Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CEI pattern static analysis (FuelLabs#3168)
CEI stands for "Checks, Effects, Interactions". We check no storage reads/writes (effects) occur after calling external contracts (interaction). See this [blog post](https://fravoll.github.io/solidity-patterns/checks_effects_interactions.html) and [this blogpost](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem) for more detail. TODOs: - [x] analyze libraries, scripts, and predicates (only contracts are analyzed at the moment) - [x] process assembly blocks - [x] what is the effects of the `__revert` intrinsic - [x] Treat nested code blocks - [x] more tests * [x] Tests using `storage.var = ...` * [x] Tests using `asm` blocks directly * [x] Tests using complex control flow * [x] Tests having multiple contract calls or multiple storage writes in various scenarios * [ ] Tests with nested code blocks (there is a very simple test, this needs more testing in a separate PR) - [x] check for storage reads after interaction * [x] Storage read intrinsics * [x] `StorageAccess` expressions * [x] `asm` blocks using `srw` or `srwq` * [x] `asm` blocks using [`bal`](https://github.com/FuelLabs/fuel-specs/blob/master/specs/vm/instruction_set.md#bal-balance-of-contract-id) because `bal` actually reads from storage - [x] ~~CLI option or attribute to control the warnings~~ (an internal discussion showed that we cannot do this at the moment, I guess this should be handled as a separate issue) - [ ] open an issue about unification of the currently existing storage annotation checks and effects inference in this PR close FuelLabs#10 Co-authored-by: Mohammad Fawaz <[email protected]>
- Loading branch information