Merge pull request #157 from pessimistic-io/develop

v0.7.0

.github/workflows/benchmark.yml

@@ -34,6 +34,7 @@ jobs:
  - name: Configure
  run: |
  cd slitherin-benchmark/
+ ls
  mv example.config.py config.py
  - name: Install node dependencies
  run: npm ci
@@ -44,12 +45,26 @@ jobs:
  - name: Run Benchmark
  run: |
  cd slitherin-benchmark/
- python runner.py -i contracts/mainnet -o mainnet.csv --limit 7000
+ python runner.py -i contracts/mainnet -o mainnet.csv -eo mainnet_extra.csv --limit 8000 --skip-duplicates --skip-libs
+ - name: Upload sheet
+ run: |
+ cd slitherin-benchmark/
+ echo $GOOGLE_JWT > service_account.json
+ python save_sheet.py -i mainnet.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln mainnet -pr $PR_NUMBER
+ env:
+ GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+ GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+ PR_NUMBER: ${{ github.event.number }}
  - name: 'Upload Artifact'
  uses: actions/upload-artifact@v3
  with:
  name: mainnet
  path: slitherin-benchmark/mainnet.csv
+ - name: 'Upload Artifact Extra'
+ uses: actions/upload-artifact@v3
+ with:
+ name: mainnet
+ path: slitherin-benchmark/mainnet_extra.csv
  RunBenchmarkOZ: 
  runs-on: ubuntu-latest
  steps:
@@ -89,6 +104,15 @@ jobs:
  run: |
  cd slitherin-benchmark/
  python runner.py -i contracts/openzeppelin -o oz.csv -eo oz_extra.csv
+ - name: Upload sheet
+ run: |
+ cd slitherin-benchmark/
+ echo $GOOGLE_JWT > service_account.json
+ python save_sheet.py -i oz.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln OZ -pr $PR_NUMBER
+ env:
+ GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+ GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+ PR_NUMBER: ${{ github.event.number }}
  - name: 'Upload Artifact'
  uses: actions/upload-artifact@v3
  with:
@@ -99,4 +123,3 @@ jobs:
  with:
  name: oz_extra
  path: slitherin-benchmark/oz_extra.csv
-

.github/workflows/old_version.yml

@@ -0,0 +1,118 @@
+name: Run Benchmark
+
+on:
+ workflow_dispatch: # Ручной запуск через UI Гитхаба
+jobs:
+ RunBenchmarkOld: 
+ runs-on: ubuntu-latest
+ env:
+ slitherin_version: 0.1.0
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+ - name: Set up Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18.x'
+ - name: Update pip
+ run: python -m pip install --upgrade pip
+ - name: Install solc-select
+ run: python -m pip install solc-select
+ - name: Install Slither
+ run: python -m pip install slither-analyzer
+ - name: Install Setuptools
+ run: python -m pip install setuptools
+ - name: Install Slitherin
+ run: python -m pip install slitherin==$slitherin_version
+ - name: Configure
+ run: |
+ cd slitherin-benchmark/
+ mv example.config.py config.py
+ - name: Install benchmark requirements
+ run: |
+ cd slitherin-benchmark/
+ python -m pip install -r requirements.txt
+ - name: Run Benchmark
+ run: |
+ cd slitherin-benchmark/
+ python runner.py -i contracts/mainnet -o mainnet.csv --limit 8000 --skip-duplicates --skip-libs --use-slither
+ - name: Upload sheet
+ run: |
+ cd slitherin-benchmark/
+ echo $GOOGLE_JWT > service_account.json
+ python save_sheet.py -i mainnet.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln mainnet -sv "slitherin $slitherin_version"
+ env:
+ GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+ GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+ - name: 'Upload Artifact'
+ uses: actions/upload-artifact@v3
+ with:
+ name: mainnet
+ path: slitherin-benchmark/mainnet.csv
+ RunBenchmarkOZOld: 
+ runs-on: ubuntu-latest
+ env:
+ slitherin_version: 0.1.0
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: 'true'
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+ - name: Set up Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18.x'
+ - name: Update pip
+ run: python -m pip install --upgrade pip
+ - name: Install solc-select
+ run: python -m pip install solc-select
+ - name: Install Slither
+ run: python -m pip install slither-analyzer
+ - name: Install Setuptools
+ run: python -m pip install setuptools
+ - name: Install Slitherin
+ run: python -m pip install slitherin==$slitherin_version
+ - name: Configure
+ run: |
+ cd slitherin-benchmark/
+ mv example.config.py config.py
+ - name: Install node dependencies
+ run: npm ci
+ - name: Install benchmark requirements
+ run: |
+ cd slitherin-benchmark/
+ python -m pip install -r requirements.txt
+ - name: Run Benchmark
+ run: |
+ cd slitherin-benchmark/
+ python runner.py -i contracts/openzeppelin -o oz.csv -eo oz_extra.csv --use-slither
+ - name: Upload sheet
+ run: |
+ cd slitherin-benchmark/
+ echo $GOOGLE_JWT > service_account.json
+ ls
+ python save_sheet.py -i oz.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln OZ -sv "slitherin $slitherin_version"
+ env:
+ GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+ GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+ - name: 'Upload Artifact'
+ uses: actions/upload-artifact@v3
+ with:
+ name: oz
+ path: slitherin-benchmark/oz.csv
+ - name: 'Upload Artifact'
+ uses: actions/upload-artifact@v3
+ with:
+ name: oz_extra
+ path: slitherin-benchmark/oz_extra.csv
+

README.md

@@ -1,4 +1,4 @@
-#  Slitherin by Pessimistic.io
+# Slitherin by Pessimistic.io
 
 [![Blog](https://img.shields.io/badge/Blog-Link-blue?style=flat-square&logo=appveyor?logo=data:https://pessimistic.io/favicon.ico)](https://blog.pessimistic.io/)
 [![Our Website](https://img.shields.io/badge/By-pessimistic.io-green?style=flat-square&logo=appveyor?logo=data:https://pessimistic.io/favicon.ico)](https://pessimistic.io/)
@@ -99,6 +99,7 @@ Slitherin detectors are included into original Slither after the installation. Y
 | [Arbitrary Call](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/arbitrary_call/arbitrary_call.py) | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/arbitrary_call.md) | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/arbitrary_call_test.sol) | 0 |
 | [Elliptic Curve Recover](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/ecrecover.py) | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/ecrecover.md) | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/ecrecover.sol) | 0 |
 | [Public vs External](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/public_vs_external.py) | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/public_vs_external.md) | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/public_vs_external_test.sol) | 0 |
+| [Balancer Read-only Reentrancy](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/balancer/balancer_readonly_reentrancy.py) | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/balancer/readonly_reentrancy.md) | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/balancer/readonly_reentrancy_test.sol) | 0 |
 
 **Please note:**
 

docs/arb_chainlink_price_feed.md

@@ -0,0 +1,18 @@
+# Arbitrum chainlink sequencer uptime
+## Configuration
+
+- Check: `pess-arb-chainlink-price-feed`
+- Severity: `Medium`
+- Confidence: `Medium`
+
+## Description
+
+Sequencer uptime status should be checked. For details: [chainlink docs](https://docs.chain.link/data-feeds/l2-sequencer-feeds)
+
+## Vulnerable Scenario
+
+[test scenarios](../tests/arbitrum_chainlink_pricefeed_test.sol)
+
+## Recommendation
+
+Verify, sequencer uptmie

docs/balancer/readonly_reentrancy.md

@@ -0,0 +1,24 @@
+# Balancer Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-balancer-readonly-reentrancy`
+- Severity: `High`
+- Confidence: `Medium`
+
+## Description
+
+Highlights the use of Balancer getter functions `getRate` and `getPoolTokens` (which are not checked for readonly reentrancy via `VaultReentrancyLib.ensureNotInVaultContext` or `IVault.manageUserBalance`), which return values that theoretically could be manipulated during the execution.
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/balancer/readonly_reentrancy_test.sol)
+
+## Related Attacks
+
+- [Sentimentxyz Exploit](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)
+- [Sturdy Exploit](https://blog.solidityscan.com/sturdy-finance-hack-analysis-bd8605cd2956)
+
+## Recommendation
+
+- [Official Balancer recomendation](https://docs.balancer.fi/concepts/advanced/valuing-bpt/valuing-bpt.html#on-chain-price-evaluation)

docs/curve_readonly_reentrancy.md

@@ -0,0 +1,24 @@
+# Curve Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-curve-readonly-reentrancy`
+- Severity: `High`
+- Confidence: `Medium`
+
+## Description
+
+Highlights the use of Curve getter functions `get_virtual_price` and `lp_price` (which are not checked for readonly reentrancy `withdraw_admin_fee`), which return values that theoretically could be manipulated during the execution. Details: [Curve LP Oracle Manipulation](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/curve_readonly_reentrancy_test.sol)
+
+## Related Attacks
+
+- [Jarvis Exploit](https://www.google.com/url?q=https://blog.solidityscan.com/jarvis-polygon-pool-hack-analysis-read-only-re-entrancy-af0607e4585a&sa=D&source=editors&ust=1709713964156907&usg=AOvVaw1Oess2f9Z_UCD6vLM2hN26)
+- [Market.xyz Exploit](https://quillaudits.medium.com/decoding-220k-read-only-reentrancy-exploit-quillaudits-30871d728ad5)
+
+## Recomendations
+
+- Verify by calling `withdraw_admin_fee` and checking for fail of call

docs/curve_vyper_reentrancy.md

@@ -0,0 +1,26 @@
+# Curve Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-curve-vyper-reentrancy`
+- Severity: `High`
+- Confidence: `High`
+
+## Description
+
+Finds if the code is compiled with vulnerable Vyper compiler version and contains non-reentrant modifiers. 
+Details:
+- [Curve exploit postmortem](https://hackmd.io/@LlamaRisk/BJzSKHNjn)
+- [Postmortem from Vyper team](https://hackmd.io/@vyperlang/HJUgNMhs2)
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/vyper/curve_vyper_reentrancy_test.vy)
+
+## Related Attacks
+
+- [Vyper compiler exploits](https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023)
+
+## Recomendations
+
+- Upgrade the version of your Vyper compiler.

docs/nft_approve_warning.md

@@ -6,7 +6,7 @@
 * Confidence: `Low`
 
 ## Description
-The detector sees if a contract contains `erc721.[safe]TransferFrom(from, ...)` where `from` parameter is not related to `msg.sender`.
+The detector sees if a contract contains `erc721.[safe]TransferFrom(from, ...)` or `erc1155.safe[Batch]TransferFrom(from, ...)` where `from` parameter is not related to `msg.sender`.
 An attacker can steal any approved NFTs because `transferFrom` function does NOT check that the call is made by its owner. 
 
 ## Vulnerable Scenario
@@ -17,4 +17,4 @@ An attacker can steal any approved NFTs because `transferFrom` function does NOT
 [Unauthorized transfer_from Vulnerability](https://ventral.digital/posts/2022/8/18/sznsdaos-bountyboard-unauthorized-transferfrom-vulnerability)
 
 ## Recommendation
-Make sure that in `erc721.[safe]TransferFrom(from, ...)` functions `from` parameter is related to `msg.sender`.
+Make sure that in `erc721.[safe]TransferFrom(from, ...)` and `erc1155.safe[Batch]TransferFrom(from, ...)` functions `from` parameter is related to `msg.sender`.

docs/price_manipulation.md

@@ -0,0 +1,15 @@
+# Price Manipulation through token transfers
+
+## Configuration
+* Check: `pess-price-manipulation`
+* Severity: `High`
+* Confidence: `Low`
+
+## Description
+The detector finds calculations that depend on the balance and supply of some token. Such calculations could be manipulated through direct transfers to the contract, increasing its balance.
+
+## Vulnerable Scenario
+[test scenario](../tests/price_manipulation_test.sol)
+
+## Recommendation
+Avoid possible manipulations of calculations because of external transfers.

package.json

@@ -1,5 +1,8 @@
 {
  "dependencies": {
- "@openzeppelin/contracts": "^4.9.3"
+ "@openzeppelin/contracts": "^4.9.3",
+ "@balancer-labs/v2-interfaces": "^0.4.0",
+ "@balancer-labs/v2-pool-utils": "^4.0.0"
+
  }
 }