update bad-transferfrom-access-control rule and tests

Decurity · Aug 16, 2024 · ba096be · ba096be
1 parent 5d1079a
commit ba096be
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 9 deletions.
diff --git a/solidity/security/bad-transferfrom-access-control.sol b/solidity/security/bad-transferfrom-access-control.sol
@@ -178,4 +178,36 @@ contract Test {
         usdc.safeTransferFrom(from, to, amount);
     }
 
-}
+    function transferFrom(address to, address from, uint256 amount) external {
+        // ok: bad-transferfrom-access-control
+        super.transferFrom(from, to, amount);
+    }
+
+    function _stake(address _fundingAccount, address _account, address _depositToken, uint256 _amount) private {
+        require(_amount > 0, "RewardTracker: invalid _amount");
+        require(isDepositToken[_depositToken], "RewardTracker: invalid _depositToken");
+
+        // ok: bad-transferfrom-access-control
+        IERC20(_depositToken).transferFrom(_fundingAccount, address(this), _amount);
+
+        _updateRewards(_account);
+
+        stakedAmounts[_account] = stakedAmounts[_account] + _amount;
+        depositBalances[_account][_depositToken] = depositBalances[_account][_depositToken] + _amount;
+        totalDepositSupply[_depositToken] = totalDepositSupply[_depositToken] + _amount;
+
+        _mint(_account, _amount);
+    }
+
+
+    function func24(address to, address from) external onlyOwner {
+        // ok: bad-transferfrom-access-control
+        usdc.safeTransferFrom(from, to, amount);
+    }
+
+    function func25(address from, address to) public {
+        // ok: bad-transferfrom-access-control
+        usdc.safeTransferFrom(from, address(this), amount);
+    }
+}
+
diff --git a/solidity/security/bad-transferfrom-access-control.yaml b/solidity/security/bad-transferfrom-access-control.yaml
@@ -14,8 +14,8 @@ rules:
       impact: HIGH
       subcategory:
         - vuln
-      references: 
-        - https://app.blocksec.com/explorer/tx/eth/0x54f659773dae6e01f83184d4b6d717c7f1bb71c0aa59e8c8f4a57c25271424b3 # YODL hack
+      references:
+        - https://app.blocksec.com/explorer/tx/eth/0x54f659773dae6e01f83184d4b6d717c7f1bb71c0aa59e8c8f4a57c25271424b3
     mode: taint
     pattern-sources:
       - label: INPUT_TO
@@ -34,10 +34,14 @@ rules:
           - patterns:
               - pattern: function $F(..., address $FROM, ..., address $TO, ...) external { ... }
               - focus-metavariable: $FROM
+      - label: OWNER
+        pattern: function $F(...) onlyOwner {...}
     pattern-sinks:
-      - requires: INPUT_TO and INPUT_FROM
-        pattern-either:
-          - pattern: $TOKEN.transferFrom($FROM,$TO,$AMOUNT);
-          - pattern: $TOKEN.safeTransferFrom($FROM,$TO,$AMOUNT);
-          - pattern: $HELPER.transferFrom($TOKEN,$FROM,$TO,...);
-          - pattern: $HELPER.safeTransferFrom($TOKEN,$FROM,$TO,...);
+      - requires: INPUT_TO and INPUT_FROM and not (OWNER)
+        patterns:
+         - pattern-either:
+            - pattern: $TOKEN.transferFrom($FROM,$TO,$AMOUNT);
+            - pattern: $TOKEN.safeTransferFrom($FROM,$TO,$AMOUNT);
+            - pattern: $HELPER.transferFrom($TOKEN,$FROM,$TO,...);
+            - pattern: $HELPER.safeTransferFrom($TOKEN,$FROM,$TO,...);
+         - pattern-not: super.$F(...);