@snovon/solast 0.2.0

package/dist/detectors/project-instant-rewards-unlocked.js

@@ -0,0 +1,462 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectInstantRewardsUnlockedDetector = void 0;
+const RULE_ID = 'project-instant-rewards-unlocked';
+const PROVENANCE = 'x-20231114-okc-project-instant-rewards-unlocked';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+const ASSIGNMENT_OPERATORS = new Set([
+    '=', '+=', '-=', '*=', '/=', '%=', '<<=', '>>=', '|=', '&=', '^=',
+]);
+const REWARD_TRANSFER_MEMBERS = new Set(['transfer', 'safeTransfer', 'transferFrom', 'safeTransferFrom']);
+const COMPARISON_OPERATORS = new Set(['<', '<=', '>', '>=', '==', '!=']);
+class ProjectInstantRewardsUnlockedDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const functions = new Map();
+            for (const fn of getContractFunctions(contract)) {
+                const body = getFunctionBody(fn);
+                const name = functionDisplayName(fn);
+                functions.set(name, {
+                    node: fn,
+                    name,
+                    body,
+                    externallyCallable: isExternallyCallable(fn) && !isViewOrPure(fn),
+                    hasAccessControl: hasRecognizedAccessControlModifier(fn),
+                    hasHolderHoldingAgeGuard: body ? bodyHasHolderHoldingAgeGuard(body) : false,
+                    hasPerHolderMappingWrite: body ? bodyHasMappingAssignment(body) : false,
+                    hasUnsafeRewardTransfer: body ? bodyHasBalanceDerivedRewardTransfer(body) : false,
+                    internalCallees: body ? collectInternalCallNames(body) : new Set(),
+                });
+            }
+            const intrinsicallyUnsafe = new Set();
+            for (const info of functions.values()) {
+                if (info.hasUnsafeRewardTransfer && !info.hasHolderHoldingAgeGuard && !info.hasPerHolderMappingWrite) {
+                    intrinsicallyUnsafe.add(info.name);
+                }
+            }
+            const reachesUnsafe = computeReachesUnsafe(functions, intrinsicallyUnsafe);
+            const seen = new Set();
+            for (const info of functions.values()) {
+                if (!info.body)
+                    continue;
+                if (!info.externallyCallable)
+                    continue;
+                if (info.hasAccessControl)
+                    continue;
+                if (info.hasHolderHoldingAgeGuard)
+                    continue;
+                if (info.hasPerHolderMappingWrite && !intrinsicallyUnsafe.has(info.name) && !reachesUnsafe.get(info.name))
+                    continue;
+                if (!intrinsicallyUnsafe.has(info.name) && !reachesUnsafe.get(info.name))
+                    continue;
+                const key = `${contractName}:${info.name}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                const fnLoc = getLoc(info.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: fnLoc.line,
+                    endLine: fnLoc.line,
+                    column: fnLoc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Project-instant-rewards-unlocked path in '${contractName}.${info.name}': reward transfer is derived from current LP balance with no holding-time gate, eligibility snapshot, or access control.`,
+                    rationale: 'Mirrors the 2023-11-14 OKC pattern: a public reward processor pays each LP holder a fraction of their current LP balance with no holding-period or per-holder eligibility lock, letting an attacker temporarily inflate their LP, claim instant rewards, and unwind.',
+                    suggestedFix: 'Snapshot eligible LP balances and join timestamps, gate reward processing on a minimum holding age or admin-controlled snapshot, and update per-holder accounting before transferring rewards.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: fnLoc.line, column: fnLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.ProjectInstantRewardsUnlockedDetector = ProjectInstantRewardsUnlockedDetector;
+function computeReachesUnsafe(functions, intrinsicallyUnsafe) {
+    const cache = new Map();
+    function compute(info, seen) {
+        const cached = cache.get(info.name);
+        if (cached !== undefined)
+            return cached;
+        if (intrinsicallyUnsafe.has(info.name)) {
+            cache.set(info.name, true);
+            return true;
+        }
+        if (seen.has(info.name))
+            return false;
+        seen.add(info.name);
+        for (const calleeName of info.internalCallees) {
+            const callee = functions.get(calleeName);
+            if (callee && compute(callee, seen)) {
+                cache.set(info.name, true);
+                return true;
+            }
+        }
+        cache.set(info.name, false);
+        return false;
+    }
+    for (const info of functions.values())
+        compute(info, new Set());
+    return cache;
+}
+function bodyHasBalanceDerivedRewardTransfer(body) {
+    const aliases = collectBalanceAliases(body);
+    let found = false;
+    walk(body, node => {
+        if (found)
+            return;
+        if (!isFunctionCall(node))
+            return;
+        const callee = node.expression;
+        if (!isNode(callee, 'MemberAccess'))
+            return;
+        const memberName = String(callee.memberName || '');
+        if (!REWARD_TRANSFER_MEMBERS.has(memberName))
+            return;
+        const args = getCallArguments(node);
+        if (args.length < 2)
+            return;
+        const amountArg = args[args.length - 1];
+        if (expressionContainsBalanceOf(amountArg, aliases))
+            found = true;
+    });
+    return found;
+}
+function collectBalanceAliases(body) {
+    const aliases = new Set();
+    let changed = true;
+    while (changed) {
+        changed = false;
+        walk(body, node => {
+            const decl = extractSingleDeclaration(node);
+            if (!decl)
+                return;
+            if (aliases.has(decl.name))
+                return;
+            if (expressionContainsBalanceOf(decl.init, aliases)) {
+                aliases.add(decl.name);
+                changed = true;
+            }
+        });
+        walk(body, node => {
+            if (!isAssignmentNode(node))
+                return;
+            const lhs = stripTuple(getAssignmentLeft(node));
+            if (!isNode(lhs, 'Identifier'))
+                return;
+            const name = String(lhs.name || '');
+            if (aliases.has(name))
+                return;
+            const rhs = getAssignmentRight(node);
+            if (expressionContainsBalanceOf(rhs, aliases)) {
+                aliases.add(name);
+                changed = true;
+            }
+        });
+    }
+    return aliases;
+}
+function expressionContainsBalanceOf(expr, aliases) {
+    return walkAny(expr, n => {
+        if (isBalanceOfCall(n))
+            return true;
+        if (isNode(n, 'Identifier') && aliases.has(String(n.name || '')))
+            return true;
+        return false;
+    });
+}
+function isBalanceOfCall(node) {
+    if (!isFunctionCall(node))
+        return false;
+    const callee = node.expression;
+    if (isNode(callee, 'MemberAccess'))
+        return String(callee.memberName || '') === 'balanceOf';
+    if (isNode(callee, 'Identifier'))
+        return String(callee.name || '') === 'balanceOf';
+    return false;
+}
+function bodyHasMappingAssignment(body) {
+    return walkAny(body, node => {
+        if (!isAssignmentNode(node))
+            return false;
+        const lhs = stripTuple(getAssignmentLeft(node));
+        return isNode(lhs, 'IndexAccess');
+    });
+}
+// A holder-specific holding-age / eligibility guard is a comparison whose subtree
+// contains both a `block.timestamp` (or `now`) reference AND a holder-keyed mapping
+// read (an `IndexAccess`). This deliberately rejects global processor throttles
+// like `lastProcessTimestamp + 24 hours > block.timestamp`, where the right-hand
+// side is a plain Identifier rather than an IndexAccess — the canonical OKC
+// MinerPool exploit shape was guarded only by such a global cooldown.
+function bodyHasHolderHoldingAgeGuard(body) {
+    return walkAny(body, n => {
+        if (!isComparisonOperation(n))
+            return false;
+        let hasBlockTime = false;
+        let hasHolderKeyedRead = false;
+        walk(n, c => {
+            if (isBlockTimestampOrNow(c))
+                hasBlockTime = true;
+            if (isHolderKeyedMappingRead(c))
+                hasHolderKeyedRead = true;
+        });
+        return hasBlockTime && hasHolderKeyedRead;
+    });
+}
+function isComparisonOperation(n) {
+    if (!isNode(n, 'BinaryOperation'))
+        return false;
+    return COMPARISON_OPERATORS.has(String(n.operator || ''));
+}
+function isBlockTimestampOrNow(n) {
+    if (isNode(n, 'Identifier') && String(n.name || '') === 'now')
+        return true;
+    if (!isNode(n, 'MemberAccess'))
+        return false;
+    if (String(n.memberName || '') !== 'timestamp')
+        return false;
+    const expr = n.expression;
+    return isNode(expr, 'Identifier') && String(expr.name || '') === 'block';
+}
+function isHolderKeyedMappingRead(n) {
+    return isNode(n, 'IndexAccess');
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (isNode(callee, 'Identifier'))
+            out.add(String(callee.name || ''));
+    });
+    return out;
+}
+function extractSingleDeclaration(node) {
+    if (!isNode(node, 'VariableDeclarationStatement'))
+        return null;
+    const decls = (node.variables || node.declarations || []).filter((d) => d && typeof d === 'object');
+    if (decls.length !== 1)
+        return null;
+    const init = node.initialValue || node.initialExpression || null;
+    const name = String(decls[0]?.name || '');
+    return name && init ? { name, init } : null;
+}
+function isAssignmentNode(node) {
+    if (isNode(node, 'Assignment'))
+        return ASSIGNMENT_OPERATORS.has(String(node.operator || ''));
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    return ASSIGNMENT_OPERATORS.has(String(node.operator || ''));
+}
+function getAssignmentLeft(node) {
+    return node?.left ?? node?.leftHandSide ?? node?.leftExpression ?? null;
+}
+function getAssignmentRight(node) {
+    return node?.right ?? node?.rightHandSide ?? node?.rightExpression ?? null;
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object')
+        return String(modifier.name.name || modifier.name.namePath || '');
+    const inner = modifier.modifierName;
+    if (typeof inner === 'string')
+        return inner;
+    return inner && typeof inner.name === 'string' ? inner.name : '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isViewOrPure(fn) {
+    const stateMutability = String(fn?.stateMutability || '').toLowerCase();
+    return stateMutability === 'view' || stateMutability === 'pure';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function stripTuple(node) {
+    if (!node || typeof node !== 'object')
+        return node;
+    if (isNode(node, 'TupleExpression')) {
+        const components = (node.components || []).filter((c) => c && typeof c === 'object');
+        if (components.length === 1)
+            return stripTuple(components[0]);
+    }
+    return node;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (fn?.isFallback === true || kind === 'fallback')
+        return '<fallback>';
+    if (fn?.isReceiveEther === true || kind === 'receive')
+        return '<receive>';
+    if (fn?.isConstructor === true || kind === 'constructor')
+        return '<constructor>';
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=project-instant-rewards-unlocked.js.map

package/dist/detectors/protocol-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class ProtocolReentrancyDetector {
+    readonly id = "protocol-reentrancy";
+    readonly patternKey = "protocol-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}