From 18ebb9033897703c27c1c8a86310029c1858150f Mon Sep 17 00:00:00 2001 From: DHARMIK GANGANI Date: Thu, 2 Nov 2023 11:27:18 +0530 Subject: [PATCH] Add files via upload --- src/issues/H/delegateCallInLoop.ts | 11 +++++++++++ src/issues/L/0.8.20.ts | 11 +++++++++++ src/issues/L/2StepOwner.ts | 11 +++++++++++ src/issues/L/BoundingForLoop.ts | 11 +++++++++++ src/issues/L/BugOppenzeplinVersion.ts | 11 +++++++++++ src/issues/L/DoubleTypeCast.ts | 11 +++++++++++ src/issues/L/EmptyReciverFallback.ts | 11 +++++++++++ src/issues/L/SafeApproveTypeMax.ts | 11 +++++++++++ src/issues/L/avoidEncodePacked.ts | 13 +++++++++++++ src/issues/L/deprecatedFunctions.ts | 10 ++++++++++ src/issues/L/don'tUseBlockTimeStamp.ts | 11 +++++++++++ src/issues/L/draftContracts.ts | 11 +++++++++++ src/issues/L/emptyBody.ts | 10 ++++++++++ src/issues/L/ercrecover.ts | 11 +++++++++++ src/issues/L/frontRunnableInitializer.ts | 11 +++++++++++ src/issues/L/payableTransferSend.ts | 12 ++++++++++++ src/issues/L/pricisionLossDivision.ts | 12 ++++++++++++ src/issues/L/pushArray.ts | 12 ++++++++++++ src/issues/L/transferFromandtransfer.ts | 11 +++++++++++ src/issues/L/unsafeERC20Operations.ts | 10 ++++++++++ src/issues/L/unsafeExternalCall.ts | 11 +++++++++++ src/issues/L/unspecifiedPragma.ts | 10 ++++++++++ src/issues/L/useOfEcrecover.ts | 12 ++++++++++++ src/issues/M/centralizationRisk.ts | 11 +++++++++++ src/issues/M/safeTransfer.ts | 10 ++++++++++ src/issues/M/soladySafeTransferLib.ts | 16 ++++++++++++++++ src/issues/M/solmateSafeTransferLib.ts | 16 ++++++++++++++++ src/issues/index.ts | 15 +++++++++++++++ 28 files changed, 323 insertions(+) create mode 100644 src/issues/H/delegateCallInLoop.ts create mode 100644 src/issues/L/0.8.20.ts create mode 100644 src/issues/L/2StepOwner.ts create mode 100644 src/issues/L/BoundingForLoop.ts create mode 100644 src/issues/L/BugOppenzeplinVersion.ts create mode 100644 src/issues/L/DoubleTypeCast.ts create mode 100644 src/issues/L/EmptyReciverFallback.ts create mode 100644 src/issues/L/SafeApproveTypeMax.ts create mode 100644 src/issues/L/avoidEncodePacked.ts create mode 100644 src/issues/L/deprecatedFunctions.ts create mode 100644 src/issues/L/don'tUseBlockTimeStamp.ts create mode 100644 src/issues/L/draftContracts.ts create mode 100644 src/issues/L/emptyBody.ts create mode 100644 src/issues/L/ercrecover.ts create mode 100644 src/issues/L/frontRunnableInitializer.ts create mode 100644 src/issues/L/payableTransferSend.ts create mode 100644 src/issues/L/pricisionLossDivision.ts create mode 100644 src/issues/L/pushArray.ts create mode 100644 src/issues/L/transferFromandtransfer.ts create mode 100644 src/issues/L/unsafeERC20Operations.ts create mode 100644 src/issues/L/unsafeExternalCall.ts create mode 100644 src/issues/L/unspecifiedPragma.ts create mode 100644 src/issues/L/useOfEcrecover.ts create mode 100644 src/issues/M/centralizationRisk.ts create mode 100644 src/issues/M/safeTransfer.ts create mode 100644 src/issues/M/soladySafeTransferLib.ts create mode 100644 src/issues/M/solmateSafeTransferLib.ts create mode 100644 src/issues/index.ts diff --git a/src/issues/H/delegateCallInLoop.ts b/src/issues/H/delegateCallInLoop.ts new file mode 100644 index 0000000..399d9c9 --- /dev/null +++ b/src/issues/H/delegateCallInLoop.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.H, + title: 'Using `delegatecall` inside a loop', + impact: 'When calling `delegatecall` the same `msg.value` amount will be accredited multiple times.', + regex: /for[^\(]?\([^\)]*\)?.\{((.*[^\}])\n)*.*delegatecall/g, +}; + +export default issue; diff --git a/src/issues/L/0.8.20.ts b/src/issues/L/0.8.20.ts new file mode 100644 index 0000000..beb0cef --- /dev/null +++ b/src/issues/L/0.8.20.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Solidity version 0.8.20 may not work on other chains due to PUSH0', + description:"In Solidity 0.8.20's compiler, the default target EVM version has been changed to Shanghai. This version introduces a new op code called PUSH0.\n However, not all Layer 2 solutions have implemented this op code yet, leading to deployment failures on these chains. To overcome this problem, it is recommended to utilize an earlier EVM version.", + regex: /pragma solidity 0.8.1[1-8];/gm, +}; + +export default issue; diff --git a/src/issues/L/2StepOwner.ts b/src/issues/L/2StepOwner.ts new file mode 100644 index 0000000..16058a9 --- /dev/null +++ b/src/issues/L/2StepOwner.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Use Ownable2Step rather than Ownable', + description:"[`Ownable2Step`](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/3d7a93876a2e5e1d7fe29b5a0e96e222afdc4cfa/contracts/access/Ownable2Step.sol#L31-L56) and [`Ownable2StepUpgradeable`](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/25aabd286e002a1526c345c8db259d57bdf0ad28/contracts/access/Ownable2StepUpgradeable.sol#L47-L63) prevent the contract ownership from mistakenly being transferred to an address that cannot handle it (e.g. due to a typo in the address), by requiring that the recipient of the owner permissions actively accept via a contract call of its own.", + regex: /(Ownable | OwnableUpgradeable)/g, +}; + +export default issue; diff --git a/src/issues/L/BoundingForLoop.ts b/src/issues/L/BoundingForLoop.ts new file mode 100644 index 0000000..f328493 --- /dev/null +++ b/src/issues/L/BoundingForLoop.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Consider bounding input array length', + regex: /\bfor\s*\([^;]*;[^;]*;[^)]*\)/g, + description:"The functions below take in an unbounded array, and make function calls for entries in the array. While the function will revert if it eventually runs out of gas, it may be a nicer user experience to require() that the length of the array is below some reasonable maximum, so that the user doesn't have to use up a full transaction's gas only to see that the transaction reverts.", +}; + +export default issue; diff --git a/src/issues/L/BugOppenzeplinVersion.ts b/src/issues/L/BugOppenzeplinVersion.ts new file mode 100644 index 0000000..d6a6989 --- /dev/null +++ b/src/issues/L/BugOppenzeplinVersion.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Project has vulnarable NPM dependency version', + description:"Upgrade Openzeppelin versi,on to version 4.9.2 or higher. \n Check https://security.snyk.io/package/npm/@openzeppelin%2Fcontracts and \n https://security.snyk.io/package/npm/@openzeppelin%2Fcontracts-upgradeable for more information.", + regex: /("@openzeppelin\/contracts"\s*([<:>]+)\s*\s*"(4\.[0-8](\.\d+)?)",|"@openzeppelin\/contracts-upgradeable"\s*([<:>]+)\s*"(\s*(4\.[0-8](\.\d+)?))",)/gm, +}; + +export default issue; diff --git a/src/issues/L/DoubleTypeCast.ts b/src/issues/L/DoubleTypeCast.ts new file mode 100644 index 0000000..be61443 --- /dev/null +++ b/src/issues/L/DoubleTypeCast.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Double type casts create complexity within the code', + description:"Double type casting should be avoided in Solidity contracts to prevent unintended consequences and ensure accurate data representation. Performing multiple type casts in succession can lead to unexpected truncation, rounding errors, or loss of precision, potentially compromising the contract's functionality and reliability./n Furthermore, double type casting can make the code less readable and harder to maintain, increasing the likelihood of errors and misunderstandings during development and debugging. To ensure precise and consistent data handling, developers should use appropriate data types and avoid unnecessary or excessive type casting, promoting a more robust and dependable contract execution.", + regex: /(uint|int)[0-9]+\((uint|int)[0-9]+/gm, +}; + +export default issue; diff --git a/src/issues/L/EmptyReciverFallback.ts b/src/issues/L/EmptyReciverFallback.ts new file mode 100644 index 0000000..c9944fe --- /dev/null +++ b/src/issues/L/EmptyReciverFallback.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'No access control on receive/payable fallback', + regex: /fallback|receive\(\)\s+\w+(?:\s+\w+)*\s+\{[^\}]*\}/g, + description:"Users may send ETH by mistake to these contracts. As there is no access control on these functions, the funds will be permanently lost.", +}; + +export default issue; diff --git a/src/issues/L/SafeApproveTypeMax.ts b/src/issues/L/SafeApproveTypeMax.ts new file mode 100644 index 0000000..b0f242e --- /dev/null +++ b/src/issues/L/SafeApproveTypeMax.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Approve type(uint256).max not work with some tokens', + description:"Source: https://github.com/d-xo/weird-erc20#revert-on-large-approvals--transfers.", + regex: /.*safeApprove.*type\(uint256\)\.max.*;/gm, +}; + +export default issue; diff --git a/src/issues/L/avoidEncodePacked.ts b/src/issues/L/avoidEncodePacked.ts new file mode 100644 index 0000000..654070b --- /dev/null +++ b/src/issues/L/avoidEncodePacked.ts @@ -0,0 +1,13 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: + ' `abi.encodePacked()` should not be used with dynamic types when passing the result to a hash function such as `keccak256()`', + description: + 'Use `abi.encode()` instead which will pad items to 32 bytes, which will [prevent hash collisions](https://docs.soliditylang.org/en/v0.8.13/abi-spec.html#non-standard-packed-mode) (e.g. `abi.encodePacked(0x123,0x456)` => `0x123456` => `abi.encodePacked(0x1,0x23456)`, but `abi.encode(0x123,0x456)` => `0x0...1230...456`). "Unless there is a compelling reason, `abi.encode` should be preferred". If there is only one argument to `abi.encodePacked()` it can often be cast to `bytes()` or `bytes32()` [instead](https://ethereum.stackexchange.com/questions/30912/how-to-compare-strings-in-solidity#answer-82739).\nIf all arguments are strings and or bytes, `bytes.concat()` should be used instead', + regex: /keccak(256)?.?\(abi.encodePacked/g, +}; + +export default issue; diff --git a/src/issues/L/deprecatedFunctions.ts b/src/issues/L/deprecatedFunctions.ts new file mode 100644 index 0000000..c6376be --- /dev/null +++ b/src/issues/L/deprecatedFunctions.ts @@ -0,0 +1,10 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Do not use deprecated library functions', + regex: /_setupRole\(|safeApprove\(/g, +}; + +export default issue; diff --git a/src/issues/L/don'tUseBlockTimeStamp.ts b/src/issues/L/don'tUseBlockTimeStamp.ts new file mode 100644 index 0000000..b3634d9 --- /dev/null +++ b/src/issues/L/don'tUseBlockTimeStamp.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Truncating block.timestamp can reduce the lifespan of a contract', + description:'Consider removing the casting to extend the lifespan of these contracts.', + regex: /uint64\(block\.timestamp\)/gm, +}; + +export default issue; diff --git a/src/issues/L/draftContracts.ts b/src/issues/L/draftContracts.ts new file mode 100644 index 0000000..6adfd99 --- /dev/null +++ b/src/issues/L/draftContracts.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Draft OpenZeppelin Dependencies', + description:"OpenZeppelin contracts may be considered draft contracts if they have not received adequate security auditing or are liable to change with future development.", + regex: /\draft/gm, +}; + +export default issue; diff --git a/src/issues/L/emptyBody.ts b/src/issues/L/emptyBody.ts new file mode 100644 index 0000000..2701254 --- /dev/null +++ b/src/issues/L/emptyBody.ts @@ -0,0 +1,10 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Empty Function Body - Consider commenting why', + regex: /(\{\})|(\{ \})/g, +}; + +export default issue; diff --git a/src/issues/L/ercrecover.ts b/src/issues/L/ercrecover.ts new file mode 100644 index 0000000..6af5c6e --- /dev/null +++ b/src/issues/L/ercrecover.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Use of ecrecover is susceptible to signature malleability', + description:"The built-in EVM precompile ecrecover is susceptible to signature malleability, which could lead to [replay attacks](https://medium.com/cryptronics/signature-replay-vulnerabilities-in-smart-contracts-3b6f7596df57).\n Consider using OpenZeppelin’s [ECDSA library](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol#L125-L128) instead of the built-in function.", + regex: /ecrecover\(/gm, +}; + +export default issue; diff --git a/src/issues/L/frontRunnableInitializer.ts b/src/issues/L/frontRunnableInitializer.ts new file mode 100644 index 0000000..ce39dcb --- /dev/null +++ b/src/issues/L/frontRunnableInitializer.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Initializers could be front-run', + description: "Initializers could be front-run, allowing an attacker to either set their own values, take ownership of the contract, and in the best case forcing a re-deployment", + regex: /initialize\(|init\(|(initializer)/g, +}; + +export default issue; diff --git a/src/issues/L/payableTransferSend.ts b/src/issues/L/payableTransferSend.ts new file mode 100644 index 0000000..3939478 --- /dev/null +++ b/src/issues/L/payableTransferSend.ts @@ -0,0 +1,12 @@ + +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: "Don't use payable.transfer()/payable.send()", + description:"The use of payable.transfer() is heavily frowned upon because it can lead to the locking of funds. The transfer() call requires that the recipient is either an EOA account, or is a contract that has a payable callback. For the contract case, the transfer() call only provides 2300 gas for the contract to complete its operations. This means the following cases can cause the transfer to fail: \ The contract does not have a payable callback \ The contract's payable callback spends more than 2300 gas (which is only enough to emit something) \ The contract is called through a proxy which itself uses up the 2300 gas \ Use OpenZeppelin's Address.sendValue() instead", + regex: /payable\([a-z0-9]+\)\.(send|transfer)/gm, +}; + +export default issue; diff --git a/src/issues/L/pricisionLossDivision.ts b/src/issues/L/pricisionLossDivision.ts new file mode 100644 index 0000000..328f74e --- /dev/null +++ b/src/issues/L/pricisionLossDivision.ts @@ -0,0 +1,12 @@ +//@audit-ok require testing +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: "Loss of precision on division", +description:"Solidity doesn't support fractions, so division by large numbers could result in the quotient being zero \n To avoid this, it's recommended to require a minimum numerator amount to ensure that it is always greater than the denominator.", + regex: /\/\s*.*\s*;/gm, +}; + +export default issue; diff --git a/src/issues/L/pushArray.ts b/src/issues/L/pushArray.ts new file mode 100644 index 0000000..3ee074d --- /dev/null +++ b/src/issues/L/pushArray.ts @@ -0,0 +1,12 @@ + +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: "Array lacks use of the pop function", + description:"There are some arrays that can grow indefinitely in size, as they never shrink: this can lead to inefficient memory management and increase the likelihood of out-of-gas errors.", + regex: /\.push\(/g, +}; + +export default issue; diff --git a/src/issues/L/transferFromandtransfer.ts b/src/issues/L/transferFromandtransfer.ts new file mode 100644 index 0000000..05bbb36 --- /dev/null +++ b/src/issues/L/transferFromandtransfer.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Use of transfer instead of safeTransfer', + description:'It is good to add a `require` statement that checks the return value of token transfers or to use something like OpenZeppelin’s `safeTransfer/safeTransferFrom` unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.', + regex: /(\.transferFrom|\.transfer)/gm, +}; + +export default issue; diff --git a/src/issues/L/unsafeERC20Operations.ts b/src/issues/L/unsafeERC20Operations.ts new file mode 100644 index 0000000..0f241d2 --- /dev/null +++ b/src/issues/L/unsafeERC20Operations.ts @@ -0,0 +1,10 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Unsafe ERC20 operation(s)', + regex: /\.transfer\(|\.transferFrom\(|\.approve\(/g, +}; + +export default issue; diff --git a/src/issues/L/unsafeExternalCall.ts b/src/issues/L/unsafeExternalCall.ts new file mode 100644 index 0000000..2343535 --- /dev/null +++ b/src/issues/L/unsafeExternalCall.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Gas griefing/theft is possible on an unsafe external call', + regex: /\.call/g, + description:"A low-level call will copy any amount of bytes to local memory. When bytes are copied from returndata to memory, the memory expansion cost is paid.\n This means that when using a standard solidity call, the callee can 'returnbomb' the caller, imposing an arbitrary gas cost.\n Because this gas is paid by the caller and in the caller's context, it can cause the caller to run out of gas and halt execution.\n Consider replacing all unsafe `call` with `excessivelySafeCall` from this [repository](https://github.com/nomad-xyz/ExcessivelySafeCall).", +}; + +export default issue; diff --git a/src/issues/L/unspecifiedPragma.ts b/src/issues/L/unspecifiedPragma.ts new file mode 100644 index 0000000..a653699 --- /dev/null +++ b/src/issues/L/unspecifiedPragma.ts @@ -0,0 +1,10 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: 'Unspecific compiler version pragma', + regex: /pragma solidity (\\^|>)[0-9\.]*/g, +}; + +export default issue; diff --git a/src/issues/L/useOfEcrecover.ts b/src/issues/L/useOfEcrecover.ts new file mode 100644 index 0000000..c871808 --- /dev/null +++ b/src/issues/L/useOfEcrecover.ts @@ -0,0 +1,12 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.L, + title: "Use of ecrecover is susceptible to signature malleability", + description: "The built-in EVM precompile ecrecover is susceptible to signature malleability, which could lead to replay attacks.Consider using OpenZeppelin’s ECDSA library instead of the built-in function.", + regex:/\becrecover\b/g +}; + +export default issue; + diff --git a/src/issues/M/centralizationRisk.ts b/src/issues/M/centralizationRisk.ts new file mode 100644 index 0000000..26071a6 --- /dev/null +++ b/src/issues/M/centralizationRisk.ts @@ -0,0 +1,11 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.M, + title: 'Centralization Risk for trusted owners', + impact: 'Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.', + regex: /( onlyOwner )|( onlyRole\()|( requiresAuth )|(Owned)!?([(, ])|(Ownable)!?([(, ])|(Ownable2Step)!?([(, ])|(AccessControl)!?([(, ])|(AccessControlCrossChain)!?([(, ])|(AccessControlEnumerable)!?([(, ])|(Auth)!?([(, ])|(RolesAuthority)!?([(, ])|(MultiRolesAuthority)!?([(, ])/g, +}; + +export default issue; diff --git a/src/issues/M/safeTransfer.ts b/src/issues/M/safeTransfer.ts new file mode 100644 index 0000000..72fc6af --- /dev/null +++ b/src/issues/M/safeTransfer.ts @@ -0,0 +1,10 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.M, + title: 'Unsafe ERC20 operation(s)', + regex: /(\.transferFrom|\.transfer)/gm, +}; + +export default issue; diff --git a/src/issues/M/soladySafeTransferLib.ts b/src/issues/M/soladySafeTransferLib.ts new file mode 100644 index 0000000..dbedc4b --- /dev/null +++ b/src/issues/M/soladySafeTransferLib.ts @@ -0,0 +1,16 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.M, + title: + 'Solady\'s SafeTransferLib does not check for token contract\'s existence', + description: + 'There is a subtle difference between the implementation of solady’s SafeTransferLib and OZ’s SafeERC20: OZ’s SafeERC20 checks if the token is a contract or not, solady’s SafeTransferLib does not.\n' + + 'https://github.com/Vectorized/solady/blob/main/src/utils/SafeTransferLib.sol#L10 \n' + + '`@dev Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller` \n', + regexPreCondition: /solady\/utils\/SafeTransferLib.sol/g, + regex: /.safeTransfer\(|\.safeTransferFrom\(|\.safeApprove\(/g, +}; + +export default issue; diff --git a/src/issues/M/solmateSafeTransferLib.ts b/src/issues/M/solmateSafeTransferLib.ts new file mode 100644 index 0000000..b951276 --- /dev/null +++ b/src/issues/M/solmateSafeTransferLib.ts @@ -0,0 +1,16 @@ +import { IssueTypes, RegexIssue } from '../../types'; + +const issue: RegexIssue = { + regexOrAST: 'Regex', + type: IssueTypes.M, + title: + ' Solmate\'s SafeTransferLib does not check for token contract\'s existence', + description: + 'There is a subtle difference between the implementation of solmate’s SafeTransferLib and OZ’s SafeERC20: OZ’s SafeERC20 checks if the token is a contract or not, solmate’s SafeTransferLib does not.\n' + + 'https://github.com/transmissions11/solmate/blob/main/src/utils/SafeTransferLib.sol#L9 \n' + + '`@dev Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller` \n', + regexPreCondition: /solmate\/utils\/SafeTransferLib.sol/g, + regex: /.safeTransfer\(|\.safeTransferFrom\(|\.safeApprove\(/g, +}; + +export default issue; diff --git a/src/issues/index.ts b/src/issues/index.ts new file mode 100644 index 0000000..da5f409 --- /dev/null +++ b/src/issues/index.ts @@ -0,0 +1,15 @@ +import { Issue } from '../types'; +import { recursiveExploration } from '../utils'; +import path from 'path'; + +const fileNames = recursiveExploration(__dirname + '/', '.ts'); + +const issues: Issue[] = []; +for (let file of fileNames) { + file = path.join(__dirname, file); + if (file !== __filename) { + issues.push(require(file).default); + } +} + +export default issues; \ No newline at end of file