feat: Add Function module to detect functions returning msg.sender directly or via alias #2753
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The following Solidity contract was used for local testing of the // SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract TestMsgSender {
address public owner;
constructor() {
owner = msg.sender;
}
// ✅ Should be detected
function directSender() internal view returns (address) {
return msg.sender;
}
// ✅ Should be detected
function aliasSender() internal view returns (address) {
address a = msg.sender;
return a;
}
// ✅ Should be detected
function multiAliasSender() internal view returns (address) {
address a = msg.sender;
address b = a;
address c = b;
return c;
}
// ✅ Should be detected
function reassignSender() internal view returns (address) {
address a = msg.sender;
address b = a;
a = b;
return a;
}
// ✅ Should be detected
function _getSender() internal view returns (address) {
return msg.sender;
}
// ❌ Should NOT be detected (msg.sender conversions)
function conversionSender() internal view returns (address) {
address a = msg.sender;
address b = address(uint160(uint256(uint160(a))));
return b;
}
// ❌ Should NOT be detected (nested internal call)
function returnsViaInternal() internal view returns (address) {
return _getSender();
}
// ❌ Should NOT be detected (returns unrelated var)
function unrelatedReturn() internal view returns (address) {
address a = owner;
return a;
}
// ❌ Should NOT be detected (does not return msg.sender)
function notMsgSender() internal view returns (address) {
return address(this);
}
// ❌ Should NOT be detected (does not return address)
function notAddress() internal view returns (uint256) {
address a = msg.sender;
return 7;
}
}Test Codefrom slither.slither import Slither
sl = Slither('test_msgsender.sol')
contract = sl.contracts[0]
for func in contract.functions:
print(f'{func.canonical_name} : {func.is_returning_msg_sender()}' )Output |
sidarth16
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces a new method
is_returning_msg_sender()in theFunctionclass, enabling detection of Solidity functions that returnmsg.sender, either directly or through variable aliasing.Motivation
In many smart contract patterns,
msg.senderis returned through internal functions, often after assignment to local variables or via wrapper functions like_msgSender(). Detecting such patterns is crucial for accurate static analysis—particularly when assessing function protection or authorization flows.This utility provides foundational support for enhancing other modules involving
msg.sender(in future PRs ).What’s Covered
The newly added method
Function.is_returning_msg_sender()returnsTrueif:msg.sendermsg.senderExamples:
What's not Covered
msg.sender:Support for such recursive or wrapper logic will be addressed in a future update.
Closes #2755