@snovon/solast 0.2.0

package/dist/detectors/balancer-flash-loan-manipulation.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BalancerFlashLoanManipulationDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'balancer-flash-loan-manipulation';
+const FLASH_LOAN_METHODS = new Set(['flashloan', 'flashloansimple']);
+const FLASH_LOAN_CALLBACKS = new Set(['receiveflashloan', 'onflashloan']);
+const POOL_MUTATION_METHODS = new Set(['joinpool', 'exitpool']);
+const DISTORTION_METHODS = new Set(['swap', 'batchswap', 'manageuserbalance']);
+const STANDALONE_DISTORTION_METHODS = new Set(['batchswap']);
+const SPOT_CONSUMPTION_METHODS = new Set([
+    'spotprice',
+    'getspotprice',
+    'getpooltokens',
+    'getpooltokeninfo',
+    'getbalance',
+]);
+class BalancerFlashLoanManipulationDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Balancer weighted-pool flash-loan manipulation before spot-price consumption.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags same-function flash-loan or Balancer callback flows that mutate a Balancer weighted pool, distort balances with a swap or internal-balance operation, and then consume a spot-style price or balance read.',
+    };
+    currentFile = '';
+    currentContract = '';
+    currentFunction = '';
+    currentFunctionNode = null;
+    findings = [];
+    order = 0;
+    hasFlashContext = false;
+    poolMutations = [];
+    distortions = [];
+    spotConsumptions = [];
+    emittedFunctions = new Set();
+    setFile(file) {
+        this.currentFile = file;
+        this.currentContract = '';
+        this.findings = [];
+        this.emittedFunctions.clear();
+        this.resetFunctionState();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.currentContract = node.name || '<anonymous>';
+    }
+    ContractDefinition_post(_node) {
+        this.currentContract = '';
+    }
+    FunctionDefinition(node) {
+        this.resetFunctionState();
+        this.currentFunction = node.name || '<anonymous>';
+        this.currentFunctionNode = node;
+        this.hasFlashContext = FLASH_LOAN_CALLBACKS.has(this.currentFunction.toLowerCase());
+    }
+    FunctionDefinition_post(_node) {
+        this.emitIfManipulationSequenceExists();
+        this.resetFunctionState();
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction)
+            return;
+        const callee = unwrapCallOptions(node.expression);
+        if (!callee || (callee.type ?? callee.nodeType) !== 'MemberAccess')
+            return;
+        const memberName = String(callee.memberName || '').toLowerCase();
+        const order = ++this.order;
+        if (FLASH_LOAN_METHODS.has(memberName)) {
+            this.hasFlashContext = true;
+        }
+        if (POOL_MUTATION_METHODS.has(memberName) && hasMinArgs(node, 3)) {
+            this.poolMutations.push({ order, node });
+        }
+        if (DISTORTION_METHODS.has(memberName)) {
+            this.distortions.push({ order, node });
+            if (STANDALONE_DISTORTION_METHODS.has(memberName)) {
+                this.poolMutations.push({ order, node });
+            }
+        }
+        if (isSpotConsumption(memberName)) {
+            this.spotConsumptions.push({ order, node });
+        }
+    }
+    emitIfManipulationSequenceExists() {
+        if (!this.hasFlashContext)
+            return;
+        if (this.poolMutations.length === 0 || this.distortions.length === 0 || this.spotConsumptions.length === 0)
+            return;
+        let best = null;
+        for (const mutation of this.poolMutations) {
+            for (const distortion of this.distortions) {
+                if (mutation.order !== distortion.order && !POOL_MUTATION_METHODS.has(memberName(mutation.node))) {
+                    continue;
+                }
+                const manipulationOrder = Math.max(mutation.order, distortion.order);
+                if (!this.spotConsumptions.some(spot => spot.order > manipulationOrder))
+                    continue;
+                if (!best || manipulationOrder < best.order) {
+                    best = { order: manipulationOrder, node: mutation.node };
+                }
+            }
+        }
+        if (!best)
+            return;
+        const dedupKey = `${this.currentFile}:${this.currentContract}:${this.currentFunction}`;
+        if (this.emittedFunctions.has(dedupKey))
+            return;
+        this.emittedFunctions.add(dedupKey);
+        const loc = (0, ast_1.assertLoc)(best.node, this.currentFunctionNode);
+        const functionName = this.currentFunction;
+        const contractName = this.currentContract;
+        this.findings.push({
+            file: this.currentFile,
+            contract: contractName,
+            'function': functionName,
+            line: loc.line,
+            endLine: loc.endLine || loc.line,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `Potential Balancer weighted-pool flash-loan manipulation in '${contractName}.${functionName}': ` +
+                `a flash-loan context mutates/distorts pool state before a spot-style price or balance read.`,
+            rationale: 'Static analysis cannot prove price deviation magnitude, so this rule requires ordered same-function structural signals: flash context, Balancer pool mutation, swap/internal-balance distortion, and later spot consumption.',
+            contractName,
+            functionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    resetFunctionState() {
+        this.currentFunction = '';
+        this.currentFunctionNode = null;
+        this.order = 0;
+        this.hasFlashContext = false;
+        this.poolMutations = [];
+        this.distortions = [];
+        this.spotConsumptions = [];
+    }
+}
+exports.BalancerFlashLoanManipulationDetector = BalancerFlashLoanManipulationDetector;
+const _balancerFlashLoanManipulationProto = BalancerFlashLoanManipulationDetector.prototype;
+_balancerFlashLoanManipulationProto['ContractDefinition:exit'] =
+    _balancerFlashLoanManipulationProto.ContractDefinition_post;
+_balancerFlashLoanManipulationProto['FunctionDefinition:exit'] =
+    _balancerFlashLoanManipulationProto.FunctionDefinition_post;
+function unwrapCallOptions(expr) {
+    if (!expr)
+        return expr;
+    const kind = expr.type ?? expr.nodeType;
+    if (kind === 'FunctionCallOptions' || kind === 'NameValueExpression') {
+        return unwrapCallOptions(expr.expression);
+    }
+    return expr;
+}
+function hasMinArgs(node, min) {
+    return Array.isArray(node.arguments) && node.arguments.length >= min;
+}
+function memberName(node) {
+    const callee = unwrapCallOptions(node?.expression);
+    return String(callee?.memberName || '').toLowerCase();
+}
+function isSpotConsumption(name) {
+    if (!name)
+        return false;
+    if (name.includes('twap') || name.includes('timeweighted') || name.includes('cumulative'))
+        return false;
+    return SPOT_CONSUMPTION_METHODS.has(name);
+}
+//# sourceMappingURL=balancer-flash-loan-manipulation.js.map

package/dist/detectors/balancer-pause-guard.d.ts

@@ -0,0 +1,33 @@
+import type { ScanResult } from '../index';
+export declare class BalancerPauseGuardDetector {
+    readonly id = "balancer-pause-guard";
+    readonly patternKey = "balancer-pause-guard";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+    };
+    private currentFile;
+    private findings;
+    private contractStack;
+    private currentFunction;
+    private currentModifier;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    ModifierDefinition(node: any): void;
+    ModifierDefinition_post(_node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    FunctionCall(node: any): void;
+    IfStatement(node: any): void;
+    private evaluateContract;
+    private functionHasPauseGuard;
+    private makeFinding;
+    private markPauseGuard;
+    private markAccessControl;
+    private currentContract;
+}

package/dist/detectors/balancer-pause-guard.js

@@ -0,0 +1,307 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BalancerPauseGuardDetector = void 0;
+const access_control_1 = require("./_common/access-control");
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'balancer-pause-guard';
+const CALLBACK_ENTRYPOINTS = new Set(['onSwap', 'onJoinPool', 'onExitPool']);
+const VAULT_ENTRYPOINTS = new Set(['swap', 'joinPool', 'exitPool']);
+const PAUSE_WORDS = new Set([
+    'pause',
+    'paused',
+    'pauser',
+    'stop',
+    'stopped',
+    'halt',
+    'halted',
+    'freeze',
+    'frozen',
+    'circuit',
+    'breaker',
+    'emergency',
+]);
+class BalancerPauseGuardDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Balancer V2-style pool operation lacks an emergency pause or circuit-breaker guard.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'medium',
+    };
+    currentFile = '';
+    findings = [];
+    contractStack = [];
+    currentFunction = null;
+    currentModifier = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contractStack = [];
+        this.currentFunction = null;
+        this.currentModifier = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.contractStack.push({
+            name: String(node.name || ''),
+            node,
+            bases: collectBaseNames(node),
+            functions: [],
+            modifiers: new Map(),
+        });
+    }
+    ContractDefinition_post(node) {
+        const contract = this.contractStack.pop();
+        if (!contract)
+            return;
+        this.evaluateContract(contract);
+        if (this.contractStack.length > 0 && node?.name === contract.name) {
+            const parent = this.contractStack[this.contractStack.length - 1];
+            for (const fn of contract.functions)
+                parent.functions.push(fn);
+            for (const [name, modifier] of contract.modifiers)
+                parent.modifiers.set(name, modifier);
+        }
+    }
+    ModifierDefinition(node) {
+        this.currentModifier = {
+            name: String(node.name || ''),
+            hasPauseGuard: pauseNameMatches(String(node.name || '')),
+            hasAccessControl: false,
+        };
+    }
+    ModifierDefinition_post(_node) {
+        if (!this.currentModifier)
+            return;
+        this.currentContract()?.modifiers.set(this.currentModifier.name, this.currentModifier);
+        this.currentModifier = null;
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = {
+            name: node.isConstructor ? '<constructor>' : String(node.name || '<anonymous>'),
+            visibility: String(node.visibility || ''),
+            stateMutability: String(node.stateMutability || ''),
+            node,
+            modifierNames: collectModifierNames(node),
+            hasBody: !!node.body,
+            hasPauseGuard: hasPauseModifierName(node),
+            hasAccessControl: (0, access_control_1.hasRecognisedAccessControlModifier)(node),
+        };
+    }
+    FunctionDefinition_post(_node) {
+        if (!this.currentFunction)
+            return;
+        this.currentContract()?.functions.push(this.currentFunction);
+        this.currentFunction = null;
+    }
+    FunctionCall(node) {
+        if (!isRequireOrAssert(node))
+            return;
+        const condition = node.arguments?.[0];
+        if (!condition)
+            return;
+        if (conditionExpressesPauseGuard(condition)) {
+            this.markPauseGuard();
+        }
+        if ((0, access_control_1.requireExpressesAccessControl)(condition, isEmergencyPrivilegedName)) {
+            this.markAccessControl();
+        }
+    }
+    IfStatement(node) {
+        if (!conditionExpressesPauseGuard(node.condition))
+            return;
+        this.markPauseGuard();
+    }
+    evaluateContract(contract) {
+        const hasBalancerSignal = contract.bases.some(name => poolShapeNameMatches(name))
+            || contract.functions.some(fn => fn.name === 'getPoolId');
+        const unguarded = contract.functions.find(fn => {
+            if (!isExternallyReachable(fn))
+                return false;
+            if (!isCriticalPoolEntrypoint(fn.name, hasBalancerSignal))
+                return false;
+            return !this.functionHasPauseGuard(fn, contract);
+        });
+        if (!unguarded)
+            return;
+        this.findings.push(this.makeFinding(contract, unguarded));
+    }
+    functionHasPauseGuard(fn, contract) {
+        if (fn.hasPauseGuard)
+            return true;
+        if (fn.hasAccessControl && fn.modifierNames.some(name => pauseNameMatches(name)))
+            return true;
+        for (const name of fn.modifierNames) {
+            const modifier = contract.modifiers.get(name);
+            if (!modifier)
+                continue;
+            if (modifier.hasPauseGuard)
+                return true;
+            if (modifier.hasAccessControl && pauseNameMatches(modifier.name))
+                return true;
+        }
+        return false;
+    }
+    makeFinding(contract, fn) {
+        const loc = (0, ast_1.tryLoc)(fn.node, contract.node) || { line: 1, endLine: 1, column: 0, endColumn: 0 };
+        return {
+            findingId: '',
+            contractHash: '',
+            file: this.currentFile,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: RULE_ID,
+            severity: 'medium',
+            confidence: 'medium',
+            category: 'vulnerability',
+            contract: contract.name,
+            'function': fn.name,
+            contractName: contract.name,
+            functionName: fn.name,
+            message: `Balancer V2-style pool entrypoint ${fn.name} is externally reachable without an emergency pause, stop, or circuit-breaker guard.`,
+            rationale: 'Balancer pool swap/join/exit paths should fail closed behind pause-state checks so incident responders can disable critical pool operations.',
+            suggestedFix: 'Protect the pool entrypoint with a whenNotPaused/notPaused-style modifier or an inline require/assert that checks a role-controlled paused, stopped, or circuit-breaker state.',
+            sourceLocation: { line: loc.line, column: loc.column },
+        };
+    }
+    markPauseGuard() {
+        if (this.currentFunction)
+            this.currentFunction.hasPauseGuard = true;
+        if (this.currentModifier)
+            this.currentModifier.hasPauseGuard = true;
+    }
+    markAccessControl() {
+        if (this.currentFunction)
+            this.currentFunction.hasAccessControl = true;
+        if (this.currentModifier)
+            this.currentModifier.hasAccessControl = true;
+    }
+    currentContract() {
+        return this.contractStack[this.contractStack.length - 1] || null;
+    }
+}
+exports.BalancerPauseGuardDetector = BalancerPauseGuardDetector;
+function collectBaseNames(node) {
+    const names = [];
+    for (const base of node.baseContracts || []) {
+        const namePath = base.baseName || base.namePath;
+        const name = namePath?.name || namePath?.namePath || base.name || '';
+        if (name)
+            names.push(String(name));
+    }
+    return names;
+}
+function collectModifierNames(node) {
+    const names = [];
+    for (const modifier of node.modifiers || []) {
+        const name = modifierName(modifier);
+        if (name)
+            names.push(name);
+    }
+    return names;
+}
+function modifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name?.name)
+        return String(modifier.name.name);
+    if (modifier.modifierName?.name)
+        return String(modifier.modifierName.name);
+    return '';
+}
+function isExternallyReachable(fn) {
+    if (!fn.hasBody)
+        return false;
+    if (fn.stateMutability === 'view' || fn.stateMutability === 'pure')
+        return false;
+    return fn.visibility === 'public' || fn.visibility === 'external';
+}
+function isCriticalPoolEntrypoint(name, hasBalancerSignal) {
+    if (CALLBACK_ENTRYPOINTS.has(name))
+        return true;
+    if (VAULT_ENTRYPOINTS.has(name))
+        return hasBalancerSignal;
+    return false;
+}
+function hasPauseModifierName(node) {
+    return collectModifierNames(node).some(name => pauseNameMatches(name));
+}
+function isRequireOrAssert(node) {
+    const callee = node?.expression;
+    return (0, ast_1.isNode)(callee, 'Identifier') && (callee.name === 'require' || callee.name === 'assert');
+}
+function conditionExpressesPauseGuard(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'UnaryOperation') && node.operator === '!') {
+        return isPauseReference(node.subExpression);
+    }
+    if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+        const operator = String(node.operator || '');
+        if (operator === '&&' || operator === '||') {
+            return conditionExpressesPauseGuard(node.left) || conditionExpressesPauseGuard(node.right);
+        }
+        if (operator === '==' || operator === '!=' || operator === '===') {
+            if (isPauseReference(node.left) && isFalseLiteral(node.right))
+                return true;
+            if (isPauseReference(node.right) && isFalseLiteral(node.left))
+                return true;
+            if (operator === '!=' && isPauseReference(node.left) && isTrueLiteral(node.right))
+                return true;
+            if (operator === '!=' && isPauseReference(node.right) && isTrueLiteral(node.left))
+                return true;
+        }
+    }
+    if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+        return (node.components || []).some((child) => conditionExpressesPauseGuard(child));
+    }
+    if (isPauseReference(node) && pauseNameMatches(node.name || node.memberName || ''))
+        return true;
+    return false;
+}
+function isPauseReference(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return pauseNameMatches(String(node.name || ''));
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        return pauseNameMatches(String(node.memberName || '')) || isPauseReference(node.expression);
+    }
+    if ((0, ast_1.isNode)(node, 'FunctionCall'))
+        return isPauseReference(node.expression);
+    return false;
+}
+function isFalseLiteral(node) {
+    return (0, ast_1.isNode)(node, 'BooleanLiteral') && node.value === false;
+}
+function isTrueLiteral(node) {
+    return (0, ast_1.isNode)(node, 'BooleanLiteral') && node.value === true;
+}
+function pauseNameMatches(name) {
+    return (0, access_control_1.splitIdentifierTokens)(name).some(token => PAUSE_WORDS.has(token));
+}
+function poolShapeNameMatches(name) {
+    const tokens = (0, access_control_1.splitIdentifierTokens)(name);
+    return tokens.includes('balancer') || tokens.includes('pool');
+}
+function isEmergencyPrivilegedName(name) {
+    return (0, access_control_1.isPrivilegedIdentifier)(name, {
+        keywords: ['owner', 'admin', 'role', 'guardian', 'governor', 'governance', 'multisig', 'pauser', 'operator', 'emergency'],
+        mode: 'word-boundary',
+    });
+}
+BalancerPauseGuardDetector.prototype['ContractDefinition:exit'] = BalancerPauseGuardDetector.prototype.ContractDefinition_post;
+BalancerPauseGuardDetector.prototype['FunctionDefinition:exit'] = BalancerPauseGuardDetector.prototype.FunctionDefinition_post;
+BalancerPauseGuardDetector.prototype['ModifierDefinition:exit'] = BalancerPauseGuardDetector.prototype.ModifierDefinition_post;
+//# sourceMappingURL=balancer-pause-guard.js.map

package/dist/detectors/balancer-weighted-pool-flash-loan.d.ts

@@ -0,0 +1,42 @@
+import type { ScanResult } from '../index';
+import type { DetectorContext } from './types';
+export declare class BalancerWeightedPoolFlashLoanDetector {
+    readonly id = "balancer-weighted-pool-flash-loan";
+    readonly patternKey = "balancer-weighted-pool-flash-loan";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    private findings;
+    private currentFile;
+    private currentContract;
+    private currentFunction;
+    private currentFunctionNode;
+    private hasFlashLoanCall;
+    private hasPoolOperation;
+    private poolOperationNode;
+    private isFlashLoanCallback;
+    private seenFunctions;
+    private emptyArrayLocals;
+    private pragmaValues;
+    private fallbackSolcVersion;
+    private compilerProfile;
+    private uncheckedDepth;
+    private invariantSignals;
+    private hasWeightedInvariantShape;
+    setFile(file: string): void;
+    setContext(ctx: DetectorContext): void;
+    getFindings(): ScanResult[];
+    PragmaDirective(node: any): void;
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    FunctionDefinition(node: any): void;
+    VariableDeclarationStatement(node: any): void;
+    BinaryOperation(node: any): void;
+    UncheckedStatement(_node: any): void;
+    UncheckedStatement_post(_node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    FunctionCall(node: any): void;
+    private resetFunctionState;
+    private isNoOpFlashLoan;
+    private isResolvedEmptyArray;
+    private addFinding;
+    private versionRationale;
+}