@snovon/solast 0.2.0

package/dist/detectors/donate-inflation-exchangerate-roundin.js

@@ -0,0 +1,621 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DonateInflationExchangerateRoundinDetector = void 0;
+const RULE_ID = 'donate-inflation-exchangerate-roundin';
+const PROVENANCE = 'x-20231111-mahalend-donate-inflation-exchangerate-roundin';
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyrole',
+    'onlyadmin',
+    'onlyauthorized',
+    'onlyoperator',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlymanager',
+]);
+const SUPPLY_NAME_RE = /^_?(total)?[Ss]upply$/;
+const DONATION_FN_RE = /(donate|donation|gulp|sync|skim|accrue)/i;
+class DonateInflationExchangerateRoundinDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const findings = [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        for (const contract of collectContracts(ast)) {
+            if (isInterfaceLike(contract))
+                continue;
+            const contractName = getName(contract) || '<anonymous>';
+            const stateVarNames = collectStateVarNames(contract);
+            const functions = new Map();
+            for (const fn of getContractFunctions(contract)) {
+                const body = getFunctionBody(fn);
+                const name = functionDisplayName(fn);
+                functions.set(name, {
+                    node: fn,
+                    name,
+                    body,
+                    internalCallees: body ? collectInternalCallNames(body) : new Set(),
+                    hasUnsafeRateMath: false,
+                    donationStateWrites: body ? collectPublicDonationStateWrites(fn, body, stateVarNames) : new Set(),
+                });
+            }
+            const donatedStateVars = new Set();
+            for (const info of functions.values()) {
+                for (const name of info.donationStateWrites)
+                    donatedStateVars.add(name);
+            }
+            const unsafeRateFns = new Set();
+            for (const info of functions.values()) {
+                if (!info.body)
+                    continue;
+                const ctx = collectRateAliases(info.body, new Set(), donatedStateVars);
+                info.hasUnsafeRateMath = bodyHasUnsafeExchangeRateMath(info.body, ctx, new Set(), donatedStateVars);
+                if (info.hasUnsafeRateMath)
+                    unsafeRateFns.add(info.name);
+            }
+            const reachesUnsafeRate = computeTransitive(functions, info => info.hasUnsafeRateMath);
+            for (const [name, reaches] of reachesUnsafeRate)
+                if (reaches)
+                    unsafeRateFns.add(name);
+            const seen = new Set();
+            for (const info of functions.values()) {
+                if (!info.body)
+                    continue;
+                if (!isExternallyCallable(info.node))
+                    continue;
+                if (isViewOrPure(info.node))
+                    continue;
+                if (hasRecognizedAccessControlModifier(info.node))
+                    continue;
+                const ctx = collectRateAliases(info.body, unsafeRateFns, donatedStateVars);
+                const settlement = findRoundingDownSettlement(info.body, ctx, unsafeRateFns, donatedStateVars);
+                if (!settlement)
+                    continue;
+                if (!reachesUnsafeRate.get(info.name) && !bodyHasUnsafeExchangeRateMath(info.body, ctx, unsafeRateFns, donatedStateVars))
+                    continue;
+                const key = `${contractName}:${info.name}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                const fnLoc = getLoc(info.node, lineOffsets) || { line: 0, column: 0 };
+                findings.push({
+                    file,
+                    contract: contractName,
+                    'function': info.name,
+                    line: fnLoc.line,
+                    endLine: fnLoc.line,
+                    column: fnLoc.column,
+                    pattern: RULE_ID,
+                    confidence: 'high',
+                    ruleId: RULE_ID,
+                    severity: 'error',
+                    message: `Donate-inflated exchange-rate rounding risk in '${contractName}.${info.name}': settlement divides by a donation-inflatable exchange rate and rounds shares/tokens down.`,
+                    rationale: 'Mirrors the 2023-11-11 Mahalend pattern: a public donation or raw token balance can inflate the exchange rate while redeem/mint settlement computes shares with integer division that rounds in the attacker-favorable direction.',
+                    suggestedFix: 'Use internal accounting that excludes unsolicited donations, restrict donation/sync paths, and round burn/redemption share calculations up when converting assets to shares.',
+                    contractName,
+                    functionName: info.name,
+                    sourceLocation: { line: fnLoc.line, column: fnLoc.column },
+                    findingId: '',
+                    contractHash: '',
+                    provenance: PROVENANCE,
+                    source: PROVENANCE,
+                });
+            }
+        }
+        return findings;
+    }
+}
+exports.DonateInflationExchangerateRoundinDetector = DonateInflationExchangerateRoundinDetector;
+function collectPublicDonationStateWrites(fn, body, stateVarNames) {
+    const out = new Set();
+    if (!isExternallyCallable(fn))
+        return out;
+    if (isViewOrPure(fn))
+        return out;
+    if (hasRecognizedAccessControlModifier(fn))
+        return out;
+    if (!DONATION_FN_RE.test(functionDisplayName(fn)))
+        return out;
+    walk(body, node => {
+        if (!isAssignmentNode(node))
+            return;
+        const lhs = stripTuple(getAssignmentLeft(node));
+        if (!isNode(lhs, 'Identifier'))
+            return;
+        const name = String(lhs.name || '');
+        if (!stateVarNames.has(name) || isSupplyName(name))
+            return;
+        if (assignmentIncreasesStateVar(node, name))
+            out.add(name);
+    });
+    return out;
+}
+function assignmentIncreasesStateVar(node, name) {
+    const op = String(node.operator || '');
+    if (op === '+=')
+        return true;
+    if (op !== '=')
+        return false;
+    const rhs = getAssignmentRight(node);
+    return isNode(rhs, 'BinaryOperation') &&
+        String(rhs.operator || '') === '+' &&
+        walkAny(rhs, n => isIdentifierName(n, name));
+}
+function collectRateAliases(body, unsafeRateFns, donatedStateVars) {
+    const ctx = {
+        rateAliases: new Set(),
+        supplyAliases: new Set(),
+    };
+    const localNames = new Set();
+    const assignments = [];
+    walk(body, node => {
+        const decl = extractSingleDeclaration(node);
+        if (!decl)
+            return;
+        localNames.add(decl.name);
+        assignments.push({ name: decl.name, expr: decl.init });
+        if (isSupplyLeaf(decl.init, ctx))
+            ctx.supplyAliases.add(decl.name);
+    });
+    walk(body, node => {
+        if (!isAssignmentNode(node))
+            return;
+        const op = String(node.operator || '');
+        if (!op || !op.includes('=') || op === '==' || op === '!=' || op === '<=' || op === '>=')
+            return;
+        const lhs = stripTuple(getAssignmentLeft(node));
+        if (!isNode(lhs, 'Identifier'))
+            return;
+        const name = String(lhs.name || '');
+        if (!localNames.has(name))
+            return;
+        const rhs = getAssignmentRight(node);
+        if (rhs)
+            assignments.push({ name, expr: rhs });
+    });
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const { name, expr } of assignments) {
+            if (ctx.rateAliases.has(name))
+                continue;
+            if (isUnsafeRateExpression(expr, ctx, unsafeRateFns, donatedStateVars)) {
+                ctx.rateAliases.add(name);
+                changed = true;
+            }
+        }
+    }
+    return ctx;
+}
+function bodyHasUnsafeExchangeRateMath(body, ctx, unsafeRateFns, donatedStateVars) {
+    return walkAny(body, node => isExchangeRateMath(node, ctx, unsafeRateFns, donatedStateVars));
+}
+function isUnsafeRateExpression(expr, ctx, unsafeRateFns, donatedStateVars) {
+    const stripped = stripTuple(expr);
+    if (isNode(stripped, 'Identifier'))
+        return ctx.rateAliases.has(String(stripped.name || ''));
+    if (isUnsafeRateCall(stripped, unsafeRateFns))
+        return true;
+    return isExchangeRateMath(stripped, ctx, unsafeRateFns, donatedStateVars);
+}
+function isExchangeRateMath(node, ctx, unsafeRateFns, donatedStateVars) {
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    if (op !== '*' && op !== '/')
+        return false;
+    return containsInflatableCash(node, ctx, unsafeRateFns, donatedStateVars) && containsSupply(node, ctx);
+}
+function findRoundingDownSettlement(body, ctx, unsafeRateFns, donatedStateVars) {
+    const roundedAliases = new Set();
+    const assignments = [];
+    walk(body, node => {
+        const decl = extractSingleDeclaration(node);
+        if (decl)
+            assignments.push({ name: decl.name, expr: decl.init });
+        if (!isAssignmentNode(node))
+            return;
+        const lhs = stripTuple(getAssignmentLeft(node));
+        if (!isNode(lhs, 'Identifier'))
+            return;
+        const rhs = getAssignmentRight(node);
+        if (rhs)
+            assignments.push({ name: String(lhs.name || ''), expr: rhs });
+    });
+    let changed = true;
+    while (changed) {
+        changed = false;
+        for (const { name, expr } of assignments) {
+            if (roundedAliases.has(name))
+                continue;
+            if (isRoundingDownConversion(expr, ctx, unsafeRateFns, donatedStateVars) ||
+                (isNode(stripTuple(expr), 'Identifier') && roundedAliases.has(String(stripTuple(expr).name || '')))) {
+                roundedAliases.add(name);
+                changed = true;
+            }
+        }
+    }
+    return walkFind(body, node => {
+        if (!isAssignmentNode(node))
+            return false;
+        const lhs = stripTuple(getAssignmentLeft(node));
+        if (!isShareOrSupplyMutationTarget(lhs))
+            return false;
+        const rhs = getAssignmentRight(node);
+        if (walkAny(rhs, n => isRoundedAlias(n, roundedAliases)))
+            return true;
+        return String(node.operator || '') === '-=' && walkAny(rhs, n => isRoundedAlias(n, roundedAliases));
+    });
+}
+function isRoundingDownConversion(expr, ctx, unsafeRateFns, donatedStateVars) {
+    const stripped = stripTuple(expr);
+    if (!isNode(stripped, 'BinaryOperation') || String(stripped.operator || '') !== '/')
+        return false;
+    const right = stripped.right || stripped.rightExpression;
+    const left = stripped.left || stripped.leftExpression;
+    if (!containsUnsafeRateValue(right, ctx, unsafeRateFns, donatedStateVars))
+        return false;
+    if (containsUnsafeRateValue(left, ctx, unsafeRateFns, donatedStateVars))
+        return false;
+    return !containsOperator(left, '+') && !containsOperator(left, '-');
+}
+function isShareOrSupplyMutationTarget(lhs) {
+    if (!lhs || typeof lhs !== 'object')
+        return false;
+    if (isNode(lhs, 'IndexAccess'))
+        return true;
+    if (isNode(lhs, 'Identifier'))
+        return isSupplyName(String(lhs.name || ''));
+    if (isNode(lhs, 'MemberAccess'))
+        return isSupplyName(String(lhs.memberName || ''));
+    return false;
+}
+function containsUnsafeRateValue(node, ctx, unsafeRateFns, donatedStateVars) {
+    return walkAny(node, n => {
+        if (isNode(n, 'Identifier') && ctx.rateAliases.has(String(n.name || '')))
+            return true;
+        return isUnsafeRateCall(n, unsafeRateFns) || isExchangeRateMath(n, ctx, unsafeRateFns, donatedStateVars);
+    });
+}
+function containsInflatableCash(node, ctx, unsafeRateFns, donatedStateVars) {
+    return walkAny(node, n => {
+        if (isBalanceOfThisCall(n))
+            return true;
+        if (isNode(n, 'Identifier')) {
+            const name = String(n.name || '');
+            return donatedStateVars.has(name) || ctx.rateAliases.has(name);
+        }
+        if (isNode(n, 'MemberAccess'))
+            return donatedStateVars.has(String(n.memberName || ''));
+        return isUnsafeRateCall(n, unsafeRateFns);
+    });
+}
+function containsSupply(node, ctx) {
+    return walkAny(node, n => isSupplyLeaf(n, ctx));
+}
+function isSupplyLeaf(expr, ctx) {
+    const stripped = stripTuple(expr);
+    if (isNode(stripped, 'Identifier')) {
+        const name = String(stripped.name || '');
+        return isSupplyName(name) || ctx.supplyAliases.has(name);
+    }
+    if (isNode(stripped, 'MemberAccess'))
+        return isSupplyName(String(stripped.memberName || ''));
+    if (isNode(stripped, 'FunctionCall')) {
+        const callee = stripped.expression;
+        if (isNode(callee, 'Identifier'))
+            return isSupplyName(String(callee.name || ''));
+        if (isNode(callee, 'MemberAccess'))
+            return isSupplyName(String(callee.memberName || ''));
+    }
+    return false;
+}
+function isUnsafeRateCall(node, unsafeRateFns) {
+    if (!isFunctionCall(node))
+        return false;
+    const callee = node.expression;
+    if (isNode(callee, 'Identifier'))
+        return unsafeRateFns.has(String(callee.name || ''));
+    if (isNode(callee, 'MemberAccess') && isNode(callee.expression, 'Identifier') && String(callee.expression.name || '') === 'this') {
+        return unsafeRateFns.has(String(callee.memberName || ''));
+    }
+    return false;
+}
+function isBalanceOfThisCall(node) {
+    if (!isFunctionCall(node))
+        return false;
+    const callee = node.expression;
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    if (String(callee.memberName || '') !== 'balanceOf')
+        return false;
+    const args = getCallArguments(node);
+    return args.length === 1 && isAddressThisExpression(args[0]);
+}
+function isAddressThisExpression(expr) {
+    const stripped = stripTuple(expr);
+    if (isNode(stripped, 'Identifier') && String(stripped.name || '') === 'this')
+        return true;
+    if (isNode(stripped, 'FunctionCall')) {
+        const args = getCallArguments(stripped);
+        return args.length === 1 && isAddressTypeNode(stripped.expression) && isAddressThisExpression(args[0]);
+    }
+    return false;
+}
+function isAddressTypeNode(node) {
+    if (isNode(node, 'ElementaryTypeName') && String(node.name || '') === 'address')
+        return true;
+    if (isNode(node, 'ElementaryTypeNameExpression'))
+        return String(node.typeName?.name || '') === 'address';
+    return isNode(node, 'Identifier') && String(node.name || '') === 'address';
+}
+function extractSingleDeclaration(node) {
+    if (!isNode(node, 'VariableDeclarationStatement'))
+        return null;
+    const decls = (node.variables || node.declarations || []).filter((d) => d && typeof d === 'object');
+    if (decls.length !== 1)
+        return null;
+    const init = node.initialValue || node.initialExpression || null;
+    const name = String(decls[0]?.name || '');
+    return name && init ? { name, init } : null;
+}
+function computeTransitive(functions, predicate) {
+    const cache = new Map();
+    function compute(info, seen) {
+        const cached = cache.get(info.name);
+        if (cached !== undefined)
+            return cached;
+        if (predicate(info)) {
+            cache.set(info.name, true);
+            return true;
+        }
+        if (seen.has(info.name))
+            return false;
+        seen.add(info.name);
+        for (const calleeName of info.internalCallees) {
+            const callee = functions.get(calleeName);
+            if (callee && compute(callee, seen)) {
+                cache.set(info.name, true);
+                return true;
+            }
+        }
+        cache.set(info.name, false);
+        return false;
+    }
+    for (const info of functions.values())
+        compute(info, new Set());
+    return cache;
+}
+function collectStateVarNames(contract) {
+    const names = new Set();
+    for (const child of getContractMembers(contract)) {
+        const decls = isNode(child, 'StateVariableDeclaration') ? child.variables || [] : (isNode(child, 'VariableDeclaration') && child.stateVariable ? [child] : []);
+        for (const decl of decls)
+            if (decl?.name)
+                names.add(String(decl.name));
+    }
+    return names;
+}
+function collectInternalCallNames(body) {
+    const out = new Set();
+    walk(body, n => {
+        if (!isFunctionCall(n))
+            return;
+        const callee = n.expression;
+        if (isNode(callee, 'Identifier'))
+            out.add(String(callee.name || ''));
+    });
+    return out;
+}
+function getCallArguments(node) {
+    return Array.isArray(node?.arguments) ? node.arguments : [];
+}
+function isFunctionCall(n) {
+    return isNode(n, 'FunctionCall');
+}
+function isAssignmentNode(node) {
+    return isNode(node, 'Assignment') || isNode(node, 'BinaryOperation');
+}
+function getAssignmentLeft(node) {
+    return node?.left ?? node?.leftHandSide ?? node?.leftExpression ?? null;
+}
+function getAssignmentRight(node) {
+    return node?.right ?? node?.rightHandSide ?? node?.rightExpression ?? null;
+}
+function hasRecognizedAccessControlModifier(fn) {
+    const modifiers = fn?.modifiers || [];
+    if (!Array.isArray(modifiers))
+        return false;
+    return modifiers.some((m) => ACCESS_CONTROL_MODIFIERS.has(getModifierName(m).toLowerCase()));
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object')
+        return String(modifier.name.name || modifier.name.namePath || '');
+    const inner = modifier.modifierName;
+    if (typeof inner === 'string')
+        return inner;
+    return inner && typeof inner.name === 'string' ? inner.name : '';
+}
+function isExternallyCallable(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'constructor' || kind === 'fallback' || kind === 'receive')
+        return false;
+    if (fn.isFallback === true || fn.isReceiveEther === true)
+        return false;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isViewOrPure(fn) {
+    const stateMutability = String(fn?.stateMutability || '').toLowerCase();
+    return stateMutability === 'view' || stateMutability === 'pure';
+}
+function isInterfaceLike(contract) {
+    const kind = String(contract?.kind || contract?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getContractFunctions(contract) {
+    return getContractMembers(contract).filter(child => isNode(child, 'FunctionDefinition'));
+}
+function getContractMembers(contract) {
+    if (!contract || typeof contract !== 'object')
+        return [];
+    if (Array.isArray(contract.subNodes))
+        return contract.subNodes;
+    if (Array.isArray(contract.nodes))
+        return contract.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, n => out.push(n));
+    return out;
+}
+function walkContracts(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition')) {
+        visit(node);
+        return;
+    }
+    for (const child of childrenOf(node))
+        walkContracts(child, visit);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    return childrenOf(node).some(c => walkAny(c, predicate));
+}
+function walkFind(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return null;
+    if (predicate(node))
+        return node;
+    for (const c of childrenOf(node)) {
+        const found = walkFind(c, predicate);
+        if (found)
+            return found;
+    }
+    return null;
+}
+function walk(node, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    visit(node);
+    for (const c of childrenOf(node))
+        walk(c, visit);
+}
+function stripTuple(node) {
+    if (!node || typeof node !== 'object')
+        return node;
+    if (isNode(node, 'TupleExpression')) {
+        const components = (node.components || []).filter((c) => c && typeof c === 'object');
+        if (components.length === 1)
+            return stripTuple(components[0]);
+    }
+    return node;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const out = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'typeName')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value)
+                if (item && typeof item === 'object')
+                    out.push(item);
+        }
+        else if (value && typeof value === 'object') {
+            out.push(value);
+        }
+    }
+    return out;
+}
+function containsOperator(node, operator) {
+    return walkAny(node, n => isNode(n, 'BinaryOperation') && String(n.operator || '') === operator);
+}
+function isRoundedAlias(node, aliases) {
+    return isNode(node, 'Identifier') && aliases.has(String(node.name || ''));
+}
+function isIdentifierName(node, name) {
+    return isNode(node, 'Identifier') && String(node.name || '') === name;
+}
+function isSupplyName(name) {
+    return SUPPLY_NAME_RE.test(name);
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function functionDisplayName(fn) {
+    const kind = String(fn?.kind || '').toLowerCase();
+    if (fn?.isFallback === true || kind === 'fallback')
+        return '<fallback>';
+    if (fn?.isReceiveEther === true || kind === 'receive')
+        return '<receive>';
+    if (fn?.isConstructor === true || kind === 'constructor')
+        return '<constructor>';
+    return getName(fn) || '<anonymous>';
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const offsets = [0];
+    let byteOffset = 0;
+    for (const ch of sourceText) {
+        byteOffset += Buffer.byteLength(ch, 'utf8');
+        if (ch === '\n')
+            offsets.push(byteOffset);
+    }
+    return offsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return { line: node.loc.start.line || 0, column: node.loc.start.column || 0 };
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const [offsetRaw] = String(node.src).split(':');
+    const offset = Number(offsetRaw);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    return byteOffsetToLineColumn(offset, lineOffsets);
+}
+function byteOffsetToLineColumn(byteOffset, lineOffsets) {
+    let low = 0;
+    let high = lineOffsets.length - 1;
+    let lineIdx = 0;
+    while (low <= high) {
+        const mid = Math.floor((low + high) / 2);
+        if (lineOffsets[mid] <= byteOffset) {
+            lineIdx = mid;
+            low = mid + 1;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return { line: lineIdx + 1, column: byteOffset - lineOffsets[lineIdx] };
+}
+//# sourceMappingURL=donate-inflation-exchangerate-roundin.js.map

package/dist/detectors/donation-share-inflation.d.ts

@@ -0,0 +1,24 @@
+import type { ScanResult } from '../index';
+export declare class DonationShareInflationDetector {
+    readonly id = "donation-share-inflation";
+    readonly patternKey = "donation-share-inflation";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+        help: string;
+    };
+    private currentFile;
+    private currentContract;
+    private contractHasDeadShares;
+    private findings;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    private makeFinding;
+}