Merge pull request #2580 from crytic/dev-pyth-deprecated-functions

Add Pyth deprecated functions detector
crytic · Oct 10, 2024 · 3caad58 · 3caad58
2 parents 8190a48 + 25f6e46
commit 3caad58
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 0 deletions.
diff --git a/slither/detectors/all_detectors.py b/slither/detectors/all_detectors.py
@@ -97,6 +97,7 @@
 from .statements.tautological_compare import TautologicalCompare
 from .statements.return_bomb import ReturnBomb
 from .functions.out_of_order_retryable import OutOfOrderRetryable
+from .functions.pyth_deprecated_functions import PythDeprecatedFunctions
 from .functions.optimism_deprecation import OptimismDeprecation
 
 # from .statements.unused_import import UnusedImport
diff --git a/slither/detectors/functions/pyth_deprecated_functions.py b/slither/detectors/functions/pyth_deprecated_functions.py
@@ -0,0 +1,73 @@
+from typing import List
+
+from slither.detectors.abstract_detector import (
+    AbstractDetector,
+    DetectorClassification,
+    DETECTOR_INFO,
+)
+from slither.utils.output import Output
+
+
+class PythDeprecatedFunctions(AbstractDetector):
+    """
+    Documentation: This detector finds deprecated Pyth function calls
+    """
+
+    ARGUMENT = "pyth-deprecated-functions"
+    HELP = "Detect Pyth deprecated functions"
+    IMPACT = DetectorClassification.MEDIUM
+    CONFIDENCE = DetectorClassification.HIGH
+
+    WIKI = "https://github.com/crytic/slither/wiki/Detector-Documentation#pyth-deprecated-functions"
+    WIKI_TITLE = "Pyth deprecated functions"
+    WIKI_DESCRIPTION = "Detect when a Pyth deprecated function is used"
+    WIKI_RECOMMENDATION = (
+        "Do not use deprecated Pyth functions. Visit https://api-reference.pyth.network/."
+    )
+
+    WIKI_EXPLOIT_SCENARIO = """
+```solidity
+import "@pythnetwork/pyth-sdk-solidity/IPyth.sol";
+import "@pythnetwork/pyth-sdk-solidity/PythStructs.sol";
+
+contract C {
+
+    IPyth pyth;
+    
+    constructor(IPyth _pyth) {
+        pyth = _pyth;
+    }
+    
+    function A(bytes32 priceId) public {
+        PythStructs.Price memory price = pyth.getPrice(priceId);
+        ...
+    }
+}    
+```
+The function `A` uses the deprecated `getPrice` Pyth function. 
+"""
+
+    def _detect(self):
+        DEPRECATED_PYTH_FUNCTIONS = [
+            "getValidTimePeriod",
+            "getEmaPrice",
+            "getPrice",
+        ]
+        results: List[Output] = []
+
+        for contract in self.compilation_unit.contracts_derived:
+            for target_contract, ir in contract.all_high_level_calls:
+                if (
+                    target_contract.name == "IPyth"
+                    and ir.function_name in DEPRECATED_PYTH_FUNCTIONS
+                ):
+                    info: DETECTOR_INFO = [
+                        "The following Pyth deprecated function is used\n\t- ",
+                        ir.node,
+                        "\n",
+                    ]
+
+                    res = self.generate_result(info)
+                    results.append(res)
+
+        return results
diff --git a/...s/detectors__detector_PythDeprecatedFunctions_0_8_20_pyth_deprecated_functions_sol__0.txt b/...s/detectors__detector_PythDeprecatedFunctions_0_8_20_pyth_deprecated_functions_sol__0.txt
@@ -0,0 +1,3 @@
+The following Pyth deprecated function is used
+	- price = pyth.getPrice(priceId) (tests/e2e/detectors/test_data/pyth-deprecated-functions/0.8.20/pyth_deprecated_functions.sol#23)
+
diff --git a/tests/e2e/detectors/test_data/pyth-deprecated-functions/0.8.20/pyth_deprecated_functions.sol b/tests/e2e/detectors/test_data/pyth-deprecated-functions/0.8.20/pyth_deprecated_functions.sol
@@ -0,0 +1,35 @@
+
+// Fake Pyth interface
+interface IPyth {
+    function getPrice(bytes32 id) external returns (uint256 price);
+    function notDeprecated(bytes32 id) external returns (uint256 price);
+}
+
+interface INotPyth {
+    function getPrice(bytes32 id) external returns (uint256 price);
+}
+
+contract C {
+
+    IPyth pyth;
+    INotPyth notPyth;
+
+    constructor(IPyth _pyth, INotPyth _notPyth) {
+        pyth = _pyth;
+        notPyth = _notPyth;
+    }
+
+    function Deprecated(bytes32 priceId) public {
+        uint256 price = pyth.getPrice(priceId);
+    }
+
+    function notDeprecated(bytes32 priceId) public {
+        uint256 price = pyth.notDeprecated(priceId);
+    }
+
+    function notPythCall(bytes32 priceId) public {
+        uint256 price = notPyth.getPrice(priceId);
+    }
+
+
+}    
diff --git a/...ctors/test_data/pyth-deprecated-functions/0.8.20/pyth_deprecated_functions.sol-0.8.20.zip b/...ctors/test_data/pyth-deprecated-functions/0.8.20/pyth_deprecated_functions.sol-0.8.20.zip
diff --git a/tests/e2e/detectors/test_detectors.py b/tests/e2e/detectors/test_detectors.py
@@ -1714,6 +1714,11 @@ def id_test(test_item: Test):
         "out_of_order_retryable.sol",
         "0.8.20",
     ),
+    Test(
+        all_detectors.PythDeprecatedFunctions,
+        "pyth_deprecated_functions.sol",
+        "0.8.20",
+    ),
     Test(
         all_detectors.OptimismDeprecation,
         "optimism_deprecation.sol",