@snovon/solast 0.2.0

package/dist/detectors/_common/oracle.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LIQUIDITY_WITHDRAWAL_CALL_NAMES = exports.SINK_CALL_NAMES = exports.TWAP_CALLS = exports.AMM_SPOT_SOURCES = void 0;
+exports.isLiquidityWithdrawalCall = isLiquidityWithdrawalCall;
+const price_rate_1 = require("./price-rate");
+exports.AMM_SPOT_SOURCES = price_rate_1.AMM_SPOT_SOURCE_CALL_NAMES;
+exports.TWAP_CALLS = price_rate_1.TWAP_PRICE_SOURCE_CALL_NAMES;
+exports.SINK_CALL_NAMES = new Set([
+    'liquidate',
+    '_liquidate',
+    'swap',
+    '_swap',
+    'mint',
+    '_mint',
+    'borrow',
+    '_borrow',
+    'redeem',
+    '_redeem',
+    'seize',
+    '_seize',
+    'close',
+    '_close',
+    'forceLiquidation',
+    '_forceLiquidation',
+]);
+exports.LIQUIDITY_WITHDRAWAL_CALL_NAMES = new Set([
+    'removeliquidity',
+    'remove_liquidity',
+]);
+function isLiquidityWithdrawalCall(callNode, getCalleeName) {
+    if (!callNode || typeof callNode !== 'object')
+        return false;
+    const calleeName = getCalleeName(callNode.expression);
+    if (!calleeName)
+        return false;
+    const lowerName = calleeName.toLowerCase();
+    if (exports.LIQUIDITY_WITHDRAWAL_CALL_NAMES.has(lowerName)) {
+        return true;
+    }
+    if (lowerName === 'burn') {
+        const args = callNode.arguments || [];
+        if (args.length === 3)
+            return true;
+        let receiver = getReceiverName(callNode.expression);
+        // Handle NamedArgs where callNode is functionally identical but parser wraps it differently.
+        // In parser AST, arguments can be name-value lists. We just check receiver.
+        if (receiver && (receiver.includes('pool') || receiver.includes('pair'))) {
+            return true;
+        }
+    }
+    return false;
+}
+function getReceiverName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return null;
+    if (expr.type === 'NameValueExpression' || expr.type === 'FunctionCallOptions') {
+        return getReceiverName(expr.expression);
+    }
+    if (expr.type === 'MemberAccess' && expr.expression?.type === 'Identifier') {
+        return expr.expression.name?.toLowerCase() || null;
+    }
+    return null;
+}
+//# sourceMappingURL=oracle.js.map

package/dist/detectors/_common/price-rate.d.ts

@@ -0,0 +1,116 @@
+/**
+ * Shared structural predicates for price/rate dependency reasoning.
+ *
+ * Detectors that flag single-source price or rate dependencies (the "veth pattern")
+ * need to identify: (1) price/rate signal sources, (2) critical value-transfer sinks,
+ * and (3) guard expressions that mitigate the dependency. This module provides the
+ * structural vocabulary for all three so the heuristics stay consistent and the
+ * rule-id vocabulary is captured in one place.
+ *
+ * Design notes for callers:
+ * - `isPriceSourceCall` / `isPriceSourceCalleeName` identify external oracle-style
+ *   calls that return a price or rate. The set covers Chainlink, Pyth, and common
+ *   custom oracle patterns.
+ * - `isPriceRateVariableName` identifies state-variable name shapes that suggest
+ *   the variable holds a price or rate value (anchored / camel-case-prefixed
+ *   patterns).
+ * - `isPriceRateLikeIdentifier` is a broader, camel-case-token-aware variant
+ *   suitable for local variables and same-contract helper-function names
+ *   (e.g. `currentRedeemRate`, `oraclePrice`, `stakedExchangeRate`).
+ * - `isCriticalValueTransferFunctionName` identifies function names whose bodies
+ *   typically contain value movement (transfer, mint, burn, swap, redeem,
+ *   withdraw).
+ * - `isFreshnessGuard` recognises timestamp-based staleness checks — both the
+ *   immediate-comparison shape and the additive-tolerance shape
+ *   (`updatedAt + MAX_AGE >= block.timestamp`).
+ * - `isSanityBoundGuard` recognises require/if conditions that bound a price
+ *   or rate value (min/max, deviation from TWAP, etc.).
+ */
+/**
+ * Callee names of price/rate oracle calls that return a single scalar value
+ * (as opposed to TWAP or multi-source aggregators). Covers Chainlink basic,
+ * Pyth, and common custom oracle shapes.
+ */
+export declare const PRICE_SOURCE_CALL_NAMES: ReadonlySet<string>;
+/**
+ * AMM calls that expose same-block spot state. These are not TWAP or
+ * aggregation APIs by themselves; callers must add their own time averaging,
+ * bounded-deviation check, or independent-source aggregation before using the
+ * value in protocol accounting.
+ */
+export declare const AMM_SPOT_SOURCE_CALL_NAMES: ReadonlySet<string>;
+/**
+ * Scalar spot-price call vocabulary shared by spot-manipulation detectors.
+ * The set intentionally includes raw AMM reads, raw aggregator answers, and
+ * custom getPrice-style oracles, while excluding TWAP/median helper names.
+ */
+export declare const SPOT_PRICE_SOURCE_CALL_NAMES: ReadonlySet<string>;
+/**
+ * Calls that are commonly used to derive or fetch a time-weighted/reference
+ * price instead of a raw spot quote.
+ */
+export declare const TWAP_PRICE_SOURCE_CALL_NAMES: ReadonlySet<string>;
+/**
+ * State-variable name patterns that suggest the variable holds a price or
+ * exchange rate value sourced from an external system (not a governance-set
+ * constant). Used as a stricter filter than `isPriceRateLikeIdentifier`.
+ */
+export declare const PRICE_RATE_VARIABLE_PATTERNS: RegExp[];
+/**
+ * Function names whose bodies are expected to contain critical value-transfer
+ * logic (token movement, share minting/burning, collateral settlement). Used
+ * by detectors to decide whether a function is value-transfer-shaped.
+ */
+export declare const CRITICAL_VALUE_TRANSFER_NAMES: ReadonlySet<string>;
+/**
+ * Fields commonly used to track the freshness of a price or rate feed.
+ * Used to detect staleness checks: `require(updatedAt + maxAge >= block.timestamp)`.
+ */
+export declare const FRESHNESS_FIELD_NAMES: ReadonlySet<string>;
+/**
+ * Recognized freshness guard modifier names. A function decorated with one of
+ * these is considered to have equivalent protection to an inline freshness check.
+ */
+export declare const RECOGNIZED_FRESHNESS_MODIFIER_NAMES: ReadonlySet<string>;
+export declare function isPriceSourceCall(node: any): boolean;
+export declare function isPriceSourceCalleeName(name: string): boolean;
+export declare function isPriceRateVariableName(name: string): boolean;
+/**
+ * Camel-case-token-aware identifier matcher. Splits the name on underscores
+ * and lower→upper transitions, lower-cases each token, and returns true when
+ * any token is in `PRICE_RATE_TOKEN_VOCAB`. Catches both state vars (`rate`,
+ * `redeemRate`) and helper / local names (`currentRedeemRate`, `oraclePrice`).
+ */
+export declare function isPriceRateLikeIdentifier(name: string): boolean;
+export declare function isCriticalValueTransferFunctionName(name: string): boolean;
+export declare function isFreshnessFieldName(name: string): boolean;
+export declare function isRecognizedFreshnessModifierName(name: string): boolean;
+/**
+ * Does the condition validate the freshness of a price or rate signal via a
+ * timestamp-based staleness guard?
+ *
+ * Recognised structurally as: the condition references `block.timestamp`
+ * AND mentions a known freshness field (`updatedAt`, `lastUpdate`,
+ * `publishTime`, ...) anywhere in the expression tree. Covers
+ *   `updatedAt + MAX_AGE >= block.timestamp`
+ *   `block.timestamp - updatedAt <= MAX_AGE`
+ *   `lastUpdate + maxAge > block.timestamp`
+ * and require/if wrappings of the same.
+ */
+export declare function isFreshnessGuard(condition: any): boolean;
+/**
+ * Does the condition validate a price or rate against a min/max bound,
+ * a deviation check against a TWAP/reference, or any other sanity constraint?
+ * These are distinct from freshness checks and provide a different mitigation.
+ */
+export declare function isSanityBoundGuard(condition: any, priceSymbolNames?: string[]): boolean;
+export declare function getCalleeName(expr: any): string;
+/**
+ * Split an identifier into lower-cased camel-case / snake-case tokens.
+ *
+ * `redeemRate` -> ['redeem', 'rate']
+ * `current_redeem_rate` -> ['current', 'redeem', 'rate']
+ * `getOraclePrice` -> ['get', 'oracle', 'price']
+ * `RATE_LIMIT` -> ['rate', 'limit']
+ */
+export declare function splitCamelTokens(name: string): string[];

package/dist/detectors/_common/price-rate.js

@@ -0,0 +1,446 @@
+"use strict";
+/**
+ * Shared structural predicates for price/rate dependency reasoning.
+ *
+ * Detectors that flag single-source price or rate dependencies (the "veth pattern")
+ * need to identify: (1) price/rate signal sources, (2) critical value-transfer sinks,
+ * and (3) guard expressions that mitigate the dependency. This module provides the
+ * structural vocabulary for all three so the heuristics stay consistent and the
+ * rule-id vocabulary is captured in one place.
+ *
+ * Design notes for callers:
+ * - `isPriceSourceCall` / `isPriceSourceCalleeName` identify external oracle-style
+ *   calls that return a price or rate. The set covers Chainlink, Pyth, and common
+ *   custom oracle patterns.
+ * - `isPriceRateVariableName` identifies state-variable name shapes that suggest
+ *   the variable holds a price or rate value (anchored / camel-case-prefixed
+ *   patterns).
+ * - `isPriceRateLikeIdentifier` is a broader, camel-case-token-aware variant
+ *   suitable for local variables and same-contract helper-function names
+ *   (e.g. `currentRedeemRate`, `oraclePrice`, `stakedExchangeRate`).
+ * - `isCriticalValueTransferFunctionName` identifies function names whose bodies
+ *   typically contain value movement (transfer, mint, burn, swap, redeem,
+ *   withdraw).
+ * - `isFreshnessGuard` recognises timestamp-based staleness checks — both the
+ *   immediate-comparison shape and the additive-tolerance shape
+ *   (`updatedAt + MAX_AGE >= block.timestamp`).
+ * - `isSanityBoundGuard` recognises require/if conditions that bound a price
+ *   or rate value (min/max, deviation from TWAP, etc.).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RECOGNIZED_FRESHNESS_MODIFIER_NAMES = exports.FRESHNESS_FIELD_NAMES = exports.CRITICAL_VALUE_TRANSFER_NAMES = exports.PRICE_RATE_VARIABLE_PATTERNS = exports.TWAP_PRICE_SOURCE_CALL_NAMES = exports.SPOT_PRICE_SOURCE_CALL_NAMES = exports.AMM_SPOT_SOURCE_CALL_NAMES = exports.PRICE_SOURCE_CALL_NAMES = void 0;
+exports.isPriceSourceCall = isPriceSourceCall;
+exports.isPriceSourceCalleeName = isPriceSourceCalleeName;
+exports.isPriceRateVariableName = isPriceRateVariableName;
+exports.isPriceRateLikeIdentifier = isPriceRateLikeIdentifier;
+exports.isCriticalValueTransferFunctionName = isCriticalValueTransferFunctionName;
+exports.isFreshnessFieldName = isFreshnessFieldName;
+exports.isRecognizedFreshnessModifierName = isRecognizedFreshnessModifierName;
+exports.isFreshnessGuard = isFreshnessGuard;
+exports.isSanityBoundGuard = isSanityBoundGuard;
+exports.getCalleeName = getCalleeName;
+exports.splitCamelTokens = splitCamelTokens;
+const ast_1 = require("./ast");
+/**
+ * Callee names of price/rate oracle calls that return a single scalar value
+ * (as opposed to TWAP or multi-source aggregators). Covers Chainlink basic,
+ * Pyth, and common custom oracle shapes.
+ */
+exports.PRICE_SOURCE_CALL_NAMES = new Set([
+    'latestAnswer',
+    'latestRoundData',
+    'getPrice',
+    'getPriceUnsafe',
+    'getRate',
+    'redeemRate',
+    'exchangeRate',
+    'convertToAssets',
+    'convertToShares',
+    'getAmountOut',
+    'getAmountIn',
+]);
+/**
+ * AMM calls that expose same-block spot state. These are not TWAP or
+ * aggregation APIs by themselves; callers must add their own time averaging,
+ * bounded-deviation check, or independent-source aggregation before using the
+ * value in protocol accounting.
+ */
+exports.AMM_SPOT_SOURCE_CALL_NAMES = new Set([
+    'getReserves',
+    'slot0',
+    'getAmountsOut',
+    'getAmountOut',
+]);
+/**
+ * Scalar spot-price call vocabulary shared by spot-manipulation detectors.
+ * The set intentionally includes raw AMM reads, raw aggregator answers, and
+ * custom getPrice-style oracles, while excluding TWAP/median helper names.
+ */
+exports.SPOT_PRICE_SOURCE_CALL_NAMES = new Set([
+    'getReserves',
+    'slot0',
+    'spotPrice',
+    'latestRoundData',
+    'latestAnswer',
+    'getPrice',
+    'getPriceUnsafe',
+    'getExpectedRate',
+    'getAmountOut',
+    'getAmountsOut',
+    'price0CumulativeLast',
+    'price1CumulativeLast',
+]);
+/**
+ * Calls that are commonly used to derive or fetch a time-weighted/reference
+ * price instead of a raw spot quote.
+ */
+exports.TWAP_PRICE_SOURCE_CALL_NAMES = new Set([
+    'observe',
+    'consult',
+    'getTimeWeightedPrices',
+    'getAveragePrice',
+    'getTwap',
+    'getTWAP',
+    'twap',
+]);
+/**
+ * State-variable name patterns that suggest the variable holds a price or
+ * exchange rate value sourced from an external system (not a governance-set
+ * constant). Used as a stricter filter than `isPriceRateLikeIdentifier`.
+ */
+exports.PRICE_RATE_VARIABLE_PATTERNS = [
+    /^(rate|exchangeRate|redeemRate|price|spotPrice|fairPrice|oraclePrice)$/i,
+    /^(price|rate|exchange)[A-Z]/,
+    /[A-Z](Price|Rate|Exchange)([A-Z]|$)/,
+];
+/**
+ * Lower-case camel-case tokens that mark an identifier as price/rate-like.
+ * Combined with `splitCamelTokens`, this catches helper names like
+ * `currentRedeemRate` or `getOraclePrice` without inflating the variable-name
+ * patterns above.
+ */
+const PRICE_RATE_TOKEN_VOCAB = new Set([
+    'rate', 'price', 'exchange',
+]);
+/**
+ * Function names whose bodies are expected to contain critical value-transfer
+ * logic (token movement, share minting/burning, collateral settlement). Used
+ * by detectors to decide whether a function is value-transfer-shaped.
+ */
+exports.CRITICAL_VALUE_TRANSFER_NAMES = new Set([
+    'transfer',
+    'transferFrom',
+    'safeTransfer',
+    'safeTransferFrom',
+    'mint',
+    'burn',
+    'redeem',
+    'withdraw',
+    'deposit',
+    'swap',
+    'liquidate',
+    'flashLoan',
+    'sendValue',
+]);
+/**
+ * Fields commonly used to track the freshness of a price or rate feed.
+ * Used to detect staleness checks: `require(updatedAt + maxAge >= block.timestamp)`.
+ */
+exports.FRESHNESS_FIELD_NAMES = new Set([
+    'updatedAt',
+    'updated_at',
+    'publishTime',
+    'publish_time',
+    'lastUpdate',
+    'lastupdate',
+    'lastUpdated',
+    'blockTimestampLast',
+    'roundTimestamp',
+]);
+/**
+ * Recognized freshness guard modifier names. A function decorated with one of
+ * these is considered to have equivalent protection to an inline freshness check.
+ */
+exports.RECOGNIZED_FRESHNESS_MODIFIER_NAMES = new Set([
+    'whenpricefresh',
+    'whenoraclefresh',
+    'onlywhenpricefresh',
+    'onlywhenoraclefresh',
+    'requirefresh',
+    'requirepricefresh',
+    'validrate',
+    'validprice',
+    'onlyvalidrate',
+    'onlyvalidprice',
+]);
+function isPriceSourceCall(node) {
+    if (!node || !(0, ast_1.isNode)(node, 'FunctionCall'))
+        return false;
+    const name = getCalleeName(node.expression);
+    return exports.PRICE_SOURCE_CALL_NAMES.has(name);
+}
+function isPriceSourceCalleeName(name) {
+    return exports.PRICE_SOURCE_CALL_NAMES.has(name);
+}
+function isPriceRateVariableName(name) {
+    if (!name)
+        return false;
+    return exports.PRICE_RATE_VARIABLE_PATTERNS.some(p => p.test(name));
+}
+/**
+ * Camel-case-token-aware identifier matcher. Splits the name on underscores
+ * and lower→upper transitions, lower-cases each token, and returns true when
+ * any token is in `PRICE_RATE_TOKEN_VOCAB`. Catches both state vars (`rate`,
+ * `redeemRate`) and helper / local names (`currentRedeemRate`, `oraclePrice`).
+ */
+function isPriceRateLikeIdentifier(name) {
+    if (!name)
+        return false;
+    for (const token of splitCamelTokens(name)) {
+        if (PRICE_RATE_TOKEN_VOCAB.has(token))
+            return true;
+    }
+    return false;
+}
+function isCriticalValueTransferFunctionName(name) {
+    if (!name)
+        return false;
+    if (exports.CRITICAL_VALUE_TRANSFER_NAMES.has(name))
+        return true;
+    for (const token of splitCamelTokens(name)) {
+        if (token === 'mint' || token === 'burn' || token === 'redeem' ||
+            token === 'withdraw' || token === 'swap' || token === 'liquidate' ||
+            token === 'deposit') {
+            return true;
+        }
+    }
+    return false;
+}
+function isFreshnessFieldName(name) {
+    return exports.FRESHNESS_FIELD_NAMES.has(name);
+}
+function isRecognizedFreshnessModifierName(name) {
+    return exports.RECOGNIZED_FRESHNESS_MODIFIER_NAMES.has(name.toLowerCase());
+}
+/**
+ * Does the condition validate the freshness of a price or rate signal via a
+ * timestamp-based staleness guard?
+ *
+ * Recognised structurally as: the condition references `block.timestamp`
+ * AND mentions a known freshness field (`updatedAt`, `lastUpdate`,
+ * `publishTime`, ...) anywhere in the expression tree. Covers
+ *   `updatedAt + MAX_AGE >= block.timestamp`
+ *   `block.timestamp - updatedAt <= MAX_AGE`
+ *   `lastUpdate + maxAge > block.timestamp`
+ * and require/if wrappings of the same.
+ */
+function isFreshnessGuard(condition) {
+    if (!condition || typeof condition !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(condition, 'FunctionCall')) {
+        const callee = getCalleeName(condition.expression);
+        if (callee === 'require' || callee === 'assert') {
+            const arg = (condition.arguments || [])[0];
+            return isFreshnessGuard(arg);
+        }
+    }
+    const containsBlockTimestamp = walkAny(condition, (n) => isBlockMemberAccess(n, 'timestamp'));
+    if (!containsBlockTimestamp)
+        return false;
+    const containsFreshnessField = walkAny(condition, (n) => {
+        if ((0, ast_1.isNode)(n, 'Identifier') && exports.FRESHNESS_FIELD_NAMES.has(n.name || ''))
+            return true;
+        if ((0, ast_1.isNode)(n, 'MemberAccess') && exports.FRESHNESS_FIELD_NAMES.has(n.memberName || ''))
+            return true;
+        return false;
+    });
+    if (!containsFreshnessField)
+        return false;
+    const containsMath = walkAny(condition, (n) => (0, ast_1.isNode)(n, 'BinaryOperation') && ['+', '-'].includes(n.operator));
+    if (!containsMath)
+        return false;
+    return true;
+}
+/**
+ * Does the condition validate a price or rate against a min/max bound,
+ * a deviation check against a TWAP/reference, or any other sanity constraint?
+ * These are distinct from freshness checks and provide a different mitigation.
+ */
+function isSanityBoundGuard(condition, priceSymbolNames = []) {
+    if (!condition || typeof condition !== 'object')
+        return false;
+    if ((0, ast_1.isNode)(condition, 'FunctionCall')) {
+        const callee = getCalleeName(condition.expression);
+        if (callee === 'require' || callee === 'assert') {
+            const arg = (condition.arguments || [])[0];
+            if (arg && isSanityBoundGuard(arg, priceSymbolNames))
+                return true;
+        }
+    }
+    if ((0, ast_1.isNode)(condition, 'BinaryOperation') && condition.operator === '&&') {
+        if (isTwoSidedReferenceBoundGuard(condition, priceSymbolNames))
+            return true;
+    }
+    if ((0, ast_1.isNode)(condition, 'BinaryOperation') && (condition.operator === '&&' || condition.operator === '||')) {
+        if (isSanityBoundGuard(condition.left || condition.leftExpression, priceSymbolNames))
+            return true;
+        if (isSanityBoundGuard(condition.right || condition.rightExpression, priceSymbolNames))
+            return true;
+    }
+    if ((0, ast_1.isNode)(condition, 'BinaryOperation') && ['<', '<=', '>', '>=', '==', '!='].includes(condition.operator)) {
+        const names = extractAllNames(condition);
+        const lowerNames = names.map(n => n.toLowerCase());
+        const hasBoundTerm = lowerNames.some(n => ['min', 'max', 'bound', 'floor', 'ceiling', 'cap', 'limit', 'deviation', 'delta', 'spread', 'tolerance'].some(t => n.includes(t)));
+        const hasReferenceTerm = lowerNames.some(n => ['last', 'old', 'prior', 'twap', 'avg', 'average', 'reference', 'median', 'trusted', 'expected', 'fair', 'nominal'].some(t => n.includes(t)));
+        if (hasBoundTerm && hasReferenceTerm)
+            return true;
+        if (hasBoundTerm && priceSymbolNames.some(p => names.includes(p)))
+            return true;
+    }
+    return false;
+}
+function isTwoSidedReferenceBoundGuard(condition, priceSymbolNames) {
+    if (priceSymbolNames.length === 0)
+        return false;
+    let hasUpperBound = false;
+    let hasLowerBound = false;
+    for (const comparison of flattenAndConditions(condition)) {
+        if (!(0, ast_1.isNode)(comparison, 'BinaryOperation'))
+            continue;
+        if (!['<', '<=', '>', '>='].includes(comparison.operator))
+            continue;
+        const left = comparison.left || comparison.leftExpression;
+        const right = comparison.right || comparison.rightExpression;
+        const leftHasPrice = containsAnyName(left, priceSymbolNames);
+        const rightHasPrice = containsAnyName(right, priceSymbolNames);
+        if (leftHasPrice === rightHasPrice)
+            continue;
+        const referenceSide = leftHasPrice ? right : left;
+        if (!containsReferenceTerm(referenceSide))
+            continue;
+        if (!containsArithmetic(referenceSide))
+            continue;
+        if (leftHasPrice) {
+            if (comparison.operator === '<' || comparison.operator === '<=')
+                hasUpperBound = true;
+            if (comparison.operator === '>' || comparison.operator === '>=')
+                hasLowerBound = true;
+        }
+        else {
+            if (comparison.operator === '<' || comparison.operator === '<=')
+                hasLowerBound = true;
+            if (comparison.operator === '>' || comparison.operator === '>=')
+                hasUpperBound = true;
+        }
+    }
+    return hasUpperBound && hasLowerBound;
+}
+function flattenAndConditions(node) {
+    if ((0, ast_1.isNode)(node, 'BinaryOperation') && node.operator === '&&') {
+        return [
+            ...flattenAndConditions(node.left || node.leftExpression),
+            ...flattenAndConditions(node.right || node.rightExpression),
+        ];
+    }
+    return [node];
+}
+function containsAnyName(node, names) {
+    const wanted = new Set(names);
+    return walkAny(node, (n) => {
+        if ((0, ast_1.isNode)(n, 'Identifier') && wanted.has(n.name || ''))
+            return true;
+        if ((0, ast_1.isNode)(n, 'MemberAccess') && wanted.has(n.memberName || ''))
+            return true;
+        return false;
+    });
+}
+function containsReferenceTerm(node) {
+    const names = extractAllNames(node).map(n => n.toLowerCase());
+    return names.some(n => ['last', 'old', 'prior', 'twap', 'avg', 'average', 'reference', 'median', 'trusted', 'expected', 'fair', 'nominal'].some(t => n.includes(t)));
+}
+function containsArithmetic(node) {
+    return walkAny(node, (n) => (0, ast_1.isNode)(n, 'BinaryOperation') && ['+', '-', '*', '/', '%'].includes(n.operator));
+}
+function isBlockMemberAccess(node, member) {
+    if (!node)
+        return false;
+    return (0, ast_1.isNode)(node, 'MemberAccess') &&
+        node.expression?.type === 'Identifier' &&
+        node.expression.name === 'block' &&
+        node.memberName === member;
+}
+function extractAllNames(node) {
+    const names = [];
+    walk(node, n => {
+        if ((0, ast_1.isNode)(n, 'Identifier') && n.name)
+            names.push(n.name);
+        if ((0, ast_1.isNode)(n, 'MemberAccess') && n.memberName)
+            names.push(n.memberName);
+    });
+    return names;
+}
+function walk(node, visitor) {
+    if (!node || typeof node !== 'object')
+        return;
+    visitor(node);
+    for (const child of childNodes(node))
+        walk(child, visitor);
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childNodes(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childNodes(node) {
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'range' || key === 'src')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function getCalleeName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if ((0, ast_1.isNode)(expr, 'Identifier'))
+        return expr.name || '';
+    if ((0, ast_1.isNode)(expr, 'MemberAccess'))
+        return expr.memberName || '';
+    return '';
+}
+/**
+ * Split an identifier into lower-cased camel-case / snake-case tokens.
+ *
+ * `redeemRate` -> ['redeem', 'rate']
+ * `current_redeem_rate` -> ['current', 'redeem', 'rate']
+ * `getOraclePrice` -> ['get', 'oracle', 'price']
+ * `RATE_LIMIT` -> ['rate', 'limit']
+ */
+function splitCamelTokens(name) {
+    if (!name)
+        return [];
+    const spaced = name
+        .replace(/_/g, ' ')
+        .replace(/([a-z0-9])([A-Z])/g, '$1 $2')
+        .replace(/([A-Z]+)([A-Z][a-z])/g, '$1 $2');
+    return spaced
+        .toLowerCase()
+        .split(/\s+/)
+        .filter(t => t.length > 0);
+}
+//# sourceMappingURL=price-rate.js.map

package/dist/detectors/_common/source-text.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Source-text helpers for detectors that need to look at raw Solidity text.
+ *
+ * Several detectors fall back to source-text inspection when the AST shape
+ * varies between parsers or when a structural predicate would be too
+ * expensive. The risk of source-text matching is well-known: regexes that
+ * see commented-out code or string literals will match content that would
+ * never execute. `stripCommentsAndStrings` neutralizes both. New detectors
+ * should prefer AST predicates; this helper exists for the legacy paths.
+ */
+export declare function stripCommentsAndStrings(input: string): string;