@snovon/solast 0.2.0

package/dist/detectors/eip1167-proxy-reentrancy.js

@@ -0,0 +1,508 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Eip1167ProxyReentrancyDetector = void 0;
+const RULE_ID = 'eip1167-proxy-reentrancy';
+const SOURCE = 'x-2026-05-03-eip-1167-proxy-reentrancy';
+const PROXY_STATE_NAME = /(implementation|impl|clone|clones|proxy|beacon|minimalproxy)/i;
+const ACCESS_CONTROL_MODIFIERS = new Set([
+    'onlyowner',
+    'onlyadmin',
+    'onlyrole',
+    'onlyauthorized',
+    'onlygovernance',
+    'onlygovernor',
+    'onlyguardian',
+    'onlyoperator',
+]);
+class Eip1167ProxyReentrancyDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser', 'solc'];
+    scanAst(ast, file, sourceText) {
+        if (!ast || typeof ast !== 'object')
+            return [];
+        const lineOffsets = buildLineOffsets(sourceText);
+        const contracts = collectContracts(ast)
+            .filter(contract => !isInterfaceLike(contract))
+            .map(contract => buildContractInfo(contract));
+        const contractsByName = new Map(contracts.map(contract => [contract.name, contract]));
+        const findings = [];
+        const emitted = new Set();
+        for (const contract of contracts) {
+            for (const fn of contract.functions) {
+                if (!isExternallyReachable(fn.node))
+                    continue;
+                for (const hit of collectLoopDelegatecalls(fn.body)) {
+                    const stateName = targetStateName(hit.target);
+                    if (!stateName)
+                        continue;
+                    const state = contract.states.get(stateName);
+                    if (!state)
+                        continue;
+                    if (!isProxyRelevantState(state, contract, contractsByName))
+                        continue;
+                    if (!isUnsafeProxyState(contract, state))
+                        continue;
+                    const rawLoc = getLoc(hit.node, lineOffsets) || getLoc(fn.node, lineOffsets) || { line: 0, column: 0 };
+                    const loc = rawLoc;
+                    const key = `${contract.name}:${fn.name}:${loc.line}:${loc.column}:${state.name}`;
+                    if (emitted.has(key))
+                        continue;
+                    emitted.add(key);
+                    findings.push({
+                        file,
+                        contract: contract.name,
+                        'function': fn.name,
+                        line: loc.line,
+                        endLine: loc.line,
+                        column: loc.column,
+                        pattern: RULE_ID,
+                        confidence: 'high',
+                        ruleId: RULE_ID,
+                        severity: 'critical',
+                        message: `Loop-based delegatecall in '${contract.name}.${fn.name}' targets mutable or uninitialized proxy state '${state.name}', which can re-enter through attacker-controlled EIP-1167 clone or implementation storage.`,
+                        rationale: 'Delegatecall inside a loop repeatedly executes code in the caller storage context. When the implementation or clone address is uninitialized or externally writable, an attacker can steer execution to reentrant logic before proxy state is locked.',
+                        suggestedFix: 'Initialize implementation and clone addresses before any external entry point can use them, guard and lock implementation setters, and avoid delegatecall inside loops over attacker-controlled proxy targets.',
+                        contractName: contract.name,
+                        functionName: fn.name,
+                        sourceLocation: { line: loc.line, column: loc.column },
+                        delegateTarget: state.name,
+                        operationType: 'delegatecall',
+                        externalCallNode: hit.node,
+                        findingId: '',
+                        contractHash: '',
+                        source: SOURCE,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+}
+exports.Eip1167ProxyReentrancyDetector = Eip1167ProxyReentrancyDetector;
+function buildContractInfo(contractNode) {
+    const states = collectStateVariables(contractNode);
+    const functions = getContractMembers(contractNode)
+        .filter(member => isNode(member, 'FunctionDefinition'))
+        .map(fn => ({ node: fn, name: functionDisplayName(fn), body: getFunctionBody(fn) }));
+    for (const fn of functions) {
+        if (!isConstructor(fn.node))
+            continue;
+        for (const state of states.values()) {
+            if (bodyMutatesState(fn.body, state.name))
+                state.initialized = true;
+        }
+    }
+    const contract = {
+        node: contractNode,
+        name: getName(contractNode) || '<anonymous>',
+        states,
+        functions,
+        unguardedInitializers: new Set(),
+        hasEip1167BytecodeEvidence: hasEip1167BytecodeEvidence(contractNode),
+    };
+    for (const fn of functions) {
+        if (isUnguardedInitializer(fn))
+            contract.unguardedInitializers.add(fn.name);
+    }
+    return contract;
+}
+function collectLoopDelegatecalls(body) {
+    const hits = [];
+    walkWithLoopDepth(body, 0, (node, loopDepth) => {
+        if (loopDepth <= 0)
+            return;
+        const target = delegatecallTarget(node);
+        if (target)
+            hits.push({ node, target });
+    });
+    return hits;
+}
+function walkWithLoopDepth(node, loopDepth, visit) {
+    if (!node || typeof node !== 'object')
+        return;
+    const nextDepth = loopDepth + (isLoopNode(node) ? 1 : 0);
+    visit(node, nextDepth);
+    for (const child of childrenOf(node))
+        walkWithLoopDepth(child, nextDepth, visit);
+}
+function delegatecallTarget(node) {
+    if (!isNode(node, 'FunctionCall'))
+        return undefined;
+    const callee = unwrapCallOptions(node.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return undefined;
+    if (String(callee.memberName || '') !== 'delegatecall')
+        return undefined;
+    return unwrapAddressCast(callee.expression);
+}
+function unwrapCallOptions(expr) {
+    if (isNode(expr, 'FunctionCallOptions') || isNode(expr, 'NameValueExpression')) {
+        return expr.expression;
+    }
+    return expr;
+}
+function unwrapAddressCast(expr) {
+    if (!isNode(expr, 'FunctionCall'))
+        return expr;
+    if (!isAddressTypeExpression(expr.expression))
+        return expr;
+    return (expr.arguments || [])[0] || expr;
+}
+function isAddressTypeExpression(expr) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'ElementaryTypeNameExpression')) {
+        const typeName = expr.typeName;
+        return String(typeName?.name || typeName || '') === 'address';
+    }
+    if (isNode(expr, 'ElementaryTypeName'))
+        return String(expr.name || '') === 'address';
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '') === 'address';
+    return false;
+}
+function targetStateName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'IndexAccess'))
+        return targetStateName(expr.base || expr.baseExpression);
+    if (isNode(expr, 'MemberAccess'))
+        return targetStateName(expr.expression);
+    if (isNode(expr, 'FunctionCall'))
+        return targetStateName(unwrapAddressCast(expr));
+    return '';
+}
+function isProxyRelevantState(state, contract, contractsByName) {
+    if (PROXY_STATE_NAME.test(state.name) || PROXY_STATE_NAME.test(state.typeName))
+        return true;
+    if (contract.hasEip1167BytecodeEvidence)
+        return true;
+    const typedContract = contractsByName.get(state.typeName);
+    return !!typedContract && typedContract.unguardedInitializers.size > 0;
+}
+function isUnsafeProxyState(contract, state) {
+    if (!state.initialized)
+        return true;
+    for (const fn of contract.functions) {
+        if (isConstructor(fn.node))
+            continue;
+        if (!isExternallyReachable(fn.node))
+            continue;
+        if (!bodyMutatesState(fn.body, state.name))
+            continue;
+        if (!hasCallerAccessControl(fn.node, fn.body))
+            return true;
+    }
+    return false;
+}
+function isUnguardedInitializer(fn) {
+    if (!isExternallyReachable(fn.node))
+        return false;
+    if (!/^init|^setup$/i.test(fn.name))
+        return false;
+    return !hasCallerAccessControl(fn.node, fn.body);
+}
+function bodyMutatesState(body, stateName) {
+    return walkAny(body, node => isAssignmentToState(node, stateName) || isPushToState(node, stateName));
+}
+function isAssignmentToState(node, stateName) {
+    if (!node || typeof node !== 'object')
+        return false;
+    let left;
+    const operator = String(node.operator || '');
+    if (isNode(node, 'BinaryOperation') || isNode(node, 'Assignment')) {
+        if (!operator.includes('=') || ['==', '===', '!=', '!==', '<=', '>='].includes(operator))
+            return false;
+        left = node.left || node.leftExpression || node.leftHandSide;
+    }
+    else {
+        return false;
+    }
+    return expressionTargetsState(left, stateName);
+}
+function isPushToState(node, stateName) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const callee = unwrapCallOptions(node.expression);
+    if (!isNode(callee, 'MemberAccess'))
+        return false;
+    if (String(callee.memberName || '') !== 'push')
+        return false;
+    return expressionTargetsState(callee.expression, stateName);
+}
+function expressionTargetsState(expr, stateName) {
+    if (!expr || typeof expr !== 'object')
+        return false;
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '') === stateName;
+    if (isNode(expr, 'IndexAccess'))
+        return expressionTargetsState(expr.base || expr.baseExpression, stateName);
+    if (isNode(expr, 'MemberAccess')) {
+        if (String(expr.memberName || '') === stateName)
+            return true;
+        return expressionTargetsState(expr.expression, stateName);
+    }
+    if (isNode(expr, 'TupleExpression')) {
+        return (expr.components || []).some((component) => expressionTargetsState(component, stateName));
+    }
+    return false;
+}
+function hasCallerAccessControl(fn, body) {
+    for (const modifier of fn?.modifiers || []) {
+        if (ACCESS_CONTROL_MODIFIERS.has(getModifierName(modifier).toLowerCase()))
+            return true;
+    }
+    return !!body && walkAny(body, node => isRequireOrAssertCallerGuard(node));
+}
+function isRequireOrAssertCallerGuard(node) {
+    if (!isNode(node, 'FunctionCall'))
+        return false;
+    const name = callName(node.expression).toLowerCase();
+    if (name !== 'require' && name !== 'assert')
+        return false;
+    return conditionGuardsCaller((node.arguments || [])[0]);
+}
+function conditionGuardsCaller(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isCallerEqualityCheck(node) || isOwnerMappingCheck(node))
+        return true;
+    return childrenOf(node).some(conditionGuardsCaller);
+}
+function isCallerEqualityCheck(node) {
+    if (!isNode(node, 'BinaryOperation'))
+        return false;
+    const op = String(node.operator || '');
+    if (op !== '==' && op !== '===')
+        return false;
+    const left = node.left || node.leftExpression;
+    const right = node.right || node.rightExpression;
+    return (isMsgSender(left) && isAuthSubject(right)) || (isMsgSender(right) && isAuthSubject(left));
+}
+function isOwnerMappingCheck(node) {
+    if (!isNode(node, 'IndexAccess'))
+        return false;
+    const base = node.base || node.baseExpression;
+    const index = node.index || node.indexExpression;
+    return isAuthSubject(base) && isMsgSender(index);
+}
+function isMsgSender(node) {
+    return isNode(node, 'MemberAccess') &&
+        String(node.memberName || '') === 'sender' &&
+        isNode(node.expression, 'Identifier') &&
+        String(node.expression.name || '') === 'msg';
+}
+function isAuthSubject(node) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (isNode(node, 'Identifier'))
+        return /^(owner|admin|governance|governor|guardian|authority|operator|manager|owners|isOwner)$/i.test(String(node.name || ''));
+    if (isNode(node, 'MemberAccess'))
+        return /^(owner|admin|governance|governor|guardian|authority|operator|manager|owners|isOwner)$/i.test(String(node.memberName || ''));
+    return false;
+}
+function collectStateVariables(contractNode) {
+    const states = new Map();
+    for (const member of getContractMembers(contractNode)) {
+        if (isNode(member, 'StateVariableDeclaration')) {
+            for (const variable of member.variables || []) {
+                if (!variable?.name)
+                    continue;
+                states.set(String(variable.name), {
+                    name: String(variable.name),
+                    typeName: variableTypeName(variable),
+                    initialized: !!(variable.expression || variable.value || variable.initialValue),
+                });
+            }
+        }
+        else if (isNode(member, 'VariableDeclaration') && member.stateVariable) {
+            if (!member.name)
+                continue;
+            states.set(String(member.name), {
+                name: String(member.name),
+                typeName: variableTypeName(member),
+                initialized: !!(member.expression || member.value || member.initialValue),
+            });
+        }
+    }
+    return states;
+}
+function variableTypeName(variable) {
+    const typeName = variable?.typeName;
+    if (!typeName || typeof typeName !== 'object')
+        return '';
+    if (typeof typeName.name === 'string')
+        return typeName.name;
+    if (typeof typeName.namePath === 'string')
+        return typeName.namePath.split('.').pop() || '';
+    if (typeName.pathNode)
+        return variableTypeName({ typeName: typeName.pathNode });
+    if (typeName.baseType)
+        return variableTypeName({ typeName: typeName.baseType });
+    if (typeof typeName.typeString === 'string')
+        return typeName.typeString.split(' ').pop() || '';
+    return '';
+}
+function hasEip1167BytecodeEvidence(contractNode) {
+    return walkAny(contractNode, node => {
+        if (!isHexByteLiteral(node))
+            return false;
+        const value = String(node.value || node.hexValue || '');
+        return /363d3d373d3d3d363d73/i.test(value);
+    });
+}
+function isHexByteLiteral(node) {
+    if (isNode(node, 'HexLiteral'))
+        return true;
+    if (!isNode(node, 'Literal'))
+        return false;
+    const kind = String(node.kind || '').toLowerCase();
+    const typeString = String(node.typeDescriptions?.typeString || '').toLowerCase();
+    return kind === 'hexstring' || typeString.startsWith('literal_string hex');
+}
+function callName(expr) {
+    if (!expr || typeof expr !== 'object')
+        return '';
+    if (isNode(expr, 'Identifier'))
+        return String(expr.name || '');
+    if (isNode(expr, 'MemberAccess'))
+        return String(expr.memberName || '');
+    return '';
+}
+function getModifierName(modifier) {
+    if (!modifier)
+        return '';
+    if (typeof modifier === 'string')
+        return modifier;
+    if (typeof modifier.name === 'string')
+        return modifier.name;
+    if (modifier.name && typeof modifier.name === 'object')
+        return String(modifier.name.name || modifier.name.namePath || '');
+    if (modifier.modifierName)
+        return String(modifier.modifierName.name || modifier.modifierName.namePath || modifier.modifierName || '');
+    return '';
+}
+function isLoopNode(node) {
+    return isNode(node, 'ForStatement') || isNode(node, 'WhileStatement') || isNode(node, 'DoWhileStatement');
+}
+function isExternallyReachable(fn) {
+    if (!fn || isConstructor(fn))
+        return false;
+    const kind = String(fn.kind || '').toLowerCase();
+    if (kind === 'fallback' || kind === 'receive' || fn.isFallback === true || fn.isReceiveEther === true)
+        return true;
+    const visibility = String(fn.visibility || '').toLowerCase();
+    return visibility === 'public' || visibility === 'external';
+}
+function isConstructor(fn) {
+    if (!fn)
+        return false;
+    if (fn.isConstructor === true)
+        return true;
+    return String(fn.kind || '').toLowerCase() === 'constructor';
+}
+function functionDisplayName(fn) {
+    if (fn.isFallback === true || String(fn.kind || '').toLowerCase() === 'fallback')
+        return '<fallback>';
+    if (fn.isReceiveEther === true || String(fn.kind || '').toLowerCase() === 'receive')
+        return '<receive>';
+    return typeof fn.name === 'string' && fn.name.length > 0 ? fn.name : '<anonymous>';
+}
+function getFunctionBody(node) {
+    return node?.body || null;
+}
+function getContractMembers(contractNode) {
+    if (!contractNode || typeof contractNode !== 'object')
+        return [];
+    if (Array.isArray(contractNode.subNodes))
+        return contractNode.subNodes;
+    if (Array.isArray(contractNode.nodes))
+        return contractNode.nodes;
+    return [];
+}
+function collectContracts(ast) {
+    const out = [];
+    walkContracts(ast, out);
+    return out;
+}
+function walkContracts(node, out) {
+    if (!node || typeof node !== 'object')
+        return;
+    if (isNode(node, 'ContractDefinition'))
+        out.push(node);
+    for (const child of childrenOf(node))
+        walkContracts(child, out);
+}
+function isInterfaceLike(contractNode) {
+    const kind = String(contractNode?.kind || contractNode?.contractKind || '').toLowerCase();
+    return kind === 'interface' || kind === 'library';
+}
+function getName(node) {
+    return typeof node?.name === 'string' ? node.name : '';
+}
+function isNode(node, kind) {
+    return node?.type === kind || node?.nodeType === kind;
+}
+function walkAny(node, predicate) {
+    if (!node || typeof node !== 'object')
+        return false;
+    if (predicate(node))
+        return true;
+    for (const child of childrenOf(node)) {
+        if (walkAny(child, predicate))
+            return true;
+    }
+    return false;
+}
+function childrenOf(node) {
+    if (!node || typeof node !== 'object')
+        return [];
+    const children = [];
+    for (const [key, value] of Object.entries(node)) {
+        if (key === 'loc' || key === 'src' || key === 'range' || key === 'typeDescriptions' || key === 'id' || key === 'scope')
+            continue;
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item && typeof item === 'object')
+                    children.push(item);
+            }
+        }
+        else if (value && typeof value === 'object') {
+            children.push(value);
+        }
+    }
+    return children;
+}
+function buildLineOffsets(sourceText) {
+    if (sourceText === undefined)
+        return undefined;
+    const lineOffsets = [0];
+    let byteOffset = 0;
+    for (const char of sourceText) {
+        byteOffset += Buffer.byteLength(char, 'utf8');
+        if (char === '\n')
+            lineOffsets.push(byteOffset);
+    }
+    return lineOffsets;
+}
+function getLoc(node, lineOffsets) {
+    if (node?.loc?.start)
+        return node.loc.start;
+    if (!node?.src || !lineOffsets)
+        return undefined;
+    const offset = Number(String(node.src).split(':')[0]);
+    if (!Number.isFinite(offset) || offset < 0)
+        return undefined;
+    let lineIndex = 0;
+    for (let i = 0; i < lineOffsets.length; i++) {
+        if (lineOffsets[i] <= offset)
+            lineIndex = i;
+        else
+            break;
+    }
+    return { line: lineIndex + 1, column: offset - lineOffsets[lineIndex] };
+}
+//# sourceMappingURL=eip1167-proxy-reentrancy.js.map

package/dist/detectors/eip4626-vault-reentrancy.d.ts

@@ -0,0 +1,32 @@
+import type { ScanResult } from '../index';
+export declare class Eip4626VaultReentrancyDetector {
+    readonly id = "eip4626-vault-reentrancy";
+    readonly patternKey = "eip4626-vault-reentrancy";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private currentFile;
+    private findings;
+    private contractStack;
+    private functionStack;
+    private emitted;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(node: any): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    FunctionCall(node: any): void;
+    Assignment(node: any): void;
+    BinaryOperation(node: any): void;
+    private recordAccountingWrite;
+    private analyzeEvents;
+    private emitFinding;
+    private currentContract;
+    private currentFunction;
+    private looksLikeErc4626Vault;
+}