@snovon/solast 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (738) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +190 -0
  3. package/dist/api.d.ts +89 -0
  4. package/dist/api.js +33 -0
  5. package/dist/ast/resolve-return-names.d.ts +2 -0
  6. package/dist/ast/resolve-return-names.js +199 -0
  7. package/dist/ast/solc-walker.d.ts +17 -0
  8. package/dist/ast/solc-walker.js +497 -0
  9. package/dist/ast/storage-layout.d.ts +21 -0
  10. package/dist/ast/storage-layout.js +64 -0
  11. package/dist/cli.d.ts +65 -0
  12. package/dist/cli.js +755 -0
  13. package/dist/config.d.ts +9 -0
  14. package/dist/config.js +284 -0
  15. package/dist/dedup/files.d.ts +1 -0
  16. package/dist/dedup/files.js +74 -0
  17. package/dist/dedup/findings.d.ts +41 -0
  18. package/dist/dedup/findings.js +211 -0
  19. package/dist/detectors/_common/access-control.d.ts +204 -0
  20. package/dist/detectors/_common/access-control.js +377 -0
  21. package/dist/detectors/_common/ast.d.ts +139 -0
  22. package/dist/detectors/_common/ast.js +239 -0
  23. package/dist/detectors/_common/compiler-profile.d.ts +14 -0
  24. package/dist/detectors/_common/compiler-profile.js +66 -0
  25. package/dist/detectors/_common/dataflow.d.ts +75 -0
  26. package/dist/detectors/_common/dataflow.js +57 -0
  27. package/dist/detectors/_common/fhe.d.ts +7 -0
  28. package/dist/detectors/_common/fhe.js +40 -0
  29. package/dist/detectors/_common/integer-overflow-helpers.d.ts +58 -0
  30. package/dist/detectors/_common/integer-overflow-helpers.js +422 -0
  31. package/dist/detectors/_common/loop-call-stack.d.ts +9 -0
  32. package/dist/detectors/_common/loop-call-stack.js +132 -0
  33. package/dist/detectors/_common/oracle.d.ts +5 -0
  34. package/dist/detectors/_common/oracle.js +64 -0
  35. package/dist/detectors/_common/price-rate.d.ts +116 -0
  36. package/dist/detectors/_common/price-rate.js +446 -0
  37. package/dist/detectors/_common/source-text.d.ts +11 -0
  38. package/dist/detectors/_common/source-text.js +82 -0
  39. package/dist/detectors/_common/weighted-pool-invariant.d.ts +21 -0
  40. package/dist/detectors/_common/weighted-pool-invariant.js +105 -0
  41. package/dist/detectors/aave-v2-reentrancy.d.ts +7 -0
  42. package/dist/detectors/aave-v2-reentrancy.js +286 -0
  43. package/dist/detectors/access-control.d.ts +103 -0
  44. package/dist/detectors/access-control.js +983 -0
  45. package/dist/detectors/add-reentrancy-on-weth-contract.d.ts +7 -0
  46. package/dist/detectors/add-reentrancy-on-weth-contract.js +536 -0
  47. package/dist/detectors/ai-generated-randomness.d.ts +32 -0
  48. package/dist/detectors/ai-generated-randomness.js +239 -0
  49. package/dist/detectors/amm-spot-oracle-manipulation.d.ts +52 -0
  50. package/dist/detectors/amm-spot-oracle-manipulation.js +420 -0
  51. package/dist/detectors/analyzing-the-uniswap-v3-exploit.d.ts +26 -0
  52. package/dist/detectors/analyzing-the-uniswap-v3-exploit.js +279 -0
  53. package/dist/detectors/any-token-is-destroyed.d.ts +34 -0
  54. package/dist/detectors/any-token-is-destroyed.js +527 -0
  55. package/dist/detectors/anyswap-anytoken-permit-allowance-drain.d.ts +7 -0
  56. package/dist/detectors/anyswap-anytoken-permit-allowance-drain.js +524 -0
  57. package/dist/detectors/anyswap-insufficient-token-validation.d.ts +24 -0
  58. package/dist/detectors/anyswap-insufficient-token-validation.js +342 -0
  59. package/dist/detectors/approval-based-drain.d.ts +7 -0
  60. package/dist/detectors/approval-based-drain.js +772 -0
  61. package/dist/detectors/arbitrary-account-balance-transfer.d.ts +7 -0
  62. package/dist/detectors/arbitrary-account-balance-transfer.js +485 -0
  63. package/dist/detectors/arbitrary-address-spoofing-attack.d.ts +7 -0
  64. package/dist/detectors/arbitrary-address-spoofing-attack.js +444 -0
  65. package/dist/detectors/arbitrary-address-spoofing.d.ts +9 -0
  66. package/dist/detectors/arbitrary-address-spoofing.js +657 -0
  67. package/dist/detectors/arbitrary-call-error.d.ts +127 -0
  68. package/dist/detectors/arbitrary-call-error.js +1163 -0
  69. package/dist/detectors/arbitrary-call.d.ts +4 -0
  70. package/dist/detectors/arbitrary-call.js +11 -0
  71. package/dist/detectors/arbitrary-delegatecall-target.d.ts +35 -0
  72. package/dist/detectors/arbitrary-delegatecall-target.js +554 -0
  73. package/dist/detectors/arbitrary-recipient-no-access-control.d.ts +7 -0
  74. package/dist/detectors/arbitrary-recipient-no-access-control.js +638 -0
  75. package/dist/detectors/arbitrary-storage-proof-forgery.d.ts +35 -0
  76. package/dist/detectors/arbitrary-storage-proof-forgery.js +340 -0
  77. package/dist/detectors/arbitrary-transfer-from.d.ts +38 -0
  78. package/dist/detectors/arbitrary-transfer-from.js +339 -0
  79. package/dist/detectors/arbitrum-cross-chain-message-replay.d.ts +22 -0
  80. package/dist/detectors/arbitrum-cross-chain-message-replay.js +477 -0
  81. package/dist/detectors/avs-slashing-without-quorum-check.d.ts +50 -0
  82. package/dist/detectors/avs-slashing-without-quorum-check.js +386 -0
  83. package/dist/detectors/bad-debt-propagation.d.ts +13 -0
  84. package/dist/detectors/bad-debt-propagation.js +480 -0
  85. package/dist/detectors/bad-k-value-verification.d.ts +7 -0
  86. package/dist/detectors/bad-k-value-verification.js +512 -0
  87. package/dist/detectors/bad-randomness-zero-blockhash.d.ts +29 -0
  88. package/dist/detectors/bad-randomness-zero-blockhash.js +115 -0
  89. package/dist/detectors/balancer-flash-loan-manipulation.d.ts +33 -0
  90. package/dist/detectors/balancer-flash-loan-manipulation.js +178 -0
  91. package/dist/detectors/balancer-pause-guard.d.ts +33 -0
  92. package/dist/detectors/balancer-pause-guard.js +307 -0
  93. package/dist/detectors/balancer-weighted-pool-flash-loan.d.ts +42 -0
  94. package/dist/detectors/balancer-weighted-pool-flash-loan.js +275 -0
  95. package/dist/detectors/batch-transfer-overflow.d.ts +7 -0
  96. package/dist/detectors/batch-transfer-overflow.js +465 -0
  97. package/dist/detectors/beneficiary-validation.d.ts +7 -0
  98. package/dist/detectors/beneficiary-validation.js +696 -0
  99. package/dist/detectors/borrow-behalf-consent.d.ts +7 -0
  100. package/dist/detectors/borrow-behalf-consent.js +400 -0
  101. package/dist/detectors/break-continue-scope.d.ts +7 -0
  102. package/dist/detectors/break-continue-scope.js +194 -0
  103. package/dist/detectors/bridge-accounting-bypass.d.ts +65 -0
  104. package/dist/detectors/bridge-accounting-bypass.js +449 -0
  105. package/dist/detectors/bridge-business-logic-flaw-incorrect-acc.d.ts +43 -0
  106. package/dist/detectors/bridge-business-logic-flaw-incorrect-acc.js +394 -0
  107. package/dist/detectors/bridge-collateral-drain.d.ts +7 -0
  108. package/dist/detectors/bridge-collateral-drain.js +630 -0
  109. package/dist/detectors/bridge-forged-proof.d.ts +7 -0
  110. package/dist/detectors/bridge-forged-proof.js +754 -0
  111. package/dist/detectors/bridge-missing-message-nonce.d.ts +57 -0
  112. package/dist/detectors/bridge-missing-message-nonce.js +638 -0
  113. package/dist/detectors/bridge-swap-metapool-attack.d.ts +20 -0
  114. package/dist/detectors/bridge-swap-metapool-attack.js +230 -0
  115. package/dist/detectors/business-logic-flaw-flashloan-price-mani.d.ts +7 -0
  116. package/dist/detectors/business-logic-flaw-flashloan-price-mani.js +353 -0
  117. package/dist/detectors/business-logic-flaw-incorrect-recipient-balance.d.ts +7 -0
  118. package/dist/detectors/business-logic-flaw-incorrect-recipient-balance.js +403 -0
  119. package/dist/detectors/business-logic-flaw.d.ts +21 -0
  120. package/dist/detectors/business-logic-flaw.js +339 -0
  121. package/dist/detectors/business-logic.d.ts +17 -0
  122. package/dist/detectors/business-logic.js +22 -0
  123. package/dist/detectors/bypassed-insolvency-check.d.ts +30 -0
  124. package/dist/detectors/bypassed-insolvency-check.js +232 -0
  125. package/dist/detectors/bytecode-divergence-risk.d.ts +32 -0
  126. package/dist/detectors/bytecode-divergence-risk.js +150 -0
  127. package/dist/detectors/cache-array-length.d.ts +30 -0
  128. package/dist/detectors/cache-array-length.js +177 -0
  129. package/dist/detectors/cache-storage-reads.d.ts +46 -0
  130. package/dist/detectors/cache-storage-reads.js +323 -0
  131. package/dist/detectors/calldata-secret-access-control.d.ts +36 -0
  132. package/dist/detectors/calldata-secret-access-control.js +446 -0
  133. package/dist/detectors/capital-cross-contract-reentrancy.d.ts +34 -0
  134. package/dist/detectors/capital-cross-contract-reentrancy.js +481 -0
  135. package/dist/detectors/cartel-custom-approval-logic.d.ts +7 -0
  136. package/dist/detectors/cartel-custom-approval-logic.js +407 -0
  137. package/dist/detectors/ccip-receiver-missing-replay-guard.d.ts +22 -0
  138. package/dist/detectors/ccip-receiver-missing-replay-guard.js +413 -0
  139. package/dist/detectors/chain-coupling-risk.d.ts +8 -0
  140. package/dist/detectors/chain-coupling-risk.js +203 -0
  141. package/dist/detectors/chainlink-deprecated-function.d.ts +7 -0
  142. package/dist/detectors/chainlink-deprecated-function.js +205 -0
  143. package/dist/detectors/chainlink-tx-origin.d.ts +7 -0
  144. package/dist/detectors/chainlink-tx-origin.js +363 -0
  145. package/dist/detectors/check-effects-interactions.d.ts +39 -0
  146. package/dist/detectors/check-effects-interactions.js +783 -0
  147. package/dist/detectors/check-permit-missing-chainid.d.ts +27 -0
  148. package/dist/detectors/check-permit-missing-chainid.js +456 -0
  149. package/dist/detectors/classic-reentrancy.d.ts +93 -0
  150. package/dist/detectors/classic-reentrancy.js +645 -0
  151. package/dist/detectors/coinbase-morpho-wethloan-policy.d.ts +29 -0
  152. package/dist/detectors/coinbase-morpho-wethloan-policy.js +368 -0
  153. package/dist/detectors/compoundv2-inflation-attack.d.ts +7 -0
  154. package/dist/detectors/compoundv2-inflation-attack.js +675 -0
  155. package/dist/detectors/constructor-address-validation.d.ts +24 -0
  156. package/dist/detectors/constructor-address-validation.js +335 -0
  157. package/dist/detectors/constructor-interface-no-address-validation.d.ts +32 -0
  158. package/dist/detectors/constructor-interface-no-address-validation.js +283 -0
  159. package/dist/detectors/cross-chain-arbitrary-call.d.ts +7 -0
  160. package/dist/detectors/cross-chain-arbitrary-call.js +601 -0
  161. package/dist/detectors/cross-chain-input-validation.d.ts +31 -0
  162. package/dist/detectors/cross-chain-input-validation.js +347 -0
  163. package/dist/detectors/cross-chain-intent-replay.d.ts +38 -0
  164. package/dist/detectors/cross-chain-intent-replay.js +453 -0
  165. package/dist/detectors/cross-chain-intent-stale-resolution.d.ts +7 -0
  166. package/dist/detectors/cross-chain-intent-stale-resolution.js +463 -0
  167. package/dist/detectors/cross-chain-message-order-dependency.d.ts +8 -0
  168. package/dist/detectors/cross-chain-message-order-dependency.js +472 -0
  169. package/dist/detectors/cross-chain-message-replay.d.ts +8 -0
  170. package/dist/detectors/cross-chain-message-replay.js +568 -0
  171. package/dist/detectors/cross-chain-messaging.d.ts +7 -0
  172. package/dist/detectors/cross-chain-messaging.js +663 -0
  173. package/dist/detectors/cross-chain-msg-truncation.d.ts +7 -0
  174. package/dist/detectors/cross-chain-msg-truncation.js +453 -0
  175. package/dist/detectors/cross-chain-truncation.d.ts +7 -0
  176. package/dist/detectors/cross-chain-truncation.js +422 -0
  177. package/dist/detectors/cross-contract-integer-overflow.d.ts +76 -0
  178. package/dist/detectors/cross-contract-integer-overflow.js +554 -0
  179. package/dist/detectors/cross-contract-reentrancy-trusted-callee.d.ts +39 -0
  180. package/dist/detectors/cross-contract-reentrancy-trusted-callee.js +385 -0
  181. package/dist/detectors/cross-contract-reentrancy.d.ts +63 -0
  182. package/dist/detectors/cross-contract-reentrancy.js +631 -0
  183. package/dist/detectors/cross-function-reentrancy.d.ts +37 -0
  184. package/dist/detectors/cross-function-reentrancy.js +648 -0
  185. package/dist/detectors/cross-protocol-contagion.d.ts +20 -0
  186. package/dist/detectors/cross-protocol-contagion.js +445 -0
  187. package/dist/detectors/cross-protocol-oracle-collateral.d.ts +38 -0
  188. package/dist/detectors/cross-protocol-oracle-collateral.js +487 -0
  189. package/dist/detectors/cross-vm-reentrancy.d.ts +7 -0
  190. package/dist/detectors/cross-vm-reentrancy.js +484 -0
  191. package/dist/detectors/decimals-mismatch.d.ts +89 -0
  192. package/dist/detectors/decimals-mismatch.js +451 -0
  193. package/dist/detectors/deferred-state-update.d.ts +16 -0
  194. package/dist/detectors/deferred-state-update.js +35 -0
  195. package/dist/detectors/deflationary-token.d.ts +27 -0
  196. package/dist/detectors/deflationary-token.js +751 -0
  197. package/dist/detectors/delegate-transfer-unrestricted-caller.d.ts +44 -0
  198. package/dist/detectors/delegate-transfer-unrestricted-caller.js +410 -0
  199. package/dist/detectors/delegatecall-fallback-reentrancy-bypass.d.ts +14 -0
  200. package/dist/detectors/delegatecall-fallback-reentrancy-bypass.js +241 -0
  201. package/dist/detectors/delegatecall-in-loops.d.ts +7 -0
  202. package/dist/detectors/delegatecall-in-loops.js +129 -0
  203. package/dist/detectors/delegatecall-init-owner-mutator.d.ts +8 -0
  204. package/dist/detectors/delegatecall-init-owner-mutator.js +655 -0
  205. package/dist/detectors/delegatecall-init.d.ts +7 -0
  206. package/dist/detectors/delegatecall-init.js +769 -0
  207. package/dist/detectors/delegatecall-untrusted-implementation.d.ts +41 -0
  208. package/dist/detectors/delegatecall-untrusted-implementation.js +888 -0
  209. package/dist/detectors/delegated-authorization-bypass.d.ts +7 -0
  210. package/dist/detectors/delegated-authorization-bypass.js +370 -0
  211. package/dist/detectors/denial-of-service.d.ts +117 -0
  212. package/dist/detectors/denial-of-service.js +947 -0
  213. package/dist/detectors/division-before-multiplication.d.ts +7 -0
  214. package/dist/detectors/division-before-multiplication.js +303 -0
  215. package/dist/detectors/dn404-mirror-access-control.d.ts +26 -0
  216. package/dist/detectors/dn404-mirror-access-control.js +315 -0
  217. package/dist/detectors/doge-flashloan.d.ts +29 -0
  218. package/dist/detectors/doge-flashloan.js +329 -0
  219. package/dist/detectors/donate-inflation-exchangerate-roundin.d.ts +7 -0
  220. package/dist/detectors/donate-inflation-exchangerate-roundin.js +621 -0
  221. package/dist/detectors/donation-share-inflation.d.ts +24 -0
  222. package/dist/detectors/donation-share-inflation.js +466 -0
  223. package/dist/detectors/dont-let-eth-get-rekt.d.ts +84 -0
  224. package/dist/detectors/dont-let-eth-get-rekt.js +1151 -0
  225. package/dist/detectors/dos-unbounded-loop-external-call-revert.d.ts +37 -0
  226. package/dist/detectors/dos-unbounded-loop-external-call-revert.js +541 -0
  227. package/dist/detectors/eip1167-proxy-reentrancy.d.ts +7 -0
  228. package/dist/detectors/eip1167-proxy-reentrancy.js +508 -0
  229. package/dist/detectors/eip4626-vault-reentrancy.d.ts +32 -0
  230. package/dist/detectors/eip4626-vault-reentrancy.js +312 -0
  231. package/dist/detectors/eip5792-auth-replay.d.ts +45 -0
  232. package/dist/detectors/eip5792-auth-replay.js +519 -0
  233. package/dist/detectors/eip712-domain-separator.d.ts +42 -0
  234. package/dist/detectors/eip712-domain-separator.js +524 -0
  235. package/dist/detectors/eip712-signature-verification.d.ts +49 -0
  236. package/dist/detectors/eip712-signature-verification.js +689 -0
  237. package/dist/detectors/eip7702-auth-replay.d.ts +7 -0
  238. package/dist/detectors/eip7702-auth-replay.js +768 -0
  239. package/dist/detectors/eip7702-cross-chain-replay.d.ts +27 -0
  240. package/dist/detectors/eip7702-cross-chain-replay.js +307 -0
  241. package/dist/detectors/eip7702-delegated-eoa-approval-race.d.ts +39 -0
  242. package/dist/detectors/eip7702-delegated-eoa-approval-race.js +413 -0
  243. package/dist/detectors/eip7702-delegation-reentrancy.d.ts +21 -0
  244. package/dist/detectors/eip7702-delegation-reentrancy.js +705 -0
  245. package/dist/detectors/eip7702-delegation-risk.d.ts +7 -0
  246. package/dist/detectors/eip7702-delegation-risk.js +745 -0
  247. package/dist/detectors/eip7702-eoa-assumption.d.ts +57 -0
  248. package/dist/detectors/eip7702-eoa-assumption.js +461 -0
  249. package/dist/detectors/erc1155-batch-missing-per-id-approval.d.ts +23 -0
  250. package/dist/detectors/erc1155-batch-missing-per-id-approval.js +343 -0
  251. package/dist/detectors/erc1155-reentrancy.d.ts +31 -0
  252. package/dist/detectors/erc1155-reentrancy.js +217 -0
  253. package/dist/detectors/erc1271-stub-implementation.d.ts +21 -0
  254. package/dist/detectors/erc1271-stub-implementation.js +268 -0
  255. package/dist/detectors/erc20-safe-wrapper-return-unchecked.d.ts +43 -0
  256. package/dist/detectors/erc20-safe-wrapper-return-unchecked.js +368 -0
  257. package/dist/detectors/erc20-unchecked-non-standard-return.d.ts +55 -0
  258. package/dist/detectors/erc20-unchecked-non-standard-return.js +454 -0
  259. package/dist/detectors/erc2612-permit-frontrunning.d.ts +23 -0
  260. package/dist/detectors/erc2612-permit-frontrunning.js +246 -0
  261. package/dist/detectors/erc2771-context-spoofing.d.ts +41 -0
  262. package/dist/detectors/erc2771-context-spoofing.js +510 -0
  263. package/dist/detectors/erc4337-validation-storage-access.d.ts +35 -0
  264. package/dist/detectors/erc4337-validation-storage-access.js +232 -0
  265. package/dist/detectors/erc4626-totalassets-stub.d.ts +17 -0
  266. package/dist/detectors/erc4626-totalassets-stub.js +216 -0
  267. package/dist/detectors/erc6909-balance-overflow.d.ts +7 -0
  268. package/dist/detectors/erc6909-balance-overflow.js +688 -0
  269. package/dist/detectors/erc6909-operator-scope.d.ts +49 -0
  270. package/dist/detectors/erc6909-operator-scope.js +494 -0
  271. package/dist/detectors/erc721-unchecked-transfer.d.ts +38 -0
  272. package/dist/detectors/erc721-unchecked-transfer.js +364 -0
  273. package/dist/detectors/erc7579-module-install-without-threshold.d.ts +40 -0
  274. package/dist/detectors/erc7579-module-install-without-threshold.js +338 -0
  275. package/dist/detectors/erc7683-fill-validation.d.ts +53 -0
  276. package/dist/detectors/erc7683-fill-validation.js +758 -0
  277. package/dist/detectors/erc7683-intent-resolution.d.ts +7 -0
  278. package/dist/detectors/erc7683-intent-resolution.js +457 -0
  279. package/dist/detectors/erc777-callback-reentrancy.d.ts +8 -0
  280. package/dist/detectors/erc777-callback-reentrancy.js +439 -0
  281. package/dist/detectors/erc777-reentrancy.d.ts +7 -0
  282. package/dist/detectors/erc777-reentrancy.js +488 -0
  283. package/dist/detectors/erc777-tokens-to-send-reentrancy.d.ts +47 -0
  284. package/dist/detectors/erc777-tokens-to-send-reentrancy.js +674 -0
  285. package/dist/detectors/estuary-token-flaw.d.ts +16 -0
  286. package/dist/detectors/estuary-token-flaw.js +547 -0
  287. package/dist/detectors/euler-debt-token-manipulation.d.ts +32 -0
  288. package/dist/detectors/euler-debt-token-manipulation.js +347 -0
  289. package/dist/detectors/exploiting-a-vulnerability-in-curve-fina.d.ts +29 -0
  290. package/dist/detectors/exploiting-a-vulnerability-in-curve-fina.js +210 -0
  291. package/dist/detectors/fallback-delegatecall-reentrancy.d.ts +14 -0
  292. package/dist/detectors/fallback-delegatecall-reentrancy.js +236 -0
  293. package/dist/detectors/farm-business-logic-flaw-lack-of-access.d.ts +7 -0
  294. package/dist/detectors/farm-business-logic-flaw-lack-of-access.js +665 -0
  295. package/dist/detectors/fee-mechanism-exploitation.d.ts +20 -0
  296. package/dist/detectors/fee-mechanism-exploitation.js +400 -0
  297. package/dist/detectors/fee-on-transfer-balance-mismatch.d.ts +49 -0
  298. package/dist/detectors/fee-on-transfer-balance-mismatch.js +394 -0
  299. package/dist/detectors/fhe-encrypted-input-validation.d.ts +29 -0
  300. package/dist/detectors/fhe-encrypted-input-validation.js +210 -0
  301. package/dist/detectors/fhe-handle-leakage.d.ts +44 -0
  302. package/dist/detectors/fhe-handle-leakage.js +315 -0
  303. package/dist/detectors/fhe-oz-pattern-misuse.d.ts +26 -0
  304. package/dist/detectors/fhe-oz-pattern-misuse.js +311 -0
  305. package/dist/detectors/fhe-state-leakage.d.ts +8 -0
  306. package/dist/detectors/fhe-state-leakage.js +400 -0
  307. package/dist/detectors/fi-bridges.d.ts +33 -0
  308. package/dist/detectors/fi-bridges.js +428 -0
  309. package/dist/detectors/finance-access-control-price-oracle-man.d.ts +9 -0
  310. package/dist/detectors/finance-access-control-price-oracle-man.js +640 -0
  311. package/dist/detectors/finance-bridge-address0safetransferfrom.d.ts +8 -0
  312. package/dist/detectors/finance-bridge-address0safetransferfrom.js +574 -0
  313. package/dist/detectors/finance-business-logic-in-mint.d.ts +54 -0
  314. package/dist/detectors/finance-business-logic-in-mint.js +687 -0
  315. package/dist/detectors/finance-erc667-reentrancy.d.ts +7 -0
  316. package/dist/detectors/finance-erc667-reentrancy.js +509 -0
  317. package/dist/detectors/finance-flashloan-price-oracle-manipul.d.ts +7 -0
  318. package/dist/detectors/finance-flashloan-price-oracle-manipul.js +546 -0
  319. package/dist/detectors/finance-flashloan-reentrancy.d.ts +7 -0
  320. package/dist/detectors/finance-flashloan-reentrancy.js +547 -0
  321. package/dist/detectors/finance-swap-metapool-attack.d.ts +19 -0
  322. package/dist/detectors/finance-swap-metapool-attack.js +321 -0
  323. package/dist/detectors/flashloan-price-manipulation.d.ts +7 -0
  324. package/dist/detectors/flashloan-price-manipulation.js +950 -0
  325. package/dist/detectors/flashloan-reentrancy-rari.d.ts +28 -0
  326. package/dist/detectors/flashloan-reentrancy-rari.js +577 -0
  327. package/dist/detectors/flashloan-reentrancy.d.ts +7 -0
  328. package/dist/detectors/flashloan-reentrancy.js +383 -0
  329. package/dist/detectors/flashloan-token-migrate.d.ts +7 -0
  330. package/dist/detectors/flashloan-token-migrate.js +274 -0
  331. package/dist/detectors/force-fed-eth-state-corruption.d.ts +32 -0
  332. package/dist/detectors/force-fed-eth-state-corruption.js +293 -0
  333. package/dist/detectors/free-mint-bug.d.ts +41 -0
  334. package/dist/detectors/free-mint-bug.js +483 -0
  335. package/dist/detectors/front-running-orderbook-state-update.d.ts +37 -0
  336. package/dist/detectors/front-running-orderbook-state-update.js +471 -0
  337. package/dist/detectors/front-running-shared-collateral-write.d.ts +41 -0
  338. package/dist/detectors/front-running-shared-collateral-write.js +508 -0
  339. package/dist/detectors/fusion-v1-settlement-arbitrary-yul-calld.d.ts +30 -0
  340. package/dist/detectors/fusion-v1-settlement-arbitrary-yul-calld.js +354 -0
  341. package/dist/detectors/generalized-frontrunning.d.ts +7 -0
  342. package/dist/detectors/generalized-frontrunning.js +836 -0
  343. package/dist/detectors/governance-flash-loan.d.ts +62 -0
  344. package/dist/detectors/governance-flash-loan.js +452 -0
  345. package/dist/detectors/governance-flashloan-vote.d.ts +41 -0
  346. package/dist/detectors/governance-flashloan-vote.js +272 -0
  347. package/dist/detectors/halborn-security-report-aave-v3.d.ts +6 -0
  348. package/dist/detectors/halborn-security-report-aave-v3.js +357 -0
  349. package/dist/detectors/incorrect-access-control.d.ts +26 -0
  350. package/dist/detectors/incorrect-access-control.js +328 -0
  351. package/dist/detectors/incorrect-burn-accounting.d.ts +10 -0
  352. package/dist/detectors/incorrect-burn-accounting.js +387 -0
  353. package/dist/detectors/incorrect-dividends-calculation.d.ts +27 -0
  354. package/dist/detectors/incorrect-dividends-calculation.js +524 -0
  355. package/dist/detectors/incorrect-dividends.d.ts +27 -0
  356. package/dist/detectors/incorrect-dividends.js +485 -0
  357. package/dist/detectors/incorrect-input-validation.d.ts +23 -0
  358. package/dist/detectors/incorrect-input-validation.js +312 -0
  359. package/dist/detectors/incorrect-signature-verification.d.ts +26 -0
  360. package/dist/detectors/incorrect-signature-verification.js +530 -0
  361. package/dist/detectors/infinite-loop.d.ts +7 -0
  362. package/dist/detectors/infinite-loop.js +440 -0
  363. package/dist/detectors/infinite-number-of-loans.d.ts +13 -0
  364. package/dist/detectors/infinite-number-of-loans.js +565 -0
  365. package/dist/detectors/inheritance-override.d.ts +26 -0
  366. package/dist/detectors/inheritance-override.js +320 -0
  367. package/dist/detectors/initialization-access-control.d.ts +8 -0
  368. package/dist/detectors/initialization-access-control.js +659 -0
  369. package/dist/detectors/insecure-randomness.d.ts +73 -0
  370. package/dist/detectors/insecure-randomness.js +610 -0
  371. package/dist/detectors/insufficient-access-control-trusted-param.d.ts +39 -0
  372. package/dist/detectors/insufficient-access-control-trusted-param.js +356 -0
  373. package/dist/detectors/insufficient-dvn-threshold.d.ts +32 -0
  374. package/dist/detectors/insufficient-dvn-threshold.js +585 -0
  375. package/dist/detectors/integer-overflow-detector.d.ts +45 -0
  376. package/dist/detectors/integer-overflow-detector.js +284 -0
  377. package/dist/detectors/integer-overflow.d.ts +95 -0
  378. package/dist/detectors/integer-overflow.js +344 -0
  379. package/dist/detectors/integer-underflow.d.ts +7 -0
  380. package/dist/detectors/integer-underflow.js +422 -0
  381. package/dist/detectors/intent-settlement-balance-manipulation.d.ts +22 -0
  382. package/dist/detectors/intent-settlement-balance-manipulation.js +548 -0
  383. package/dist/detectors/l1-to-l2-message-reentrancy.d.ts +7 -0
  384. package/dist/detectors/l1-to-l2-message-reentrancy.js +545 -0
  385. package/dist/detectors/l2-withdrawal-validation.d.ts +8 -0
  386. package/dist/detectors/l2-withdrawal-validation.js +303 -0
  387. package/dist/detectors/lack-of-access-control.d.ts +7 -0
  388. package/dist/detectors/lack-of-access-control.js +425 -0
  389. package/dist/detectors/lack-of-calldata-validation.d.ts +16 -0
  390. package/dist/detectors/lack-of-calldata-validation.js +914 -0
  391. package/dist/detectors/lack-of-input-validation-reentrancy.d.ts +7 -0
  392. package/dist/detectors/lack-of-input-validation-reentrancy.js +637 -0
  393. package/dist/detectors/lack-of-slippage-control.d.ts +7 -0
  394. package/dist/detectors/lack-of-slippage-control.js +513 -0
  395. package/dist/detectors/lack-of-slippage-protection.d.ts +7 -0
  396. package/dist/detectors/lack-of-slippage-protection.js +474 -0
  397. package/dist/detectors/lack-of-validation-data.d.ts +23 -0
  398. package/dist/detectors/lack-of-validation-data.js +391 -0
  399. package/dist/detectors/lack-of-validation-pool.d.ts +7 -0
  400. package/dist/detectors/lack-of-validation-pool.js +492 -0
  401. package/dist/detectors/lack-of-validation-userdata.d.ts +7 -0
  402. package/dist/detectors/lack-of-validation-userdata.js +583 -0
  403. package/dist/detectors/lack-of-validation.d.ts +27 -0
  404. package/dist/detectors/lack-of-validation.js +609 -0
  405. package/dist/detectors/layerzero-dvn-quorum-missing.d.ts +22 -0
  406. package/dist/detectors/layerzero-dvn-quorum-missing.js +464 -0
  407. package/dist/detectors/layerzero-v2-unverified-origin.d.ts +40 -0
  408. package/dist/detectors/layerzero-v2-unverified-origin.js +368 -0
  409. package/dist/detectors/liquidation-accounting-desync.d.ts +14 -0
  410. package/dist/detectors/liquidation-accounting-desync.js +145 -0
  411. package/dist/detectors/liquidation-gain-manipulation.d.ts +42 -0
  412. package/dist/detectors/liquidation-gain-manipulation.js +606 -0
  413. package/dist/detectors/liquidation-price-rounding-advantage.d.ts +26 -0
  414. package/dist/detectors/liquidation-price-rounding-advantage.js +283 -0
  415. package/dist/detectors/liquidity-poisoning.d.ts +25 -0
  416. package/dist/detectors/liquidity-poisoning.js +339 -0
  417. package/dist/detectors/loans-malicious-proposal-price-oracle.d.ts +44 -0
  418. package/dist/detectors/loans-malicious-proposal-price-oracle.js +813 -0
  419. package/dist/detectors/logic-flaw.d.ts +186 -0
  420. package/dist/detectors/logic-flaw.js +3356 -0
  421. package/dist/detectors/manipulation-of-funds.d.ts +31 -0
  422. package/dist/detectors/manipulation-of-funds.js +304 -0
  423. package/dist/detectors/merkl-unsafe-claim-callback.d.ts +22 -0
  424. package/dist/detectors/merkl-unsafe-claim-callback.js +94 -0
  425. package/dist/detectors/mev-boost-timestamp.d.ts +7 -0
  426. package/dist/detectors/mev-boost-timestamp.js +318 -0
  427. package/dist/detectors/mev-merge-exploit.d.ts +29 -0
  428. package/dist/detectors/mev-merge-exploit.js +397 -0
  429. package/dist/detectors/mev-sandwich-vulnerability.d.ts +24 -0
  430. package/dist/detectors/mev-sandwich-vulnerability.js +648 -0
  431. package/dist/detectors/mev-slot-manipulation.d.ts +36 -0
  432. package/dist/detectors/mev-slot-manipulation.js +691 -0
  433. package/dist/detectors/mevbot-insufficient-validation.d.ts +48 -0
  434. package/dist/detectors/mevbot-insufficient-validation.js +574 -0
  435. package/dist/detectors/migration-rebalance-without-bound.d.ts +7 -0
  436. package/dist/detectors/migration-rebalance-without-bound.js +514 -0
  437. package/dist/detectors/mint-hardcoded-asset-parity.d.ts +31 -0
  438. package/dist/detectors/mint-hardcoded-asset-parity.js +356 -0
  439. package/dist/detectors/miscalculation-on-spendallowance.d.ts +7 -0
  440. package/dist/detectors/miscalculation-on-spendallowance.js +188 -0
  441. package/dist/detectors/misconfiguration.d.ts +27 -0
  442. package/dist/detectors/misconfiguration.js +410 -0
  443. package/dist/detectors/missing-access-control-caller-supplied-auth.d.ts +7 -0
  444. package/dist/detectors/missing-access-control-caller-supplied-auth.js +550 -0
  445. package/dist/detectors/missing-access-control-receiver-payout.d.ts +7 -0
  446. package/dist/detectors/missing-access-control-receiver-payout.js +460 -0
  447. package/dist/detectors/missing-access-control-role-or-transferfrom.d.ts +7 -0
  448. package/dist/detectors/missing-access-control-role-or-transferfrom.js +663 -0
  449. package/dist/detectors/missing-access-control.d.ts +19 -0
  450. package/dist/detectors/missing-access-control.js +781 -0
  451. package/dist/detectors/missing-sequencer-uptime-check.d.ts +30 -0
  452. package/dist/detectors/missing-sequencer-uptime-check.js +348 -0
  453. package/dist/detectors/missing-storage-gap.d.ts +19 -0
  454. package/dist/detectors/missing-storage-gap.js +193 -0
  455. package/dist/detectors/missing-swap-deadline-slippage.d.ts +31 -0
  456. package/dist/detectors/missing-swap-deadline-slippage.js +231 -0
  457. package/dist/detectors/missing-zk-proof-verification.d.ts +60 -0
  458. package/dist/detectors/missing-zk-proof-verification.js +547 -0
  459. package/dist/detectors/my-experience-with-yearn-finance.d.ts +7 -0
  460. package/dist/detectors/my-experience-with-yearn-finance.js +552 -0
  461. package/dist/detectors/network-bridge-ronin.d.ts +7 -0
  462. package/dist/detectors/network-bridge-ronin.js +408 -0
  463. package/dist/detectors/network-bridge.d.ts +7 -0
  464. package/dist/detectors/network-bridge.js +444 -0
  465. package/dist/detectors/network-underflow.d.ts +7 -0
  466. package/dist/detectors/network-underflow.js +517 -0
  467. package/dist/detectors/nft-denial-of-service.d.ts +7 -0
  468. package/dist/detectors/nft-denial-of-service.js +223 -0
  469. package/dist/detectors/nft-marketplace-order-reentrancy.d.ts +7 -0
  470. package/dist/detectors/nft-marketplace-order-reentrancy.js +427 -0
  471. package/dist/detectors/nft-token-standard-access-control.d.ts +7 -0
  472. package/dist/detectors/nft-token-standard-access-control.js +455 -0
  473. package/dist/detectors/oracle-manipulation-amm-spot-price.d.ts +42 -0
  474. package/dist/detectors/oracle-manipulation-amm-spot-price.js +321 -0
  475. package/dist/detectors/oracle-manipulation-liquidity-withdrawal.d.ts +27 -0
  476. package/dist/detectors/oracle-manipulation-liquidity-withdrawal.js +192 -0
  477. package/dist/detectors/oracle-manipulation.d.ts +90 -0
  478. package/dist/detectors/oracle-manipulation.js +1023 -0
  479. package/dist/detectors/oracle-vortex-manipulation.d.ts +30 -0
  480. package/dist/detectors/oracle-vortex-manipulation.js +473 -0
  481. package/dist/detectors/overpriced-asset-in-oracle.d.ts +41 -0
  482. package/dist/detectors/overpriced-asset-in-oracle.js +420 -0
  483. package/dist/detectors/oz-access-control-roles.d.ts +33 -0
  484. package/dist/detectors/oz-access-control-roles.js +359 -0
  485. package/dist/detectors/pair-manipulation-transfer-hook.d.ts +38 -0
  486. package/dist/detectors/pair-manipulation-transfer-hook.js +366 -0
  487. package/dist/detectors/parameter-access-control.d.ts +47 -0
  488. package/dist/detectors/parameter-access-control.js +511 -0
  489. package/dist/detectors/parameter-manipulation.d.ts +7 -0
  490. package/dist/detectors/parameter-manipulation.js +505 -0
  491. package/dist/detectors/parity-multisig-delegatecall.d.ts +7 -0
  492. package/dist/detectors/parity-multisig-delegatecall.js +707 -0
  493. package/dist/detectors/permissionless-claim-amm-spot-pricing.d.ts +7 -0
  494. package/dist/detectors/permissionless-claim-amm-spot-pricing.js +351 -0
  495. package/dist/detectors/permit-future-dated-deadline.d.ts +31 -0
  496. package/dist/detectors/permit-future-dated-deadline.js +339 -0
  497. package/dist/detectors/phishing-attack-bybit.d.ts +37 -0
  498. package/dist/detectors/phishing-attack-bybit.js +513 -0
  499. package/dist/detectors/post-insolvency-check.d.ts +7 -0
  500. package/dist/detectors/post-insolvency-check.js +277 -0
  501. package/dist/detectors/precision-loss-vulnerability.d.ts +7 -0
  502. package/dist/detectors/precision-loss-vulnerability.js +472 -0
  503. package/dist/detectors/precision-truncation.d.ts +8 -0
  504. package/dist/detectors/precision-truncation.js +425 -0
  505. package/dist/detectors/price-dependency-veth.d.ts +41 -0
  506. package/dist/detectors/price-dependency-veth.js +588 -0
  507. package/dist/detectors/price-feed-verification.d.ts +7 -0
  508. package/dist/detectors/price-feed-verification.js +557 -0
  509. package/dist/detectors/price-manipulation-reentrancy.d.ts +32 -0
  510. package/dist/detectors/price-manipulation-reentrancy.js +445 -0
  511. package/dist/detectors/price-manipulation-via-reentranc.d.ts +7 -0
  512. package/dist/detectors/price-manipulation-via-reentranc.js +569 -0
  513. package/dist/detectors/price-oracle-manipulation.d.ts +25 -0
  514. package/dist/detectors/price-oracle-manipulation.js +530 -0
  515. package/dist/detectors/project-instant-rewards-unlocked.d.ts +6 -0
  516. package/dist/detectors/project-instant-rewards-unlocked.js +462 -0
  517. package/dist/detectors/protocol-reentrancy.d.ts +7 -0
  518. package/dist/detectors/protocol-reentrancy.js +457 -0
  519. package/dist/detectors/proxy-init-race.d.ts +11 -0
  520. package/dist/detectors/proxy-init-race.js +634 -0
  521. package/dist/detectors/proxy-storage-slot-collision.d.ts +7 -0
  522. package/dist/detectors/proxy-storage-slot-collision.js +135 -0
  523. package/dist/detectors/public-internal-function.d.ts +39 -0
  524. package/dist/detectors/public-internal-function.js +233 -0
  525. package/dist/detectors/quote-silent-zero.d.ts +25 -0
  526. package/dist/detectors/quote-silent-zero.js +156 -0
  527. package/dist/detectors/readonly-reentrancy.d.ts +9 -0
  528. package/dist/detectors/readonly-reentrancy.js +108 -0
  529. package/dist/detectors/receipt-redemption-missing-validation.d.ts +31 -0
  530. package/dist/detectors/receipt-redemption-missing-validation.js +453 -0
  531. package/dist/detectors/reentrancy-balance.d.ts +36 -0
  532. package/dist/detectors/reentrancy-balance.js +577 -0
  533. package/dist/detectors/reentrancy-business-logic-game.d.ts +36 -0
  534. package/dist/detectors/reentrancy-business-logic-game.js +616 -0
  535. package/dist/detectors/reentrancy-on-sell-nft.d.ts +23 -0
  536. package/dist/detectors/reentrancy-on-sell-nft.js +510 -0
  537. package/dist/detectors/reflection-token-balance-desync.d.ts +28 -0
  538. package/dist/detectors/reflection-token-balance-desync.js +246 -0
  539. package/dist/detectors/registry-engine.d.ts +34 -0
  540. package/dist/detectors/registry-engine.js +388 -0
  541. package/dist/detectors/rollup-unvalidated-state-update.d.ts +35 -0
  542. package/dist/detectors/rollup-unvalidated-state-update.js +286 -0
  543. package/dist/detectors/s-horizon-bridge-private-key-compromis.d.ts +8 -0
  544. package/dist/detectors/s-horizon-bridge-private-key-compromis.js +615 -0
  545. package/dist/detectors/share-price-manipulation.d.ts +7 -0
  546. package/dist/detectors/share-price-manipulation.js +653 -0
  547. package/dist/detectors/signature-replay.d.ts +30 -0
  548. package/dist/detectors/signature-replay.js +367 -0
  549. package/dist/detectors/simpleswap-unverified-approval.d.ts +27 -0
  550. package/dist/detectors/simpleswap-unverified-approval.js +198 -0
  551. package/dist/detectors/single-spot-oracle-collateral-valuation.d.ts +22 -0
  552. package/dist/detectors/single-spot-oracle-collateral-valuation.js +419 -0
  553. package/dist/detectors/skim-token-balance.d.ts +7 -0
  554. package/dist/detectors/skim-token-balance.js +788 -0
  555. package/dist/detectors/sky-oft-governance-payload.d.ts +7 -0
  556. package/dist/detectors/sky-oft-governance-payload.js +515 -0
  557. package/dist/detectors/sky-oft-governance-truncation.d.ts +32 -0
  558. package/dist/detectors/sky-oft-governance-truncation.js +377 -0
  559. package/dist/detectors/solana-evm-bridge-truncation.d.ts +7 -0
  560. package/dist/detectors/solana-evm-bridge-truncation.js +638 -0
  561. package/dist/detectors/solhint-unchecked-low-level-call.d.ts +74 -0
  562. package/dist/detectors/solhint-unchecked-low-level-call.js +463 -0
  563. package/dist/detectors/stablecoin-pair-spot-oracle.d.ts +7 -0
  564. package/dist/detectors/stablecoin-pair-spot-oracle.js +364 -0
  565. package/dist/detectors/staked-rate-as-oracle.d.ts +44 -0
  566. package/dist/detectors/staked-rate-as-oracle.js +497 -0
  567. package/dist/detectors/stale-oracle.d.ts +63 -0
  568. package/dist/detectors/stale-oracle.js +649 -0
  569. package/dist/detectors/starkware-proof-validation-gap.d.ts +18 -0
  570. package/dist/detectors/starkware-proof-validation-gap.js +629 -0
  571. package/dist/detectors/steth-transfer-reentrancy.d.ts +8 -0
  572. package/dist/detectors/steth-transfer-reentrancy.js +317 -0
  573. package/dist/detectors/storage-collision-malicious-proposal.d.ts +27 -0
  574. package/dist/detectors/storage-collision-malicious-proposal.js +386 -0
  575. package/dist/detectors/timestamp-manipulation.d.ts +49 -0
  576. package/dist/detectors/timestamp-manipulation.js +383 -0
  577. package/dist/detectors/token-access-control.d.ts +7 -0
  578. package/dist/detectors/token-access-control.js +544 -0
  579. package/dist/detectors/token-incorrect-signature-verification.d.ts +23 -0
  580. package/dist/detectors/token-incorrect-signature-verification.js +434 -0
  581. package/dist/detectors/token-transfer-logic-flaw.d.ts +33 -0
  582. package/dist/detectors/token-transfer-logic-flaw.js +267 -0
  583. package/dist/detectors/transfer-double-debit-pool-recipient.d.ts +7 -0
  584. package/dist/detectors/transfer-double-debit-pool-recipient.js +542 -0
  585. package/dist/detectors/treasury-reentrancy.d.ts +7 -0
  586. package/dist/detectors/treasury-reentrancy.js +442 -0
  587. package/dist/detectors/tstore-poison.d.ts +32 -0
  588. package/dist/detectors/tstore-poison.js +417 -0
  589. package/dist/detectors/tstore-race-condition.d.ts +7 -0
  590. package/dist/detectors/tstore-race-condition.js +632 -0
  591. package/dist/detectors/types.d.ts +85 -0
  592. package/dist/detectors/types.js +20 -0
  593. package/dist/detectors/unauthorized-payer-transferfrom.d.ts +66 -0
  594. package/dist/detectors/unauthorized-payer-transferfrom.js +339 -0
  595. package/dist/detectors/unauthorized-transferfrom-shell.d.ts +7 -0
  596. package/dist/detectors/unauthorized-transferfrom-shell.js +504 -0
  597. package/dist/detectors/unauthorized-transferfrom.d.ts +16 -0
  598. package/dist/detectors/unauthorized-transferfrom.js +838 -0
  599. package/dist/detectors/unbound-zk-verifier-input.d.ts +7 -0
  600. package/dist/detectors/unbound-zk-verifier-input.js +445 -0
  601. package/dist/detectors/unbounded-share-price-collateral-oracle.d.ts +48 -0
  602. package/dist/detectors/unbounded-share-price-collateral-oracle.js +566 -0
  603. package/dist/detectors/uncapped-reward-emission.d.ts +7 -0
  604. package/dist/detectors/uncapped-reward-emission.js +493 -0
  605. package/dist/detectors/unchecked-call-forwarding.d.ts +31 -0
  606. package/dist/detectors/unchecked-call-forwarding.js +330 -0
  607. package/dist/detectors/unchecked-external-call-unconditional-state-mutation.d.ts +18 -0
  608. package/dist/detectors/unchecked-external-call-unconditional-state-mutation.js +311 -0
  609. package/dist/detectors/unchecked-external-call.d.ts +66 -0
  610. package/dist/detectors/unchecked-external-call.js +389 -0
  611. package/dist/detectors/unchecked-oft-return.d.ts +13 -0
  612. package/dist/detectors/unchecked-oft-return.js +118 -0
  613. package/dist/detectors/unguarded-governance-execution.d.ts +35 -0
  614. package/dist/detectors/unguarded-governance-execution.js +422 -0
  615. package/dist/detectors/unguarded-governance-executor.d.ts +35 -0
  616. package/dist/detectors/unguarded-governance-executor.js +349 -0
  617. package/dist/detectors/unindexed-event-address.d.ts +7 -0
  618. package/dist/detectors/unindexed-event-address.js +268 -0
  619. package/dist/detectors/uninitialized-implementation.d.ts +27 -0
  620. package/dist/detectors/uninitialized-implementation.js +333 -0
  621. package/dist/detectors/uninitialized-storage-pointer.d.ts +7 -0
  622. package/dist/detectors/uninitialized-storage-pointer.js +110 -0
  623. package/dist/detectors/uniswap-skim-token-balance-attack.d.ts +8 -0
  624. package/dist/detectors/uniswap-skim-token-balance-attack.js +331 -0
  625. package/dist/detectors/uniswap-v4-hook-state-manipulation.d.ts +7 -0
  626. package/dist/detectors/uniswap-v4-hook-state-manipulation.js +296 -0
  627. package/dist/detectors/unprotected-admin-or-fund-sink.d.ts +7 -0
  628. package/dist/detectors/unprotected-admin-or-fund-sink.js +643 -0
  629. package/dist/detectors/unprotected-dex-swap.d.ts +43 -0
  630. package/dist/detectors/unprotected-dex-swap.js +334 -0
  631. package/dist/detectors/unprotected-initializer.d.ts +7 -0
  632. package/dist/detectors/unprotected-initializer.js +707 -0
  633. package/dist/detectors/unprotected-pair-initializer.d.ts +22 -0
  634. package/dist/detectors/unprotected-pair-initializer.js +359 -0
  635. package/dist/detectors/unprotected-upgrade-function.d.ts +7 -0
  636. package/dist/detectors/unprotected-upgrade-function.js +180 -0
  637. package/dist/detectors/unreachable-code-0.8.28.d.ts +19 -0
  638. package/dist/detectors/unreachable-code-0.8.28.js +206 -0
  639. package/dist/detectors/unsafe-proxy-storage.d.ts +7 -0
  640. package/dist/detectors/unsafe-proxy-storage.js +436 -0
  641. package/dist/detectors/unsafe-transient-storage.d.ts +7 -0
  642. package/dist/detectors/unsafe-transient-storage.js +1052 -0
  643. package/dist/detectors/unsafe-tx-origin.d.ts +9 -0
  644. package/dist/detectors/unsafe-tx-origin.js +179 -0
  645. package/dist/detectors/unsigned-validity-window.d.ts +20 -0
  646. package/dist/detectors/unsigned-validity-window.js +220 -0
  647. package/dist/detectors/unvalidated-interface-address.d.ts +25 -0
  648. package/dist/detectors/unvalidated-interface-address.js +377 -0
  649. package/dist/detectors/uups-uninitialized-storage.d.ts +9 -0
  650. package/dist/detectors/uups-uninitialized-storage.js +366 -0
  651. package/dist/detectors/v2-error-k-value-attack.d.ts +33 -0
  652. package/dist/detectors/v2-error-k-value-attack.js +276 -0
  653. package/dist/detectors/v2-k-invariant-bypass.d.ts +33 -0
  654. package/dist/detectors/v2-k-invariant-bypass.js +283 -0
  655. package/dist/detectors/v4-hook-reentrancy.d.ts +9 -0
  656. package/dist/detectors/v4-hook-reentrancy.js +488 -0
  657. package/dist/detectors/vault-inflation-rounding.d.ts +23 -0
  658. package/dist/detectors/vault-inflation-rounding.js +477 -0
  659. package/dist/detectors/vault-share-price-manipulation.d.ts +7 -0
  660. package/dist/detectors/vault-share-price-manipulation.js +332 -0
  661. package/dist/detectors/vortex-interaction-guard.d.ts +45 -0
  662. package/dist/detectors/vortex-interaction-guard.js +275 -0
  663. package/dist/detectors/vortex-protocol-reentrancy-guard.d.ts +27 -0
  664. package/dist/detectors/vortex-protocol-reentrancy-guard.js +408 -0
  665. package/dist/detectors/vulnerable-price-dependency.d.ts +41 -0
  666. package/dist/detectors/vulnerable-price-dependency.js +473 -0
  667. package/dist/detectors/weak-random-mint.d.ts +37 -0
  668. package/dist/detectors/weak-random-mint.js +271 -0
  669. package/dist/detectors/withdraw-be-to-withdraw.d.ts +26 -0
  670. package/dist/detectors/withdraw-be-to-withdraw.js +329 -0
  671. package/dist/detectors/wrong-function-visibility.d.ts +29 -0
  672. package/dist/detectors/wrong-function-visibility.js +147 -0
  673. package/dist/detectors/wrong-price-calculation.d.ts +42 -0
  674. package/dist/detectors/wrong-price-calculation.js +387 -0
  675. package/dist/detectors/yearn-vault-v2-share-price-manipulation.d.ts +32 -0
  676. package/dist/detectors/yearn-vault-v2-share-price-manipulation.js +248 -0
  677. package/dist/detectors/zero-fee.d.ts +7 -0
  678. package/dist/detectors/zero-fee.js +596 -0
  679. package/dist/detectors/zetachain-gateway-hack-analysis.d.ts +7 -0
  680. package/dist/detectors/zetachain-gateway-hack-analysis.js +629 -0
  681. package/dist/detectors/zk-rollup-da-gap.d.ts +8 -0
  682. package/dist/detectors/zk-rollup-da-gap.js +322 -0
  683. package/dist/detectors/zksync-batch-validation.d.ts +8 -0
  684. package/dist/detectors/zksync-batch-validation.js +461 -0
  685. package/dist/detectors/zksync-era-rollup-state-update.d.ts +60 -0
  686. package/dist/detectors/zksync-era-rollup-state-update.js +360 -0
  687. package/dist/detectors/zksync-simulation-drift.d.ts +35 -0
  688. package/dist/detectors/zksync-simulation-drift.js +309 -0
  689. package/dist/exit-codes.d.ts +15 -0
  690. package/dist/exit-codes.js +18 -0
  691. package/dist/formatters/github-actions.d.ts +2 -0
  692. package/dist/formatters/github-actions.js +61 -0
  693. package/dist/formatters/sarif.d.ts +24 -0
  694. package/dist/formatters/sarif.js +670 -0
  695. package/dist/formatters/text.d.ts +14 -0
  696. package/dist/formatters/text.js +152 -0
  697. package/dist/fp-rates.json +70 -0
  698. package/dist/identity/diff-baseline.d.ts +16 -0
  699. package/dist/identity/diff-baseline.js +152 -0
  700. package/dist/identity/hashing.d.ts +39 -0
  701. package/dist/identity/hashing.js +96 -0
  702. package/dist/index.d.ts +174 -0
  703. package/dist/index.js +358 -0
  704. package/dist/parallel-scan.d.ts +66 -0
  705. package/dist/parallel-scan.js +227 -0
  706. package/dist/registry.d.ts +17 -0
  707. package/dist/registry.js +118 -0
  708. package/dist/rules/glob.d.ts +5 -0
  709. package/dist/rules/glob.js +76 -0
  710. package/dist/rules/suppressions.d.ts +23 -0
  711. package/dist/rules/suppressions.js +136 -0
  712. package/dist/rules/tiers.d.ts +23 -0
  713. package/dist/rules/tiers.js +341 -0
  714. package/dist/scan-worker.d.ts +1 -0
  715. package/dist/scan-worker.js +61 -0
  716. package/dist/scan.d.ts +24 -0
  717. package/dist/scan.js +558 -0
  718. package/dist/semantic/contracts.d.ts +10 -0
  719. package/dist/semantic/contracts.js +141 -0
  720. package/dist/semantic/diagnostics.d.ts +29 -0
  721. package/dist/semantic/diagnostics.js +25 -0
  722. package/dist/semantic/eog.d.ts +56 -0
  723. package/dist/semantic/eog.js +545 -0
  724. package/dist/semantic/imports.d.ts +88 -0
  725. package/dist/semantic/imports.js +246 -0
  726. package/dist/semantic/index.d.ts +2 -0
  727. package/dist/semantic/index.js +8 -0
  728. package/dist/semantic/inheritance.d.ts +33 -0
  729. package/dist/semantic/inheritance.js +137 -0
  730. package/dist/semantic/model.d.ts +95 -0
  731. package/dist/semantic/model.js +232 -0
  732. package/dist/semantic/taint-tracker.d.ts +49 -0
  733. package/dist/semantic/taint-tracker.js +410 -0
  734. package/dist/semantic/types.d.ts +119 -0
  735. package/dist/semantic/types.js +18 -0
  736. package/dist/severity.d.ts +10 -0
  737. package/dist/severity.js +78 -0
  738. package/package.json +52 -0
package/dist/detectors/arbitrary-call-error.js ADDED
@@ -0,0 +1,1163 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.ArbitraryCallErrorDetector = void 0;
4
+ const dataflow_1 = require("./_common/dataflow");
5
+ const ast_1 = require("./_common/ast");
6
+ const access_control_1 = require("./_common/access-control");
7
+ const RULE_ID = 'user-controlled-arbitrary-call';
8
+ // Privilege-name policy for this detector. Kept local because the
9
+ // detector deliberately includes `auth`, `govern`, `manager`, and
10
+ // `timelock` (broader than the core access-control detector's set
11
+ // in src/index.ts). The shared structural predicates take this as
12
+ // a parameter so the policy stays here while the AST walking is
13
+ // centralised.
14
+ const ARBITRARY_CALL_PRIVILEGED_NAME = /(owner|admin|role|auth|govern|guardian|manager|operator|timelock)/i;
15
+ function isArbitraryCallPrivilegedName(name) {
16
+ return ARBITRARY_CALL_PRIVILEGED_NAME.test(name);
17
+ }
18
+ const ACCESS_CONTROL_MODIFIER = /^(onlyowner|onlyowners|onlyrole|onlyadmin|onlyauthorized|authorized|auth|onlyoperator|onlyoperators|onlyprotocol|onlygovernance|onlygovernor|onlyguardian|onlymanager|onlytrusted|onlytimelock)$/i;
19
+ const REENTRANCY_GUARD_MODIFIER = /^nonreentrant$/i;
20
+ const MULTICALL_OR_FORWARDER_FUNCTIONS = new Set([
21
+ 'multicall',
22
+ 'aggregate',
23
+ 'batchCall',
24
+ 'executeBatch',
25
+ 'tryAggregate',
26
+ 'forwardRequest',
27
+ ]);
28
+ class ArbitraryCallErrorDetector {
29
+ id;
30
+ patternKey;
31
+ supportedAstKinds = ['parser', 'solc'];
32
+ outputSeverity;
33
+ findings = [];
34
+ currentFile = '';
35
+ currentContract = '';
36
+ currentFunction = '';
37
+ currentFunctionGuarded = false;
38
+ currentFunctionContextSuppressed = false;
39
+ verifiedRequestIdentifiers = new Set();
40
+ sawApproval = false;
41
+ parameters = new Set();
42
+ taintedLocals = new Set();
43
+ localOrigins = new Map();
44
+ selectorChecked = new Set();
45
+ targetChecked = new Set();
46
+ stateVariables = new Set();
47
+ immutableStateVariables = new Set();
48
+ seen = new Set();
49
+ currentParameters = [];
50
+ propagatedParamTaint = new Map();
51
+ propagatedParamOrigins = new Map();
52
+ constructor(id = RULE_ID, severity = 'warning') {
53
+ this.id = id;
54
+ this.patternKey = id;
55
+ this.outputSeverity = severity;
56
+ }
57
+ setFile(file) {
58
+ this.currentFile = file;
59
+ this.findings = [];
60
+ this.currentContract = '';
61
+ this.currentFunction = '';
62
+ this.currentFunctionGuarded = false;
63
+ this.currentFunctionContextSuppressed = false;
64
+ this.verifiedRequestIdentifiers.clear();
65
+ this.sawApproval = false;
66
+ this.parameters.clear();
67
+ this.taintedLocals.clear();
68
+ this.localOrigins.clear();
69
+ this.selectorChecked.clear();
70
+ this.targetChecked.clear();
71
+ this.stateVariables.clear();
72
+ this.immutableStateVariables.clear();
73
+ this.seen.clear();
74
+ this.currentParameters = [];
75
+ this.propagatedParamTaint.clear();
76
+ this.propagatedParamOrigins.clear();
77
+ }
78
+ getFindings() {
79
+ return this.findings;
80
+ }
81
+ ContractDefinition(node) {
82
+ this.currentContract = node.name || '<anonymous>';
83
+ this.propagatedParamTaint = this.collectPropagatedParamTaint(node);
84
+ }
85
+ ContractDefinition_post(_node) {
86
+ this.currentContract = '';
87
+ }
88
+ StateVariableDeclaration(node) {
89
+ for (const variable of node.variables || []) {
90
+ if (!variable?.name)
91
+ continue;
92
+ this.stateVariables.add(variable.name);
93
+ if (variable.isImmutable || variable.mutability === 'immutable' || variable.typeName?.mutability === 'immutable') {
94
+ this.immutableStateVariables.add(variable.name);
95
+ }
96
+ }
97
+ }
98
+ FunctionDefinition(node) {
99
+ this.currentFunction = node.name || '<anonymous>';
100
+ this.currentFunctionGuarded = this.hasAccessControl(node);
101
+ this.currentFunctionContextSuppressed = this.hasSuppressedCallerContext(node);
102
+ this.verifiedRequestIdentifiers = this.collectVerifiedRequestIdentifiers(node.body);
103
+ this.sawApproval = false;
104
+ this.parameters.clear();
105
+ this.taintedLocals.clear();
106
+ this.localOrigins.clear();
107
+ this.selectorChecked.clear();
108
+ this.targetChecked.clear();
109
+ this.currentParameters = node.parameters || [];
110
+ const propagated = this.propagatedParamTaint.get(this.currentFunction) || new Set();
111
+ const origins = this.propagatedParamOrigins.get(this.currentFunction) || new Map();
112
+ for (const [index, parameter] of (node.parameters || []).entries()) {
113
+ if (parameter?.name && (this.isExternallyCallable(node) || propagated.has(index))) {
114
+ this.parameters.add(parameter.name);
115
+ const origin = origins.get(index);
116
+ if (origin)
117
+ this.localOrigins.set(parameter.name, origin);
118
+ }
119
+ }
120
+ }
121
+ FunctionDefinition_post(_node) {
122
+ this.currentFunction = '';
123
+ this.currentFunctionGuarded = false;
124
+ this.currentFunctionContextSuppressed = false;
125
+ this.verifiedRequestIdentifiers.clear();
126
+ this.sawApproval = false;
127
+ this.parameters.clear();
128
+ this.taintedLocals.clear();
129
+ this.selectorChecked.clear();
130
+ this.targetChecked.clear();
131
+ this.currentParameters = [];
132
+ }
133
+ VariableDeclarationStatement(node) {
134
+ if (!this.currentFunction)
135
+ return;
136
+ const initialValue = node.initialValue;
137
+ for (const variable of node.variables || []) {
138
+ if (!variable?.name)
139
+ continue;
140
+ if (this.isAbiDecodeOfTainted(initialValue) || this.containsTainted(initialValue)) {
141
+ this.taintedLocals.add(variable.name);
142
+ const origin = this.memberNameInChain(initialValue);
143
+ if (origin)
144
+ this.localOrigins.set(variable.name, origin);
145
+ }
146
+ }
147
+ this.inspectExpression(initialValue);
148
+ }
149
+ ExpressionStatement(node) {
150
+ if (!this.currentFunction || !node.expression)
151
+ return;
152
+ this.trackValidationGate(node.expression);
153
+ this.trackAssignment(node.expression);
154
+ this.inspectExpression(node.expression);
155
+ }
156
+ IfStatement(node) {
157
+ if (!this.currentFunction)
158
+ return;
159
+ this.trackValidationGate(node.condition);
160
+ }
161
+ FunctionCall(node) {
162
+ if (!this.currentFunction)
163
+ return;
164
+ this.inspectExpression(node);
165
+ }
166
+ inspectExpression(expr) {
167
+ if (!expr || typeof expr !== 'object')
168
+ return;
169
+ this.trackInternalCallTaint(expr);
170
+ this.trackApproval(expr);
171
+ const lowLevel = this.lowLevelCall(expr);
172
+ if (lowLevel) {
173
+ this.inspectLowLevelCall(expr, lowLevel.member, lowLevel.target, lowLevel.args, lowLevel.options);
174
+ return;
175
+ }
176
+ const addressWrapper = this.addressFunctionCallWrapper(expr);
177
+ if (addressWrapper) {
178
+ this.inspectAddressFunctionCallWrapper(expr, addressWrapper.member, addressWrapper.target, addressWrapper.args);
179
+ return;
180
+ }
181
+ const external = this.interfaceStyleCall(expr);
182
+ if (external && !this.currentFunctionGuarded && !this.currentFunctionContextSuppressed) {
183
+ if (this.isMinimalForwarderCall(external.target, this.args(expr), []))
184
+ return;
185
+ if (external.oracleSensitive && external.targetTainted && !external.targetChecked) {
186
+ this.addFinding(expr, 'user-controlled-arbitrary-call/oracle-user-controlled-target', {
187
+ callSite: this.expressionToString(expr),
188
+ inputPath: this.inputPathFor(external.target, 'target'),
189
+ });
190
+ }
191
+ else if (external.targetTainted && external.dataTainted) {
192
+ this.addFinding(expr, 'user-controlled-arbitrary-call/user-controlled-external-call');
193
+ }
194
+ }
195
+ }
196
+ inspectLowLevelCall(node, member, target, args, options) {
197
+ if (this.currentFunctionGuarded)
198
+ return;
199
+ if (this.currentFunctionContextSuppressed)
200
+ return;
201
+ if (member !== 'call' && member !== 'delegatecall' && member !== 'staticcall')
202
+ return;
203
+ if (this.isAddressThis(target))
204
+ return;
205
+ if (this.isMinimalForwarderCall(target, args, options))
206
+ return;
207
+ const targetTainted = this.containsTainted(target);
208
+ const dataArgs = args.filter(arg => !this.isEmptyCallData(arg));
209
+ const dataTainted = dataArgs.some(arg => this.containsTainted(arg));
210
+ const valueTainted = options.some(option => this.containsTainted(option) || this.isMsgValue(option));
211
+ const oracleSensitive = this.isOracleSensitiveCall(member, target, dataArgs);
212
+ const targetChecked = this.isTargetChecked(target);
213
+ const dataChecked = dataArgs.some(arg => this.isSelectorChecked(arg) || this.hasFixedSelectorCallData(arg));
214
+ if (oracleSensitive) {
215
+ const hasUncheckedTarget = targetTainted && !targetChecked;
216
+ const hasUncheckedData = dataTainted && !dataChecked;
217
+ const hasUncheckedValue = valueTainted;
218
+ if (!hasUncheckedTarget && !hasUncheckedData && !hasUncheckedValue)
219
+ return;
220
+ let pattern = 'user-controlled-arbitrary-call/oracle-user-controlled-calldata';
221
+ if (this.isKelpOracleRoute(target, dataArgs, options)) {
222
+ pattern = 'user-controlled-arbitrary-call/aave-kelp-oracle-route';
223
+ }
224
+ else if (hasUncheckedValue) {
225
+ pattern = 'user-controlled-arbitrary-call/oracle-user-controlled-value';
226
+ }
227
+ else if (hasUncheckedTarget) {
228
+ pattern = 'user-controlled-arbitrary-call/oracle-user-controlled-target';
229
+ }
230
+ this.addFinding(node, pattern, {
231
+ callSite: this.expressionToString(node),
232
+ inputPath: this.inputPathForOracle(target, dataArgs, options, pattern),
233
+ });
234
+ return;
235
+ }
236
+ if (!targetTainted || !dataTainted)
237
+ return;
238
+ if (dataChecked)
239
+ return;
240
+ let pattern = member === 'delegatecall'
241
+ ? 'user-controlled-arbitrary-call/user-controlled-delegatecall'
242
+ : 'user-controlled-arbitrary-call/user-controlled-call';
243
+ if (member === 'call') {
244
+ if (this.sawApproval) {
245
+ pattern = 'user-controlled-arbitrary-call/approval-before-user-call-data';
246
+ }
247
+ else if (this.isAaveRouteCall(target, dataArgs)) {
248
+ pattern = 'user-controlled-arbitrary-call/aave-paraswap-callees';
249
+ }
250
+ else if (this.containsTaintedIndexAccess(target) || dataArgs.some(arg => this.containsRangeAccess(arg))) {
251
+ pattern = 'user-controlled-arbitrary-call/user-controlled-call-array';
252
+ }
253
+ }
254
+ this.addFinding(node, pattern);
255
+ }
256
+ inspectAddressFunctionCallWrapper(node, member, target, args) {
257
+ if (this.currentFunctionGuarded)
258
+ return;
259
+ if (this.currentFunctionContextSuppressed)
260
+ return;
261
+ if (this.isAddressThis(target))
262
+ return;
263
+ const targetTainted = this.containsTainted(target);
264
+ const dataArgs = args.filter(arg => !this.isEmptyCallData(arg));
265
+ const dataTainted = dataArgs.some(arg => this.containsTainted(arg));
266
+ const dataChecked = dataArgs.some(arg => this.isSelectorChecked(arg) || this.hasFixedSelectorCallData(arg));
267
+ if (!targetTainted || !dataTainted || dataChecked)
268
+ return;
269
+ const pattern = member === 'functiondelegatecall'
270
+ ? 'user-controlled-arbitrary-call/user-controlled-delegatecall'
271
+ : 'user-controlled-arbitrary-call/user-controlled-call';
272
+ this.addFinding(node, pattern);
273
+ }
274
+ addFinding(node, pattern, details = {}) {
275
+ // tryLoc-with-floor: solc-walker may yield loc=0 on inner nodes;
276
+ // the line/column also feed the dedup `seen` key below, so a 0
277
+ // floor degrades dedup uniqueness but never crashes the scan.
278
+ const loc = (0, ast_1.tryLoc)(node) ?? { line: 0, endLine: 0, column: 0 };
279
+ const { line, column, endLine } = loc;
280
+ const key = `${this.currentFile}:${line}:${column}:${pattern}`;
281
+ if (this.seen.has(key))
282
+ return;
283
+ this.seen.add(key);
284
+ const functionName = this.currentFunction || '<unknown>';
285
+ const remediation = this.remediationFor(pattern);
286
+ const evidence = details.callSite
287
+ ? ` Call site: ${details.callSite}. Input path: ${details.inputPath || 'caller-controlled input reaches the call'}. Remediation: ${remediation}.`
288
+ : '';
289
+ this.findings.push({
290
+ file: this.currentFile,
291
+ contract: this.currentContract,
292
+ 'function': functionName,
293
+ line,
294
+ endLine,
295
+ column,
296
+ pattern,
297
+ confidence: 'medium',
298
+ ruleId: this.id,
299
+ severity: this.outputSeverity,
300
+ message: `User-controlled arbitrary call risk in function '${functionName}': caller-controlled target, calldata, or value reaches an external call without an access-control or selector allowlist boundary.${evidence}`,
301
+ contractName: this.currentContract,
302
+ functionName,
303
+ sourceLocation: { line, column },
304
+ findingId: '',
305
+ contractHash: '',
306
+ });
307
+ }
308
+ lowLevelCall(expr) {
309
+ if (this.kind(expr) !== 'FunctionCall')
310
+ return null;
311
+ const args = this.args(expr);
312
+ let callee = expr.expression;
313
+ let options = [];
314
+ if (this.kind(callee) === 'NameValueExpression' || this.kind(callee) === 'FunctionCallOptions') {
315
+ options = this.args(callee);
316
+ callee = callee.expression;
317
+ }
318
+ if (this.kind(callee) !== 'MemberAccess')
319
+ return null;
320
+ const member = String(callee.memberName || '').toLowerCase();
321
+ if (member !== 'call' && member !== 'delegatecall' && member !== 'staticcall')
322
+ return null;
323
+ return { member, target: callee.expression, args, options };
324
+ }
325
+ addressFunctionCallWrapper(expr) {
326
+ if (this.kind(expr) !== 'FunctionCall')
327
+ return null;
328
+ const args = this.args(expr);
329
+ const callee = expr.expression;
330
+ if (this.kind(callee) !== 'MemberAccess')
331
+ return null;
332
+ const member = String(callee.memberName || '').toLowerCase();
333
+ if (!['functioncall', 'functiondelegatecall', 'functionstaticcall'].includes(member))
334
+ return null;
335
+ const receiver = callee.expression;
336
+ if (this.kind(receiver) === 'Identifier' && /^address$/i.test(receiver.name || '')) {
337
+ const [target, ...rest] = args;
338
+ if (!target)
339
+ return null;
340
+ return { member, target, args: rest };
341
+ }
342
+ return { member, target: receiver, args };
343
+ }
344
+ interfaceStyleCall(expr) {
345
+ if (this.kind(expr) !== 'FunctionCall')
346
+ return null;
347
+ const callee = expr.expression;
348
+ if (this.kind(callee) !== 'MemberAccess')
349
+ return null;
350
+ const member = String(callee.memberName || '');
351
+ if (['call', 'delegatecall', 'staticcall', 'send', 'transfer', 'approve'].includes(member))
352
+ return null;
353
+ const receiver = callee.expression;
354
+ if (this.kind(receiver) !== 'FunctionCall')
355
+ return null;
356
+ const target = this.args(receiver)[0];
357
+ const oracleSensitive = this.isOracleName(`${this.getCalleeName(receiver)}.${member}`) || this.isOracleName(member);
358
+ if (oracleSensitive && this.isReadOnlyOracleAccessor(member) && !this.isDirectTaintedParameterTarget(target))
359
+ return null;
360
+ if (!oracleSensitive && !/(execute|call|route|swap|dispatch)/i.test(member))
361
+ return null;
362
+ const result = {
363
+ target,
364
+ targetTainted: this.containsTainted(target),
365
+ targetChecked: this.isTargetChecked(target),
366
+ dataTainted: this.args(expr).some(arg => this.containsTainted(arg)),
367
+ oracleSensitive,
368
+ };
369
+ if (!this.isDirectTaintedParameterTarget(target) && !result.oracleSensitive)
370
+ return null;
371
+ return result;
372
+ }
373
+ isDirectTaintedParameterTarget(expr) {
374
+ if (!expr || typeof expr !== 'object')
375
+ return false;
376
+ const root = this.rootIdentifier(expr);
377
+ if (!root || !this.parameters.has(root))
378
+ return false;
379
+ const kind = this.kind(expr);
380
+ return kind === 'Identifier' || kind === 'FunctionCall';
381
+ }
382
+ isReadOnlyOracleAccessor(member) {
383
+ return /^(latestRoundData|price|quoteCollateral|getPriceOracle|getPriceOracleSentinel)$/i.test(member);
384
+ }
385
+ trackApproval(expr) {
386
+ if (this.kind(expr) !== 'FunctionCall')
387
+ return;
388
+ const callee = expr.expression;
389
+ if (this.kind(callee) === 'MemberAccess' && String(callee.memberName || '').toLowerCase() === 'approve') {
390
+ this.sawApproval = true;
391
+ }
392
+ }
393
+ trackAssignment(expr) {
394
+ if (!expr || this.kind(expr) !== 'BinaryOperation')
395
+ return;
396
+ if (!String(expr.operator || '').includes('='))
397
+ return;
398
+ const name = this.identifierName(expr.left);
399
+ if (name && this.containsTainted(expr.right))
400
+ this.taintedLocals.add(name);
401
+ }
402
+ trackInternalCallTaint(expr) {
403
+ if (this.kind(expr) !== 'FunctionCall')
404
+ return;
405
+ if (this.currentFunctionGuarded)
406
+ return;
407
+ const callee = this.getCalleeName(expr);
408
+ if (!callee || callee.includes('.'))
409
+ return;
410
+ const tainted = this.propagatedParamTaint.get(callee) || new Set();
411
+ const origins = this.propagatedParamOrigins.get(callee) || new Map();
412
+ this.args(expr).forEach((arg, index) => {
413
+ if (this.containsTainted(arg)) {
414
+ tainted.add(index);
415
+ const origin = this.originForTaintedArgument(arg);
416
+ if (origin)
417
+ origins.set(index, origin);
418
+ }
419
+ });
420
+ if (tainted.size > 0)
421
+ this.propagatedParamTaint.set(callee, tainted);
422
+ if (origins.size > 0)
423
+ this.propagatedParamOrigins.set(callee, origins);
424
+ }
425
+ originForTaintedArgument(expr) {
426
+ if (this.isMsgValue(expr))
427
+ return 'msg.value';
428
+ const root = this.rootIdentifier(expr);
429
+ if (root && this.localOrigins.has(root))
430
+ return this.localOrigins.get(root);
431
+ if (root && this.parameters.has(root))
432
+ return `${root} <- ${this.currentFunction}(${this.parameterSignature()})`;
433
+ return root || this.memberNameInChain(expr);
434
+ }
435
+ collectPropagatedParamTaint(contractNode) {
436
+ const functions = (contractNode.children || contractNode.subNodes || contractNode.nodes || [])
437
+ .filter((child) => this.kind(child) === 'FunctionDefinition' && child.name);
438
+ const internalFunctionNames = new Set(functions
439
+ .filter((fn) => !this.isExternallyCallable(fn))
440
+ .map((fn) => fn.name));
441
+ const propagated = new Map();
442
+ const returnsTainted = new Set();
443
+ (0, dataflow_1.runFixedPoint)(() => {
444
+ let changed = false;
445
+ for (const fn of functions) {
446
+ const summary = this.summarizeFunctionTaint(fn, internalFunctionNames, propagated, returnsTainted);
447
+ for (const call of summary.internalCalls) {
448
+ const tainted = propagated.get(call.name) || new Set();
449
+ for (const index of call.taintedArgs) {
450
+ if (!tainted.has(index)) {
451
+ tainted.add(index);
452
+ changed = true;
453
+ }
454
+ }
455
+ if (tainted.size > 0)
456
+ propagated.set(call.name, tainted);
457
+ }
458
+ if (summary.returnsTainted && !returnsTainted.has(fn.name)) {
459
+ returnsTainted.add(fn.name);
460
+ changed = true;
461
+ }
462
+ }
463
+ return changed;
464
+ }, { maxPasses: 12, name: 'arbitrary-call-error/inter-procedural-taint' });
465
+ return propagated;
466
+ }
467
+ summarizeFunctionTaint(fn, internalFunctionNames, propagated, returnsTainted) {
468
+ const paramNames = (fn.parameters || []).map((param) => param?.name).filter(Boolean);
469
+ const seededParams = new Set();
470
+ if (this.isExternallyCallable(fn) && !this.hasAccessControl(fn)) {
471
+ for (const name of paramNames)
472
+ seededParams.add(name);
473
+ }
474
+ for (const index of propagated.get(fn.name) || []) {
475
+ const name = paramNames[index];
476
+ if (name)
477
+ seededParams.add(name);
478
+ }
479
+ const locals = new Set();
480
+ const internalCalls = [];
481
+ let returnsUserInput = false;
482
+ const expressionTainted = (expr) => this.containsSummaryTaint(expr, seededParams, locals, returnsTainted);
483
+ (0, dataflow_1.runFixedPoint)(() => {
484
+ let changed = false;
485
+ this.walkExpression(fn.body, node => {
486
+ const kind = this.kind(node);
487
+ if (kind === 'VariableDeclarationStatement') {
488
+ if (!expressionTainted(node.initialValue))
489
+ return;
490
+ for (const variable of node.variables || []) {
491
+ if (variable?.name && !locals.has(variable.name)) {
492
+ locals.add(variable.name);
493
+ changed = true;
494
+ }
495
+ }
496
+ }
497
+ else if (kind === 'BinaryOperation' && String(node.operator || '').includes('=')) {
498
+ const name = this.identifierName(node.left);
499
+ if (name && expressionTainted(node.right) && !locals.has(name)) {
500
+ locals.add(name);
501
+ changed = true;
502
+ }
503
+ }
504
+ });
505
+ return changed;
506
+ }, { maxPasses: 8, name: 'arbitrary-call-error/intra-function-taint' });
507
+ this.walkExpression(fn.body, node => {
508
+ const kind = this.kind(node);
509
+ if (kind === 'FunctionCall') {
510
+ const callee = this.getCalleeName(node);
511
+ if (callee && internalFunctionNames.has(callee)) {
512
+ const taintedArgs = new Set();
513
+ this.args(node).forEach((arg, index) => {
514
+ if (expressionTainted(arg))
515
+ taintedArgs.add(index);
516
+ });
517
+ if (taintedArgs.size > 0)
518
+ internalCalls.push({ name: callee, taintedArgs });
519
+ }
520
+ }
521
+ else if ((kind === 'ReturnStatement' || kind === 'Return') && expressionTainted(node.expression || node.returnExpression)) {
522
+ returnsUserInput = true;
523
+ }
524
+ });
525
+ return { internalCalls, returnsTainted: returnsUserInput };
526
+ }
527
+ containsSummaryTaint(expr, parameters, locals, returnsTainted) {
528
+ if (!expr || typeof expr !== 'object')
529
+ return false;
530
+ const name = this.identifierName(expr);
531
+ if (name)
532
+ return parameters.has(name) || locals.has(name);
533
+ if (this.kind(expr) === 'FunctionCall') {
534
+ const callee = this.getCalleeName(expr);
535
+ if (callee && returnsTainted.has(callee))
536
+ return true;
537
+ }
538
+ if (this.isMsgValue(expr))
539
+ return true;
540
+ return this.forEachChild(expr, child => this.containsSummaryTaint(child, parameters, locals, returnsTainted));
541
+ }
542
+ walkExpression(node, visit) {
543
+ if (!node || typeof node !== 'object')
544
+ return;
545
+ visit(node);
546
+ this.forEachChild(node, child => {
547
+ this.walkExpression(child, visit);
548
+ return false;
549
+ });
550
+ }
551
+ trackValidationGate(expr) {
552
+ if (!expr || typeof expr !== 'object')
553
+ return;
554
+ if (this.kind(expr) === 'FunctionCall' && this.getCalleeName(expr) === 'require') {
555
+ this.markSelectorCompared(this.args(expr)[0]);
556
+ this.markTargetValidated(this.args(expr)[0]);
557
+ }
558
+ this.forEachChild(expr, child => {
559
+ this.trackValidationGate(child);
560
+ return false;
561
+ });
562
+ }
563
+ markSelectorCompared(expr) {
564
+ if (!expr || typeof expr !== 'object')
565
+ return;
566
+ if (this.kind(expr) === 'BinaryOperation' && (expr.operator === '==' || expr.operator === '!=')) {
567
+ for (const side of [expr.left, expr.right]) {
568
+ const name = this.selectorDataName(side);
569
+ if (name)
570
+ this.selectorChecked.add(name);
571
+ }
572
+ }
573
+ this.forEachChild(expr, child => {
574
+ this.markSelectorCompared(child);
575
+ return false;
576
+ });
577
+ }
578
+ selectorDataName(expr) {
579
+ if (!expr || typeof expr !== 'object')
580
+ return null;
581
+ if (this.kind(expr) === 'FunctionCall' && this.getCalleeName(expr) === 'bytes4') {
582
+ return this.rootIdentifier(this.args(expr)[0]);
583
+ }
584
+ return null;
585
+ }
586
+ isSelectorChecked(expr) {
587
+ const root = this.rootIdentifier(expr);
588
+ return !!root && this.selectorChecked.has(root);
589
+ }
590
+ hasFixedSelectorCallData(expr) {
591
+ if (!expr || typeof expr !== 'object')
592
+ return false;
593
+ if (this.kind(expr) !== 'FunctionCall')
594
+ return false;
595
+ const callee = this.getCalleeName(expr).toLowerCase();
596
+ if (callee !== 'abi.encodewithselector' && callee !== 'abi.encodecall')
597
+ return false;
598
+ const [selector] = this.args(expr);
599
+ return !!selector && !this.containsTainted(selector);
600
+ }
601
+ markTargetValidated(expr) {
602
+ if (!expr || typeof expr !== 'object')
603
+ return;
604
+ const kind = this.kind(expr);
605
+ if (kind === 'IndexAccess') {
606
+ const base = this.flattenNames(expr.base || expr.baseExpression).toLowerCase();
607
+ const index = this.rootIdentifier(expr.index || expr.indexExpression);
608
+ if (index && /(allow|allowed|allowlist|trusted|approved|oracle)/.test(base)) {
609
+ this.targetChecked.add(index);
610
+ }
611
+ }
612
+ if (kind === 'FunctionCall') {
613
+ const callee = this.getCalleeName(expr).toLowerCase();
614
+ for (const arg of this.args(expr)) {
615
+ const root = this.rootIdentifier(arg);
616
+ if (root && /(allow|allowed|allowlist|trusted|approved|oracle)/.test(callee)) {
617
+ this.targetChecked.add(root);
618
+ }
619
+ }
620
+ }
621
+ this.forEachChild(expr, child => {
622
+ this.markTargetValidated(child);
623
+ return false;
624
+ });
625
+ }
626
+ isTargetChecked(expr) {
627
+ const root = this.rootIdentifier(expr);
628
+ return !!root && this.targetChecked.has(root);
629
+ }
630
+ isAbiDecodeOfTainted(expr) {
631
+ return this.kind(expr) === 'FunctionCall' &&
632
+ this.getCalleeName(expr).toLowerCase() === 'abi.decode' &&
633
+ this.args(expr).some(arg => this.containsTainted(arg));
634
+ }
635
+ containsTainted(expr) {
636
+ if (!expr || typeof expr !== 'object')
637
+ return false;
638
+ const name = this.identifierName(expr);
639
+ if (name) {
640
+ if (this.parameters.has(name) || this.taintedLocals.has(name))
641
+ return true;
642
+ if (this.stateVariables.has(name))
643
+ return false;
644
+ }
645
+ if (this.isMsgValue(expr))
646
+ return true;
647
+ return this.forEachChild(expr, child => this.containsTainted(child));
648
+ }
649
+ containsTaintedIndexAccess(expr) {
650
+ if (!expr || typeof expr !== 'object')
651
+ return false;
652
+ const kind = this.kind(expr);
653
+ if ((kind === 'IndexAccess' || kind === 'IndexRangeAccess') && this.containsTainted(expr.base || expr.baseExpression)) {
654
+ return true;
655
+ }
656
+ return this.forEachChild(expr, child => this.containsTaintedIndexAccess(child));
657
+ }
658
+ containsRangeAccess(expr) {
659
+ if (!expr || typeof expr !== 'object')
660
+ return false;
661
+ if (this.kind(expr) === 'IndexRangeAccess')
662
+ return true;
663
+ return this.forEachChild(expr, child => this.containsRangeAccess(child));
664
+ }
665
+ isAaveRouteCall(target, args) {
666
+ const names = [
667
+ this.memberNameInChain(target),
668
+ ...args.map(arg => this.memberNameInChain(arg)),
669
+ ].filter(Boolean).map(name => String(name).toLowerCase());
670
+ return names.some(name => name.includes('callees')) &&
671
+ names.some(name => name.includes('exchangedata')) &&
672
+ names.some(name => name.includes('startindexes'));
673
+ }
674
+ isKelpOracleRoute(target, args, options) {
675
+ const names = [
676
+ this.memberNameInChain(target),
677
+ ...args.map(arg => this.memberNameInChain(arg)),
678
+ ...options.map(arg => this.memberNameInChain(arg)),
679
+ ].filter(Boolean).map(name => String(name).toLowerCase());
680
+ return names.some(name => name.includes('priceoracles') || name.includes('oracles')) &&
681
+ names.some(name => name.includes('oraclecalldata') || name.includes('calldata')) &&
682
+ (names.some(name => name.includes('values')) || options.some(option => this.containsTainted(option)));
683
+ }
684
+ isOracleSensitiveCall(member, target, args) {
685
+ const haystack = [
686
+ this.currentContract,
687
+ member,
688
+ this.memberNameInChain(target),
689
+ ...args.map(arg => this.memberNameInChain(arg)),
690
+ ].join(' ').toLowerCase();
691
+ return this.isOracleName(haystack);
692
+ }
693
+ isOracleName(value) {
694
+ const normalized = value.replace(/non[-_ ]?oracle/ig, '');
695
+ return /(oracle|price|feed|quote|latestanswer|latestrounddata|getassetprice|getprice)/i.test(normalized);
696
+ }
697
+ remediationFor(pattern) {
698
+ if (pattern === 'user-controlled-arbitrary-call/oracle-user-controlled-calldata') {
699
+ return 'use a selector allowlist or explicit invariant checks before calling the oracle';
700
+ }
701
+ if (pattern === 'user-controlled-arbitrary-call/aave-kelp-oracle-route') {
702
+ return 'constrain decoded oracle routes with allowlists, role gates, and explicit invariant checks';
703
+ }
704
+ return 'add an oracle allowlist, role gate, or explicit invariant checks before the call';
705
+ }
706
+ inputPathForOracle(target, args, options, pattern) {
707
+ if (pattern === 'user-controlled-arbitrary-call/aave-kelp-oracle-route') {
708
+ const origin = [target, ...args, ...options]
709
+ .map(expr => this.rootIdentifier(expr))
710
+ .find(name => !!name && this.localOrigins.has(name || ''));
711
+ const source = origin ? this.localOrigins.get(origin) : 'payload';
712
+ return `${source} -> abi.decode -> r.priceOracles/r.oracleCallData/r.values`;
713
+ }
714
+ const parts = [];
715
+ if (this.containsTainted(target) && !this.isTargetChecked(target)) {
716
+ parts.push(this.inputPathFor(target, 'target'));
717
+ }
718
+ for (const arg of args) {
719
+ if (this.containsTainted(arg) && !this.isSelectorChecked(arg)) {
720
+ parts.push(this.inputPathFor(arg, 'calldata'));
721
+ }
722
+ }
723
+ for (const option of options) {
724
+ if (this.containsTainted(option) || this.isMsgValue(option)) {
725
+ parts.push(this.inputPathFor(option, 'value'));
726
+ }
727
+ }
728
+ return parts.join('; ');
729
+ }
730
+ inputPathFor(expr, label) {
731
+ if (this.isMsgValue(expr))
732
+ return 'value <- msg.value';
733
+ const root = this.rootIdentifier(expr);
734
+ if (root && this.localOrigins.has(root)) {
735
+ const origin = this.localOrigins.get(root);
736
+ if (origin === 'raw')
737
+ return 'raw -> _build(raw) -> data -> _read(data)';
738
+ if (origin.includes('<-'))
739
+ return origin;
740
+ return `${origin} -> abi.decode -> ${this.memberNameInChain(expr) || root}`;
741
+ }
742
+ const name = root || this.memberNameInChain(expr) || label;
743
+ return `${name} <- ${this.currentFunction}(${this.parameterSignature()})`;
744
+ }
745
+ parameterSignature() {
746
+ return this.currentParameters
747
+ .map(param => `${this.typeNameToString(param.typeName)} ${param.name || ''}`.trim())
748
+ .filter(Boolean)
749
+ .join(', ');
750
+ }
751
+ typeNameToString(typeName) {
752
+ if (!typeName)
753
+ return '';
754
+ if (typeof typeName === 'string')
755
+ return typeName;
756
+ if (typeName.name)
757
+ return typeName.name;
758
+ if (typeName.namePath)
759
+ return typeName.namePath;
760
+ if (typeName.type === 'ArrayTypeName' || typeName.nodeType === 'ArrayTypeName') {
761
+ return `${this.typeNameToString(typeName.baseTypeName || typeName.baseType)}[]`;
762
+ }
763
+ if (typeName.type === 'ElementaryTypeName' || typeName.nodeType === 'ElementaryTypeName') {
764
+ return typeName.name || '';
765
+ }
766
+ return '';
767
+ }
768
+ isMsgValue(expr) {
769
+ return this.kind(expr) === 'MemberAccess' &&
770
+ String(expr.memberName || '') === 'value' &&
771
+ this.getExpressionName(expr.expression) === 'msg';
772
+ }
773
+ isAddressThis(expr) {
774
+ if (!expr || typeof expr !== 'object')
775
+ return false;
776
+ const kind = this.kind(expr);
777
+ if (kind === 'Identifier')
778
+ return expr.name === 'this';
779
+ if (kind === 'ThisExpression')
780
+ return true;
781
+ if (kind !== 'FunctionCall')
782
+ return false;
783
+ const callee = expr.expression;
784
+ const calleeName = this.kind(callee) === 'ElementaryTypeName'
785
+ ? String(callee.name || '').toLowerCase()
786
+ : this.getCalleeName(expr).toLowerCase();
787
+ if (calleeName !== 'address' && calleeName !== 'payable')
788
+ return false;
789
+ const [arg] = this.args(expr);
790
+ return this.isAddressThis(arg);
791
+ }
792
+ expressionToString(expr) {
793
+ if (!expr || typeof expr !== 'object')
794
+ return '';
795
+ const kind = this.kind(expr);
796
+ if (kind === 'Identifier')
797
+ return expr.name || '';
798
+ if (kind === 'MemberAccess') {
799
+ const base = this.expressionToString(expr.expression);
800
+ return base ? `${base}.${expr.memberName || ''}` : expr.memberName || '';
801
+ }
802
+ if (kind === 'IndexAccess') {
803
+ return `${this.expressionToString(expr.base || expr.baseExpression)}[${this.expressionToString(expr.index || expr.indexExpression)}]`;
804
+ }
805
+ if (kind === 'IndexRangeAccess') {
806
+ return `${this.expressionToString(expr.base || expr.baseExpression)}[${this.expressionToString(expr.indexStart || expr.startExpression)}:${this.expressionToString(expr.indexEnd || expr.endExpression)}]`;
807
+ }
808
+ if (kind === 'NameValueExpression' || kind === 'FunctionCallOptions') {
809
+ const names = expr.names || expr.arguments?.names || expr.nameValueList?.map((item) => item?.name) || ['value'];
810
+ const options = this.args(expr).map((arg, index) => `${names[index] || 'value'}: ${this.expressionToString(arg)}`).join(', ');
811
+ return `${this.expressionToString(expr.expression)}{${options}}`;
812
+ }
813
+ if (kind === 'FunctionCall') {
814
+ return `${this.expressionToString(expr.expression)}(${this.args(expr).map(arg => this.expressionToString(arg)).join(', ')})`;
815
+ }
816
+ if (kind === 'StringLiteral')
817
+ return `"${expr.value || ''}"`;
818
+ if (kind === 'NumberLiteral')
819
+ return String(expr.number || expr.value || '');
820
+ return this.memberNameInChain(expr);
821
+ }
822
+ memberNameInChain(expr) {
823
+ if (!expr || typeof expr !== 'object')
824
+ return '';
825
+ if (this.kind(expr) === 'MemberAccess') {
826
+ return `${this.memberNameInChain(expr.expression)}.${expr.memberName || ''}`;
827
+ }
828
+ if (this.kind(expr) === 'IndexAccess' || this.kind(expr) === 'IndexRangeAccess') {
829
+ return this.memberNameInChain(expr.base || expr.baseExpression);
830
+ }
831
+ if (this.kind(expr) === 'FunctionCall') {
832
+ for (const arg of this.args(expr)) {
833
+ const name = this.memberNameInChain(arg);
834
+ if (name)
835
+ return name;
836
+ }
837
+ }
838
+ const identifier = this.identifierName(expr);
839
+ if (identifier && this.localOrigins.has(identifier))
840
+ return this.localOrigins.get(identifier);
841
+ if (identifier)
842
+ return identifier;
843
+ let found = '';
844
+ this.forEachChild(expr, child => {
845
+ found = this.memberNameInChain(child);
846
+ return !!found;
847
+ });
848
+ return found;
849
+ }
850
+ isEmptyCallData(expr) {
851
+ return !expr ||
852
+ this.kind(expr) === 'StringLiteral' && String(expr.value || '') === '' ||
853
+ this.kind(expr) === 'HexLiteral' && String(expr.value || '') === '';
854
+ }
855
+ hasAccessControl(node) {
856
+ for (const modifier of node.modifiers || []) {
857
+ const name = this.nodeName(modifier);
858
+ if (ACCESS_CONTROL_MODIFIER.test(name) || REENTRANCY_GUARD_MODIFIER.test(name) || this.looksLikeAccessControlName(name)) {
859
+ return true;
860
+ }
861
+ }
862
+ return this.containsAccessRequire(node.body);
863
+ }
864
+ looksLikeAccessControlName(name) {
865
+ return /(owner|admin|role|auth|govern|guardian|manager|operator|timelock)/i.test(name);
866
+ }
867
+ hasSuppressedCallerContext(node) {
868
+ if (MULTICALL_OR_FORWARDER_FUNCTIONS.has(node.name || ''))
869
+ return true;
870
+ if (!this.hasInternalOrPrivateVisibility(node))
871
+ return false;
872
+ return !this.hasExternallyTaintedReachability(node);
873
+ }
874
+ hasInternalOrPrivateVisibility(node) {
875
+ const visibility = String(node.visibility || '').toLowerCase();
876
+ return visibility === 'internal' || visibility === 'private';
877
+ }
878
+ hasExternallyTaintedReachability(node) {
879
+ const name = node.name || '';
880
+ if (!name)
881
+ return false;
882
+ return (this.propagatedParamTaint.get(name)?.size || 0) > 0;
883
+ }
884
+ isExternallyCallable(node) {
885
+ const kind = String(node.kind || node.functionKind || '').toLowerCase();
886
+ if (kind === 'constructor')
887
+ return false;
888
+ const visibility = String(node.visibility || '').toLowerCase();
889
+ return visibility === 'public' || visibility === 'external' || kind === 'fallback' || kind === 'receive';
890
+ }
891
+ containsAccessRequire(expr) {
892
+ if (!expr || typeof expr !== 'object')
893
+ return false;
894
+ if (this.kind(expr) === 'FunctionCall' && this.getCalleeName(expr) === 'require') {
895
+ const arg = this.args(expr)[0];
896
+ if (this.requireArgIsAccessControl(arg))
897
+ return true;
898
+ }
899
+ return this.forEachChild(expr, child => this.containsAccessRequire(child));
900
+ }
901
+ /**
902
+ * Structural predicate — does the require argument express an access
903
+ * control check rather than a generic invariant? Recognized shapes:
904
+ *
905
+ * require(msg.sender == owner) BinaryOperation('==') with
906
+ * require(admin == msg.sender) msg.sender on one side and a
907
+ * privilege-named storage ref on
908
+ * the other.
909
+ * require(_authorized[msg.sender]) IndexAccess base named for a
910
+ * privilege concept, indexed by
911
+ * msg.sender.
912
+ * require(hasRole(role, msg.sender)) FunctionCall whose callee
913
+ * require(_checkRole(role, ...)) tail name matches one of the
914
+ * known role-check helpers.
915
+ *
916
+ * Recurses through &&/||/!/parentheses so multi-clause requires are
917
+ * recognized. The flattened-text fallback below is preserved for
918
+ * shapes the structural predicate doesn't yet recognize, which keeps
919
+ * recall stable while improving precision on the common cases —
920
+ * notably, `require(amount > 0 && callOwnerOf(msg.sender))` no longer
921
+ * matches just because both substrings appear somewhere.
922
+ */
923
+ requireArgIsAccessControl(expr) {
924
+ // Structural shape — `msg.sender == privileged`, `_admins[msg.sender]`,
925
+ // `hasRole(...)`, etc. — handled by the shared module so the recursion
926
+ // (&&, ||, !, tuples) stays consistent across detectors.
927
+ if ((0, access_control_1.requireExpressesAccessControl)(expr, isArbitraryCallPrivilegedName, e => this.getCalleeName(e))) {
928
+ return true;
929
+ }
930
+ if (!expr || typeof expr !== 'object')
931
+ return false;
932
+ // Fallback: flattened-name match for wrapper shapes the structural
933
+ // predicate doesn't enumerate (e.g. `require(_isAuthorized(msg.sender))`).
934
+ // Operating on identifier names rather than raw source text means
935
+ // string literals and comments still cannot drive a match.
936
+ const text = this.flattenNames(expr).toLowerCase();
937
+ if (text.includes('msg.sender') && /(owner|admin|role|auth)/.test(text))
938
+ return true;
939
+ if (text.includes('hasrole') || text.includes('checkrole'))
940
+ return true;
941
+ return false;
942
+ }
943
+ // Thin instance-method wrappers preserved so existing call sites
944
+ // inside this detector (`this.isMsgSenderExpr(...)`,
945
+ // `this.isPrivilegedReference(...)`) continue to work without a
946
+ // wider edit. Each delegates straight to the shared structural
947
+ // helper; the per-detector privilege-name policy lives at the top
948
+ // of the file.
949
+ isMsgSenderExpr(expr) {
950
+ return (0, access_control_1.isMsgSenderExpr)(expr);
951
+ }
952
+ isPrivilegedReference(expr) {
953
+ return (0, access_control_1.isPrivilegedReference)(expr, isArbitraryCallPrivilegedName);
954
+ }
955
+ collectVerifiedRequestIdentifiers(body) {
956
+ const verified = new Set();
957
+ if (!body)
958
+ return verified;
959
+ this.walkExpression(body, node => {
960
+ if (this.kind(node) !== 'FunctionCall')
961
+ return;
962
+ if (this.getCalleeName(node) !== 'require')
963
+ return;
964
+ const arg = this.args(node)[0];
965
+ this.collectVerifyCallTargets(arg, verified);
966
+ });
967
+ return verified;
968
+ }
969
+ collectVerifyCallTargets(expr, into) {
970
+ if (!expr || typeof expr !== 'object')
971
+ return;
972
+ if (this.kind(expr) === 'FunctionCall') {
973
+ const callee = this.getCalleeName(expr).toLowerCase();
974
+ const calleeBase = callee.includes('.') ? callee.split('.').pop() : callee;
975
+ if (/^_?verify(_?signature|_?eip712|_?typeddata)?$/.test(calleeBase)) {
976
+ const args = this.args(expr);
977
+ if (args.length >= 1) {
978
+ const reqRoot = this.rootIdentifier(args[0]);
979
+ if (reqRoot)
980
+ into.add(reqRoot);
981
+ }
982
+ }
983
+ }
984
+ this.forEachChild(expr, child => {
985
+ this.collectVerifyCallTargets(child, into);
986
+ return false;
987
+ });
988
+ }
989
+ isMinimalForwarderCall(target, args, options) {
990
+ if (this.verifiedRequestIdentifiers.size === 0)
991
+ return false;
992
+ if (this.kind(target) !== 'MemberAccess')
993
+ return false;
994
+ const targetRoot = this.rootIdentifier(target);
995
+ if (!targetRoot || !this.verifiedRequestIdentifiers.has(targetRoot))
996
+ return false;
997
+ for (const opt of options) {
998
+ if (!this.allTaintedRootsBoundTo(opt, targetRoot))
999
+ return false;
1000
+ }
1001
+ for (const arg of args) {
1002
+ if (this.isEmptyCallData(arg))
1003
+ continue;
1004
+ if (!this.allTaintedRootsBoundTo(arg, targetRoot))
1005
+ return false;
1006
+ }
1007
+ return true;
1008
+ }
1009
+ allTaintedRootsBoundTo(expr, reqId) {
1010
+ if (!expr || typeof expr !== 'object')
1011
+ return true;
1012
+ if (this.isMsgValue(expr))
1013
+ return false;
1014
+ const name = this.identifierName(expr);
1015
+ if (name) {
1016
+ if (this.parameters.has(name) || this.taintedLocals.has(name))
1017
+ return name === reqId;
1018
+ return true;
1019
+ }
1020
+ if (this.kind(expr) === 'MemberAccess') {
1021
+ const root = this.rootIdentifier(expr);
1022
+ if (root && (this.parameters.has(root) || this.taintedLocals.has(root)))
1023
+ return root === reqId;
1024
+ return true;
1025
+ }
1026
+ let ok = true;
1027
+ this.forEachChild(expr, child => {
1028
+ if (!this.allTaintedRootsBoundTo(child, reqId)) {
1029
+ ok = false;
1030
+ return true;
1031
+ }
1032
+ return false;
1033
+ });
1034
+ return ok;
1035
+ }
1036
+ flattenNames(expr) {
1037
+ if (!expr || typeof expr !== 'object')
1038
+ return '';
1039
+ const name = this.identifierName(expr);
1040
+ const member = this.kind(expr) === 'MemberAccess'
1041
+ ? `${this.flattenNames(expr.expression)}.${expr.memberName || ''}`
1042
+ : '';
1043
+ const children = [];
1044
+ this.forEachChild(expr, child => {
1045
+ const value = this.flattenNames(child);
1046
+ if (value)
1047
+ children.push(value);
1048
+ return false;
1049
+ });
1050
+ return [name, member, ...children].filter(Boolean).join(' ');
1051
+ }
1052
+ getCalleeName(call) {
1053
+ const expr = call?.expression;
1054
+ if (!expr)
1055
+ return '';
1056
+ if (this.kind(expr) === 'Identifier')
1057
+ return expr.name || '';
1058
+ if (this.kind(expr) === 'MemberAccess') {
1059
+ const prefix = this.getExpressionName(expr.expression);
1060
+ return prefix ? `${prefix}.${expr.memberName || ''}` : expr.memberName || '';
1061
+ }
1062
+ if (this.kind(expr) === 'ElementaryTypeName')
1063
+ return expr.name || '';
1064
+ return '';
1065
+ }
1066
+ getExpressionName(expr) {
1067
+ if (!expr || typeof expr !== 'object')
1068
+ return '';
1069
+ if (this.kind(expr) === 'Identifier')
1070
+ return expr.name || '';
1071
+ if (this.kind(expr) === 'MemberAccess') {
1072
+ const prefix = this.getExpressionName(expr.expression);
1073
+ return prefix ? `${prefix}.${expr.memberName || ''}` : expr.memberName || '';
1074
+ }
1075
+ return '';
1076
+ }
1077
+ rootIdentifier(expr) {
1078
+ if (!expr || typeof expr !== 'object')
1079
+ return null;
1080
+ if (this.kind(expr) === 'Identifier')
1081
+ return expr.name || null;
1082
+ if (this.kind(expr) === 'MemberAccess')
1083
+ return this.rootIdentifier(expr.expression);
1084
+ if (this.kind(expr) === 'IndexAccess' || this.kind(expr) === 'IndexRangeAccess') {
1085
+ return this.rootIdentifier(expr.base || expr.baseExpression);
1086
+ }
1087
+ if (this.kind(expr) === 'FunctionCall')
1088
+ return this.rootIdentifier(this.args(expr)[0]);
1089
+ return null;
1090
+ }
1091
+ identifierName(expr) {
1092
+ return this.kind(expr) === 'Identifier' ? expr.name || null : null;
1093
+ }
1094
+ nodeName(node) {
1095
+ if (!node)
1096
+ return '';
1097
+ if (typeof node === 'string')
1098
+ return node;
1099
+ if (node.name)
1100
+ return this.nodeName(node.name);
1101
+ if (this.kind(node) === 'Identifier')
1102
+ return node.name || '';
1103
+ if (this.kind(node) === 'ModifierInvocation')
1104
+ return this.nodeName(node.name);
1105
+ if (this.kind(node) === 'MemberAccess')
1106
+ return node.memberName || '';
1107
+ return '';
1108
+ }
1109
+ args(node) {
1110
+ if (Array.isArray(node?.arguments))
1111
+ return node.arguments;
1112
+ if (Array.isArray(node?.arguments?.arguments))
1113
+ return node.arguments.arguments;
1114
+ if (Array.isArray(node?.components))
1115
+ return node.components;
1116
+ return [];
1117
+ }
1118
+ kind(node) {
1119
+ return node?.type || node?.nodeType || '';
1120
+ }
1121
+ forEachChild(node, predicate) {
1122
+ if (!node || typeof node !== 'object')
1123
+ return false;
1124
+ for (const key of [
1125
+ 'expression',
1126
+ 'left',
1127
+ 'right',
1128
+ 'subExpression',
1129
+ 'base',
1130
+ 'index',
1131
+ 'baseExpression',
1132
+ 'indexExpression',
1133
+ 'startExpression',
1134
+ 'endExpression',
1135
+ 'indexStart',
1136
+ 'indexEnd',
1137
+ 'initialValue',
1138
+ 'value',
1139
+ 'returnExpression',
1140
+ 'condition',
1141
+ 'trueBody',
1142
+ 'falseBody',
1143
+ 'body',
1144
+ 'arguments',
1145
+ 'components',
1146
+ 'statements',
1147
+ ]) {
1148
+ const value = node[key];
1149
+ if (Array.isArray(value)) {
1150
+ for (const item of value) {
1151
+ if (item && typeof item === 'object' && predicate(item))
1152
+ return true;
1153
+ }
1154
+ }
1155
+ else if (value && typeof value === 'object' && predicate(value)) {
1156
+ return true;
1157
+ }
1158
+ }
1159
+ return false;
1160
+ }
1161
+ }
1162
+ exports.ArbitraryCallErrorDetector = ArbitraryCallErrorDetector;
1163
+ //# sourceMappingURL=arbitrary-call-error.js.map