Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add detectors for incorrect use of Oracle API #2289

Open
wants to merge 102 commits into
base: dev
Choose a base branch
from
Open

Add detectors for incorrect use of Oracle API #2289

wants to merge 102 commits into from

Conversation

talfao
Copy link

@talfao talfao commented Feb 4, 2024
edited by coderabbitai bot
Loading

I am creating this pull request based on the following issue: #2283.

The code here presents basic foundations for detecting improper usage of Oracle API's. So far, the detector supports just Chainlink, but I plan to add other providers such as Tellor or Chronicle.

The PR contains three detectors:
oracle-data-validation - Staleness price, check for price != 0
deprecated-chainlink-call - Check if the smart contract uses deprecated chainlink API functions
oracle-sequencer - Recommendation to the user to check the liveness of sequence if planning to use chainlink oracle on L2.

The checks that indicate improper data validation, such as staleness price, are still under development. I will improve these checks and overall detection in the following weeks.

The reason behind this PR is to get feedback for the approach I have chosen to detect an oracle and if the checks for data validation make sense from your side.

I have one question: Should support for other oracles and improvements of checks be included in different pull requests, or should I add it to this one?

Talfao

Summary by CodeRabbit

  • New Features

    • Updated version of the actions/setup-node action in the workflow file.
    • Updated Solidity compiler version selection logic in the Dockerfile.
    • Enhanced installation instructions for Slither in the README.md.
    • Added new detectors for identifying deprecated Chainlink calls, oracle vulnerabilities, and sequencer checks.
    • Introduced new classes and functions for managing oracle contracts and variables.
    • Included additional support files for oracle validation and detection.

  • Tests

    • Expanded test coverage for OracleDataCheck and DeprecatedChainlinkCall detectors using various Solidity files.

@talfao
Oracle module
78c3ea2
@talfao
Before mapping
6c3da7c
@talfao
Change the approach
86d7dd3
@talfao
Change the approach
9f8f9ab
@talfao
Return just not checked vars
e8a8758
@talfao
Creating check for updated at - not finished
aadbd58
@talfao
Add some documentation
ed029ed
@talfao
add checking of internal calls
33b1c1f
@talfao
Added basics of navive approach and now try to divide the files
398f067
@talfao
Divided to two files and started with naive_check
bbe73f9
@talfao
Reoder values based on the nodes mapping and check_price
6fded76
@talfao
Add text output for price and timestamp
72eda7f
@talfao
Improve checks part for price
e964ba3
@talfao
Naive check work, however i need to find a way how to represent not e…
e98f03e 
…xisting values
@talfao
Slot0 simple check
c1532d0
@talfao
Before experimenting with unused impl detector
509ebaf
@talfao
Found used order
3f77626
@talfao
Finding indexes of returned vars in oracle
876860d
@talfao
Naive check should always work
5260262
@talfao
Change output from detector of data validiy
ec5c69f
@talfao
Add revert check
c250443
@talfao
Fix an issue if variable is not constant in price
227b0f7
@talfao
Correct revert check
b4c9b26
@talfao
Rechange the output for mitigating duplicates of arrays
f584e6d
@talfao
Simple detection of sequencer
5d79f48
@talfao
Solved ordering of writing to vars
b9ffe01
@talfao
Add handler if the node is not var
57df560
@talfao
First testing
d45d144
@talfao
Some changes to test
8a26717
@talfao
Comment roundID for now
9eecd91
@talfao
Copy link
Author

talfao commented Mar 18, 2024

Hello people,

From my side, the PR is ready for review. The checks were improved, and the code was also tested on several contracts to improve overall detection and variations of Oracle usage.

So far, the detection is supporting just Chainlink. The capabilities of detection of other providers can be extended in the future 😃

I am looking forward to hearing your feedback.
Talfao

coderabbitai[bot]
coderabbitai bot reviewed Apr 26, 2024
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 10

slither/detectors/oracles/supported_oracles/chainlink_oracle.py Outdated Show resolved Hide resolved
slither/detectors/oracles/supported_oracles/chainlink_oracle.py Outdated Show resolved Hide resolved
...tors/snapshots/detectors__detector_OracleDataCheck_0_8_20_oracle_timestamp_in_var_sol__0.txt Show resolved Hide resolved
...snapshots/detectors__detector_OracleDataCheck_0_8_20_oracle_check_out_of_function_sol__0.txt Show resolved Hide resolved
...snapshots/detectors__detector_OracleDataCheck_0_8_20_oracle_check_out_of_function_sol__0.txt Show resolved Hide resolved
tests/e2e/detectors/test_data/oracle-data-validation/0.8.20/oracle_timestamp_in_var.sol Outdated Show resolved Hide resolved
tests/e2e/detectors/test_data/oracle-data-validation/0.8.20/oracle_check_out_of_function.sol Show resolved Hide resolved
...detectors/test_data/oracle-data-validation/0.8.20/oracle_data_check_price_in_internal_fc.sol Show resolved Hide resolved
slither/detectors/oracles/deprecated_chainlink_calls.py Outdated Show resolved Hide resolved
slither/detectors/oracles/supported_oracles/oracle.py Outdated Show resolved Hide resolved
coderabbitai[bot]
coderabbitai bot reviewed Apr 26, 2024
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Out of diff range and nitpick comments (1)
slither/detectors/oracles/supported_oracles/chainlink_oracle.py (1)

27-113: Class ChainlinkOracle is well-structured. Consider adding more comments to complex methods to improve readability and maintainability.

...rs/test_data/oracle-data-validation/0.8.20/oracle_data_check_price_in_double_internal_fc.sol Show resolved Hide resolved
...rs/test_data/oracle-data-validation/0.8.20/oracle_data_check_price_in_double_internal_fc.sol Show resolved Hide resolved
slither/detectors/oracles/supported_oracles/chainlink_oracle.py Outdated Show resolved Hide resolved
This was referenced Apr 27, 2024
Closed
Open
@montyly montyly self-assigned this Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@elopez elopez Awaiting requested review from elopez

@montyly montyly Awaiting requested review from montyly montyly is a code owner

@0xalpharush 0xalpharush Awaiting requested review from 0xalpharush

@smonicas smonicas Awaiting requested review from smonicas smonicas is a code owner

Assignees

@montyly montyly

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@talfao @CLAassistant @montyly