@snovon/solast 0.2.0

package/dist/detectors/eip7702-cross-chain-replay.d.ts

@@ -0,0 +1,27 @@
+import type { ScanResult } from '../index';
+export declare class EIP7702CrossChainReplayDetector {
+    readonly id = "eip7702-cross-chain-replay";
+    readonly patternKey = "eip7702-cross-chain-replay";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "high";
+    };
+    private findings;
+    private currentFile;
+    private contract;
+    private fn;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    ContractDefinition_post(_node: any): void;
+    ['ContractDefinition:exit'](node: any): void;
+    FunctionDefinition(node: any): void;
+    FunctionDefinition_post(_node: any): void;
+    ['FunctionDefinition:exit'](node: any): void;
+    MemberAccess(node: any): void;
+    IfStatement(node: any): void;
+    BinaryOperation(node: any): void;
+}

package/dist/detectors/eip7702-cross-chain-replay.js

@@ -0,0 +1,307 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EIP7702CrossChainReplayDetector = void 0;
+const ast_1 = require("./_common/ast");
+const RULE_ID = 'eip7702-cross-chain-replay';
+const PROVENANCE = 'x-20260511-eip7702-cross-chain-replay';
+class EIP7702CrossChainReplayDetector {
+    id = RULE_ID;
+    patternKey = RULE_ID;
+    supportedAstKinds = ['parser'];
+    descriptor = {
+        id: RULE_ID,
+        shortDescription: 'EIP-7702 delegated-account authorization entries are accepted without binding chainId to block.chainid.',
+        helpUri: 'https://snovon.com/',
+        defaultSeverity: 'high',
+    };
+    findings = [];
+    currentFile = '';
+    contract = null;
+    fn = null;
+    setFile(file) {
+        this.currentFile = file;
+        this.findings = [];
+        this.contract = null;
+        this.fn = null;
+    }
+    getFindings() {
+        return this.findings;
+    }
+    ContractDefinition(node) {
+        if (node?.kind === 'interface' || node?.kind === 'library') {
+            this.contract = null;
+            return;
+        }
+        const structs = collectStructs(node);
+        this.contract = {
+            name: node?.name || '<anonymous>',
+            node,
+            structs,
+            hasAuthorizationStruct: [...structs.values()].some(info => info.authLike),
+            hasExecuteEntrypoint: (node?.subNodes || []).some((sub) => isExecuteEntrypoint(sub)),
+            hasSelfSenderGuard: false,
+        };
+    }
+    ContractDefinition_post(_node) {
+        this.contract = null;
+        this.fn = null;
+    }
+    ['ContractDefinition:exit'](node) {
+        this.ContractDefinition_post(node);
+    }
+    FunctionDefinition(node) {
+        this.fn = null;
+        if (!this.contract || !node?.body)
+            return;
+        if (!isExternallyCallable(node))
+            return;
+        const consumed = consumedAuthParams(node, this.contract.structs);
+        if (consumed.length === 0)
+            return;
+        this.fn = {
+            node,
+            name: node.name || '<fallback>',
+            consumed,
+            hasExecuteEntrypoint: isExecuteEntrypoint(node),
+            hasSelfSenderGuard: false,
+            hasChainBinding: false,
+            acceptsZeroChainId: false,
+            chainReadNode: null,
+            zeroChainNode: null,
+            rejectedZeroNodes: new Set(),
+        };
+    }
+    FunctionDefinition_post(_node) {
+        if (!this.contract || !this.fn) {
+            this.fn = null;
+            return;
+        }
+        const signalCount = [
+            this.contract.hasAuthorizationStruct,
+            this.contract.hasExecuteEntrypoint || this.fn.hasExecuteEntrypoint,
+            this.contract.hasSelfSenderGuard || this.fn.hasSelfSenderGuard,
+        ].filter(Boolean).length;
+        if (signalCount < 2) {
+            this.fn = null;
+            return;
+        }
+        const missingChainField = this.fn.hasExecuteEntrypoint && this.fn.consumed.some(auth => !auth.structInfo.hasChainField);
+        const missingBinding = this.fn.consumed.some(auth => auth.structInfo.hasChainField) && !this.fn.hasChainBinding;
+        if (!missingChainField && !missingBinding && !this.fn.acceptsZeroChainId) {
+            this.fn = null;
+            return;
+        }
+        const loc = locOf(this.fn.zeroChainNode || this.fn.chainReadNode || this.fn.node);
+        this.findings.push({
+            file: this.currentFile,
+            contract: this.contract.name,
+            'function': this.fn.name,
+            line: loc.line,
+            endLine: loc.line,
+            column: loc.column,
+            pattern: RULE_ID,
+            confidence: 'high',
+            ruleId: RULE_ID,
+            severity: 'high',
+            message: `EIP-7702 cross-chain replay risk: '${this.contract.name}.${this.fn.name}' consumes delegated-account authorization data without strict chainId binding.`,
+            rationale: 'EIP-7702 authorization-list entries can be replayed on another chain unless delegated account logic rejects chainId 0 and requires the consumed entry chainId to equal block.chainid.',
+            suggestedFix: 'Require every consumed authorization or downstream user operation to carry a chainId field, reject chainId 0, and compare that field directly against block.chainid before executing delegated calls.',
+            contractName: this.contract.name,
+            functionName: this.fn.name,
+            sourceLocation: { line: loc.line, column: loc.column },
+            findingId: '',
+            contractHash: '',
+            provenance: PROVENANCE,
+            source: PROVENANCE,
+        });
+        this.fn = null;
+    }
+    ['FunctionDefinition:exit'](node) {
+        this.FunctionDefinition_post(node);
+    }
+    MemberAccess(node) {
+        if (!this.fn)
+            return;
+        if (!isChainFieldName(node.memberName))
+            return;
+        if (!isConsumedParamAccess(node.expression, new Set(this.fn.consumed.map(auth => auth.paramName))))
+            return;
+        this.fn.chainReadNode ||= node;
+    }
+    IfStatement(node) {
+        if (!this.fn)
+            return;
+        const paramNames = new Set(this.fn.consumed.map(auth => auth.paramName));
+        const body = node.trueBody || node.body;
+        if (isZeroChainComparisonNode(node.condition, paramNames) && isRejectionBody(body)) {
+            this.fn.rejectedZeroNodes.add(node.condition);
+        }
+    }
+    BinaryOperation(node) {
+        if (!this.fn)
+            return;
+        const paramNames = new Set(this.fn.consumed.map(auth => auth.paramName));
+        if ((node.operator === '==' || node.operator === '!=') && isSelfSenderComparison(node)) {
+            this.fn.hasSelfSenderGuard = true;
+            if (this.contract)
+                this.contract.hasSelfSenderGuard = true;
+        }
+        if (node.operator === '==' && isAuthChainToBlockChainComparison(node, paramNames)) {
+            this.fn.hasChainBinding = true;
+        }
+        if (node.operator === '==' && hasAuthChainAndZero(node, paramNames)) {
+            if (!this.fn.rejectedZeroNodes.has(node)) {
+                this.fn.acceptsZeroChainId = true;
+                this.fn.zeroChainNode ||= node;
+            }
+        }
+    }
+}
+exports.EIP7702CrossChainReplayDetector = EIP7702CrossChainReplayDetector;
+function collectStructs(contract) {
+    const structs = new Map();
+    for (const sub of contract?.subNodes || []) {
+        if (!(0, ast_1.isNode)(sub, 'StructDefinition') || !sub.name)
+            continue;
+        const fields = new Set();
+        for (const member of sub.members || []) {
+            if (member?.name)
+                fields.add(String(member.name));
+        }
+        const lowerFields = new Set([...fields].map(field => field.toLowerCase()));
+        const lowerName = String(sub.name).toLowerCase();
+        const hasNonce = lowerFields.has('nonce');
+        const hasSigner = ['authority', 'authorizer', 'signer', 'sender', 'account'].some(field => lowerFields.has(field));
+        const hasChainField = hasChainIdField(fields);
+        const nameMatches = lowerName.includes('authorization') || lowerName === 'useroperation' || lowerName === 'userop';
+        structs.set(sub.name, {
+            name: sub.name,
+            fields,
+            authLike: nameMatches || (hasNonce && (hasSigner || hasChainField)),
+            hasChainField,
+        });
+    }
+    return structs;
+}
+function consumedAuthParams(fn, structs) {
+    const consumed = [];
+    for (const param of fn?.parameters || []) {
+        if (!param?.name)
+            continue;
+        const typeName = baseTypeName(param.typeName);
+        if (!typeName)
+            continue;
+        const structInfo = structs.get(typeName);
+        if (!structInfo?.authLike)
+            continue;
+        consumed.push({ paramName: param.name, structInfo });
+    }
+    return consumed;
+}
+function isAuthChainToBlockChainComparison(node, paramNames) {
+    return (isAuthChainField(node.left, paramNames) && isBlockChainId(node.right))
+        || (isAuthChainField(node.right, paramNames) && isBlockChainId(node.left));
+}
+function hasAuthChainAndZero(node, paramNames) {
+    return (isAuthChainField(node.left, paramNames) && isZeroLiteral(node.right))
+        || (isAuthChainField(node.right, paramNames) && isZeroLiteral(node.left));
+}
+function isAuthChainField(node, paramNames) {
+    return (0, ast_1.isNode)(node, 'MemberAccess')
+        && isChainFieldName(node.memberName)
+        && isConsumedParamAccess(node.expression, paramNames);
+}
+function isConsumedParamAccess(node, paramNames) {
+    if ((0, ast_1.isNode)(node, 'Identifier'))
+        return paramNames.has(String(node.name || ''));
+    if ((0, ast_1.isNode)(node, 'IndexAccess'))
+        return isConsumedParamAccess(node.base, paramNames);
+    return false;
+}
+function isBlockChainId(node) {
+    return (0, ast_1.isNode)(node, 'MemberAccess')
+        && isChainFieldName(node.memberName)
+        && (0, ast_1.isNode)(node.expression, 'Identifier')
+        && node.expression.name === 'block';
+}
+function isZeroLiteral(node) {
+    return ((0, ast_1.isNode)(node, 'NumberLiteral') && String(node.number) === '0')
+        || ((0, ast_1.isNode)(node, 'DecimalNumber') && String(node.value) === '0')
+        || ((0, ast_1.isNode)(node, 'Literal') && String(node.value) === '0');
+}
+function isExecuteEntrypoint(node) {
+    if (!(0, ast_1.isNode)(node, 'FunctionDefinition'))
+        return false;
+    if (!node.body || !isExternallyCallable(node))
+        return false;
+    return /^execute(?:Batch)?[A-Za-z0-9_]*$/.test(String(node.name || ''));
+}
+function isExternallyCallable(fn) {
+    const visibility = String(fn?.visibility || '').toLowerCase();
+    return visibility === 'external' || visibility === 'public';
+}
+function isSelfSenderComparison(node) {
+    return (isMsgSender(node.left) && isAddressThis(node.right))
+        || (isMsgSender(node.right) && isAddressThis(node.left));
+}
+function isMsgSender(node) {
+    return (0, ast_1.isNode)(node, 'MemberAccess')
+        && String(node.memberName || '') === 'sender'
+        && (0, ast_1.isNode)(node.expression, 'Identifier')
+        && node.expression.name === 'msg';
+}
+function isAddressThis(node) {
+    return (0, ast_1.isNode)(node, 'FunctionCall')
+        && (0, ast_1.isNode)(node.expression, 'Identifier')
+        && node.expression.name === 'address'
+        && (0, ast_1.isNode)(node.arguments?.[0], 'Identifier')
+        && node.arguments[0].name === 'this';
+}
+function baseTypeName(typeName) {
+    if (!typeName)
+        return '';
+    if ((0, ast_1.isNode)(typeName, 'ArrayTypeName'))
+        return baseTypeName(typeName.baseTypeName);
+    if ((0, ast_1.isNode)(typeName, 'UserDefinedTypeName'))
+        return String(typeName.namePath || typeName.name || '');
+    return '';
+}
+function hasChainIdField(fields) {
+    return [...fields].some(isChainFieldName);
+}
+function isChainFieldName(name) {
+    const normalized = String(name || '').toLowerCase();
+    return normalized === 'chainid';
+}
+function locOf(node) {
+    const loc = (0, ast_1.tryLoc)(node) ?? { line: 1, endLine: 1, column: 0 };
+    return { line: loc.line, column: loc.column };
+}
+function isZeroChainComparisonNode(node, paramNames) {
+    return (0, ast_1.isNode)(node, 'BinaryOperation')
+        && node.operator === '=='
+        && hasAuthChainAndZero(node, paramNames);
+}
+function isRejectionBody(node) {
+    if (!node)
+        return false;
+    if ((0, ast_1.isNode)(node, 'RevertStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'ThrowStatement'))
+        return true;
+    if ((0, ast_1.isNode)(node, 'ExpressionStatement'))
+        return isRejectionBody(node.expression);
+    if ((0, ast_1.isNode)(node, 'FunctionCall')) {
+        const callee = node.expression;
+        if ((0, ast_1.isNode)(callee, 'Identifier')) {
+            const name = String(callee.name || '');
+            if (name === 'revert' || name === 'assert')
+                return true;
+        }
+    }
+    if ((0, ast_1.isNode)(node, 'Block')) {
+        return (node.statements || []).some((s) => isRejectionBody(s));
+    }
+    return false;
+}
+//# sourceMappingURL=eip7702-cross-chain-replay.js.map

package/dist/detectors/eip7702-delegated-eoa-approval-race.d.ts

@@ -0,0 +1,39 @@
+import type { ScanResult } from '../index';
+export declare class EIP7702DelegatedEoaApprovalRaceDetector {
+    readonly id = "eip7702-delegated-eoa-approval-race";
+    readonly patternKey = "eip7702-delegated-eoa-approval-race";
+    readonly supportedAstKinds: "parser"[];
+    readonly descriptor: {
+        id: string;
+        shortDescription: string;
+        helpUri: string;
+        defaultSeverity: "medium";
+    };
+    private currentFile;
+    private findings;
+    private currentContractName;
+    private currentContractIsConcrete;
+    private currentContractNode;
+    private authStructNames;
+    private stateAuthVars;
+    private functionStack;
+    setFile(file: string): void;
+    getFindings(): ScanResult[];
+    ContractDefinition(node: any): void;
+    'ContractDefinition:exit'(): void;
+    FunctionDefinition(node: any): void;
+    'FunctionDefinition:exit'(node: any): void;
+    VariableDeclaration(node: any): void;
+    Assignment(node: any): void;
+    UnaryOperation(node: any): void;
+    BinaryOperation(node: any): void;
+    MemberAccess(node: any): void;
+    AssemblyAssignment(node: any): void;
+    AssemblyLocalDefinition(node: any): void;
+    FunctionCall(node: any): void;
+    private currentFunction;
+    private recordAuthVariable;
+    private recordAssemblyCodeState;
+    private isAuthVariable;
+    private expressionIsAuthRelated;
+}