@snovon/solast 0.2.0

package/dist/detectors/s-horizon-bridge-private-key-compromis.js

@@ -0,0 +1,615 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SHorizonBridgePrivateKeyCompromisDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 's-horizon-bridge-private-key-compromis';
+const SOURCE = 'x-20220624-harmony-s-horizon-bridge-private-key-compromis';
+const MIN_TIMELOCK_SECONDS = 24 * 60 * 60;
+class SHorizonBridgePrivateKeyCompromisDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const contexts = collectContracts(ast)
+            .filter(contract => !isInterfaceLike(contract))
+            .map(contract => ({
+            contractName: getName(contract) || '<anonymous>',
+            fixedArrayLengths: collectFixedArrayLengths(contract),
+            numericConstants: collectNumericValues(contract),
+            functions: getContractFunctions(contract),
+        }));
+        for (const ctx of contexts) {
+            if (!isBridgeCustodyShape(ctx))
+                continue;
+            for (const { fn, fnName } of collectBridgeReleaseTargets(ctx)) {
+                const body = getFunctionBody(fn);
+                if (!body)
+                    continue;
+                if (!containsSensitiveAssetSink(body, fnName))
+                    continue;
+                if (hasMeaningfulTimelock(body, ctx))
+                    continue;
+                if (!hasSingleOwnerGate(fn, body) && !hasLowThresholdSignerGate(body, ctx))
+                    continue;
+                findings.push(buildFinding(file, ctx.contractName, fnName, fn, lineOffsets));
+            }
+        }
+        const directFindingKeys = new Set(findings.map(findingKey));
+        const bridgeReleaseTargets = contexts
+            .filter(isBridgeCustodyShape)
+            .flatMap(collectBridgeReleaseTargets)
+            .filter(target => {
+            const body = getFunctionBody(target.fn);
+            return body && containsSensitiveAssetSink(body, target.fnName) && !hasMeaningfulTimelock(body, target.ctx);
+        });
+        const lowThresholdMultisigs = contexts.map(findLowThresholdMultisig).filter(Boolean);
+        if (bridgeReleaseTargets.length > 0 && lowThresholdMultisigs.some(multisig => hasExecutableMultisigFlow(multisig.ctx))) {
+            for (const target of bridgeReleaseTargets) {
+                if (!hasWalletGate(target.fn) && !lowThresholdMultisigs.some(multisig => multisigMentionsBridgeRelease(multisig.ctx, target.fnName))) {
+                    continue;
+                }
+                const finding = buildFinding(file, target.ctx.contractName, target.fnName, target.fn, lineOffsets, describeLowestThreshold(lowThresholdMultisigs));
+                if (!directFindingKeys.has(findingKey(finding))) {
+                    findings.push(finding);
+                    directFindingKeys.add(findingKey(finding));
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.SHorizonBridgePrivateKeyCompromisDetector = SHorizonBridgePrivateKeyCompromisDetector;
+function buildFinding(file, contractName, fnName, fn, lineOffsets, thresholdDetail) {
+    const loc = (0, ast_1.getLoc)(fn, lineOffsets) || { line: 0, column: 0 };
+    const detail = thresholdDetail ? ` via ${thresholdDetail}` : '';
+    return {
+        file,
+        contract: contractName,
+        'function': fnName,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'high',
+        message: `Bridge custody release path '${contractName}.${fnName}' is controlled by a single owner or low signer threshold${detail} without a >=24h timelock.`,
+        rationale: 'This matches the Horizon-style key-compromise blast radius: a compromised owner key or low-threshold multisig can move bridge-custodied assets immediately.',
+        suggestedFix: 'Require a higher independent signer threshold and/or queue withdrawals behind an explicit timelock of at least 24 hours before releasing custodied assets.',
+        contractName,
+        functionName: fnName,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+        source: SOURCE,
+        provenance: SOURCE,
+    };
+}
+function findingKey(finding) {
+    return `${finding.file}:${finding.contractName}:${finding.functionName}:${finding.line}`;
+}
+function collectBridgeReleaseTargets(ctx) {
+    const targets = [];
+    for (const fn of ctx.functions) {
+        const fnName = getName(fn);
+        if (!fnName || !isExternallyReachable(fn))
+            continue;
+        if (!isSensitiveReleaseFunction(fnName))
+            continue;
+        targets.push({ ctx, fn, fnName });
+    }
+    return targets;
+}
+function isBridgeCustodyShape(ctx) {
+    const names = ctx.functions.map(fn => getName(fn)).filter(Boolean);
+    const hasDepositWithdraw = names.some(isDepositName) && names.some(isSensitiveReleaseFunction);
+    const hasLockUnlock = names.some(isCustodyInName) && names.some(isSensitiveReleaseFunction);
+    const hasBurnMint = names.some(isBurnName) && names.some(isMintName);
+    if (!hasDepositWithdraw && !hasLockUnlock && !hasBurnMint)
+        return false;
+    if (hasDepositWithdraw || hasLockUnlock) {
+        const hasCustodyIn = ctx.functions.some(fn => isCustodyInName(getName(fn)) && containsInboundCustody(getFunctionBody(fn)));
+        const hasCustodyOut = ctx.functions.some(fn => isSensitiveReleaseFunction(getName(fn)) && containsSensitiveAssetSink(getFunctionBody(fn), getName(fn)));
+        if (hasCustodyIn && hasCustodyOut)
+            return true;
+    }
+    if (hasBurnMint) {
+        const hasBurn = ctx.functions.some(fn => isBurnName(getName(fn)) && containsBurnSink(getFunctionBody(fn)));
+        const hasMint = ctx.functions.some(fn => isMintName(getName(fn)) && containsMintSink(getFunctionBody(fn)));
+        if (hasBurn && hasMint)
+            return true;
+    }
+    return false;
+}
+function isCustodyInName(name) {
+    const lname = name.toLowerCase();
+    return isDepositName(name) || /^(?:lock|burn)(?:token|native|asset|erc20)?$/i.test(lname);
+}
+function isSensitiveReleaseFunction(name) {
+    const lname = name.toLowerCase();
+    return lname === 'withdraw' ||
+        lname === 'release' ||
+        lname === 'redeem' ||
+        lname === 'exit' ||
+        /^(?:unlock|mint)(?:token|native|asset|erc20)?$/i.test(lname);
+}
+function isDepositName(name) {
+    const lname = name.toLowerCase();
+    return lname === 'deposit' || /^lock(?:token|native|asset|erc20)?$/i.test(lname);
+}
+function isBurnName(name) {
+    return /^burn(?:token|native|asset|erc20)?$/i.test(name);
+}
+function isMintName(name) {
+    return /^mint(?:token|native|asset|erc20)?$/i.test(name);
+}
+function containsInboundCustody(body) {
+    if (!body)
+        return false;
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee.endsWith('.transferfrom') || callee === 'transferfrom')
+            found = true;
+    });
+    return found;
+}
+function containsSensitiveAssetSink(body, fnName) {
+    if (!body)
+        return false;
+    if (fnName.toLowerCase() === 'mint')
+        return containsMintSink(body);
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        const args = getCallArguments(node);
+        if ((callee.endsWith('.transfer') || callee.endsWith('.send')) && args.length >= 1 && !isCallerExpression(args[0])) {
+            found = true;
+            return;
+        }
+        if ((callee.endsWith('.call') || callee === 'call') && args.length >= 0) {
+            found = true;
+        }
+    });
+    return found;
+}
+function containsMintSink(body) {
+    if (!body)
+        return false;
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee === '_mint' || callee.endsWith('._mint') || callee === 'mint' || callee.endsWith('.mint')) {
+            found = true;
+        }
+    });
+    return found;
+}
+function containsBurnSink(body) {
+    if (!body)
+        return false;
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee === '_burn' || callee.endsWith('._burn') || callee === 'burn' || callee.endsWith('.burn')) {
+            found = true;
+        }
+    });
+    return found;
+}
+function hasSingleOwnerGate(fn, body) {
+    for (const mod of fn.modifiers || []) {
+        const modName = getModifierInvocationName(mod).toLowerCase();
+        if (modName === 'onlyowner' || modName === 'owneronly')
+            return true;
+    }
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee !== 'require' && callee !== 'assert')
+            return;
+        if (getCallArguments(node).some(isOwnerSenderEquality))
+            found = true;
+    });
+    return found;
+}
+function hasWalletGate(fn) {
+    for (const mod of fn.modifiers || []) {
+        const modName = getModifierInvocationName(mod).toLowerCase();
+        if (modName === 'onlywallet' || modName === 'onlymultisig' || modName === 'onlymultisigwallet')
+            return true;
+    }
+    return false;
+}
+function hasLowThresholdSignerGate(body, ctx) {
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'BinaryOperation'))
+            return;
+        const op = String(node.operator || '');
+        if (!['>=', '>', '<=', '<'].includes(op))
+            return;
+        const left = node.left ?? node.leftExpression;
+        const right = node.right ?? node.rightExpression;
+        const leftCount = isSignerCountExpression(left);
+        const rightCount = isSignerCountExpression(right);
+        const leftValue = evaluateNumericExpression(left, ctx);
+        const rightValue = evaluateNumericExpression(right, ctx);
+        if ((op === '>=' || op === '>') && leftCount && rightValue !== undefined && effectiveThreshold(rightValue, op) <= 2) {
+            found = true;
+            return;
+        }
+        if ((op === '<=' || op === '<') && rightCount && leftValue !== undefined && effectiveThreshold(leftValue, op) <= 2) {
+            found = true;
+        }
+    });
+    return found;
+}
+function effectiveThreshold(value, op) {
+    return op === '>' || op === '<' ? value + 1 : value;
+}
+function findLowThresholdMultisig(ctx) {
+    const required = ctx.numericConstants.get('required') ?? ctx.numericConstants.get('threshold');
+    const ownerCount = ctx.numericConstants.get('ownerCount') ??
+        ctx.numericConstants.get('ownersCount') ??
+        ctx.fixedArrayLengths.get('owners') ??
+        ctx.fixedArrayLengths.get('signers');
+    if (required === undefined)
+        return undefined;
+    if (required === 1 || (ownerCount !== undefined && required <= ownerCount / 2)) {
+        return { ctx, threshold: required, ownerCount };
+    }
+    return undefined;
+}
+function hasExecutableMultisigFlow(ctx) {
+    const names = new Set(ctx.functions.map(fn => getName(fn).toLowerCase()).filter(Boolean));
+    const hasSubmit = names.has('submittransaction') || names.has('submit') || names.has('proposetransaction');
+    const hasConfirm = names.has('confirmtransaction') || names.has('confirm') || names.has('approve');
+    const hasExecute = names.has('executetransaction') || names.has('execute');
+    if (!hasSubmit || (!hasConfirm && !hasExecute))
+        return false;
+    return ctx.functions.some(fn => {
+        const fnName = getName(fn).toLowerCase();
+        if (!['confirmtransaction', 'confirm', 'approve', 'executetransaction', 'execute'].includes(fnName))
+            return false;
+        return containsArbitraryExternalCall(getFunctionBody(fn));
+    });
+}
+function containsArbitraryExternalCall(body) {
+    if (!body)
+        return false;
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee.endsWith('.call') || callee.endsWith('.delegatecall'))
+            found = true;
+    });
+    return found;
+}
+function multisigMentionsBridgeRelease(ctx, fnName) {
+    let found = false;
+    walk({ functions: ctx.functions }, node => {
+        if (found || !isNode(node, 'StringLiteral'))
+            return;
+        const value = String(node.value || '');
+        const selectorName = value.split('(')[0];
+        if (selectorName.toLowerCase() === fnName.toLowerCase())
+            found = true;
+    });
+    return found;
+}
+function describeLowestThreshold(multisigs) {
+    const executable = multisigs.filter(multisig => hasExecutableMultisigFlow(multisig.ctx));
+    const lowest = executable.sort((a, b) => a.threshold - b.threshold)[0];
+    if (!lowest)
+        return undefined;
+    return lowest.ownerCount === undefined
+        ? `${lowest.threshold}-signature multisig '${lowest.ctx.contractName}'`
+        : `${lowest.threshold}-of-${lowest.ownerCount} multisig '${lowest.ctx.contractName}'`;
+}
+function isSignerCountExpression(expr) {
+    if (!expr)
+        return false;
+    if (isNode(expr, 'MemberAccess') && String(expr.memberName || '').toLowerCase() === 'length') {
+        const root = getReferenceRoot(expr.expression).toLowerCase();
+        return /sig|signature|approval|validator|signer/.test(root);
+    }
+    if (isNode(expr, 'Identifier')) {
+        return /sig|signature|approval|threshold|count/.test(getName(expr).toLowerCase());
+    }
+    return false;
+}
+function hasMeaningfulTimelock(body, ctx) {
+    let found = false;
+    walk(body, node => {
+        if (found || !isNode(node, 'FunctionCall'))
+            return;
+        const callee = getCallExpressionName(node).toLowerCase();
+        if (callee !== 'require' && callee !== 'assert')
+            return;
+        for (const arg of getCallArguments(node)) {
+            if (!containsBlockTimestamp(arg))
+                continue;
+            if (maxNumericDelay(arg, ctx) >= MIN_TIMELOCK_SECONDS) {
+                found = true;
+                return;
+            }
+        }
+    });
+    return found;
+}
+function maxNumericDelay(node, ctx) {
+    let max = 0;
+    walk(node, child => {
+        const value = evaluateNumericExpression(child, ctx);
+        if (value !== undefined && value > max)
+            max = value;
+    });
+    return max;
+}
+function containsBlockTimestamp(node) {
+    let found = false;
+    walk(node, child => {
+        if (found || !isNode(child, 'MemberAccess'))
+            return;
+        if (String(child.memberName || '') !== 'timestamp')
+            return;
+        const inner = child.expression;
+        if (isNode(inner, 'Identifier') && getName(inner) === 'block')
+            found = true;
+    });
+    return found;
+}
+function evaluateNumericExpression(expr, ctx) {
+    if (!expr)
+        return undefined;
+    if (isNode(expr, 'NumberLiteral')) {
+        const raw = Number(expr.number);
+        if (!Number.isFinite(raw))
+            return undefined;
+        const unit = String(expr.subdenomination || '').toLowerCase();
+        if (unit === 'seconds' || unit === 'second')
+            return raw;
+        if (unit === 'minutes' || unit === 'minute')
+            return raw * 60;
+        if (unit === 'hours' || unit === 'hour')
+            return raw * 60 * 60;
+        if (unit === 'days' || unit === 'day')
+            return raw * 24 * 60 * 60;
+        if (unit === 'weeks' || unit === 'week')
+            return raw * 7 * 24 * 60 * 60;
+        return raw;
+    }
+    if (isNode(expr, 'Identifier'))
+        return ctx.numericConstants.get(getName(expr));
+    if (isNode(expr, 'MemberAccess') && String(expr.memberName || '').toLowerCase() === 'length') {
+        return ctx.fixedArrayLengths.get(getReferenceRoot(expr.expression));
+    }
+    if (isNode(expr, 'BinaryOperation')) {
+        const left = evaluateNumericExpression(expr.left ?? expr.leftExpression, ctx);
+        const right = evaluateNumericExpression(expr.right ?? expr.rightExpression, ctx);
+        if (left === undefined || right === undefined)
+            return undefined;
+        switch (String(expr.operator || '')) {
+            case '+': return left + right;
+            case '-': return left - right;
+            case '*': return left * right;
+            case '/': return right === 0 ? undefined : left / right;
+        }
+    }
+    return undefined;
+}
+function isOwnerSenderEquality(expr) {
+    if (!expr || !isNode(expr, 'BinaryOperation'))
+        return false;
+    const op = String(expr.operator || '');
+    if (op !== '==' && op !== '===')
+        return false;
+    const left = expr.left ?? expr.leftExpression;
+    const right = expr.right ?? expr.rightExpression;
+    return (isMsgSender(left) && isOwnerReference(right)) || (isMsgSender(right) && isOwnerReference(left));
+}
+function isOwnerReference(expr) {
+    const root = getReferenceRoot(expr).toLowerCase();
+    return root === 'owner' || root.endsWith('owner');
+}
+function collectFixedArrayLengths(contractNode) {
+    const out = new Map();
+    for (const decl of getContractMembers(contractNode, 'StateVariableDeclaration')) {
+        for (const variable of decl.variables || []) {
+            const name = getName(variable);
+            const length = variable?.typeName?.length;
+            if (name && length && isNode(length, 'NumberLiteral')) {
+                const value = Number(length.number);
+                if (Number.isFinite(value))
+                    out.set(name, value);
+            }
+        }
+    }
+    return out;
+}
+function collectNumericValues(contractNode) {
+    const out = new Map();
+    const dummy = { contractName: '', fixedArrayLengths: new Map(), numericConstants: out, functions: [] };
+    for (const decl of getContractMembers(contractNode, 'StateVariableDeclaration')) {
+        for (const variable of decl.variables || []) {
+            const name = getName(variable);
+            const value = evaluateNumericExpression(variable.expression ?? decl.initialValue, dummy);
+            if (name && value !== undefined)
+                out.set(name, value);
+        }
+    }
+    return out;
+}
+function collectContracts(node) {
+    const out = [];
+    walk(node, child => {
+        if (isNode(child, 'ContractDefinition'))
+            out.push(child);
+    });
+    return out;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract.kind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getContractFunctions(contractNode) {
+    return getContractMembers(contractNode, 'FunctionDefinition');
+}
+function getContractMembers(contractNode, kind) {
+    const members = [];
+    for (const child of contractNode.subNodes || []) {
+        if (child && child.type === kind)
+            members.push(child);
+    }
+    return members;
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function isExternallyReachable(fn) {
+    const kind = String(fn.kind || (fn.isConstructor ? 'constructor' : '') || 'function').toLowerCase();
+    if (kind === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function getModifierInvocationName(mod) {
+    if (!mod)
+        return '';
+    if (mod.modifierName) {
+        if (typeof mod.modifierName === 'string')
+            return mod.modifierName;
+        if (mod.modifierName.name)
+            return String(mod.modifierName.name);
+    }
+    if (mod.name) {
+        if (typeof mod.name === 'string')
+            return mod.name;
+        if (mod.name.name)
+            return String(mod.name.name);
+        if (mod.name.namePath)
+            return String(mod.name.namePath);
+    }
+    return '';
+}
+function getCallExpressionName(call) {
+    const callee = call?.expression;
+    if (!callee)
+        return '';
+    return getExpressionName(callee);
+}
+function getExpressionName(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'MemberAccess')) {
+        const inner = getExpressionName(expr.expression);
+        const memberName = String(expr.memberName || '');
+        return inner ? `${inner}.${memberName}` : memberName;
+    }
+    if (isNode(expr, 'FunctionCall') || isNode(expr, 'NameValueExpression') || isNode(expr, 'FunctionCallOptions')) {
+        return getExpressionName(expr.expression);
+    }
+    return '';
+}
+function getCallArguments(call) {
+    return Array.isArray(call?.arguments) ? call.arguments : [];
+}
+function getReferenceRoot(expr) {
+    if (!expr)
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'IndexAccess'))
+        return getReferenceRoot(expr.base ?? expr.baseExpression);
+    if (isNode(expr, 'MemberAccess'))
+        return getReferenceRoot(expr.expression);
+    if (isNode(expr, 'FunctionCall'))
+        return getReferenceRoot(expr.expression);
+    return '';
+}
+function isMsgSender(expr) {
+    if (!expr || !isNode(expr, 'MemberAccess'))
+        return false;
+    if (String(expr.memberName || '') !== 'sender')
+        return false;
+    const inner = expr.expression;
+    return isNode(inner, 'Identifier') && getName(inner) === 'msg';
+}
+function isCallerExpression(expr) {
+    if (isMsgSender(expr))
+        return true;
+    if (!expr || !isNode(expr, 'FunctionCall'))
+        return false;
+    const callee = expr.expression;
+    return isNode(callee, 'Identifier') && getName(callee) === 'payable' && getCallArguments(expr).some(isMsgSender);
+}
+function walk(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    visitor(node);
+    for (const child of childrenOf(node))
+        walk(child, visitor);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function isNode(node, kind) {
+    return node?.type === kind;
+}
+function getName(node) {
+    if (!node)
+        return '';
+    if (typeof node.name === 'string')
+        return node.name;
+    if (node.identifier && typeof node.identifier.name === 'string')
+        return node.identifier.name;
+    return '';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+//# sourceMappingURL=s-horizon-bridge-private-key-compromis.js.map

package/dist/detectors/share-price-manipulation.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class SharePriceManipulationDetector {
+    readonly id = "share-price-manipulation";
+    readonly patternKey = "share-price-manipulation";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}