crytic / slither

Static Analyzer for Solidity and Vyper
https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/
GNU Affero General Public License v3.0

how to detect the callee of a function #2590

Open alexanderhawl opened 1 month ago

alexanderhawl commented 1 month ago

I want to know how to detect a callee in a function. For example:

// SPDX-License-Identifier: GPL-3.0
// Docgen-SOLC: 0.8.25

pragma solidity ^0.8.25;

interface IERC20 {
    function transfer(address to, uint amount) external returns (bool);
}

contract Test {
    mapping(address => mapping(address => uint256)) public claimableAssets;

    function claimWithdrawal(address asset, address receiver) external {
        uint256 amount = claimableAssets[asset][receiver];
        // State is updated before the external call (checks-effects-interactions).
        claimableAssets[asset][receiver] = 0;

        // The callee address `asset` is supplied by the caller; the bool returned
        // by transfer is not checked here.
        IERC20(asset).transfer(receiver, amount);
    }
}

There is a transfer function in claimWithdrawal, but the callee 'asset' is controlled by the user, so how can I get the callee (asset) by using Slither?

smonicas commented 1 month ago

I'm not sure I understand what you mean by "to get the callee (asset)". As you said, the asset is user controlled and Slither is a static analysis tool, so we don't know the actual value the user will use. However, you can know that the destination of the high-level call is the asset argument by looking at SlithIR, which is Slither's intermediate representation. To see what it looks like, run Slither with --print slithir; the IR for that operation is a HighLevelCall and the destination will have the asset variable. You can also know if a variable is user controlled by using the is_tainted function.

alexanderhawl commented 1 month ago

I tried the destination, but the return value is TMP_0, not the asset argument.

smonicas commented 1 month ago

What do you want to do precisely? To know if it can be controlled by the user, you can use the is_tainted function with just ir.destination and it would work. For example, see how it's done in the controlled delegatecall detector,