Merge pull request #157 from pessimistic-io/develop

v0.7.0

.github/workflows/benchmark.yml

@@ -34,6 +34,7 @@ jobs:
             - name: Configure
               run: |
                 cd slitherin-benchmark/
+                ls
                 mv example.config.py config.py
             - name: Install node dependencies
               run: npm ci
@@ -44,12 +45,26 @@ jobs:
             - name: Run Benchmark
               run: |
                 cd slitherin-benchmark/
-                python runner.py -i contracts/mainnet -o mainnet.csv --limit 7000
+                python runner.py -i contracts/mainnet -o mainnet.csv -eo mainnet_extra.csv --limit 8000 --skip-duplicates --skip-libs
+            - name: Upload sheet
+              run: |
+                cd slitherin-benchmark/
+                echo $GOOGLE_JWT > service_account.json
+                python save_sheet.py -i mainnet.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln mainnet -pr $PR_NUMBER
+              env:
+                GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+                GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+                PR_NUMBER: ${{ github.event.number }}
             - name: 'Upload Artifact'
               uses: actions/upload-artifact@v3
               with:
                 name: mainnet
                 path: slitherin-benchmark/mainnet.csv
+            - name: 'Upload Artifact Extra'
+              uses: actions/upload-artifact@v3
+              with:
+                name: mainnet
+                path: slitherin-benchmark/mainnet_extra.csv
     RunBenchmarkOZ: 
         runs-on: ubuntu-latest
         steps:
@@ -89,6 +104,15 @@ jobs:
               run: |
                 cd slitherin-benchmark/
                 python runner.py -i contracts/openzeppelin -o oz.csv -eo oz_extra.csv
+            - name: Upload sheet
+              run: |
+                cd slitherin-benchmark/
+                echo $GOOGLE_JWT > service_account.json
+                python save_sheet.py -i oz.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln OZ -pr $PR_NUMBER
+              env:
+                GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+                GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+                PR_NUMBER: ${{ github.event.number }}
             - name: 'Upload Artifact'
               uses: actions/upload-artifact@v3
               with:
@@ -99,4 +123,3 @@ jobs:
               with:
                 name: oz_extra
                 path: slitherin-benchmark/oz_extra.csv
-

.github/workflows/old_version.yml

@@ -0,0 +1,118 @@
+name: Run Benchmark
+
+on:
+     workflow_dispatch:  # Ручной запуск через UI Гитхаба
+jobs:
+    RunBenchmarkOld: 
+        runs-on: ubuntu-latest
+        env:
+          slitherin_version: 0.1.0
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+              with:
+                submodules: 'true'
+            - name: Set up Python
+              uses: actions/setup-python@v4
+              with:
+                python-version: '3.x'
+            - name: Set up Node
+              uses: actions/setup-node@v4
+              with:
+                node-version: '18.x'
+            - name: Update pip
+              run: python -m pip install --upgrade pip
+            - name: Install solc-select
+              run: python -m pip install solc-select
+            - name: Install Slither
+              run: python -m pip install slither-analyzer
+            - name: Install Setuptools
+              run: python -m pip install setuptools
+            - name: Install Slitherin
+              run: python -m pip install slitherin==$slitherin_version
+            - name: Configure
+              run: |
+                cd slitherin-benchmark/
+                mv example.config.py config.py
+            - name: Install benchmark requirements
+              run: |
+                cd slitherin-benchmark/
+                python -m pip install -r requirements.txt
+            - name: Run Benchmark
+              run: |
+                cd slitherin-benchmark/
+                python runner.py -i contracts/mainnet -o mainnet.csv --limit 8000 --skip-duplicates --skip-libs --use-slither
+            - name: Upload sheet
+              run: |
+                cd slitherin-benchmark/
+                echo $GOOGLE_JWT > service_account.json
+                python save_sheet.py -i mainnet.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln mainnet -sv "slitherin $slitherin_version"
+              env:
+                GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+                GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+            - name: 'Upload Artifact'
+              uses: actions/upload-artifact@v3
+              with:
+                name: mainnet
+                path: slitherin-benchmark/mainnet.csv
+    RunBenchmarkOZOld: 
+        runs-on: ubuntu-latest
+        env:
+          slitherin_version: 0.1.0
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+              with:
+                submodules: 'true'
+            - name: Set up Python
+              uses: actions/setup-python@v4
+              with:
+                python-version: '3.x'
+            - name: Set up Node
+              uses: actions/setup-node@v4
+              with:
+                node-version: '18.x'
+            - name: Update pip
+              run: python -m pip install --upgrade pip
+            - name: Install solc-select
+              run: python -m pip install solc-select
+            - name: Install Slither
+              run: python -m pip install slither-analyzer
+            - name: Install Setuptools
+              run: python -m pip install setuptools
+            - name: Install Slitherin
+              run: python -m pip install slitherin==$slitherin_version
+            - name: Configure
+              run: |
+                cd slitherin-benchmark/
+                mv example.config.py config.py
+            - name: Install node dependencies
+              run: npm ci
+            - name: Install benchmark requirements
+              run: |
+                cd slitherin-benchmark/
+                python -m pip install -r requirements.txt
+            - name: Run Benchmark
+              run: |
+                cd slitherin-benchmark/
+                python runner.py -i contracts/openzeppelin -o oz.csv -eo oz_extra.csv --use-slither
+            - name: Upload sheet
+              run: |
+                cd slitherin-benchmark/
+                echo $GOOGLE_JWT > service_account.json
+                ls
+                python save_sheet.py -i oz.csv -sa service_account.json -si $GOOGLE_SHEET_ID -ln OZ -sv "slitherin $slitherin_version"
+              env:
+                GOOGLE_JWT : ${{secrets.SERVICE_ACCOUNT}}
+                GOOGLE_SHEET_ID : ${{ secrets.GOOGLE_SHEET_ID }}
+            - name: 'Upload Artifact'
+              uses: actions/upload-artifact@v3
+              with:
+                name: oz
+                path: slitherin-benchmark/oz.csv
+            - name: 'Upload Artifact'
+              uses: actions/upload-artifact@v3
+              with:
+                name: oz_extra
+                path: slitherin-benchmark/oz_extra.csv
+

README.md

@@ -1,4 +1,4 @@
-#  Slitherin by Pessimistic.io
+# Slitherin by Pessimistic.io
 
 [![Blog](https://img.shields.io/badge/Blog-Link-blue?style=flat-square&logo=appveyor?logo=data:https://pessimistic.io/favicon.ico)](https://blog.pessimistic.io/)
 [![Our Website](https://img.shields.io/badge/By-pessimistic.io-green?style=flat-square&logo=appveyor?logo=data:https://pessimistic.io/favicon.ico)](https://pessimistic.io/)
@@ -99,6 +99,7 @@ Slitherin detectors are included into original Slither after the installation. Y
 | [Arbitrary Call](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/arbitrary_call/arbitrary_call.py)                        | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/arbitrary_call.md)                 | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/arbitrary_call_test.sol)                                                         | 0                                                                                                                |
 | [Elliptic Curve Recover](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/ecrecover.py)                        | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/ecrecover.md)                 | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/ecrecover.sol)                                                         | 0                                                                                                                |
 | [Public vs External](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/public_vs_external.py)                        | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/public_vs_external.md)                 | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/public_vs_external_test.sol)                                                         | 0                                                                                                                |
+| [Balancer Read-only Reentrancy](https://github.com/pessimistic-io/slitherin/blob/master/slitherin/detectors/balancer/balancer_readonly_reentrancy.py)                        | [Explore](https://github.com/pessimistic-io/slitherin/blob/master/docs/balancer/readonly_reentrancy.md)                 | [Test](https://github.com/pessimistic-io/slitherin/blob/master/tests/balancer/readonly_reentrancy_test.sol)                                                         | 0                                                                                                                |
 
 **Please note:**
 

docs/arb_chainlink_price_feed.md

@@ -0,0 +1,18 @@
+# Arbitrum chainlink sequencer uptime
+## Configuration
+
+- Check: `pess-arb-chainlink-price-feed`
+- Severity: `Medium`
+- Confidence: `Medium`
+
+## Description
+
+Sequencer uptime status should be checked. For details: [chainlink docs](https://docs.chain.link/data-feeds/l2-sequencer-feeds)
+
+## Vulnerable Scenario
+
+[test scenarios](../tests/arbitrum_chainlink_pricefeed_test.sol)
+
+## Recommendation
+
+Verify, sequencer uptmie

docs/balancer/readonly_reentrancy.md

@@ -0,0 +1,24 @@
+# Balancer Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-balancer-readonly-reentrancy`
+- Severity: `High`
+- Confidence: `Medium`
+
+## Description
+
+Highlights the use of Balancer getter functions `getRate` and `getPoolTokens` (which are not checked for readonly reentrancy via `VaultReentrancyLib.ensureNotInVaultContext` or `IVault.manageUserBalance`), which return values that theoretically could be manipulated during the execution.
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/balancer/readonly_reentrancy_test.sol)
+
+## Related Attacks
+
+- [Sentimentxyz Exploit](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)
+- [Sturdy Exploit](https://blog.solidityscan.com/sturdy-finance-hack-analysis-bd8605cd2956)
+
+## Recommendation
+
+- [Official Balancer recomendation](https://docs.balancer.fi/concepts/advanced/valuing-bpt/valuing-bpt.html#on-chain-price-evaluation)

docs/curve_readonly_reentrancy.md

@@ -0,0 +1,24 @@
+# Curve Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-curve-readonly-reentrancy`
+- Severity: `High`
+- Confidence: `Medium`
+
+## Description
+
+Highlights the use of Curve getter functions `get_virtual_price` and `lp_price` (which are not checked for readonly reentrancy `withdraw_admin_fee`), which return values that theoretically could be manipulated during the execution. Details: [Curve LP Oracle Manipulation](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/curve_readonly_reentrancy_test.sol)
+
+## Related Attacks
+
+- [Jarvis Exploit](https://www.google.com/url?q=https://blog.solidityscan.com/jarvis-polygon-pool-hack-analysis-read-only-re-entrancy-af0607e4585a&sa=D&source=editors&ust=1709713964156907&usg=AOvVaw1Oess2f9Z_UCD6vLM2hN26)
+- [Market.xyz Exploit](https://quillaudits.medium.com/decoding-220k-read-only-reentrancy-exploit-quillaudits-30871d728ad5)
+
+## Recomendations
+
+- Verify by calling `withdraw_admin_fee` and checking for fail of call

docs/curve_vyper_reentrancy.md

@@ -0,0 +1,26 @@
+# Curve Readonly Reentrancy
+
+## Configuration
+
+- Check: `pess-curve-vyper-reentrancy`
+- Severity: `High`
+- Confidence: `High`
+
+## Description
+
+Finds if the code is compiled with vulnerable Vyper compiler version and contains non-reentrant modifiers. 
+Details:
+- [Curve exploit postmortem](https://hackmd.io/@LlamaRisk/BJzSKHNjn)
+- [Postmortem from Vyper team](https://hackmd.io/@vyperlang/HJUgNMhs2)
+
+## Vulnerable Scenario
+
+[test scenarios](../../tests/vyper/curve_vyper_reentrancy_test.vy)
+
+## Related Attacks
+
+- [Vyper compiler exploits](https://www.halborn.com/blog/post/explained-the-vyper-bug-hack-july-2023)
+
+## Recomendations
+
+- Upgrade the version of your Vyper compiler.

docs/nft_approve_warning.md

@@ -6,7 +6,7 @@
 * Confidence: `Low`
 
 ## Description
-The detector sees if a contract contains `erc721.[safe]TransferFrom(from, ...)` where `from` parameter is not related to `msg.sender`.
+The detector sees if a contract contains `erc721.[safe]TransferFrom(from, ...)` or `erc1155.safe[Batch]TransferFrom(from, ...)` where `from` parameter is not related to `msg.sender`.
 An attacker can steal any approved NFTs because `transferFrom` function does NOT check that the call is made by its owner. 
 
 ## Vulnerable Scenario
@@ -17,4 +17,4 @@ An attacker can steal any approved NFTs because `transferFrom` function does NOT
 [Unauthorized transfer_from Vulnerability](https://ventral.digital/posts/2022/8/18/sznsdaos-bountyboard-unauthorized-transferfrom-vulnerability)
 
 ## Recommendation
-Make sure that in `erc721.[safe]TransferFrom(from, ...)` functions `from` parameter is related to `msg.sender`.
+Make sure that in `erc721.[safe]TransferFrom(from, ...)` and `erc1155.safe[Batch]TransferFrom(from, ...)` functions `from` parameter is related to `msg.sender`.

docs/price_manipulation.md

@@ -0,0 +1,15 @@
+# Price Manipulation through token transfers
+
+## Configuration
+* Check: `pess-price-manipulation`
+* Severity: `High`
+* Confidence: `Low`
+
+## Description
+The detector finds calculations that depend on the balance and supply of some token. Such calculations could be manipulated through direct transfers to the contract, increasing its balance.
+
+## Vulnerable Scenario
+[test scenario](../tests/price_manipulation_test.sol)
+
+## Recommendation
+Avoid possible manipulations of calculations because of external transfers.

package.json

@@ -1,5 +1,8 @@
 {
   "dependencies": {
-    "@openzeppelin/contracts": "^4.9.3"
+    "@openzeppelin/contracts": "^4.9.3",
+    "@balancer-labs/v2-interfaces": "^0.4.0",
+    "@balancer-labs/v2-pool-utils": "^4.0.0"
+
   }
 }