
+            return expr.memberName || '';
+        return '';
+    }
+    isFreshnessGuard(node) {
+        return this.hasBoundedAgeComparison(node, ['publishTime', 'publish_time', 'updatedAt', 'updated_at'], this.maxAgeSeconds);
+    }
+    isGenericFreshnessGuard(node) {
+        return this.hasBoundedAgeComparison(node, ['updatedAt', 'updated_at', 'roundTimestamp', 'lastUpdate', 'lastupdate'], Number.POSITIVE_INFINITY);
+    }
+    hasBoundedAgeComparison(node, freshnessFields, maxLiteralBound) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'BinaryOperation' && ['<', '<=', '>', '>='].includes(node.operator)) {
+            if (this.isMaxAgeComparison(node, freshnessFields, maxLiteralBound))
+                return true;
+        }
+        return this.anyChild(node, child => this.hasBoundedAgeComparison(child, freshnessFields, maxLiteralBound));
+    }
+    isMaxAgeComparison(node, freshnessFields, maxLiteralBound) {
+        if (!node || node.type !== 'BinaryOperation')
+            return false;
+        if (!['<', '<=', '>', '>='].includes(node.operator))
+            return false;
+        const a = node.left;
+        const b = node.right;
+        if (this.isAgeDifference(a, freshnessFields) && this.isPositiveBoundOperand(b, freshnessFields, maxLiteralBound))
+            return true;
+        if (this.isAgeDifference(b, freshnessFields) && this.isPositiveBoundOperand(a, freshnessFields, maxLiteralBound))
+            return true;
+        if (this.isFreshnessFieldRef(a, freshnessFields) && this.isOffsetTimestamp(b, freshnessFields, maxLiteralBound))
+            return true;
+        if (this.isFreshnessFieldRef(b, freshnessFields) && this.isOffsetTimestamp(a, freshnessFields, maxLiteralBound))
+            return true;
+        return false;
+    }
+    isAgeDifference(node, freshnessFields) {
+        if (!node || node.type !== 'BinaryOperation' || node.operator !== '-')
+            return false;
+        return (this.isBlockTimestampNode(node.left) && this.isFreshnessFieldRef(node.right, freshnessFields)) ||
+            (this.isBlockTimestampNode(node.right) && this.isFreshnessFieldRef(node.left, freshnessFields));
+    }
+    isOffsetTimestamp(node, freshnessFields, maxLiteralBound) {
+        if (!node || node.type !== 'BinaryOperation')
+            return false;
+        if (node.operator !== '-' && node.operator !== '+')
+            return false;
+        return (this.isBlockTimestampNode(node.left) && this.isPositiveBoundOperand(node.right, freshnessFields, maxLiteralBound)) ||
+            (this.isBlockTimestampNode(node.right) && this.isPositiveBoundOperand(node.left, freshnessFields, maxLiteralBound));
+    }
+    isBlockTimestampNode(node) {
+        return !!node && node.type === 'MemberAccess' && node.memberName === 'timestamp' &&
+            node.expression?.type === 'Identifier' && node.expression.name === 'block';
+    }
+    isFreshnessFieldRef(node, freshnessFields) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && freshnessFields.includes(node.name))
+            return true;
+        if (node.type === 'MemberAccess' && freshnessFields.includes(node.memberName))
+            return true;
+        return false;
+    }
+    isPositiveBoundOperand(node, freshnessFields, maxLiteralBound) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isFreshnessFieldRef(node, freshnessFields))
+            return false;
+        if (this.isBlockTimestampNode(node))
+            return false;
+        if (node.type === 'NumberLiteral') {
+            const value = this.literalNumber(node);
+            return Number.isFinite(value) && value > 0 && value <= maxLiteralBound;
+        }
+        if (node.type === 'Identifier' || node.type === 'MemberAccess')
+            return true;
+        return false;
+    }
+    isDeviationBound(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'BinaryOperation' && ['<', '<=', '>', '>='].includes(node.operator)) {
+            const left = this.flattenNames(node.left);
+            const right = this.flattenNames(node.right);
+            const names = `${left} ${right}`.toLowerCase();
+            const hasPriceSide = names.includes('price') || names.includes('answer') || names.includes('delta') || names.includes('deviation');
+            const hasReference = ['last', 'old', 'prior', 'twap', 'median', 'reference', 'trusted', 'maxdeviation', 'delta', 'deviation']
+                .some(term => names.includes(term));
+            if (hasPriceSide && hasReference)
+                return true;
+        }
+        return this.anyChild(node, child => this.isDeviationBound(child));
+    }
+    isFieldValidation(node, fields) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'BinaryOperation' && ['<', '<=', '>', '>=', '==', '!='].includes(node.operator)) {
+            return this.containsMember(node, fields);
+        }
+        return this.anyChild(node, child => this.isFieldValidation(child, fields));
+    }
+    isRiskyRawPriceArithmetic(node) {
+        if (!node || node.type !== 'BinaryOperation')
+            return false;
+        if (node.operator !== '*' && node.operator !== '/')
+            return false;
+        if (!this.containsMember(node, ['price', 'answer']))
+            return false;
+        return !this.containsMember(node, ['expo']);
+    }
+    hasRiskyRawPriceArithmetic(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'FunctionCall' && this.isRequireOrAssert(node))
+            return false;
+        if (this.isRiskyRawPriceArithmetic(node))
+            return true;
+        return this.anyChild(node, child => this.hasRiskyRawPriceArithmetic(child));
+    }
+    containsTimestamp(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'MemberAccess' &&
+            node.memberName === 'timestamp' &&
+            node.expression?.type === 'Identifier' &&
+            node.expression.name === 'block') {
+            return true;
+        }
+        return this.anyChild(node, child => this.containsTimestamp(child));
+    }
+    containsMember(node, members) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'MemberAccess' && members.includes(node.memberName))
+            return true;
+        if (node.type === 'Identifier' && members.includes(node.name))
+            return true;
+        return this.anyChild(node, child => this.containsMember(child, members));
+    }
+    containsBoundedNumber(node, max) {
+        const value = this.literalNumber(node);
+        if (value !== Number.POSITIVE_INFINITY && value <= max)
+            return true;
+        return this.anyChild(node, child => this.containsBoundedNumber(child, max));
+    }
+    containsAnyNumber(node) {
+        const value = this.literalNumber(node);
+        if (value !== Number.POSITIVE_INFINITY)
+            return true;
+        return this.anyChild(node, child => this.containsAnyNumber(child));
+    }
+    literalNumber(node) {
+        if (!node || typeof node !== 'object')
+            return Number.POSITIVE_INFINITY;
+        if (node.type === 'NumberLiteral') {
+            const raw = String(node.number ?? node.value ?? '').replace(/_/g, '');
+            const parsed = Number(raw);
+            if (!Number.isFinite(parsed))
+                return Number.POSITIVE_INFINITY;
+            return parsed * this.timeUnitMultiplier(node.subdenomination);
+        }
+        return Number.POSITIVE_INFINITY;
+    }
+    timeUnitMultiplier(unit) {
+        switch (unit) {
+            case undefined:
+            case null:
+            case '':
+            case 'seconds':
+                return 1;
+            case 'minutes':
+                return 60;
+            case 'hours':
+                return 60 * 60;
+            case 'days':
+                return 24 * 60 * 60;
+            case 'weeks':
+                return 7 * 24 * 60 * 60;
+            default:
+                return Number.POSITIVE_INFINITY;
+        }
+    }
+    flattenNames(node) {
+        const names = [];
+        this.walk(node, child => {
+            if (child?.type === 'Identifier')
+                names.push(child.name || '');
+            if (child?.type === 'MemberAccess')
+                names.push(child.memberName || '');
+        });
+        return names.join(' ');
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.childNodes(node)) {
+            this.walk(child, visit);
+        }
+    }
+    anyChild(node, predicate) {
+        for (const child of this.childNodes(node)) {
+            if (predicate(child))
+                return true;
+        }
+        return false;
+    }
+    childNodes(node) {
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'typeName')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        children.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+}
+exports.OracleManipulationDetector = OracleManipulationDetector;
+//# sourceMappingURL=oracle-manipulation.js.map