@snovon/solast 0.2.0

package/dist/detectors/cross-protocol-oracle-collateral.js

@@ -0,0 +1,487 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CrossProtocolOracleCollateralDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'cross-protocol-oracle-collateral';
+const CONVERSION_METHODS = new Set([
+    'getExchangeRate',
+    'exchangeRate',
+    'exchangeRateStored',
+    'exchangeRateCurrent',
+    'convertToAssets',
+    'convertToShares',
+    'previewRedeem',
+    'previewWithdraw',
+    'previewMint',
+    'getPooledEth',
+    'getPooledEthByShares',
+    'getSharesByPooledEth',
+    'getRate',
+    'pricePerShare',
+]);
+const CONTEXT_RE = /collateral|borrow|lend|deposit|price|value|ltv|factor|limit|liquidat|health/i;
+const GUARD_CONDITION_CONTEXT_RE = /debt|borrow|collateral|ltv|factor|value|health/i;
+const FRESHNESS_RE = /updatedAt|updated_at|lastUpdate|lastRateUpdate|lastUpdated|publishTime|maxAge|max_age|MAX_AGE|heartbeat|maxDelay|staleAfter|stalePriceThreshold/i;
+const ORACLE_METHODS = new Set([
+    'latestAnswer',
+    'latestRoundData',
+    'getRoundData',
+    'getPrice',
+    'getAssetPrice',
+    'consult',
+]);
+class CrossProtocolOracleCollateralDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    scanAst(ast, file) {
+        if (!ast || ast.type !== 'SourceUnit')
+            return [];
+        const findings = [];
+        for (const contract of ast.children || []) {
+            if (contract?.type !== 'ContractDefinition')
+                continue;
+            if (contract.kind === 'interface' || contract.kind === 'library')
+                continue;
+            for (const sub of contract.subNodes || []) {
+                if (sub?.type !== 'FunctionDefinition')
+                    continue;
+                if (!sub.body)
+                    continue;
+                findings.push(...this.analyzeFunction(file, contract, sub));
+            }
+        }
+        return findings;
+    }
+    analyzeFunction(file, contract, fn) {
+        const body = fn.body;
+        const reads = this.collectConversionReads(body);
+        if (reads.length === 0)
+            return [];
+        if (this.hasVisibleSafetyGuard(body))
+            return [];
+        const functionName = fn.name || (fn.isConstructor ? '<constructor>' : '<anonymous>');
+        const findings = [];
+        for (const read of reads) {
+            if (this.isBalancerWeightedPoolRateRead(read, body))
+                continue;
+            const tainted = this.propagateTaint(body, read.assignedNames);
+            if (!this.hasCollateralBorrowContext(read, tainted, body, functionName))
+                continue;
+            findings.push(this.buildFinding(file, contract, functionName, read));
+            break;
+        }
+        return findings;
+    }
+    propagateTaint(body, seeds) {
+        const tainted = new Set(seeds);
+        let changed = true;
+        while (changed) {
+            changed = false;
+            this.walk(body, node => {
+                if (!node || typeof node !== 'object')
+                    return;
+                if (node.type === 'VariableDeclarationStatement' && node.initialValue) {
+                    const initNames = this.collectIdentifiers(node.initialValue);
+                    if (initNames.some(n => tainted.has(n))) {
+                        for (const v of node.variables || []) {
+                            if (v?.name && !tainted.has(v.name)) {
+                                tainted.add(v.name);
+                                changed = true;
+                            }
+                        }
+                    }
+                }
+                if (node.type === 'BinaryOperation' && this.isAssignment(node.operator)) {
+                    const rightNames = this.collectIdentifiers(node.right);
+                    if (rightNames.some(n => tainted.has(n))) {
+                        for (const name of this.collectIdentifiers(node.left)) {
+                            if (!tainted.has(name)) {
+                                tainted.add(name);
+                                changed = true;
+                            }
+                        }
+                    }
+                }
+            });
+        }
+        return tainted;
+    }
+    collectConversionReads(body) {
+        const reads = [];
+        const parentMap = new WeakMap();
+        this.buildParentMap(body, parentMap, null);
+        this.walkWithParent(body, (node, _parent) => {
+            if (!this.isConversionCall(node))
+                return;
+            const expr = this.unwrapCallOptions(node.expression);
+            reads.push({
+                node,
+                method: this.memberName(expr),
+                receiver: expr?.type === 'MemberAccess' ? this.receiverText(expr.expression) : '<local>',
+                assignedNames: this.assignedNamesForCall(node, parentMap),
+            });
+        });
+        return reads;
+    }
+    isBalancerWeightedPoolRateRead(read, body) {
+        if (read.method !== 'getRate')
+            return false;
+        let hasWeightedPoolContext = false;
+        this.walk(body, node => {
+            if (hasWeightedPoolContext || !node || node.type !== 'FunctionCall')
+                return;
+            const expr = this.unwrapCallOptions(node.expression);
+            if (!expr || expr.type !== 'MemberAccess')
+                return;
+            const method = expr.memberName || '';
+            hasWeightedPoolContext = (method === 'getNormalizedWeights' || method === 'getInvariant') &&
+                this.receiverText(expr.expression) === read.receiver;
+        });
+        return hasWeightedPoolContext;
+    }
+    buildParentMap(node, map, parent) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (parent)
+            map.set(node, parent);
+        for (const child of this.children(node)) {
+            this.buildParentMap(child, map, node);
+        }
+    }
+    hasCollateralBorrowContext(read, tainted, body, functionName) {
+        for (const name of tainted) {
+            if (CONTEXT_RE.test(name))
+                return true;
+            if (this.nameFlowsToContext(body, name))
+                return true;
+        }
+        for (const name of read.assignedNames) {
+            if (CONTEXT_RE.test(functionName) && this.returnUsesName(body, name))
+                return true;
+        }
+        if (this.callFlowsInlineToContext(body, read.node, functionName))
+            return true;
+        if (CONTEXT_RE.test(functionName) && this.isReturned(body, read.node))
+            return true;
+        return false;
+    }
+    nameFlowsToContext(body, name) {
+        let found = false;
+        this.walk(body, node => {
+            if (found || !node || typeof node !== 'object')
+                return;
+            if (node.type === 'VariableDeclarationStatement' && node.initialValue) {
+                const initNames = this.collectIdentifiers(node.initialValue);
+                if (initNames.includes(name)) {
+                    found = (node.variables || []).some((v) => v?.name && CONTEXT_RE.test(v.name));
+                }
+                return;
+            }
+            if (node.type === 'BinaryOperation' && this.isAssignment(node.operator)) {
+                const leftNames = this.collectIdentifiers(node.left);
+                const rightNames = this.collectIdentifiers(node.right);
+                found = rightNames.includes(name) && leftNames.some(left => CONTEXT_RE.test(left));
+                return;
+            }
+            if (node.type === 'ReturnStatement') {
+                const names = this.collectIdentifiers(node.expression);
+                found = names.includes(name) && names.some(other => other !== name && CONTEXT_RE.test(other));
+                return;
+            }
+            if (node.type === 'FunctionCall') {
+                const calleeName = this.memberName(node.expression);
+                const args = node.arguments || [];
+                found = CONTEXT_RE.test(calleeName) &&
+                    args.some((arg) => this.collectIdentifiers(arg).includes(name));
+            }
+        });
+        return found;
+    }
+    callFlowsInlineToContext(body, call, functionName) {
+        let found = false;
+        this.walk(body, node => {
+            if (found || !node || typeof node !== 'object')
+                return;
+            if (node.type === 'VariableDeclarationStatement') {
+                if (node.initialValue && this.containsNode(node.initialValue, call)) {
+                    found = (node.variables || []).some((v) => v?.name && CONTEXT_RE.test(v.name));
+                }
+                return;
+            }
+            if (node.type === 'BinaryOperation' && this.isAssignment(node.operator)) {
+                found = this.containsNode(node.right, call) &&
+                    this.collectIdentifiers(node.left).some(name => CONTEXT_RE.test(name));
+                return;
+            }
+            if (node.type === 'ReturnStatement') {
+                found = this.containsNode(node.expression, call) &&
+                    this.collectIdentifiers(node.expression).some(name => CONTEXT_RE.test(name));
+                return;
+            }
+            if (node.type === 'FunctionCall' && node !== call) {
+                const calleeName = this.memberName(node.expression);
+                if (calleeName === 'require' || calleeName === 'assert') {
+                    const condition = (node.arguments || [])[0] || null;
+                    found = this.guardConditionContainsContextualCall(condition, call, functionName);
+                    return;
+                }
+                found = CONTEXT_RE.test(calleeName) && this.containsNode(node, call);
+            }
+        });
+        return found;
+    }
+    guardConditionContainsContextualCall(condition, call, functionName) {
+        if (!condition || !this.containsNode(condition, call))
+            return false;
+        if (CONTEXT_RE.test(functionName))
+            return true;
+        return this.collectIdentifiers(condition).some(name => GUARD_CONDITION_CONTEXT_RE.test(name));
+    }
+    hasVisibleSafetyGuard(body) {
+        return this.hasFreshnessGuard(body) || this.hasIndependentOracleFreshness(body) || this.hasTwapWindowGuard(body);
+    }
+    hasFreshnessGuard(body) {
+        let found = false;
+        this.walk(body, node => {
+            if (found)
+                return;
+            const condition = this.guardCondition(node);
+            if (!condition)
+                return;
+            found = this.containsBlockTimestamp(condition) &&
+                this.containsComparison(condition) &&
+                this.hasFreshnessIdentifier(condition);
+        });
+        return found;
+    }
+    hasFreshnessIdentifier(node) {
+        return this.collectIdentifiers(node).some(name => name !== 'timestamp' && FRESHNESS_RE.test(name));
+    }
+    hasIndependentOracleFreshness(body) {
+        let hasOracleRead = false;
+        this.walk(body, node => {
+            if (hasOracleRead || !node || node.type !== 'FunctionCall')
+                return;
+            const name = this.memberName(node.expression);
+            hasOracleRead = ORACLE_METHODS.has(name);
+        });
+        return hasOracleRead && this.hasFreshnessGuard(body);
+    }
+    hasTwapWindowGuard(body) {
+        let hasTwapRead = false;
+        let hasWindowGuard = false;
+        this.walk(body, node => {
+            if (!node || typeof node !== 'object')
+                return;
+            if (node.type === 'FunctionCall') {
+                const name = this.memberName(node.expression);
+                const names = this.collectIdentifiers(node).join(' ');
+                if (name === 'consult' || /twap/i.test(names))
+                    hasTwapRead = true;
+            }
+            const condition = this.guardCondition(node);
+            if (!condition)
+                return;
+            const names = this.collectIdentifiers(condition).join(' ');
+            hasWindowGuard = hasWindowGuard ||
+                (/twap|window|secondsAgo|MIN_TWAP_WINDOW/i.test(names) && this.containsComparison(condition));
+        });
+        return hasTwapRead && hasWindowGuard;
+    }
+    buildFinding(file, contract, functionName, read) {
+        const { line, column, endLine } = (0, ast_1.assertLoc)(read.node);
+        return {
+            file,
+            contract: contract?.name || '<anonymous>',
+            'function': functionName,
+            line,
+            endLine,
+            column,
+            endColumn: read.node?.loc?.end?.column,
+            pattern: RULE_ID,
+            confidence: 'medium',
+            category: 'vulnerability',
+            ruleId: RULE_ID,
+            severity: 'medium',
+            message: `Collateral or borrow-power logic depends on '${read.receiver}.${read.method}()' without a visible independent oracle, TWAP, or freshness guard.`,
+            contractName: contract?.name || '<anonymous>',
+            functionName,
+            sourceLocation: { line, column },
+            trace: 'unchecked-redemption-rate-collateral-pricing',
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    isConversionCall(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return false;
+        const expr = this.unwrapCallOptions(node.expression);
+        const name = this.memberName(expr);
+        return CONVERSION_METHODS.has(name);
+    }
+    assignedNamesForCall(call, parentMap) {
+        const names = new Set();
+        const exprTypes = new Set(['BinaryOperation', 'TupleExpression', 'UnaryOperation', 'IndexAccess', 'MemberAccess', 'FunctionCall']);
+        let current = call;
+        while (true) {
+            const parent = parentMap.get(current);
+            if (!parent || typeof parent !== 'object')
+                break;
+            if (parent.type === 'VariableDeclarationStatement') {
+                if (parent.initialValue && this.containsNode(parent.initialValue, call)) {
+                    for (const variable of parent.variables || []) {
+                        if (variable?.name)
+                            names.add(variable.name);
+                    }
+                }
+                break;
+            }
+            if (parent.type === 'BinaryOperation' && this.isAssignment(parent.operator)) {
+                if (this.containsNode(parent.right, call)) {
+                    this.collectIdentifiers(parent.left).forEach(name => names.add(name));
+                }
+                break;
+            }
+            if (parent.type === 'ExpressionStatement') {
+                const expr = parent.expression;
+                if (expr?.type === 'BinaryOperation' && this.isAssignment(expr.operator) && this.containsNode(expr.right, call)) {
+                    this.collectIdentifiers(expr.left).forEach(name => names.add(name));
+                }
+                break;
+            }
+            if (!exprTypes.has(parent.type))
+                break;
+            current = parent;
+        }
+        return names;
+    }
+    guardCondition(node) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if (node.type === 'FunctionCall') {
+            const name = this.memberName(node.expression);
+            if (name === 'require' || name === 'assert')
+                return (node.arguments || [])[0] || null;
+        }
+        if (node.type === 'IfStatement')
+            return node.condition || null;
+        return null;
+    }
+    isAssignment(operator) {
+        return ['=', '+=', '-=', '*=', '/=', '%='].includes(operator);
+    }
+    containsComparison(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'BinaryOperation' && ['<', '<=', '>', '>=', '==', '!='].includes(node.operator)) {
+            return true;
+        }
+        return this.children(node).some(child => this.containsComparison(child));
+    }
+    containsBlockTimestamp(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'MemberAccess' &&
+            node.memberName === 'timestamp' &&
+            node.expression?.type === 'Identifier' &&
+            node.expression.name === 'block') {
+            return true;
+        }
+        return this.children(node).some(child => this.containsBlockTimestamp(child));
+    }
+    returnUsesName(body, name) {
+        let used = false;
+        this.walk(body, node => {
+            if (used || node?.type !== 'ReturnStatement')
+                return;
+            used = this.collectIdentifiers(node.expression).includes(name);
+        });
+        return used;
+    }
+    isReturned(body, target) {
+        let returned = false;
+        this.walk(body, node => {
+            if (returned || node?.type !== 'ReturnStatement')
+                return;
+            returned = this.containsNode(node.expression, target);
+        });
+        return returned;
+    }
+    memberName(expr) {
+        const unwrapped = this.unwrapCallOptions(expr);
+        if (!unwrapped || typeof unwrapped !== 'object')
+            return '';
+        if (unwrapped.type === 'MemberAccess')
+            return unwrapped.memberName || '';
+        if (unwrapped.type === 'Identifier')
+            return unwrapped.name || '';
+        return '';
+    }
+    unwrapCallOptions(expr) {
+        return expr?.type === 'FunctionCallOptions' ? expr.expression : expr;
+    }
+    receiverText(node) {
+        if (!node || typeof node !== 'object')
+            return '<unknown>';
+        if (node.type === 'Identifier')
+            return node.name || '<unknown>';
+        if (node.type === 'MemberAccess')
+            return `${this.receiverText(node.expression)}.${node.memberName || '<member>'}`;
+        return '<expression>';
+    }
+    collectIdentifiers(node) {
+        const names = [];
+        this.walk(node, child => {
+            if (child?.type === 'Identifier' && child.name)
+                names.push(child.name);
+            if (child?.type === 'MemberAccess' && child.memberName)
+                names.push(child.memberName);
+        });
+        return names;
+    }
+    containsNode(root, target) {
+        if (!root || !target)
+            return false;
+        if (root === target)
+            return true;
+        return this.children(root).some(child => this.containsNode(child, target));
+    }
+    walk(node, visit) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node);
+        for (const child of this.children(node)) {
+            this.walk(child, visit);
+        }
+    }
+    walkWithParent(node, visit, parent = null) {
+        if (!node || typeof node !== 'object')
+            return;
+        visit(node, parent);
+        for (const child of this.children(node)) {
+            this.walkWithParent(child, visit, node);
+        }
+    }
+    children(node) {
+        if (!node || typeof node !== 'object')
+            return [];
+        const out = [];
+        for (const [key, value] of Object.entries(node)) {
+            if (key === 'loc' || key === 'range' || key === 'type')
+                continue;
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        out.push(item);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                out.push(value);
+            }
+        }
+        return out;
+    }
+}
+exports.CrossProtocolOracleCollateralDetector = CrossProtocolOracleCollateralDetector;
+//# sourceMappingURL=cross-protocol-oracle-collateral.js.map

package/dist/detectors/cross-vm-reentrancy.d.ts

@@ -0,0 +1,7 @@
+import type { ScanResult } from '../index';
+export declare class CrossVmReentrancyDetector {
+    readonly id = "cross-vm-reentrancy";
+    readonly patternKey = "cross-vm-reentrancy";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}