decurity / semgrep-smart-contracts Goto Github PK

View Code? Open in Web Editor NEW

621.0 621.0 83.0 436 KB

Semgrep rules for smart contracts based on DeFi exploits

License: Other

Solidity 99.45% Makefile 0.01% Rust 0.54%

defi ethereum security semgrep solidity

semgrep-smart-contracts's People

Contributors

Stargazers

Watchers

Forkers

alexpro401 timb-machine-mirrors forkoooor pinkperfect drdarbin bixia tommalvoriddle alkia woods1060 contractforme sbwengineer subconscious-navigator cache-and-burn eth-hacker eukadish bbenzikry pedrobergamini yanrising hax0rg1rl fpgaq monst3rsec 0xcryptoshark yunsoul pynchmeister arbazkiraak gejeduck chriscczhou pauliusdotpro bpam1021 re13orn crazy-abc dutchcyberguy jgaleotti mohammedbenhelli sh4m2hwz cyberok-org pi3ch mirageiii thaddeus19 yzkee ethsecurity1 abhishekthak344 chimera-defi 0xmikko paulatsydney passkeyra shanzson hackmogador nikitastupin nick199910 vnavascues xlk3099 websecresearch web3in1pro web3secresearch trillion-fi 0x0918 noorahsmith crat1st0s stamp9 lcfr-eth sentry0x winomot web3secresearch tinotendajoe01 fangbing0565 zhwanwancn setland34 bluenights004 princeleonal minwoogramer zeeshansultan owade kuwatakushi xiaoxianboy okx amrayoub orangesantra

semgrep-smart-contracts's Issues

Could you make a release?

Hi,

We are using your rules for scientific work and need to perhaps refer to release version of the rules. Could you please create a release so that we can refer to?

Additional references for potential inclusion

here is a catalog of contracts and their exploits with corresponding SWC entries: https://github.com/manifoldfinance/defi-threat/tree/2020/10/catalog

please let me know how to best contribute and also how to best cite your work.

cheers

inefficient-state-variable-increment / inefficient-state-variable-decrement

Why is there no inefficient-state-variable-decrement to detect the decrement case, similar to the inefficient-state-variable-increment case?

Fix: arbitrary-low-level-call matching workarounds

Great repo. I've been learning semgrep with your examples and believe I've found a workaround to incorporate arbitrary-low-level-calls without waiting for beta improvements to solidity semgrep.

The fixes include:

Defining types for metavariables inside function declarations
Adding pattern-either patterns to include curly braces for call

rules:
 -
    id: arbitrary-low-level-call
    message: An attacker may perform call() to an arbitrary address with controlled calldata
    metadata:
        references:
        - https://twitter.com/CertiKAlert/status/1512198846343954445
        - https://twitter.com/SlowMist_Team/status/1508787862791069700
        - https://twitter.com/Beosin_com/status/1509099103401127942
        - https://blocksecteam.medium.com/li-fi-attack-a-cross-chain-bridge-vulnerability-no-its-due-to-unchecked-external-call-c31e7dadf60f
        - https://etherscan.io/address/0xe7597f774fd0a15a617894dc39d45a28b97afa4f # Auctus Options
        - https://etherscan.io/address/0x73a499e043b03fc047189ab1ba72eb595ff1fc8e # Li.Fi
        category: controlled-call
        tags:
        - auctus-options
        - starstream-finance
        - basket-dao
        - li-finance
    patterns:
    - pattern-either:
        - pattern-inside: |
            function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) external { ... }
        - pattern-inside: |
            function $F(..., address $ADDR, ..., bytes calldata $DATA, ...) public { ... }
    - pattern-either:
        - pattern: $ADDR.call($DATA);
        - pattern: $ADDR.call{$VALUE:...}($DATA);
        - pattern: $ADDR.call{$VALUE:..., $GAS:...}($DATA);
    languages: 
    - solidity
    severity: ERROR

Four matching cases:

contract wxBTRFLY is FrozenToken {
    function execute(
        address to,
        uint256 value,
        bytes calldata data
    ) external returns (bool, bytes memory) {

        // ruleid: arbitrary-low-level-call
        (bool success, bytes memory result) = to.call{value: value}(data);

        // ruleid: arbitrary-low-level-call
        (bool success, bytes memory result) = to.call{gas: value}(data);

        // ruleid: arbitrary-low-level-call
        (bool success, bytes memory result) = to.call(data);

        // ruleid: arbitrary-low-level-call
        (bool success, bytes memory result) = to.call{value: value, gas: 0}(data);

        return (success, result);
    }
}

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.