feat(lint): add delegatecall-loop lint (#14752)

Co-authored-by: Matthias Seitz <matthias.seitz@outlook.de>

Author: 0xKarl98

crates/lint/README.md

@@ -25,6 +25,7 @@ It helps enforce best practices and improve code quality within Foundry projects
   - `unused-return`: Return value of an external call is not used.
 - **Low Severity:**
   - `block-timestamp`: Warns when `block.timestamp` is used in a comparison, as it may be manipulated by validators.
+  - `delegatecall-loop`: Payable functions should not use `delegatecall` inside a loop.
   - `missing-zero-check`: Address parameter is used in a state write or value transfer without a zero-address check.
 - **Informational / Style Guide:**
   - `boolean-equal`: Boolean comparisons to constants should be simplified.

crates/lint/docs/delegatecall-loop.md

@@ -0,0 +1,48 @@
+# Delegatecall inside payable loop
+
+**Severity**: `Low`
+**ID**: `delegatecall-loop`
+
+Flags `delegatecall` operations inside loops in externally callable payable functions.
+
+## What it does
+
+Reports `delegatecall` expressions that appear in the body of a `for`, `while`, or `do while`
+loop when the enclosing function is `public payable` or `external payable`.
+
+## Why is this bad?
+
+`delegatecall` executes another contract's code in the caller's storage context and preserves
+the original `msg.sender` and `msg.value`. In a payable function, a loop can therefore expose the
+same `msg.value` to multiple delegatecalls even though Ether was only transferred once.
+
+If the delegated code accounts for `msg.value`, one transaction can credit the same payment
+multiple times or repeatedly mutate the caller's storage in unexpected ways.
+
+## Example
+
+### Bad
+
+```solidity
+function batch(address[] calldata receivers) external payable {
+    for (uint256 i; i < receivers.length; ++i) {
+        address(this).delegatecall(abi.encodeWithSignature("credit(address)", receivers[i]));
+    }
+}
+```
+
+### Good
+
+```solidity
+function batch(address[] calldata receivers) external payable {
+    uint256 share = msg.value / receivers.length;
+    for (uint256 i; i < receivers.length; ++i) {
+        _credit(receivers[i], share);
+    }
+}
+```
+
+## Notes
+
+Review each occurrence manually. If `delegatecall` is required, ensure delegated code cannot
+reuse `msg.value` or unexpectedly modify caller storage across loop iterations.

crates/lint/src/linter/late.rs

@@ -1,4 +1,7 @@
-use solar::{interface::data_structures::Never, sema::hir};
+use solar::{
+    interface::data_structures::Never,
+    sema::{Gcx, hir},
+};
 use std::ops::ControlFlow;
 
 use super::LintContext;
@@ -62,6 +65,15 @@ pub trait LateLintPass<'hir>: Send + Sync {
         _func: &'hir hir::Function<'hir>,
     ) {
     }
+    fn check_function_with_gcx(
+        &mut self,
+        ctx: &LintContext,
+        _gcx: Gcx<'hir>,
+        hir: &'hir hir::Hir<'hir>,
+        func: &'hir hir::Function<'hir>,
+    ) {
+        self.check_function(ctx, hir, func);
+    }
     fn check_modifier(
         &mut self,
         _ctx: &LintContext,
@@ -110,6 +122,7 @@ pub trait LateLintPass<'hir>: Send + Sync {
 pub struct LateLintVisitor<'a, 's, 'hir> {
     ctx: &'a LintContext<'s, 'a>,
     passes: &'a mut [Box<dyn LateLintPass<'hir> + 's>],
+    gcx: Gcx<'hir>,
     hir: &'hir hir::Hir<'hir>,
 }
 
@@ -120,9 +133,10 @@ where
     pub fn new(
         ctx: &'a LintContext<'s, 'a>,
         passes: &'a mut [Box<dyn LateLintPass<'hir> + 's>],
+        gcx: Gcx<'hir>,
         hir: &'hir hir::Hir<'hir>,
     ) -> Self {
-        Self { ctx, passes, hir }
+        Self { ctx, passes, gcx, hir }
     }
 }
 
@@ -183,7 +197,7 @@ where
 
     fn visit_function(&mut self, func: &'hir hir::Function<'hir>) -> ControlFlow<Self::BreakValue> {
         for pass in self.passes.iter_mut() {
-            pass.check_function(self.ctx, self.hir, func);
+            pass.check_function_with_gcx(self.ctx, self.gcx, self.hir, func);
         }
         self.walk_function(func)
     }
@@ -389,7 +403,7 @@ mod tests {
                 );
                 let mut passes: Vec<Box<dyn LateLintPass<'_>>> =
                     vec![Box::new(RecordingPass { counts: counts.clone() })];
-                let mut visitor = LateLintVisitor::new(&ctx, &mut passes, &gcx.hir);
+                let mut visitor = LateLintVisitor::new(&ctx, &mut passes, gcx, &gcx.hir);
                 let _ = hir::Visit::visit_nested_source(&mut visitor, source_id);
                 Ok(())
             })