@snovon/solast 0.2.0

package/dist/detectors/price-feed-verification.js

@@ -0,0 +1,557 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PriceFeedVerificationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'oracle/price-feed-verification';
+const PYTH_UNCHECKED_CONFIDENCE = 'pyth-unchecked-confidence';
+const PYTH_UNCHECKED_PUBLISH_TIME = 'pyth-unchecked-publish-time';
+const PYTH_UNCHECKED_PRICE = 'pyth-unchecked-price';
+const CHRONICLE_UNCHECKED_PRICE = 'chronicle-unchecked-price';
+const CHRONICLE_UNCHECKED_FRESHNESS = 'chronicle-unchecked-freshness';
+class PriceFeedVerificationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                const reads = collectOracleReads(body);
+                if (reads.length === 0)
+                    continue;
+                const fnName = functionDisplayName(fn);
+                for (const read of reads) {
+                    const pattern = classifyRead(read, body);
+                    if (!pattern)
+                        continue;
+                    findings.push(buildFinding(file, contractName, fnName, read.callNode, fn, pattern, lineOffsets));
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.PriceFeedVerificationDetector = PriceFeedVerificationDetector;
+function classifyRead(read, body) {
+    if (read.kind === 'pyth') {
+        if (!isPythPriceConsumed(body, read.priceStruct))
+            return null;
+        const hasConfidence = hasPythConfidenceGuard(body, read.priceStruct);
+        const hasPublishTime = read.freshnessByCall || hasPythPublishTimeGuard(body, read.priceStruct);
+        if (hasConfidence && hasPublishTime)
+            return null;
+        if (!hasConfidence && !hasPublishTime)
+            return PYTH_UNCHECKED_PRICE;
+        if (!hasConfidence)
+            return PYTH_UNCHECKED_CONFIDENCE;
+        return PYTH_UNCHECKED_PUBLISH_TIME;
+    }
+    if (!isChroniclePriceConsumed(body, read))
+        return null;
+    const hasValidity = !read.okName || hasValidityGuard(body, read.okName);
+    const hasFreshness = !!read.ageName && hasFreshnessGuard(body, read.ageName);
+    if (read.method === 'read')
+        return CHRONICLE_UNCHECKED_PRICE;
+    if (read.method === 'tryRead')
+        return CHRONICLE_UNCHECKED_FRESHNESS;
+    if (read.method === 'readWithAge')
+        return hasFreshness ? null : CHRONICLE_UNCHECKED_FRESHNESS;
+    if (read.method === 'tryReadWithAge') {
+        if (hasValidity && hasFreshness)
+            return null;
+        return hasFreshness ? CHRONICLE_UNCHECKED_PRICE : CHRONICLE_UNCHECKED_FRESHNESS;
+    }
+    return null;
+}
+function collectOracleReads(body) {
+    const reads = [];
+    const collectedCalls = new WeakSet();
+    walk(body, node => {
+        if (!isNode(node, 'VariableDeclarationStatement'))
+            return;
+        const init = node.initialValue ?? node.initialValueExpression ?? null;
+        if (!isFunctionCall(init))
+            return;
+        const method = getMemberName(unwrapCallOptions(init.expression));
+        if (isPythReadMethod(method)) {
+            const priceStruct = firstDeclaredName(node);
+            if (priceStruct) {
+                reads.push({
+                    kind: 'pyth',
+                    priceStruct,
+                    callNode: init,
+                    freshnessByCall: method === 'getPriceNoOlderThan',
+                });
+                collectedCalls.add(init);
+            }
+            return;
+        }
+        if (isChronicleReadMethod(method) && isChronicleTargetCall(init)) {
+            const names = declaredNames(node);
+            const read = buildChronicleRead(method, names, init);
+            if (read) {
+                reads.push(read);
+                collectedCalls.add(init);
+            }
+        }
+    });
+    walkWithParent(body, (node, parent) => {
+        if (!isFunctionCall(node) || collectedCalls.has(node))
+            return;
+        const method = getMemberName(unwrapCallOptions(node.expression));
+        if (method !== 'read' || !isInlineChronicleReadConsumed(node, parent))
+            return;
+        if (!isChronicleTargetCall(node))
+            return;
+        reads.push({
+            kind: 'chronicle',
+            method,
+            priceName: '',
+            callNode: node,
+            consumedInline: true,
+        });
+        collectedCalls.add(node);
+    });
+    return reads;
+}
+// Chronicle's reader-style methods (`read`, `tryRead`, `readWithAge`,
+// `tryReadWithAge`) collide with names commonly used by non-oracle reader
+// APIs (`vault.read()`, `reader.read()`, ...). Gate Chronicle collection on
+// AST evidence that the call target is plausibly a Chronicle/oracle source:
+// the receiver expression's identifiers, member names, or apparent type info
+// must mention an oracle term or a known Chronicle-style interface. Generic
+// names like `reader` or `vault` are intentionally not in this list.
+const ORACLE_RECEIVER_PATTERN = /chronicle|oracle|feed|scribe|selfkisser|\bwat\b/i;
+function isChronicleTargetCall(call) {
+    const memberAccess = unwrapCallOptions(call?.expression);
+    if (!isNode(memberAccess, 'MemberAccess'))
+        return false;
+    const receiver = memberAccess.expression;
+    if (!receiver || typeof receiver !== 'object')
+        return false;
+    return ORACLE_RECEIVER_PATTERN.test(collectReceiverContextText(receiver));
+}
+function collectReceiverContextText(node) {
+    const parts = [];
+    walk(node, n => {
+        if (!n || typeof n !== 'object')
+            return;
+        if (isNode(n, 'Identifier')) {
+            const name = String(n.name || '');
+            if (name)
+                parts.push(name);
+        }
+        else if (isNode(n, 'MemberAccess')) {
+            const memberName = String(n.memberName || '');
+            if (memberName)
+                parts.push(memberName);
+        }
+        else if (isNode(n, 'UserDefinedTypeName') || isNode(n, 'ElementaryTypeName')) {
+            const name = String(n.name || n.namePath || '');
+            if (name)
+                parts.push(name);
+        }
+        const typeString = n?.typeDescriptions?.typeString;
+        if (typeof typeString === 'string' && typeString)
+            parts.push(typeString);
+    });
+    return parts.join(' ');
+}
+function buildChronicleRead(method, names, callNode) {
+    if (method === 'read') {
+        const priceName = names[0];
+        return priceName ? { kind: 'chronicle', method, priceName, callNode } : null;
+    }
+    if (method === 'tryRead') {
+        const [okName, priceName] = names;
+        return priceName ? { kind: 'chronicle', method, okName, priceName, callNode } : null;
+    }
+    if (method === 'readWithAge') {
+        const [priceName, ageName] = names;
+        return priceName ? { kind: 'chronicle', method, priceName, ageName, callNode } : null;
+    }
+    if (method === 'tryReadWithAge') {
+        const [okName, priceName, ageName] = names;
+        return priceName ? { kind: 'chronicle', method, okName, priceName, ageName, callNode } : null;
+    }
+    return null;
+}
+function isPythPriceConsumed(body, priceStruct) {
+    return hasUseOutsideKnownGuards(body, node => isStructFieldRef(node, priceStruct, 'price'), condition => isPythKnownGuardCondition(condition, priceStruct));
+}
+function isChroniclePriceConsumed(body, read) {
+    if (read.consumedInline)
+        return true;
+    const isKnownGuard = (condition) => isChronicleKnownGuardCondition(condition, read);
+    if (hasUseOutsideKnownGuards(body, n => isIdentifier(n, read.priceName), isKnownGuard))
+        return true;
+    for (const derived of derivedLocalNames(body, read.priceName)) {
+        if (hasUseOutsideKnownGuards(body, n => isIdentifier(n, derived), isKnownGuard))
+            return true;
+    }
+    return false;
+}
+function isPythKnownGuardCondition(condition, priceStruct) {
+    if (containsComparisonWith(condition, n => isStructFieldRef(n, priceStruct, 'conf')))
+        return true;
+    if (hasFreshnessPredicate(condition, n => isStructFieldRef(n, priceStruct, 'publishTime')))
+        return true;
+    return false;
+}
+function isChronicleKnownGuardCondition(condition, read) {
+    if (read.okName && references(condition, n => isIdentifier(n, read.okName)))
+        return true;
+    if (read.ageName && hasFreshnessPredicate(condition, n => isIdentifier(n, read.ageName)))
+        return true;
+    return false;
+}
+function hasUseOutsideKnownGuards(body, matcher, isKnownGuard) {
+    let found = false;
+    function visit(node, inGuard) {
+        if (found || !node || typeof node !== 'object')
+            return;
+        if (!inGuard && matcher(node)) {
+            found = true;
+            return;
+        }
+        if (isNode(node, 'IfStatement')) {
+            const condition = node.condition;
+            if (condition && typeof condition === 'object') {
+                visit(condition, inGuard || isKnownGuard(condition));
+            }
+            const trueBody = node.trueBody ?? node.TrueBody;
+            const falseBody = node.falseBody ?? node.FalseBody;
+            if (trueBody)
+                visit(trueBody, inGuard);
+            if (falseBody)
+                visit(falseBody, inGuard);
+            return;
+        }
+        if (isFunctionCall(node) && isRequireOrAssert(node)) {
+            const args = getCallArguments(node);
+            const first = args[0];
+            if (first && typeof first === 'object') {
+                visit(first, inGuard || isKnownGuard(first));
+            }
+            for (let i = 1; i < args.length; i++) {
+                if (args[i] && typeof args[i] === 'object')
+                    visit(args[i], inGuard);
+            }
+            return;
+        }
+        for (const child of childrenOf(node))
+            visit(child, inGuard);
+    }
+    visit(body, false);
+    return found;
+}
+function derivedLocalNames(body, sourceName) {
+    const out = [];
+    walk(body, node => {
+        if (!isNode(node, 'VariableDeclarationStatement'))
+            return;
+        const init = node.initialValue ?? node.initialValueExpression ?? null;
+        if (!init || !references(init, n => isIdentifier(n, sourceName)))
+            return;
+        for (const name of declaredNames(node)) {
+            if (name && name !== sourceName && !out.includes(name))
+                out.push(name);
+        }
+    });
+    return out;
+}
+function hasPythConfidenceGuard(body, priceStruct) {
+    return hasGuard(body, condition => containsComparisonWith(condition, node => isStructFieldRef(node, priceStruct, 'conf')));
+}
+function hasPythPublishTimeGuard(body, priceStruct) {
+    return hasGuard(body, condition => hasFreshnessPredicate(condition, node => isStructFieldRef(node, priceStruct, 'publishTime')));
+}
+function hasValidityGuard(body, okName) {
+    return hasGuard(body, condition => references(condition, node => isIdentifier(node, okName)));
+}
+function hasFreshnessGuard(body, ageName) {
+    return hasGuard(body, condition => hasFreshnessPredicate(condition, node => isIdentifier(node, ageName)));
+}
+function hasGuard(body, predicate) {
+    let found = false;
+    walk(body, node => {
+        if (found || !node || typeof node !== 'object')
+            return;
+        if (isNode(node, 'IfStatement') && predicate(node.condition)) {
+            found = true;
+            return;
+        }
+        if (isFunctionCall(node) && isRequireOrAssert(node) && predicate(getCallArguments(node)[0])) {
+            found = true;
+        }
+    });
+    return found;
+}
+function containsComparisonWith(node, matcher) {
+    let found = false;
+    walk(node, n => {
+        if (found || !isNode(n, 'BinaryOperation'))
+            return;
+        if (!isComparisonOperator(String(n.operator || '')))
+            return;
+        const left = getBinaryLeft(n);
+        const right = getBinaryRight(n);
+        found = references(left, matcher) || references(right, matcher);
+    });
+    return found;
+}
+function hasFreshnessPredicate(node, matcher) {
+    let found = false;
+    walk(node, n => {
+        if (found || !isNode(n, 'BinaryOperation'))
+            return;
+        if (!isComparisonOperator(String(n.operator || '')))
+            return;
+        const left = getBinaryLeft(n);
+        const right = getBinaryRight(n);
+        found =
+            (references(left, matcher) && references(right, isTimestampOrThreshold)) ||
+                (references(right, matcher) && references(left, isTimestampOrThreshold)) ||
+                references(left, sub => isTimestampMinusMatched(sub, matcher)) ||
+                references(right, sub => isTimestampMinusMatched(sub, matcher));
+    });
+    return found;
+}
+function isTimestampMinusMatched(node, matcher) {
+    if (!isNode(node, 'BinaryOperation') || String(node.operator || '') !== '-')
+        return false;
+    return references(getBinaryLeft(node), isBlockTimestampRef) && references(getBinaryRight(node), matcher);
+}
+function isTimestampOrThreshold(node) {
+    if (isBlockTimestampRef(node))
+        return true;
+    if (isNode(node, 'BinaryOperation')) {
+        return references(getBinaryLeft(node), isBlockTimestampRef) || references(getBinaryRight(node), isBlockTimestampRef);
+    }
+    return isNode(node, 'NumberLiteral') || (isNode(node, 'Literal') && node.kind === 'number') || isNode(node, 'Identifier');
+}
+function references(node, matcher) {
+    let found = false;
+    walk(node, n => {
+        if (!found && matcher(n))
+            found = true;
+    });
+    return found;
+}
+function buildFinding(file, contractName, functionName, node, fn, pattern, lineOffsets) {
+    const loc = (0, ast_1.getLoc)(node, lineOffsets) || (0, ast_1.getLoc)(fn, lineOffsets) || { line: 0, column: 0 };
+    return {
+        file,
+        contract: contractName,
+        'function': functionName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'warning',
+        message: `Oracle price feed verification issue in '${contractName}.${functionName}': ${messageForPattern(pattern)}`,
+        rationale: 'Pyth and Chronicle feeds expose confidence, validity, and freshness metadata that must be checked before the returned price is consumed.',
+        suggestedFix: 'Check Pyth conf and publishTime before using price, or use getPriceNoOlderThan plus a confidence bound. For Chronicle, prefer readWithAge/tryReadWithAge and require validity plus bounded age.',
+        contractName,
+        functionName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        trace: pattern,
+        findingId: '',
+        contractHash: '',
+    };
+}
+function messageForPattern(pattern) {
+    if (pattern === PYTH_UNCHECKED_CONFIDENCE)
+        return 'Pyth price is consumed without bounding conf.';
+    if (pattern === PYTH_UNCHECKED_PUBLISH_TIME)
+        return 'Pyth price is consumed without a publishTime freshness check.';
+    if (pattern === PYTH_UNCHECKED_PRICE)
+        return 'Pyth price is consumed without confidence or publishTime validation.';
+    if (pattern === CHRONICLE_UNCHECKED_FRESHNESS)
+        return 'Chronicle price is consumed without a freshness check.';
+    return 'Chronicle price is consumed without validity or freshness metadata.';
+}
+function isPythReadMethod(name) {
+    return name === 'getPrice' || name === 'getPriceUnsafe' || name === 'getPriceNoOlderThan';
+}
+function isChronicleReadMethod(name) {
+    return name === 'read' || name === 'tryRead' || name === 'readWithAge' || name === 'tryReadWithAge';
+}
+function isRequireOrAssert(node) {
+    const expr = unwrapCallOptions(node?.expression);
+    return isNode(expr, 'Identifier') && (expr.name === 'require' || expr.name === 'assert');
+}
+function isStructFieldRef(node, structName, fieldName) {
+    if (!isNode(node, 'MemberAccess'))
+        return false;
+    if (String(node.memberName || '') !== fieldName)
+        return false;
+    return isIdentifier(node.expression, structName);
+}
+function isBlockTimestampRef(node) {
+    return isNode(node, 'MemberAccess') &&
+        String(node.memberName || '') === 'timestamp' &&
+        isIdentifier(node.expression, 'block');
+}
+function isIdentifier(node, name) {
+    return isNode(node, 'Identifier') && String(node.name || '') === name;
+}
+function isComparisonOperator(op) {
+    return op === '>' || op === '>=' || op === '<' || op === '<=' || op === '==' || op === '!=';
+}
+function firstDeclaredName(stmt) {
+    return declaredNames(stmt)[0] || '';
+}
+function declaredNames(stmt) {
+    return getVariableDeclarations(stmt).map(getName).filter(Boolean);
+}
+function getVariableDeclarations(stmt) {
+    if (Array.isArray(stmt?.variables))
+        return stmt.variables.filter(Boolean);
+    if (Array.isArray(stmt?.declarations))
+        return stmt.declarations.filter(Boolean);
+    return [];
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            out.push(node);
+    });
+    return out;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function functionDisplayName(fn) {
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (fn?.isFallback === true || kind === 'fallback')
+        return '<fallback>';
+    if (fn?.isReceiveEther === true || kind === 'receive')
+        return '<receive>';
+    if (fn?.isConstructor === true || kind === 'constructor')
+        return '<constructor>';
+    return getName(fn) || '<anonymous>';
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function isFunctionCall(node) {
+    return isNode(node, 'FunctionCall');
+}
+function isInlineChronicleReadConsumed(call, parent) {
+    if (!parent || typeof parent !== 'object')
+        return false;
+    if (isNode(parent, 'ReturnStatement') || isNode(parent, 'Return'))
+        return true;
+    if (isNode(parent, 'Assignment'))
+        return true;
+    if (isNode(parent, 'BinaryOperation'))
+        return true;
+    if (isNode(parent, 'UnaryOperation'))
+        return true;
+    if (isNode(parent, 'Conditional'))
+        return true;
+    if (isFunctionCall(parent) && getCallArguments(parent).includes(call))
+        return true;
+    if (isNode(parent, 'VariableDeclarationStatement')) {
+        const init = parent.initialValue ?? parent.initialValueExpression ?? null;
+        return init === call;
+    }
+    return false;
+}
+function unwrapCallOptions(expr) {
+    if (!expr || typeof expr !== 'object')
+        return expr;
+    if (isNode(expr, 'NameValueExpression') || isNode(expr, 'FunctionCallOptions')) {
+        return unwrapCallOptions(expr.expression);
+    }
+    return expr;
+}
+function getMemberName(expr) {
+    return isNode(expr, 'MemberAccess') ? String(expr.memberName || '') : '';
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function getBinaryLeft(node) {
+    return node?.left ?? node?.leftExpression ?? node?.leftHandSide;
+}
+function getBinaryRight(node) {
+    return node?.right ?? node?.rightExpression ?? node?.rightHandSide;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkWithParent(node, visit, parent = null) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node, parent);
+    for (const child of childrenOf(node))
+        walkWithParent(child, visit, node);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+//# sourceMappingURL=price-feed-verification.js.map

package/dist/detectors/price-manipulation-reentrancy.d.ts

@@ -0,0 +1,32 @@
+import type { ScanResult } from '../index';
+export declare class PriceManipulationReentrancyDetector {
+    readonly id = "price-manipulation-reentrancy";
+    readonly patternKey = "price-manipulation-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private findings;
+    private contracts;
+    private currentFunction;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ['ContractDefinition:exit'](): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    ['FunctionDefinition:exit'](): void;
+    VariableDeclarationStatement(node: any): void;
+    ExpressionStatement(node: any): void;
+    ReturnStatement(node: any): void;
+    EmitStatement(node: any): void;
+    private recordStatement;
+    private finalizeContract;
+    private buildFinding;
+    private currentContract;
+}