@snovon/solast 0.2.0

package/dist/detectors/price-manipulation-via-reentranc.js

@@ -0,0 +1,569 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PriceManipulationViaReentrancDetector = void 0;
+const RULE_ID = 'price-manipulation-via-reentranc';
+const PROVENANCE = 'x-20231130-carolprotocol-price-manipulation-via-reentranc';
+const NONREENTRANT_MODIFIERS = new Set([
+    'nonreentrant',
+    'nonreentrantview',
+    'nonreentrantreadonly',
+    'nonreentrantbefore',
+    'nonreentrantafter',
+]);
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+const BUILTIN_BASE_IDENTIFIERS = new Set([
+    'msg', 'block', 'tx', 'abi', 'super', 'this', 'address', 'payable',
+    'type', 'bytes', 'string', 'keccak256', 'sha256', 'ripemd160', 'ecrecover',
+    'assert', 'require', 'revert', 'gasleft',
+]);
+const LOW_LEVEL_CALL_NAMES = new Set(['call', 'delegatecall']);
+class PriceManipulationViaReentrancDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const accountingVars = collectAccountingStateNames(contract);
+            if (accountingVars.size === 0)
+                continue;
+            const functions = new Map();
+            for (const fn of getContractFunctions(contract)) {
+                const info = buildFunctionInfo(fn, accountingVars);
+                functions.set(info.name, info);
+            }
+            const transitiveReads = computeTransitiveProperty(functions, info => info.directlyReadsPricing);
+            const transitiveWrites = computeTransitiveProperty(functions, info => info.directlyWritesAccounting);
+            const transitiveCallsRouter = computeTransitiveProperty(functions, info => info.directlyCallsRouter);
+            const allAccountingEntriesGuarded = checkAllAccountingEntriesGuarded(functions, transitiveReads, transitiveWrites);
+            for (const info of functions.values()) {
+                if (!isExternallyCallable(info.node))
+                    continue;
+                if (info.isView)
+                    continue;
+                if (!info.body)
+                    continue;
+                if (info.hasAccessControl)
+                    continue;
+                const result = analyzeEntryFunction(info, functions, accountingVars, transitiveReads, transitiveWrites, transitiveCallsRouter);
+                if (!result)
+                    continue;
+                if (info.hasNonReentrant && allAccountingEntriesGuarded)
+                    continue;
+                const contractName = getName(contract) || '<anonymous>';
+                const fnLoc = getLoc(info.node, lineOffsets) || { line: 0, column: 0 };
+                const callLoc = getLoc(result.callNode, lineOffsets) || fnLoc;
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: fnLoc.line,
+                    endLine: callLoc.line || fnLoc.line,
+                    column: fnLoc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Price manipulation via reentrancy risk in '${contractName}.${info.name}': pricing or reserve state is read before a router ETH-delivery swap and accounting is settled only after the external call.`,
+                    rationale: 'Matches the CarolProtocol-style sequence where a user sell/redemption quotes against reserve/accounting state, yields to a swapExactTokensForETH-style router call that can deliver ETH and trigger reentry, then updates balances or reserves after the callback surface.',
+                    suggestedFix: 'Apply checks-effects-interactions by finalizing user balances and reserve/accounting state before the router call, or protect every externally callable pricing/accounting path with the same reentrancy guard. Restrict maintenance-only rebalance paths with recognized access control.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: fnLoc.line, column: fnLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.PriceManipulationViaReentrancDetector = PriceManipulationViaReentrancDetector;
+function buildFunctionInfo(fn, accountingVars) {
+    const body = getFunctionBody(fn);
+    const firstDirectRouterCall = body ? findFirstRouterCall(body) : null;
+    return {
+        node: fn,
+        name: functionDisplayName(fn),
+        body,
+        isView: isViewLike(fn),
+        hasNonReentrant: hasNonReentrantModifier(fn),
+        hasAccessControl: hasRecognizedAccessControl(fn, body),
+        internalCalls: body ? collectInternalCallNames(body) : new Set(),
+        directlyReadsPricing: !!body && bodyReadsPricingState(body, accountingVars),
+        directlyWritesAccounting: !!body && bodyWritesAccountingState(body, accountingVars),
+        directlyCallsRouter: !!firstDirectRouterCall,
+        firstDirectRouterCall,
+    };
+}
+function computeTransitiveProperty(functions, prop) {
+    const cache = new Map();
+    function compute(info, seen) {
+        const cached = cache.get(info.name);
+        if (cached !== undefined)
+            return cached;
+        if (prop(info)) {
+            cache.set(info.name, true);
+            return true;
+        }
+        if (seen.has(info.name))
+            return false;
+        seen.add(info.name);
+        for (const callee of info.internalCalls) {
+            const called = functions.get(callee);
+            if (called && compute(called, seen)) {
+                cache.set(info.name, true);
+                return true;
+            }
+        }
+        cache.set(info.name, false);
+        return false;
+    }
+    for (const info of functions.values())
+        compute(info, new Set());
+    return cache;
+}
+function checkAllAccountingEntriesGuarded(functions, transitiveReads, transitiveWrites) {
+    for (const info of functions.values()) {
+        if (!isExternallyCallable(info.node))
+            continue;
+        if (info.isView)
+            continue;
+        if (!(transitiveReads.get(info.name) || transitiveWrites.get(info.name)))
+            continue;
+        if (!info.hasNonReentrant)
+            return false;
+    }
+    return true;
+}
+function analyzeEntryFunction(info, functions, accountingVars, transitiveReads, transitiveWrites, transitiveCallsRouter) {
+    let readBeforeCall = false;
+    let callBeforeSettlement = null;
+    for (const stmt of getBlockStatements(info.body)) {
+        const events = summarizeStatement(stmt, functions, accountingVars, transitiveReads, transitiveWrites, transitiveCallsRouter);
+        if (!callBeforeSettlement && events.readsPricing) {
+            readBeforeCall = true;
+        }
+        if (!callBeforeSettlement && readBeforeCall && events.routerCall) {
+            callBeforeSettlement = events.routerCall;
+        }
+        if (callBeforeSettlement && events.writesAccounting) {
+            return { callNode: callBeforeSettlement };
+        }
+    }
+    return null;
+}
+function summarizeStatement(stmt, functions, accountingVars, transitiveReads, transitiveWrites, transitiveCallsRouter) {
+    let readsPricing = bodyReadsPricingState(stmt, accountingVars);
+    let writesAccounting = bodyWritesAccountingState(stmt, accountingVars);
+    let routerCall = findFirstRouterCall(stmt);
+    for (const calleeName of collectInternalCallNames(stmt)) {
+        const callee = functions.get(calleeName);
+        if (!callee)
+            continue;
+        if (transitiveReads.get(callee.name))
+            readsPricing = true;
+        if (transitiveWrites.get(callee.name))
+            writesAccounting = true;
+        if (transitiveCallsRouter.get(callee.name) && !routerCall)
+            routerCall = callee.firstDirectRouterCall || callee.node;
+    }
+    return { readsPricing, writesAccounting, routerCall };
+}
+function collectAccountingStateNames(contract) {
+    const names = new Set();
+    for (const child of getContractMembers(contract)) {
+        if (isNode(child, 'StateVariableDeclaration')) {
+            for (const variable of child.variables || []) {
+                const name = String(variable?.name || '');
+                if (isAccountingStateName(name))
+                    names.add(name);
+            }
+        }
+        else if (isNode(child, 'VariableDeclaration') && child.stateVariable) {
+            const name = String(child.name || '');
+            if (isAccountingStateName(name))
+                names.add(name);
+        }
+    }
+    return names;
+}
+function isAccountingStateName(name) {
+    return /reserve/i.test(name)
+        || /balance/i.test(name)
+        || /account/i.test(name)
+        || /^_?pool/i.test(name)
+        || /liquidity/i.test(name)
+        || /assets?$/i.test(name)
+        || /shares?$/i.test(name);
+}
+function bodyReadsPricingState(body, accountingVars) {
+    let readsAccounting = false;
+    let usesPriceArithmetic = false;
+    walk(body, node => {
+        if (!node || typeof node !== 'object')
+            return;
+        if (isNode(node, 'Identifier') && accountingVars.has(String(node.name || ''))) {
+            readsAccounting = true;
+        }
+        if (isNode(node, 'MemberAccess') && accountingVars.has(String(node.memberName || ''))) {
+            readsAccounting = true;
+        }
+        if (isNode(node, 'BinaryOperation')) {
+            const op = String(node.operator || '');
+            if (op === '/' || op === '*')
+                usesPriceArithmetic = true;
+        }
+    });
+    return readsAccounting && usesPriceArithmetic;
+}
+function bodyWritesAccountingState(body, accountingVars) {
+    return walkAny(body, node => isAccountingAssignment(node, accountingVars) || isAccountingUnaryMutation(node, accountingVars));
+}
+function isAccountingAssignment(node, accountingVars) {
+    if (!node || typeof node !== 'object')
+        return false;
+    let lhs = null;
+    if (isNode(node, 'BinaryOperation')) {
+        const op = String(node.operator || '');
+        if (!op.includes('=') || ['==', '===', '!=', '!==', '<=', '>='].includes(op))
+            return false;
+        lhs = node.left || node.leftExpression;
+    }
+    else if (isNode(node, 'Assignment')) {
+        if (!String(node.operator || '').includes('='))
+            return false;
+        lhs = node.leftHandSide;
+    }
+    else {
+        return false;
+    }
+    return targetsAccountingState(lhs, accountingVars);
+}
+function isAccountingUnaryMutation(node, accountingVars) {
+    if (!isNode(node, 'UnaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    if (op !== '++' && op !== '--' && op !== 'delete')
+        return false;
+    return targetsAccountingState(node.subExpression, accountingVars);
+}
+function targetsAccountingState(expr, accountingVars) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier'))
+        return accountingVars.has(String(expr.name || ''));
+    if (isNode(expr, 'MemberAccess'))
+        return accountingVars.has(String(expr.memberName || ''));
+    if (isNode(expr, 'IndexAccess'))
+        return targetsAccountingState(expr.base || expr.baseExpression, accountingVars);
+    if (isNode(expr, 'TupleExpression'))
+        return (expr.components || []).some((c) => targetsAccountingState(c, accountingVars));
+    return false;
+}
+function findFirstRouterCall(node) {
+    let found = null;
+    walkAny(node, candidate => {
+        if (found)
+            return true;
+        if (isNode(candidate, 'FunctionCall') && isRouterSwapCall(candidate)) {
+            found = candidate;
+            return true;
+        }
+        return false;
+    });
+    return found;
+}
+function isRouterSwapCall(call) {
+    const callee = call?.expression;
+    if (!callee || typeof callee !== 'object')
+        return false;
+    if (isNode(callee, 'MemberAccess')) {
+        const memberName = String(callee.memberName || '');
+        if (/^swapExactTokensForETH/i.test(memberName))
+            return hasExternalReceiver(callee.expression);
+        if (LOW_LEVEL_CALL_NAMES.has(memberName)) {
+            return hasExternalReceiver(callee.expression) && callContainsSwapSignature(call);
+        }
+    }
+    return false;
+}
+function hasExternalReceiver(receiver) {
+    if (!receiver || typeof receiver !== 'object')
+        return false;
+    if (isNode(receiver, 'Identifier')) {
+        const name = String(receiver.name || '');
+        return !!name && !BUILTIN_BASE_IDENTIFIERS.has(name);
+    }
+    if (isNode(receiver, 'MemberAccess')) {
+        const base = flattenNames(receiver).toLowerCase();
+        return !!base && !base.startsWith('msg.') && !base.startsWith('block.') && !base.startsWith('abi.');
+    }
+    if (isNode(receiver, 'FunctionCall')) {
+        const inner = receiver.expression;
+        if (isNode(inner, 'Identifier')) {
+            const name = String(inner.name || '');
+            return /^[A-Z]/.test(name);
+        }
+    }
+    return false;
+}
+function callContainsSwapSignature(call) {
+    return walkAny(call, node => {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (isNode(node, 'StringLiteral'))
+            return String(node.value || '').includes('swapExactTokensForETH');
+        if (isNode(node, 'Literal') && String(node.kind || '').toLowerCase() === 'string') {
+            return String(node.value || node.hexValue || '').includes('swapExactTokensForETH');
+        }
+        return false;
+    });
+}
+function hasRecognizedAccessControl(fn, body) {
+    for (const mod of fn?.modifiers || []) {
+        const name = getModifierName(mod).toLowerCase();
+        if (ACCESS_CONTROL_MODIFIERS.has(name))
+            return true;
+        if (/^only(owner|admin|role|govern|guardian|manager|operator|authorized)/i.test(name))
+            return true;
+    }
+    return !!body && walkAny(body, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return false;
+        const callee = getCalleeName(node).toLowerCase();
+        if (callee !== 'require' && callee !== 'assert')
+            return false;
+        return flattenNames((node.arguments || [])[0]).toLowerCase().includes('msg.sender')
+            && /\b(owner|admin|governor|guardian|manager|operator)\b/i.test(flattenNames((node.arguments || [])[0]));
+    });
+}
+function hasNonReentrantModifier(fn) {
+    for (const mod of fn?.modifiers || []) {
+        const name = getModifierName(mod).toLowerCase();
+        if (NONREENTRANT_MODIFIERS.has(name) || name.includes('nonreentrant'))
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object') {
+        if (typeof modifier.name.name === 'string')
+            return modifier.name.name;
+        if (typeof modifier.name.namePath === 'string')
+            return modifier.name.namePath;
+    }
+    if (modifier.modifierName) {
+        const inner = modifier.modifierName;
+        if (typeof inner === 'string')
+            return inner;
+        if (inner && typeof inner.name === 'string')
+            return inner.name;
+    }
+    return '';
+}
+function collectInternalCallNames(stmt) {
+    const names = new Set();
+    walk(stmt, node => {
+        if (!isNode(node, 'FunctionCall'))
+            return;
+        const callee = node.expression;
+        if (isNode(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name && !BUILTIN_BASE_IDENTIFIERS.has(name))
+                names.add(name);
+        }
+    });
+    return names;
+}
+function getCalleeName(call) {
+    const expr = call?.expression;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function flattenNames(node) {
+    const parts = [];
+    walk(node, child => {
+        if (isNode(child, 'Identifier') && child.name)
+            parts.push(String(child.name));
+        if (isNode(child, 'MemberAccess') && child.memberName)
+            parts.push(String(child.memberName));
+        if (isNode(child, 'Literal') || isNode(child, 'StringLiteral')) {
+            if (child.value)
+                parts.push(String(child.value));
+        }
+    });
+    return parts.join('.');
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isViewLike(fn) {
+    const mutability = String(fn?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function functionDisplayName(fn) {
+    if (fn?.isFallback === true)
+        return '<fallback>';
+    if (fn?.isReceiveEther === true)
+        return '<receive>';
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (kind === 'fallback')
+        return '<fallback>';
+    if (kind === 'receive')
+        return '<receive>';
+    if (kind === 'constructor')
+        return '<constructor>';
+    const name = fn?.name;
+    if (typeof name === 'string' && name.length > 0)
+        return name;
+    return '<anonymous>';
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function getBlockStatements(body) {
+    if (!body || typeof body !== 'object')
+        return [];
+    return Array.isArray(body.statements) ? body.statements : [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, node => out.push(node));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return node.loc.start;
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=price-manipulation-via-reentranc.js.map

package/dist/detectors/price-oracle-manipulation.d.ts

@@ -0,0 +1,25 @@
+import type { ScanResult } from '../index';
+export declare class PriceOracleManipulationDetector {
+    readonly id = "price-oracle-manipulation";
+    readonly patternKey = "price-oracle-manipulation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private findings;
+    private currentContractName;
+    private currentContractNode;
+    private currentContractConcrete;
+    private spotHelpers;
+    private reportedFunctions;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    FunctionDefinition(node: any): void;
+}