chainlink-audit 0.3.0 → 0.3.3

package/README.md

@@ -17,6 +17,17 @@ Results are heuristic risk leads for manual review, not confirmed vulnerabilitie
 
 Use `chainlink-audit triage <report.json>` to turn JSON scan output into a manual review checklist.
 
+## Ecosystem Benchmark
+
+The repository includes a pinned Chainlink Ecosystem benchmark manifest at `benchmarks/ecosystem-repos.json`.
+It tracks public GitHub repositories for Ecosystem projects outside the original manual audit sample.
+
+```bash
+npm run benchmark:ecosystem -- --out ../../cache/ecosystem-benchmark-report.json
+```
+
+The runner clones pinned commits into `../../cache/ecosystem-benchmark`, scans each checkout, and writes an aggregate JSON report with per-project and per-rule lead counts.
+
 Published package: https://www.npmjs.com/package/chainlink-audit
 
 See the repository README for full documentation:

package/dist/benchmark.js

@@ -0,0 +1,58 @@
+function increment(map, key, value = 1) {
+    map[key] = (map[key] ?? 0) + value;
+}
+function sortCounts(counts) {
+    return Object.fromEntries(Object.entries(counts).sort(([leftKey, leftValue], [rightKey, rightValue]) => {
+        return rightValue - leftValue || leftKey.localeCompare(rightKey);
+    }));
+}
+function productFromRuleId(ruleId) {
+    const productCode = ruleId.split("-")[1]?.toUpperCase();
+    return ({
+        AUTO: "automation",
+        CCIP: "ccip",
+        DF: "data-feeds",
+        FN: "functions-cre",
+        VRF: "vrf",
+    }[productCode ?? ""] ?? "unknown");
+}
+export function summarizeScanResults(manifestRepositories, scanResults) {
+    return scanResults.map((result, index) => {
+        const repository = manifestRepositories[index];
+        const findingsByRule = {};
+        for (const finding of result.findings) {
+            increment(findingsByRule, finding.ruleId);
+        }
+        return {
+            project: repository.project,
+            githubUrl: repository.githubUrl,
+            commit: repository.commit,
+            scannedFiles: result.scannedFiles,
+            scannerProducts: result.products,
+            totalFindings: result.findings.length,
+            findingsByRule: sortCounts(findingsByRule),
+        };
+    });
+}
+export function summarizeBenchmarkResults(projectResults) {
+    const products = new Set();
+    const findingsByRule = {};
+    const findingsByProduct = {};
+    for (const result of projectResults) {
+        for (const product of result.scannerProducts) {
+            products.add(product);
+        }
+        for (const [ruleId, count] of Object.entries(result.findingsByRule)) {
+            increment(findingsByRule, ruleId, count);
+            increment(findingsByProduct, productFromRuleId(ruleId), count);
+        }
+    }
+    return {
+        repositoryCount: projectResults.length,
+        scannedFiles: projectResults.reduce((total, result) => total + result.scannedFiles, 0),
+        totalFindings: projectResults.reduce((total, result) => total + result.totalFindings, 0),
+        scannerProducts: [...products].sort(),
+        findingsByRule: sortCounts(findingsByRule),
+        findingsByProduct: sortCounts(findingsByProduct),
+    };
+}

package/dist/rules/automation.js

@@ -1,7 +1,17 @@
-import { extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { escapeRegExp, extractFunctionBody, firstLineMatching, isInterfaceOnlyFile, makeFinding } from "./helpers.js";
 function hasAutomation(content) {
     return /(AutomationCompatibleInterface|KeeperCompatibleInterface|function\s+checkUpkeep\b|function\s+performUpkeep\b)/.test(content);
 }
+function internalCallBodies(content, body) {
+    const calledNames = [...body.matchAll(/\b([a-zA-Z_]\w*)\s*\(/g)].map((match) => match[1]);
+    return [...new Set(calledNames)]
+        .map((name) => {
+        const declaration = new RegExp(`function\\s+${escapeRegExp(name)}\\b[^{;]*\\b(internal|private)\\b`);
+        return declaration.test(content) ? extractFunctionBody(content, name) : "";
+    })
+        .filter(Boolean)
+        .join("\n");
+}
 export const automationRules = [
     {
         metadata: {
@@ -17,8 +27,9 @@ export const automationRules = [
             const body = extractFunctionBody(context.content, "performUpkeep");
             if (!body)
                 return [];
-            const revalidates = /(require|revert|UpkeepNotNeeded|checkUpkeep)/.test(body) &&
-                /(block\.timestamp|lastExecutedAt|interval|upkeepNeeded|balance|paused)/.test(body);
+            const extendedBody = `${body}\n${internalCallBodies(context.content, body)}`;
+            const revalidates = /(require|revert|UpkeepNotNeeded|checkUpkeep)/.test(extendedBody) &&
+                /(block\.timestamp|lastExecutedAt|interval|upkeepNeeded|balance|paused)/.test(extendedBody);
             if (revalidates)
                 return [];
             return [
@@ -81,7 +92,10 @@ export const automationRules = [
                 return [];
             if (!/function\s+performUpkeep\b/.test(context.content))
                 return [];
-            const hasPause = /(Pausable|whenNotPaused|paused|pause\(|emergency|guardian)/i.test(context.content);
+            if (isInterfaceOnlyFile(context.content))
+                return [];
+            const pausePattern = /(Pausable|whenNotPaused|paused|unpause|pause\w*\s*\(|emergency|guardian|abort\w*\s*\(|dismantle|kill\w*\s*\(|circuitBreak)/i;
+            const hasPause = pausePattern.test(context.content) || context.repoSignals.files.some((file) => pausePattern.test(file.content));
             if (hasPause)
                 return [];
             return [

package/dist/rules/ccip.js

@@ -1,7 +1,8 @@
-import { countMatches, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { countMatches, escapeRegExp, extractBlockBody, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
 function ccipBody(content) {
     return [extractFunctionBody(content, "ccipReceive"), extractFunctionBody(content, "_ccipReceive")].filter(Boolean).join("\n");
 }
+const CCIP_RECEIVE_DECL = /function\s+(_ccipReceive|ccipReceive)\b/;
 function ccipHeader(content) {
     const match = /function\s+(_ccipReceive|ccipReceive)\b[^{;]*/.exec(content);
     return match?.[0] ?? "";
@@ -10,16 +11,40 @@ function hasCcipReceiver(content) {
     return /(function\s+_ccipReceive\b|function\s+ccipReceive\b|is\s+CCIPReceiver)/.test(content);
 }
 function isCcipBaseReceiver(content) {
-    return (/interface\s+\w*I?Any2EVMMessageReceiver\b/.test(content) ||
-        /interface\s+\w+\s*{[\s\S]*function\s+ccipReceive\b[^{]*;/.test(content) ||
-        /abstract\s+contract\s+\w*CCIPReceiver\b/.test(content) ||
-        /function\s+_ccipReceive\b[^{;]*internal[^{;]*virtual\s*;/.test(content));
+    if (/interface\s+\w*I?Any2EVMMessageReceiver\b/.test(content))
+        return true;
+    if (/interface\s+\w+\s*{[\s\S]*function\s+ccipReceive\b[^{]*;/.test(content))
+        return true;
+    if (/abstract\s+contract\s+\w*CCIPReceiver\b/.test(content))
+        return true;
+    if (/function\s+_ccipReceive\b[^{;]*internal[^{;]*virtual\s*;/.test(content))
+        return true;
+    // Guard stub: ccipReceive body is only a revert — intentional "not a receiver" pattern (e.g. EVM2EVMOffRamp)
+    const ccipReceiveBody = extractFunctionBody(content, "ccipReceive");
+    if (ccipReceiveBody) {
+        const bodyTrimmed = ccipReceiveBody.trim();
+        if (/^\s*revert\s*\(\s*\)\s*;\s*$/.test(bodyTrimmed) ||
+            /^\s*revert\s+\w[\w.]*\s*\([^)]*\)\s*;\s*$/.test(bodyTrimmed))
+            return true;
+    }
+    return false;
 }
 function inheritsCcipReceiver(content) {
     return /\bis\s+[\s\S{]*\bCCIPReceiver(Upgradeable)?\b/.test(content);
 }
-function escapeRegExp(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+function extractParentNames(content) {
+    const match = /\bcontract\s+\w+\s+is\s+([\w\s,]+?)(?:\{|$)/m.exec(content);
+    if (!match)
+        return [];
+    return match[1].split(",").map((s) => s.trim()).filter(Boolean);
+}
+function inheritsViaCcipReceiver(content, repoSignals) {
+    const parents = extractParentNames(content);
+    return parents.some((parent) => {
+        const parentPattern = new RegExp(`\\b(?:abstract\\s+)?contract\\s+${escapeRegExp(parent)}\\b`);
+        const parentFile = repoSignals.files.find((f) => parentPattern.test(f.content));
+        return parentFile ? inheritsCcipReceiver(parentFile.content) : false;
+    });
 }
 function delegatedCcipContent(body, repoSignals) {
     const match = /\b([A-Z][A-Za-z0-9_]*)\s*\.\s*([A-Za-z0-9_]*ccipReceive|processCcipReceive)\s*\(/i.exec(body);
@@ -31,16 +56,66 @@ function delegatedCcipContent(body, repoSignals) {
     const delegate = repoSignals.files.find((file) => typePattern.test(file.content) && functionPattern.test(file.content));
     return delegate ? `${body}\n${delegate.content}` : body;
 }
+function extractModifierNames(header) {
+    const afterParams = header.replace(/^function\s+\w+\s*\([^)]*\)/s, "");
+    const names = afterParams.match(/\b[A-Za-z_]\w*\b/g) ?? [];
+    const keywords = new Set([
+        "external",
+        "public",
+        "internal",
+        "private",
+        "view",
+        "pure",
+        "payable",
+        "override",
+        "virtual",
+        "returns",
+    ]);
+    return [...new Set(names)].filter((name) => !keywords.has(name));
+}
+function resolveModifierBodies(content, repoSignals) {
+    const header = ccipHeader(content);
+    const modifierNames = extractModifierNames(header);
+    if (modifierNames.length === 0)
+        return "";
+    const parents = extractParentNames(content);
+    const parentFiles = repoSignals.files.filter((file) => parents.some((parent) => new RegExp(`\\b(?:abstract\\s+)?contract\\s+${escapeRegExp(parent)}\\b`).test(file.content)));
+    const candidateFiles = [{ content }, ...parentFiles];
+    return modifierNames
+        .map((name) => {
+        const declaration = new RegExp(`modifier\\s+${escapeRegExp(name)}\\b`);
+        for (const file of candidateFiles) {
+            const body = extractBlockBody(file.content, declaration);
+            if (body)
+                return body;
+        }
+        return "";
+    })
+        .filter(Boolean)
+        .join("\n");
+}
+function stripEmitLines(body) {
+    return body
+        .split("\n")
+        .filter((line) => !/\bemit\b/.test(line))
+        .join("\n");
+}
 function validatesSourceChain(content, body) {
     const header = ccipHeader(content);
-    const directValidation = /(sourceChainSelector|ccipSelectorToChainId)/.test(body) &&
+    // Strip event emissions before checking: sourceChainSelector that only appears in emit
+    // calls (e.g. for logging) must not suppress the finding.
+    const bodyWithoutEmits = stripEmitLines(body);
+    const directValidation = /(sourceChainSelector|ccipSelectorToChainId)/.test(bodyWithoutEmits) &&
         /(require|revert|allowed|trusted|allowlist|supportedNetworks|UnsupportedNetwork)/i.test(body);
     const modifierValidation = /(validChain|allowlisted|allowlist|trusted|onlyAllowlisted)[^{;]*(sourceChainSelector|\.sourceChainSelector)/i.test(header);
     return directValidation || modifierValidation;
 }
 function validatesSourceSender(content, body) {
     const header = ccipHeader(content);
-    const directValidation = /(message\.sender|data\.sender|sender)/.test(body) &&
+    // Strip event emissions before checking: sender that only appears in emit
+    // calls must not suppress the finding.
+    const bodyWithoutEmits = stripEmitLines(body);
+    const directValidation = /(message\.sender|data\.sender|sender)/.test(bodyWithoutEmits) &&
         /(require|revert|allowed|trusted|allowlist|Unauthorized)/i.test(body);
     const modifierValidation = /(validSender|trustedSender|allowlistedSender|onlyAllowlisted|allowlisted|allowlist|trusted)[^{;]*(message\.sender|\.sender|sender)/i.test(header);
     return directValidation || modifierValidation;
@@ -64,6 +139,24 @@ function hasMessageIdTracking(content, body) {
         return false;
     return /(processed|received|executed|consumed|handled|seen|replay|duplicate|messageDetail|failedMessages|messageIdTo)/i.test(content);
 }
+function hasTokenPoolSender(content) {
+    return (/function\s+lockOrBurn\b/.test(content) &&
+        /(Pool\.LockOrBurnInV1|LockOrBurnInV1|is\s+[\w\s,]*TokenPool)/.test(content));
+}
+function hasTokenPoolReceiver(content) {
+    return (/function\s+releaseOrMint\b/.test(content) &&
+        /(Pool\.ReleaseOrMintInV1|ReleaseOrMintInV1|is\s+[\w\s,]*TokenPool)/.test(content));
+}
+function isTokenPoolBase(content) {
+    if (/abstract\s+contract\s+\w*TokenPool\b/.test(content))
+        return true;
+    if (/interface\s+\w*(TokenPool|IPool)\b/.test(content))
+        return true;
+    // Abstract contracts that inherit from a TokenPool base (e.g. BurnMintTokenPoolAbstract is BurnMintTokenPool)
+    if (/abstract\s+contract\s+\w+\s+is\s+[\w\s,]*TokenPool\b/.test(content))
+        return true;
+    return false;
+}
 export const ccipRules = [
     {
         metadata: {
@@ -79,7 +172,7 @@ export const ccipRules = [
             if (isCcipBaseReceiver(context.content))
                 return [];
             const body = ccipBody(context.content) || context.content;
-            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}`;
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
             if (validatesSourceChain(context.content, validationContent))
                 return [];
             return [
@@ -88,7 +181,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: messages from unexpected source chains may be accepted.",
                     risk: "Cross-chain spoofing or misrouted messages can trigger unauthorized state changes.",
@@ -111,7 +204,7 @@ export const ccipRules = [
             if (isCcipBaseReceiver(context.content))
                 return [];
             const body = ccipBody(context.content) || context.content;
-            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}`;
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
             if (validatesSourceSender(context.content, validationContent))
                 return [];
             return [
@@ -120,7 +213,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: messages from untrusted source contracts may be accepted.",
                     risk: "An attacker may spoof business instructions if sender validation is missing or incomplete.",
@@ -145,7 +238,7 @@ export const ccipRules = [
             const body = ccipBody(context.content) || context.content;
             const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}`;
             const validatesRouter = /msg\.sender\s*(!=|==)\s*(router|s_router|i_router|address\(router\))|InvalidRouter|onlyRouter|NotCcipRouter|_msgSender\(\)\s*!=\s*address\([^)]*ccipRouter/i.test(validationContent);
-            if (validatesRouter || inheritsCcipReceiver(context.content))
+            if (validatesRouter || inheritsCcipReceiver(context.content) || inheritsViaCcipReceiver(context.content, context.repoSignals))
                 return [];
             return [
                 makeFinding({
@@ -153,7 +246,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(ccipReceive|_ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: direct calls to the receiver may bypass CCIP router trust assumptions.",
                     risk: "If the entrypoint is public/external and router validation is absent, fabricated messages may be processed.",
@@ -181,6 +274,10 @@ export const ccipRules = [
             const defensiveChecks = /(message\.data\.length|try\s+this|catch|InvalidPayload|Payload|version|schema)/i.test(body);
             if (defensiveChecks)
                 return [];
+            // A trusted, validated sender already constrains the payload to the expected schema.
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
+            if (validatesSourceSender(context.content, validationContent))
+                return [];
             return [
                 makeFinding({
                     context,
@@ -222,7 +319,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "low",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: receiver business logic appears coupled to CCIP execution without a visible retry/manual path.",
                     risk: "A revert in message handling may require manual execution or leave cross-chain state inconsistent.",
@@ -294,7 +391,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "low",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: repeated or retried CCIP messages may execute mutating business logic more than once.",
                     risk: "Without idempotency tracking, replay-like operational scenarios or manual execution flows can duplicate state changes.",
@@ -303,4 +400,106 @@ export const ccipRules = [
             ];
         },
     },
+    {
+        metadata: {
+            ruleId: "CL-CCIP-008",
+            product: "ccip",
+            severity: "high",
+            title: "Potential CCIP Token Pool lockOrBurn without _validateLockOrBurn",
+            description: "lockOrBurn override does not appear to call _validateLockOrBurn.",
+        },
+        scan(context) {
+            if (!hasTokenPoolSender(context.content))
+                return [];
+            if (isTokenPoolBase(context.content))
+                return [];
+            const body = extractFunctionBody(context.content, "lockOrBurn");
+            if (!body)
+                return [];
+            if (/_validateLockOrBurn\s*\(/.test(body))
+                return [];
+            return [
+                makeFinding({
+                    context,
+                    ruleId: this.metadata.ruleId,
+                    severity: this.metadata.severity,
+                    confidence: "medium",
+                    line: firstLineMatching(context.lines, /function\s+lockOrBurn\b/),
+                    title: this.metadata.title,
+                    description: "Potential issue: lockOrBurn may skip rate limit and chain allowlist enforcement.",
+                    risk: "Omitting _validateLockOrBurn bypasses CCIP-enforced rate limits and supported-chain checks, enabling unrestricted token locking or burning.",
+                    recommendation: "Call _validateLockOrBurn(lockOrBurnIn) at the start of every lockOrBurn override before executing custom logic.",
+                }),
+            ];
+        },
+    },
+    {
+        metadata: {
+            ruleId: "CL-CCIP-009",
+            product: "ccip",
+            severity: "high",
+            title: "Potential CCIP Token Pool releaseOrMint without _validateReleaseOrMint",
+            description: "releaseOrMint override does not appear to call _validateReleaseOrMint.",
+        },
+        scan(context) {
+            if (!hasTokenPoolReceiver(context.content))
+                return [];
+            if (isTokenPoolBase(context.content))
+                return [];
+            const body = extractFunctionBody(context.content, "releaseOrMint");
+            if (!body)
+                return [];
+            if (/_validateReleaseOrMint\s*\(/.test(body))
+                return [];
+            return [
+                makeFinding({
+                    context,
+                    ruleId: this.metadata.ruleId,
+                    severity: this.metadata.severity,
+                    confidence: "medium",
+                    line: firstLineMatching(context.lines, /function\s+releaseOrMint\b/),
+                    title: this.metadata.title,
+                    description: "Potential issue: releaseOrMint may skip offRamp caller verification and rate limit enforcement.",
+                    risk: "Omitting _validateReleaseOrMint allows arbitrary callers to trigger token minting or release, bypassing CCIP trust boundaries.",
+                    recommendation: "Call _validateReleaseOrMint(releaseOrMintIn) at the start of every releaseOrMint override before minting or releasing tokens.",
+                }),
+            ];
+        },
+    },
+    {
+        metadata: {
+            ruleId: "CL-CCIP-010",
+            product: "ccip",
+            severity: "medium",
+            title: "Potential unsafe CCIP Token Pool sourcePoolData decoding",
+            description: "releaseOrMint decodes sourcePoolData without obvious defensive checks.",
+        },
+        scan(context) {
+            if (!hasTokenPoolReceiver(context.content))
+                return [];
+            if (isTokenPoolBase(context.content))
+                return [];
+            const body = extractFunctionBody(context.content, "releaseOrMint");
+            if (!body)
+                return [];
+            if (!/abi\.decode\s*\(\s*(?:releaseOrMintIn\.)?sourcePoolData/.test(body))
+                return [];
+            const defensiveChecks = /(sourcePoolData\.length|try\s+this|catch|InvalidSourcePoolData|InvalidPayload|schema|version)/i.test(body);
+            if (defensiveChecks)
+                return [];
+            return [
+                makeFinding({
+                    context,
+                    ruleId: this.metadata.ruleId,
+                    severity: this.metadata.severity,
+                    confidence: "low",
+                    line: firstLineMatching(context.lines, /abi\.decode\s*\(\s*(?:releaseOrMintIn\.)?sourcePoolData/),
+                    title: this.metadata.title,
+                    description: "Potential issue: malformed or unexpected sourcePoolData may cause releaseOrMint to revert and block token delivery.",
+                    risk: "If sourcePoolData schema changes across an upgrade or pool version, decoding failures can permanently brick in-flight transfers.",
+                    recommendation: "Validate sourcePoolData length or schema before decoding, or isolate decode failures so they can be handled without reverting the entire transfer.",
+                }),
+            ];
+        },
+    },
 ];

package/dist/rules/data-feeds.js

@@ -1,4 +1,8 @@
 import { firstLineMatching, hasAny, makeFinding } from "./helpers.js";
+const AGGREGATOR_WRAPPER_PATTERN = /function\s+latestRoundData\s*\([^)]*\)\s*(?:external|public|view|override|virtual|\s)*returns\s*\(\s*uint80\s*,\s*int256\s*,\s*uint256\s*,\s*uint256\s*,\s*uint80\s*\)\s*\{/s;
+function isAggregatorWrapper(content) {
+    return AGGREGATOR_WRAPPER_PATTERN.test(content);
+}
 export const dataFeedRules = [
     {
         metadata: {
@@ -11,6 +15,8 @@ export const dataFeedRules = [
         scan(context) {
             if (!/\.latestRoundData\s*\(/.test(context.content))
                 return [];
+            if (isAggregatorWrapper(context.content))
+                return [];
             const hasFreshnessCheck = /updatedAt/.test(context.content) &&
                 /(block\.timestamp|maxStaleness|stale|heartbeat|updatedAt\s*!=\s*0)/i.test(context.content);
             if (hasFreshnessCheck)
@@ -41,11 +47,18 @@ export const dataFeedRules = [
         scan(context) {
             if (!/\.latestRoundData\s*\(/.test(context.content))
                 return [];
+            if (isAggregatorWrapper(context.content))
+                return [];
             const hasPositiveAnswerCheck = hasAny(context.content, [
-                /answer\s*>\s*0/,
-                /price\s*>\s*0/,
-                /oracleAnswer\s*>\s*0/,
+                /answer\s*>=?\s*0/,
+                /price\s*>=?\s*0/,
+                /oracleAnswer\s*>=?\s*0/,
                 /InvalidOracleAnswer/,
+                /answer\s*<=?\s*0/,
+                /price\s*<=?\s*0/,
+                /oracleAnswer\s*<=?\s*0/,
+                /Invalid(?:Oracle)?(?:Price|Answer|Round)/i,
+                /\.\s*minAnswer\s*\(\s*\)/,
             ]);
             if (hasPositiveAnswerCheck)
                 return [];

package/dist/rules/functions-cre.js

@@ -1,6 +1,6 @@
 import { firstLineMatching, hasAny, makeFinding } from "./helpers.js";
 function hasFunctions(content) {
-    return /(FunctionsClient|FunctionsRequest|sendRequest|fulfillRequest|DONHostedSecrets|sourceCode|secrets)/i.test(content);
+    return /(FunctionsClient|FunctionsRequest|\bsendRequest\s*\(|\bfulfillRequest\s*\(|DONHostedSecrets|sourceCode|secrets)/i.test(content);
 }
 export const functionsCreRules = [
     {

package/dist/rules/helpers.js

@@ -5,8 +5,11 @@ export function firstLineMatching(lines, pattern) {
 export function hasAny(content, patterns) {
     return patterns.some((pattern) => pattern.test(content));
 }
-export function extractFunctionBody(content, functionName) {
-    const match = new RegExp(`function\\s+${functionName}\\b`).exec(content);
+export function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+export function extractBlockBody(content, declarationPattern) {
+    const match = declarationPattern.exec(content);
     if (!match)
         return "";
     const open = content.indexOf("{", match.index);
@@ -24,9 +27,18 @@ export function extractFunctionBody(content, functionName) {
     }
     return content.slice(open + 1);
 }
+export function extractFunctionBody(content, functionName) {
+    return extractBlockBody(content, new RegExp(`function\\s+${functionName}\\b`));
+}
 export function countMatches(content, patterns) {
     return patterns.reduce((count, pattern) => count + (pattern.test(content) ? 1 : 0), 0);
 }
+export function isInterfaceOnlyFile(content) {
+    const declarations = [...content.matchAll(/\b(?:abstract\s+)?(contract|library|interface)\s+\w+(?:\s+is\s+[^{]+)?\s*\{/g)];
+    if (declarations.length === 0)
+        return false;
+    return declarations.every((match) => match[1] === "interface");
+}
 export function makeFinding(input) {
     return {
         ruleId: input.ruleId,

package/dist/rules/vrf.js

@@ -1,4 +1,4 @@
-import { countMatches, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { countMatches, extractFunctionBody, firstLineMatching, isInterfaceOnlyFile, makeFinding } from "./helpers.js";
 function hasVrf(content) {
     return /(VRFConsumerBase|VRFCoordinator|function\s+fulfillRandomWords\b|requestRandomWords)/.test(content);
 }
@@ -78,6 +78,8 @@ export const vrfRules = [
         scan(context) {
             if (!/requestRandomWords\s*\(/.test(context.content))
                 return [];
+            if (isInterfaceOnlyFile(context.content))
+                return [];
             const tracksBeforeFulfillment = /(pendingRequests|requestStatus|requests)\s*\[.*\]\s*=/.test(context.content);
             if (tracksBeforeFulfillment)
                 return [];

package/dist/scanner.js

@@ -60,7 +60,16 @@ function isExcluded(fileOrDirectory, scanRoot, config) {
 async function collectSolidityFiles(targetPath, scanRoot, config) {
     if (isExcluded(targetPath, scanRoot, config))
         return [];
-    const stat = await fs.stat(targetPath);
+    let stat;
+    try {
+        stat = await fs.stat(targetPath);
+    }
+    catch (error) {
+        const code = error && typeof error === "object" && "code" in error ? error.code : undefined;
+        if (code === "ENOENT" || code === "ELOOP")
+            return [];
+        throw error;
+    }
     if (stat.isFile()) {
         if (!targetPath.endsWith(".sol"))
             return [];
@@ -78,7 +87,7 @@ function detectProducts(files) {
     const allContent = files.map((file) => file.content).join("\n");
     if (/(AggregatorV3Interface|latestRoundData|IChainlinkAggregator)/.test(allContent))
         products.add("data-feeds");
-    if (/(CCIPReceiver|Any2EVMMessage|IRouterClient|_ccipReceive|ccipReceive|sourceChainSelector)/.test(allContent))
+    if (/(CCIPReceiver|Any2EVMMessage|IRouterClient|_ccipReceive|ccipReceive|sourceChainSelector|TokenPool|LockOrBurnInV1|ReleaseOrMintInV1|_validateLockOrBurn|_validateReleaseOrMint)/.test(allContent))
         products.add("ccip");
     if (/(VRFConsumerBase|VRFCoordinator|fulfillRandomWords|requestRandomWords)/.test(allContent))
         products.add("vrf");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chainlink-audit",
-  "version": "0.3.0",
+  "version": "0.3.3",
   "description": "Security review CLI for flagging unverified Chainlink integration risk leads in Solidity repositories.",
   "license": "MIT",
   "type": "module",
@@ -41,6 +41,7 @@
     "build": "tsc -p tsconfig.json",
     "test": "vitest run",
     "dev": "tsx src/index.ts",
+    "benchmark:ecosystem": "tsx scripts/benchmark-ecosystem.ts",
     "prepack": "npm run build"
   },
   "dependencies": {