@snovon/solast 0.2.0

package/dist/detectors/dont-let-eth-get-rekt.js

@@ -0,0 +1,1151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DontLetEthGetRektDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'dont-let-eth-get-rekt';
+const ALWAYS_ETH_OUT_MEMBERS = new Set(['transfer', 'send']);
+const SPOT_PRICE_SOURCE_MEMBERS = new Set([
+    'getReserves',
+    'slot0',
+    'latestAnswer',
+    'latestRoundData',
+    'getAmountsOut',
+]);
+const TWAP_SOURCE_MEMBERS = new Set([
+    'consult',
+    'observe',
+    'getTwap',
+    'getTWAP',
+    'twap',
+    'getAveragePrice',
+]);
+class DontLetEthGetRektDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'ETH payout amount is derived from manipulable balance or spot-price state.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+        help: 'Flags ETH payouts or accounting paths that derive value from address(this).balance or a single-source spot price such as getReserves(), slot0(), latestAnswer(), or getAmountsOut() without an independent anchor.',
+    };
+    currentFile = '';
+    findings = [];
+    contractStack = [];
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contractStack = [];
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        const kind = String(node?.kind || '').toLowerCase();
+        this.contractStack.push({
+            name: node?.name || '<anonymous>',
+            node,
+            executable: kind !== 'interface' && kind !== 'library',
+        });
+    }
+    FunctionDefinition(node) {
+        const contract = this.currentContract();
+        if (!contract?.executable || !node?.body || this.isViewOrPure(node))
+            return;
+        const finding = this.findSpotPriceEthPayout(node, contract.name);
+        if (finding)
+            this.findings.push(finding);
+    }
+    ['ContractDefinition:exit'](node) {
+        const contract = this.contractStack[this.contractStack.length - 1];
+        if (contract?.node === node && contract.executable) {
+            const result = this.analyzeContract(node, contract.name);
+            if (result)
+                this.findings.push({ ...result, file: this.currentFile });
+        }
+        this.contractStack.pop();
+    }
+    ContractDefinition_post(node) {
+        this['ContractDefinition:exit'](node);
+    }
+    currentContract() {
+        return this.contractStack[this.contractStack.length - 1] || null;
+    }
+    findSpotPriceEthPayout(fn, contractName) {
+        const taint = this.buildPerFunctionSpotPriceTaint(fn);
+        if (taint.size === 0 && !this.functionContainsUnsafeSpotSource(fn))
+            return null;
+        if (this.hasSafeLatestRoundDataValidation(fn.body || fn))
+            return null;
+        const sink = this.findSpotTaintedEthSink(fn.body || fn, taint);
+        if (!sink)
+            return null;
+        // Taint-linked safety check: a TWAP/oracle call plus any generic require(...)
+        // must never suppress on its own (see PR #3437 review consensus). The
+        // payout is allowed to use spot-derived values only when a dominating
+        // guard bounds the spot taint against an independently-derived reference
+        // taint via a real bounded comparator (<, <=, >, >=).
+        const referenceTaint = this.buildPerFunctionReferenceTaint(fn);
+        if (referenceTaint.size > 0 &&
+            this.guardBindsSpotToReference(fn, sink.node, taint, referenceTaint)) {
+            return null;
+        }
+        const loc = (0, ast_1.assertLoc)(sink.node, fn);
+        const fnName = fn.name || '<anonymous>';
+        return {
+            file: this.currentFile,
+            contract: contractName,
+            'function': fnName,
+            line: loc.line,
+            endLine: loc.endLine,
+            column: loc.column,
+            endColumn: loc.endColumn,
+            ruleId: RULE_ID,
+            pattern: `${RULE_ID}/spot-price-eth-payout`,
+            severity: 'high',
+            confidence: 'high',
+            category: 'oracle-manipulation',
+            message: `ETH payout in '${contractName}.${fnName}' is derived from a single-source spot price without an independent freshness, TWAP, or bounds check.`,
+            rationale: 'Same-block reserve, slot0, raw aggregator, or router quote values can be manipulated before they determine an ETH transfer amount.',
+            suggestedFix: 'Use a TWAP or independent oracle and bound the spot value against that reference before using it in ETH settlement.',
+            contractName,
+            functionName: fnName,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+        };
+    }
+    buildPerFunctionSpotPriceTaint(fn) {
+        const localVariables = this.collectLocalVariableNames(fn.body || fn);
+        const taint = new Set();
+        const steps = this.collectLocalTaintSteps(fn.body || fn, localVariables);
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const step of steps) {
+                if (taint.has(step.name))
+                    continue;
+                if (this.expressionDependsOnSpotPrice(step.value, taint)) {
+                    taint.add(step.name);
+                    changed = true;
+                }
+            }
+        }
+        return taint;
+    }
+    functionContainsUnsafeSpotSource(fn) {
+        let found = false;
+        this.walk(fn.body || fn, (node) => {
+            if (found)
+                return;
+            if (this.isUnsafeSpotPriceSourceCall(node))
+                found = true;
+        });
+        return found;
+    }
+    findSpotTaintedEthSink(node, taint) {
+        if (!node || typeof node !== 'object')
+            return null;
+        const value = this.ethPayoutValueExpression(node);
+        if (value && this.expressionDependsOnSpotPrice(value, taint)) {
+            return { node };
+        }
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child) {
+                    const found = this.findSpotTaintedEthSink(item, taint);
+                    if (found)
+                        return found;
+                }
+            }
+            else if (child && typeof child === 'object') {
+                const found = this.findSpotTaintedEthSink(child, taint);
+                if (found)
+                    return found;
+            }
+        }
+        return null;
+    }
+    ethPayoutValueExpression(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return null;
+        const callee = node.expression;
+        if (callee?.type === 'MemberAccess') {
+            const member = String(callee.memberName || '').toLowerCase();
+            if (ALWAYS_ETH_OUT_MEMBERS.has(member) && this.isLikelyEthReceiver(callee.expression)) {
+                return node.arguments?.[0] || null;
+            }
+        }
+        if (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            const inner = callee.expression;
+            if (inner?.type === 'MemberAccess' && String(inner.memberName || '').toLowerCase() === 'call') {
+                return this.nameValueOptionExpression(callee, 'value');
+            }
+        }
+        return null;
+    }
+    isLikelyEthReceiver(expr) {
+        if (!expr || typeof expr !== 'object')
+            return false;
+        if (expr.type === 'MemberAccess') {
+            return expr.expression?.type === 'Identifier' && ['msg', 'tx'].includes(expr.expression.name);
+        }
+        if (expr.type === 'FunctionCall') {
+            const callee = expr.expression;
+            if (callee?.type === 'Identifier' && (callee.name === 'payable' || callee.name === 'address'))
+                return true;
+        }
+        return false;
+    }
+    nameValueOptionExpression(nve, optionName) {
+        const args = nve?.arguments;
+        if (args?.type === 'NameValueList') {
+            const names = args.names || [];
+            const values = args.arguments || [];
+            const index = names.indexOf(optionName);
+            return index >= 0 ? values[index] || null : null;
+        }
+        for (const option of nve?.options || []) {
+            if (option?.name === optionName)
+                return option.value || null;
+        }
+        return null;
+    }
+    expressionDependsOnSpotPrice(node, taint) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && taint.has(node.name))
+            return true;
+        if (this.isUnsafeSpotPriceSourceCall(node))
+            return true;
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child) {
+                    if (this.expressionDependsOnSpotPrice(item, taint))
+                        return true;
+                }
+            }
+            else if (child && typeof child === 'object') {
+                if (this.expressionDependsOnSpotPrice(child, taint))
+                    return true;
+            }
+        }
+        return false;
+    }
+    isUnsafeSpotPriceSourceCall(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return false;
+        const calleeName = this.getCalleeMemberName(node.expression);
+        return SPOT_PRICE_SOURCE_MEMBERS.has(calleeName);
+    }
+    getCalleeMemberName(expr) {
+        if (!expr || typeof expr !== 'object')
+            return '';
+        if (expr.type === 'Identifier')
+            return expr.name || '';
+        if (expr.type === 'MemberAccess')
+            return expr.memberName || '';
+        if (expr.type === 'NameValueExpression' || expr.type === 'FunctionCallOptions')
+            return this.getCalleeMemberName(expr.expression);
+        return '';
+    }
+    buildPerFunctionReferenceTaint(fn) {
+        const localVariables = this.collectLocalVariableNames(fn.body || fn);
+        const taint = new Set();
+        const steps = this.collectLocalTaintSteps(fn.body || fn, localVariables);
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const step of steps) {
+                if (taint.has(step.name))
+                    continue;
+                if (this.expressionDependsOnReferencePrice(step.value, taint)) {
+                    taint.add(step.name);
+                    changed = true;
+                }
+            }
+        }
+        return taint;
+    }
+    expressionDependsOnReferencePrice(node, taint) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && taint.has(node.name))
+            return true;
+        if (this.isReferencePriceSourceCall(node))
+            return true;
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child) {
+                    if (this.expressionDependsOnReferencePrice(item, taint))
+                        return true;
+                }
+            }
+            else if (child && typeof child === 'object') {
+                if (this.expressionDependsOnReferencePrice(child, taint))
+                    return true;
+            }
+        }
+        return false;
+    }
+    isReferencePriceSourceCall(node) {
+        if (!node || node.type !== 'FunctionCall')
+            return false;
+        const calleeName = this.getCalleeMemberName(node.expression);
+        return TWAP_SOURCE_MEMBERS.has(calleeName);
+    }
+    // Suppress only when a require/assert/if-revert guard textually precedes the
+    // payout sink in the same function and explicitly binds a spot-derived value
+    // to a reference-derived value via a bounded comparison (e.g. `spot <= avg *
+    // 105 / 100`, `abs(spot - avg) < threshold`). Trivial guards like
+    // `require(avg > 0)` — which only mention a reference identifier without
+    // bounding spot against it — must not suppress, since they leave the spot
+    // value free to be manipulated before driving the ETH payout.
+    guardBindsSpotToReference(fn, sinkNode, spotTaint, referenceTaint) {
+        if (spotTaint.size === 0 || referenceTaint.size === 0)
+            return false;
+        const sinkStart = this.getRangeStart(sinkNode);
+        if (sinkStart < 0)
+            return false;
+        let bound = false;
+        this.walk(fn.body || fn, (current) => {
+            if (bound)
+                return;
+            const condition = this.getGuardCondition(current);
+            if (!condition)
+                return;
+            const guardStart = this.getRangeStart(current);
+            if (guardStart < 0 || guardStart >= sinkStart)
+                return;
+            if (this.conditionBindsSpotToReference(condition, spotTaint, referenceTaint)) {
+                bound = true;
+            }
+        });
+        return bound;
+    }
+    getGuardCondition(node) {
+        if (node?.type === 'FunctionCall') {
+            const name = this.getCalleeMemberName(node.expression);
+            if ((name === 'require' || name === 'assert') && node.arguments?.[0]) {
+                return node.arguments[0];
+            }
+        }
+        if (node?.type === 'IfStatement' && node.condition && this.bodyContainsRevert(node.trueBody)) {
+            return node.condition;
+        }
+        return null;
+    }
+    bodyContainsRevert(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'RevertStatement')
+            return true;
+        if (node.type === 'FunctionCall') {
+            const name = this.getCalleeMemberName(node.expression);
+            if (name === 'revert')
+                return true;
+        }
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child)
+                    if (this.bodyContainsRevert(item))
+                        return true;
+            }
+            else if (child && typeof child === 'object') {
+                if (this.bodyContainsRevert(child))
+                    return true;
+            }
+        }
+        return false;
+    }
+    conditionBindsSpotToReference(condition, spotTaint, referenceTaint) {
+        let bound = false;
+        this.walk(condition, (current) => {
+            if (bound)
+                return;
+            if (current?.type !== 'BinaryOperation')
+                return;
+            if (!['<', '<=', '>', '>='].includes(current.operator))
+                return;
+            const left = current.left;
+            const right = current.right;
+            const touchesSpot = this.expressionTouchesTaint(left, spotTaint) ||
+                this.expressionTouchesTaint(right, spotTaint);
+            const touchesRef = this.expressionTouchesTaint(left, referenceTaint) ||
+                this.expressionTouchesTaint(right, referenceTaint);
+            if (touchesSpot && touchesRef)
+                bound = true;
+        });
+        return bound;
+    }
+    expressionTouchesTaint(node, taint) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && taint.has(node.name))
+            return true;
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child) {
+                    if (this.expressionTouchesTaint(item, taint))
+                        return true;
+                }
+            }
+            else if (child && typeof child === 'object') {
+                if (this.expressionTouchesTaint(child, taint))
+                    return true;
+            }
+        }
+        return false;
+    }
+    getRangeStart(node) {
+        if (Array.isArray(node?.range) && node.range.length >= 1) {
+            const start = Number(node.range[0]);
+            if (Number.isFinite(start))
+                return start;
+        }
+        const line = node?.loc?.start?.line;
+        const column = node?.loc?.start?.column;
+        if (typeof line === 'number' && line > 0) {
+            return line * 1_000_000 + (typeof column === 'number' ? column : 0);
+        }
+        return -1;
+    }
+    hasSafeLatestRoundDataValidation(node) {
+        let hasLatestRoundData = false;
+        let hasFreshness = false;
+        let hasRoundCompleteness = false;
+        let hasBounds = false;
+        this.walk(node, (current) => {
+            if (current?.type !== 'FunctionCall')
+                return;
+            const name = this.getCalleeMemberName(current.expression);
+            if (name === 'latestRoundData')
+                hasLatestRoundData = true;
+            if (name !== 'require' || !current.arguments?.[0])
+                return;
+            const condition = current.arguments[0];
+            if (this.expressionMentionsAny(condition, ['updatedAt']) && this.expressionMentionsAny(condition, ['timestamp', 'block'])) {
+                hasFreshness = true;
+            }
+            if (this.expressionMentionsAny(condition, ['answeredInRound']) && this.expressionMentionsAny(condition, ['roundId'])) {
+                hasRoundCompleteness = true;
+            }
+            if (this.expressionMentionsAny(condition, ['price', 'answer']) && this.expressionHasNumericLiteral(condition)) {
+                hasBounds = true;
+            }
+        });
+        return hasLatestRoundData && hasFreshness && hasRoundCompleteness && hasBounds;
+    }
+    expressionMentionsAny(node, needles) {
+        let found = false;
+        this.walk(node, (current) => {
+            if (found || !current || typeof current !== 'object')
+                return;
+            if (current.type === 'Identifier' && needles.includes(current.name))
+                found = true;
+            if (current.type === 'MemberAccess' && needles.includes(current.memberName))
+                found = true;
+        });
+        return found;
+    }
+    expressionHasNumericLiteral(node) {
+        let found = false;
+        this.walk(node, (current) => {
+            if (found || !current || typeof current !== 'object')
+                return;
+            if (current.type === 'NumberLiteral')
+                found = true;
+        });
+        return found;
+    }
+    walk(node, cb) {
+        if (!node || typeof node !== 'object')
+            return;
+        cb(node);
+        for (const key of childKeys(node)) {
+            const child = node[key];
+            if (Array.isArray(child)) {
+                for (const item of child)
+                    this.walk(item, cb);
+            }
+            else if (child && typeof child === 'object') {
+                this.walk(child, cb);
+            }
+        }
+    }
+    analyzeContract(contract, contractName) {
+        const hasEthIn = this.contractHasEthInSurface(contract);
+        if (!hasEthIn)
+            return null;
+        // Direct payout path is independent of whether the enclosing function performs
+        // state mutation: a `claim()` whose only statement is `transfer(address(this).balance)`
+        // still drains the contract on a manipulated balance.
+        const directPayoutInfo = this.balanceDrivesDirectPayoutWithLoc(contract);
+        if (directPayoutInfo) {
+            return {
+                contract: contractName,
+                line: directPayoutInfo.line,
+                column: directPayoutInfo.column,
+                'function': directPayoutInfo.functionName,
+                ruleId: RULE_ID,
+                severity: 'high',
+                confidence: 'high',
+                message: `Contract '${contractName}' receives ETH and derives a payout or accounting amount directly from address(this).balance with no independent accounting anchor. An attacker can manipulate the balance via forced ETH to drain funds.`,
+                contractName,
+                functionName: directPayoutInfo.functionName,
+                findingId: '',
+                contractHash: '',
+            };
+        }
+        const balanceReadInfo = this.contractHasBalanceReadWithLoc(contract);
+        if (!balanceReadInfo)
+            return null;
+        const hasEthOut = this.contractHasEthOutCall(contract);
+        const severity = this.balanceReadDrivesAccountingRate(contract) ? 'high' : 'medium';
+        if (!hasEthOut) {
+            return {
+                contract: contractName,
+                line: balanceReadInfo.line,
+                column: balanceReadInfo.column,
+                'function': balanceReadInfo.functionName,
+                ruleId: RULE_ID,
+                severity,
+                confidence: 'high',
+                message: `Contract '${contractName}' receives ETH and reads address(this).balance in non-view state-changing logic, but has no ETH-out path (no call{value:}, transfer, send, or selfdestruct found in the contract body). Forced ETH accumulation can manipulate the balance-driven accounting.`,
+                contractName,
+                functionName: balanceReadInfo.functionName,
+                findingId: '',
+                contractHash: '',
+            };
+        }
+        return null;
+    }
+    contractHasEthInSurface(contract) {
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'FunctionDefinition') {
+                if (this.isPayableFunction(sub))
+                    return true;
+            }
+        }
+        return false;
+    }
+    isPayableFunction(fn) {
+        const mutability = String(fn.stateMutability || '').toLowerCase();
+        if (mutability === 'payable')
+            return true;
+        const kind = (fn.kind || fn.functionKind || '').toLowerCase();
+        if (kind === 'fallback' || kind === 'receive')
+            return true;
+        return false;
+    }
+    contractHasBalanceReadWithLoc(contract) {
+        let result = null;
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition')
+                continue;
+            const fn = sub;
+            if (this.isViewOrPure(fn))
+                continue;
+            if (!this.functionHasStateMutation(fn))
+                continue;
+            this.walkForBalanceRead(fn.body || fn, (node) => {
+                if (!result) {
+                    const { line, column } = (0, ast_1.assertLoc)(node);
+                    result = { line, column, functionName: fn.name || '<anonymous>' };
+                }
+            });
+            if (result)
+                break;
+        }
+        return result;
+    }
+    walkForBalanceRead(node, cb) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'MemberAccess' && node.memberName === 'balance') {
+            if (this.isThisBalanceRead(node)) {
+                cb(node);
+                return;
+            }
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        this.walkForBalanceRead(item, cb);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                this.walkForBalanceRead(value, cb);
+            }
+        }
+    }
+    isThisBalanceRead(node) {
+        if (node.type !== 'MemberAccess')
+            return false;
+        if (node.memberName !== 'balance')
+            return false;
+        const expr = node.expression;
+        if (expr?.type === 'FunctionCall') {
+            const callee = expr.expression;
+            if (callee?.type === 'Identifier' && callee.name === 'address' && expr.arguments?.length === 1) {
+                const arg = expr.arguments[0];
+                if (arg?.type === 'Identifier' && arg.name === 'this')
+                    return true;
+            }
+        }
+        if (expr?.type === 'MemberAccess') {
+            if (expr.expression?.type === 'Identifier' && expr.expression.name === 'this')
+                return true;
+        }
+        return false;
+    }
+    contractHasEthOutCall(contract) {
+        const contractReceivers = this.collectContractAddressReceivers(contract);
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition')
+                continue;
+            if (!sub.body)
+                continue;
+            const fnReceivers = this.buildPerFunctionReceivers(sub, contractReceivers);
+            let found = false;
+            this.walkForEthOutCallWithLocals(sub.body, fnReceivers, () => { found = true; });
+            if (found)
+                return true;
+        }
+        return false;
+    }
+    collectContractAddressReceivers(contract) {
+        const locals = new Set();
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type === 'StateVariableDeclaration') {
+                for (const v of sub.variables || []) {
+                    if (v?.name && this.isAddressType(v)) {
+                        locals.add(v.name);
+                    }
+                }
+            }
+            if (sub?.type === 'FunctionDefinition') {
+                this.walkLocalAddressDeclarations(sub.body || sub, locals);
+            }
+        }
+        return locals;
+    }
+    buildPerFunctionReceivers(fn, contractReceivers) {
+        const receivers = new Set(contractReceivers);
+        const params = (Array.isArray(fn?.parameters) ? fn.parameters : fn?.parameters?.parameters) || [];
+        for (const p of params) {
+            if (p?.name && this.isAddressType(p)) {
+                receivers.add(p.name);
+            }
+        }
+        return receivers;
+    }
+    isAddressType(v) {
+        const typeString = String(v.typeName?.name || v.typeName || '');
+        return typeString === 'address' || typeString === 'address payable';
+    }
+    walkLocalAddressDeclarations(node, locals) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement') {
+            for (const v of node.variables || []) {
+                if (v?.name && this.isAddressType(v)) {
+                    locals.add(v.name);
+                }
+            }
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        this.walkLocalAddressDeclarations(item, locals);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                this.walkLocalAddressDeclarations(value, locals);
+            }
+        }
+    }
+    walkForEthOutCallWithLocals(node, addressTypedLocals, cb) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (this.isRealEthOutCall(node, addressTypedLocals)) {
+            cb();
+            return;
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        this.walkForEthOutCallWithLocals(item, addressTypedLocals, cb);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                this.walkForEthOutCallWithLocals(value, addressTypedLocals, cb);
+            }
+        }
+    }
+    isRealEthOutCall(node, addressTypedLocals) {
+        if (node.type !== 'FunctionCall')
+            return false;
+        const callee = node.expression;
+        if (callee?.type === 'Identifier' && callee.name === 'selfdestruct') {
+            return true;
+        }
+        if (callee?.type === 'MemberAccess') {
+            const member = String(callee.memberName || '').toLowerCase();
+            if (ALWAYS_ETH_OUT_MEMBERS.has(member)) {
+                return this.isAddressShapedReceiver(callee.expression, addressTypedLocals);
+            }
+        }
+        if (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            const inner = callee.expression;
+            if (inner?.type === 'MemberAccess') {
+                const member = String(inner.memberName || '').toLowerCase();
+                if (member === 'call' && this.nameValueHasOption(callee, 'value')) {
+                    return true;
+                }
+                if (ALWAYS_ETH_OUT_MEMBERS.has(member)) {
+                    return this.isAddressShapedReceiver(inner.expression, addressTypedLocals);
+                }
+            }
+        }
+        return false;
+    }
+    isAddressShapedReceiver(expr, addressTypedLocals) {
+        if (!expr)
+            return false;
+        if (expr.type === 'Identifier') {
+            const name = expr.name;
+            if (name === 'msg.sender' || name === 'tx.origin')
+                return true;
+            if (addressTypedLocals.has(name))
+                return true;
+            return false;
+        }
+        if (expr.type === 'FunctionCall') {
+            const fn = expr.expression;
+            if (fn?.type === 'Identifier') {
+                const fnName = fn.name;
+                if (fnName === 'payable' || fnName === 'address')
+                    return true;
+            }
+        }
+        return false;
+    }
+    nameValueHasOption(nve, optionName) {
+        const args = nve.arguments;
+        if (args?.type === 'NameValueList')
+            return (args.names || []).includes(optionName);
+        return (nve.options || []).some((option) => option?.name === optionName);
+    }
+    functionHasStateMutation(fn) {
+        return this.walkForStateMutation(fn.body || fn);
+    }
+    walkForStateMutation(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'VariableDeclarationStatement')
+            return true;
+        if (node.type === 'BinaryOperation' && ['=', '+=', '-=', '*=', '/=', '%=', '&=', '|=', '^=', '<<=', '>>=', '>>>='].includes(node.operator)) {
+            return true;
+        }
+        if (node.type === 'UnaryOperation' && ['++', '--'].includes(node.operator)) {
+            return true;
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object' && this.walkForStateMutation(item))
+                        return true;
+                }
+            }
+            else if (value && typeof value === 'object') {
+                if (this.walkForStateMutation(value))
+                    return true;
+            }
+        }
+        return false;
+    }
+    balanceReadDrivesAccountingRate(contract) {
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition')
+                continue;
+            if (!sub.body)
+                continue;
+            if (this.isViewOrPure(sub))
+                continue;
+            if (!this.functionHasStateMutation(sub))
+                continue;
+            if (this.functionHasBalanceAndMsgValueInSameExpression(sub))
+                return true;
+        }
+        return false;
+    }
+    functionHasBalanceAndMsgValueInSameExpression(fn) {
+        return this.walkForBalanceMsgValueExpression(fn.body || fn);
+    }
+    walkForBalanceMsgValueExpression(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (this.isExpressionNode(node) && this.expressionContainsBalanceRead(node) && this.expressionContainsMsgValue(node)) {
+            return true;
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object' && this.walkForBalanceMsgValueExpression(item))
+                        return true;
+                }
+            }
+            else if (value && typeof value === 'object') {
+                if (this.walkForBalanceMsgValueExpression(value))
+                    return true;
+            }
+        }
+        return false;
+    }
+    isExpressionNode(node) {
+        return [
+            'BinaryOperation',
+            'Conditional',
+            'FunctionCall',
+            'IndexAccess',
+            'MemberAccess',
+            'NameValueExpression',
+            'TupleExpression',
+            'UnaryOperation',
+        ].includes(node.type);
+    }
+    expressionContainsBalanceRead(node) {
+        let found = false;
+        this.walkForBalanceRead(node, () => { found = true; });
+        return found;
+    }
+    expressionContainsMsgValue(node) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'MemberAccess' && node.memberName === 'value') {
+            const expr = node.expression;
+            if (expr?.type === 'Identifier' && expr.name === 'msg')
+                return true;
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object' && this.expressionContainsMsgValue(item))
+                        return true;
+                }
+            }
+            else if (value && typeof value === 'object') {
+                if (this.expressionContainsMsgValue(value))
+                    return true;
+            }
+        }
+        return false;
+    }
+    balanceDrivesDirectPayoutWithLoc(contract) {
+        const contractReceivers = this.collectContractAddressReceivers(contract);
+        for (const sub of contract.subNodes || []) {
+            if (sub?.type !== 'FunctionDefinition')
+                continue;
+            if (!sub.body)
+                continue;
+            if (this.isViewOrPure(sub))
+                continue;
+            const fnReceivers = this.buildPerFunctionReceivers(sub, contractReceivers);
+            const taint = this.buildPerFunctionTaint(sub);
+            const loc = this.findBalanceInPayoutContext(sub.body || sub, taint, sub, fnReceivers);
+            if (loc)
+                return { ...loc, functionName: sub.name || '<anonymous>' };
+        }
+        return null;
+    }
+    findBalanceInPayoutContext(node, taint, funcNode, receivers) {
+        if (!node || typeof node !== 'object')
+            return null;
+        if (this.isRealEthOutCall(node, receivers) && this.callArgumentsContainBalance(node, taint)) {
+            if (!this.isOwnerSweep(funcNode, node)) {
+                const { line, column } = (0, ast_1.assertLoc)(node);
+                return { line, column };
+            }
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object') {
+                        const found = this.findBalanceInPayoutContext(item, taint, funcNode, receivers);
+                        if (found)
+                            return found;
+                    }
+                }
+            }
+            else if (value && typeof value === 'object') {
+                const found = this.findBalanceInPayoutContext(value, taint, funcNode, receivers);
+                if (found)
+                    return found;
+            }
+        }
+        return null;
+    }
+    isOwnerSweep(funcNode, callNode) {
+        if (!this.functionHasAccessControlModifier(funcNode))
+            return false;
+        const recipient = this.getEthOutRecipient(callNode);
+        if (!recipient)
+            return false;
+        return this.isFixedSafeRecipient(recipient);
+    }
+    functionHasAccessControlModifier(fn) {
+        for (const mod of fn.modifiers || []) {
+            if (mod?.type === 'ModifierInvocation' && mod.name) {
+                if (/^only[A-Z]/.test(mod.name))
+                    return true;
+            }
+        }
+        return false;
+    }
+    getEthOutRecipient(callNode) {
+        const callee = callNode.expression;
+        if (callee?.type === 'Identifier' && callee.name === 'selfdestruct') {
+            return callNode.arguments?.[0] || null;
+        }
+        if (callee?.type === 'MemberAccess') {
+            const member = String(callee.memberName || '').toLowerCase();
+            if (ALWAYS_ETH_OUT_MEMBERS.has(member)) {
+                return callee.expression;
+            }
+        }
+        if (callee?.type === 'NameValueExpression' || callee?.type === 'FunctionCallOptions') {
+            const inner = callee.expression;
+            if (inner?.type === 'MemberAccess') {
+                const member = String(inner.memberName || '').toLowerCase();
+                if (member === 'call' || ALWAYS_ETH_OUT_MEMBERS.has(member)) {
+                    return inner.expression;
+                }
+            }
+        }
+        return null;
+    }
+    isFixedSafeRecipient(expr) {
+        if (!expr)
+            return false;
+        if (expr.type === 'FunctionCall' &&
+            expr.expression?.type === 'Identifier' &&
+            expr.expression.name === 'payable' &&
+            expr.arguments?.length === 1) {
+            return this.isFixedSafeRecipient(expr.arguments[0]);
+        }
+        if (expr.type === 'Identifier') {
+            return /^(owner|admin|treasury|feeRecipient|feeAddress|fee_to|beneficiary|payee)$/.test(expr.name);
+        }
+        if (expr.type === 'FunctionCall' && expr.expression?.type === 'Identifier') {
+            return /^(owner|admin|treasury|feeRecipient|feeAddress|fee_to|beneficiary|payee)$/.test(expr.expression.name);
+        }
+        return false;
+    }
+    buildPerFunctionTaint(fn) {
+        const localVariables = this.collectLocalVariableNames(fn.body || fn);
+        const taint = new Set();
+        const steps = this.collectLocalTaintSteps(fn.body || fn, localVariables);
+        let changed = true;
+        while (changed) {
+            changed = false;
+            for (const step of steps) {
+                if (taint.has(step.name))
+                    continue;
+                if (this.expressionDependsOnTaint(step.value, taint)) {
+                    taint.add(step.name);
+                    changed = true;
+                }
+            }
+        }
+        return taint;
+    }
+    collectLocalVariableNames(node) {
+        const locals = new Set();
+        this.walkLocalDeclarations(node, locals);
+        return locals;
+    }
+    walkLocalDeclarations(node, locals) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement') {
+            for (const v of node.variables || []) {
+                if (v?.name)
+                    locals.add(v.name);
+            }
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        this.walkLocalDeclarations(item, locals);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                this.walkLocalDeclarations(value, locals);
+            }
+        }
+    }
+    collectLocalTaintSteps(node, locals) {
+        const steps = [];
+        this.walkLocalTaintSteps(node, locals, steps);
+        return steps;
+    }
+    walkLocalTaintSteps(node, locals, steps) {
+        if (!node || typeof node !== 'object')
+            return;
+        if (node.type === 'VariableDeclarationStatement' && node.initialValue) {
+            for (const v of node.variables || []) {
+                if (v?.name)
+                    steps.push({ name: v.name, value: node.initialValue });
+            }
+        }
+        if (node.type === 'ExpressionStatement' && node.expression?.type === 'BinaryOperation' && node.expression.operator === '=') {
+            const lhs = node.expression.left;
+            if (lhs?.type === 'Identifier' && locals.has(lhs.name)) {
+                steps.push({ name: lhs.name, value: node.expression.right });
+            }
+        }
+        for (const key of childKeys(node)) {
+            const value = node[key];
+            if (Array.isArray(value)) {
+                for (const item of value) {
+                    if (item && typeof item === 'object')
+                        this.walkLocalTaintSteps(item, locals, steps);
+                }
+            }
+            else if (value && typeof value === 'object') {
+                this.walkLocalTaintSteps(value, locals, steps);
+            }
+        }
+    }
+    callArgumentsContainBalance(node, taint) {
+        const allArgs = [];
+        if (node?.arguments) {
+            if (node.arguments.type === 'NameValueList') {
+                for (const arg of node.arguments.arguments || []) {
+                    allArgs.push(arg);
+                }
+            }
+            else {
+                for (const arg of node.arguments) {
+                    allArgs.push(arg);
+                }
+            }
+        }
+        if (node?.expression?.type === 'NameValueExpression' || node?.expression?.type === 'FunctionCallOptions') {
+            const nveArgs = node.expression.arguments;
+            if (nveArgs?.type === 'NameValueList') {
+                for (const arg of nveArgs.arguments || []) {
+                    allArgs.push(arg);
+                }
+            }
+            for (const option of node.expression.options || []) {
+                if (option?.value)
+                    allArgs.push(option.value);
+            }
+        }
+        for (const arg of allArgs) {
+            if (this.argContainsBalance(arg, taint))
+                return true;
+        }
+        return false;
+    }
+    argContainsBalance(arg, taint) {
+        return this.expressionDependsOnTaint(arg, taint);
+    }
+    expressionDependsOnTaint(node, taint) {
+        if (!node || typeof node !== 'object')
+            return false;
+        if (node.type === 'Identifier' && taint.has(node.name))
+            return true;
+        if (node.type === 'MemberAccess' && node.memberName === 'balance' && this.isThisBalanceRead(node)) {
+            return true;
+        }
+        if (node.type === 'BinaryOperation') {
+            return this.expressionDependsOnTaint(node.left, taint) || this.expressionDependsOnTaint(node.right, taint);
+        }
+        if (node.type === 'UnaryOperation') {
+            return this.expressionDependsOnTaint(node.subExpression, taint);
+        }
+        if (node.type === 'Conditional') {
+            return this.expressionDependsOnTaint(node.trueExpression, taint) || this.expressionDependsOnTaint(node.falseExpression, taint);
+        }
+        if (node.type === 'TupleExpression') {
+            for (const component of node.components || []) {
+                if (this.expressionDependsOnTaint(component, taint))
+                    return true;
+            }
+            return false;
+        }
+        if (node.type === 'FunctionCall') {
+            if (this.expressionDependsOnTaint(node.expression, taint))
+                return true;
+            const args = node.arguments;
+            if (args?.type === 'NameValueList') {
+                for (const arg of args.arguments || []) {
+                    if (this.expressionDependsOnTaint(arg, taint))
+                        return true;
+                }
+            }
+            else {
+                for (const arg of args || []) {
+                    if (this.expressionDependsOnTaint(arg, taint))
+                        return true;
+                }
+            }
+            return false;
+        }
+        if (node.type === 'IndexAccess') {
+            return this.expressionDependsOnTaint(node.base, taint) || this.expressionDependsOnTaint(node.index, taint);
+        }
+        if (node.type === 'MemberAccess') {
+            return this.expressionDependsOnTaint(node.expression, taint);
+        }
+        if (node.type === 'NameValueExpression') {
+            if (this.expressionDependsOnTaint(node.expression, taint))
+                return true;
+            const args = node.arguments;
+            if (args?.type === 'NameValueList') {
+                for (const arg of args.arguments || []) {
+                    if (this.expressionDependsOnTaint(arg, taint))
+                        return true;
+                }
+            }
+            return false;
+        }
+        return false;
+    }
+    isViewOrPure(fn) {
+        const mutability = String(fn.stateMutability || '').toLowerCase();
+        return mutability === 'view' || mutability === 'pure';
+    }
+}
+exports.DontLetEthGetRektDetector = DontLetEthGetRektDetector;
+function childKeys(node) {
+    const skip = new Set(['loc', 'range', 'typeName']);
+    const keys = [];
+    for (const k of Object.keys(node)) {
+        if (!skip.has(k))
+            keys.push(k);
+    }
+    return keys;
+}
+//# sourceMappingURL=dont-let-eth-get-rekt.js.map