update rule and tests

Decurity · Aug 26, 2024 · 2b85dfd · 2b85dfd
1 parent ba096be
commit 2b85dfd
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 28 deletions.
diff --git a/solidity/security/bad-transferfrom-access-control.sol b/solidity/security/bad-transferfrom-access-control.sol
@@ -72,7 +72,7 @@ contract Test {
     }
 
     function _func10(address from, address to) internal {
-        // ruleid: bad-transferfrom-access-control
+        // todoruleid: bad-transferfrom-access-control
         usdc.transferFrom(from, to, amount);
     }
 
@@ -152,7 +152,7 @@ contract Test {
     }
 
     function _func20(address from, address to) internal {
-        // ruleid: bad-transferfrom-access-control
+        // todoruleid: bad-transferfrom-access-control
         usdc.safeTransferFrom(from, to, amount);
     }
 
@@ -183,6 +183,11 @@ contract Test {
         super.transferFrom(from, to, amount);
     }
 
+    function stakeForAccount(address _fundingAccount, address _account, address _depositToken, uint256 _amount) external override nonReentrant {
+        _validateHandler();
+        _stake(_fundingAccount, _account, _depositToken, _amount);
+    }
+
     function _stake(address _fundingAccount, address _account, address _depositToken, uint256 _amount) private {
         require(_amount > 0, "RewardTracker: invalid _amount");
         require(isDepositToken[_depositToken], "RewardTracker: invalid _depositToken");
@@ -200,7 +205,7 @@ contract Test {
     }
 
 
-    function func24(address to, address from) external onlyOwner {
+    function func24(address from, address to) onlyOwner public {
         // ok: bad-transferfrom-access-control
         usdc.safeTransferFrom(from, to, amount);
     }
@@ -209,5 +214,29 @@ contract Test {
         // ok: bad-transferfrom-access-control
         usdc.safeTransferFrom(from, address(this), amount);
     }
+
+    function transferIn(
+    address _token,
+    address _sender,
+    uint256 _amount
+    ) public onlyGame onlyWhitelistedToken(_token) {
+        // ok: bad-transferfrom-access-control
+        IERC20(_token).safeTransferFrom(_sender, address(this), _amount);
+    }
+
+    function func26(address random, address from, address to) public {
+        // ok: bad-transferfrom-access-control
+        usdc.safeTransferFrom(from, someaddress, amount);
+    }
+
+    function func28(address random, address from, address to) public {
+        // ok: bad-transferfrom-access-control
+        usdc.safeTransferFrom(this, some, from);
+    }
+
+    function func29(address random, address from, address token, address onemore) public {
+        // ok: bad-transferfrom-access-control
+        IERC20(token).safeTransferFrom(this, some, amount);
+    }
 }
 
diff --git a/solidity/security/bad-transferfrom-access-control.yaml b/solidity/security/bad-transferfrom-access-control.yaml
@@ -15,33 +15,26 @@ rules:
       subcategory:
         - vuln
       references:
-        - https://app.blocksec.com/explorer/tx/eth/0x54f659773dae6e01f83184d4b6d717c7f1bb71c0aa59e8c8f4a57c25271424b3
+        - https://app.blocksec.com/explorer/tx/eth/0x54f659773dae6e01f83184d4b6d717c7f1bb71c0aa59e8c8f4a57c25271424b3 #YODL hack
     mode: taint
+    options:
+      taint_unify_mvars: true
     pattern-sources:
-      - label: INPUT_TO
-        pattern-either:
-          - patterns:
-              - pattern: function $F(..., address $FROM, ..., address $TO, ...) public { ... }
-              - focus-metavariable: $TO
-          - patterns:
+      - patterns:
+          - pattern-either:
               - pattern: function $F(..., address $FROM, ..., address $TO, ...) external { ... }
-              - focus-metavariable: $TO
-      - label: INPUT_FROM
-        pattern-either:
-          - patterns:
               - pattern: function $F(..., address $FROM, ..., address $TO, ...) public { ... }
-              - focus-metavariable: $FROM
-          - patterns:
-              - pattern: function $F(..., address $FROM, ..., address $TO, ...) external { ... }
-              - focus-metavariable: $FROM
-      - label: OWNER
-        pattern: function $F(...) onlyOwner {...}
+              - pattern: function $F(..., address $TO, ..., address $FROM, ...) external { ... }
+              - pattern: function $F(..., address $TO, ..., address $FROM, ...) public { ... }
+          - focus-metavariable:
+              - $FROM
+              - $TO
+          - pattern-not: function $F(...) onlyOwner { ... }
     pattern-sinks:
-      - requires: INPUT_TO and INPUT_FROM and not (OWNER)
-        patterns:
-         - pattern-either:
-            - pattern: $TOKEN.transferFrom($FROM,$TO,$AMOUNT);
-            - pattern: $TOKEN.safeTransferFrom($FROM,$TO,$AMOUNT);
-            - pattern: $HELPER.transferFrom($TOKEN,$FROM,$TO,...);
-            - pattern: $HELPER.safeTransferFrom($TOKEN,$FROM,$TO,...);
-         - pattern-not: super.$F(...);
+      - patterns:
+          - pattern-either:
+              - pattern: $TOKEN.transferFrom($FROM,$TO,$AMOUNT);
+              - pattern: $TOKEN.safeTransferFrom($FROM,$TO,$AMOUNT);
+              - pattern: $HELPER.transferFrom($TOKEN,$FROM,$TO,...);
+              - pattern: $HELPER.safeTransferFrom($TOKEN,$FROM,$TO,...);
+          - pattern-not: super.$FUN(...);