@snovon/solast 0.2.0

package/dist/detectors/arbitrum-cross-chain-message-replay.js

@@ -0,0 +1,477 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArbitrumCrossChainMessageReplayDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'arbitrum-cross-chain-message-replay';
+const PROVENANCE = 'x-20260514-arbitrum-cross-chain-message-replay';
+const ARBITRUM_TYPE_RE = /^(I)?(ArbSys|Inbox|Outbox|Bridge|L1Inbox|L2GatewayRouter|L1GatewayRouter)$/;
+const HANDLER_NAME_RE = /^(executeTransaction|redeemMessage|handleL1Message|finalizeInboundTransfer|finalizeOutboundTransfer|outboundTransfer)$/i;
+const ROUTER_GATEWAY_RE = /^(finalizeInboundTransfer|finalizeOutboundTransfer|outboundTransfer)$/i;
+const LOW_LEVEL_MEMBERS = new Set(['call', 'delegatecall', 'staticcall', 'send', 'transfer']);
+const ASSIGNMENT_OPS = new Set(['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=']);
+const NONCE_LIKE_RE = /(nonce|messagehash|msghash|messageid|msgid|^id$|index)/i;
+const PAYLOAD_LIKE_RE = /(data|payload|calldata|message)/i;
+const TARGET_LIKE_RE = /(target|destination|receiver|recipient|^to$)/i;
+const SENDER_LIKE_RE = /(sender|from|l1sender|l2sender)/i;
+const VALUE_LIKE_RE = /(value|amount|block|timestamp|deadline)/i;
+class ArbitrumCrossChainMessageReplayDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Arbitrum bridge message handler executes a relayed payload without nonce or processed-message replay protection.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    findings = [];
+    contract = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contract = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        const stateVars = collectStateVars(node);
+        this.contract = {
+            name: node?.name || '<anonymous>',
+            node,
+            stateVars,
+            arbitrumVars: collectArbitrumVars(node),
+        };
+    }
+    ContractDefinition_post(_node) {
+        this.contract = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition_post(node) {
+        if (!this.contract || !node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        if (!hasRelayedExternalCall(node.body))
+            return;
+        if (isRouterEnforcedGateway(node))
+            return;
+        const hasArbitrumContext = hasArbitrumSenderBinding(node.body, this.contract.arbitrumVars)
+            || (this.contract.arbitrumVars.size > 0 && HANDLER_NAME_RE.test(String(node.name || '')));
+        if (!hasArbitrumContext)
+            return;
+        const decision = replayDecision(node, this.contract.stateVars);
+        if (!decision)
+            return;
+        const loc = locOf(node);
+        const functionName = node.name || '<fallback>';
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.contract.name,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine || loc.line,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Arbitrum cross-chain message handler '${this.contract.name}.${functionName}' executes a relayed payload without sufficient destination-side replay protection: ${decision}.`,
+            rationale: 'Arbitrum bridge messages can be replayed at the application layer unless the destination handler consumes a unique message hash or enforces strict nonce ordering before dispatching the payload.',
+            suggestedFix: 'Check and consume a message id/hash or strictly monotonic nonce before the first payload execution, or route execution through a canonical router that owns replay protection.',
+            contractName: this.contract.name,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            provenance: PROVENANCE,
+            source: PROVENANCE,
+        });
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+}
+exports.ArbitrumCrossChainMessageReplayDetector = ArbitrumCrossChainMessageReplayDetector;
+function replayDecision(fn, stateVars) {
+    const derivations = collectLocalDerivations(fn.body);
+    const paramNames = new Set(collectParameters(fn).map(name => name.toLowerCase()));
+    const events = collectEvents(fn.body, stateVars);
+    const firstExternalCall = events.findIndex(event => event.kind === 'external-call');
+    if (firstExternalCall === -1)
+        return null;
+    const beforeExternal = events.slice(0, firstExternalCall);
+    const hasGoodCheck = beforeExternal.some(event => event.kind === 'processed-check' && isReplayKey(event.key, derivations, paramNames));
+    const hasGoodMark = beforeExternal.some(event => event.kind === 'processed-mark' && isReplayKey(event.key, derivations, paramNames));
+    if (hasGoodCheck && hasGoodMark)
+        return null;
+    const hasNonceCheck = beforeExternal.some(event => event.kind === 'nonce-check');
+    const hasNonceMark = beforeExternal.some(event => event.kind === 'nonce-mark');
+    if (hasNonceCheck && hasNonceMark)
+        return null;
+    const hasAnyCheck = events.some(event => event.kind === 'processed-check' || event.kind === 'nonce-check');
+    const hasAnyMark = events.some(event => event.kind === 'processed-mark' || event.kind === 'nonce-mark');
+    if (hasAnyCheck && hasAnyMark && !hasGoodMark && events.some((event, index) => event.kind === 'processed-mark' && index > firstExternalCall)) {
+        return 'replay-mark-occurs-after-payload-execution';
+    }
+    if (hasAnyCheck || hasAnyMark)
+        return 'replay-key-not-bound-to-unique-message-or-nonce';
+    return 'no-nonce-or-processed-message-guard';
+}
+function collectStateVars(contract) {
+    const vars = new Set();
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of sub.variables || []) {
+            if (variable?.name)
+                vars.add(String(variable.name));
+        }
+    }
+    return vars;
+}
+function collectArbitrumVars(contract) {
+    const vars = new Set();
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'StateVariableDeclaration'))
+            continue;
+        for (const variable of sub.variables || []) {
+            if (!variable?.name)
+                continue;
+            if (isArbitrumType(variable.typeName) || isArbSysPrecompile(variable.expression)) {
+                vars.add(String(variable.name));
+            }
+        }
+    }
+    return vars;
+}
+function isArbitrumType(typeName) {
+    const name = String(typeName?.namePath || typeName?.name || '');
+    return ARBITRUM_TYPE_RE.test(name);
+}
+function isArbSysPrecompile(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if ((0, ast_1.isNode)(child, 'NumberLiteral') && String(child.number || child.value || '') === '100')
+            found = true;
+    });
+    return found;
+}
+function isExternallyCallable(fn) {
+    if (!(0, ast_1.isNode)(fn, 'FunctionDefinition'))
+        return false;
+    if (!fn.body)
+        return false;
+    if (fn.isConstructor || fn.kind === 'constructor')
+        return false;
+    if (fn.isFallback || fn.kind === 'fallback' || fn.kind === 'receive')
+        return false;
+    return fn.visibility === 'public' || fn.visibility === 'external';
+}
+function hasRelayedExternalCall(body) {
+    let found = false;
+    walk(body, node => {
+        if (!found && isLowLevelCall(node))
+            found = true;
+    });
+    return found;
+}
+function hasArbitrumSenderBinding(body, arbitrumVars) {
+    let found = false;
+    walk(body, node => {
+        if (found || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return;
+        const op = String(node.operator || '');
+        if (op !== '==' && op !== '!=')
+            return;
+        if (!referencesMsgSender(node))
+            return;
+        if (referencesAnyIdentifier(node, arbitrumVars) || referencesArbSysAddress(node))
+            found = true;
+    });
+    return found;
+}
+function referencesArbSysAddress(node) {
+    let found = false;
+    walk(node, child => {
+        if (found)
+            return;
+        if ((0, ast_1.isNode)(child, 'NumberLiteral') && String(child.number || child.value || '') === '100')
+            found = true;
+    });
+    return found;
+}
+function referencesMsgSender(node) {
+    let found = false;
+    walk(node, child => {
+        if (found || !(0, ast_1.isNode)(child, 'MemberAccess'))
+            return;
+        if (String(child.memberName || '') === 'sender' && (0, ast_1.isNode)(child.expression, 'Identifier') && child.expression.name === 'msg') {
+            found = true;
+        }
+    });
+    return found;
+}
+function referencesAnyIdentifier(node, names) {
+    let found = false;
+    walk(node, child => {
+        if (!found && (0, ast_1.isNode)(child, 'Identifier') && names.has(String(child.name || '')))
+            found = true;
+    });
+    return found;
+}
+function isRouterEnforcedGateway(fn) {
+    if (!ROUTER_GATEWAY_RE.test(String(fn.name || '')))
+        return false;
+    for (const modifier of fn.modifiers || []) {
+        const name = String(modifier?.name || modifier?.modifierName?.name || '');
+        if (/router/i.test(name))
+            return true;
+    }
+    let found = false;
+    walk(fn.body, node => {
+        if (found || !(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return;
+        const op = String(node.operator || '');
+        if (op !== '==' && op !== '!=')
+            return;
+        if (referencesMsgSender(node) && referencesIdentifierMatching(node, /router/i))
+            found = true;
+    });
+    return found;
+}
+function referencesIdentifierMatching(node, pattern) {
+    let found = false;
+    walk(node, child => {
+        if (!found && (0, ast_1.isNode)(child, 'Identifier') && pattern.test(String(child.name || '')))
+            found = true;
+    });
+    return found;
+}
+function collectEvents(body, stateVars) {
+    const events = [];
+    walk(body, node => {
+        if (isLowLevelCall(node)) {
+            events.push({ kind: 'external-call', node });
+            return;
+        }
+        if (isRequireCall(node)) {
+            const condition = node.arguments?.[0];
+            const key = processedCheckKey(condition, stateVars);
+            if (key)
+                events.push({ kind: 'processed-check', key, node });
+            if (isNonceOrderingCheck(condition, stateVars))
+                events.push({ kind: 'nonce-check', node });
+            return;
+        }
+        if (isAssignment(node)) {
+            const key = processedMarkKey(node.left, node.right, stateVars);
+            if (key)
+                events.push({ kind: 'processed-mark', key, node });
+            if (isNonceStateUpdate(node, stateVars))
+                events.push({ kind: 'nonce-mark', node });
+        }
+    });
+    return events;
+}
+function isRequireCall(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall')
+        && (0, ast_1.isNode)(node.expression, 'Identifier')
+        && (node.expression.name === 'require' || node.expression.name === 'assert');
+}
+function isAssignment(node) {
+    return (0, ast_1.isNode)(node, 'BinaryOperation') && ASSIGNMENT_OPS.has(String(node.operator || ''));
+}
+function processedCheckKey(condition, stateVars) {
+    if (!condition)
+        return null;
+    if ((0, ast_1.isNode)(condition, 'UnaryOperation') && condition.operator === '!') {
+        return indexAccessKey(condition.subExpression, stateVars);
+    }
+    if ((0, ast_1.isNode)(condition, 'BinaryOperation')) {
+        const op = String(condition.operator || '');
+        if (op === '==' || op === '!=') {
+            return indexAccessKey(condition.left, stateVars) || indexAccessKey(condition.right, stateVars);
+        }
+    }
+    return null;
+}
+function processedMarkKey(left, right, stateVars) {
+    if (!isBooleanTrue(right))
+        return null;
+    return indexAccessKey(left, stateVars);
+}
+function indexAccessKey(node, stateVars) {
+    if (!(0, ast_1.isNode)(node, 'IndexAccess'))
+        return null;
+    const base = node.base || node.expression;
+    if (!base)
+        return null;
+    const baseName = rootIdentifierName(base);
+    if (!baseName)
+        return null;
+    if (!stateVars.has(baseName) && !/(processed|consumed|executed|spent|seen|replay)/i.test(baseName))
+        return null;
+    return node.index || node.indexExpression;
+}
+function isBooleanTrue(node) {
+    return (0, ast_1.isNode)(node, 'BooleanLiteral') ? node.value === true : String(node?.name || '') === 'true';
+}
+function isNonceOrderingCheck(condition, stateVars) {
+    if (!(0, ast_1.isNode)(condition, 'BinaryOperation'))
+        return false;
+    const op = String(condition.operator || '');
+    if (op !== '==' && op !== '<=' && op !== '<')
+        return false;
+    return hasNonceLikeIdentifier(condition) && referencesStateNonce(condition, stateVars);
+}
+function isNonceStateUpdate(node, stateVars) {
+    if (!isAssignment(node))
+        return false;
+    const leftName = rootIdentifierName(node.left);
+    if (!leftName || !stateVars.has(leftName) || !/nonce|next|sequence|order/i.test(leftName))
+        return false;
+    return hasNonceLikeIdentifier(node.right);
+}
+function hasNonceLikeIdentifier(node) {
+    let found = false;
+    walk(node, child => {
+        if (!found && (0, ast_1.isNode)(child, 'Identifier') && NONCE_LIKE_RE.test(String(child.name || '')))
+            found = true;
+    });
+    return found;
+}
+function referencesStateNonce(node, stateVars) {
+    let found = false;
+    walk(node, child => {
+        const name = (0, ast_1.isNode)(child, 'Identifier') ? String(child.name || '') : '';
+        if (!found && stateVars.has(name) && /nonce|next|sequence|order/i.test(name))
+            found = true;
+    });
+    return found;
+}
+function collectLocalDerivations(body) {
+    const derivations = new Map();
+    walk(body, node => {
+        if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement') || !node.initialValue)
+            return;
+        for (const variable of node.variables || []) {
+            if (variable?.name)
+                derivations.set(String(variable.name).toLowerCase(), node.initialValue);
+        }
+    });
+    return derivations;
+}
+function collectParameters(fn) {
+    const out = [];
+    for (const param of fn.parameters || []) {
+        if (param?.name)
+            out.push(String(param.name));
+    }
+    return out;
+}
+function isReplayKey(key, derivations, paramNames, seen = new Set()) {
+    const quality = replayKeyQuality(key, derivations, paramNames, seen);
+    if (quality.nonceLike)
+        return true;
+    const categories = [quality.payloadLike, quality.targetLike, quality.senderLike, quality.valueLike].filter(Boolean).length;
+    return categories >= 2 && (quality.payloadLike || quality.targetLike);
+}
+function replayKeyQuality(key, derivations, paramNames, seen) {
+    const quality = {
+        nonceLike: false,
+        payloadLike: false,
+        targetLike: false,
+        senderLike: false,
+        valueLike: false,
+    };
+    walk(key, node => {
+        if (!(0, ast_1.isNode)(node, 'Identifier'))
+            return;
+        const name = String(node.name || '');
+        const lower = name.toLowerCase();
+        if (NONCE_LIKE_RE.test(name))
+            quality.nonceLike = true;
+        if (PAYLOAD_LIKE_RE.test(name))
+            quality.payloadLike = true;
+        if (TARGET_LIKE_RE.test(name))
+            quality.targetLike = true;
+        if (SENDER_LIKE_RE.test(name))
+            quality.senderLike = true;
+        if (VALUE_LIKE_RE.test(name))
+            quality.valueLike = true;
+        const derived = derivations.get(lower);
+        if (!derived || seen.has(lower))
+            return;
+        seen.add(lower);
+        const nested = replayKeyQuality(derived, derivations, paramNames, seen);
+        quality.nonceLike ||= nested.nonceLike;
+        quality.payloadLike ||= nested.payloadLike;
+        quality.targetLike ||= nested.targetLike;
+        quality.senderLike ||= nested.senderLike;
+        quality.valueLike ||= nested.valueLike;
+    });
+    if ((0, ast_1.isNode)(key, 'Identifier') && paramNames.has(String(key.name || '').toLowerCase()) && NONCE_LIKE_RE.test(String(key.name || ''))) {
+        quality.nonceLike = true;
+    }
+    return quality;
+}
+function isLowLevelCall(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const expression = unwrapFunctionCallOptions(node.expression);
+    return (0, ast_1.isNode)(expression, 'MemberAccess') && LOW_LEVEL_MEMBERS.has(String(expression.memberName || ''));
+}
+function unwrapFunctionCallOptions(node) {
+    if ((0, ast_1.isNode)(node, 'NameValueExpression'))
+        return node.expression;
+    return (0, ast_1.isNode)(node, 'FunctionCallOptions') ? node.expression : node;
+}
+function rootIdentifierName(node) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '');
+    if ((0, ast_1.isNode)(node, 'MemberAccess'))
+        return rootIdentifierName(node.expression);
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return rootIdentifierName(node.base || node.expression);
+    return '';
+}
+function locOf(node) {
+    const loc = (0, ast_1.tryLoc)(node);
+    return loc ? { line: loc.line, column: loc.column, endLine: loc.endLine, endColumn: loc.endColumn } : { line: 1, column: 0 };
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const child of childNodes(node))
+        walk(child, visit);
+}
+function childNodes(node) {
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'comments')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    out.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=arbitrum-cross-chain-message-replay.js.map

package/dist/detectors/avs-slashing-without-quorum-check.d.ts

@@ -0,0 +1,50 @@
+import type { ScanResult } from '../index';
+export declare class AvsSlashingWithoutQuorumCheckDetector {
+    readonly id = "avs-slashing-without-quorum-check";
+    readonly patternKey = "avs-slashing-without-quorum-check";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private contractStack;
+    private executableContract;
+    private executableStack;
+    private stateVars;
+    private stateVarStack;
+    private fileStateVars;
+    private findings;
+    private fn;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    ['IfStatement:exit'](_node: any): void;
+    ForStatement(_node: any): void;
+    ['ForStatement:exit'](_node: any): void;
+    WhileStatement(_node: any): void;
+    ['WhileStatement:exit'](_node: any): void;
+    DoWhileStatement(_node: any): void;
+    ['DoWhileStatement:exit'](_node: any): void;
+    TryStatement(_node: any): void;
+    ['TryStatement:exit'](_node: any): void;
+    BinaryOperation(node: any): void;
+    UnaryOperation(node: any): void;
+    private isActiveCandidate;
+    private maybeEmitForMutation;
+    private isTerminatingStatement;
+    private isQuorumCondition;
+    private isThresholdSide;
+}