@snovon/solast 0.2.0

package/dist/detectors/oracle-vortex-manipulation.d.ts

@@ -0,0 +1,30 @@
+import type { ScanResult } from '../index';
+export declare class OracleVortexManipulationDetector {
+    readonly id = "oracle-vortex-manipulation";
+    readonly patternKey = "oracle-vortex-manipulation";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private findings;
+    private seen;
+    private stateVars;
+    private currentFunction;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(): void;
+    VariableDeclarationStatement(node: any): void;
+    BinaryOperation(node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    private propagateTaint;
+    private isTaintConsumed;
+    private isOracleRead;
+    private getOracleBase;
+    private expressionUsesTainted;
+    private isStorageWrite;
+    private walk;
+    private childNodes;
+}

package/dist/detectors/oracle-vortex-manipulation.js

@@ -0,0 +1,473 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OracleVortexManipulationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const price_rate_1 = require("./_common/price-rate");
+const RULE_ID = 'oracle-vortex-manipulation';
+const PATTERN = RULE_ID;
+const CRITICAL_FUNCTION_RE = /^(mint|burn|swap|redeem|liquidate|borrow|repay)/i;
+const ORACLE_CALLEE_NAMES = new Set([
+    'latestAnswer',
+    'latestRoundData',
+    'getPrice',
+    'getPriceUnsafe',
+]);
+const PAUSE_MODIFIER_RE = /paused|pause|whennotpaused|notpaused|ispaused/i;
+class OracleVortexManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    currentContract = '';
+    findings = [];
+    seen = new Set();
+    stateVars = new Set();
+    currentFunction = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.findings = [];
+        this.seen.clear();
+        this.stateVars.clear();
+        this.currentFunction = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node?.name || '<anonymous>';
+        this.stateVars.clear();
+        for (const sub of node?.subNodes || []) {
+            if (sub?.type === 'StateVariableDeclaration') {
+                for (const v of sub?.variables || []) {
+                    if (v?.name)
+                        this.stateVars.add(v.name);
+                }
+            }
+        }
+    }
+    ContractDefinition_post() {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        const name = node?.name || '';
+        if (!node?.body || !CRITICAL_FUNCTION_RE.test(name)) {
+            this.currentFunction = null;
+            return;
+        }
+        const hasPauseModifier = (node.modifiers || []).some((mod) => {
+            const modName = extractModifierName(mod);
+            return PAUSE_MODIFIER_RE.test(modName);
+        });
+        this.currentFunction = {
+            node,
+            name,
+            oracleReads: [],
+            oracleBases: new Set(),
+            tainted: new Set(),
+            freshnessCheck: false,
+            multiSource: false,
+            pauseGuard: hasPauseModifier,
+            emitted: false,
+        };
+    }
+    FunctionDefinition_post() {
+        const state = this.currentFunction;
+        this.currentFunction = null;
+        if (!state || state.emitted || state.oracleReads.length === 0)
+            return;
+        // If any mitigation is present, do not emit.
+        if (state.freshnessCheck || state.multiSource || state.pauseGuard)
+            return;
+        // Propagate taint and check consumption.
+        this.propagateTaint(state);
+        if (!this.isTaintConsumed(state))
+            return;
+        const read = state.oracleReads[0];
+        // Bind primaryLoc separately so endLine stays sourced from `read`
+        // only (matches legacy `read?.loc?.end?.line || line` semantics).
+        const primaryLoc = (0, ast_1.tryLoc)(read);
+        const loc = primaryLoc ?? (0, ast_1.tryLoc)(state.node) ?? { line: 0, endLine: 0, column: 0 };
+        const { line, column } = loc;
+        const endLine = primaryLoc?.endLine ?? line;
+        const key = `${this.currentFile}:${state.name}`;
+        if (this.seen.has(key))
+            return;
+        this.seen.add(key);
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContract,
+            'function': state.name,
+            line,
+            endLine,
+            column,
+            pattern: PATTERN,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Oracle manipulation risk in function '${state.name}': external price feed is consumed without freshness check, multi-source validation, or circuit-breaker guard.`,
+            contractName: this.currentContract,
+            functionName: state.name,
+            sourceLocation: { line, column },
+            findingId: '',
+            contractHash: '',
+        });
+        state.emitted = true;
+    }
+    VariableDeclarationStatement(node) {
+        const state = this.currentFunction;
+        if (!state)
+            return;
+        const initial = node?.initialValue;
+        if (!initial)
+            return;
+        const declared = getDeclaredNames(node);
+        if (this.isOracleRead(initial)) {
+            state.oracleReads.push(initial);
+            const base = this.getOracleBase(initial);
+            if (base) {
+                state.oracleBases.add(base);
+                if (state.oracleBases.size >= 2)
+                    state.multiSource = true;
+            }
+            for (const name of declared) {
+                if (name)
+                    state.tainted.add(name);
+            }
+            return;
+        }
+        if (this.expressionUsesTainted(initial, state)) {
+            for (const name of declared) {
+                if (name)
+                    state.tainted.add(name);
+            }
+        }
+    }
+    BinaryOperation(node) {
+        const state = this.currentFunction;
+        if (!state)
+            return;
+        if (isAssignmentOperator(node?.operator)) {
+            const leftName = identifierBaseName(node?.left);
+            const right = node?.right;
+            if (leftName && right) {
+                if (this.isOracleRead(right)) {
+                    state.oracleReads.push(right);
+                    const base = this.getOracleBase(right);
+                    if (base) {
+                        state.oracleBases.add(base);
+                        if (state.oracleBases.size >= 2)
+                            state.multiSource = true;
+                    }
+                    state.tainted.add(leftName);
+                }
+                else if (this.expressionUsesTainted(right, state)) {
+                    state.tainted.add(leftName);
+                }
+            }
+        }
+    }
+    FunctionCall(node) {
+        const state = this.currentFunction;
+        if (!state || state.emitted)
+            return;
+        const callee = getCalleeName(node);
+        if ((callee === 'require' || callee === 'assert') && node?.arguments?.[0]) {
+            const condition = node.arguments[0];
+            if ((0, price_rate_1.isFreshnessGuard)(condition)) {
+                state.freshnessCheck = true;
+            }
+            if (isPauseGuard(condition)) {
+                state.pauseGuard = true;
+            }
+        }
+        if (this.isOracleRead(node)) {
+            state.oracleReads.push(node);
+            const base = this.getOracleBase(node);
+            if (base) {
+                state.oracleBases.add(base);
+                if (state.oracleBases.size >= 2)
+                    state.multiSource = true;
+            }
+        }
+    }
+    IfStatement(node) {
+        const state = this.currentFunction;
+        if (!state || state.emitted)
+            return;
+        const condition = node?.condition;
+        if (!condition)
+            return;
+        if ((0, price_rate_1.isFreshnessGuard)(condition)) {
+            state.freshnessCheck = true;
+        }
+        if (isPauseGuard(condition) && statementContainsRevert(node?.trueBody)) {
+            state.pauseGuard = true;
+        }
+    }
+    propagateTaint(state) {
+        const body = state.node.body;
+        if (!body)
+            return;
+        let changed = true;
+        while (changed) {
+            changed = false;
+            this.walk(body, (n) => {
+                if (n.type === 'VariableDeclarationStatement' && n.initialValue) {
+                    if (this.expressionUsesTainted(n.initialValue, state)) {
+                        for (const name of getDeclaredNames(n)) {
+                            if (name && !state.tainted.has(name)) {
+                                state.tainted.add(name);
+                                changed = true;
+                            }
+                        }
+                    }
+                }
+                if (n.type === 'BinaryOperation' && isAssignmentOperator(n.operator)) {
+                    const leftName = identifierBaseName(n.left);
+                    const right = n.right;
+                    if (leftName && right && this.expressionUsesTainted(right, state)) {
+                        if (!state.tainted.has(leftName)) {
+                            state.tainted.add(leftName);
+                            changed = true;
+                        }
+                    }
+                }
+            });
+        }
+    }
+    isTaintConsumed(state) {
+        const body = state.node.body;
+        if (!body)
+            return false;
+        let consumed = false;
+        this.walk(body, (n) => {
+            if (consumed)
+                return;
+            if (n.type === 'ReturnStatement') {
+                if (this.expressionUsesTainted(n.expression, state))
+                    consumed = true;
+            }
+            if (n.type === 'ExpressionStatement' && n.expression?.type === 'BinaryOperation' && isAssignmentOperator(n.expression.operator)) {
+                const left = n.expression.left;
+                const right = n.expression.right;
+                if (this.isStorageWrite(left, state) && this.expressionUsesTainted(right, state)) {
+                    consumed = true;
+                }
+            }
+            if (n.type === 'FunctionCall') {
+                const callee = getCalleeName(n);
+                if (callee !== 'require' && callee !== 'assert') {
+                    for (const arg of n.arguments || []) {
+                        if (this.expressionUsesTainted(arg, state, false))
+                            consumed = true;
+                    }
+                }
+            }
+        });
+        return consumed;
+    }
+    isOracleRead(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return false;
+        const callee = getCalleeName(node);
+        if (ORACLE_CALLEE_NAMES.has(callee)) {
+            // Require MemberAccess for well-known oracle methods.
+            return node.expression?.type === 'MemberAccess';
+        }
+        if (callee === 'price') {
+            const expr = node.expression;
+            if (expr?.type === 'MemberAccess') {
+                const baseName = getBaseIdentifierName(expr.expression);
+                return this.stateVars.has(baseName);
+            }
+            return false;
+        }
+        return false;
+    }
+    getOracleBase(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return '';
+        const expr = node.expression;
+        if (expr?.type === 'MemberAccess') {
+            return getBaseIdentifierName(expr.expression);
+        }
+        return '';
+    }
+    expressionUsesTainted(expr, state, includeOracleReads = true) {
+        let found = false;
+        this.walk(expr, (child) => {
+            if (found)
+                return;
+            if (child?.type === 'Identifier' && state.tainted.has(child.name))
+                found = true;
+            if (includeOracleReads && child?.type === 'FunctionCall' && this.isOracleRead(child))
+                found = true;
+        });
+        return found;
+    }
+    isStorageWrite(node, state) {
+        if (!node)
+            return false;
+        if (node.type === 'IndexAccess')
+            return true;
+        if (node.type === 'MemberAccess') {
+            const base = getBaseIdentifierName(node.expression);
+            return this.stateVars.has(base);
+        }
+        if (node.type === 'Identifier') {
+            return this.stateVars.has(node.name);
+        }
+        return false;
+    }
+    walk(node, visitor) {
+        if (!node || typeof node !== 'object')
+            return;
+        visitor(node);
+        for (const child of this.childNodes(node)) {
+            this.walk(child, visitor);
+        }
+    }
+    childNodes(node) {
+        const children = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'typeName')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        children.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                children.push(value);
+            }
+        }
+        return children;
+    }
+}
+exports.OracleVortexManipulationDetector = OracleVortexManipulationDetector;
+// Post-visit hook aliases for parser :exit compatibility.
+const _proto = OracleVortexManipulationDetector.prototype;
+_proto['ContractDefinition:exit'] = _proto.ContractDefinition_post;
+_proto['FunctionDefinition:exit'] = _proto.FunctionDefinition_post;
+function extractModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function getCalleeName(node) {
+    if (!node)
+        return '';
+    if ((0, ast_1.isNode)(node, 'FunctionCall'))
+        return getCalleeName(node.expression);
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return node.memberName || '';
+    return '';
+}
+function getBaseIdentifierName(expr) {
+    if (!expr)
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return getBaseIdentifierName(expr.expression);
+    return '';
+}
+function getDeclaredNames(node) {
+    const vars = Array.isArray(node?.variables) ? node.variables : Array.isArray(node?.declarations) ? node.declarations : [];
+    const names = [];
+    for (const variable of vars) {
+        if (variable?.name)
+            names.push(String(variable.name));
+    }
+    return names;
+}
+function identifierBaseName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return identifierBaseName(node.expression);
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return identifierBaseName(node.base || node.baseExpression);
+    return '';
+}
+function isAssignmentOperator(operator) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '|=', '&=', '^=', '<<=', '>>='].includes(operator);
+}
+function isPauseGuard(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        const callee = getCalleeName(node);
+        if (callee === 'require' || callee === 'assert') {
+            const arg = (node.arguments || [])[0];
+            return isPauseGuard(arg);
+        }
+    }
+    if ((0, ast_1.isNode)(node, 'UnaryOperation') && node.operator === '!') {
+        const name = getIdentifierName(node.subExpression);
+        return /paused/i.test(name);
+    }
+    if ((0, ast_1.isNode)(node, 'BinaryOperation') && (node.operator === '==' || node.operator === '!=')) {
+        const leftName = getIdentifierName(node.left);
+        const rightName = getIdentifierName(node.right);
+        if (/paused/i.test(leftName) && (rightName === 'false' || rightName === 'true'))
+            return true;
+        if (/paused/i.test(rightName) && (leftName === 'false' || leftName === 'true'))
+            return true;
+    }
+    if ((0, ast_1.isNode)(node, 'BinaryOperation') && (node.operator === '&&' || node.operator === '||')) {
+        return isPauseGuard(node.left) || isPauseGuard(node.right);
+    }
+    return false;
+}
+function getIdentifierName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return node.name || '';
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return node.memberName || '';
+    return '';
+}
+function statementContainsRevert(statement) {
+    let found = false;
+    function walk(node) {
+        if (found || !node || typeof node !== 'object')
+            return;
+        if ((0, ast_1.isNode)(node, 'RevertStatement'))
+            found = true;
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const callee = getCalleeName(node);
+            if (callee === 'revert')
+                found = true;
+        }
+        for (const child of Object.values(node)) {
+            if (!child || typeof child !== 'object')
+                continue;
+            if (Array.isArray(child)) {
+                for (const item of child)
+                    walk(item);
+            }
+            else {
+                walk(child);
+            }
+        }
+    }
+    walk(statement);
+    return found;
+}
+//# sourceMappingURL=oracle-vortex-manipulation.js.map

package/dist/detectors/overpriced-asset-in-oracle.d.ts

@@ -0,0 +1,41 @@
+import type { ScanResult } from '../index';
+export declare class OverpricedAssetInOracleDetector {
+    readonly id = "overpriced-asset-in-oracle";
+    readonly patternKey = "overpriced-asset-in-oracle";
+    readonly supportedAstKinds: "parser"[];
+    private currentFile;
+    private currentContract;
+    private currentContractKind;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition_post(node: any): void;
+    private processNode;
+    private processVariableDeclaration;
+    private processAssignment;
+    private processIfStatement;
+    private processFunctionCall;
+    private markSinkIfVulnerable;
+    private hasUnboundedTaintedMultiplication;
+    private isAccountingOperand;
+    private isRequireUpperBound;
+    private isIfRevertUpperBound;
+    private markBoundedNamesFromRequire;
+    private markBoundedNamesFromIfRevert;
+    private markBoundedIdentifiers;
+    private isMinClampOfTaintedValue;
+    private statementAlwaysReverts;
+    private declaredNamesForInitializer;
+    private containsTaintOrOracleSource;
+    private containsUnboundedTaintOrOracleSource;
+    private isOracleSourceCall;
+    private oracleMethodName;
+    private unwrapCallOptions;
+    private callName;
+    private collectIdentifiers;
+    private walk;
+    private childNodes;
+    private makeFinding;
+}