solidity-argus 0.2.0 → 0.3.2

package/src/utils/solidity-parser.ts

@@ -1,22 +1,25 @@
-import type { ContractProfile } from "../state/types";
+import * as parser from "@solidity-parser/parser"
+import type { ContractProfile } from "../state/types"
+
+const EXTERNAL_CALL_METHODS = new Set(["call", "transfer", "send", "delegatecall", "staticcall"])
 
 interface ABIFunction {
-  type: string;
-  name: string;
-  inputs?: Array<{ name: string; type: string }>;
-  outputs?: Array<{ name: string; type: string }>;
-  stateMutability?: string;
+  type: string
+  name: string
+  inputs?: Array<{ name: string; type: string }>
+  outputs?: Array<{ name: string; type: string }>
+  stateMutability?: string
 }
 
 interface StorageLayoutItem {
-  label: string;
-  type: string;
-  slot: string;
+  label: string
+  type: string
+  slot: string
 }
 
 interface StorageLayout {
-  storage: StorageLayoutItem[];
-  types: Record<string, { label: string }>;
+  storage: StorageLayoutItem[]
+  types: Record<string, { label: string }>
 }
 
 /**
@@ -24,13 +27,117 @@ interface StorageLayout {
  * prefix (e.g. forge table-format output, compilation progress).
  * Falls back to the original string if no JSON delimiter is found.
  */
-function extractJson(raw: string, opener: "[" | "{"): string {
-  const closer = opener === "[" ? "]" : "}";
-  const start = raw.indexOf(opener);
-  if (start === -1) return raw;
-  const end = raw.lastIndexOf(closer);
-  if (end === -1) return raw;
-  return raw.slice(start, end + 1);
+export function extractJson(raw: string, opener: "[" | "{"): string {
+  const start = raw.indexOf(opener)
+  if (start === -1) return raw
+
+  let depth = 0
+  let inString = false
+  let escaped = false
+
+  for (let i = start; i < raw.length; i++) {
+    const ch = raw.charAt(i)
+
+    if (inString) {
+      if (escaped) {
+        escaped = false
+        continue
+      }
+      if (ch === "\\") {
+        escaped = true
+        continue
+      }
+      if (ch === '"') {
+        inString = false
+      }
+      continue
+    }
+
+    if (ch === '"') {
+      inString = true
+      continue
+    }
+
+    if (ch === "{" || ch === "[") {
+      depth++
+    } else if (ch === "}" || ch === "]") {
+      depth--
+      if (depth === 0) {
+        return raw.slice(start, i + 1)
+      }
+    }
+  }
+
+  return raw
+}
+
+function toRecord(value: unknown): Record<string, unknown> | undefined {
+  if (typeof value === "object" && value !== null) {
+    return value as Record<string, unknown>
+  }
+
+  return undefined
+}
+
+function extractNodeExpressionName(node: unknown): string | undefined {
+  const record = toRecord(node)
+  if (!record) return undefined
+
+  const type = typeof record.type === "string" ? record.type : undefined
+  if (!type) return undefined
+
+  if (type === "Identifier") {
+    return typeof record.name === "string" ? record.name : undefined
+  }
+
+  if (type === "ThisExpression") {
+    return "this"
+  }
+
+  if (type === "MemberAccess") {
+    const expressionName = extractNodeExpressionName(record.expression)
+    const memberName = typeof record.memberName === "string" ? record.memberName : undefined
+
+    if (expressionName && memberName) {
+      return `${expressionName}.${memberName}`
+    }
+
+    return expressionName ?? memberName
+  }
+
+  if (type === "IndexAccess") {
+    return extractNodeExpressionName(record.base)
+  }
+
+  if (type === "FunctionCall") {
+    return extractNodeExpressionName(record.expression)
+  }
+
+  return undefined
+}
+
+export function parseExternalCalls(sourceText: string): string[] {
+  try {
+    const ast = parser.parse(sourceText, { tolerant: true, loc: false, range: false })
+    const externalCalls = new Set<string>()
+
+    parser.visit(ast, {
+      MemberAccess(node: unknown) {
+        const record = toRecord(node)
+        if (!record) return
+
+        const memberName = typeof record.memberName === "string" ? record.memberName : undefined
+        if (!memberName || !EXTERNAL_CALL_METHODS.has(memberName)) return
+
+        const expressionName = extractNodeExpressionName(record.expression)
+        externalCalls.add(expressionName ? `${expressionName}.${memberName}` : memberName)
+      },
+    })
+
+    return [...externalCalls]
+  } catch {
+    return []
+  }
 }
 
 /**
@@ -41,7 +148,7 @@ function extractJson(raw: string, opener: "[" | "{"): string {
  */
 export async function extractContractInfo(
   contractName: string,
-  projectDir: string
+  projectDir: string,
 ): Promise<ContractProfile> {
   const result: ContractProfile = {
     name: contractName,
@@ -52,23 +159,21 @@ export async function extractContractInfo(
     accessControlPattern: "none",
     externalCalls: [],
     riskIndicators: [],
-  };
+  }
 
   try {
     // Run forge inspect abi
-    const abiResult = Bun.spawnSync(
-      ["forge", "inspect", contractName, "abi", "--json"],
-      {
-        cwd: projectDir,
-        stdout: "pipe",
-        stderr: "pipe",
-      }
-    );
+    const abiResult = Bun.spawnSync(["forge", "inspect", contractName, "abi", "--json"], {
+      cwd: projectDir,
+      stdout: "pipe",
+      stderr: "pipe",
+      timeout: 15_000,
+    })
 
     if (!abiResult.success) {
-      const errorMsg = abiResult.stderr?.toString() || "Unknown error";
-      result.error = `Failed to inspect ABI: ${errorMsg}`;
-      return result;
+      const errorMsg = abiResult.stderr?.toString() || "Unknown error"
+      result.error = `Failed to inspect ABI: ${errorMsg}`
+      return result
     }
 
     // Run forge inspect storage-layout
@@ -78,65 +183,66 @@ export async function extractContractInfo(
         cwd: projectDir,
         stdout: "pipe",
         stderr: "pipe",
-      }
-    );
+        timeout: 15_000,
+      },
+    )
 
     if (!storageResult.success) {
-      const errorMsg = storageResult.stderr?.toString() || "Unknown error";
-      result.error = `Failed to inspect storage layout: ${errorMsg}`;
-      return result;
+      const errorMsg = storageResult.stderr?.toString() || "Unknown error"
+      result.error = `Failed to inspect storage layout: ${errorMsg}`
+      return result
     }
 
     // Parse ABI
-    const abiRaw = abiResult.stdout?.toString() || "[]";
-    const abiOutput = extractJson(abiRaw, "[");
-    let abi: ABIFunction[] = [];
+    const abiRaw = abiResult.stdout?.toString() || "[]"
+    const abiOutput = extractJson(abiRaw, "[")
+    let abi: ABIFunction[] = []
     try {
-      abi = JSON.parse(abiOutput);
+      abi = JSON.parse(abiOutput)
     } catch (e) {
-      result.error = `Failed to parse ABI JSON: ${e instanceof Error ? e.message : "Unknown error"}`;
-      return result;
+      result.error = `Failed to parse ABI JSON: ${e instanceof Error ? e.message : "Unknown error"}`
+      return result
     }
 
     // Parse storage layout
-    const storageRaw = storageResult.stdout?.toString() || "{}";
-    const storageOutput = extractJson(storageRaw, "{");
-    let storageLayout: StorageLayout = { storage: [], types: {} };
+    const storageRaw = storageResult.stdout?.toString() || "{}"
+    const storageOutput = extractJson(storageRaw, "{")
+    let storageLayout: StorageLayout = { storage: [], types: {} }
     try {
-      storageLayout = JSON.parse(storageOutput);
+      storageLayout = JSON.parse(storageOutput)
     } catch (e) {
-      result.error = `Failed to parse storage layout JSON: ${e instanceof Error ? e.message : "Unknown error"}`;
-      return result;
+      result.error = `Failed to parse storage layout JSON: ${e instanceof Error ? e.message : "Unknown error"}`
+      return result
     }
 
     // Extract functions from ABI
-    const functions = abi.filter((item) => item.type === "function");
+    const functions = abi.filter((item) => item.type === "function")
     result.functions = functions.map((func) => ({
       name: func.name || "",
       visibility: mapStateMutabilityToVisibility(func.stateMutability || "nonpayable"),
       mutability: func.stateMutability || "nonpayable",
       modifiers: [],
-    }));
+    }))
 
     // Extract state variables from storage layout
     result.stateVars = storageLayout.storage.map((item) => {
-      const typeInfo = storageLayout.types[item.type];
-      const typeLabel = typeInfo?.label || item.type;
+      const typeInfo = storageLayout.types[item.type]
+      const typeLabel = typeInfo?.label || item.type
 
       return {
         name: item.label,
         type: typeLabel,
         visibility: "internal", // Default visibility for storage vars
-      };
-    });
+      }
+    })
 
     // Detect access control pattern
-    result.accessControlPattern = detectAccessControlPattern(result.functions);
+    result.accessControlPattern = detectAccessControlPattern(result.functions)
 
-    return result;
+    return result
   } catch (e) {
-    result.error = `Unexpected error: ${e instanceof Error ? e.message : "Unknown error"}`;
-    return result;
+    result.error = `Unexpected error: ${e instanceof Error ? e.message : "Unknown error"}`
+    return result
   }
 }
 
@@ -144,18 +250,16 @@ export async function extractContractInfo(
  * Map Solidity stateMutability to visibility
  * ABI doesn't directly specify visibility, so we infer from mutability
  */
-function mapStateMutabilityToVisibility(
-  stateMutability: string
-): string {
+function mapStateMutabilityToVisibility(stateMutability: string): string {
   switch (stateMutability) {
     case "pure":
     case "view":
-      return "view";
+      return "view"
     case "payable":
     case "nonpayable":
-      return "external";
+      return "external"
     default:
-      return "external";
+      return "external"
   }
 }
 
@@ -163,28 +267,24 @@ function mapStateMutabilityToVisibility(
  * Detect access control pattern from function names and signatures
  */
 function detectAccessControlPattern(
-  functions: Array<{ name: string; visibility: string; mutability: string; modifiers: string[] }>
+  functions: Array<{ name: string; visibility: string; mutability: string; modifiers: string[] }>,
 ): "ownable" | "access-control" | "custom" | "none" {
-  const functionNames = functions.map((f) => f.name.toLowerCase());
+  const functionNames = functions.map((f) => f.name.toLowerCase())
 
   // Check for Ownable pattern
   if (functionNames.includes("owner") || functionNames.includes("transferownership")) {
-    return "ownable";
+    return "ownable"
   }
 
   // Check for AccessControl pattern (OpenZeppelin)
   if (functionNames.includes("hasrole") || functionNames.includes("grantrole")) {
-    return "access-control";
+    return "access-control"
   }
 
   // Check for custom access control patterns
-  if (
-    functionNames.some((name) =>
-      name.includes("onlyadmin") || name.includes("requireadmin")
-    )
-  ) {
-    return "custom";
+  if (functionNames.some((name) => name.includes("onlyadmin") || name.includes("requireadmin"))) {
+    return "custom"
   }
 
-  return "none";
+  return "none"
 }

package/skills/patterns/access-control.yaml

@@ -1,31 +0,0 @@
-pack_name: access-control
-pack_version: "1.0"
-patterns:
-  - name: missing-access-modifier
-    category: access-control
-    severity: High
-    swc: SWC-105
-    confidence: Low
-    version: "1.0"
-    regex: 'function\s+\w+\s*\([^)]*\)\s+(external|public)'
-    description: External or public function — verify appropriate access control modifiers (onlyOwner, onlyRole, require(msg.sender)) are applied
-    remediation: Add access control modifiers to sensitive functions; use OpenZeppelin AccessControl or Ownable patterns
-
-  - name: unprotected-initialize
-    category: access-control
-    severity: Critical
-    confidence: High
-    version: "1.0"
-    regex: 'function\s+initialize'
-    description: Initializer function detected — if missing initializer modifier, anyone can call and take ownership of the contract
-    remediation: Use OpenZeppelin Initializable with initializer modifier; call _disableInitializers() in constructor for implementation contracts
-
-  - name: default-visibility
-    category: access-control
-    severity: Medium
-    swc: SWC-100
-    confidence: Low
-    version: "1.0"
-    regex: 'function\s+\w+\s*\([^)]*\)\s*\{'
-    description: Function without explicit visibility specifier — defaults to public in older Solidity versions, potentially exposing internal logic
-    remediation: Always specify visibility (external, public, internal, private) explicitly for every function

package/skills/patterns/erc4626.yaml

@@ -1,29 +0,0 @@
-pack_name: erc4626
-pack_version: "1.0"
-patterns:
-  - name: inflation-attack
-    category: erc4626
-    severity: Critical
-    confidence: High
-    version: "1.0"
-    regex: 'deposit.*totalSupply.*==.*0|convertToShares.*totalSupply'
-    description: ERC-4626 vault first-depositor inflation attack — attacker can donate assets to vault before first deposit to manipulate share price and steal subsequent deposits
-    remediation: Mint dead shares on first deposit (e.g., 10**3 to address(0)); use virtual offset in share calculation; set minimum deposit amount
-
-  - name: donation-attack
-    category: erc4626
-    severity: High
-    confidence: Medium
-    version: "1.0"
-    regex: 'balanceOf.*address.*this.*totalAssets|asset\.balanceOf'
-    description: Vault totalAssets derived from balanceOf — vulnerable to donation attack where attacker sends assets directly to inflate share price
-    remediation: Use internal accounting for totalAssets instead of balanceOf; track deposits and withdrawals explicitly
-
-  - name: rounding-error
-    category: erc4626
-    severity: Medium
-    confidence: Medium
-    version: "1.0"
-    regex: 'mulDiv|roundUp|roundDown|FullMath'
-    description: Custom rounding math in vault share calculations — potential rounding errors that favor attacker (round down on deposit, round up on withdraw)
-    remediation: Round against the user (down on deposit/mint, up on withdraw/redeem); use OpenZeppelin Math.mulDiv with explicit rounding direction

package/skills/patterns/flash-loan.yaml

@@ -1,20 +0,0 @@
-pack_name: flash-loan
-pack_version: "1.0"
-patterns:
-  - name: unchecked-flash-return
-    category: flash-loan
-    severity: High
-    confidence: Medium
-    version: "1.0"
-    regex: 'flashLoan|flashBorrow'
-    description: Flash loan invocation without verified return — borrowed funds may not be repaid if return value is not checked
-    remediation: Verify flash loan callback returns expected success value; check token balance after repayment; use established flash loan receiver interfaces
-
-  - name: balance-inflation
-    category: flash-loan
-    severity: Medium
-    confidence: Medium
-    version: "1.0"
-    regex: 'balanceOf\(address\(this\)\)'
-    description: Contract reads its own token balance — vulnerable to donation/inflation attacks where attacker sends tokens directly to manipulate balance-dependent logic
-    remediation: Track balances via internal accounting instead of balanceOf(address(this)); use shares-based accounting for vaults

package/skills/patterns/oracle.yaml

@@ -1,30 +0,0 @@
-pack_name: oracle-manipulation
-pack_version: "1.0"
-patterns:
-  - name: stale-price-check
-    category: oracle-manipulation
-    severity: High
-    swc: SWC-120
-    confidence: High
-    version: "1.0"
-    regex: 'latestRoundData|getPrice'
-    description: Oracle price feed usage — verify staleness checks (updatedAt, roundId) are enforced to prevent using outdated prices
-    remediation: Add require(updatedAt > block.timestamp - MAX_STALENESS) after latestRoundData calls; check answeredInRound >= roundId
-
-  - name: twap-manipulation
-    category: oracle-manipulation
-    severity: Medium
-    confidence: Medium
-    version: "1.0"
-    regex: 'observe\(|consult\('
-    description: TWAP oracle usage — time-weighted average prices can be manipulated via sustained trading pressure within the observation window
-    remediation: Use sufficiently long TWAP windows (30+ minutes); combine with spot price deviation checks; add circuit breakers
-
-  - name: price-feed-decimals
-    category: oracle-manipulation
-    severity: Medium
-    confidence: Medium
-    version: "1.0"
-    regex: 'priceFeed|oracle.*decimals'
-    description: Oracle price feed with decimal handling — potential decimal mismatch between oracle feed (8 decimals) and token (18 decimals)
-    remediation: Normalize oracle response to consistent decimals; use oracle.decimals() dynamically rather than hardcoded values

package/skills/patterns/proxy.yaml

@@ -1,30 +0,0 @@
-pack_name: proxy
-pack_version: "1.0"
-patterns:
-  - name: storage-collision
-    category: proxy
-    severity: Critical
-    swc: SWC-112
-    confidence: Medium
-    version: "1.0"
-    regex: 'delegatecall|IMPLEMENTATION_SLOT'
-    description: Delegatecall or implementation slot usage — potential storage collision between proxy and implementation contracts if storage layouts diverge
-    remediation: Use EIP-1967 standard storage slots; use OpenZeppelin TransparentUpgradeableProxy or UUPS; verify storage layout compatibility on upgrades
-
-  - name: uninitialized-proxy
-    category: proxy
-    severity: High
-    confidence: Medium
-    version: "1.0"
-    regex: '_disableInitializers|initializer'
-    description: Proxy initialization pattern detected — verify implementation contract calls _disableInitializers() in constructor and proxy calls initialize()
-    remediation: Call _disableInitializers() in implementation constructor; ensure initialize() is called atomically during proxy deployment
-
-  - name: selector-clash
-    category: proxy
-    severity: Medium
-    confidence: Low
-    version: "1.0"
-    regex: 'fallback\(\)|receive\(\).*delegatecall'
-    description: Fallback or receive function with delegatecall — risk of function selector clash between proxy admin functions and implementation functions
-    remediation: Use TransparentUpgradeableProxy pattern to separate admin and user call paths; verify no selector collisions with implementation ABI

package/skills/patterns/reentrancy.yaml

@@ -1,30 +0,0 @@
-pack_name: reentrancy
-pack_version: "1.0"
-patterns:
-  - name: reentrancy-eth-transfer
-    category: reentrancy
-    severity: High
-    swc: SWC-107
-    confidence: High
-    version: "1.0"
-    regex: '\.call\{value:'
-    description: ETH transfer via low-level call — classic reentrancy vector where external call is made before state updates
-    remediation: Apply checks-effects-interactions pattern; use ReentrancyGuard; update state before external calls
-
-  - name: reentrancy-erc20
-    category: reentrancy
-    severity: Medium
-    confidence: Medium
-    version: "1.0"
-    regex: '\.(transfer|transferFrom)\('
-    description: ERC-20 token transfer that may precede state changes — potential reentrancy via token callback hooks (ERC-777, ERC-1155)
-    remediation: Update state variables before token transfers; use ReentrancyGuard for functions with external token interactions
-
-  - name: cross-function-reentrancy
-    category: reentrancy
-    severity: High
-    confidence: Low
-    version: "1.0"
-    regex: '(external|public)\s.*\{[^}]*\.call'
-    description: Public or external function containing a low-level call — potential cross-function reentrancy if shared state is read by other functions
-    remediation: Use ReentrancyGuard on all functions sharing mutable state; apply checks-effects-interactions across the contract

package/skills/patterns/signature.yaml

@@ -1,31 +0,0 @@
-pack_name: signature
-pack_version: "1.0"
-patterns:
-  - name: replay-attack
-    category: signature
-    severity: High
-    swc: SWC-117
-    confidence: Medium
-    version: "1.0"
-    regex: 'ecrecover|ECDSA\.recover'
-    description: Signature recovery without nonce tracking — signatures may be replayed across transactions or chains if nonce and chainId are not included in signed data
-    remediation: Include nonce, chainId, and contract address in signed message hash; increment nonce after use; use EIP-712 typed structured data
-
-  - name: sig-malleability
-    category: signature
-    severity: Medium
-    swc: SWC-117
-    confidence: Medium
-    version: "1.0"
-    regex: ecrecover
-    description: Raw ecrecover usage — ECDSA signatures are malleable (s-value can be flipped) allowing signature reuse if not checked against canonical form
-    remediation: Use OpenZeppelin ECDSA.recover which enforces s <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0; reject non-canonical signatures
-
-  - name: missing-nonce
-    category: signature
-    severity: High
-    confidence: Medium
-    version: "1.0"
-    regex: 'permit\(|signTypedData'
-    description: Permit or typed data signing without nonce validation — missing nonce allows signature replay after the original transaction is executed
-    remediation: Track per-address nonces mapping(address => uint256); include nonce in EIP-712 struct; increment nonce on each use

package/src/hooks/event-hook-v2.ts

@@ -1,99 +0,0 @@
-import type { AuditState } from "../state/types"
-import { createAuditState } from "../state/audit-state"
-import { createLogger } from "../shared/logger"
-
-export type AuditEventType =
-  | "session.created"
-  | "session.idle"
-  | "session.error"
-  | "session.deleted"
-  | "audit.phase-changed"
-  | "audit.finding-added"
-  | "audit.complete"
-
-export type EventHookV2Fn = (input: {
-  event: { type: string; sessionId?: string; properties?: Record<string, unknown> }
-}) => Promise<void>
-
-export type EventSubHandler = (event: {
-  type: string
-  sessionId?: string
-  auditState: AuditState | null
-  setAuditState: (state: AuditState | null) => void
-}) => Promise<void>
-
-export function createEventHookV2(
-  projectDir?: string,
-  subHandlers: EventSubHandler[] = [],
-): {
-  hook: EventHookV2Fn
-  getAuditState: () => AuditState | null
-  setAuditState: (state: AuditState | null) => void
-} {
-  const logger = createLogger()
-  let currentAuditState: AuditState | null = null
-
-  const getAuditState = (): AuditState | null => currentAuditState
-  const setAuditState = (state: AuditState | null): void => {
-    currentAuditState = state
-  }
-
-  const hook: EventHookV2Fn = async (input): Promise<void> => {
-    const { type, sessionId } = input.event
-
-    switch (type) {
-      case "session.created": {
-        const dir = projectDir ?? process.cwd()
-        const { state } = createAuditState(dir)
-        currentAuditState = state
-        break
-      }
-
-      case "session.idle": {
-        if (currentAuditState) {
-          logger.debug(
-            `Session idle — phase: ${currentAuditState.currentPhase}, findings: ${currentAuditState.findings.length}`,
-          )
-        }
-        break
-      }
-
-      case "session.error": {
-        if (currentAuditState) {
-          logger.error(
-            `Session error — state snapshot: ${JSON.stringify({
-              sessionId: currentAuditState.sessionId,
-              phase: currentAuditState.currentPhase,
-              findingsCount: currentAuditState.findings.length,
-              contractsReviewed: currentAuditState.contractsReviewed,
-            })}`,
-          )
-        }
-        break
-      }
-
-      case "session.deleted": {
-        currentAuditState = null
-        break
-      }
-
-      default:
-        break
-    }
-
-    for (const handler of subHandlers) {
-      try {
-        await handler({
-          type,
-          sessionId,
-          auditState: currentAuditState,
-          setAuditState,
-        })
-      } catch (error) {
-        logger.error(`Sub-handler failed for event ${type}:`, error)
-      }
-    }
-  }
-
-  return { hook, getAuditState, setAuditState }
-}

package/src/state/plugin-state.ts

@@ -1,14 +0,0 @@
-import type { ArgusConfig } from "../config/types";
-import type { Managers } from "../managers/types";
-
-/**
- * PluginState interface
- * Represents the complete state of the Argus plugin instance
- * Includes configuration, project context, and manager instances
- */
-export interface PluginState {
-  config: ArgusConfig;
-  projectDir: string;
-  managers: Managers;
-  isHookEnabled: (name: string) => boolean;
-}