Add detectors for incorrect use of Oracle API #2289

talfao · 2024-02-04T15:18:48Z

I am creating this pull request based on the following issue: #2283.

The code here presents basic foundations for detecting improper usage of Oracle API's. So far, the detector supports just Chainlink, but I plan to add other providers such as Tellor or Chronicle.

The PR contains three detectors:
oracle-data-validation - Staleness price, check for price != 0
deprecated-chainlink-call - Check if the smart contract uses deprecated chainlink API functions
oracle-sequencer - Recommendation to the user to check the liveness of sequence if planning to use chainlink oracle on L2.

The checks that indicate improper data validation, such as staleness price, are still under development. I will improve these checks and overall detection in the following weeks.

The reason behind this PR is to get feedback for the approach I have chosen to detect an oracle and if the checks for data validation make sense from your side.

I have one question: Should support for other oracles and improvements of checks be included in different pull requests, or should I add it to this one?

Talfao

Summary by CodeRabbit

New Features
- Updated version of the actions/setup-node action in the workflow file.
- Updated Solidity compiler version selection logic in the Dockerfile.
- Enhanced installation instructions for Slither in the README.md.
- Added new detectors for identifying deprecated Chainlink calls, oracle vulnerabilities, and sequencer checks.
- Introduced new classes and functions for managing oracle contracts and variables.
- Included additional support files for oracle validation and detection.
Tests
- Expanded test coverage for OracleDataCheck and DeprecatedChainlinkCall detectors using various Solidity files.

…xisting values

…tion

Improve checks and detection

New features and checks

talfao · 2024-03-18T08:25:44Z

Hello people,

From my side, the PR is ready for review. The checks were improved, and the code was also tested on several contracts to improve overall detection and variations of Oracle usage.

So far, the detection is supporting just Chainlink. The capabilities of detection of other providers can be extended in the future 😃

I am looking forward to hearing your feedback.
Talfao

coderabbitai

Actionable comments posted: 10

slither/detectors/oracles/supported_oracles/chainlink_oracle.py

...tors/snapshots/detectors__detector_OracleDataCheck_0_8_20_oracle_timestamp_in_var_sol__0.txt

...snapshots/detectors__detector_OracleDataCheck_0_8_20_oracle_check_out_of_function_sol__0.txt

tests/e2e/detectors/test_data/oracle-data-validation/0.8.20/oracle_timestamp_in_var.sol

tests/e2e/detectors/test_data/oracle-data-validation/0.8.20/oracle_check_out_of_function.sol

...detectors/test_data/oracle-data-validation/0.8.20/oracle_data_check_price_in_internal_fc.sol

slither/detectors/oracles/deprecated_chainlink_calls.py

slither/detectors/oracles/supported_oracles/oracle.py

coderabbitai

Actionable comments posted: 3

Out of diff range and nitpick comments (1)

slither/detectors/oracles/supported_oracles/chainlink_oracle.py (1)

27-113: Class ChainlinkOracle is well-structured. Consider adding more comments to complex methods to improve readability and maintainability.

...rs/test_data/oracle-data-validation/0.8.20/oracle_data_check_price_in_double_internal_fc.sol

slither/detectors/oracles/supported_oracles/chainlink_oracle.py

talfao added 30 commits November 3, 2023 15:57

Oracle module

78c3ea2

Before mapping

6c3da7c

Change the approach

86d7dd3

Change the approach

9f8f9ab

Return just not checked vars

e8a8758

Creating check for updated at - not finished

aadbd58

Add some documentation

ed029ed

add checking of internal calls

33b1c1f

Added basics of navive approach and now try to divide the files

398f067

Divided to two files and started with naive_check

bbe73f9

Reoder values based on the nodes mapping and check_price

6fded76

Add text output for price and timestamp

72eda7f

Improve checks part for price

e964ba3

Naive check work, however i need to find a way how to represent not e…

e98f03e

…xisting values

Slot0 simple check

c1532d0

Before experimenting with unused impl detector

509ebaf

Found used order

3f77626

Finding indexes of returned vars in oracle

876860d

Naive check should always work

5260262

Change output from detector of data validiy

ec5c69f

Add revert check

c250443

Fix an issue if variable is not constant in price

227b0f7

Correct revert check

b4c9b26

Rechange the output for mitigating duplicates of arrays

f584e6d

Simple detection of sequencer

5d79f48

Solved ordering of writing to vars

b9ffe01

Add handler if the node is not var

57df560

First testing

d45d144

Some changes to test

8a26717

Comment roundID for now

9eecd91

talfao and others added 12 commits February 24, 2024 14:38

fix: array issue

165dccd

feat: check for timestamp in var

fb5e650

feat: more information if the variabe is checked out of original func…

9296bae

…tion

fix: handle scenario when too many variations

0efcfce

fix: use recommended methods

0606169

fix: recursion error

7a3ced0

fix: sequencer check

6454d6a

fix: better solution for recursion error

dff5e50

feat: all done for merge

d6ac5cb

feat: for the merge improved checks

de9505b

Improve checks and detection

fix: black issue

19472cf

Merge pull request #2 from talfao/new_features_and_checks

14f43d4

New features and checks

talfao and others added 10 commits April 6, 2024 13:29

feat: interfaces detection

81365ed

Merge branch 'dev' into dev

bcebfeb

fix: nodes_with_var attribute

b4fb7c2

fix: DATA_DEPENDENCY error

02e04dd

fix: destination error

1ebbe1b

fix: another recursion error

f2b3346

fix: recursion error, better design

8b8a7bb

Merge branch 'dev' into dev

da1ad9c

Merge branch 'dev' into dev

b94963d

Merge branch 'dev' into dev

b746a01

coderabbitai bot reviewed Apr 26, 2024

View reviewed changes

talfao added 2 commits April 26, 2024 20:35

Merge branch 'fixes_after_evaluation' into dev

89b9711

fix: dead code, improvements from coderabit

46b900c

coderabbitai bot reviewed Apr 26, 2024

View reviewed changes

This was referenced Apr 27, 2024

Spot price detector #2447

Closed

Spot Price detector #2448

Open

fix: remove unused code

73f0b31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add detectors for incorrect use of Oracle API #2289

Add detectors for incorrect use of Oracle API #2289

talfao commented Feb 4, 2024 •

edited by coderabbitai bot

talfao commented Mar 18, 2024

coderabbitai bot left a comment

coderabbitai bot left a comment

Add detectors for incorrect use of Oracle API #2289

Are you sure you want to change the base?

Add detectors for incorrect use of Oracle API #2289

Conversation

talfao commented Feb 4, 2024 • edited by coderabbitai bot

Summary by CodeRabbit

talfao commented Mar 18, 2024

coderabbitai bot left a comment

Choose a reason for hiding this comment

coderabbitai bot left a comment

Choose a reason for hiding this comment

talfao commented Feb 4, 2024 •

edited by coderabbitai bot