@snovon/solast 0.2.0

package/dist/detectors/decimals-mismatch.js

@@ -0,0 +1,451 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DecimalsMismatchDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'decimals-mismatch';
+const PATTERN = `${RULE_ID}/mismatched-arithmetic`;
+const ERC20_AMOUNT_METHODS = new Set(['balanceOf', 'allowance', 'totalSupply']);
+const ARITHMETIC_OPS = new Set(['+', '-', '*', '/']);
+const COMPARISON_OPS = new Set(['>=', '<=', '>', '<', '==', '!=']);
+const ALL_CHECKED_OPS = new Set([...ARITHMETIC_OPS, ...COMPARISON_OPS]);
+class DecimalsMismatchDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'Arithmetic or comparison of token amounts with different decimals without explicit scale normalization.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    currentFile = '';
+    findings = [];
+    currentContractName = '';
+    currentContractNode = null;
+    currentFunctionName = '';
+    currentFunctionNode = null;
+    stateVars = new Set();
+    tokenDecimals = new Map();
+    localAmounts = new Map();
+    constructorParams = new Set();
+    paramToStateVars = new Map(); // param → bound state variables
+    decimalsCacheToParam = new Map(); // state var decimals cache → param
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.resetContract();
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        this.resetContract();
+        this.currentContractName = node?.name || '';
+        this.currentContractNode = node;
+        for (const sub of node?.subNodes || []) {
+            if ((0, ast_1.isNode)(sub, 'StateVariableDeclaration')) {
+                for (const variable of sub.variables || []) {
+                    if (variable?.name)
+                        this.stateVars.add(variable.name);
+                }
+            }
+        }
+    }
+    'ContractDefinition:exit'() {
+        this.resetContract();
+    }
+    FunctionDefinition(node) {
+        this.currentFunctionName = node?.name || '';
+        this.currentFunctionNode = node;
+        this.localAmounts.clear();
+        if (node?.isConstructor || node?.kind === 'constructor') {
+            this.constructorParams.clear();
+            this.paramToStateVars.clear();
+            this.decimalsCacheToParam.clear();
+            for (const param of node?.parameters || []) {
+                if (param?.name)
+                    this.constructorParams.add(param.name);
+            }
+        }
+    }
+    'FunctionDefinition:exit'(_node) {
+        this.currentFunctionName = '';
+        this.currentFunctionNode = null;
+        this.localAmounts.clear();
+        this.constructorParams.clear();
+        this.paramToStateVars.clear();
+        this.decimalsCacheToParam.clear();
+    }
+    FunctionCall(node) {
+        this.tryLearnDecimals(node);
+    }
+    VariableDeclarationStatement(node) {
+        this.tryTrackLocalAmount(node);
+    }
+    BinaryOperation(node) {
+        if (!this.currentContractName)
+            return;
+        const op = node?.operator;
+        // Track constructor parameter → state variable bindings
+        if (op === '=') {
+            this.trackConstructorBinding(node);
+        }
+        if (!ALL_CHECKED_OPS.has(op))
+            return;
+        const leftDecimals = this.resolveAmountDecimals(node.left);
+        const rightDecimals = this.resolveAmountDecimals(node.right);
+        if (leftDecimals === null ||
+            rightDecimals === null ||
+            leftDecimals.decimals === rightDecimals.decimals) {
+            return;
+        }
+        // Check if either operand is a scale-normalized version of the other token's amount
+        if (this.isScaleNormalized(node.left))
+            return;
+        if (this.isScaleNormalized(node.right))
+            return;
+        const loc = (0, ast_1.assertLoc)(node, this.currentFunctionNode);
+        const message = `Token amounts with different decimals combined without normalization: ` +
+            `token '${leftDecimals.tokenVar}' has ${leftDecimals.decimals} decimals, ` +
+            `token '${rightDecimals.tokenVar}' has ${rightDecimals.decimals} decimals. ` +
+            `Scale one of the amounts before performing arithmetic or comparison ` +
+            `(e.g., amount * 10**(decimalsDiff)). See FutureSwap (2026-01-10) exploit.`;
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.currentContractName,
+            'function': this.currentFunctionName,
+            line: loc.line,
+            column: loc.column,
+            endLine: loc.endLine,
+            endColumn: loc.endColumn,
+            pattern: PATTERN,
+            confidence: 'medium',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message,
+            contractName: this.currentContractName,
+            functionName: this.currentFunctionName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            category: 'vulnerability',
+            findingId: '',
+            contractHash: '',
+        });
+    }
+    // ---- helpers ----
+    resetContract() {
+        this.currentContractName = '';
+        this.currentContractNode = null;
+        this.currentFunctionName = '';
+        this.currentFunctionNode = null;
+        this.stateVars.clear();
+        this.tokenDecimals.clear();
+        this.localAmounts.clear();
+        this.constructorParams.clear();
+        this.paramToStateVars.clear();
+        this.decimalsCacheToParam.clear();
+    }
+    /**
+     * Track `stateVar = param` bindings in constructors, and
+     * `decimalsCache = param.decimals()` patterns.
+     */
+    trackConstructorBinding(node) {
+        const left = node?.left;
+        const right = node?.right;
+        if (!(0, ast_1.isNode)(left, 'Identifier') || !this.stateVars.has(left.name))
+            return;
+        const stateVarName = left.name;
+        // stateVar = param
+        if ((0, ast_1.isNode)(right, 'Identifier') && this.constructorParams.has(right.name)) {
+            const param = right.name;
+            const existing = this.paramToStateVars.get(param);
+            if (existing)
+                existing.push(stateVarName);
+            else
+                this.paramToStateVars.set(param, [stateVarName]);
+            // If param already has known decimals, propagate to state var now
+            const paramInfo = this.tokenDecimals.get(param);
+            if (paramInfo) {
+                this.tokenDecimals.set(stateVarName, paramInfo);
+            }
+            return;
+        }
+        // stateVar = param.decimals() → track decimals cache
+        if ((0, ast_1.isNode)(right, 'FunctionCall')) {
+            const decimalsCallResult = this.parseDecimalsCall(right);
+            if (decimalsCallResult && this.constructorParams.has(decimalsCallResult)) {
+                this.decimalsCacheToParam.set(stateVarName, decimalsCallResult);
+            }
+        }
+    }
+    /**
+     * Detect `require(tokenVar.decimals() == N)` (directly on token) and
+     * `require(decimalsCache == N)` (cached decimals state var). Also
+     * detect `require(N == ...)` ordering.
+     */
+    tryLearnDecimals(node) {
+        const callName = this.directCallName(node?.expression);
+        if (callName !== 'require' && callName !== 'assert')
+            return;
+        const args = node?.arguments || [];
+        if (args.length === 0)
+            return;
+        const condition = args[0];
+        if (!(0, ast_1.isNode)(condition, 'BinaryOperation') || condition.operator !== '==')
+            return;
+        // Case 1: token.decimals() == N  or  N == token.decimals()
+        this.tryLearnDecimalsFromCall(condition.left, condition.right);
+        this.tryLearnDecimalsFromCall(condition.right, condition.left);
+        // Case 2: cachedDecimals == N  or  N == cachedDecimals (where cachedDecimals stores param.decimals())
+        this.tryLearnDecimalsFromCache(condition.left, condition.right);
+        this.tryLearnDecimalsFromCache(condition.right, condition.left);
+    }
+    tryLearnDecimalsFromCall(a, b) {
+        if (!(0, ast_1.isNode)(a, 'FunctionCall'))
+            return;
+        const tokenName = this.parseDecimalsCall(a);
+        if (!tokenName)
+            return;
+        const decimals = this.parseNumberLiteral(b);
+        if (decimals === null)
+            return;
+        this.setDecimals(tokenName, decimals);
+    }
+    tryLearnDecimalsFromCache(a, b) {
+        if (!(0, ast_1.isNode)(a, 'Identifier'))
+            return;
+        const param = this.decimalsCacheToParam.get(a.name);
+        if (!param)
+            return;
+        const decimals = this.parseNumberLiteral(b);
+        if (decimals === null)
+            return;
+        this.setDecimals(param, decimals);
+    }
+    /**
+     * Record decimals for a token name (state var or constructor param),
+     * and propagate to bound state variables.
+     */
+    setDecimals(name, decimals) {
+        this.tokenDecimals.set(name, { decimals });
+        // Propagate to state variables bound to this param
+        const bound = this.paramToStateVars.get(name);
+        if (bound) {
+            for (const sv of bound) {
+                this.tokenDecimals.set(sv, { decimals });
+            }
+        }
+    }
+    /**
+     * Parse `tokenVar.decimals()` call — returns the identifier name (state var or param).
+     */
+    parseDecimalsCall(node) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return null;
+        const expr = node?.expression;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return null;
+        if (expr.memberName !== 'decimals')
+            return null;
+        const base = expr.expression;
+        if ((0, ast_1.isNode)(base, 'Identifier')) {
+            const name = base.name;
+            // Accept state variables, constructor parameters, or any identifier
+            if (this.stateVars.has(name) || this.constructorParams.has(name))
+                return name;
+            // Fall through: accept for cases where caller is a constructor parameter
+            return name;
+        }
+        return null;
+    }
+    /**
+     * Parse a NumberLiteral and return its integer value, or null.
+     */
+    parseNumberLiteral(node) {
+        if (!(0, ast_1.isNode)(node, 'NumberLiteral'))
+            return null;
+        const num = Number(node.number);
+        if (!Number.isFinite(num) || num < 0)
+            return null;
+        if (num > 255)
+            return null; // decimals() returns uint8
+        return num;
+    }
+    /**
+     * Detect `uint256 x = token.balanceOf(...)` and record that x is an amount
+     * from the given token with its known decimals.
+     */
+    tryTrackLocalAmount(node) {
+        if (!(0, ast_1.isNode)(node, 'VariableDeclarationStatement'))
+            return;
+        const initialValue = node?.initialValue;
+        if (!initialValue)
+            return;
+        const amountInfo = this.extractTokenAmountCall(initialValue);
+        if (!amountInfo)
+            return;
+        for (const variable of node?.variables || []) {
+            if (variable?.name) {
+                this.localAmounts.set(variable.name, amountInfo);
+            }
+        }
+    }
+    /**
+     * Extract the token variable and its decimals from a balanceOf-like call.
+     */
+    extractTokenAmountCall(node) {
+        // Check for direct balanceOf/allowance: tokenVar.balanceOf(...)
+        return this.parseErc20AmountCall(node, node?.expression);
+    }
+    /**
+     * Parse a MemberAccess expression for balanceOf/allowance on a token.
+     */
+    parseErc20AmountCall(node, expr) {
+        if (!(0, ast_1.isNode)(node, 'FunctionCall'))
+            return null;
+        if (!(0, ast_1.isNode)(expr, 'MemberAccess'))
+            return null;
+        if (!ERC20_AMOUNT_METHODS.has(expr.memberName || ''))
+            return null;
+        const base = expr.expression;
+        if ((0, ast_1.isNode)(base, 'Identifier')) {
+            const tokenName = base.name;
+            const info = this.tokenDecimals.get(tokenName);
+            if (info) {
+                return { tokenVar: tokenName, decimals: info.decimals };
+            }
+        }
+        return null;
+    }
+    /**
+     * Resolve the effective decimals of an expression node.
+     * Handles: Identifier (localAmounts), FunctionCall (balanceOf/allowance),
+     * BinaryOperation (* or / by power-of-10 → scale normalization).
+     */
+    resolveAmountDecimals(node) {
+        if (!node || typeof node !== 'object')
+            return null;
+        // Identifier: look up local tracking
+        if ((0, ast_1.isNode)(node, 'Identifier')) {
+            const info = this.localAmounts.get(node.name);
+            return info || null;
+        }
+        // Direct balanceOf/allowance call
+        if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+            const expr = node.expression;
+            if ((0, ast_1.isNode)(expr, 'MemberAccess') && ERC20_AMOUNT_METHODS.has(expr.memberName || '')) {
+                const base = expr.expression;
+                if ((0, ast_1.isNode)(base, 'Identifier')) {
+                    const tokenInfo = this.tokenDecimals.get(base.name);
+                    if (tokenInfo) {
+                        return { tokenVar: base.name, decimals: tokenInfo.decimals };
+                    }
+                }
+            }
+            return null;
+        }
+        // Scale normalization: BinaryOperation with * or / by a power-of-10
+        if ((0, ast_1.isNode)(node, 'BinaryOperation')) {
+            const op = node.operator;
+            if (op === '*') {
+                const scale = this.extractPowerOfTen(node.right);
+                if (scale !== null) {
+                    const base = this.resolveAmountDecimals(node.left);
+                    if (base) {
+                        return { tokenVar: base.tokenVar, decimals: base.decimals + scale };
+                    }
+                }
+                const scaleL = this.extractPowerOfTen(node.left);
+                if (scaleL !== null) {
+                    const base = this.resolveAmountDecimals(node.right);
+                    if (base) {
+                        return { tokenVar: base.tokenVar, decimals: base.decimals + scaleL };
+                    }
+                }
+            }
+            if (op === '/') {
+                const scale = this.extractPowerOfTen(node.right);
+                if (scale !== null) {
+                    const base = this.resolveAmountDecimals(node.left);
+                    if (base) {
+                        return { tokenVar: base.tokenVar, decimals: base.decimals - scale };
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * Check if a node represents a scale normalization (multiply or divide by power-of-10).
+     */
+    isScaleNormalized(node) {
+        if (!(0, ast_1.isNode)(node, 'BinaryOperation'))
+            return false;
+        const op = node.operator;
+        if (op === '*' || op === '/') {
+            return this.extractPowerOfTen(node.right) !== null ||
+                this.extractPowerOfTen(node.left) !== null;
+        }
+        return false;
+    }
+    /**
+     * Extract the power of 10 from a node if it represents 10**N or 1eN.
+     * Returns the exponent N, or null if not a power-of-10.
+     */
+    extractPowerOfTen(node) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if ((0, ast_1.isNode)(node, 'NumberLiteral')) {
+            const num = String(node.number);
+            const match = num.match(/^1[eE](\d+)$/);
+            if (match) {
+                const exp = parseInt(match[1], 10);
+                if (exp > 0 && exp <= 77)
+                    return exp;
+            }
+            if (/^10+$/.test(num)) {
+                return num.length - 1;
+            }
+            if (/^1\d*$/.test(num)) {
+                const val = BigInt(num);
+                if (isPowerOfTen(val)) {
+                    return num.length - 1;
+                }
+            }
+            return null;
+        }
+        if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === '**') {
+            const left = this.parseNumberLiteral(node.left);
+            const right = this.parseNumberLiteral(node.right);
+            if (left === 10 && right !== null && right > 0 && right <= 77) {
+                return right;
+            }
+        }
+        if ((0, ast_1.isNode)(node, 'TupleExpression')) {
+            // Handle parenthesized expressions like (10 ** 12) → unwrap
+            const comps = node.components || [];
+            if (comps.length === 1) {
+                return this.extractPowerOfTen(comps[0]);
+            }
+        }
+        return null;
+    }
+    directCallName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if ((0, ast_1.isNode)(expr, 'Identifier'))
+            return expr.name || '';
+        return '';
+    }
+}
+exports.DecimalsMismatchDetector = DecimalsMismatchDetector;
+function isPowerOfTen(n) {
+    if (n <= 0n)
+        return false;
+    while (n > 1n) {
+        if (n % 10n !== 0n)
+            return false;
+        n /= 10n;
+    }
+    return true;
+}
+//# sourceMappingURL=decimals-mismatch.js.map

package/dist/detectors/deferred-state-update.d.ts

@@ -0,0 +1,16 @@
+import type { ScanResult } from '../index';
+export declare class DeferredStateUpdateDetector {
+    readonly id = "deferred-state-update";
+    readonly patternKey = "deferred-state-update";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    readonly enabledByDefault = false;
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private readonly delegate;
+    scanAst(ast: any, file: string, sourceText?: string): ScanResult[];
+}

package/dist/detectors/deferred-state-update.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeferredStateUpdateDetector = void 0;
+const treasury_reentrancy_1 = require("./treasury-reentrancy");
+const RULE_ID = 'deferred-state-update';
+const DELEGATE_RULE_ID = 'treasury-reentrancy';
+class DeferredStateUpdateDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    // Not enabled in default scans: this detector is a direct delegate to
+    // `treasury-reentrancy` and would otherwise emit a duplicate finding for
+    // the same vulnerability. It stays registered so it remains selectable
+    // via `--rule deferred-state-update` / `--enable deferred-state-update`
+    // and keeps its SARIF rule descriptor. See issue #2914.
+    enabledByDefault = false;
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'External interactions should not precede caller accounting updates.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Debit caller-controlled accounting before external value or token transfers, or guard unavoidable post-call work with an established reentrancy guard.',
+    };
+    delegate = new treasury_reentrancy_1.TreasuryReentrancyDetector();
+    scanAst(ast, file, sourceText) {
+        return this.delegate.scanAst(ast, file, sourceText).map(finding => ({
+            ...finding,
+            ruleId: RULE_ID,
+            severity: 'high',
+            pattern: finding.pattern?.replace(DELEGATE_RULE_ID, RULE_ID),
+        }));
+    }
+}
+exports.DeferredStateUpdateDetector = DeferredStateUpdateDetector;
+//# sourceMappingURL=deferred-state-update.js.map

package/dist/detectors/deflationary-token.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+type ParserOrSolcNode = any;
+export declare class DeflationaryTokenDetector {
+    readonly id = "deflationary-token";
+    readonly patternKey = "deflationary-token";
+    readonly supportedAstKinds: ("parser" | "solc")[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+        help: string;
+    };
+    private findings;
+    private currentFile;
+    private currentContract;
+    private fileHasDeflationaryToken;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    SourceUnit(node: ParserOrSolcNode): void;
+    ContractDefinition(node: ParserOrSolcNode): void;
+    ContractDefinition_post(): void;
+    FunctionDefinition(node: ParserOrSolcNode): void;
+    private analyzeFunction;
+    private emit;
+}
+export {};