@snovon/solast 0.2.0

package/dist/detectors/uniswap-skim-token-balance-attack.js

@@ -0,0 +1,331 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UniswapSkimTokenBalanceAttackDetector = void 0;
+const RULE_ID = 'uniswap-skim-token-balance-attack';
+const PATTERN = `${RULE_ID}/transfer-into-pair-then-skim`;
+const SOURCE = 'x-20230615-cfc-uniswap-skim-token-balance-attack';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner', 'onlyrole', 'onlyadmin', 'onlyauthorized', 'authorized', 'auth',
+    'onlyoperator', 'onlygovernance', 'onlygovernor', 'onlyguardian', 'onlymanager',
+    'onlytrusted', 'onlytimelock', 'onlykeeper',
+]);
+const REENTRANCY_GUARD_MODIFIERS = new Set([
+    'nonreentrant', 'noreentrant', 'noreentry', 'reentrancyguard', 'lock', 'locked', 'mutex',
+]);
+class UniswapSkimTokenBalanceAttackDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object' || Object.keys(ast).length === 0)
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            for (const fn of getContractFunctions(contract)) {
+                if (!isExternallyReachable(fn))
+                    continue;
+                if (hasTrustedGuard(fn))
+                    continue;
+                const body = fn.body;
+                if (!body)
+                    continue;
+                const hit = findTransferThenSkim(body);
+                if (!hit)
+                    continue;
+                const loc = getLoc(hit, lineOffsets) || getLoc(fn, lineOffsets) || { line: 0, column: 0 };
+                const fnName = getName(fn) || '<fallback>';
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': fnName,
+                    line: loc.line,
+                    endLine: loc.line,
+                    column: loc.column,
+                    pattern: PATTERN,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'high',
+                    category: 'vulnerability',
+                    message: `Function '${contractName}.${fnName}' transfers tokens into a Uniswap V2-style pair and then calls skim(address) on that same pair.`,
+                    rationale: 'This matches the CFC exploit use-site: an attacker-reachable callback or attack function pushes token balance into an AMM pair, then skims the balance-vs-reserve excess from that pair.',
+                    suggestedFix: 'Remove permissionless transfer-into-pair-then-skim flows. Restrict rescue or maintenance skim paths behind owner/role checks or a reentrancy guard, and avoid exposing exploit-reproduction callbacks.',
+                    contractName,
+                    functionName: fnName,
+                    sourceLocation: { line: loc.line, column: loc.column },
+                    findingId: '',
+                    contractHash: '',
+                    source: SOURCE,
+                    provenance: SOURCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.UniswapSkimTokenBalanceAttackDetector = UniswapSkimTokenBalanceAttackDetector;
+function findTransferThenSkim(body) {
+    const transferTargets = new Set();
+    let foundNode = null;
+    function visit(node) {
+        if (foundNode || !node || typeof node !== 'object')
+            return;
+        if (isFunctionCall(node)) {
+            const callee = unwrapCallOptions(node.expression);
+            if (isMemberAccess(callee)) {
+                const args = getCallArguments(node);
+                const memberName = String(callee.memberName || '');
+                if (isTokenTransferMember(memberName) && args.length >= 2) {
+                    const target = pairNameFromExpression(unwrapAddressCast(args[0]));
+                    if (target)
+                        transferTargets.add(target);
+                }
+                else if (memberName === 'skim' && args.length >= 1) {
+                    const pair = pairNameFromExpression(callee.expression);
+                    if (pair && transferTargets.has(pair))
+                        foundNode = node;
+                }
+                else if (memberName === 'call' && args.length >= 1) {
+                    const pair = pairNameFromExpression(callee.expression);
+                    if (pair && transferTargets.has(pair) && isSkimSelectorPayload(args[0]))
+                        foundNode = node;
+                }
+            }
+        }
+        for (const child of childrenOf(node))
+            visit(child);
+    }
+    visit(body);
+    return foundNode;
+}
+function isTokenTransferMember(memberName) {
+    return memberName === 'transfer' || memberName === 'safeTransfer';
+}
+function isSkimSelectorPayload(expr) {
+    if (!isFunctionCall(expr))
+        return false;
+    const callee = unwrapCallOptions(expr.expression);
+    if (!isMemberAccess(callee))
+        return false;
+    if (!isIdentifier(callee.expression, 'abi'))
+        return false;
+    const memberName = String(callee.memberName || '');
+    if (memberName !== 'encodeWithSelector' && memberName !== 'encodeWithSignature')
+        return false;
+    const selectorArg = getSelectorArgument(expr);
+    if (!selectorArg)
+        return false;
+    if (memberName === 'encodeWithSignature') {
+        return isStringLiteral(selectorArg, 'skim(address)');
+    }
+    return isSkimSelector(selectorArg);
+}
+function getSelectorArgument(call) {
+    const args = getCallArguments(call);
+    if (Array.isArray(call?.names)) {
+        const idx = call.names.findIndex((name) => String(name?.name || name) === 'selector');
+        if (idx >= 0)
+            return args[idx];
+    }
+    return args[0] || null;
+}
+function isSkimSelector(node) {
+    if (!isMemberAccess(node) || String(node.memberName || '') !== 'selector')
+        return false;
+    const inner = node.expression;
+    return isMemberAccess(inner) && String(inner.memberName || '') === 'skim';
+}
+function pairNameFromExpression(expr) {
+    const unwrapped = unwrapInterfaceCast(unwrapAddressCast(expr));
+    if (isNode(unwrapped, 'Identifier'))
+        return String(unwrapped.name || '');
+    return '';
+}
+function unwrapAddressCast(expr) {
+    if (!isFunctionCall(expr))
+        return expr;
+    const args = getCallArguments(expr);
+    if (args.length !== 1)
+        return expr;
+    const callee = expr.expression;
+    if (isIdentifier(callee, 'address'))
+        return args[0];
+    if (isNode(callee, 'ElementaryTypeNameExpression')) {
+        const tn = callee.typeName;
+        if (tn === 'address' || tn?.name === 'address')
+            return args[0];
+    }
+    return expr;
+}
+function unwrapInterfaceCast(expr) {
+    if (!isFunctionCall(expr))
+        return expr;
+    const args = getCallArguments(expr);
+    if (args.length !== 1)
+        return expr;
+    const callee = expr.expression;
+    if (isNode(callee, 'Identifier') || isNode(callee, 'UserDefinedTypeName'))
+        return args[0];
+    return expr;
+}
+function hasTrustedGuard(fn) {
+    for (const modifier of fn?.modifiers || []) {
+        const name = getModifierName(modifier).toLowerCase();
+        if (!name)
+            continue;
+        if (ACCESS_CONTROL_MODIFIERS.has(name) || REENTRANCY_GUARD_MODIFIERS.has(name))
+            return true;
+        if (/^only/.test(name))
+            return true;
+    }
+    return false;
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name?.name)
+        return String(modifier.name.name);
+    if (modifier.name?.namePath)
+        return String(modifier.name.namePath);
+    if (typeof modifier.modifierName === 'string')
+        return modifier.modifierName;
+    if (modifier.modifierName?.name)
+        return String(modifier.modifierName.name);
+    return '';
+}
+function isExternallyReachable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor')
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    if (visibility === 'public' || visibility === 'external')
+        return true;
+    return kind === 'fallback' || kind === 'receive';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, out);
+    return out;
+}
+function walkContracts(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        out.push(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, out);
+}
+function getContractFunctions(contract) {
+    const members = Array.isArray(contract?.subNodes) ? contract.subNodes : [];
+    return members.filter((node) => isNode(node, 'FunctionDefinition'));
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'typeDescriptions')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function getCallArguments(call) {
+    if (Array.isArray(call?.arguments))
+        return call.arguments;
+    return [];
+}
+function unwrapCallOptions(expr) {
+    let cur = expr;
+    while (cur && (isNode(cur, 'NameValueExpression') || isNode(cur, 'FunctionCallOptions'))) {
+        cur = cur.expression;
+    }
+    return cur;
+}
+function isFunctionCall(node) {
+    return isNode(node, 'FunctionCall');
+}
+function isMemberAccess(node) {
+    return isNode(node, 'MemberAccess');
+}
+function isIdentifier(node, name) {
+    return isNode(node, 'Identifier') && String(node.name || '') === name;
+}
+function isStringLiteral(node, value) {
+    if (!isNode(node, 'StringLiteral'))
+        return false;
+    if (String(node.value || '') === value)
+        return true;
+    return Array.isArray(node.parts) && node.parts.includes(value);
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start) {
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    }
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=uniswap-skim-token-balance-attack.js.map

package/dist/detectors/uniswap-v4-hook-state-manipulation.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UniswapV4HookStateManipulationDetector {
+    readonly id = "v4-hook-state-manipulation";
+    readonly patternKey = "v4-hook-state-manipulation";
+    readonly supportedAstKinds: ('parser')[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/uniswap-v4-hook-state-manipulation.js

@@ -0,0 +1,296 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UniswapV4HookStateManipulationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'v4-hook-state-manipulation';
+const SUPPORTED_HOOKS = new Set([
+    'hookBeforeSwap',
+    'hookAfterSwap',
+    'hookBeforeTransfer',
+    'hookAfterTransfer',
+]);
+class UniswapV4HookStateManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object' || ast.type !== 'SourceUnit')
+            return [];
+        if (sourceText && !containsSupportedHookName(sourceText))
+            return [];
+        const findings = [];
+        for (const contract of collectContracts(ast)) {
+            const functionsByName = new Map(contract.functions.map(fn => [fn.name, fn]));
+            for (const hook of contract.functions.filter(fn => SUPPORTED_HOOKS.has(fn.name))) {
+                for (const write of hook.writes) {
+                    const dependency = findLaterDependency(hook, write, functionsByName);
+                    if (!dependency)
+                        continue;
+                    findings.push(createFinding(file, sourceText, hook, write, dependency));
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.UniswapV4HookStateManipulationDetector = UniswapV4HookStateManipulationDetector;
+function containsSupportedHookName(sourceText) {
+    return /\b(hookBeforeSwap|hookAfterSwap|hookBeforeTransfer|hookAfterTransfer)\b/.test(sourceText);
+}
+function collectContracts(ast) {
+    const contracts = [];
+    for (const node of ast.children || []) {
+        if (node?.type !== 'ContractDefinition')
+            continue;
+        const contract = {
+            name: node.name || '<anonymous>',
+            stateVariables: new Set(),
+            functions: [],
+        };
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of subNode.variables || []) {
+                if (variable?.name)
+                    contract.stateVariables.add(variable.name);
+            }
+        }
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type === 'FunctionDefinition') {
+                contract.functions.push(summarizeFunction(subNode, contract));
+            }
+        }
+        contracts.push(contract);
+    }
+    return contracts;
+}
+function summarizeFunction(node, contract) {
+    const loc = (0, ast_1.tryLoc)(node) ?? { line: 0, endLine: 0, column: 0 };
+    const summary = {
+        contractName: contract.name,
+        name: node.name || '',
+        line: loc.line,
+        column: loc.column,
+        parameters: new Set(),
+        locals: new Set(),
+        reads: [],
+        writes: [],
+        internalCalls: [],
+    };
+    for (const parameter of node.parameters || []) {
+        if (parameter?.name)
+            summary.parameters.add(parameter.name);
+    }
+    for (const parameter of node.returnParameters || []) {
+        if (parameter?.name)
+            summary.parameters.add(parameter.name);
+    }
+    let order = 0;
+    visitStatement(node.body, summary, contract, () => ++order);
+    return summary;
+}
+function visitStatement(statement, summary, contract, nextOrder) {
+    if (!statement || typeof statement !== 'object')
+        return;
+    if (statement.type === 'Block') {
+        for (const child of statement.statements || [])
+            visitStatement(child, summary, contract, nextOrder);
+        return;
+    }
+    if (statement.type === 'VariableDeclarationStatement') {
+        for (const variable of statement.variables || []) {
+            if (variable?.name)
+                summary.locals.add(variable.name);
+        }
+        visitExpression(statement.initialValue, summary, contract, nextOrder);
+        return;
+    }
+    if (statement.type === 'ExpressionStatement') {
+        visitExpression(statement.expression, summary, contract, nextOrder, statement);
+        return;
+    }
+    if (statement.type === 'ReturnStatement') {
+        visitExpression(statement.expression, summary, contract, nextOrder, statement);
+        return;
+    }
+    if (statement.type === 'IfStatement') {
+        visitExpression(statement.condition, summary, contract, nextOrder, statement.condition);
+        visitStatement(statement.trueBody, summary, contract, nextOrder);
+        visitStatement(statement.falseBody, summary, contract, nextOrder);
+        return;
+    }
+    for (const child of objectChildren(statement)) {
+        if (child?.type && String(child.type).endsWith('Statement')) {
+            visitStatement(child, summary, contract, nextOrder);
+        }
+        else {
+            visitExpression(child, summary, contract, nextOrder);
+        }
+    }
+}
+function visitExpression(expr, summary, contract, nextOrder, readContext) {
+    if (!expr || typeof expr !== 'object')
+        return;
+    if (expr.type === 'BinaryOperation' && isAssignmentOperator(expr.operator)) {
+        if (expr.operator !== '=')
+            recordRead(expr.left, summary, contract, nextOrder);
+        visitExpression(expr.right, summary, contract, nextOrder, expr.right);
+        recordWrite(expr.left, summary, contract, nextOrder);
+        return;
+    }
+    if (expr.type === 'UnaryOperation' && (expr.operator === '++' || expr.operator === '--' || expr.operator === 'delete')) {
+        if (expr.operator !== 'delete')
+            recordRead(expr.subExpression, summary, contract, nextOrder);
+        recordWrite(expr.subExpression, summary, contract, nextOrder);
+        return;
+    }
+    if (expr.type === 'FunctionCall') {
+        const callName = internalCallName(expr);
+        if (callName)
+            summary.internalCalls.push({ name: callName, order: nextOrder() });
+    }
+    const slot = resolveStateVariable(expr, summary, contract);
+    if (slot) {
+        summary.reads.push(access(slot, readContext || expr, nextOrder()));
+    }
+    const childReadContext = dependencyReadContext(expr, readContext);
+    for (const child of expressionChildren(expr))
+        visitExpression(child, summary, contract, nextOrder, childReadContext);
+}
+function recordRead(expr, summary, contract, nextOrder) {
+    const slot = resolveStateVariable(expr, summary, contract);
+    if (slot)
+        summary.reads.push(access(slot, expr, nextOrder()));
+    else
+        visitExpression(expr, summary, contract, nextOrder);
+}
+function recordWrite(expr, summary, contract, nextOrder) {
+    const slot = resolveStateVariable(expr, summary, contract);
+    if (slot)
+        summary.writes.push(access(slot, expr, nextOrder()));
+    else
+        visitExpression(expr, summary, contract, nextOrder);
+}
+function access(variable, node, order) {
+    const loc = (0, ast_1.tryLoc)(node) ?? { line: 0, endLine: 0, column: 0 };
+    return {
+        variable,
+        order,
+        line: loc.line,
+        column: loc.column,
+    };
+}
+function resolveStateVariable(expr, summary, contract) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'Identifier') {
+        return contract.stateVariables.has(expr.name) && !summary.locals.has(expr.name) && !summary.parameters.has(expr.name)
+            ? expr.name
+            : null;
+    }
+    if (expr.type === 'IndexAccess')
+        return resolveStateVariable(expr.base, summary, contract);
+    if (expr.type === 'MemberAccess') {
+        if (expr.expression?.type === 'Identifier' && expr.expression.name === 'this') {
+            return contract.stateVariables.has(expr.memberName) ? expr.memberName : null;
+        }
+        return resolveStateVariable(expr.expression, summary, contract);
+    }
+    return null;
+}
+function internalCallName(expr) {
+    const callee = expr.expression;
+    if (callee?.type === 'Identifier')
+        return callee.name || null;
+    if (callee?.type === 'MemberAccess' && callee.expression?.type === 'Identifier' && callee.expression.name === 'this') {
+        return callee.memberName || null;
+    }
+    return null;
+}
+function findLaterDependency(hook, write, functionsByName) {
+    const directRead = hook.reads.find(read => read.variable === write.variable && read.order > write.order);
+    if (directRead)
+        return directRead;
+    for (const call of hook.internalCalls.filter(call => call.order > write.order)) {
+        const target = functionsByName.get(call.name);
+        const helperRead = target?.reads.find(read => read.variable === write.variable);
+        if (helperRead)
+            return helperRead;
+    }
+    return null;
+}
+function createFinding(file, sourceText, hook, write, dependency) {
+    return {
+        file,
+        contract: hook.contractName,
+        'function': hook.name,
+        line: write.line,
+        endLine: write.line,
+        column: write.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: 'warning',
+        message: `Uniswap V4 hook ${hook.name} mutates '${write.variable}' and later reads it in swap-sensitive logic.`,
+        contractName: hook.contractName,
+        functionName: hook.name,
+        sourceLocation: { line: write.line, column: write.column },
+        stateMutationNode: { stateVariable: write.variable, classification: 'state-manipulation' },
+        stateDependencyNode: {
+            stateVariable: write.variable,
+            line: dependency.line,
+            column: dependency.column,
+        },
+        dependencyLocation: { line: dependency.line, column: dependency.column },
+        trace: `${hook.name} writes ${write.variable} -> reads ${write.variable}`,
+        rationale: 'Hook-mutated state reused during the same swap lifecycle can let callback-controlled values influence pricing, balance accounting, access control, fees, or settlement assumptions.',
+        suggestedFix: 'Keep callback-derived values in local variables or validate them before using them for swap pricing, balances, access control, fees, or settlement.',
+        classification: 'state-manipulation',
+        stateVariable: write.variable,
+        findingId: '',
+        contractHash: '',
+        ...(sourceText ? { source: sourceText } : {}),
+    };
+}
+function isAssignmentOperator(operator) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(operator);
+}
+function expressionChildren(expr) {
+    const children = [];
+    for (const key of ['expression', 'left', 'right', 'subExpression', 'base', 'index', 'initialValue', 'arguments', 'components']) {
+        const value = expr[key];
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function dependencyReadContext(expr, currentContext) {
+    if (!expr || typeof expr !== 'object')
+        return currentContext;
+    if (expr.type === 'BinaryOperation' || expr.type === 'FunctionCall')
+        return currentContext || expr;
+    return currentContext;
+}
+function objectChildren(node) {
+    const children = [];
+    for (const value of Object.values(node)) {
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+//# sourceMappingURL=uniswap-v4-hook-state-manipulation.js.map

package/dist/detectors/unprotected-admin-or-fund-sink.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class UnprotectedAdminOrFundSinkDetector {
+    readonly id = "unprotected-admin-or-fund-sink";
+    readonly patternKey = "unprotected-admin-or-fund-sink";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}