@snovon/solast 0.2.0

package/dist/detectors/unsafe-transient-storage.js

@@ -0,0 +1,1052 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UnsafeTransientStorageDetector = void 0;
+const RULE_ID = 'unsafe-transient-storage';
+const ASSIGN_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>=']);
+const BUILTIN_NAMESPACES = new Set(['msg', 'block', 'tx', 'abi', 'this', 'super', 'type']);
+const LOW_LEVEL_CALL_MEMBERS = new Set(['call', 'delegatecall', 'staticcall', 'send', 'transfer']);
+const INTERNAL_MEMBER_CALL_MEMBERS = new Set([
+    'push', 'pop', 'length', 'at',
+    'bump', 'increment', 'decrement', 'update', 'add', 'sub', 'mul', 'div', 'mod',
+    'get', 'set', 'append', 'extend', 'remove', 'delete', 'contains', 'indexOf',
+    'keys', 'values', 'entries', 'snapshot', 'commit', 'revert',
+]);
+class UnsafeTransientStorageDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        if (!hasTransientPragma(ast))
+            return [];
+        const findings = [];
+        const contractIndex = collectContractsByName(ast);
+        for (const child of ast.children || []) {
+            if (child?.type !== 'ContractDefinition')
+                continue;
+            if (child.kind === 'interface' || child.kind === 'library')
+                continue;
+            let info;
+            try {
+                info = buildContractInfo(child, contractIndex);
+                precomputeWriterMaps(info);
+            }
+            catch (_) {
+                continue;
+            }
+            for (const fn of info.functions) {
+                if (!fn.body)
+                    continue;
+                try {
+                    findings.push(...analyzeFunction(file, info, fn));
+                }
+                catch (_) {
+                    // Defensive: parser anomalies must not crash the scan.
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.UnsafeTransientStorageDetector = UnsafeTransientStorageDetector;
+function hasTransientPragma(ast) {
+    for (const child of ast.children || []) {
+        if (child?.type !== 'PragmaDirective')
+            continue;
+        if (child.name !== 'solidity')
+            continue;
+        return pragmaPermitsTransient(String(child.value || ''));
+    }
+    return false;
+}
+// `transient` storage was added in 0.8.24 (Cancun). The detector only fires
+// when every alternative in the pragma's lower bound is at least 0.8.24, so
+// projects that compile with 0.8.23 still produce zero findings even if the
+// parser happily accepts `tstore`/`tload` syntactically.
+function pragmaPermitsTransient(value) {
+    if (!value)
+        return false;
+    const branches = value.split('||').map(s => s.trim()).filter(Boolean);
+    if (branches.length === 0)
+        return false;
+    return branches.every(branchPermitsTransient);
+}
+function branchPermitsTransient(branch) {
+    const tokens = branch.split(/\s+/).filter(Boolean);
+    let lowerMinor = -1;
+    let lowerPatch = -1;
+    for (const token of tokens) {
+        const m = token.match(/^([\^~]|>=|>|<=|<|=)?\s*0\.(\d+)(?:\.(\d+))?/);
+        if (!m)
+            continue;
+        const op = m[1] || '=';
+        const minor = parseInt(m[2], 10);
+        const patch = m[3] ? parseInt(m[3], 10) : 0;
+        if (op === '<' || op === '<=')
+            continue;
+        if (lowerMinor < 0 || minor > lowerMinor || (minor === lowerMinor && patch > lowerPatch)) {
+            lowerMinor = minor;
+            lowerPatch = patch;
+        }
+    }
+    if (lowerMinor < 0)
+        return false;
+    if (lowerMinor > 8)
+        return true;
+    if (lowerMinor === 8 && lowerPatch >= 24)
+        return true;
+    return false;
+}
+function buildContractInfo(contractNode, contractIndex) {
+    const transientStateVars = resolveTransientVars(contractNode, contractIndex);
+    const modifiers = resolveModifiers(contractNode, contractIndex);
+    const functions = [];
+    for (const sub of contractNode.subNodes || []) {
+        if (!sub || typeof sub !== 'object')
+            continue;
+        if (sub.type === 'FunctionDefinition') {
+            functions.push(sub);
+        }
+    }
+    return {
+        node: contractNode,
+        name: String(contractNode.name || '<anonymous>'),
+        transientStateVars,
+        stateVariableTypes: resolveStateVariableTypes(contractNode, contractIndex),
+        stateVariableUserDefinedTypes: resolveStateVariableUserDefinedTypes(contractNode, contractIndex),
+        internalOnlyTypes: collectInternalOnlyTypes(contractIndex),
+        modifiers,
+        functions,
+        nonClearWriters: new Map(),
+        clearers: new Map(),
+    };
+}
+function collectInternalOnlyTypes(contractIndex) {
+    const names = new Set();
+    for (const node of contractIndex.values()) {
+        collectInternalOnlyTypesFromSubNodes(node?.subNodes, names);
+    }
+    return names;
+}
+function collectInternalOnlyTypesFromSubNodes(subNodes, names) {
+    for (const sub of subNodes || []) {
+        if (!sub || typeof sub !== 'object')
+            continue;
+        if ((sub.type === 'StructDefinition' || sub.type === 'EnumDefinition') && sub.name) {
+            names.add(String(sub.name));
+        }
+        if (Array.isArray(sub.subNodes))
+            collectInternalOnlyTypesFromSubNodes(sub.subNodes, names);
+    }
+}
+function collectContractsByName(ast) {
+    const map = new Map();
+    for (const child of ast.children || []) {
+        if (child?.type === 'ContractDefinition' && child.name) {
+            map.set(String(child.name), child);
+        }
+    }
+    return map;
+}
+function resolveStateVariableUserDefinedTypes(contractNode, contractIndex, visited = new Set()) {
+    const vars = new Set();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return vars;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseName = baseContractName(base);
+        if (!baseName)
+            continue;
+        const baseContract = contractIndex.get(baseName);
+        if (!baseContract)
+            continue;
+        for (const name of resolveStateVariableUserDefinedTypes(baseContract, contractIndex, visited)) {
+            vars.add(name);
+        }
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const v of sub.variables || []) {
+            if (v?.isStateVar && v?.name && isUserDefinedTypeName(v?.typeName)) {
+                vars.add(String(v.name));
+            }
+        }
+    }
+    return vars;
+}
+function resolveTransientVars(contractNode, contractIndex, visited = new Set()) {
+    const vars = new Set();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return vars;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseName = baseContractName(base);
+        if (!baseName)
+            continue;
+        const baseContract = contractIndex.get(baseName);
+        if (!baseContract)
+            continue;
+        for (const name of resolveTransientVars(baseContract, contractIndex, visited)) {
+            vars.add(name);
+        }
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const v of sub.variables || []) {
+            if (v?.isStateVar && v?.isTransient && v?.name) {
+                vars.add(String(v.name));
+            }
+        }
+    }
+    return vars;
+}
+function resolveStateVariableTypes(contractNode, contractIndex, visited = new Set()) {
+    const vars = new Map();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return vars;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseName = baseContractName(base);
+        if (!baseName)
+            continue;
+        const baseContract = contractIndex.get(baseName);
+        if (!baseContract)
+            continue;
+        for (const [name, typeName] of resolveStateVariableTypes(baseContract, contractIndex, visited)) {
+            vars.set(name, typeName);
+        }
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type !== 'StateVariableDeclaration')
+            continue;
+        for (const v of sub.variables || []) {
+            const typeName = typeNameToString(v?.typeName);
+            if (v?.isStateVar && v?.name && typeName)
+                vars.set(String(v.name), typeName);
+        }
+    }
+    return vars;
+}
+function resolveModifiers(contractNode, contractIndex, visited = new Set()) {
+    const modifiers = new Map();
+    const contractName = String(contractNode?.name || '');
+    if (contractName) {
+        if (visited.has(contractName))
+            return modifiers;
+        visited.add(contractName);
+    }
+    for (const base of contractNode?.baseContracts || []) {
+        const baseName = baseContractName(base);
+        if (!baseName)
+            continue;
+        const baseContract = contractIndex.get(baseName);
+        if (!baseContract)
+            continue;
+        for (const [name, def] of resolveModifiers(baseContract, contractIndex, visited)) {
+            modifiers.set(name, def);
+        }
+    }
+    for (const sub of contractNode?.subNodes || []) {
+        if (sub?.type === 'ModifierDefinition' && sub.name) {
+            modifiers.set(String(sub.name), sub);
+        }
+    }
+    return modifiers;
+}
+function baseContractName(base) {
+    const namePath = base?.baseName?.namePath;
+    if (namePath)
+        return String(namePath).split('.').pop() || '';
+    const name = base?.baseName?.name;
+    if (name)
+        return String(name).split('.').pop() || '';
+    return '';
+}
+function precomputeWriterMaps(info) {
+    for (const fn of info.functions) {
+        if (!fn.body)
+            continue;
+        let events;
+        try {
+            events = collectFunctionEvents(info, fn);
+        }
+        catch (_) {
+            continue;
+        }
+        const fnName = String(fn.name || '');
+        for (const ev of events) {
+            if (ev.kind !== 'tWrite')
+                continue;
+            const map = ev.isClear ? info.clearers : info.nonClearWriters;
+            let set = map.get(ev.var);
+            if (!set) {
+                set = new Set();
+                map.set(ev.var, set);
+            }
+            set.add(fnName);
+        }
+    }
+}
+function analyzeFunction(file, info, fn) {
+    const events = collectFunctionEvents(info, fn);
+    if (events.length === 0)
+        return [];
+    const findings = [];
+    const fnName = String(fn.name || '<anonymous>');
+    const guarded = hasReentrancyGuard(fn);
+    const varsInEvents = new Set();
+    for (const ev of events) {
+        if (ev.kind !== 'externalCall' && ev.var)
+            varsInEvents.add(ev.var);
+    }
+    const hasExternalCall = events.some(ev => ev.kind === 'externalCall');
+    // Rule 1: access-control flag (high). Transient flag is asserted in
+    // require/if and a non-clear write exists somewhere in the function or its
+    // modifiers, the function performs an external action, and no clear runs.
+    const accessControlVars = new Set();
+    for (const v of varsInEvents) {
+        const usedAsGuard = events.some(ev => ev.kind === 'tRequireUse' && ev.var === v);
+        if (!usedAsGuard)
+            continue;
+        const hasNonClearWrite = events.some(ev => ev.kind === 'tWrite' && ev.var === v && !ev.isClear);
+        if (!hasNonClearWrite)
+            continue;
+        if (!hasExternalCall)
+            continue;
+        const hasClearWrite = events.some(ev => ev.kind === 'tWrite' && ev.var === v && ev.isClear);
+        if (hasClearWrite)
+            continue;
+        accessControlVars.add(v);
+    }
+    const suppressed = new Set(accessControlVars);
+    for (const v of accessControlVars) {
+        findings.push(makeFinding({
+            file,
+            contract: info.name,
+            function: fnName,
+            loc: locOf(fn),
+            severity: 'high',
+            message: `Transient state variable '${v}' is used as an authorization flag in '${info.name}.${fnName}' without a paired clear before exit, leaving authorization stuck for the rest of the transaction.`,
+            rationale: 'Transient storage resets at transaction end but persists across same-transaction calls; using it as an unconditional authorization flag without clearing leaks authority to subsequent calls.',
+            suggestedFix: `Reset '${v}' to a falsey value at the end of the function or in a modifier epilogue, or replace the transient flag with a non-transient guarded check.`,
+        }));
+    }
+    // Rule 2: write-reaches-external-call (medium).
+    const rule2Vars = new Set();
+    if (!guarded) {
+        for (let i = 0; i < events.length; i++) {
+            const ev = events[i];
+            if (ev.kind !== 'tWrite' || ev.isClear)
+                continue;
+            if (suppressed.has(ev.var))
+                continue;
+            let crossesCall = false;
+            for (let j = i + 1; j < events.length; j++) {
+                const next = events[j];
+                if (next.kind === 'tWrite' && next.var === ev.var && next.isClear)
+                    break;
+                if (next.kind === 'externalCall') {
+                    crossesCall = true;
+                    break;
+                }
+            }
+            if (crossesCall)
+                rule2Vars.add(ev.var);
+        }
+    }
+    for (const v of rule2Vars) {
+        findings.push(makeFinding({
+            file,
+            contract: info.name,
+            function: fnName,
+            loc: locOf(fn),
+            severity: 'medium',
+            message: `Transient write of '${v}' in '${info.name}.${fnName}' reaches an external-call boundary before being cleared.`,
+            rationale: 'A transient slot left set across an external call can be observed or reused by a re-entered or attacker-influenced caller within the same transaction.',
+            suggestedFix: `Clear '${v}' (set it to zero/false, or call the equivalent assembly tstore(slot, 0)) before invoking external code.`,
+        }));
+        suppressed.add(v);
+    }
+    // Rule 3: read-after-external-call (medium). Suppressed if the function
+    // carries a recognized reentrancy guard modifier.
+    const rule3Vars = new Set();
+    if (!guarded) {
+        let firstCallIdx = -1;
+        for (let i = 0; i < events.length; i++) {
+            if (events[i].kind === 'externalCall') {
+                firstCallIdx = i;
+                break;
+            }
+        }
+        if (firstCallIdx >= 0) {
+            for (let i = firstCallIdx + 1; i < events.length; i++) {
+                const ev = events[i];
+                if (ev.kind !== 'tRead' && ev.kind !== 'tRequireUse')
+                    continue;
+                if (accessControlVars.has(ev.var))
+                    continue;
+                rule3Vars.add(ev.var);
+            }
+        }
+    }
+    for (const v of rule3Vars) {
+        findings.push(makeFinding({
+            file,
+            contract: info.name,
+            function: fnName,
+            loc: locOf(fn),
+            severity: 'medium',
+            message: `Transient read of '${v}' in '${info.name}.${fnName}' occurs after an external call without a reentrancy guard.`,
+            rationale: 'Reading transient state after an external call exposes the function to a re-entered caller overwriting the slot in the same transaction.',
+            suggestedFix: 'Read the transient slot before performing the external call, gate the function with a reentrancy guard, or revalidate the value with an immutable check.',
+        }));
+    }
+    // Rule 4: missing exit clear (medium). Only fires when the contract never
+    // clears the variable anywhere — otherwise we treat the producer/consumer
+    // pair as an intentional cross-function pattern (rule 5 handles the consumer).
+    const rule4Vars = new Set();
+    for (const v of varsInEvents) {
+        if (suppressed.has(v))
+            continue;
+        const hasNonClearWrite = events.some(ev => ev.kind === 'tWrite' && ev.var === v && !ev.isClear);
+        if (!hasNonClearWrite)
+            continue;
+        const clearedInThisFn = events.some(ev => ev.kind === 'tWrite' && ev.var === v && ev.isClear);
+        const clearedAnywhere = (info.clearers.get(v)?.size || 0) > 0;
+        if (clearedInThisFn || clearedAnywhere)
+            continue;
+        rule4Vars.add(v);
+    }
+    for (const v of rule4Vars) {
+        findings.push(makeFinding({
+            file,
+            contract: info.name,
+            function: fnName,
+            loc: locOf(fn),
+            severity: 'medium',
+            message: `Transient write of '${v}' in '${info.name}.${fnName}' is never cleared before function exit.`,
+            rationale: 'Transient storage persists for the rest of the transaction; failing to reset it before returning leaks the value to subsequent calls in the same transaction.',
+            suggestedFix: `Reset '${v}' at the end of the function, or pair it with a modifier epilogue that runs after the function body.`,
+        }));
+    }
+    // Rule 5: cross-function assumption (medium). Function reads transient
+    // state before writing it locally and the producer lives in another
+    // function in the same contract.
+    if (!guarded) {
+        const rule5Vars = new Set();
+        for (let i = 0; i < events.length; i++) {
+            const ev = events[i];
+            if (ev.kind !== 'tRead' && ev.kind !== 'tRequireUse')
+                continue;
+            const v = ev.var;
+            if (suppressed.has(v) || rule3Vars.has(v) || rule5Vars.has(v))
+                continue;
+            const writeBefore = events.slice(0, i).some(e => e.kind === 'tWrite' && e.var === v);
+            if (writeBefore)
+                continue;
+            const writers = info.nonClearWriters.get(v);
+            if (!writers)
+                continue;
+            let hasOtherWriter = false;
+            for (const name of writers) {
+                if (name !== fnName) {
+                    hasOtherWriter = true;
+                    break;
+                }
+            }
+            if (hasOtherWriter)
+                rule5Vars.add(v);
+        }
+        for (const v of rule5Vars) {
+            findings.push(makeFinding({
+                file,
+                contract: info.name,
+                function: fnName,
+                loc: locOf(fn),
+                severity: 'medium',
+                message: `Transient read of '${v}' in '${info.name}.${fnName}' depends on a value set by another function within the same transaction.`,
+                rationale: 'Cross-function dependence on transient storage assumes the producing call ran first in the same transaction; that ordering is not enforced and the consumer may see stale or unset state.',
+                suggestedFix: 'Replace the transient cross-function assumption with explicit per-call parameters or a session pattern that initializes and clears the slot atomically.',
+            }));
+        }
+    }
+    return findings;
+}
+function collectFunctionEvents(info, fn) {
+    const events = [];
+    const typeContext = buildFunctionTypeContext(info, fn);
+    const preludes = [];
+    const epilogues = [];
+    for (const inv of fn.modifiers || []) {
+        const modName = modifierInvocationName(inv);
+        if (!modName)
+            continue;
+        const def = info.modifiers.get(modName);
+        if (!def?.body)
+            continue;
+        const split = splitModifierBody(def.body);
+        preludes.push(split.prelude);
+        // Epilogues unwind in reverse of the modifier list to match Solidity's
+        // wrapping order: outer modifier prelude, inner modifier prelude, body,
+        // inner modifier epilogue, outer modifier epilogue.
+        epilogues.unshift(split.epilogue);
+    }
+    for (const stmts of preludes) {
+        for (const stmt of stmts)
+            walkStmt(stmt, info, events, typeContext);
+    }
+    if (fn.body)
+        walkStmt(fn.body, info, events, typeContext);
+    for (const stmts of epilogues) {
+        for (const stmt of stmts)
+            walkStmt(stmt, info, events, typeContext);
+    }
+    return events;
+}
+function buildFunctionTypeContext(info, fn) {
+    const variableTypes = new Map(info.stateVariableTypes);
+    const userDefinedVariables = new Set(info.stateVariableUserDefinedTypes);
+    for (const parameter of fn.parameters || []) {
+        const typeName = typeNameToString(parameter?.typeName);
+        if (parameter?.name && typeName)
+            variableTypes.set(String(parameter.name), typeName);
+        if (parameter?.name && isUserDefinedTypeName(parameter?.typeName))
+            userDefinedVariables.add(String(parameter.name));
+    }
+    for (const parameter of fn.returnParameters || []) {
+        const typeName = typeNameToString(parameter?.typeName);
+        if (parameter?.name && typeName)
+            variableTypes.set(String(parameter.name), typeName);
+        if (parameter?.name && isUserDefinedTypeName(parameter?.typeName))
+            userDefinedVariables.add(String(parameter.name));
+    }
+    collectLocalVariableTypes(fn.body, variableTypes, userDefinedVariables);
+    return { variableTypes, userDefinedVariables, internalOnlyTypes: info.internalOnlyTypes };
+}
+function collectLocalVariableTypes(node, variableTypes, userDefinedVariables) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'VariableDeclarationStatement') {
+        for (const variable of node.variables || []) {
+            const typeName = typeNameToString(variable?.typeName);
+            if (variable?.name && typeName)
+                variableTypes.set(String(variable.name), typeName);
+            if (variable?.name && isUserDefinedTypeName(variable?.typeName))
+                userDefinedVariables.add(String(variable.name));
+        }
+    }
+    for (const c of childrenOf(node))
+        collectLocalVariableTypes(c, variableTypes, userDefinedVariables);
+}
+function modifierInvocationName(inv) {
+    if (!inv)
+        return '';
+    if (typeof inv.name === 'string')
+        return inv.name;
+    if (inv.name?.name)
+        return String(inv.name.name);
+    if (inv.name?.namePath)
+        return String(inv.name.namePath);
+    return '';
+}
+function splitModifierBody(body) {
+    const stmts = Array.isArray(body?.statements) ? body.statements : [];
+    let placeholder = -1;
+    for (let i = 0; i < stmts.length; i++) {
+        const s = stmts[i];
+        if (!s || typeof s !== 'object')
+            continue;
+        if (s.type === 'PlaceholderStatement') {
+            placeholder = i;
+            break;
+        }
+        if (s.type === 'ExpressionStatement' && s.expression?.type === 'Identifier' && s.expression.name === '_') {
+            placeholder = i;
+            break;
+        }
+    }
+    if (placeholder < 0)
+        return { prelude: stmts.slice(), epilogue: [] };
+    return { prelude: stmts.slice(0, placeholder), epilogue: stmts.slice(placeholder + 1) };
+}
+function walkStmt(node, info, events, typeContext) {
+    if (!node || typeof node !== 'object')
+        return;
+    switch (node.type) {
+        case 'Block':
+            for (const s of node.statements || [])
+                walkStmt(s, info, events, typeContext);
+            return;
+        case 'ExpressionStatement':
+            walkExpr(node.expression, info, events, typeContext);
+            return;
+        case 'IfStatement':
+            gatherTransientUses(node.condition, info, events);
+            walkExpr(node.condition, info, events, typeContext);
+            walkStmt(node.trueBody, info, events, typeContext);
+            walkStmt(node.falseBody, info, events, typeContext);
+            return;
+        case 'ForStatement':
+            walkStmt(node.initExpression, info, events, typeContext);
+            walkExpr(node.conditionExpression, info, events, typeContext);
+            walkStmt(node.body, info, events, typeContext);
+            walkStmt(node.loopExpression, info, events, typeContext);
+            return;
+        case 'WhileStatement':
+            gatherTransientUses(node.condition, info, events);
+            walkExpr(node.condition, info, events, typeContext);
+            walkStmt(node.body, info, events, typeContext);
+            return;
+        case 'DoWhileStatement':
+            walkStmt(node.body, info, events, typeContext);
+            walkExpr(node.condition, info, events, typeContext);
+            return;
+        case 'VariableDeclarationStatement':
+            walkExpr(node.initialValue, info, events, typeContext);
+            return;
+        case 'ReturnStatement':
+        case 'EmitStatement':
+        case 'RevertStatement':
+            walkExpr(node.expression, info, events, typeContext);
+            return;
+        case 'InlineAssemblyStatement':
+            walkAssembly(node.body, events);
+            return;
+        case 'TryStatement':
+            walkExpr(node.expression, info, events, typeContext);
+            walkStmt(node.body, info, events, typeContext);
+            for (const clause of node.catchClauses || [])
+                walkStmt(clause?.body, info, events, typeContext);
+            return;
+        case 'UncheckedStatement':
+            walkStmt(node.body, info, events, typeContext);
+            return;
+        default:
+            for (const c of childrenOf(node))
+                walkStmt(c, info, events, typeContext);
+    }
+}
+function walkExpr(node, info, events, typeContext) {
+    if (!node || typeof node !== 'object')
+        return;
+    switch (node.type) {
+        case 'BinaryOperation': {
+            if (ASSIGN_OPS.has(String(node.operator || ''))) {
+                walkExpr(node.right, info, events, typeContext);
+                const lhs = node.left;
+                if (lhs?.type === 'Identifier' && info.transientStateVars.has(String(lhs.name))) {
+                    const isClear = node.operator === '=' && isFalseyLiteral(node.right);
+                    events.push({ kind: 'tWrite', var: String(lhs.name), isClear, loc: locOf(node), node });
+                }
+                else if (lhs && lhs.type !== 'Identifier') {
+                    // Walk index keys etc. so transient identifiers used as map keys
+                    // still register; the outer write target is non-transient so we
+                    // don't synthesize a write event.
+                    walkExpr(lhs, info, events, typeContext);
+                }
+                return;
+            }
+            walkExpr(node.left, info, events, typeContext);
+            walkExpr(node.right, info, events, typeContext);
+            return;
+        }
+        case 'UnaryOperation':
+            if (node.operator === 'delete') {
+                const target = transientTargetName(node.subExpression, info);
+                if (target) {
+                    events.push({ kind: 'tWrite', var: target, isClear: true, loc: locOf(node), node });
+                    return;
+                }
+            }
+            if ((node.operator === '++' || node.operator === '--') &&
+                node.subExpression?.type === 'Identifier' &&
+                info.transientStateVars.has(String(node.subExpression.name))) {
+                events.push({ kind: 'tWrite', var: String(node.subExpression.name), isClear: false, loc: locOf(node), node });
+                return;
+            }
+            walkExpr(node.subExpression, info, events, typeContext);
+            return;
+        case 'FunctionCall': {
+            const callee = node.expression;
+            const calleeName = callee?.type === 'Identifier' ? String(callee.name || '') : '';
+            if (calleeName === 'require' || calleeName === 'assert') {
+                for (const arg of node.arguments || []) {
+                    gatherTransientUses(arg, info, events);
+                    walkExpr(arg, info, events, typeContext);
+                }
+                return;
+            }
+            if (isExternalCallExpr(node, typeContext)) {
+                // Walk callee/argument identifiers first so any read events register
+                // before the externalCall marker.
+                if (callee?.type === 'MemberAccess') {
+                    walkExpr(callee.expression, info, events, typeContext);
+                }
+                else if (callee?.type === 'NameValueExpression') {
+                    const inner = callee.expression;
+                    if (inner?.type === 'MemberAccess')
+                        walkExpr(inner.expression, info, events, typeContext);
+                }
+                for (const arg of node.arguments || [])
+                    walkExpr(arg, info, events, typeContext);
+                events.push({ kind: 'externalCall', loc: locOf(node), node });
+                return;
+            }
+            walkExpr(callee, info, events, typeContext);
+            for (const arg of node.arguments || [])
+                walkExpr(arg, info, events, typeContext);
+            return;
+        }
+        case 'Identifier':
+            if (info.transientStateVars.has(String(node.name || ''))) {
+                events.push({ kind: 'tRead', var: String(node.name), loc: locOf(node), node });
+            }
+            return;
+        case 'TupleExpression':
+            for (const c of node.components || [])
+                walkExpr(c, info, events, typeContext);
+            return;
+        case 'IndexAccess':
+            walkExpr(node.base, info, events, typeContext);
+            walkExpr(node.index, info, events, typeContext);
+            return;
+        case 'IndexRangeAccess':
+            walkExpr(node.base, info, events, typeContext);
+            walkExpr(node.indexStart, info, events, typeContext);
+            walkExpr(node.indexEnd, info, events, typeContext);
+            return;
+        case 'MemberAccess':
+            walkExpr(node.expression, info, events, typeContext);
+            return;
+        case 'NameValueExpression':
+            walkExpr(node.expression, info, events, typeContext);
+            return;
+        case 'Conditional':
+            walkExpr(node.condition, info, events, typeContext);
+            walkExpr(node.trueExpression, info, events, typeContext);
+            walkExpr(node.falseExpression, info, events, typeContext);
+            return;
+        case 'NewExpression':
+            walkExpr(node.typeName, info, events, typeContext);
+            return;
+        default:
+            for (const c of childrenOf(node))
+                walkExpr(c, info, events, typeContext);
+    }
+}
+function transientTargetName(node, info) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'Identifier' && info.transientStateVars.has(String(node.name || ''))) {
+        return String(node.name);
+    }
+    if (node.type === 'MemberAccess' &&
+        node.expression?.type === 'Identifier' &&
+        node.expression.name === 'this' &&
+        info.transientStateVars.has(String(node.memberName || ''))) {
+        return String(node.memberName);
+    }
+    return null;
+}
+function gatherTransientUses(node, info, events) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (node.type === 'Identifier' && info.transientStateVars.has(String(node.name || ''))) {
+        events.push({ kind: 'tRequireUse', var: String(node.name), loc: locOf(node), node });
+        return;
+    }
+    for (const c of childrenOf(node))
+        gatherTransientUses(c, info, events);
+}
+function walkAssembly(node, events) {
+    if (!node || typeof node !== 'object')
+        return;
+    switch (node.type) {
+        case 'AssemblyBlock':
+            for (const s of node.operations || [])
+                walkAssembly(s, events);
+            return;
+        case 'AssemblyCall': {
+            const fname = String(node.functionName || '');
+            const args = node.arguments || [];
+            if (fname === 'tstore') {
+                const slot = assemblySlotKey(args[0]);
+                if (slot) {
+                    const isClear = isAssemblyZero(args[1]);
+                    events.push({ kind: 'tWrite', var: slot, isClear, loc: locOf(node), node });
+                }
+                for (const arg of args)
+                    walkAssembly(arg, events);
+                return;
+            }
+            if (fname === 'tload') {
+                const slot = assemblySlotKey(args[0]);
+                if (slot)
+                    events.push({ kind: 'tRead', var: slot, loc: locOf(node), node });
+                for (const arg of args)
+                    walkAssembly(arg, events);
+                return;
+            }
+            for (const arg of args)
+                walkAssembly(arg, events);
+            return;
+        }
+        case 'AssemblyAssignment':
+            walkAssembly(node.expression, events);
+            return;
+        case 'AssemblyLocalDefinition':
+            walkAssembly(node.expression, events);
+            return;
+        case 'AssemblyIf':
+            walkAssembly(node.condition, events);
+            walkAssembly(node.body, events);
+            return;
+        case 'AssemblyFor':
+            walkAssembly(node.pre, events);
+            walkAssembly(node.condition, events);
+            walkAssembly(node.body, events);
+            walkAssembly(node.post, events);
+            return;
+        case 'AssemblySwitch':
+            walkAssembly(node.expression, events);
+            for (const c of node.cases || [])
+                walkAssembly(c, events);
+            return;
+        case 'AssemblyCase':
+            walkAssembly(node.value, events);
+            walkAssembly(node.block, events);
+            return;
+        case 'AssemblyFunctionDefinition':
+            walkAssembly(node.body, events);
+            return;
+        default:
+            for (const c of childrenOf(node))
+                walkAssembly(c, events);
+    }
+}
+function assemblySlotKey(node) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (node.type === 'AssemblyCall' && (!Array.isArray(node.arguments) || node.arguments.length === 0)
+        && typeof node.functionName === 'string' && node.functionName.length > 0) {
+        return 'id:' + node.functionName;
+    }
+    if (node.type === 'HexNumber' && typeof node.value === 'string') {
+        try {
+            return 'lit:' + BigInt(node.value).toString();
+        }
+        catch {
+            return null;
+        }
+    }
+    if (node.type === 'DecimalNumber' && typeof node.value === 'string') {
+        try {
+            return 'lit:' + BigInt(node.value).toString();
+        }
+        catch {
+            return null;
+        }
+    }
+    if (node.type === 'Identifier' && typeof node.name === 'string')
+        return 'id:' + node.name;
+    return null;
+}
+function isAssemblyZero(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'HexNumber' || node.type === 'DecimalNumber') {
+        try {
+            return BigInt(node.value).toString() === '0';
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
+}
+function isFalseyLiteral(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (node.type === 'BooleanLiteral')
+        return node.value === false;
+    if (node.type === 'NumberLiteral') {
+        const raw = String(node.number ?? node.value ?? '').trim();
+        if (raw === '')
+            return false;
+        try {
+            return BigInt(raw).toString() === '0';
+        }
+        catch {
+            return /^0(x0+)?$/i.test(raw);
+        }
+    }
+    if (node.type === 'HexLiteral') {
+        const raw = String(node.value ?? '').trim();
+        return /^0x0+$/i.test(raw) || raw === '0';
+    }
+    if (node.type === 'StringLiteral')
+        return false;
+    // address(0), uint256(0), bytes32(0). The parser emits these casts as
+    // FunctionCall whose expression is either ElementaryTypeName or an
+    // Identifier whose name happens to be a built-in type token.
+    if (node.type === 'FunctionCall') {
+        const args = node.arguments || [];
+        if (args.length !== 1)
+            return false;
+        const callee = node.expression;
+        if (callee?.type === 'ElementaryTypeName')
+            return isFalseyLiteral(args[0]);
+        if (callee?.type === 'Identifier' && isBuiltinTypeName(String(callee.name || ''))) {
+            return isFalseyLiteral(args[0]);
+        }
+    }
+    return false;
+}
+function isBuiltinTypeName(name) {
+    if (!name)
+        return false;
+    if (name === 'address' || name === 'bool')
+        return true;
+    if (/^u?int(8|16|24|32|40|48|56|64|72|80|88|96|104|112|120|128|136|144|152|160|168|176|184|192|200|208|216|224|232|240|248|256)?$/.test(name))
+        return true;
+    if (/^bytes([1-9]|[12][0-9]|3[0-2])?$/.test(name))
+        return true;
+    return false;
+}
+function isExternalCallExpr(node, typeContext) {
+    if (!node || node.type !== 'FunctionCall')
+        return false;
+    let target = node.expression;
+    if (!target)
+        return false;
+    if (target.type === 'NameValueExpression')
+        target = target.expression;
+    if (target?.type !== 'MemberAccess')
+        return false;
+    const member = String(target.memberName || '');
+    if (LOW_LEVEL_CALL_MEMBERS.has(member))
+        return true;
+    if (INTERNAL_MEMBER_CALL_MEMBERS.has(member))
+        return false;
+    const base = target.expression;
+    if (!base)
+        return false;
+    if (base.type === 'Identifier' && BUILTIN_NAMESPACES.has(String(base.name || '')))
+        return false;
+    if (base.type === 'Identifier') {
+        const baseName = String(base.name || '');
+        const typeName = typeContext.variableTypes.get(baseName);
+        if (typeName) {
+            if (!typeContext.userDefinedVariables.has(baseName))
+                return false;
+            if (typeContext.internalOnlyTypes.has(typeName))
+                return false;
+            return true;
+        }
+        return true;
+    }
+    if (base.type === 'MemberAccess' || base.type === 'IndexAccess' || base.type === 'FunctionCall')
+        return true;
+    return false;
+}
+function typeNameToString(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return null;
+    if (typeName.type === 'ElementaryTypeName')
+        return normalizeTypeName(typeName.name);
+    if (typeName.type === 'UserDefinedTypeName')
+        return normalizeTypeName(typeName.namePath || typeName.name);
+    if (typeName.type === 'ArrayTypeName')
+        return typeNameToString(typeName.baseTypeName);
+    if (typeName.type === 'Mapping')
+        return 'mapping';
+    return null;
+}
+function isUserDefinedTypeName(typeName) {
+    if (!typeName || typeof typeName !== 'object')
+        return false;
+    if (typeName.type === 'UserDefinedTypeName')
+        return true;
+    if (typeName.type === 'ArrayTypeName')
+        return isUserDefinedTypeName(typeName.baseTypeName);
+    return false;
+}
+function normalizeTypeName(typeName) {
+    if (!typeName)
+        return null;
+    const last = String(typeName).split('.').pop() || '';
+    if (last === 'uint')
+        return 'uint256';
+    if (last === 'int')
+        return 'int256';
+    return last || null;
+}
+function hasReentrancyGuard(fn) {
+    for (const m of fn.modifiers || []) {
+        const name = modifierInvocationName(m).toLowerCase();
+        if (!name)
+            continue;
+        if (name === 'nonreentrant' || name.includes('reentrancyguard'))
+            return true;
+    }
+    return false;
+}
+function makeFinding(input) {
+    const loc = input.loc || { line: 0, column: 0 };
+    return {
+        file: input.file,
+        contract: input.contract,
+        'function': input.function,
+        line: loc.line,
+        endLine: loc.line,
+        column: loc.column,
+        pattern: RULE_ID,
+        confidence: 'high',
+        ruleId: RULE_ID,
+        severity: input.severity,
+        message: input.message,
+        rationale: input.rationale,
+        suggestedFix: input.suggestedFix,
+        contractName: input.contract,
+        functionName: input.function,
+        sourceLocation: { line: loc.line, column: loc.column },
+        findingId: '',
+        contractHash: '',
+    };
+}
+function locOf(node) {
+    const start = node?.loc?.start;
+    if (!start)
+        return null;
+    return { line: Number(start.line || 0), column: Number(start.column || 0) };
+}
+function childrenOf(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=unsafe-transient-storage.js.map