semgrep rules

.semgrepignore

@@ -0,0 +1,6 @@
+*/test/*
+*/script/*
+semgrep-rules/*
+PufToken.sol
+GuardianModule.sol
+EnclaveVerifier.sol

l2-contracts/src/L2RewardManager.sol

@@ -53,7 +53,7 @@ contract L2RewardManager is
      * @dev Restricted in this context is like the `whenNotPaused` modifier from Pausable.sol
      */
     function claimRewards(ClaimOrder[] calldata claimOrders) external restricted {
-        for (uint256 i = 0; i < claimOrders.length; i++) {
+        for (uint256 i = 0; i < claimOrders.length; ++i) {
             if (isClaimed(claimOrders[i].intervalId, claimOrders[i].account)) {
                 revert AlreadyClaimed(claimOrders[i].intervalId, claimOrders[i].account);
             }

mainnet-contracts/src/PufLocker.sol

@@ -95,8 +95,10 @@ contract PufLocker is IPufLocker, AccessManagedUpgradeable, UUPSUpgradeable, Puf
         uint128 totalAmount = 0;
         Deposit[] storage userDeposits = $.deposits[msg.sender][token];
 
+        // nosemgrep array-length-outside-loop
         for (uint256 i = 0; i < depositIndexes.length; ++i) {
             uint256 index = depositIndexes[i];
+            // nosemgrep array-length-outside-loop
             if (index >= userDeposits.length) {
                 revert InvalidDepositIndex();
             }
@@ -161,6 +163,7 @@ contract PufLocker is IPufLocker, AccessManagedUpgradeable, UUPSUpgradeable, Puf
         }
 
         uint256 end = start + limit > totalDeposits ? totalDeposits : start + limit;
+        // nosemgrep basic-arithmetic-underflow
         uint256 count = end - start;
 
         depositPage = new Deposit[](count);

mainnet-contracts/src/PufferDepositor.sol

@@ -65,6 +65,7 @@ contract PufferDepositor is IPufferDepositor, PufferDepositorStorage, AccessMana
         }
 
         // PUFFER_VAULT.deposit will revert if we get no stETH from this contract
+        // nosemgrep arbitrary-low-level-call
         (bool success, bytes memory returnData) = _1INCH_ROUTER.call{ value: msg.value }(callData);
         if (!success) {
             revert SwapFailed(address(tokenIn), amountIn);

mainnet-contracts/src/PufferDepositorV2.sol

@@ -43,6 +43,7 @@ contract PufferDepositorV2 is IPufferDepositorV2, PufferDepositorStorage, Access
     /**
      * @notice Returns the pufETH sent to this contract by mistake
      */
+    // nosemgrep tin-unprotected-initialize
     function initialize() public reinitializer(2) {
         // https://etherscan.io/token/0xd9a442856c234a39a81a089c06451ebaa4306a72?a=0x4aa799c5dfc01ee7d790e3bf1a7c2257ce1dceff
         // slither-disable-next-line unchecked-transfer

mainnet-contracts/src/PufferModule.sol

@@ -209,6 +209,7 @@ contract PufferModule is IPufferModule, Initializable, AccessManagedUpgradeable
         returns (bool success, bytes memory)
     {
         // slither-disable-next-line arbitrary-send-eth
+        // nosemgrep arbitrary-low-level-call
         return to.call{ value: amount }(data);
     }
 

mainnet-contracts/src/PufferModuleManager.sol

@@ -105,6 +105,7 @@ contract PufferModuleManager is IPufferModuleManager, AccessManagedUpgradeable,
         uint256 sharesWithdrawn;
 
         for (uint256 i = 0; i < withdrawals.length; ++i) {
+            // nosemgrep array-length-outside-loop
             for (uint256 j = 0; j < withdrawals[i].shares.length; ++j) {
                 sharesWithdrawn += withdrawals[i].shares[j];
             }

mainnet-contracts/src/PufferOracleV2.sol

@@ -66,6 +66,7 @@ contract PufferOracleV2 is IPufferOracleV2, AccessManaged {
      * @dev Restricted to PufferProtocol contract
      */
     function exitValidators(uint256 numberOfExits) public restricted {
+        // nosemgrep basic-arithmetic-underflow
         _numberOfActivePufferValidators -= numberOfExits;
         emit NumberOfActiveValidators(_numberOfActivePufferValidators);
     }

mainnet-contracts/src/PufferProtocol.sol

@@ -170,6 +170,7 @@ contract PufferProtocol is IPufferProtocol, AccessManagedUpgradeable, UUPSUpgrad
         }
 
         // Reverts if insufficient balance
+        // nosemgrep basic-arithmetic-underflow
         $.nodeOperatorInfo[msg.sender].vtBalance -= amount;
 
         // slither-disable-next-line unchecked-transfer
@@ -329,6 +330,7 @@ contract PufferProtocol is IPufferProtocol, AccessManagedUpgradeable, UUPSUpgrad
             burnAmounts.vt += vtBurnAmount;
 
             // Store the withdrawal amount for that node operator
+            // nosemgrep basic-arithmetic-underflow
             bondWithdrawals[i].pufETHAmount = (bondAmount - burnAmount);
 
             emit ValidatorExited({
@@ -342,6 +344,7 @@ contract PufferProtocol is IPufferProtocol, AccessManagedUpgradeable, UUPSUpgrad
             // Decrease the number of registered validators for that module
             _decreaseNumberOfRegisteredValidators($, validatorInfos[i].moduleName);
             // Storage VT and the active validator count update for the Node Operator
+            // nosemgrep basic-arithmetic-underflow
             $.nodeOperatorInfo[validator.node].vtBalance -= SafeCast.toUint96(vtBurnAmount);
             --$.nodeOperatorInfo[validator.node].activeValidatorCount;
 
@@ -401,6 +404,7 @@ contract PufferProtocol is IPufferProtocol, AccessManagedUpgradeable, UUPSUpgrad
         uint256 vtPenalty = $.vtPenalty;
         // Burn VT penalty amount from the Node Operator
         VALIDATOR_TICKET.burn(vtPenalty);
+        // nosemgrep basic-arithmetic-underflow
         $.nodeOperatorInfo[node].vtBalance -= SafeCast.toUint96(vtPenalty);
         --$.nodeOperatorInfo[node].pendingValidatorCount;
 

mainnet-contracts/src/PufferRevenueDepositor.sol

@@ -130,7 +130,7 @@ contract PufferRevenueDepositor is
         if (address(this).balance > 0) {
             WETH.deposit{ value: address(this).balance }();
         }
-
+        // nosemgrep tin-reentrant-dbl-diff-balance
         uint256 rewardsAmount = WETH.balanceOf(address(this));
 
         uint256 treasuryRewards = (rewardsAmount * $.treasuryRewardsBps) / _BASIS_POINT_SCALE;

mainnet-contracts/src/PufferVault.sol

@@ -242,6 +242,7 @@ contract PufferVault is
             revert InvalidWithdrawal();
         }
 
+        // nosemgrep basic-arithmetic-underflow
         $.eigenLayerPendingWithdrawalSharesAmount -= queuedWithdrawal.shares[0];
 
         _EIGEN_STRATEGY_MANAGER.completeQueuedWithdrawal({
@@ -274,6 +275,7 @@ contract PufferVault is
         SafeERC20.safeIncreaseAllowance(_ST_ETH, address(_LIDO_WITHDRAWAL_QUEUE), lockedAmount);
         requestIds = _LIDO_WITHDRAWAL_QUEUE.requestWithdrawals(amounts, address(this));
 
+        // nosemgrep array-length-outside-loop
         for (uint256 i = 0; i < requestIds.length; ++i) {
             $.lidoWithdrawals.add(requestIds[i]);
         }

mainnet-contracts/src/PufferVaultV2.sol

@@ -88,6 +88,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
     /**
      * @notice Changes underlying asset from stETH to WETH
      */
+    // nosemgrep tin-unprotected-initialize
     function initialize() public reinitializer(2) {
         // In this initialization, we swap out the underlying stETH with WETH
         ERC4626Storage storage erc4626Storage = _getERC4626StorageInternal();
@@ -299,6 +300,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
         SafeERC20.safeIncreaseAllowance(_ST_ETH, address(_LIDO_WITHDRAWAL_QUEUE), lockedAmount);
         requestIds = _LIDO_WITHDRAWAL_QUEUE.requestWithdrawals(amounts, address(this));
 
+        // nosemgrep array-length-outside-loop
         for (uint256 i = 0; i < requestIds.length; ++i) {
             $.lidoWithdrawalAmounts.set(requestIds[i], amounts[i]);
         }
@@ -333,6 +335,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
         uint256 balanceAfter = address(this).balance;
         uint256 actualWithdrawal = balanceAfter - balanceBefore;
         // Deduct from the locked amount the expected amount
+        // nosemgrep basic-arithmetic-underflow
         $.lidoLockedETH -= expectedWithdrawal;
 
         emit ClaimedWithdrawals(requestIds);
@@ -352,6 +355,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
         uint256 ethBalance = address(this).balance;
         if (ethBalance < ethAmount) {
             // Reverts if no WETH to unwrap
+            // nosemgrep basic-arithmetic-underflow
             _WETH.withdraw(ethAmount - ethBalance);
         }
 
@@ -456,6 +460,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
      */
     function previewRedeem(uint256 shares) public view virtual override returns (uint256) {
         uint256 assets = super.previewRedeem(shares);
+        // nosemgrep basic-arithmetic-underflow
         return assets - _feeOnTotal(assets, getExitFeeBasisPoints());
     }
 
@@ -524,6 +529,7 @@ contract PufferVaultV2 is PufferVault, IPufferVaultV2 {
             revert InvalidWithdrawal();
         }
 
+        // nosemgrep
         $.eigenLayerPendingWithdrawalSharesAmount -= queuedWithdrawal.shares[0];
 
         _DELEGATION_MANAGER.completeQueuedWithdrawal({

mainnet-contracts/src/PufferVaultV3.sol

@@ -118,6 +118,7 @@ contract PufferVaultV3 is PufferVaultV2, IPufferVaultV3 {
         VaultStorage storage $ = _getPufferVaultStorage();
 
         uint256 previousMintAmount = $.totalRewardMintAmount;
+        // nosemgrep basic-arithmetic-underflow
         uint256 newMintAmount = previousMintAmount - ethAmount;
         $.totalRewardMintAmount = newMintAmount;
 

mainnet-contracts/src/PufferWithdrawalManager.sol

@@ -248,6 +248,7 @@ contract PufferWithdrawalManager is
                 expectedETHAmount: expectedETHAmount
             });
 
+            // nosemgrep basic-arithmetic-underflow
             uint256 diff = transferAmount - batch.amountClaimed;
             totalExcessETH += diff;
 
@@ -256,6 +257,7 @@ contract PufferWithdrawalManager is
         }
 
         if (totalExcessETH > 0) {
+            // nosemgrep arbitrary-low-level-call
             (bool success,) = address(PUFFER_VAULT).call{ value: totalExcessETH }("");
             require(success, TransferFailed());