Consensys / vscode-solidity-auditor

Solidity language support and visual security auditor for Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor
GNU General Public License v3.0

Enhancement: include external calls for contracts gotten through getters in graph #126

Open jubeira opened 1 year ago

jubeira commented 1 year ago

I'll illustrate the case with a code sample:

interface IVault {
  function doSomething() external;
}

contract Pool {
  // Solidity declares the type first, then visibility and mutability
  IVault private immutable _vault;

  constructor(IVault vault) {
    _vault = vault;
  }

  // Public getter that hands out the typed reference
  function getVault() public view returns (IVault) {
    return _vault;
  }

  // External call made on the value returned by the getter
  function doSomethingInVault() external {
    getVault().doSomething();
  }
}

In this example, a Pool contract holds an immutable reference to a Vault contract, which has a known interface. When calling doSomethingInVault, the pool gets its internal reference through the public getter, and executes an external call.

When generating the graph, however, the parser shows that doSomethingInVault calls getVault (which is correct), but it does not parse the external call to IVault#doSomething (i.e. it shows doSomethingInVault --> getVault).

The proposal would be to include the external call as well. In this case, it would be doSomethingInVault --> getVault --> doSomething.

PS: thanks for sharing this tool; it's pretty cool and useful!
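
The resolution step the proposal asks for, shown as an added example that is not part of the issue, the extension or surya: the interface behind `getVault().doSomething()` is recovered from the getter's declared return type, so the external edge can be emitted next to the internal one. The AST shape, the `targetType` and `callEdges` helpers and the extra `doSomethingDirect` case (a call straight on the state variable) are assumptions made for this illustration; surya's real parser output looks different.

```javascript
// Hand-constructed, simplified AST for the Pool contract from the issue.
// Assumption: this shape is illustrative only and not surya's data model.
const poolAst = {
  name: "Pool",
  stateVars: { _vault: "IVault" },
  functions: {
    getVault: { returnType: "IVault", calls: [] },
    doSomethingInVault: {
      returnType: null,
      // getVault().doSomething(): a member call on the result of a getter
      calls: [{ member: "doSomething", target: { call: "getVault" } }],
    },
    // Beyond the issue's case: the same call made directly on the state variable
    doSomethingDirect: {
      returnType: null,
      calls: [{ member: "doSomething", target: { identifier: "_vault" } }],
    },
  },
};

// Static type of a call target: the getter's declared return type, or the
// state variable's declared type. Returns null when it cannot be resolved.
function targetType(contract, target) {
  if (target.call !== undefined) {
    const fn = contract.functions[target.call];
    return fn ? fn.returnType : null;
  }
  if (target.identifier !== undefined) {
    return contract.stateVars[target.identifier] ?? null;
  }
  return null;
}

// Call-graph edges: the internal getter edge the tool already reports, plus
// the external edge to the interface method that the issue asks to include.
function callEdges(contract) {
  const edges = [];
  for (const [fnName, fn] of Object.entries(contract.functions)) {
    for (const c of fn.calls) {
      if (c.target.call !== undefined) {
        edges.push({ from: fnName, to: c.target.call, external: false });
      }
      const type = targetType(contract, c.target);
      // Unresolved types stay visible in the graph instead of being dropped
      edges.push({ from: fnName, to: `${type ?? "<unknown>"}.${c.member}`, external: true });
    }
  }
  return edges;
}
```

The external edge is attributed to the function that actually performs the call (doSomethingInVault), with the getter edge kept alongside it, which is what an auditor tracing trust boundaries needs.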

tintinweb commented 8 months ago

hi @jubeira, please file this with https://github.com/Consensys/surya/ which is the underlying lib that generates call traces - and link to this issue. thanks!