feat(lint): impl erc20 transfer check using HIR (#11552)

Author: 0xrusowsky

crates/lint/src/sol/high/mod.rs

@@ -9,5 +9,5 @@ use unchecked_calls::{ERC20_UNCHECKED_TRANSFER, UNCHECKED_CALL};
 register_lints!(
     (IncorrectShift, early, (INCORRECT_SHIFT)),
     (UncheckedCall, early, (UNCHECKED_CALL)),
-    (UncheckedTransferERC20, early, (ERC20_UNCHECKED_TRANSFER))
+    (UncheckedTransferERC20, late, (ERC20_UNCHECKED_TRANSFER))
 );

crates/lint/src/sol/high/unchecked_calls.rs

@@ -1,11 +1,12 @@
 use super::{UncheckedCall, UncheckedTransferERC20};
 use crate::{
-    linter::{EarlyLintPass, LintContext},
+    linter::{EarlyLintPass, LateLintPass, LintContext},
     sol::{Severity, SolLint},
 };
 use solar::{
     ast::{Expr, ExprKind, ItemFunction, Stmt, StmtKind, visit::Visit},
     interface::kw,
+    sema::hir::{self},
 };
 use std::ops::ControlFlow;
 
@@ -25,55 +26,91 @@ declare_forge_lint!(
 
 // -- ERC20 UNCKECKED TRANSFERS -------------------------------------------------------------------
 
-/// WARN: can issue false positives. It does not check that the contract being called is an ERC20.
-/// TODO: re-implement using `LateLintPass` so that it can't issue false positives.
-impl<'ast> EarlyLintPass<'ast> for UncheckedTransferERC20 {
-    fn check_item_function(&mut self, ctx: &LintContext, func: &'ast ItemFunction<'ast>) {
-        if let Some(body) = &func.body {
-            let mut checker = UncheckedTransferERC20Checker { ctx };
-            let _ = checker.visit_block(body);
-        }
-    }
-}
-
-/// Visitor that detects unchecked ERC20 transfer calls within function bodies.
+/// Checks that calls to functions with the same signature as the ERC20 transfer methods, and which
+/// return a boolean are not ignored.
 ///
-/// Unchecked transfers appear as standalone expression statements.
-/// When a transfer's return value is used (in require, assignment, etc.), it's part
-/// of a larger expression and won't be flagged.
-struct UncheckedTransferERC20Checker<'a, 's> {
-    ctx: &'a LintContext<'s, 'a>,
-}
-
-impl<'ast> Visit<'ast> for UncheckedTransferERC20Checker<'_, '_> {
-    type BreakValue = ();
-
-    fn visit_stmt(&mut self, stmt: &'ast Stmt<'ast>) -> ControlFlow<Self::BreakValue> {
+/// WARN: can issue false positives, as it doesn't check that the contract being called sticks to
+/// the full ERC20 specification.
+impl<'hir> LateLintPass<'hir> for UncheckedTransferERC20 {
+    fn check_stmt(
+        &mut self,
+        ctx: &LintContext,
+        hir: &'hir hir::Hir<'hir>,
+        stmt: &'hir hir::Stmt<'hir>,
+    ) {
         // Only expression statements can contain unchecked transfers.
-        if let StmtKind::Expr(expr) = &stmt.kind
-            && is_erc20_transfer_call(expr)
+        if let hir::StmtKind::Expr(expr) = &stmt.kind
+            && is_erc20_transfer_call(hir, expr)
         {
-            self.ctx.emit(&ERC20_UNCHECKED_TRANSFER, expr.span);
+            ctx.emit(&ERC20_UNCHECKED_TRANSFER, expr.span);
         }
-        self.walk_stmt(stmt)
     }
 }
 
 /// Checks if an expression is an ERC20 `transfer` or `transferFrom` call.
-/// `function ERC20.transfer(to, amount)`
-/// `function ERC20.transferFrom(from, to, amount)`
+/// * `function transfer(address to, uint256 amount) external returns bool;`
+/// * `function transferFrom(address from, address to, uint256 amount) external returns bool;`
 ///
-/// Validates both the method name and argument count to avoid false positives
-/// from other functions that happen to be named "transfer".
-fn is_erc20_transfer_call(expr: &Expr<'_>) -> bool {
-    if let ExprKind::Call(call_expr, args) = &expr.kind {
-        // Must be a member access pattern: `token.transfer(...)`
-        if let ExprKind::Member(_, member) = &call_expr.kind {
-            return (args.len() == 2 && member.as_str() == "transfer")
-                || (args.len() == 3 && member.as_str() == "transferFrom");
+/// Validates the method name, the params (count + types), and the returns (count + types).
+fn is_erc20_transfer_call(hir: &hir::Hir<'_>, expr: &hir::Expr<'_>) -> bool {
+    let is_type = |var_id: hir::VariableId, type_str: &str| {
+        matches!(
+            &hir.variable(var_id).ty.kind,
+            hir::TypeKind::Elementary(ty) if ty.to_abi_str() == type_str
+        )
+    };
+
+    // Ensure the expression is a call to a contract member function.
+    let hir::ExprKind::Call(
+        hir::Expr { kind: hir::ExprKind::Member(contract_expr, func_ident), .. },
+        hir::CallArgs { kind: hir::CallArgsKind::Unnamed(args), .. },
+        ..,
+    ) = &expr.kind
+    else {
+        return false;
+    };
+
+    // Determine the expected ERC20 signature from the call
+    let (expected_params, expected_returns): (&[&str], &[&str]) = match func_ident.as_str() {
+        "transferFrom" if args.len() == 3 => (&["address", "address", "uint256"], &["bool"]),
+        "transfer" if args.len() == 2 => (&["address", "uint256"], &["bool"]),
+        _ => return false,
+    };
+
+    let Some(cid) = (match &contract_expr.kind {
+        // Call to pre-instantiated contract variable
+        hir::ExprKind::Ident([hir::Res::Item(hir::ItemId::Variable(id)), ..]) => {
+            if let hir::TypeKind::Custom(hir::ItemId::Contract(cid)) = hir.variable(*id).ty.kind {
+                Some(cid)
+            } else {
+                None
+            }
         }
-    }
-    false
+        // Call to address wrapped by the contract interface
+        hir::ExprKind::Call(
+            hir::Expr {
+                kind: hir::ExprKind::Ident([hir::Res::Item(hir::ItemId::Contract(cid))]),
+                ..
+            },
+            ..,
+        ) => Some(*cid),
+        _ => None,
+    }) else {
+        return false;
+    };
+
+    // Try to find a function in the contract that matches the expected signature.
+    hir.contract_item_ids(cid).any(|item| {
+        let Some(fid) = item.as_function() else { return false };
+        let func = hir.function(fid);
+        func.name.is_some_and(|name| name.as_str() == func_ident.as_str())
+            && func.kind.is_function()
+            && func.mutates_state()
+            && func.parameters.len() == expected_params.len()
+            && func.returns.len() == expected_returns.len()
+            && func.parameters.iter().zip(expected_params).all(|(id, &ty)| is_type(*id, ty))
+            && func.returns.iter().zip(expected_returns).all(|(id, &ty)| is_type(*id, ty))
+    })
 }
 
 // -- UNCKECKED LOW-LEVEL CALLS -------------------------------------------------------------------

crates/lint/testdata/UncheckedTransferERC20.sol

@@ -7,34 +7,50 @@ interface IERC20 {
     function approve(address spender, uint256 amount) external returns (bool);
 }
 
+interface IERC20Wrapper {
+    function transfer(address to, uint256 amount) external;
+    function transferFrom(address from, address to, uint256 amount) external;
+}
+
 contract UncheckedTransfer {
     IERC20 public token;
+    IERC20Wrapper public tokenWrapper;
     mapping(address => uint256) public balances;
 
     constructor(address _token) {
         token = IERC20(_token);
+        tokenWrapper = IERC20Wrapper(_token);
     }
 
     // SHOULD FAIL: Unchecked transfer calls
     function uncheckedTransfer(address to, uint256 amount) public {
+        IERC20(address(token)).transfer(to, amount); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
         token.transfer(to, amount); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
     }
 
     function uncheckedTransferFrom(address from, address to, uint256 amount) public {
+        IERC20(address(token)).transferFrom(from, to, amount); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
         token.transferFrom(from, to, amount); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
     }
 
-    function multipleUnchecked(address to, uint256 amount) public {
-        token.transfer(to, amount / 2); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
-        token.transfer(to, amount / 2); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
-    }
-
     function uncheckedInLoop(address[] memory recipients, uint256[] memory amounts) public {
         for (uint i = 0; i < recipients.length; i++) {
+            IERC20(address(token)).transfer(recipients[i], amounts[i]); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
             token.transfer(recipients[i], amounts[i]); //~WARN: ERC20 'transfer' and 'transferFrom' calls should check the return value
         }
     }
 
+    // SHOULD PASS: Function with same params but NO boolean return
+    function proxyCheckedTransfer(address to, uint256 amount) public {
+        IERC20Wrapper(address(token)).transfer(to, amount);
+        tokenWrapper.transfer(to, amount);
+    }
+
+    function proxyCheckedTransferFrom(address from, address to, uint256 amount) public {
+        IERC20Wrapper(address(token)).transferFrom(from, to, amount);
+        tokenWrapper.transferFrom(from, to, amount);
+    }
+
     // SHOULD PASS: Properly checked transfer calls
     function checkedTransferWithRequire(address to, uint256 amount) public {
         require(token.transfer(to, amount), "Transfer failed");
@@ -63,6 +79,8 @@ contract UncheckedTransfer {
     function checkedTransferInExpression(address to, uint256 amount) public {
         if (token.transfer(to, amount)) {
             balances[to] += amount;
+        } else {
+            revert("Transfer failed");
         }
     }
 
@@ -73,8 +91,38 @@ contract UncheckedTransfer {
         );
     }
 
-    // Edge case: approve is not a transfer function, should not be flagged
     function uncheckedApprove(address spender, uint256 amount) public {
         token.approve(spender, amount);
     }
 }
+
+library Currency {
+    function transfer(Currency currency, address to, uint256 amount) internal {
+        // transfer and check output internally
+    }
+    function transferFrom(Currency currency, address from, address to, uint256 amount) internal {
+        // transfer and check output internally
+    }
+}
+
+contract UncheckedTransferUsingCurrencyLib {
+    using Currency for address;
+
+    Currency public token;
+    mapping(address => uint256) public balances;
+
+    constructor(Currency _token) {
+        token = _token;
+    }
+
+    // SHOULD PASS: Function with same params but NO boolean return
+    function currencyTransfer(address to, uint256 amount) public {
+        token.transfer(to, amount);
+        token.transfer(to, amount);
+    }
+
+    function currencyTransferFrom(address from, address to, uint256 amount) public {
+        token.transferFrom(from, to, amount);
+        token.transferFrom(from, to, amount);
+    }
+}

crates/lint/testdata/UncheckedTransferERC20.stderr

@@ -1,39 +1,47 @@
 warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
   --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
    |
-20 |         token.transfer(to, amount);
+27 |         IERC20(address(token)).transfer(to, amount);
+   |         -------------------------------------------
+   |
+   = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer
+
+warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
+  --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
+   |
+28 |         token.transfer(to, amount);
    |         --------------------------
    |
    = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer
 
 warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
   --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
    |
-24 |         token.transferFrom(from, to, amount);
-   |         ------------------------------------
+32 | ...   IERC20(address(token)).transferFrom(from, to, amount);
+   |       -----------------------------------------------------
    |
    = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer
 
 warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
   --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
    |
-28 |         token.transfer(to, amount / 2);
-   |         ------------------------------
+33 |         token.transferFrom(from, to, amount);
+   |         ------------------------------------
    |
    = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer
 
 warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
   --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
    |
-29 |         token.transfer(to, amount / 2);
-   |         ------------------------------
+38 | ...   IERC20(address(token)).transfer(recipients[i], amounts[i]);
+   |       ----------------------------------------------------------
    |
    = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer
 
 warning[erc20-unchecked-transfer]: ERC20 'transfer' and 'transferFrom' calls should check the return value
   --> ROOT/testdata/UncheckedTransferERC20.sol:LL:CC
    |
-34 |             token.transfer(recipients[i], amounts[i]);
+39 |             token.transfer(recipients[i], amounts[i]);
    |             -----------------------------------------
    |
    = help: https://book.getfoundry.sh/reference/forge/forge-lint#erc20-unchecked-transfer