web3crit-scanner 7.0.1

package/src/detectors/permit-exploits.js

@@ -0,0 +1,368 @@
+const BaseDetector = require('./base-detector');
+
+/**
+ * Permit and Approval Exploits Detector
+ * Detects vulnerabilities in token approval mechanisms:
+ * - ERC20 Permit front-running
+ * - Approval race conditions
+ * - Unlimited approval risks
+ * - Permit2 integration issues
+ * - Phantom function exploits
+ *
+ * Immunefi Critical: Direct theft of approved tokens
+ */
+class PermitExploitsDetector extends BaseDetector {
+  constructor() {
+    super(
+      'Permit/Approval Exploits',
+      'Detects vulnerabilities in token approval mechanisms',
+      'CRITICAL'
+    );
+    this.currentContract = null;
+    this.currentFunction = null;
+  }
+
+  async detect(ast, sourceCode, fileName, cfg, dataFlow) {
+    this.findings = [];
+    this.ast = ast;
+    this.sourceCode = sourceCode;
+    this.fileName = fileName;
+    this.sourceLines = sourceCode.split('\n');
+    this.cfg = cfg;
+    this.dataFlow = dataFlow;
+
+    this.traverse(ast);
+
+    return this.findings;
+  }
+
+  visitContractDefinition(node) {
+    this.currentContract = node.name;
+  }
+
+  visitFunctionDefinition(node) {
+    this.currentFunction = node.name || 'constructor';
+
+    if (!node.body) return;
+
+    const funcCode = this.getCodeSnippet(node.loc);
+    const funcName = (node.name || '').toLowerCase();
+
+    // Skip internal functions for direct exploitability
+    if (node.visibility === 'private' || node.visibility === 'internal') {
+      return;
+    }
+
+    // Detect permit usage patterns
+    this.detectPermitVulnerabilities(funcCode, node, funcName);
+
+    // Detect approval patterns
+    this.detectApprovalVulnerabilities(funcCode, node, funcName);
+
+    // Detect transferFrom patterns
+    this.detectTransferFromVulnerabilities(funcCode, node, funcName);
+
+    // Detect Permit2 patterns
+    this.detectPermit2Vulnerabilities(funcCode, node, funcName);
+  }
+
+  /**
+   * Detect ERC20 Permit vulnerabilities
+   */
+  detectPermitVulnerabilities(funcCode, node, funcName) {
+    // Check for permit calls
+    const hasPermit = /\.permit\s*\(/.test(funcCode);
+
+    if (hasPermit) {
+      // Check for permit griefing (DoS via front-running)
+      if (/try\s*.*\.permit|\.permit.*catch/.test(funcCode)) {
+        // Has try-catch, likely protected
+      } else {
+        this.addFinding({
+          title: 'Permit Front-Running DoS',
+          description: `Function '${this.currentFunction}' calls permit() without try-catch protection. An attacker can front-run the transaction by using the same permit, causing the original transaction to revert.
+
+Attack scenario:
+1. User signs permit and submits tx calling ${this.currentFunction}
+2. Attacker sees tx in mempool, extracts permit signature
+3. Attacker front-runs with own tx using the same permit
+4. User's tx reverts because permit is already used (nonce consumed)
+
+This is a DoS attack that wastes user gas and blocks functionality.`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          column: node.loc?.start?.column || 0,
+          code: funcCode.substring(0, 300),
+          severity: 'HIGH',
+          confidence: 'HIGH',
+          exploitable: true,
+          exploitabilityScore: 75,
+          attackVector: 'permit-dos',
+          recommendation: `Wrap permit calls in try-catch:
+try token.permit(owner, spender, value, deadline, v, r, s) {} catch {}
+
+The function should continue even if permit fails (allowance may already exist).
+Alternative: Check allowance before calling permit.`,
+          references: [
+            'https://www.trust-security.xyz/post/permission-denied',
+            'https://eips.ethereum.org/EIPS/eip-2612'
+          ]
+        });
+      }
+
+      // Check for permit replay (missing nonce/deadline validation)
+      if (/permit.*deadline/i.test(funcCode)) {
+        if (!/deadline\s*>=\s*block\.timestamp|block\.timestamp\s*<=\s*deadline|require.*deadline/i.test(funcCode)) {
+          this.addFinding({
+            title: 'Permit Deadline Not Validated',
+            description: `Function '${this.currentFunction}' uses permit but may not properly validate the deadline. Expired permits should be rejected.`,
+            location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+            line: node.loc?.start?.line || 0,
+            code: funcCode.substring(0, 200),
+            severity: 'MEDIUM',
+            confidence: 'MEDIUM',
+            exploitable: true,
+            exploitabilityScore: 60,
+            attackVector: 'expired-permit',
+            recommendation: 'Ensure permit implementation validates: require(deadline >= block.timestamp, "Permit expired")'
+          });
+        }
+      }
+    }
+
+    // Check for permit implementation vulnerabilities
+    if (/function\s+permit\s*\(/i.test(funcCode)) {
+      // DOMAIN_SEPARATOR issues
+      if (/DOMAIN_SEPARATOR|_domainSeparator/i.test(funcCode)) {
+        if (!/block\.chainid|chainId/i.test(funcCode)) {
+          this.addFinding({
+            title: 'Permit Missing Chain ID Validation',
+            description: `Permit implementation in '${this.currentFunction}' may not validate chain ID. Permits signed on one chain could be replayed on forks or other chains.`,
+            location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+            line: node.loc?.start?.line || 0,
+            code: funcCode.substring(0, 200),
+            severity: 'HIGH',
+            confidence: 'MEDIUM',
+            exploitable: true,
+            exploitabilityScore: 75,
+            attackVector: 'cross-chain-permit-replay',
+            recommendation: 'Include chainId in DOMAIN_SEPARATOR and recompute on chain ID change: if (block.chainid != INITIAL_CHAIN_ID) return _computeDomainSeparator();'
+          });
+        }
+      }
+
+      // Nonce handling
+      if (!/nonces\s*\[|_useNonce|nonce\s*\+\+/i.test(funcCode)) {
+        this.addFinding({
+          title: 'Permit Missing Nonce Protection',
+          description: `Permit implementation in '${this.currentFunction}' may not properly handle nonces. Without nonce tracking, permits can be replayed.`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          code: funcCode.substring(0, 200),
+          severity: 'CRITICAL',
+          confidence: 'MEDIUM',
+          exploitable: true,
+          exploitabilityScore: 90,
+          attackVector: 'permit-replay',
+          recommendation: 'Implement nonce tracking: require(nonce == nonces[owner]++, "Invalid nonce")'
+        });
+      }
+    }
+  }
+
+  /**
+   * Detect approval vulnerabilities
+   */
+  detectApprovalVulnerabilities(funcCode, node, funcName) {
+    // Approval race condition (ERC20 approve)
+    if (/function\s+approve\s*\(/.test(funcCode)) {
+      // Check for standard approve without increaseAllowance pattern
+      if (!/require.*allowance.*==\s*0|safeApprove|increaseAllowance/i.test(funcCode)) {
+        this.addFinding({
+          title: 'ERC20 Approval Race Condition',
+          description: `Standard approve() in '${this.currentFunction}' is vulnerable to race condition:
+
+1. User has approved spender for 100 tokens
+2. User wants to change approval to 50 tokens
+3. User sends approve(spender, 50) transaction
+4. Spender sees pending tx, front-runs to transferFrom(100)
+5. User's approve(50) executes
+6. Spender now has additional 50 allowance (150 total extracted)
+
+This is a known ERC20 issue affecting token safety.`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          code: funcCode.substring(0, 200),
+          severity: 'MEDIUM',
+          confidence: 'HIGH',
+          exploitable: true,
+          exploitabilityScore: 60,
+          attackVector: 'approval-race',
+          recommendation: `Implement increaseAllowance/decreaseAllowance pattern:
+function increaseAllowance(address spender, uint256 addedValue) public returns (bool) {
+    _approve(msg.sender, spender, allowance[msg.sender][spender] + addedValue);
+    return true;
+}
+
+Or require current allowance is 0: require(allowance == 0 || newAllowance == 0);`
+        });
+      }
+    }
+
+    // Unlimited approval griefing
+    if (/approve.*type\s*\(\s*uint256\s*\)\.max|approve.*MAX_UINT|0xffffffff/i.test(funcCode)) {
+      this.addFinding({
+        title: 'Unlimited Token Approval',
+        description: `Function '${this.currentFunction}' sets unlimited approval (type(uint256).max). If the approved contract is compromised, all user tokens can be stolen.`,
+        location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+        line: node.loc?.start?.line || 0,
+        code: funcCode.substring(0, 200),
+        severity: 'MEDIUM',
+        confidence: 'HIGH',
+        exploitable: true,
+        exploitabilityScore: 55,
+        attackVector: 'unlimited-approval',
+        recommendation: 'Consider using exact amounts for approvals or implementing a approval management pattern. Document risks to users.'
+      });
+    }
+  }
+
+  /**
+   * Detect transferFrom vulnerabilities
+   */
+  detectTransferFromVulnerabilities(funcCode, node, funcName) {
+    // Phantom function vulnerability (non-standard token handling)
+    if (/\.transferFrom\s*\(/.test(funcCode)) {
+      // Check if return value is checked
+      if (!/require.*transferFrom|bool.*=.*transferFrom|safeTransferFrom/i.test(funcCode)) {
+        this.addFinding({
+          title: 'Unchecked transferFrom Return Value',
+          description: `Function '${this.currentFunction}' calls transferFrom without checking return value. Some tokens (USDT, BNB) don't revert on failure but return false.
+
+Attack scenario:
+1. User calls function with failing token transfer
+2. transferFrom returns false but execution continues
+3. Contract state updated as if transfer succeeded
+4. Attacker extracts value without actually paying`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          code: funcCode.substring(0, 200),
+          severity: 'HIGH',
+          confidence: 'HIGH',
+          exploitable: true,
+          exploitabilityScore: 80,
+          attackVector: 'unchecked-transfer',
+          recommendation: `Use SafeERC20.safeTransferFrom() from OpenZeppelin:
+using SafeERC20 for IERC20;
+token.safeTransferFrom(from, to, amount);
+
+Or explicitly check: require(token.transferFrom(from, to, amount), "Transfer failed");`
+        });
+      }
+    }
+
+    // Fee-on-transfer token vulnerability
+    if (/transferFrom.*amount|amount.*transferFrom/i.test(funcCode)) {
+      // Check if actual received amount is validated
+      if (!/balanceOf.*after|balance.*before.*after|actualAmount|received/i.test(funcCode)) {
+        this.addFinding({
+          title: 'Fee-on-Transfer Token Not Handled',
+          description: `Function '${this.currentFunction}' assumes transferFrom amount equals received amount. Fee-on-transfer tokens (like USDT with fees enabled) deduct fees, causing accounting errors.
+
+This can lead to:
+- Protocol insolvency (crediting more than received)
+- Failed withdrawals (less tokens than expected)
+- Share price manipulation`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          code: funcCode.substring(0, 200),
+          severity: 'HIGH',
+          confidence: 'MEDIUM',
+          exploitable: true,
+          exploitabilityScore: 70,
+          attackVector: 'fee-on-transfer',
+          recommendation: `Measure actual received amount:
+uint256 balanceBefore = token.balanceOf(address(this));
+token.safeTransferFrom(from, address(this), amount);
+uint256 actualReceived = token.balanceOf(address(this)) - balanceBefore;
+// Use actualReceived for accounting`
+        });
+      }
+    }
+  }
+
+  /**
+   * Detect Permit2 specific vulnerabilities
+   */
+  detectPermit2Vulnerabilities(funcCode, node, funcName) {
+    const usesPermit2 = /permit2|IPermit2|ISignatureTransfer|IAllowanceTransfer/i.test(funcCode);
+
+    if (!usesPermit2) return;
+
+    // Permit2 witness data validation
+    if (/permitWitness|signatureTransfer/i.test(funcCode)) {
+      if (!/verify.*witness|witness.*hash|keccak.*witness/i.test(funcCode)) {
+        this.addFinding({
+          title: 'Permit2 Witness Data Not Validated',
+          description: `Function '${this.currentFunction}' uses Permit2 witness but may not properly validate witness data. Attacker could substitute malicious parameters.`,
+          location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+          line: node.loc?.start?.line || 0,
+          code: funcCode.substring(0, 200),
+          severity: 'HIGH',
+          confidence: 'MEDIUM',
+          exploitable: true,
+          exploitabilityScore: 75,
+          attackVector: 'permit2-witness-bypass',
+          recommendation: 'Ensure witness data is properly hashed and verified in the signature. Include all critical parameters in witness.'
+        });
+      }
+    }
+
+    // Permit2 allowance vs signature transfer confusion
+    if (/allowanceTransfer|transferFrom.*permit2/i.test(funcCode)) {
+      this.addFinding({
+        title: 'Permit2 Integration Detected',
+        description: `Function '${this.currentFunction}' uses Permit2 allowance transfers. Ensure proper integration:
+- Validate permit2 address is correct
+- Handle both single and batch transfers
+- Verify nonce handling for replay protection`,
+        location: `Contract: ${this.currentContract}, Function: ${this.currentFunction}`,
+        line: node.loc?.start?.line || 0,
+        code: funcCode.substring(0, 150),
+        severity: 'MEDIUM',
+        confidence: 'LOW',
+        exploitable: false,
+        exploitabilityScore: 45,
+        attackVector: 'permit2-integration',
+        recommendation: 'Audit Permit2 integration carefully. Use official Permit2 library and validate all parameters.'
+      });
+    }
+  }
+
+  /**
+   * Visit member access for specific patterns
+   */
+  visitMemberAccess(node) {
+    const memberName = node.memberName;
+
+    // Detect safeApprove with non-zero value
+    if (memberName === 'safeApprove') {
+      // safeApprove is deprecated and reverts if current allowance != 0
+      // This can cause DoS if allowance wasn't fully used
+      this.addFinding({
+        title: 'Deprecated safeApprove Usage',
+        description: `Contract uses deprecated safeApprove which reverts if current allowance is non-zero. This can cause DoS if previous allowance wasn't fully consumed.`,
+        location: `Contract: ${this.currentContract}`,
+        line: node.loc?.start?.line || 0,
+        severity: 'MEDIUM',
+        confidence: 'HIGH',
+        exploitable: true,
+        exploitabilityScore: 55,
+        attackVector: 'safeapprove-dos',
+        recommendation: 'Use forceApprove() or approve(0) before approve(amount): token.approve(spender, 0); token.approve(spender, amount);'
+      });
+    }
+  }
+}
+
+module.exports = PermitExploitsDetector;