From d5a1e5350eddc99b8c921031ff0fc870f6bfa70b Mon Sep 17 00:00:00 2001 From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Wed, 11 Sep 2024 09:28:27 -0300 Subject: [PATCH 1/8] Remove zero_address detector --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index dd872fe7..bf2e92ce 100644 --- a/README.md +++ b/README.md 
@@ -61,7 +61,6 @@ Currently Scout includes the following detectors. | [dos-unexpected-revert-with-vector](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/dos-unexpected-revert-with-vector) | DoS due to improper storage. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/dos-unexpected-revert-with-vector/dos-unexpected-revert-with-vector-1), [2](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/dos-unexpected-revert-with-vector/dos-unexpected-revert-with-vector-2) | Medium | | [unrestricted-transfer-from](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unrestricted-transfer-from) | Avoid passing an user-defined parameter as a `from` field in transfer-from. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unrestricted-transfer-from/unrestricted-transfer-from-1) | Critical | | [unsafe-map-get](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unsafe-map-get) | Inappropriate usage of the `get` method for `Map` in soroban | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unsafe-map-get/unsafe-map-get-1) | Medium | -| [zero-or-test-address](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/zero-or-test-address) | Avoid zero or test address assignment to prevent contract control loss. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/zero-or-test-address/zero-or-test-address-1) | Medium | | [incorrect-exponentation](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/incorrect-exponentiation) | Warns against incorrect usage of ´^´. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/incorrect-exponentiation/incorrect-exponentiation-1) | Critical | ## Output formats From 33f85e8eb840046e2a8b0d05756c400f5300373a Mon Sep 17 00:00:00 2001 
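Review bot: In PATCH 1/8 the subject says "Remove zero_address detector" but the row being deleted is `zero-or-test-address`; the commit message should use the detector's actual name so the change is findable in history, and a short reason for the removal (deprecated, merged into another detector, moved) would help, since the diff alone gives no hint.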
From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Wed, 11 Sep 2024 09:33:52 -0300 Subject: [PATCH 2/8] add token-interface-events detector --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index bf2e92ce..48526ac4 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ Currently Scout includes the following detectors. | [unrestricted-transfer-from](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unrestricted-transfer-from) | Avoid passing an user-defined parameter as a `from` field in transfer-from. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unrestricted-transfer-from/unrestricted-transfer-from-1) | Critical | | [unsafe-map-get](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unsafe-map-get) | Inappropriate usage of the `get` method for `Map` in soroban | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unsafe-map-get/unsafe-map-get-1) | Medium | | [incorrect-exponentation](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/incorrect-exponentiation) | Warns against incorrect usage of ´^´. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/incorrect-exponentiation/incorrect-exponentiation-1) | Critical | +| [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | ## Output formats From 43635a433e514d5810f7a56538844b93f55c4b88 Mon Sep 17 00:00:00 2001 From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Wed, 11 Sep 2024 09:56:13 -0300 Subject: [PATCH 3/8] add integer-overflow-or-underflow detector --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 48526ac4..7112d1fc 100644 --- a/README.md 
+++ b/README.md 
@@ -62,6 +62,7 @@ Currently Scout includes the following detectors. | [unrestricted-transfer-from](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unrestricted-transfer-from) | Avoid passing an user-defined parameter as a `from` field in transfer-from. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unrestricted-transfer-from/unrestricted-transfer-from-1) | Critical | | [unsafe-map-get](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unsafe-map-get) | Inappropriate usage of the `get` method for `Map` in soroban | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unsafe-map-get/unsafe-map-get-1) | Medium | | [incorrect-exponentation](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/incorrect-exponentiation) | Warns against incorrect usage of ´^´. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/incorrect-exponentiation/incorrect-exponentiation-1) | Critical | +| [integer-overflow-or-underflow](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/integer-overflow-or-underflow) | Warns if there’s any numerical overflow or underflow | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-1), [2](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-2), [3](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-3), [4](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-4), [5](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-5) | Critical | | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions 
does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | ## Output formats From 9caba041479df9ae96b63697ea74b045a8ea4572 Mon Sep 17 00:00:00 2001 From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Wed, 11 Sep 2024 10:12:02 -0300 Subject: [PATCH 4/8] add storage-change-events detector --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7112d1fc..db39f47a 100644 --- a/README.md +++ b/README.md 
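Review bot: In PATCH 3/8 the new `integer-overflow-or-underflow` row's description "Warns if there’s any numerical overflow or underflow" is the only one in the table without a terminating period and uses a curly apostrophe; suggest "Warns if there's any numerical overflow or underflow." to match the neighbouring rows.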
@@ -63,6 +63,7 @@ Currently Scout includes the following detectors. | [unsafe-map-get](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unsafe-map-get) | Inappropriate usage of the `get` method for `Map` in soroban | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unsafe-map-get/unsafe-map-get-1) | Medium | | [incorrect-exponentation](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/incorrect-exponentiation) | Warns against incorrect usage of ´^´. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/incorrect-exponentiation/incorrect-exponentiation-1) | Critical | | [integer-overflow-or-underflow](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/integer-overflow-or-underflow) | Warns if there’s any numerical overflow or underflow | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-1), [2](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-2), [3](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-3), [4](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-4), [5](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-5) | Critical | +| [storage-change-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if an event is not emitted when a change has occurred in the storage. 
| [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/storage-change-events/storage-change-events-1) | Minor | | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | ## Output formats From 63cbf4a1f7f791acb57bcd0164167fdb53a11d80 Mon Sep 17 00:00:00 2001 From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:24:31 -0300 Subject: [PATCH 5/8] add front-running detector --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index db39f47a..a3d5955e 100644 --- a/README.md +++ b/README.md 
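Review bot: In PATCH 4/8 the `storage-change-events` row links to the wrong detector directory: the first cell points at `tree/main/detectors/token-interface-events` while the test-case cell points at `test-cases/storage-change-events/storage-change-events-1`. The detector link should be `https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/storage-change-events`.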
@@ -65,6 +65,7 @@ Currently Scout includes the following detectors. | [integer-overflow-or-underflow](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/integer-overflow-or-underflow) | Warns if there’s any numerical overflow or underflow | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-1), [2](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-2), [3](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-3), [4](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-4), [5](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/integer-overflow-or-underflow/integer-overflow-or-underflow-5) | Critical | | [storage-change-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if an event is not emitted when a change has occurred in the storage. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/storage-change-events/storage-change-events-1) | Minor | | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | +[front-running](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/front-running) | Front-running attacks can be avoided by comparing the transfer amount with a minimum value. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/front-running/front-running-1) | Warning | ## Output formats From 9100104dfc9b6df2ab365276b997b215cebafe09 Mon Sep 17 00:00:00 2001 
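Review bot: In PATCH 5/8 the `front-running` row is missing the leading `|` that every other row in the table has, so it should start with `| [front-running](...)`. Two smaller points on the same line: the severity value `Warning` is not one of the values used elsewhere in this table (`Critical`, `Medium`, `Minor`), so confirm it is an intended category; and the description states a mitigation ("Front-running attacks can be avoided by...") rather than what the detector flags, unlike the other rows, which all start with "Warns ...". Something like "Warns when a transfer amount is not checked against a minimum value." would be consistent.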
From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:35:39 -0300 Subject: [PATCH 6/8] add token-interface-inference detector --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a3d5955e..96d66bf8 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,7 @@ Currently Scout includes the following detectors. | [storage-change-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if an event is not emitted when a change has occurred in the storage. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/storage-change-events/storage-change-events-1) | Minor | | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | [front-running](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/front-running) | Front-running attacks can be avoided by comparing the transfer amount with a minimum value. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/front-running/front-running-1) | Warning | +[token-interface-inference](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-inference) | Recommend using the trait `soroban_sdk::token::TokenInterface` if a token contract does not implement it. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-inference/token-interface-inference-1) | Best practices | ## Output formats From 19b26c798edd24f60935b164ad80948e168ff3ef Mon Sep 17 00:00:00 2001 
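Review bot: In PATCH 6/8 the `token-interface-inference` row is also missing the leading `|`, and "Recommend using the trait ..." should be "Recommends using the trait ..." to read like the other descriptions. The severity `Best practices` is a further new value not used by any other row in this table, so please confirm the severity column is meant to carry it.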
From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:42:00 -0300 Subject: [PATCH 7/8] add unnecessary-admin-parameter detector --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 96d66bf8..4acd0549 100644 --- a/README.md +++ b/README.md 
@@ -66,7 +66,8 @@ Currently Scout includes the following detectors. | [storage-change-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if an event is not emitted when a change has occurred in the storage. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/storage-change-events/storage-change-events-1) | Minor | | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | [front-running](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/front-running) | Front-running attacks can be avoided by comparing the transfer amount with a minimum value. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/front-running/front-running-1) | Warning | -[token-interface-inference](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-inference) | Recommend using the trait `soroban_sdk::token::TokenInterface` if a token contract does not implement it. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-inference/token-interface-inference-1) | Best practices | +[token-interface-inference](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-inference) | Recommend using the trait `soroban_sdk::token::TokenInterface` if a token contract does not implement it. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-inference/token-interface-inference-1) | Best practices | | +[unnecessary-admin-parameter](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unnecessary-admin-parameter) | Admin information should be retrieved from contract storage rather than passed as a parameter. 
| [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unnecessary-admin-parameter/unnecessary-admin-parameter-1) | Medium | ## Output formats From 9deb295f20d8bf9172682abd307336a6da07d263 Mon Sep 17 00:00:00 2001 From: tomasavola <108414862+tomasavola@users.noreply.github.com> Date: Thu, 12 Sep 2024 11:50:21 -0300 Subject: [PATCH 8/8] add dynamic-types-in-storage detector --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4acd0549..4b6b163c 100644 --- a/README.md +++ b/README.md 
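Review bot: In PATCH 7/8 the `-`/`+` pair for the existing `token-interface-inference` row changes nothing except appending `| |` after `Best practices`, which adds an empty trailing cell and looks accidental; that modification should be dropped so the commit only adds the row its subject names. The new `unnecessary-admin-parameter` row is likewise missing the leading `|`.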
@@ -67,7 +67,8 @@ Currently Scout includes the following detectors. | [token-interface-events](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-events) | Warns if any of the token functions does not emit an event. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-events/token-interface-events-1) | Medium | [front-running](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/front-running) | Front-running attacks can be avoided by comparing the transfer amount with a minimum value. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/front-running/front-running-1) | Warning | [token-interface-inference](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/token-interface-inference) | Recommend using the trait `soroban_sdk::token::TokenInterface` if a token contract does not implement it. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/token-interface-inference/token-interface-inference-1) | Best practices | | -[unnecessary-admin-parameter](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unnecessary-admin-parameter) | Admin information should be retrieved from contract storage rather than passed as a parameter. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unnecessary-admin-parameter/unnecessary-admin-parameter-1) | Medium | +[unnecessary-admin-parameter](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/unnecessary-admin-parameter) | Admin information should be retrieved from contract storage rather than passed as a parameter. | [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/unnecessary-admin-parameter/unnecessary-admin-parameter-1) | Medium || +[dynamic-types-in-storage](https://github.com/CoinFabrik/scout-soroban/tree/main/detectors/dynamic-instance-storage) | Warns against the usage of `storage().persistent()` with dynamic types. 
| [1](https://github.com/CoinFabrik/scout-soroban/tree/main/test-cases/dynamic-instance-storage/dynamic-instance-storage-1) | Critical | ## Output formats
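Review bot: In PATCH 8/8 the `-`/`+` pair for `unnecessary-admin-parameter` only turns `| Medium |` into `| Medium ||`, a stray pipe that should not be committed. The new row is internally inconsistent: its label is `dynamic-types-in-storage`, but both links point at `dynamic-instance-storage` (`detectors/dynamic-instance-storage` and `test-cases/dynamic-instance-storage/dynamic-instance-storage-1`), and the description mentions `storage().persistent()` while the path name says instance storage. Pick the detector's real name and make the label, both paths and the description agree; the row also lacks the leading `|`.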