feat(lint): feature parity with slither/aderyn

[0xrusowsky]

Missing Lint Detectors in forge lint

this checklist compares Slither and Aderyn detectors against forge lint and merges equivalent detectors into single items.

NOTE: some items are blocked until Solar outputs a CFG (control-flow graph), as they need data-flow analysis, taint tracking, or path-sensitive reasoning.

Implementable Today (only require AST or HIR)

High

• encode-packed-collision — abi.encodePacked with multiple dynamic types causes hash collisions
• msg-value-loop — msg.value reused inside a loop (double-spend)
• delegatecall-loop — Payable delegatecall inside a loop
• rtlo — Right-to-left-override Unicode character hiding malicious code
• incorrect-exp — ^ (xor) used instead of ** (exponentiation)
• yul-return — return in assembly/Yul halts entire EVM execution, not just the function (OSS-381)
• suicidal — Unprotected selfdestruct (no access-control modifier) (OSS-25)
• weak-prng — block.timestamp/blockhash used as randomness source
• shadowing-state — Child contract re-declares parent's state variable (OSS-18)
• controlled-array-length — Direct assignment to storage array .length (OSS-23)
• array-by-reference — Storage array modified via memory copy has no effect (OSS-16)
• function-selector-collision — Colliding 4-byte function selectors
• name-reused — Contract name reused across inheritance tree (OSS-35)
• enumerable-loop-removal — Removing items from EnumerableSet inside a loop using at + remove corrupts order

Medium

• tx-origin — tx.origin used for authorization
• mapping-deletion — delete on struct containing a mapping doesn't clear it
• tautological-compare — x >= x always true
• tautology — uint >= 0 always true, uint8 < 512 always true
• erc20-interface — ERC20 functions with wrong return types
• erc721-interface — ERC721 functions with wrong return types
• boolean-cst — if(false) or b || true — misused boolean constant
• domain-separator-collision — Function selector collides with EIP-2612 DOMAIN_SEPARATOR() (OSS-51)
• reused-constructor — Base constructor called with args from two inheritance paths
• ecrecover — Bare ecrecover without signature malleability check
• non-reentrant-not-first — nonReentrant modifier not listed first
• unsafe-oz-erc721-mint — _mint instead of _safeMint for ERC721
• out-of-order-retryable — Multiple L1→L2 retryable tickets depend on execution order (OSS-45)
• block-timestamp-deadline — block.timestamp used as swap/tx deadline (proposer can hold) (OSS-378)
• dangerous-unary-operator — x=+1 instead of x+=1

Low

• calls-loop — External calls inside unbounded loop (DoS risk)
• require-revert-in-loop — require/revert inside a loop (single failure reverts all)
• timestamp — Dangerous block.timestamp dependency
• shadowing-local — Local variable shadows state variable (OSS-57)
• shadowing-builtin — Variable shadows Solidity builtin (now, assert, etc.) (OSS-53)
• incorrect-modifier — Modifier doesn't always execute _ or revert
• void-cst — Calling empty parent constructor
• centralization-risk — Single-owner critical functions
• deprecated-oz-function — Deprecated OpenZeppelin function
• solmate-safe-transfer-lib — Solmate SafeTransferLib doesn't check contract existence
• empty-block — Empty function body
• empty-require-revert — require()/revert() with no error message
• multiple-placeholders — Modifier with multiple _ placeholders (OSS-381)

Info / Optimization

• constable-states — State variable never modified; should be constant
• immutable-states — State variable only set in constructor; should be immutable
• cache-array-length — Storage .length re-read every loop iteration
• var-read-using-this — this.x adds unnecessary STATICCALL overhead
• external-function — public function never called internally; use external
• unused-state — Unused state variable
• unused-error — Unused custom error definition
• boolean-equal — x == true instead of just x
• redundant-statements — Statement with no side effect (OSS-76)
• assert-state-change — State modification inside assert()
• too-many-digits — 10000000000000000000 instead of 10 ether
• literal-instead-of-constant — Magic numbers should be named constants
• deprecated-standards — throw, msg.gas, sha3(), suicide() (OSS-33)
• erc20-indexed — Transfer/Approval events missing indexed keyword (OSS-380)
• unindexed-event-address — Event has address params but none indexed
• function-init-state — State variable initialized via non-pure function call
• missing-inheritance — Contract implements interface functions but doesn't inherit it
• solc-version — Outdated or overly complex pragma (OSS-31)
• pragma — Different Solidity versions used across files
• cyclomatic-complexity — Function complexity exceeds threshold
• incorrect-using-for — using L for T where L has no functions taking T
• unimplemented-functions — Derived contract missing interface implementations (OSS-38)
• todo — TODO comments left in production code
• push-0-opcode — Use push0 opcode, available since solc 0.8.20
• inconsistent-type-names — Inconsistent type naming across codebase
• internal-function-used-once — Internal function used only once; inline it
• modifier-used-only-once — Modifier used only once; inline it

Require CFG

these detectors need control-flow graph, data-flow/taint analysis, or path-sensitive reasoning that cannot be done with AST pattern matching alone.

High

• reentrancy-eth — Reentrancy that drains ETH (state change after external call)
• reentrancy-no-eth — Reentrancy that manipulates state without ETH
• reentrancy-balance — Reentrancy exploiting address(this).balance check
• arbitrary-send-erc20 — Taint: attacker-controlled from in transferFrom
• arbitrary-send-erc20-permit — Taint: transferFrom + permit front-running
• arbitrary-send-eth — Taint: ETH sent to attacker-controlled destination
• unprotected-upgrade — No access control on initialize() across all paths
• controlled-delegatecall — Taint: user-controlled delegatecall target
• uninitialized-state — State variable used before initialization on some path
• uninitialized-storage — Storage pointer left uninitialized on some path (OSS-19)
• protected-vars — Protected variable accessed without required modifier

Medium

• locked-ether — Contract accepts ETH (payable) but has no withdrawal path
• incorrect-equality — Strict equality on address(this).balance (manipulable)
• unused-return — External call return value ignored
• write-after-write — Variable written twice without intermediate read
• uninitialized-local — Local variable used before assignment on some path
• costly-loop — SSTORE inside loop body

Low

• missing-zero-check — Parameter flows to state variable write without != address(0) check
• events-access — State change on access-control parameter without emitting event
• return-bomb — Callee can returnbomb caller via unlimited returndata copy
• variable-scope — Variable used before declaration is dominated (OSS-66)

Info / Optimization

• dead-code — Unreachable internal functions (call graph reachability) (OSS-32)
• reentrancy-benign — Benign reentrancy (double-call, no exploit) (OSS-59)
• reentrancy-events — Reentrancy manipulates event emission order
• reentrancy-unlimited-gas — Reentrancy via transfer/send with gas repricing risk

Additional context

ref: #11034 (comment)

[grandizzy]

Checked off the detectors already implemented on master (41 total, based on crates/lint/docs/*.md). A few are registered under different IDs in foundry, and a few are only partially covered — noting them here so the mapping is clear:

Checked, but registered under a different ID in foundry:

• tautology → type-based-tautology
• erc20-interface / erc721-interface → incorrect-erc20-interface / incorrect-erc721-interface
• timestamp → block-timestamp
• void-cst → redundant-base-constructor-call
• constable-states / immutable-states → could-be-constant / could-be-immutable
• unused-state → unused-state-variables
• unindexed-event-address → event-fields
• pragma → pragma-inconsistent
• unprotected-upgrade → unprotected-initializer
• incorrect-equality → incorrect-strict-equality
• events-access → missing-events-access-control

Left unchecked — only partially covered today:

• block-timestamp-deadline — block-timestamp flags block.timestamp comparisons generally, not deadline-specific usage
• empty-require-revert — custom-errors flags bare revert() for gas reasons, not specifically empty messages
• erc20-indexed — event-fields covers unindexed address params generally, not Transfer/Approval specifically
• incorrect-modifier is not covered by unwrapped-modifier-logic (that one is codesize-only)

Note: most of the "Require CFG" section is already implemented, so the Solar-CFG blocker appears largely resolved for those items.