sentri-cli 0.3.0

Sentri: multi-chain smart contract security analyzer with static analysis, invariant checking, and vulnerability detection for Solana, EVM, and Move programs.
module 0xCAFE::vulnerable_token {
    use std::signer;
    use std::error;

    const EINSUFFICIENT_BALANCE: u64 = 0;

    struct Token has key {
        amount: u64,
    }

    // VULNERABILITY 1: Resource leak - move_from without binding
    public fun destroy_account(addr: address) acquires Token {
        let token = move_from<Token>(addr);
        // Resource dropped without handling - leaked!
        _ = token;
    }

    // VULNERABILITY 2: Missing ability checks on move
    public fun transfer(from: &signer, to: address, amount: u64) acquires Token {
        let from_addr = signer::address_of(from);
        let token = borrow_global_mut<Token>(from_addr);
        
        // VULNERABILITY 4: Unchecked arithmetic - potential underflow
        token.amount = token.amount - amount;
        
        // VULNERABILITY 3: Move to without signer verification of recipient
        let new_token = Token { amount };
        move_to(from, new_token); // Should require recipient signer
    }

    // VULNERABILITY 5: Unguarded state mutation
    public fun unchecked_modify(addr: address) acquires Token {
        let token = borrow_global_mut<Token>(addr);
        token.amount = token.amount * 2; // No validation!
    }

    // VULNERABILITY 6: Privilege escalation
    public fun extract_address(signer_ref: &signer): address {
        let addr = signer::address_of(signer_ref);
        // Then use this address without proper verification
        addr
    }

    // VULNERABILITY 7: Unsafe abort
    public fun validate_amount(amount: u64) {
        if (amount == 0) {
            abort 100; // Error code without reason
        }
    }

    public fun initialize(account: &signer) {
        let token_store = Token { amount: 0 };
        move_to(account, token_store);
    }
}