@snovon/solast 0.2.0

package/dist/detectors/price-oracle-manipulation.js

@@ -0,0 +1,530 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PriceOracleManipulationDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'price-oracle-manipulation';
+const PROVENANCE = 'x-20250623-gradientmakerpool-price-oracle-manipulation';
+const SPOT_SOURCE_CALLS = new Set(['getReserves', 'getAmountOut', 'getAmountsOut']);
+const SINK_CALLS = new Set([
+    'transfer',
+    'transferfrom',
+    'safetransfer',
+    'safetransferfrom',
+    'sendvalue',
+    'mint',
+    '_mint',
+    'borrow',
+    'redeem',
+    'withdraw',
+]);
+const REFERENCE_TERMS = /(twap|reference|stored|median|trusted|oracleprice|lastprice|maxdeviation|deviation|circuit|delay)/i;
+const ACCOUNTING_TERMS = /(share|shares|balance|balances|supply|totalsupply|collateral|debt|borrow|credit|amountout|payout|withdraw|redeem|mint)/i;
+const REENTRANCY_MODIFIER = /^(nonreentrant|lock|locked|noreentrant)$/i;
+class PriceOracleManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Same-transaction AMM spot reserves or pool balances directly size a user payout or accounting mutation.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags GradientMakerPool-style price oracle manipulation where getReserves, router spot quotes, or token.balanceOf(pool) reserve reads flow into user-callable value movement or share/accounting updates without TWAP/reference bounds.',
+    };
+    currentFile = '';
+    findings = [];
+    currentContractName = '';
+    currentContractNode = null;
+    currentContractConcrete = false;
+    spotHelpers = new Set();
+    reportedFunctions = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.currentContractName = '';
+        this.currentContractNode = null;
+        this.currentContractConcrete = false;
+        this.spotHelpers = new Set();
+        this.reportedFunctions = new Set();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContractNode = node;
+        this.currentContractName = getName(node) || '<anonymous>';
+        this.currentContractConcrete = !isInterfaceLike(node);
+        this.spotHelpers = this.currentContractConcrete ? collectSpotHelperNames(node) : new Set();
+    }
+    ContractDefinition_post(node) {
+        if (this.currentContractNode === node) {
+            this.currentContractNode = null;
+            this.currentContractName = '';
+            this.currentContractConcrete = false;
+            this.spotHelpers = new Set();
+        }
+    }
+    FunctionDefinition(node) {
+        if (!this.currentContractConcrete || !this.currentContractNode)
+            return;
+        if (this.reportedFunctions.has(node))
+            return;
+        this.reportedFunctions.add(node);
+        if (!node.body || !isExternallyCallable(node))
+            return;
+        if (isReadOnly(node))
+            return;
+        if ((0, access_control_1.hasRecognisedAccessControlModifier)(node) || hasModifier(node, REENTRANCY_MODIFIER))
+            return;
+        const sources = collectSources(node.body, this.spotHelpers);
+        if (sources.length === 0)
+            return;
+        for (const source of sources) {
+            const tainted = computeTainted(node.body, source.node, this.spotHelpers);
+            if (tainted.size === 0)
+                continue;
+            const sink = findSensitiveSink(node.body, tainted);
+            if (!sink)
+                continue;
+            if (hasSafeReferencePattern(node.body, tainted))
+                continue;
+            if (hasInlineAccessGuardBefore(node.body, source.node, sink.node))
+                continue;
+            const fnName = getName(node) || '<anonymous>';
+            const loc = (0, ast_1.tryLoc)(source.node, node) || { line: 1, endLine: 1, column: 0, endColumn: 0 };
+            this.findings.push({
+                file: this.currentFile,
+                contract: this.currentContractName,
+                'function': fnName,
+                line: loc.line,
+                endLine: loc.endLine || loc.line,
+                column: loc.column,
+                pattern: RULE_ID,
+                confidence: 'high',
+                category: 'oracle-manipulation',
+                ruleId: RULE_ID,
+                severity: 'high',
+                message: `Price oracle manipulation risk in '${this.currentContractName}.${fnName}': ` +
+                    `same-transaction spot source ${describeCall(source.node)} flows into ${sink.label}.`,
+                rationale: 'A user-callable value or accounting path consumes an AMM pair/router spot quote or pool balance reserve read. ' +
+                    'The value can be manipulated in the same transaction before withdrawal, redeem, mint, or share accounting executes.',
+                suggestedFix: 'Use a TWAP, external reference oracle, or multi-source median for value sizing; if spot reads are retained, bound them against the independent reference and keep cache maintenance access controlled.',
+                contractName: this.currentContractName,
+                functionName: fnName,
+                sourceLocation: { line: loc.line, column: loc.column },
+                findingId: '',
+                contractHash: '',
+                provenance: PROVENANCE,
+            });
+            return;
+        }
+    }
+}
+exports.PriceOracleManipulationDetector = PriceOracleManipulationDetector;
+function collectSpotHelperNames(contractNode) {
+    const helpers = new Set();
+    let changed = true;
+    let safety = 0;
+    while (changed && safety < 6) {
+        changed = false;
+        safety += 1;
+        for (const fn of getContractFunctions(contractNode)) {
+            const name = getName(fn);
+            if (!name || helpers.has(name) || !fn.body)
+                continue;
+            if (!isInternalLike(fn))
+                continue;
+            if (functionReturnsSpotValue(fn.body, helpers)) {
+                helpers.add(name);
+                changed = true;
+            }
+        }
+    }
+    return helpers;
+}
+function functionReturnsSpotValue(body, helperNames) {
+    const sources = collectSources(body, helperNames);
+    if (sources.length === 0)
+        return false;
+    return sources.some(source => {
+        const tainted = computeTainted(body, source.node, helperNames);
+        return walkAny(body, node => {
+            if (!(0, ast_1.isNode)(node, 'ReturnStatement'))
+                return false;
+            const expr = node.expression;
+            return !!expr && (containsNode(expr, source.node) || expressionIsTainted(expr, tainted));
+        });
+    });
+}
+function collectSources(body, helperNames) {
+    const sources = [];
+    walk(body, node => {
+        if (!isFunctionCall(node))
+            return;
+        const name = getCalleeName(node);
+        if (SPOT_SOURCE_CALLS.has(name) || helperNames.has(name) || isPoolBalanceOf(node)) {
+            sources.push({ node, name });
+        }
+    });
+    return sources;
+}
+function computeTainted(body, sourceNode, helperNames) {
+    const tainted = new Set();
+    let changed = true;
+    let safety = 0;
+    while (changed && safety < 10) {
+        changed = false;
+        safety += 1;
+        walk(body, node => {
+            if ((0, ast_1.isNode)(node, 'VariableDeclarationStatement')) {
+                const initial = node.initialValue;
+                if (!initial || !expressionUsesSource(initial, sourceNode, helperNames, tainted))
+                    return;
+                for (const decl of getDeclaredVariables(node)) {
+                    const name = getName(decl);
+                    if (name && !tainted.has(name)) {
+                        tainted.add(name);
+                        changed = true;
+                    }
+                }
+                return;
+            }
+            if (!isAssignmentNode(node))
+                return;
+            const rhs = getAssignmentRight(node);
+            const lhs = getAssignmentLeft(node);
+            if (!rhs || !lhs || !expressionUsesSource(rhs, sourceNode, helperNames, tainted))
+                return;
+            const lhsName = getIdentifierBaseName(lhs);
+            if (lhsName && !tainted.has(lhsName)) {
+                tainted.add(lhsName);
+                changed = true;
+            }
+        });
+    }
+    return tainted;
+}
+function expressionUsesSource(expr, sourceNode, helperNames, tainted) {
+    if (containsNode(expr, sourceNode))
+        return true;
+    return walkAny(expr, node => {
+        if ((0, ast_1.isNode)(node, 'Identifier') && tainted.has(String(node.name || '')))
+            return true;
+        return isFunctionCall(node) && helperNames.has(getCalleeName(node));
+    });
+}
+function findSensitiveSink(body, tainted) {
+    let found = null;
+    walk(body, node => {
+        if (found)
+            return;
+        if (isFunctionCall(node)) {
+            const callee = getCalleeName(node).toLowerCase();
+            const args = node.arguments || [];
+            if ((callee === 'require' || callee === 'assert') && args[0] && expressionIsTainted(args[0], tainted)) {
+                const nextSink = nextSinkAfter(body, node, tainted);
+                if (nextSink)
+                    found = { node, label: `collateral/accounting gate before ${nextSink}` };
+                return;
+            }
+            if (!SINK_CALLS.has(callee))
+                return;
+            if (args.some((arg) => expressionIsTainted(arg, tainted))) {
+                found = { node, label: `${describeCall(node)} amount` };
+            }
+            return;
+        }
+        if (!isAssignmentNode(node))
+            return;
+        const lhs = getAssignmentLeft(node);
+        const rhs = getAssignmentRight(node);
+        if (!lhs || !rhs || !expressionIsTainted(rhs, tainted))
+            return;
+        if (!assignmentTargetIsAccounting(lhs))
+            return;
+        found = { node, label: `${getIdentifierBaseName(lhs) || 'accounting'} accounting write` };
+    });
+    return found;
+}
+function nextSinkAfter(body, marker, tainted) {
+    const statements = collectStatements(body);
+    const index = statements.findIndex(stmt => containsNode(stmt, marker));
+    if (index < 0)
+        return null;
+    for (let i = index + 1; i < statements.length; i += 1) {
+        let label = null;
+        walk(statements[i], node => {
+            if (label)
+                return;
+            if (isFunctionCall(node) && SINK_CALLS.has(getCalleeName(node).toLowerCase())) {
+                label = describeCall(node);
+            }
+            if (!label && isAssignmentNode(node) && expressionIsTainted(getAssignmentRight(node), tainted) && assignmentTargetIsAccounting(getAssignmentLeft(node))) {
+                label = getIdentifierBaseName(getAssignmentLeft(node)) || 'accounting write';
+            }
+        });
+        if (label)
+            return label;
+    }
+    return null;
+}
+function hasSafeReferencePattern(body, tainted) {
+    let hasBoundedSpot = false;
+    let taintedValueUsedInSink = false;
+    walk(body, node => {
+        if (!isFunctionCall(node))
+            return;
+        const callee = getCalleeName(node).toLowerCase();
+        const args = node.arguments || [];
+        if ((callee === 'require' || callee === 'assert') && args[0] && conditionBoundsTaintedAgainstReference(args[0], tainted)) {
+            hasBoundedSpot = true;
+        }
+        if (SINK_CALLS.has(callee) && args.some((arg) => expressionIsTainted(arg, tainted))) {
+            taintedValueUsedInSink = true;
+        }
+    });
+    const names = flattenNames(body);
+    const multiSourceMedian = /\bmedian\b/i.test(names) && countCallsNamed(body, 'price') >= 3;
+    return multiSourceMedian || (hasBoundedSpot && !taintedValueUsedInSink);
+}
+function conditionBoundsTaintedAgainstReference(condition, tainted) {
+    return walkAny(condition, node => {
+        if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return false;
+        const op = String(node.operator || '');
+        if (!['<', '<=', '>', '>='].includes(op))
+            return false;
+        return expressionIsTainted(node, tainted) && REFERENCE_TERMS.test(flattenNames(node));
+    });
+}
+function hasInlineAccessGuardBefore(body, sourceNode, sinkNode) {
+    const statements = collectStatements(body);
+    const sourceIndex = statements.findIndex(stmt => containsNode(stmt, sourceNode));
+    const sinkIndex = statements.findIndex(stmt => containsNode(stmt, sinkNode));
+    if (sourceIndex < 0 || sinkIndex < 0)
+        return false;
+    for (let i = 0; i < Math.min(sourceIndex, sinkIndex); i += 1) {
+        if (statementIsAccessGuard(statements[i]))
+            return true;
+    }
+    return false;
+}
+function statementIsAccessGuard(stmt) {
+    if (!(0, ast_1.isNode)(stmt, 'ExpressionStatement') || !isFunctionCall(stmt.expression))
+        return false;
+    const call = stmt.expression;
+    const callee = getCalleeName(call).toLowerCase();
+    const condition = (call.arguments || [])[0];
+    if ((callee === 'require' || callee === 'assert') && condition) {
+        return (0, access_control_1.requireExpressesAccessControl)(condition, name => (0, access_control_1.isPrivilegedIdentifier)(name, { mode: 'word-boundary' }), getCalleeName);
+    }
+    return /^(checkowner|_checkowner|checkrole|_checkrole)$/i.test(callee);
+}
+function assignmentTargetIsAccounting(node) {
+    const name = getIdentifierBaseName(node) || flattenNames(node);
+    return ACCOUNTING_TERMS.test(name);
+}
+function expressionIsTainted(expr, tainted) {
+    if (!expr)
+        return false;
+    return walkAny(expr, node => (0, ast_1.isNode)(node, 'Identifier') && tainted.has(String(node.name || '')));
+}
+function countCallsNamed(node, name) {
+    let count = 0;
+    walk(node, child => {
+        if (isFunctionCall(child) && getCalleeName(child).toLowerCase() === name.toLowerCase())
+            count += 1;
+    });
+    return count;
+}
+function collectStatements(body) {
+    return Array.isArray(body?.statements) ? body.statements.filter((stmt) => stmt && typeof stmt === 'object') : [];
+}
+function containsNode(haystack, needle) {
+    let found = false;
+    walk(haystack, node => {
+        if (node === needle)
+            found = true;
+    });
+    return found;
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isInternalLike(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'internal' || visibility === 'private';
+}
+function isReadOnly(fn) {
+    const mutability = String(fn?.stateMutability || '').toLowerCase();
+    return mutability === 'view' || mutability === 'pure';
+}
+function hasModifier(fn, pattern) {
+    const modifiers = fn?.modifiers || fn?.modifierList || [];
+    return Array.isArray(modifiers) && modifiers.some((modifier) => pattern.test(getModifierName(modifier)));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name.name === 'string')
+        return modifier.name.name;
+    if (modifier.modifierName && typeof modifier.modifierName.name === 'string')
+        return modifier.modifierName.name;
+    return '';
+}
+function getDeclaredVariables(node) {
+    if (Array.isArray(node?.variables))
+        return node.variables.filter(Boolean);
+    if (Array.isArray(node?.declarations))
+        return node.declarations.filter(Boolean);
+    return [];
+}
+function isAssignmentNode(node) {
+    return (0, ast_1.isNode)(node, 'Assignment') || ((0, ast_1.isNode)(node, 'BinaryOperation') && /^(=|\+=|-=|\*=|\/=|%=)$/.test(String(node.operator || '')));
+}
+function getAssignmentLeft(node) {
+    if (!node)
+        return null;
+    if ((0, ast_1.isNode)(node, 'Assignment'))
+        return node.leftHandSide;
+    if ((0, ast_1.isNode)(node, 'BinaryOperation'))
+        return node.left;
+    return null;
+}
+function getAssignmentRight(node) {
+    if (!node)
+        return null;
+    if ((0, ast_1.isNode)(node, 'Assignment'))
+        return node.rightHandSide;
+    if ((0, ast_1.isNode)(node, 'BinaryOperation'))
+        return node.right;
+    return null;
+}
+function getIdentifierBaseName(node) {
+    if (!node || typeof node !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return getIdentifierBaseName(node.expression);
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return getIdentifierBaseName(node.baseExpression || node.base);
+    return '';
+}
+function describeCall(call) {
+    const expr = call?.expression;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const base = flattenCondition(expr.expression);
+        const member = String(expr.memberName || '');
+        return base ? `${base}.${member}` : member;
+    }
+    return getCalleeName(call);
+}
+function getCalleeName(node) {
+    const expr = isFunctionCall(node) ? node.expression : node;
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return String(expr.name || '');
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function getContractFunctions(contractNode) {
+    const members = Array.isArray(contractNode?.subNodes) ? contractNode.subNodes : Array.isArray(contractNode?.nodes) ? contractNode.nodes : [];
+    return members.filter((node) => (0, ast_1.isNode)(node, 'FunctionDefinition'));
+}
+function isInterfaceLike(contractNode) {
+    const kind = String(contractNode?.kind || contractNode?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function flattenNames(node) {
+    const names = [];
+    walk(node, child => {
+        if ((0, ast_1.isNode)(child, 'Identifier'))
+            names.push(String(child.name || ''));
+        if ((0, ast_1.isNode)(child, 'MemberAccess'))
+            names.push(String(child.memberName || ''));
+    });
+    return names.join(' ');
+}
+function flattenCondition(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        const base = flattenCondition(node.expression);
+        const member = String(node.memberName || '');
+        return base ? `${base}.${member}` : member;
+    }
+    return '';
+}
+function isFunctionCall(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall');
+}
+function isPoolBalanceOf(node) {
+    if (!isFunctionCall(node) || getCalleeName(node) !== 'balanceOf')
+        return false;
+    const firstArg = (node.arguments || [])[0];
+    const unwrapped = unwrapAddressCast(firstArg);
+    if ((0, ast_1.isNode)(unwrapped, 'Identifier'))
+        return /^(pool|pair|amm|vault)$/i.test(String(unwrapped.name || ''));
+    if ((0, ast_1.isNode)(unwrapped, 'MemberAccess'))
+        return /^(pool|pair|amm|vault)$/i.test(String(unwrapped.memberName || ''));
+    return false;
+}
+function unwrapAddressCast(node) {
+    if (!isFunctionCall(node))
+        return node;
+    const callee = node.expression;
+    const calleeName = (0, ast_1.isNode)(callee, 'Identifier') || (0, ast_1.isNode)(callee, 'ElementaryTypeName') || (0, ast_1.isNode)(callee, 'ElementaryTypeNameExpression')
+        ? callee.name
+        : undefined;
+    const args = node.arguments || [];
+    if (calleeName === 'address' && args.length === 1)
+        return unwrapAddressCast(args[0]);
+    return node;
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(child => walkAny(child, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childrenOf(node))
+        walk(child, visit);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeName' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    children.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+const proto = PriceOracleManipulationDetector.prototype;
+proto['ContractDefinition:exit'] = proto.ContractDefinition_post;
+//# sourceMappingURL=price-oracle-manipulation.js.map

package/dist/detectors/project-instant-rewards-unlocked.d.ts

@@ -0,0 +1,6 @@
+import type { ScanResult } from '../index';
+export declare class ProjectInstantRewardsUnlockedDetector {
+    readonly id = "project-instant-rewards-unlocked";
+    readonly patternKey = "project-instant-rewards-unlocked";
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}