@snovon/solast 0.2.0

package/dist/detectors/v4-hook-reentrancy.js

@@ -0,0 +1,488 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.V4HookReentrancyDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'v4-hook-reentrancy';
+const V4_HOOKS = new Set([
+    'beforeSwap',
+    'afterSwap',
+    'beforeModifyPosition',
+    'afterModifyPosition',
+]);
+const POOL_MANAGER_ENTRYPOINTS = new Set([
+    'swap',
+    'modifyPosition',
+    'settle',
+    'take',
+    'mint',
+    'burn',
+    'donate',
+]);
+// Pinned to the canonical Uniswap V4 PoolManager accounting surface modeled by
+// this rule: Slot0-derived price/tick fields, global fee growth, liquidity, and tick state.
+const V4_POOL_STATE = new Set([
+    'slot0',
+    'Slot0',
+    'sqrtPriceX96',
+    'tick',
+    'protocolFee',
+    'lpFee',
+    'feeGrowthGlobal0X128',
+    'feeGrowthGlobal1X128',
+    'liquidity',
+    'ticks',
+    'tickBitmap',
+]);
+class V4HookReentrancyDetector {
+    findings = [];
+    currentFile = '';
+    scanAst(ast, file, sourceText) {
+        this.currentFile = file;
+        this.findings = [];
+        if (sourceText && !containsV4HookName(sourceText)) {
+            return [];
+        }
+        const contracts = collectContracts(ast);
+        const allFunctions = contracts.flatMap(contract => contract.functions);
+        const functionsByName = new Map();
+        for (const fn of allFunctions) {
+            const bucket = functionsByName.get(fn.name) || [];
+            bucket.push(fn);
+            functionsByName.set(fn.name, bucket);
+        }
+        for (const contract of contracts) {
+            const hooks = contract.functions.filter(fn => V4_HOOKS.has(fn.name));
+            for (const hook of hooks) {
+                if (!isReentrancyGuarded(hook)) {
+                    for (const call of hook.poolManagerCalls) {
+                        this.findings.push(this.reentrancyFinding(hook, call, 'direct-reentrancy', `${hook.name} -> ${call.edge}`));
+                    }
+                    for (const call of hook.externalCalls) {
+                        if (hook.poolManagerCalls.some(poolCall => poolCall.line === call.line && poolCall.column === call.column)) {
+                            continue;
+                        }
+                        for (const target of functionsByName.get(call.member) || []) {
+                            for (const nested of target.poolManagerCalls) {
+                                this.findings.push(this.reentrancyFinding(hook, call, 'indirect-reentrancy', `${hook.name} -> ${call.edge} -> ${nested.edge}`, nested));
+                            }
+                        }
+                    }
+                }
+                const reportedState = new Set();
+                for (const write of hook.stateWrites.filter(access => V4_POOL_STATE.has(access.variable))) {
+                    if (reportedState.has(write.variable))
+                        continue;
+                    reportedState.add(write.variable);
+                    const laterRead = findRelatedHookRead(hooks, hook, write.variable);
+                    this.findings.push(this.stateManipulationFinding(hook, write, laterRead));
+                }
+            }
+        }
+        return this.findings.map(finding => sourceText ? { ...finding, source: sourceText } : finding);
+    }
+    getFindings() {
+        return this.findings;
+    }
+    reentrancyFinding(hook, call, classification, trace, nested) {
+        const poolEdge = nested || call;
+        return {
+            file: this.currentFile,
+            contract: hook.contractName,
+            'function': hook.name,
+            line: call.line,
+            column: call.column,
+            endLine: call.line,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'error',
+            message: `Uniswap V4 hook ${hook.name} can re-enter PoolManager via ${poolEdge.edge}.`,
+            contractName: hook.contractName,
+            functionName: hook.name,
+            sourceLocation: { line: call.line, column: call.column },
+            externalCallNode: { callbackEdge: `${hook.name} -> ${poolEdge.edge}`, classification },
+            trace,
+            rationale: 'V4 hook callbacks execute inside PoolManager state transitions; re-entering PoolManager from the callback can observe or mutate partially updated pool state.',
+            suggestedFix: 'Add a reentrancy guard to the V4 hook callback or move PoolManager interactions out of the hook callback.',
+            classification,
+            callbackEdge: `${hook.name} -> ${poolEdge.edge}`,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    stateManipulationFinding(hook, write, relatedRead) {
+        const trace = relatedRead
+            ? `${hook.name} writes ${write.variable} -> ${relatedRead.name} reads ${write.variable}`
+            : `${hook.name} writes ${write.variable}`;
+        return {
+            file: this.currentFile,
+            contract: hook.contractName,
+            'function': hook.name,
+            line: write.line,
+            column: write.column,
+            endLine: write.line,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'error',
+            message: `Uniswap V4 hook ${hook.name} mutates modeled pool state '${write.variable}' across the callback boundary.`,
+            contractName: hook.contractName,
+            functionName: hook.name,
+            sourceLocation: { line: write.line, column: write.column },
+            stateMutationNode: { stateVariable: write.variable, classification: 'state-manipulation' },
+            trace,
+            rationale: 'The modeled V4 pool state field is consumed by swap or modify-position accounting after hook callbacks return.',
+            suggestedFix: 'Do not mutate PoolManager accounting state from hook callbacks; keep hook-local accounting separate and validate effects after the PoolManager transition.',
+            classification: 'state-manipulation',
+            stateVariable: write.variable,
+            findingId: '',
+            contractHash: '',
+        };
+    }
+}
+exports.V4HookReentrancyDetector = V4HookReentrancyDetector;
+function containsV4HookName(sourceText) {
+    return /\b(beforeSwap|afterSwap|beforeModifyPosition|afterModifyPosition)\b/.test(sourceText);
+}
+function collectContracts(ast) {
+    const contracts = [];
+    for (const node of ast?.children || ast?.subNodes || []) {
+        if (node?.type !== 'ContractDefinition')
+            continue;
+        const contract = {
+            name: node.name || '<anonymous>',
+            stateVariables: new Set(),
+            stateVariableTypes: new Map(),
+            functions: [],
+        };
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type !== 'StateVariableDeclaration')
+                continue;
+            for (const variable of subNode.variables || []) {
+                if (!variable?.name)
+                    continue;
+                contract.stateVariables.add(variable.name);
+                contract.stateVariableTypes.set(variable.name, typeNameToString(variable.typeName));
+            }
+        }
+        for (const subNode of node.subNodes || []) {
+            if (subNode?.type === 'FunctionDefinition') {
+                contract.functions.push(summarizeFunction(subNode, contract));
+            }
+        }
+        contracts.push(contract);
+    }
+    return contracts;
+}
+function summarizeFunction(node, contract) {
+    const loc = (0, ast_1.tryLoc)(node) ?? { line: 0, endLine: 0, column: 0 };
+    const summary = {
+        contractName: contract.name,
+        name: node.name || '',
+        visibility: node.visibility || '',
+        stateMutability: node.stateMutability || '',
+        modifiers: getModifiers(node),
+        line: loc.line,
+        column: loc.column,
+        body: node.body,
+        parameters: collectParameters(node),
+        localTypes: new Map(),
+        poolManagerCalls: [],
+        externalCalls: [],
+        stateReads: [],
+        stateWrites: [],
+    };
+    visitStatement(node.body, summary, contract);
+    return summary;
+}
+function collectParameters(node) {
+    const params = new Map();
+    for (const param of node.parameters || []) {
+        if (param?.name)
+            params.set(param.name, typeNameToString(param.typeName));
+    }
+    return params;
+}
+function visitStatement(statement, summary, contract) {
+    if (!statement || typeof statement !== 'object')
+        return;
+    if (statement.type === 'VariableDeclarationStatement') {
+        for (const variable of statement.variables || []) {
+            if (variable?.name)
+                summary.localTypes.set(variable.name, typeNameToString(variable.typeName));
+        }
+        visitExpression(statement.initialValue, summary, contract, statement);
+        return;
+    }
+    if (statement.type === 'ExpressionStatement') {
+        visitExpression(statement.expression, summary, contract, statement);
+        return;
+    }
+    if (statement.type === 'ReturnStatement') {
+        visitExpression(statement.expression, summary, contract, statement);
+        return;
+    }
+    if (statement.type === 'IfStatement') {
+        visitExpression(statement.condition, summary, contract, statement);
+        visitStatement(statement.trueBody, summary, contract);
+        visitStatement(statement.falseBody, summary, contract);
+        return;
+    }
+    if (statement.type === 'Block') {
+        for (const child of statement.statements || [])
+            visitStatement(child, summary, contract);
+        return;
+    }
+    traverseChildren(statement, child => {
+        if (child?.type && String(child.type).endsWith('Statement'))
+            visitStatement(child, summary, contract);
+    });
+}
+function visitExpression(expr, summary, contract, fallbackNode) {
+    if (!expr || typeof expr !== 'object')
+        return;
+    if (expr.type === 'FunctionCall') {
+        const call = getMemberCall(expr, summary, fallbackNode);
+        if (call && !isAbiOrSelectorCall(call)) {
+            if (POOL_MANAGER_ENTRYPOINTS.has(call.member) && isPoolManagerReceiver(call.receiver, summary, contract)) {
+                summary.poolManagerCalls.push(call);
+            }
+            if (!POOL_MANAGER_ENTRYPOINTS.has(call.member) || !isPoolManagerReceiver(call.receiver, summary, contract)) {
+                summary.externalCalls.push(call);
+            }
+            else {
+                summary.externalCalls.push(call);
+            }
+        }
+    }
+    if (expr.type === 'BinaryOperation' && isAssignmentOperator(expr.operator)) {
+        if (expr.operator !== '=')
+            recordStateAccess(expr.left, 'read', summary, contract, fallbackNode);
+        visitExpression(expr.right, summary, contract, fallbackNode);
+        recordStateAccess(expr.left, 'write', summary, contract, fallbackNode);
+        return;
+    }
+    if (expr.type === 'UnaryOperation' && (expr.operator === '++' || expr.operator === '--')) {
+        recordStateAccess(expr.subExpression, 'write', summary, contract, fallbackNode);
+        return;
+    }
+    const slot = resolveStateVariable(expr, summary, contract);
+    if (slot) {
+        const loc = (0, ast_1.tryLoc)(expr, fallbackNode) ?? { line: 0, endLine: 0, column: 0 };
+        summary.stateReads.push({
+            variable: slot,
+            line: loc.line,
+            column: loc.column,
+        });
+    }
+    for (const child of expressionChildren(expr))
+        visitExpression(child, summary, contract, fallbackNode);
+}
+function recordStateAccess(expr, kind, summary, contract, fallbackNode) {
+    const slot = resolveStateVariable(expr, summary, contract);
+    if (!slot) {
+        visitExpression(expr, summary, contract, fallbackNode);
+        return;
+    }
+    const loc = (0, ast_1.tryLoc)(expr, fallbackNode) ?? { line: 0, endLine: 0, column: 0 };
+    const access = {
+        variable: slot,
+        line: loc.line,
+        column: loc.column,
+    };
+    if (kind === 'write')
+        summary.stateWrites.push(access);
+    else
+        summary.stateReads.push(access);
+}
+function getMemberCall(expr, summary, fallbackNode) {
+    let callee = expr.expression;
+    if (callee?.type === 'NameValueExpression')
+        callee = callee.expression;
+    if (callee?.type !== 'MemberAccess')
+        return null;
+    const member = String(callee.memberName || '');
+    const receiver = expressionToString(callee.expression);
+    if (!member || !receiver)
+        return null;
+    const loc = (0, ast_1.tryLoc)(expr, fallbackNode);
+    return {
+        receiver,
+        member,
+        line: loc?.line ?? summary.line,
+        column: loc?.column ?? summary.column,
+        edge: `${receiver}.${member}`,
+    };
+}
+function isAbiOrSelectorCall(call) {
+    const member = call.member.toLowerCase();
+    return call.receiver === 'abi' ||
+        member === 'encode' ||
+        member === 'encodewithsignature' ||
+        member === 'encodewithselector' ||
+        member === 'decode' ||
+        member === 'selector';
+}
+function isPoolManagerReceiver(receiver, summary, contract) {
+    const root = receiver.split(/[.[(]/)[0];
+    if (!root)
+        return false;
+    if (root.toLowerCase().includes('poolmanager'))
+        return true;
+    const type = summary.parameters.get(root) || summary.localTypes.get(root) || contract.stateVariableTypes.get(root) || '';
+    return /(^|\.|I)PoolManager\b/.test(type) || type.toLowerCase().includes('poolmanager');
+}
+function resolveStateVariable(expr, summary, contract) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'Identifier') {
+        return contract.stateVariables.has(expr.name) && !summary.localTypes.has(expr.name) && !summary.parameters.has(expr.name)
+            ? expr.name
+            : null;
+    }
+    if (expr.type === 'IndexAccess')
+        return resolveStateVariable(expr.base, summary, contract);
+    if (expr.type === 'MemberAccess') {
+        if (expr.expression?.type === 'Identifier' && expr.expression.name === 'this') {
+            return contract.stateVariables.has(expr.memberName) ? expr.memberName : null;
+        }
+        return resolveStateVariable(expr.expression, summary, contract);
+    }
+    return null;
+}
+function findRelatedHookRead(hooks, writer, variable) {
+    return hooks.find(fn => fn !== writer && fn.stateReads.some(read => read.variable === variable));
+}
+function isReentrancyGuarded(fn) {
+    if (fn.modifiers.some(isReentrancyGuardName))
+        return true;
+    return hasLockPattern(fn.body);
+}
+function isReentrancyGuardName(name) {
+    const lower = name.toLowerCase();
+    return lower === 'nonreentrant' || lower === 'nonreentrantview' || lower.includes('reentrancyguard');
+}
+function hasLockPattern(body) {
+    let sawRequireLocked = false;
+    let sawLockSet = false;
+    traverseAll(body, node => {
+        if (node?.type === 'FunctionCall') {
+            const callee = node.expression;
+            if (callee?.type === 'Identifier' && (callee.name === 'require' || callee.name === 'assert')) {
+                const rendered = (node.arguments || []).map(expressionToString).join(' ');
+                if (/!?\s*locked|!?\s*entered|status|_status|_entered/i.test(rendered))
+                    sawRequireLocked = true;
+            }
+        }
+        if (node?.type === 'BinaryOperation' && isAssignmentOperator(node.operator)) {
+            const left = expressionToString(node.left).toLowerCase();
+            const right = expressionToString(node.right).toLowerCase();
+            if (/(locked|entered|status)/.test(left) && /(true|entered|2|1)/.test(right))
+                sawLockSet = true;
+        }
+    });
+    return sawRequireLocked && sawLockSet;
+}
+function expressionToString(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if (expr.type === 'Identifier')
+        return expr.name || '';
+    if (expr.type === 'MemberAccess') {
+        const base = expressionToString(expr.expression);
+        return base ? `${base}.${expr.memberName || ''}` : expr.memberName || '';
+    }
+    if (expr.type === 'IndexAccess')
+        return expressionToString(expr.base);
+    if (expr.type === 'BooleanLiteral')
+        return String(expr.value);
+    if (expr.type === 'NumberLiteral')
+        return String(expr.number || expr.value || '');
+    if (expr.type === 'UnaryOperation')
+        return `${expr.operator || ''}${expressionToString(expr.subExpression)}`;
+    if (expr.type === 'BinaryOperation')
+        return `${expressionToString(expr.left)} ${expr.operator || ''} ${expressionToString(expr.right)}`;
+    if (expr.name)
+        return String(expr.name);
+    return '';
+}
+function typeNameToString(typeName) {
+    if (!typeName)
+        return '';
+    if (typeof typeName === 'string')
+        return typeName;
+    if (typeName.name)
+        return typeNameToString(typeName.name);
+    if (typeName.type === 'UserDefinedTypeName')
+        return typeName.namePath || typeName.name || '';
+    if (typeName.type === 'ElementaryTypeName')
+        return typeName.name || '';
+    if (typeName.type === 'Mapping')
+        return 'mapping';
+    if (typeName.baseTypeName)
+        return typeNameToString(typeName.baseTypeName);
+    if (typeName.typeName)
+        return typeNameToString(typeName.typeName);
+    return '';
+}
+function getModifiers(node) {
+    return (node.modifiers || [])
+        .map((modifier) => {
+        if (typeof modifier === 'string')
+            return modifier;
+        if (modifier.name)
+            return typeof modifier.name === 'string' ? modifier.name : modifier.name.name;
+        if (modifier.type === 'Identifier')
+            return modifier.name;
+        return '';
+    })
+        .filter(Boolean);
+}
+function isAssignmentOperator(operator) {
+    return ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(operator);
+}
+function expressionChildren(expr) {
+    const children = [];
+    for (const key of ['expression', 'left', 'right', 'subExpression', 'base', 'index', 'initialValue', 'arguments', 'components']) {
+        const value = expr[key];
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function traverseChildren(node, callback) {
+    if (!node || typeof node !== 'object')
+        return;
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'parent' || key === 'scope' || key === 'loc')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    callback(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            callback(value);
+        }
+    }
+}
+function traverseAll(node, callback, seen = new Set()) {
+    if (!node || typeof node !== 'object' || seen.has(node))
+        return;
+    seen.add(node);
+    traverseChildren(node, child => {
+        if (child && typeof child === 'object' && !seen.has(child)) {
+            callback(child);
+            traverseAll(child, callback, seen);
+        }
+    });
+}
+//# sourceMappingURL=v4-hook-reentrancy.js.map

package/dist/detectors/vault-inflation-rounding.d.ts

@@ -0,0 +1,23 @@
+import type { ScanResult } from '../index';
+export declare class VaultInflationRoundingDetector {
+    readonly id = "vault-inflation-rounding";
+    readonly patternKey = "vault-inflation-rounding";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private currentContract;
+    private contractHasDeadShares;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    private makeFinding;
+}