feat: update slither to 0.10.1 (#31)

Resolves: ENG-1055. Related: crytic/slither#2344
DeepSourceCorp · Mar 6, 2024 · 13078d4 · 13078d4
1 parent 1d03eb9
commit 13078d4
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 6 deletions.
diff --git a/analyzers/slither/.deepsource/analyzer/analyzer.toml b/analyzers/slither/.deepsource/analyzer/analyzer.toml
@@ -3,5 +3,5 @@ category = "lang"
 name = "Slither"
 shortcode = "slither"
 status = "active"
-tool_latest_version = "0.10.0"
+tool_latest_version = "0.10.1"
 description = "Slither is a Solidity & Vyper static analysis framework developed by Crytic, a blockchain security group by Trail of Bits."
diff --git a/analyzers/slither/.deepsource/issues/SLITHER-W1023.toml b/analyzers/slither/.deepsource/issues/SLITHER-W1023.toml
@@ -31,5 +31,5 @@ The function will return 6 bytes starting from offset 5, instead of returning a
 Use the `leave` statement.
 
 ## Learn more
-[incorrect-return](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-assembly-return) on Slither's wiki.
+[incorrect-return](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly) on Slither's wiki.
 """
diff --git a/analyzers/slither/.deepsource/issues/SLITHER-W1026.toml b/analyzers/slither/.deepsource/issues/SLITHER-W1026.toml
@@ -26,5 +26,5 @@ The function will halt the execution, instead of returning a two uint.
 Use the `leave` statement.
 
 ## Learn more
-[return-leave](https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-assembly-return) on Slither's wiki.
+[return-leave](https://github.com/crytic/slither/wiki/Detector-Documentation#return-instead-of-leave-in-assembly) on Slither's wiki.
 """
diff --git a/analyzers/slither/.deepsource/issues/SLITHER-W1056.toml b/analyzers/slither/.deepsource/issues/SLITHER-W1056.toml
@@ -13,7 +13,7 @@ Detects the possible usage of a variable before the declaration is stepped over
 ```solidity
 contract C {
     function f(uint z) public returns (uint) {
-        uint y = x + 9 + z; // 'z' is used pre-declaration
+        uint y = x + 9 + z; // 'x' is used pre-declaration
         uint x = 7;
 
         if (z % 2 == 0) {

diff --git a/analyzers/slither/.deepsource/issues/SLITHER-W1093.toml b/analyzers/slither/.deepsource/issues/SLITHER-W1093.toml
@@ -0,0 +1,64 @@
+title = "Out-of-order retryable transactions"
+verbose_name = "out-of-order-retryable"
+severity = "major"
+category = "antipattern"
+weight = 60
+description = """
+Out-of-order retryable transactions
+
+<!--more-->
+
+## Exploit Scenario
+
+```solidity
+contract L1 {
+    function doStuffOnL2() external {
+        // Retryable A
+        IInbox(inbox).createRetryableTicket({
+            to: l2contract,
+            l2CallValue: 0,
+            maxSubmissionCost: maxSubmissionCost,
+            excessFeeRefundAddress: msg.sender,
+            callValueRefundAddress: msg.sender,
+            gasLimit: gasLimit,
+            maxFeePerGas: maxFeePerGas,
+            data: abi.encodeCall(l2contract.claim_rewards, ())
+        });
+        // Retryable B
+        IInbox(inbox).createRetryableTicket({
+            to: l2contract,
+            l2CallValue: 0,
+            maxSubmissionCost: maxSubmissionCost,
+            excessFeeRefundAddress: msg.sender,
+            callValueRefundAddress: msg.sender,
+            gasLimit: gas,
+            maxFeePerGas: maxFeePerGas,
+            data: abi.encodeCall(l2contract.unstake, ())
+        });
+    }
+}
+
+contract L2 {
+    function claim_rewards() public {
+        // rewards is computed based on balance and staking period
+        uint unclaimed_rewards = _compute_and_update_rewards();
+        token.safeTransfer(msg.sender, unclaimed_rewards);
+    }
+
+    // Call claim_rewards before unstaking, otherwise you lose your rewards
+    function unstake() public {
+        _free_rewards(); // clean up rewards related variables
+        balance = balance[msg.sender];
+        balance[msg.sender] = 0;
+        staked_token.safeTransfer(msg.sender, balance);
+    }
+}
+```
+Bob calls `doStuffOnL2` but the first retryable ticket calling `claim_rewards` fails. The second retryable ticket calling `unstake` is executed successfully. As a result, Bob loses his rewards.
+
+## Recommendation
+Do not rely on the order or successful execution of retryable tickets.
+
+## Learn more
+[out-of-order-retryable](https://github.com/crytic/slither/wiki/Detector-Documentation#out-of-order-retryable-transactions) on Slither's wiki.
+"""
diff --git a/analyzers/slither/utils/issue_map.json b/analyzers/slither/utils/issue_map.json
@@ -274,5 +274,8 @@
     },
     "4-0-var-read-using-this": {
         "issue_code": "SLITHER-W1092"
+    },
+    "1-1-out-of-order-retryable": {
+        "issue_code": "SLITHER-W1093"
     }
 }
diff --git a/analyzers/slither/utils/issue_map_gen.py b/analyzers/slither/utils/issue_map_gen.py
@@ -1,14 +1,14 @@
 import itertools
 import json
-from typing import Dict, Generator
+from typing import Dict, Iterator
 
 from constants import ISSUE_MAP_FILE, ISSUE_PREFIX
 from detectors import get_all_detector_json
 
 __all__ = ["get_issue_map", "generate_mapping"]
 
 
-def _get_next_code(mapping: Dict[str, Dict[str, str]]) -> Generator[int]:
+def _get_next_code(mapping: Dict[str, Dict[str, str]]) -> Iterator[int]:
     """Return the next available issue code."""
     num_issues = len(mapping.keys())  # get the number of issues already in the mapping
     next_code = 1001 + num_issues  # issue code series starts from `1001`