@snovon/solast 0.2.0

package/dist/detectors/transfer-double-debit-pool-recipient.js

@@ -0,0 +1,542 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransferDoubleDebitPoolRecipientDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const RULE_ID = 'transfer-double-debit-pool-recipient';
+const PATTERN = 'transfer-double-debit-pool-recipient/uwerx-extra-pool-sender-debit';
+const PROVENANCE = 'x-20230802-uwerx-fault-logic';
+const RESERVED_KEYS = new Set([
+    'loc', 'src', 'range', 'typeDescriptions', 'id', 'scope',
+    'memberLocation', 'nameLocation',
+    'argumentTypes', 'commonType', 'isConstant', 'isLValue', 'isPure', 'lValueRequested',
+    'overloadedDeclarations', 'referencedDeclaration',
+]);
+// Detector-local keyword set (post roadmap 1.2.2 migration). The
+// list matches the pre-extraction inline regex exactly;
+// behaviour is preserved.
+const ACCESS_CONTROL_KEYWORDS = ['owner', 'admin', 'role', 'auth', 'govern', 'guardian', 'operator'];
+class TransferDoubleDebitPoolRecipientDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const seen = new Set();
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const functions = getContractFunctions(contract).filter(fn => getFunctionBody(fn));
+            const byName = new Map();
+            for (const fn of functions) {
+                const name = getName(fn);
+                if (name)
+                    byName.set(name, fn);
+            }
+            const helperSummaries = buildHelperSummaries(functions);
+            for (const fn of functions) {
+                const fnName = getName(fn);
+                if (fnName !== 'transfer')
+                    continue;
+                if (!isExternallyCallable(fn) || hasAccessControl(fn))
+                    continue;
+                const reachable = collectReachableFunctions(fn, byName);
+                const unsafe = reachable.find(candidate => isUnsafeTransferAccounting(candidate, byName, helperSummaries));
+                if (!unsafe)
+                    continue;
+                const loc = getLoc(fn, lineOffsets) || getLoc(unsafe, lineOffsets) || { line: 0, column: 0 };
+                const key = `${file}:${contractName}:${fnName}:${loc.line}:${loc.column}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Faulty token accounting in '${contractName}.${fnName}': transfer applies an additional sender debit when the recipient is a pool or sink address.`,
+                    rationale: 'Mirrors the 2023-08-02 uwerx exploit shape: a normal token transfer debits the sender and credits the recipient, then a recipient-to-pool branch charges a second burn/penalty from the sender instead of taking it from the credited transfer amount.',
+                    suggestedFix: 'Deduct pool-triggered burn or fee amounts from the credited transfer amount, or restrict any administrative balance adjustment to an access-controlled maintenance function outside the public transfer path.',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    trace: 'transfer-extra-sender-debit-on-pool-recipient',
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.TransferDoubleDebitPoolRecipientDetector = TransferDoubleDebitPoolRecipientDetector;
+function collectReachableFunctions(entry, byName) {
+    const out = [];
+    const seen = new Set();
+    function visit(fn) {
+        if (!fn || seen.has(fn))
+            return;
+        seen.add(fn);
+        out.push(fn);
+        walk(getFunctionBody(fn), node => {
+            if (!isNode(node, 'FunctionCall'))
+                return;
+            const callee = getCallExpression(node);
+            if (!isNode(callee, 'Identifier'))
+                return;
+            const target = byName.get(getName(callee));
+            if (target)
+                visit(target);
+        });
+    }
+    visit(entry);
+    return out;
+}
+function isUnsafeTransferAccounting(fn, byName, helperSummaries) {
+    const body = getFunctionBody(fn);
+    if (!body)
+        return false;
+    const params = getFunctionParameters(fn).map(param => getName(param)).filter(Boolean);
+    if (params.length < 2)
+        return false;
+    const paramNames = new Set(params);
+    const locals = collectLocalAssignments(body);
+    const summary = summarizeAccounting(body, paramNames, locals, byName, helperSummaries);
+    if (!summary.unsafeNode)
+        return false;
+    return summary.debits.some(debit => summary.credits.some(credit => sameAccount(debit.target, summary.unsafeNode?.target) &&
+        !sameAccount(debit.target, credit.target) &&
+        amountReferencesAny(debit.amount, paramNames, locals) &&
+        amountReferencesAny(credit.amount, paramNames, locals)));
+}
+function summarizeAccounting(body, paramNames, locals, byName, helperSummaries) {
+    const summary = { debits: [], credits: [], unsafeNode: null };
+    walk(body, node => {
+        if (!isAssignment(node))
+            return;
+        const left = getAssignmentLeft(node);
+        if (!isBalanceAccess(left))
+            return;
+        const target = getBalanceIndex(left);
+        const right = getAssignmentRight(node);
+        const delta = extractDelta(node, left, right);
+        if (!delta)
+            return;
+        if (delta.kind === 'debit')
+            summary.debits.push({ target, amount: delta.amount, node });
+        if (delta.kind === 'credit')
+            summary.credits.push({ target, amount: delta.amount });
+    });
+    walk(body, node => {
+        if (summary.unsafeNode || !isNode(node, 'IfStatement'))
+            return;
+        if (!hasRecipientSinkCondition(node.condition, paramNames))
+            return;
+        walk(node.trueBody, child => {
+            if (summary.unsafeNode)
+                return;
+            if (isAssignment(child)) {
+                const left = getAssignmentLeft(child);
+                if (!isBalanceAccess(left))
+                    return;
+                const target = getBalanceIndex(left);
+                const delta = extractDelta(child, left, getAssignmentRight(child));
+                if (delta?.kind !== 'debit')
+                    return;
+                if (!amountReferencesAny(delta.amount, paramNames, locals))
+                    return;
+                if (!summary.debits.some(debit => sameAccount(debit.target, target)))
+                    return;
+                summary.unsafeNode = { ...child, target };
+                return;
+            }
+            if (isNode(child, 'FunctionCall')) {
+                const target = unsafeHelperCallTarget(child, summary.debits, byName, helperSummaries);
+                if (target)
+                    summary.unsafeNode = { ...child, target };
+            }
+        });
+    });
+    return summary;
+}
+function unsafeHelperCallTarget(call, callerDebits, byName, helperSummaries) {
+    const callee = getCallExpression(call);
+    if (!isNode(callee, 'Identifier'))
+        return null;
+    const calleeName = getName(callee);
+    const calleeFn = byName.get(calleeName);
+    if (!calleeFn)
+        return null;
+    const helper = helperSummaries.get(calleeName);
+    if (!helper || !helper.paramDebits.length)
+        return null;
+    const args = getCallArguments(call);
+    for (const debit of helper.paramDebits) {
+        const arg = args[debit.paramIndex];
+        if (!arg)
+            continue;
+        if (callerDebits.some(d => sameAccount(d.target, arg)))
+            return arg;
+    }
+    return null;
+}
+function buildHelperSummaries(functions) {
+    const summaries = new Map();
+    for (const fn of functions) {
+        const name = getName(fn);
+        if (!name)
+            continue;
+        const body = getFunctionBody(fn);
+        if (!body)
+            continue;
+        const params = getFunctionParameters(fn).map(param => getName(param)).filter(Boolean);
+        if (!params.length)
+            continue;
+        const paramIndex = new Map();
+        params.forEach((paramName, index) => paramIndex.set(paramName, index));
+        const paramDebits = [];
+        walk(body, node => {
+            if (!isAssignment(node))
+                return;
+            const left = getAssignmentLeft(node);
+            if (!isBalanceAccess(left))
+                return;
+            const target = getBalanceIndex(left);
+            if (!isNode(target, 'Identifier'))
+                return;
+            const idx = paramIndex.get(getName(target));
+            if (idx === undefined)
+                return;
+            const delta = extractDelta(node, left, getAssignmentRight(node));
+            if (delta?.kind !== 'debit')
+                return;
+            if (paramDebits.some(existing => existing.paramIndex === idx))
+                return;
+            paramDebits.push({ paramIndex: idx });
+        });
+        if (paramDebits.length)
+            summaries.set(name, { paramDebits });
+    }
+    return summaries;
+}
+function hasRecipientSinkCondition(node, paramNames) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isBinary(node, '==') || isBinary(node, '!=')) {
+        const left = getLeft(node);
+        const right = getRight(node);
+        return (isRecipientParam(left, paramNames) && isSinkLike(right, paramNames)) ||
+            (isRecipientParam(right, paramNames) && isSinkLike(left, paramNames));
+    }
+    return childrenOf(node).some(child => hasRecipientSinkCondition(child, paramNames));
+}
+function isRecipientParam(node, paramNames) {
+    return isNode(node, 'Identifier') && paramNames.has(getName(node)) && /to|recipient|receiver|dst|destination/i.test(getName(node));
+}
+function isSinkLike(node, paramNames) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Identifier'))
+        return !paramNames.has(getName(node));
+    if (isNode(node, 'MemberAccess'))
+        return true;
+    if (isNode(node, 'FunctionCall') && getCalleeName(node) === 'address')
+        return true;
+    return false;
+}
+function collectLocalAssignments(body) {
+    const locals = new Map();
+    const localNames = new Set();
+    walk(body, node => {
+        if (isNode(node, 'VariableDeclarationStatement')) {
+            const init = node.initialValue ?? null;
+            for (const name of getVariableDeclarationNames(node)) {
+                if (!name)
+                    continue;
+                localNames.add(name);
+                if (init)
+                    locals.set(name, init);
+            }
+            return;
+        }
+        if (isAssignment(node)) {
+            const name = getIdentifierName(getAssignmentLeft(node));
+            if (name && localNames.has(name))
+                locals.set(name, getAssignmentRight(node));
+        }
+    });
+    return locals;
+}
+function extractDelta(node, left, right) {
+    const operator = getOperator(node);
+    if (operator === '-=')
+        return { kind: 'debit', amount: right };
+    if (operator === '+=')
+        return { kind: 'credit', amount: right };
+    if (operator !== '=')
+        return null;
+    if (isBinary(right, '-')) {
+        if (sameExpression(getLeft(right), left))
+            return { kind: 'debit', amount: getRight(right) };
+        if (sameExpression(getRight(right), left))
+            return { kind: 'credit', amount: getLeft(right) };
+    }
+    if (isBinary(right, '+')) {
+        if (sameExpression(getLeft(right), left))
+            return { kind: 'credit', amount: getRight(right) };
+        if (sameExpression(getRight(right), left))
+            return { kind: 'credit', amount: getLeft(right) };
+    }
+    return null;
+}
+function isBalanceAccess(node) {
+    if (!isNode(node, 'IndexAccess'))
+        return false;
+    const base = node.base ?? node.baseExpression;
+    return isNode(base, 'Identifier') && /balance/i.test(getName(base));
+}
+function getBalanceIndex(node) {
+    return node.index ?? node.indexExpression;
+}
+function amountReferencesAny(node, paramNames, locals, seen = new Set()) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Identifier')) {
+        const name = getName(node);
+        if (paramNames.has(name))
+            return true;
+        const replacement = locals.get(name);
+        if (!replacement || seen.has(name))
+            return false;
+        return amountReferencesAny(replacement, paramNames, locals, new Set([...seen, name]));
+    }
+    return childrenOf(node).some(child => amountReferencesAny(child, paramNames, locals, seen));
+}
+function sameAccount(a, b) {
+    return sameExpression(a, b);
+}
+function sameExpression(a, b) {
+    return canonicalize(a) === canonicalize(b);
+}
+function hasAccessControl(fn) {
+    if (getModifierNames(fn).some(name => (0, access_control_1.isPrivilegedIdentifier)(name, { keywords: ACCESS_CONTROL_KEYWORDS })))
+        return true;
+    let guarded = false;
+    walk(getFunctionBody(fn), node => {
+        if (guarded || !isNode(node, 'FunctionCall'))
+            return;
+        const calleeName = getCalleeName(node);
+        if (/onlyOwner|onlyRole|hasRole|checkRole/i.test(calleeName)) {
+            guarded = true;
+            return;
+        }
+        if (calleeName !== 'require' && calleeName !== 'assert')
+            return;
+        if (getCallArguments(node).some(arg => comparesMsgSenderToPrivileged(arg)))
+            guarded = true;
+    });
+    return guarded;
+}
+function comparesMsgSenderToPrivileged(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isBinary(node, '==') || isBinary(node, '!=')) {
+        const left = getLeft(node);
+        const right = getRight(node);
+        return (isMsgSender(left) && containsPrivilegedName(right)) || (isMsgSender(right) && containsPrivilegedName(left));
+    }
+    return childrenOf(node).some(comparesMsgSenderToPrivileged);
+}
+function containsPrivilegedName(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Identifier') && (0, access_control_1.isPrivilegedIdentifier)(getName(node), { keywords: ACCESS_CONTROL_KEYWORDS }))
+        return true;
+    if (isNode(node, 'MemberAccess') && (0, access_control_1.isPrivilegedIdentifier)(getMemberName(node), { keywords: ACCESS_CONTROL_KEYWORDS }))
+        return true;
+    return childrenOf(node).some(containsPrivilegedName);
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public' || visibility === '';
+}
+function getFunctionParameters(fn) {
+    const params = fn.parameters;
+    if (Array.isArray(params))
+        return params;
+    if (Array.isArray(params?.parameters))
+        return params.parameters;
+    return [];
+}
+function getVariableDeclarationNames(node) {
+    const variables = node.variables || node.declarations || [];
+    return variables.map((v) => getName(v)).filter(Boolean);
+}
+function getModifierNames(fn) {
+    const modifiers = fn.modifiers || [];
+    return modifiers.map((modifier) => {
+        const name = modifier.name || modifier.modifierName;
+        if (typeof name === 'string')
+            return name;
+        return getName(name);
+    }).filter(Boolean);
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(node => isNode(node, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function getFunctionBody(fn) {
+    return fn?.body || null;
+}
+function collectContracts(ast) {
+    const contracts = [];
+    walk(ast, node => {
+        if (isNode(node, 'ContractDefinition'))
+            contracts.push(node);
+    });
+    return contracts;
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function walk(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    visitor(node);
+    for (const child of childrenOf(node))
+        walk(child, visitor);
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (RESERVED_KEYS.has(key))
+            continue;
+        if (Array.isArray(value)) {
+            children.push(...value.filter(item => item && typeof item === 'object'));
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function isAssignment(node) {
+    return (isNode(node, 'BinaryOperation') || isNode(node, 'Assignment')) &&
+        typeof getOperator(node) === 'string' &&
+        getOperator(node).includes('=');
+}
+function isBinary(node, operator) {
+    return (isNode(node, 'BinaryOperation') || isNode(node, 'Assignment')) && getOperator(node) === operator;
+}
+function getAssignmentLeft(node) {
+    return node.left ?? node.leftExpression ?? node.leftHandSide;
+}
+function getAssignmentRight(node) {
+    return node.right ?? node.rightExpression ?? node.rightHandSide;
+}
+function getLeft(node) {
+    return node.left ?? node.leftExpression;
+}
+function getRight(node) {
+    return node.right ?? node.rightExpression;
+}
+function getOperator(node) {
+    return node?.operator || '';
+}
+function getCallExpression(node) {
+    return node.expression;
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function getCalleeName(node) {
+    const expr = getCallExpression(node);
+    if (isNode(expr, 'Identifier'))
+        return getName(expr);
+    if (isNode(expr, 'MemberAccess'))
+        return getMemberName(expr);
+    if (isNode(expr, 'ElementaryTypeName') || isNode(expr, 'ElementaryTypeNameExpression')) {
+        return expr.name || expr.typeName?.name || '';
+    }
+    return '';
+}
+function getIdentifierName(node) {
+    return isNode(node, 'Identifier') ? getName(node) : '';
+}
+function getMemberName(node) {
+    return node?.memberName || '';
+}
+function isMsgSender(node) {
+    return isNode(node, 'MemberAccess') &&
+        getMemberName(node) === 'sender' &&
+        isNode(node.expression, 'Identifier') &&
+        getName(node.expression) === 'msg';
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function canonicalize(node) {
+    if (node === null || node === undefined)
+        return 'null';
+    if (typeof node !== 'object')
+        return JSON.stringify(node);
+    if (Array.isArray(node))
+        return '[' + node.map(canonicalize).join(',') + ']';
+    const keys = Object.keys(node).filter(key => !RESERVED_KEYS.has(key)).sort();
+    return '{' + keys.map(key => `${key}:${canonicalize(node[key])}`).join(',') + '}';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start) {
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    }
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=transfer-double-debit-pool-recipient.js.map

package/dist/detectors/treasury-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class TreasuryReentrancyDetector {
+    readonly id = "treasury-reentrancy";
+    readonly patternKey = "treasury-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}