@snovon/solast 0.2.0

package/dist/detectors/bridge-accounting-bypass.js

@@ -0,0 +1,449 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BridgeAccountingBypassDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'bridge-accounting-bypass';
+const PATTERN = `${RULE_ID}/entitlement-not-debited-before-payout`;
+const PAYOUT_MEMBERS = new Set(['transfer', 'safeTransfer', 'send', 'call']);
+const ACCOUNTING_TERMS = [
+    'credit',
+    'credits',
+    'redeemable',
+    'liquidity',
+    'entitlement',
+    'claimable',
+    'allocation',
+    'shares',
+    'lp',
+];
+const BRIDGE_CONTEXT_TERMS = [
+    'bridge',
+    'pool',
+    'stargate',
+    'remote',
+    'crosschain',
+    'xchain',
+    'liquidity',
+    'redeem',
+    'withdraw',
+    'swapremote',
+    'credit',
+];
+class BridgeAccountingBypassDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    currentFile = '';
+    findings = [];
+    contractStack = [];
+    currentFunction = null;
+    branchByBody = new WeakMap();
+    branchStack = [];
+    nextBranchId = 1;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contractStack = [];
+        this.currentFunction = null;
+        this.branchByBody = new WeakMap();
+        this.branchStack = [];
+        this.nextBranchId = 1;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        const kind = String(node?.kind || '').toLowerCase();
+        this.contractStack.push({
+            name: node?.name || '<anonymous>',
+            executable: kind !== 'interface' && kind !== 'library',
+        });
+    }
+    ContractDefinition_post(node) {
+        if (!node || this.contractStack.length > 0)
+            this.contractStack.pop();
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.currentFunction = null;
+        if (!this.currentContract()?.executable)
+            return;
+        if (!node?.body)
+            return;
+        if (node.isConstructor || String(node.kind || '').toLowerCase() === 'constructor')
+            return;
+        const mutability = String(node.stateMutability || '').toLowerCase();
+        if (mutability === 'view' || mutability === 'pure')
+            return;
+        this.currentFunction = {
+            name: node.name || '<anonymous>',
+            node,
+            path: { checks: [], debits: new Set() },
+            branchPath: '',
+            pending: [],
+            emittedKeys: new Set(),
+        };
+    }
+    FunctionDefinition_post(node) {
+        if (!this.currentFunction)
+            return;
+        if (node && this.currentFunction.node !== node)
+            return;
+        for (const pending of this.currentFunction.pending) {
+            const reason = pending.lateDebit ? 'late debit' : 'missing debit';
+            pending.result.message =
+                `Bridge accounting bypass in '${pending.result.contractName}.${pending.result.functionName}': ` +
+                    `recorded credit/liquidity must be debited before payout; ${this.currentFunction.name} performs a ` +
+                    `payout while the checked entitlement source '${pending.source}' has a ${reason}, enabling ` +
+                    `over-withdrawal or over-redemption.`;
+            this.findings.push(pending.result);
+        }
+        this.currentFunction = null;
+        this.branchStack = [];
+        this.branchByBody = new WeakMap();
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    IfStatement(node) {
+        if (!this.currentFunction)
+            return;
+        // This `if` may itself be the unbraced body of an enclosing branch
+        // (`if (a) if (b) ...`). Reset the live path to that enclosing branch's
+        // entry state before we snapshot `before`, so the nested branch does
+        // not inherit a sibling arm's debits.
+        this.enterBranchBody(node);
+        const branch = {
+            id: this.nextBranchId++,
+            before: clonePath(this.currentFunction.path),
+            beforeBranchPath: this.currentFunction.branchPath,
+            trueBody: node?.trueBody,
+            falseBody: node?.falseBody,
+        };
+        if (branch.trueBody && typeof branch.trueBody === 'object') {
+            this.branchByBody.set(branch.trueBody, { branch, side: 'true' });
+        }
+        if (branch.falseBody && typeof branch.falseBody === 'object') {
+            this.branchByBody.set(branch.falseBody, { branch, side: 'false' });
+        }
+        this.branchStack.push(branch);
+    }
+    IfStatement_post(node) {
+        if (!this.currentFunction)
+            return;
+        const branch = this.branchStack.pop();
+        if (!branch)
+            return;
+        if (node && branch.trueBody !== node.trueBody)
+            return;
+        // Merge the two arm-end states. Both braced (`Block`) and unbraced
+        // (`ExpressionStatement`, nested `IfStatement`, ...) bodies record their
+        // end state via `exitBranchBody`. Only a genuinely absent `else` falls
+        // back to `branch.before` — the implicit empty false path. If a present
+        // body somehow left its end state unset, fall back to the *live* path,
+        // never to `branch.before`: falling back to `before` would drop debits
+        // the arm actually performed and produce a false `missing debit`.
+        const live = this.currentFunction.path;
+        const truePath = branch.trueEnd ?? live;
+        const falsePath = branch.falseBody ? (branch.falseEnd ?? live) : branch.before;
+        this.currentFunction.path = mergePaths(truePath, falsePath);
+        this.currentFunction.branchPath = branch.beforeBranchPath;
+        // This `if` may itself be the unbraced body of an enclosing branch;
+        // record the merged result as that arm's end state.
+        this.exitBranchBody(node);
+    }
+    ['IfStatement:exit'](node) {
+        this.IfStatement_post(node);
+    }
+    Block(node) {
+        this.enterBranchBody(node);
+    }
+    Block_post(node) {
+        this.exitBranchBody(node);
+    }
+    ['Block:exit'](node) {
+        this.Block_post(node);
+    }
+    // Unbraced `if`/`else` arms are single statements, not `Block` nodes, so
+    // the `Block`/`Block:exit` hooks above never fire for them. Subscribe to
+    // every statement type that can stand alone as an arm body and route it
+    // through the same branch entry/exit capture. The helpers are no-ops
+    // unless the visited node is registered in `branchByBody`, so statements
+    // that merely sit inside a `Block` (or the function body) are unaffected.
+    ExpressionStatement(node) { this.enterBranchBody(node); }
+    ['ExpressionStatement:exit'](node) { this.exitBranchBody(node); }
+    VariableDeclarationStatement(node) { this.enterBranchBody(node); }
+    ['VariableDeclarationStatement:exit'](node) { this.exitBranchBody(node); }
+    ReturnStatement(node) { this.enterBranchBody(node); }
+    ['ReturnStatement:exit'](node) { this.exitBranchBody(node); }
+    EmitStatement(node) { this.enterBranchBody(node); }
+    ['EmitStatement:exit'](node) { this.exitBranchBody(node); }
+    RevertStatement(node) { this.enterBranchBody(node); }
+    ['RevertStatement:exit'](node) { this.exitBranchBody(node); }
+    ForStatement(node) { this.enterBranchBody(node); }
+    ['ForStatement:exit'](node) { this.exitBranchBody(node); }
+    WhileStatement(node) { this.enterBranchBody(node); }
+    ['WhileStatement:exit'](node) { this.exitBranchBody(node); }
+    DoWhileStatement(node) { this.enterBranchBody(node); }
+    ['DoWhileStatement:exit'](node) { this.exitBranchBody(node); }
+    UncheckedStatement(node) { this.enterBranchBody(node); }
+    ['UncheckedStatement:exit'](node) { this.exitBranchBody(node); }
+    /**
+     * Called when the walker enters a node that is registered as a branch
+     * arm body (any statement type — `Block` or an unbraced single
+     * statement). Resets the live path to the branch's entry snapshot so the
+     * arm is analysed in isolation from its sibling arm. No-op for nodes that
+     * are not arm bodies.
+     */
+    enterBranchBody(node) {
+        if (!this.currentFunction || !node || typeof node !== 'object')
+            return;
+        const branchSide = this.branchByBody.get(node);
+        if (!branchSide)
+            return;
+        this.currentFunction.path = clonePath(branchSide.branch.before);
+        this.currentFunction.branchPath =
+            `${branchSide.branch.beforeBranchPath}/${branchSide.branch.id}:${branchSide.side}`;
+    }
+    /**
+     * Called when the walker exits a branch arm body. Snapshots the live path
+     * into the branch's `trueEnd`/`falseEnd` so `IfStatement_post` can merge
+     * the arms, then restores the live path to the branch entry snapshot
+     * (the next arm starts fresh). No-op for nodes that are not arm bodies.
+     */
+    exitBranchBody(node) {
+        if (!this.currentFunction || !node || typeof node !== 'object')
+            return;
+        const branchSide = this.branchByBody.get(node);
+        if (!branchSide)
+            return;
+        if (branchSide.side === 'true') {
+            branchSide.branch.trueEnd = clonePath(this.currentFunction.path);
+        }
+        else {
+            branchSide.branch.falseEnd = clonePath(this.currentFunction.path);
+        }
+        this.currentFunction.path = clonePath(branchSide.branch.before);
+        this.currentFunction.branchPath = branchSide.branch.beforeBranchPath;
+    }
+    BinaryOperation(node) {
+        if (!this.currentFunction)
+            return;
+        const operator = String(node?.operator || '');
+        if (operator === '>=' || operator === '>') {
+            this.recordEntitlementCheck(node.left, node.right);
+            this.recordEntitlementCheck(node.right, node.left);
+            return;
+        }
+        if (operator === '-=' || operator === '=') {
+            const source = accountingSource(node.left);
+            if (!source)
+                return;
+            if (operator === '=' && !isSubtractionFromSameSource(node.right, source))
+                return;
+            this.currentFunction.path.debits.add(source);
+            for (const pending of this.currentFunction.pending) {
+                if (pending.source === source &&
+                    pending.branchPath === this.currentFunction.branchPath &&
+                    !pending.payoutSeenDebits.has(source)) {
+                    pending.lateDebit = true;
+                }
+            }
+        }
+    }
+    FunctionCall(node) {
+        if (!this.currentFunction || !this.currentContract()?.executable)
+            return;
+        const payout = payoutAmount(node);
+        if (!payout)
+            return;
+        const relevant = this.currentFunction.path.checks.find(check => check.amount === payout.amount && !this.currentFunction?.path.debits.has(check.source));
+        if (!relevant)
+            return;
+        if (!this.hasBridgeAccountingContext(relevant.source))
+            return;
+        const key = `${relevant.source}:${payout.amount}:${payout.node.loc?.start?.line || 0}`;
+        if (this.currentFunction.emittedKeys.has(key))
+            return;
+        this.currentFunction.emittedKeys.add(key);
+        const loc = (0, ast_1.assertLoc)(payout.node, this.currentFunction.node);
+        const contractName = this.currentContract()?.name || '<anonymous>';
+        const functionName = this.currentFunction.name;
+        this.currentFunction.pending.push({
+            source: relevant.source,
+            payoutSeenDebits: new Set(this.currentFunction.path.debits),
+            branchPath: this.currentFunction.branchPath,
+            lateDebit: false,
+            result: {
+                file: this.currentFile,
+                contract: contractName,
+                'function': functionName,
+                line: loc.line,
+                endLine: loc.endLine,
+                column: loc.column,
+                ruleId: RULE_ID,
+                pattern: PATTERN,
+                severity: 'critical',
+                confidence: 'medium',
+                category: 'bridge-accounting',
+                message: '',
+                contractName,
+                functionName,
+                sourceLocation: { line: loc.line, column: loc.column },
+                findingId: '',
+                contractHash: '',
+            },
+        });
+    }
+    recordEntitlementCheck(maybeSource, maybeAmount) {
+        const source = accountingSource(maybeSource);
+        if (!source)
+            return;
+        const amount = exprSignature(maybeAmount);
+        if (!amount)
+            return;
+        if (!looksLikeAmount(maybeAmount, amount))
+            return;
+        if (this.currentFunction?.path.checks.some(check => check.source === source && check.amount === amount))
+            return;
+        this.currentFunction?.path.checks.push({ source, amount });
+    }
+    hasBridgeAccountingContext(source) {
+        const contractName = this.currentContract()?.name || '';
+        const fnName = this.currentFunction?.name || '';
+        let score = 0;
+        if (containsAnyTerm(contractName, BRIDGE_CONTEXT_TERMS))
+            score += 1;
+        if (containsAnyTerm(fnName, BRIDGE_CONTEXT_TERMS))
+            score += 1;
+        if (containsAnyTerm(source, ACCOUNTING_TERMS))
+            score += 1;
+        return score >= 2;
+    }
+    currentContract() {
+        return this.contractStack[this.contractStack.length - 1] || null;
+    }
+}
+exports.BridgeAccountingBypassDetector = BridgeAccountingBypassDetector;
+function payoutAmount(call) {
+    if (!(0, ast_1.isNode)(call, 'FunctionCall'))
+        return null;
+    const expr = unwrapCallOptions(call.expression);
+    if ((0, ast_1.isNode)(expr, 'MemberAccess')) {
+        const member = String(expr.memberName || '');
+        if (!PAYOUT_MEMBERS.has(member))
+            return null;
+        if (member === 'call') {
+            const value = callValue(call.expression);
+            return value ? { amount: value, node: call } : null;
+        }
+        const args = Array.isArray(call.arguments) ? call.arguments : [];
+        const amountArg = member === 'send' ? args[0] : args[1];
+        const amount = exprSignature(amountArg);
+        return amount ? { amount, node: call } : null;
+    }
+    return null;
+}
+function unwrapCallOptions(expr) {
+    let current = expr;
+    while ((0, ast_1.isNode)(current, 'NameValueExpression') || (0, ast_1.isNode)(current, 'FunctionCallOptions')) {
+        current = current.expression;
+    }
+    return current;
+}
+function callValue(expr) {
+    let current = expr;
+    while (current && typeof current === 'object') {
+        if ((0, ast_1.isNode)(current, 'NameValueExpression') || (0, ast_1.isNode)(current, 'FunctionCallOptions')) {
+            const names = current.names || current.arguments?.names || current.options?.map((option) => option?.name);
+            const values = Array.isArray(current.arguments)
+                ? current.arguments
+                : current.arguments?.arguments || current.options?.map((option) => option?.value);
+            if (Array.isArray(names) && Array.isArray(values)) {
+                const index = names.findIndex((name) => String(name) === 'value');
+                if (index >= 0)
+                    return exprSignature(values[index]);
+            }
+            current = current.expression;
+            continue;
+        }
+        break;
+    }
+    return null;
+}
+function accountingSource(node) {
+    if (!node)
+        return null;
+    if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+        const base = accountingSource(node.base);
+        if (base && containsAnyTerm(base, ACCOUNTING_TERMS))
+            return base;
+    }
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        const member = String(node.memberName || '');
+        if (containsAnyTerm(member, ACCOUNTING_TERMS))
+            return member;
+    }
+    if ((0, ast_1.isNode)(node, 'Identifier')) {
+        const name = String(node.name || '');
+        if (containsAnyTerm(name, ACCOUNTING_TERMS))
+            return name;
+    }
+    return null;
+}
+function isSubtractionFromSameSource(node, source) {
+    if (!(0, ast_1.isNode)(node, 'BinaryOperation') || node.operator !== '-')
+        return false;
+    return accountingSource(node.left) === source || accountingSource(node.right) === source;
+}
+function exprSignature(node) {
+    if (!node)
+        return null;
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return String(node.name || '') || null;
+    if ((0, ast_1.isNode)(node, 'MemberAccess')) {
+        const base = exprSignature(node.expression);
+        const member = String(node.memberName || '');
+        return base && member ? `${base}.${member}` : member || null;
+    }
+    if ((0, ast_1.isNode)(node, 'IndexAccess')) {
+        const base = exprSignature(node.base);
+        const index = exprSignature(node.index);
+        return base ? `${base}[${index || '?'}]` : null;
+    }
+    if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+        return String(node.number || '');
+    return null;
+}
+function looksLikeAmount(node, signature) {
+    if ((0, ast_1.isNode)(node, 'NumberLiteral'))
+        return true;
+    return containsAnyTerm(signature, ['amount', 'amt', 'value', 'shares', 'liquidity']);
+}
+function containsAnyTerm(value, terms) {
+    const normalized = value.replace(/[^a-zA-Z0-9]/g, '').toLowerCase();
+    return terms.some(term => normalized.includes(term.toLowerCase()));
+}
+function clonePath(path) {
+    return {
+        checks: path.checks.slice(),
+        debits: new Set(path.debits),
+    };
+}
+function mergePaths(left, right) {
+    const debits = new Set();
+    for (const debit of left.debits) {
+        if (right.debits.has(debit))
+            debits.add(debit);
+    }
+    const checks = left.checks.slice();
+    for (const check of right.checks) {
+        if (!checks.some(existing => existing.source === check.source && existing.amount === check.amount)) {
+            checks.push(check);
+        }
+    }
+    return { checks, debits };
+}
+//# sourceMappingURL=bridge-accounting-bypass.js.map

package/dist/detectors/bridge-business-logic-flaw-incorrect-acc.d.ts

@@ -0,0 +1,43 @@
+import type { ScanResult } from '../index';
+export declare class BridgeBusinessLogicFlawIncorrectAccDetector {
+    readonly id = "bridge-business-logic-flaw-incorrect-acc";
+    readonly patternKey = "bridge-business-logic-flaw-incorrect-acc";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "critical";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private stateVars;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    StateVariableDeclaration(node: any): void;
+    FunctionDefinition(node: any): void;
+    private isExternallyReachable;
+    private findCandidates;
+    private acceptedStorageRootSig;
+    private isCandidateGuarded;
+    private isPathTerminatingZeroRootGuard;
+    private conditionRejectsZeroRoot;
+    private flattenChain;
+    private matchesRoot;
+    private branchTerminates;
+    private containsNode;
+    private confirmAtRootSig;
+    private storageRootSig;
+    private isStateIndexAccess;
+    private containsTimestampGate;
+    private isZeroLiteral;
+    private callName;
+    private identifierName;
+    private exprSig;
+    private walk;
+}