Adding the exact balance check rule (#20)

* Adding the exact balance check rule

* Fix the exact balance check rule

* Fix the taint mode of the exact balance check rule

* Another fix for the exact balance check rule

* extend if pattern

* Fixed the taint mode and separated the if branch detection without using the taint mode

* Remove the redundant pattern in the exact balance check rule

* Redo everything again based on the h1kk4's commit, extend it to cover more cases

---------

Co-authored-by: h1kk4 <[email protected]>

Author: beched

README.md

@@ -133,6 +133,7 @@ public-transfer-fees-supporting-tax-tokens | LeetSwap | public _transferFeesSupp
 olympus-dao-staking-incorrect-call-order | OlympusDAO, FloorDAO, Heavens Gate, Jump Farm, QuantumWN | The order of calling the transferFrom() and rebase() functions is incorrect in Olympus DAO forks
 compound-precision-loss | Hundred Finance, Midas Finance, Onyx Protocol | In Compound forks if there is a market with totalSupply = 0 and collateralFactor != 0 a precision loss attack is possible if redeemAmount is taken from the arguments of redeemFresh()
 thirdweb-vulnerability | Swopple Token, TIME Token, NAME Token, HXA Token | In contracts that support Multicall and ERC2771Context an Arbitrary Address Spoofing attack is possible
+exact-balance-check | Generic | Testing the balance of an account as a basis for some action has risks associated with unexpected receipt of ether or another token, including tokens deliberately transfered to cause such tests to fail, as an MEV attack.
 
 ## Gas Optimization Rules
 

solidity/security/exact-balance-check.sol

@@ -0,0 +1,78 @@
+contract Foobar {
+    function doit1(address ext) {
+        uint256 bal = IERC20(ext).balanceOf(address(this));
+        // ok: exact-balance-check
+        bal == 1338;
+        require(
+        	1==1 &&
+            // ruleid: exact-balance-check
+        	(bal == 1337) ||
+        	1==2,
+        	"Wrong balance!"
+        );
+        // do smth
+    }
+
+    function doit2(address ext) {
+        require(
+            1==1 &&
+            // ruleid: exact-balance-check
+            (address(ext).balance == 1337) ||
+            1==2,
+            "Wrong balance!"
+        );
+        // do smth
+    }
+
+    function doit3(address ext) {
+        require(
+            1==1 &&
+            // ruleid: exact-balance-check
+            (1337 == address(ext).balance) ||
+            1==2,
+            "Wrong balance!"
+        );
+        // do smth
+    }
+
+    function doit4(address ext) {
+        // ruleid: exact-balance-check
+        if (address(ext).balance == 1337 && 1 == 1) {
+            // do smth
+            uint a = 123;
+        };
+        // do smth
+    }
+
+    function doit5(address ext) {
+        // ok: exact-balance-check
+        if (1==1) {
+            // ruleid: exact-balance-check
+            bool b = address(ext).balance == 1337;
+            if(b) {}
+        };
+        // do smth
+    }
+
+    function doit_safe(address ext) {
+        require(
+            1==1 &&
+            // ok: exact-balance-check
+            (IERC20(ext).balanceOf(address(this)) >= 1337) ||
+            1==2,
+            "Wrong balance!"
+        );
+        // do smth
+    }
+
+    function doit2_safe(address ext) {
+        require(
+            1==1 &&
+            // ok: exact-balance-check
+            (address(ext).balance <= 1337) ||
+            1==2,
+            "Wrong balance!"
+        );
+        // do smth
+    }
+}

solidity/security/exact-balance-check.yaml

@@ -0,0 +1,54 @@
+rules:
+  - id: exact-balance-check
+    message: Testing the balance of an account as a basis for some action has risks
+      associated with unexpected receipt of ether or another token, including
+      tokens deliberately transfered to cause such tests to fail, as an MEV
+      attack.
+    metadata:
+      category: security
+      technology:
+          - solidity
+      cwe: "CWE-667: Improper Locking"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: MEDIUM
+      subcategory:
+          - vuln
+      references:
+        - https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-exact-balance-check
+    mode: taint
+    pattern-sinks:
+      - pattern-either:
+        - patterns:
+            - pattern-either:
+                - pattern: $X == ...
+                - pattern: ... == $X
+            - pattern-either:
+                - pattern-inside: require(...)
+                - pattern-inside: |
+                    if (<... $X == ... ...>) {
+                      ...
+                    }
+                - pattern-inside: |
+                    if (<... ... == $X ...>) {
+                      ...
+                    }
+        - patterns:
+            - pattern-either:
+                - pattern: $BOOL = <... ... == ... ...>
+            - pattern-either:
+                - pattern-inside: |
+                    ...
+                    require(<... $BOOL ...>)
+                - pattern-inside: |
+                    ...
+                    if (<... $BOOL ...>) {
+                      ...
+                    }
+    pattern-sources:
+      - pattern-either:
+          - pattern: $T.balanceOf($A)
+          - pattern: $T.balance
+    languages:
+      - solidity
+    severity: WARNING