chainlink-audit 0.3.1 → 0.3.3

package/README.md

@@ -17,6 +17,17 @@ Results are heuristic risk leads for manual review, not confirmed vulnerabilitie
 
 Use `chainlink-audit triage <report.json>` to turn JSON scan output into a manual review checklist.
 
+## Ecosystem Benchmark
+
+The repository includes a pinned Chainlink Ecosystem benchmark manifest at `benchmarks/ecosystem-repos.json`.
+It tracks public GitHub repositories for Ecosystem projects outside the original manual audit sample.
+
+```bash
+npm run benchmark:ecosystem -- --out ../../cache/ecosystem-benchmark-report.json
+```
+
+The runner clones pinned commits into `../../cache/ecosystem-benchmark`, scans each checkout, and writes an aggregate JSON report with per-project and per-rule lead counts.
+
 Published package: https://www.npmjs.com/package/chainlink-audit
 
 See the repository README for full documentation:

package/dist/benchmark.js

@@ -0,0 +1,58 @@
+function increment(map, key, value = 1) {
+    map[key] = (map[key] ?? 0) + value;
+}
+function sortCounts(counts) {
+    return Object.fromEntries(Object.entries(counts).sort(([leftKey, leftValue], [rightKey, rightValue]) => {
+        return rightValue - leftValue || leftKey.localeCompare(rightKey);
+    }));
+}
+function productFromRuleId(ruleId) {
+    const productCode = ruleId.split("-")[1]?.toUpperCase();
+    return ({
+        AUTO: "automation",
+        CCIP: "ccip",
+        DF: "data-feeds",
+        FN: "functions-cre",
+        VRF: "vrf",
+    }[productCode ?? ""] ?? "unknown");
+}
+export function summarizeScanResults(manifestRepositories, scanResults) {
+    return scanResults.map((result, index) => {
+        const repository = manifestRepositories[index];
+        const findingsByRule = {};
+        for (const finding of result.findings) {
+            increment(findingsByRule, finding.ruleId);
+        }
+        return {
+            project: repository.project,
+            githubUrl: repository.githubUrl,
+            commit: repository.commit,
+            scannedFiles: result.scannedFiles,
+            scannerProducts: result.products,
+            totalFindings: result.findings.length,
+            findingsByRule: sortCounts(findingsByRule),
+        };
+    });
+}
+export function summarizeBenchmarkResults(projectResults) {
+    const products = new Set();
+    const findingsByRule = {};
+    const findingsByProduct = {};
+    for (const result of projectResults) {
+        for (const product of result.scannerProducts) {
+            products.add(product);
+        }
+        for (const [ruleId, count] of Object.entries(result.findingsByRule)) {
+            increment(findingsByRule, ruleId, count);
+            increment(findingsByProduct, productFromRuleId(ruleId), count);
+        }
+    }
+    return {
+        repositoryCount: projectResults.length,
+        scannedFiles: projectResults.reduce((total, result) => total + result.scannedFiles, 0),
+        totalFindings: projectResults.reduce((total, result) => total + result.totalFindings, 0),
+        scannerProducts: [...products].sort(),
+        findingsByRule: sortCounts(findingsByRule),
+        findingsByProduct: sortCounts(findingsByProduct),
+    };
+}

package/dist/rules/automation.js

@@ -1,7 +1,17 @@
-import { extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { escapeRegExp, extractFunctionBody, firstLineMatching, isInterfaceOnlyFile, makeFinding } from "./helpers.js";
 function hasAutomation(content) {
     return /(AutomationCompatibleInterface|KeeperCompatibleInterface|function\s+checkUpkeep\b|function\s+performUpkeep\b)/.test(content);
 }
+function internalCallBodies(content, body) {
+    const calledNames = [...body.matchAll(/\b([a-zA-Z_]\w*)\s*\(/g)].map((match) => match[1]);
+    return [...new Set(calledNames)]
+        .map((name) => {
+        const declaration = new RegExp(`function\\s+${escapeRegExp(name)}\\b[^{;]*\\b(internal|private)\\b`);
+        return declaration.test(content) ? extractFunctionBody(content, name) : "";
+    })
+        .filter(Boolean)
+        .join("\n");
+}
 export const automationRules = [
     {
         metadata: {
@@ -17,8 +27,9 @@ export const automationRules = [
             const body = extractFunctionBody(context.content, "performUpkeep");
             if (!body)
                 return [];
-            const revalidates = /(require|revert|UpkeepNotNeeded|checkUpkeep)/.test(body) &&
-                /(block\.timestamp|lastExecutedAt|interval|upkeepNeeded|balance|paused)/.test(body);
+            const extendedBody = `${body}\n${internalCallBodies(context.content, body)}`;
+            const revalidates = /(require|revert|UpkeepNotNeeded|checkUpkeep)/.test(extendedBody) &&
+                /(block\.timestamp|lastExecutedAt|interval|upkeepNeeded|balance|paused)/.test(extendedBody);
             if (revalidates)
                 return [];
             return [
@@ -81,7 +92,10 @@ export const automationRules = [
                 return [];
             if (!/function\s+performUpkeep\b/.test(context.content))
                 return [];
-            const hasPause = /(Pausable|whenNotPaused|paused|pause\(|emergency|guardian)/i.test(context.content);
+            if (isInterfaceOnlyFile(context.content))
+                return [];
+            const pausePattern = /(Pausable|whenNotPaused|paused|unpause|pause\w*\s*\(|emergency|guardian|abort\w*\s*\(|dismantle|kill\w*\s*\(|circuitBreak)/i;
+            const hasPause = pausePattern.test(context.content) || context.repoSignals.files.some((file) => pausePattern.test(file.content));
             if (hasPause)
                 return [];
             return [

package/dist/rules/ccip.js

@@ -1,7 +1,8 @@
-import { countMatches, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { countMatches, escapeRegExp, extractBlockBody, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
 function ccipBody(content) {
     return [extractFunctionBody(content, "ccipReceive"), extractFunctionBody(content, "_ccipReceive")].filter(Boolean).join("\n");
 }
+const CCIP_RECEIVE_DECL = /function\s+(_ccipReceive|ccipReceive)\b/;
 function ccipHeader(content) {
     const match = /function\s+(_ccipReceive|ccipReceive)\b[^{;]*/.exec(content);
     return match?.[0] ?? "";
@@ -31,9 +32,6 @@ function isCcipBaseReceiver(content) {
 function inheritsCcipReceiver(content) {
     return /\bis\s+[\s\S{]*\bCCIPReceiver(Upgradeable)?\b/.test(content);
 }
-function escapeRegExp(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
 function extractParentNames(content) {
     const match = /\bcontract\s+\w+\s+is\s+([\w\s,]+?)(?:\{|$)/m.exec(content);
     if (!match)
@@ -58,6 +56,44 @@ function delegatedCcipContent(body, repoSignals) {
     const delegate = repoSignals.files.find((file) => typePattern.test(file.content) && functionPattern.test(file.content));
     return delegate ? `${body}\n${delegate.content}` : body;
 }
+function extractModifierNames(header) {
+    const afterParams = header.replace(/^function\s+\w+\s*\([^)]*\)/s, "");
+    const names = afterParams.match(/\b[A-Za-z_]\w*\b/g) ?? [];
+    const keywords = new Set([
+        "external",
+        "public",
+        "internal",
+        "private",
+        "view",
+        "pure",
+        "payable",
+        "override",
+        "virtual",
+        "returns",
+    ]);
+    return [...new Set(names)].filter((name) => !keywords.has(name));
+}
+function resolveModifierBodies(content, repoSignals) {
+    const header = ccipHeader(content);
+    const modifierNames = extractModifierNames(header);
+    if (modifierNames.length === 0)
+        return "";
+    const parents = extractParentNames(content);
+    const parentFiles = repoSignals.files.filter((file) => parents.some((parent) => new RegExp(`\\b(?:abstract\\s+)?contract\\s+${escapeRegExp(parent)}\\b`).test(file.content)));
+    const candidateFiles = [{ content }, ...parentFiles];
+    return modifierNames
+        .map((name) => {
+        const declaration = new RegExp(`modifier\\s+${escapeRegExp(name)}\\b`);
+        for (const file of candidateFiles) {
+            const body = extractBlockBody(file.content, declaration);
+            if (body)
+                return body;
+        }
+        return "";
+    })
+        .filter(Boolean)
+        .join("\n");
+}
 function stripEmitLines(body) {
     return body
         .split("\n")
@@ -136,7 +172,7 @@ export const ccipRules = [
             if (isCcipBaseReceiver(context.content))
                 return [];
             const body = ccipBody(context.content) || context.content;
-            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}`;
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
             if (validatesSourceChain(context.content, validationContent))
                 return [];
             return [
@@ -145,7 +181,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: messages from unexpected source chains may be accepted.",
                     risk: "Cross-chain spoofing or misrouted messages can trigger unauthorized state changes.",
@@ -168,7 +204,7 @@ export const ccipRules = [
             if (isCcipBaseReceiver(context.content))
                 return [];
             const body = ccipBody(context.content) || context.content;
-            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}`;
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
             if (validatesSourceSender(context.content, validationContent))
                 return [];
             return [
@@ -177,7 +213,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: messages from untrusted source contracts may be accepted.",
                     risk: "An attacker may spoof business instructions if sender validation is missing or incomplete.",
@@ -210,7 +246,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "medium",
-                    line: firstLineMatching(context.lines, /(ccipReceive|_ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: direct calls to the receiver may bypass CCIP router trust assumptions.",
                     risk: "If the entrypoint is public/external and router validation is absent, fabricated messages may be processed.",
@@ -238,6 +274,10 @@ export const ccipRules = [
             const defensiveChecks = /(message\.data\.length|try\s+this|catch|InvalidPayload|Payload|version|schema)/i.test(body);
             if (defensiveChecks)
                 return [];
+            // A trusted, validated sender already constrains the payload to the expected schema.
+            const validationContent = `${ccipHeader(context.content)}\n${delegatedCcipContent(body, context.repoSignals)}\n${resolveModifierBodies(context.content, context.repoSignals)}`;
+            if (validatesSourceSender(context.content, validationContent))
+                return [];
             return [
                 makeFinding({
                     context,
@@ -279,7 +319,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "low",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: receiver business logic appears coupled to CCIP execution without a visible retry/manual path.",
                     risk: "A revert in message handling may require manual execution or leave cross-chain state inconsistent.",
@@ -351,7 +391,7 @@ export const ccipRules = [
                     ruleId: this.metadata.ruleId,
                     severity: this.metadata.severity,
                     confidence: "low",
-                    line: firstLineMatching(context.lines, /(_ccipReceive|ccipReceive)/),
+                    line: firstLineMatching(context.lines, CCIP_RECEIVE_DECL),
                     title: this.metadata.title,
                     description: "Potential issue: repeated or retried CCIP messages may execute mutating business logic more than once.",
                     risk: "Without idempotency tracking, replay-like operational scenarios or manual execution flows can duplicate state changes.",

package/dist/rules/data-feeds.js

@@ -1,4 +1,8 @@
 import { firstLineMatching, hasAny, makeFinding } from "./helpers.js";
+const AGGREGATOR_WRAPPER_PATTERN = /function\s+latestRoundData\s*\([^)]*\)\s*(?:external|public|view|override|virtual|\s)*returns\s*\(\s*uint80\s*,\s*int256\s*,\s*uint256\s*,\s*uint256\s*,\s*uint80\s*\)\s*\{/s;
+function isAggregatorWrapper(content) {
+    return AGGREGATOR_WRAPPER_PATTERN.test(content);
+}
 export const dataFeedRules = [
     {
         metadata: {
@@ -11,6 +15,8 @@ export const dataFeedRules = [
         scan(context) {
             if (!/\.latestRoundData\s*\(/.test(context.content))
                 return [];
+            if (isAggregatorWrapper(context.content))
+                return [];
             const hasFreshnessCheck = /updatedAt/.test(context.content) &&
                 /(block\.timestamp|maxStaleness|stale|heartbeat|updatedAt\s*!=\s*0)/i.test(context.content);
             if (hasFreshnessCheck)
@@ -41,11 +47,18 @@ export const dataFeedRules = [
         scan(context) {
             if (!/\.latestRoundData\s*\(/.test(context.content))
                 return [];
+            if (isAggregatorWrapper(context.content))
+                return [];
             const hasPositiveAnswerCheck = hasAny(context.content, [
-                /answer\s*>\s*0/,
-                /price\s*>\s*0/,
-                /oracleAnswer\s*>\s*0/,
+                /answer\s*>=?\s*0/,
+                /price\s*>=?\s*0/,
+                /oracleAnswer\s*>=?\s*0/,
                 /InvalidOracleAnswer/,
+                /answer\s*<=?\s*0/,
+                /price\s*<=?\s*0/,
+                /oracleAnswer\s*<=?\s*0/,
+                /Invalid(?:Oracle)?(?:Price|Answer|Round)/i,
+                /\.\s*minAnswer\s*\(\s*\)/,
             ]);
             if (hasPositiveAnswerCheck)
                 return [];

package/dist/rules/functions-cre.js

@@ -1,6 +1,6 @@
 import { firstLineMatching, hasAny, makeFinding } from "./helpers.js";
 function hasFunctions(content) {
-    return /(FunctionsClient|FunctionsRequest|sendRequest|fulfillRequest|DONHostedSecrets|sourceCode|secrets)/i.test(content);
+    return /(FunctionsClient|FunctionsRequest|\bsendRequest\s*\(|\bfulfillRequest\s*\(|DONHostedSecrets|sourceCode|secrets)/i.test(content);
 }
 export const functionsCreRules = [
     {

package/dist/rules/helpers.js

@@ -5,8 +5,11 @@ export function firstLineMatching(lines, pattern) {
 export function hasAny(content, patterns) {
     return patterns.some((pattern) => pattern.test(content));
 }
-export function extractFunctionBody(content, functionName) {
-    const match = new RegExp(`function\\s+${functionName}\\b`).exec(content);
+export function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+export function extractBlockBody(content, declarationPattern) {
+    const match = declarationPattern.exec(content);
     if (!match)
         return "";
     const open = content.indexOf("{", match.index);
@@ -24,9 +27,18 @@ export function extractFunctionBody(content, functionName) {
     }
     return content.slice(open + 1);
 }
+export function extractFunctionBody(content, functionName) {
+    return extractBlockBody(content, new RegExp(`function\\s+${functionName}\\b`));
+}
 export function countMatches(content, patterns) {
     return patterns.reduce((count, pattern) => count + (pattern.test(content) ? 1 : 0), 0);
 }
+export function isInterfaceOnlyFile(content) {
+    const declarations = [...content.matchAll(/\b(?:abstract\s+)?(contract|library|interface)\s+\w+(?:\s+is\s+[^{]+)?\s*\{/g)];
+    if (declarations.length === 0)
+        return false;
+    return declarations.every((match) => match[1] === "interface");
+}
 export function makeFinding(input) {
     return {
         ruleId: input.ruleId,

package/dist/rules/vrf.js

@@ -1,4 +1,4 @@
-import { countMatches, extractFunctionBody, firstLineMatching, makeFinding } from "./helpers.js";
+import { countMatches, extractFunctionBody, firstLineMatching, isInterfaceOnlyFile, makeFinding } from "./helpers.js";
 function hasVrf(content) {
     return /(VRFConsumerBase|VRFCoordinator|function\s+fulfillRandomWords\b|requestRandomWords)/.test(content);
 }
@@ -78,6 +78,8 @@ export const vrfRules = [
         scan(context) {
             if (!/requestRandomWords\s*\(/.test(context.content))
                 return [];
+            if (isInterfaceOnlyFile(context.content))
+                return [];
             const tracksBeforeFulfillment = /(pendingRequests|requestStatus|requests)\s*\[.*\]\s*=/.test(context.content);
             if (tracksBeforeFulfillment)
                 return [];

package/dist/scanner.js

@@ -60,7 +60,16 @@ function isExcluded(fileOrDirectory, scanRoot, config) {
 async function collectSolidityFiles(targetPath, scanRoot, config) {
     if (isExcluded(targetPath, scanRoot, config))
         return [];
-    const stat = await fs.stat(targetPath);
+    let stat;
+    try {
+        stat = await fs.stat(targetPath);
+    }
+    catch (error) {
+        const code = error && typeof error === "object" && "code" in error ? error.code : undefined;
+        if (code === "ENOENT" || code === "ELOOP")
+            return [];
+        throw error;
+    }
     if (stat.isFile()) {
         if (!targetPath.endsWith(".sol"))
             return [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "chainlink-audit",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "Security review CLI for flagging unverified Chainlink integration risk leads in Solidity repositories.",
   "license": "MIT",
   "type": "module",
@@ -41,6 +41,7 @@
     "build": "tsc -p tsconfig.json",
     "test": "vitest run",
     "dev": "tsx src/index.ts",
+    "benchmark:ecosystem": "tsx scripts/benchmark-ecosystem.ts",
     "prepack": "npm run build"
   },
   "dependencies": {