web3crit-scanner 7.0.1

package/src/analyzers/exploit-chain.js

@@ -0,0 +1,751 @@
+/**
+ * Exploit Chain Modeler
+ * Models concrete attack paths assuming adversarial capabilities:
+ * - Flash loans (unlimited capital for single tx)
+ * - MEV (transaction ordering, sandwich attacks)
+ * - Malicious contracts (reentrancy, callbacks)
+ * - Oracle manipulation (spot price, TWAP gaming)
+ *
+ * Only produces findings with concrete profit extraction paths
+ */
+
+class ExploitChainModeler {
+  constructor(cfg, dataFlow) {
+    this.cfg = cfg;
+    this.dataFlow = dataFlow;
+
+    // Attacker capability model
+    this.attackerCapabilities = {
+      flashLoan: {
+        providers: ['Aave', 'dYdX', 'Balancer', 'Uniswap'],
+        maxCapital: 'unlimited_single_tx',
+        cost: 'gas + 0.09% fee (Aave)'
+      },
+      mev: {
+        capabilities: ['frontrun', 'backrun', 'sandwich', 'tx_reorder'],
+        tools: ['Flashbots', 'MEV-Boost', 'private_mempool'],
+        cost: 'bribes_to_builders'
+      },
+      maliciousContract: {
+        capabilities: ['reentrancy_callback', 'fallback_execution', 'custom_logic'],
+        cost: 'deployment_gas'
+      },
+      oracleManipulation: {
+        methods: ['large_swap', 'donation', 'sandwich_oracle_read'],
+        targets: ['spot_price', 'reserve_ratio', 'balance']
+      }
+    };
+  }
+
+  /**
+   * Model exploit chains for a set of findings
+   * Returns only findings with viable exploit paths
+   */
+  modelExploitChains(findings) {
+    const viableExploits = [];
+
+    for (const finding of findings) {
+      const chain = this.buildExploitChain(finding);
+
+      if (chain && chain.isViable) {
+        viableExploits.push({
+          ...finding,
+          exploitChain: chain,
+          attackerRequirements: chain.requirements,
+          profitPath: chain.profitPath,
+          estimatedComplexity: chain.complexity
+        });
+      }
+    }
+
+    return viableExploits;
+  }
+
+  /**
+   * Build a concrete exploit chain for a finding
+   */
+  buildExploitChain(finding) {
+    const attackVector = (finding.attackVector || '').toLowerCase();
+    const funcInfo = this.getFunctionInfo(finding);
+
+    let chain = null;
+
+    // Route to specific chain builder based on attack vector
+    if (attackVector.includes('reentrancy')) {
+      chain = this.modelReentrancyChain(finding, funcInfo);
+    } else if (attackVector.includes('flash-loan') || attackVector.includes('oracle')) {
+      chain = this.modelFlashLoanOracleChain(finding, funcInfo);
+    } else if (attackVector.includes('access-control')) {
+      chain = this.modelAccessControlChain(finding, funcInfo);
+    } else if (attackVector.includes('delegatecall')) {
+      chain = this.modelDelegatecallChain(finding, funcInfo);
+    } else if (attackVector.includes('signature') || attackVector.includes('replay')) {
+      chain = this.modelSignatureReplayChain(finding, funcInfo);
+    } else if (attackVector.includes('selfdestruct')) {
+      chain = this.modelSelfdestructChain(finding, funcInfo);
+    } else if (attackVector.includes('initializer') || attackVector.includes('proxy')) {
+      chain = this.modelProxyChain(finding, funcInfo);
+    } else {
+      chain = this.modelGenericChain(finding, funcInfo);
+    }
+
+    return chain;
+  }
+
+  /**
+   * Model reentrancy exploit chain
+   */
+  modelReentrancyChain(finding, funcInfo) {
+    const hasValueTransfer = this.detectsValueTransfer(finding);
+    const hasStateAfterCall = this.detectsStateAfterCall(finding);
+
+    if (!hasValueTransfer && !hasStateAfterCall) {
+      return { isViable: false, reason: 'No exploitable value flow' };
+    }
+
+    return {
+      isViable: true,
+      type: 'reentrancy',
+      requirements: {
+        deployContract: true,
+        flashLoan: false, // Optional but can amplify
+        mev: false,
+        estimatedGas: '500k-2M',
+        capitalRequired: 'Minimal (initial deposit)'
+      },
+      profitPath: {
+        mechanism: 'Repeated withdrawal before balance update',
+        valueSource: funcInfo?.contract || 'Target contract balance',
+        extraction: 'Direct ETH/token transfer to attacker contract'
+      },
+      steps: [
+        {
+          action: 'Deploy attacker contract',
+          code: `contract Attacker { receive() external payable { target.withdraw(); } }`,
+          gasEstimate: '200k'
+        },
+        {
+          action: 'Make initial deposit to target',
+          code: `target.deposit{value: 1 ether}()`,
+          note: 'Establishes withdrawal rights'
+        },
+        {
+          action: 'Call withdraw to trigger reentrancy',
+          code: `target.withdraw()`,
+          note: 'Triggers external call to attacker'
+        },
+        {
+          action: 'Reenter from fallback until drained',
+          code: `// In receive(): if(target.balance > 0) target.withdraw()`,
+          note: 'Repeatedly extracts funds'
+        }
+      ],
+      complexity: 'LOW',
+      foundryPoc: this.generateReentrancyPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Model flash loan + oracle manipulation chain
+   */
+  modelFlashLoanOracleChain(finding, funcInfo) {
+    return {
+      isViable: true,
+      type: 'flash_loan_oracle',
+      requirements: {
+        deployContract: true,
+        flashLoan: true,
+        mev: true, // Recommended to prevent frontrunning
+        estimatedGas: '1M-5M',
+        capitalRequired: 'None (flash loan)'
+      },
+      profitPath: {
+        mechanism: 'Price manipulation → favorable trade → reversal',
+        valueSource: 'Protocol reserves / other users deposits',
+        extraction: 'Trade at manipulated price, repay loan, keep difference'
+      },
+      steps: [
+        {
+          action: 'Request flash loan',
+          code: `aave.flashLoan(address(this), tokens, amounts, "")`,
+          gasEstimate: '100k'
+        },
+        {
+          action: 'Manipulate oracle price',
+          code: `router.swap(largeAmount, path, address(this))`,
+          note: 'Large swap moves spot price'
+        },
+        {
+          action: 'Execute target function at manipulated price',
+          code: `target.${funcInfo?.name || 'vulnerableFunction'}(...)`,
+          note: 'Borrow/mint/liquidate at favorable rate'
+        },
+        {
+          action: 'Reverse manipulation',
+          code: `router.swap(received, reversePath, address(this))`,
+          note: 'Swap back to original token'
+        },
+        {
+          action: 'Repay flash loan + fee, keep profit',
+          code: `token.transfer(aave, loanAmount + fee)`,
+          gasEstimate: '100k'
+        }
+      ],
+      complexity: 'MEDIUM',
+      foundryPoc: this.generateFlashLoanPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Model access control bypass chain
+   */
+  modelAccessControlChain(finding, funcInfo) {
+    const isAdminFunc = this.isAdminFunction(finding);
+    const hasFundAccess = this.detectsFundAccess(finding);
+
+    return {
+      isViable: true,
+      type: 'access_control_bypass',
+      requirements: {
+        deployContract: false,
+        flashLoan: false,
+        mev: false,
+        estimatedGas: '50k-200k',
+        capitalRequired: 'Gas only'
+      },
+      profitPath: {
+        mechanism: isAdminFunc ? 'Direct admin function call' : 'Unauthorized privileged operation',
+        valueSource: hasFundAccess ? 'Contract funds' : 'Elevated privileges',
+        extraction: hasFundAccess ? 'Direct transfer to attacker' : 'Persistent admin access'
+      },
+      steps: [
+        {
+          action: 'Identify unprotected function',
+          code: `// ${funcInfo?.name || 'targetFunction'} has no access control`,
+          note: 'Function is external/public without modifier'
+        },
+        {
+          action: 'Call function directly',
+          code: `target.${funcInfo?.name || 'adminFunction'}(attackerAddress)`,
+          gasEstimate: '50k'
+        },
+        {
+          action: hasFundAccess ? 'Extract funds' : 'Establish persistent access',
+          code: hasFundAccess ?
+            `target.withdraw(target.balance)` :
+            `// Now attacker is owner/admin`,
+          note: 'Immediate value extraction or future attack setup'
+        }
+      ],
+      complexity: 'LOW',
+      foundryPoc: this.generateAccessControlPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Model delegatecall injection chain
+   */
+  modelDelegatecallChain(finding, funcInfo) {
+    return {
+      isViable: true,
+      type: 'delegatecall_injection',
+      requirements: {
+        deployContract: true,
+        flashLoan: false,
+        mev: false,
+        estimatedGas: '200k-500k',
+        capitalRequired: 'Deployment gas only'
+      },
+      profitPath: {
+        mechanism: 'Arbitrary code execution in target context',
+        valueSource: 'Target contract storage/funds',
+        extraction: 'Modify storage to transfer ownership or drain funds'
+      },
+      steps: [
+        {
+          action: 'Deploy malicious implementation',
+          code: `contract Malicious { function attack() { owner = attacker; } }`,
+          gasEstimate: '200k'
+        },
+        {
+          action: 'Call vulnerable delegatecall with malicious address',
+          code: `target.execute(maliciousAddress, "attack()")`,
+          note: 'Delegatecall runs in target context'
+        },
+        {
+          action: 'Malicious code modifies target storage',
+          code: `// Overwrites owner slot with attacker address`,
+          note: 'Storage collision gives admin access'
+        },
+        {
+          action: 'Use gained privileges to extract funds',
+          code: `target.withdrawAll()`,
+          gasEstimate: '50k'
+        }
+      ],
+      complexity: 'MEDIUM',
+      foundryPoc: this.generateDelegatecallPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Model signature replay chain
+   */
+  modelSignatureReplayChain(finding, funcInfo) {
+    return {
+      isViable: true,
+      type: 'signature_replay',
+      requirements: {
+        deployContract: false,
+        flashLoan: false,
+        mev: false,
+        estimatedGas: '50k-150k',
+        capitalRequired: 'Gas only',
+        prerequisite: 'Obtain valid signature (on-chain or off-chain)'
+      },
+      profitPath: {
+        mechanism: 'Replay valid signature for unauthorized action',
+        valueSource: 'Signer\'s approved funds/permissions',
+        extraction: 'Execute signed action multiple times'
+      },
+      steps: [
+        {
+          action: 'Obtain valid signature from previous tx or off-chain',
+          code: `// Monitor mempool or obtain from dApp interaction`,
+          note: 'Signature is valid but reusable'
+        },
+        {
+          action: 'Replay signature on vulnerable contract',
+          code: `target.executeWithSig(data, v, r, s)`,
+          gasEstimate: '100k'
+        },
+        {
+          action: 'Repeat replay until value extracted or blocked',
+          code: `// No nonce prevents multiple uses`,
+          note: 'Can replay across chains if chainId not checked'
+        }
+      ],
+      complexity: 'LOW',
+      foundryPoc: this.generateSignatureReplayPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Model proxy/initializer chain
+   */
+  modelProxyChain(finding, funcInfo) {
+    const isInitializer = finding.title?.toLowerCase().includes('initializ');
+
+    return {
+      isViable: true,
+      type: isInitializer ? 'unprotected_initializer' : 'proxy_vulnerability',
+      requirements: {
+        deployContract: false,
+        flashLoan: false,
+        mev: true, // Frontrun recommended
+        estimatedGas: '100k-300k',
+        capitalRequired: 'Gas only'
+      },
+      profitPath: {
+        mechanism: isInitializer ?
+          'Call unprotected initializer to become owner' :
+          'Exploit proxy upgrade mechanism',
+        valueSource: 'Full contract control → all funds',
+        extraction: 'Admin functions to drain or upgrade to malicious'
+      },
+      steps: isInitializer ? [
+        {
+          action: 'Identify uninitialized proxy',
+          code: `// Check if initialize() callable`,
+          note: 'Proxy deployed but not initialized'
+        },
+        {
+          action: 'Frontrun initialize with attacker params',
+          code: `target.initialize(attackerAddress, ...)`,
+          gasEstimate: '150k'
+        },
+        {
+          action: 'Use admin privileges to drain',
+          code: `target.withdrawAll() // or upgrade to malicious`,
+          note: 'Full control achieved'
+        }
+      ] : [
+        {
+          action: 'Identify upgrade function without auth',
+          code: `// upgradeTo() or similar is unprotected`,
+          note: 'UUPS missing _authorizeUpgrade'
+        },
+        {
+          action: 'Deploy malicious implementation',
+          code: `contract Malicious { function drain() { ... } }`,
+          gasEstimate: '200k'
+        },
+        {
+          action: 'Upgrade proxy to malicious implementation',
+          code: `target.upgradeTo(maliciousImpl)`,
+          gasEstimate: '100k'
+        },
+        {
+          action: 'Call drain function',
+          code: `target.drain()`,
+          note: 'Funds extracted'
+        }
+      ],
+      complexity: 'LOW',
+      foundryPoc: this.generateProxyPoC(finding, funcInfo, isInitializer)
+    };
+  }
+
+  /**
+   * Model selfdestruct chain
+   */
+  modelSelfdestructChain(finding, funcInfo) {
+    return {
+      isViable: true,
+      type: 'selfdestruct',
+      requirements: {
+        deployContract: false,
+        flashLoan: false,
+        mev: false,
+        estimatedGas: '50k-100k',
+        capitalRequired: 'Gas only'
+      },
+      profitPath: {
+        mechanism: 'Destroy contract and force-send ETH or steal balance',
+        valueSource: 'Contract ETH balance',
+        extraction: 'selfdestruct sends balance to attacker'
+      },
+      steps: [
+        {
+          action: 'Call unprotected selfdestruct',
+          code: `target.destroy(attackerAddress)`,
+          gasEstimate: '30k'
+        },
+        {
+          action: 'Contract destroyed, ETH sent to attacker',
+          code: `// selfdestruct(attackerAddress) executes`,
+          note: 'Permanent destruction, funds extracted'
+        }
+      ],
+      complexity: 'LOW',
+      foundryPoc: this.generateSelfdestructPoC(finding, funcInfo)
+    };
+  }
+
+  /**
+   * Generic chain for unclassified vulnerabilities
+   */
+  modelGenericChain(finding, funcInfo) {
+    // Only return viable if high confidence exploitable
+    if (finding.confidence !== 'HIGH' || finding.exploitable === false) {
+      return { isViable: false, reason: 'Insufficient confidence for generic exploit' };
+    }
+
+    return {
+      isViable: true,
+      type: 'generic',
+      requirements: {
+        deployContract: false,
+        flashLoan: false,
+        mev: false,
+        estimatedGas: '100k-500k',
+        capitalRequired: 'Varies'
+      },
+      profitPath: {
+        mechanism: finding.title,
+        valueSource: 'Contract funds or state',
+        extraction: 'Depends on vulnerability'
+      },
+      steps: [
+        {
+          action: 'Exploit vulnerability',
+          code: `target.${funcInfo?.name || 'vulnerableFunction'}(...)`,
+          note: finding.description?.substring(0, 100)
+        }
+      ],
+      complexity: 'VARIES',
+      foundryPoc: null
+    };
+  }
+
+  // Helper methods
+
+  getFunctionInfo(finding) {
+    // Handle location being either a string or object
+    let location = finding.location || '';
+    if (typeof location !== 'string') {
+      location = String(location) || '';
+    }
+
+    const contractMatch = location.match(/Contract:\s*(\w+)/);
+    const funcMatch = location.match(/Function:\s*(\w+)/);
+
+    return {
+      contract: contractMatch ? contractMatch[1] : null,
+      name: funcMatch ? funcMatch[1] : null,
+      line: finding.line
+    };
+  }
+
+  detectsValueTransfer(finding) {
+    const desc = (finding.description || '').toLowerCase();
+    return /transfer|send|call.*value|withdraw|drain|steal/.test(desc);
+  }
+
+  detectsStateAfterCall(finding) {
+    const desc = (finding.description || '').toLowerCase();
+    return /state.*after|before.*state|external.*call.*state/.test(desc);
+  }
+
+  isAdminFunction(finding) {
+    const desc = (finding.description || finding.title || '').toLowerCase();
+    return /owner|admin|governance|upgrade|pause|emergency|set.*address/.test(desc);
+  }
+
+  detectsFundAccess(finding) {
+    const desc = (finding.description || '').toLowerCase();
+    return /fund|balance|withdraw|transfer|drain|treasury/.test(desc);
+  }
+
+  // PoC Generators
+
+  generateReentrancyPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+interface ITarget {
+    function deposit() external payable;
+    function withdraw() external;
+}
+
+contract ReentrancyExploit is Test {
+    ITarget target;
+    uint256 attackCount;
+
+    function setUp() public {
+        // NOTE: Set TARGET to a real deployed address in your test harness.
+        target = ITarget(address(0));
+        vm.deal(address(this), 1 ether);
+    }
+
+    function testExploit() public {
+        uint256 initialBalance = address(this).balance;
+
+        // Initial deposit
+        target.deposit{value: 1 ether}();
+
+        // Trigger reentrancy
+        target.withdraw();
+
+        assertGt(address(this).balance, initialBalance, "Exploit failed");
+    }
+
+    receive() external payable {
+        if (address(target).balance >= 1 ether && attackCount < 10) {
+            attackCount++;
+            target.withdraw();
+        }
+    }
+}`;
+  }
+
+  generateFlashLoanPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+interface IFlashLoanProvider {
+    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data) external;
+}
+
+contract FlashLoanExploit is Test {
+    // NOTE: Set these to real deployed addresses in your test harness.
+    address constant FLASH_LOAN_PROVIDER = address(0);
+    address constant TARGET = address(0);
+
+    function testExploit() public {
+        uint256 initialBalance = address(this).balance;
+
+        // Request flash loan
+        // IFlashLoanProvider(FLASH_LOAN_PROVIDER).flashLoan(address(this), token, 1_000_000e18, "");
+
+        assertGt(address(this).balance, initialBalance, "No profit");
+    }
+
+    function executeOperation(
+        address asset,
+        uint256 amount,
+        uint256 premium,
+        address initiator,
+        bytes calldata params
+    ) external returns (bool) {
+        // 1. Manipulate price (large swap)
+        // router.swap(amount, path, address(this));
+
+        // 2. Call vulnerable function
+        // ITarget(TARGET).${funcInfo?.name || 'vulnerableFunction'}(...);
+
+        // 3. Reverse manipulation
+        // router.swap(received, reversePath, address(this));
+
+        // 4. Repay
+        // IERC20(asset).transfer(FLASH_LOAN_PROVIDER, amount + premium);
+
+        return true;
+    }
+}`;
+  }
+
+  generateAccessControlPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract AccessControlExploit is Test {
+    // NOTE: Set TARGET to a real deployed address in your test harness.
+    address constant TARGET = address(0);
+
+    function testExploit() public {
+        // Attacker is not owner/admin
+        address attacker = address(0xBAD);
+        vm.startPrank(attacker);
+
+        // Call unprotected admin function
+        // ITarget(TARGET).${funcInfo?.name || 'setOwner'}(attacker);
+
+        // Verify takeover
+        // assertEq(ITarget(TARGET).owner(), attacker);
+
+        // Extract value
+        // ITarget(TARGET).withdraw(ITarget(TARGET).balance);
+
+        vm.stopPrank();
+    }
+}`;
+  }
+
+  generateDelegatecallPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract MaliciousImpl {
+    // Storage layout must match target
+    address public owner;
+
+    function attack(address newOwner) external {
+        owner = newOwner;
+    }
+}
+
+contract DelegatecallExploit is Test {
+    function testExploit() public {
+        MaliciousImpl malicious = new MaliciousImpl();
+
+        // Call vulnerable delegatecall
+        // target.execute(address(malicious), abi.encodeWithSelector(MaliciousImpl.attack.selector, address(this)));
+
+        // Verify takeover
+        // assertEq(target.owner(), address(this));
+    }
+}`;
+  }
+
+  generateSignatureReplayPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract SignatureReplayExploit is Test {
+    function testExploit() public {
+        // Obtain signature from previous valid transaction
+        bytes32 r = 0x...;
+        bytes32 s = 0x...;
+        uint8 v = 27;
+
+        // First use (legitimate)
+        // target.executeWithSig(data, v, r, s);
+
+        // Replay (exploit - should fail but doesn't)
+        // target.executeWithSig(data, v, r, s);
+
+        // Assert double execution succeeded
+    }
+}`;
+  }
+
+  generateProxyPoC(finding, funcInfo, isInitializer) {
+    if (isInitializer) {
+      return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract InitializerExploit is Test {
+    function testExploit() public {
+        address attacker = address(0xBAD);
+
+        // Call unprotected initializer
+        // proxy.initialize(attacker, ...);
+
+        // Verify takeover
+        // assertEq(proxy.owner(), attacker);
+
+        // Drain as new owner
+        // proxy.withdraw(proxy.balance);
+    }
+}`;
+    }
+
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract MaliciousUpgrade {
+    function drain(address payable to) external {
+        selfdestruct(to);
+    }
+}
+
+contract ProxyExploit is Test {
+    function testExploit() public {
+        MaliciousUpgrade malicious = new MaliciousUpgrade();
+
+        // Upgrade to malicious (UUPS without auth)
+        // proxy.upgradeTo(address(malicious));
+
+        // Drain
+        // MaliciousUpgrade(address(proxy)).drain(payable(address(this)));
+    }
+}`;
+  }
+
+  generateSelfdestructPoC(finding, funcInfo) {
+    return `// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+contract SelfdestructExploit is Test {
+    function testExploit() public {
+        address attacker = address(0xBAD);
+        uint256 targetBalance = address(TARGET).balance;
+
+        // Call unprotected selfdestruct
+        // target.destroy(attacker);
+
+        // Verify funds received
+        // assertEq(attacker.balance, targetBalance);
+    }
+}`;
+  }
+}
+
+module.exports = ExploitChainModeler;