Merge pull request #173 from walterthesmart/feat/security-fixes

feat: implement Soroban analysis rules and update demo contract (#117…

Author: mijinummi

examples/soroban_demo_contract.rs

@@ -21,6 +21,7 @@ pub struct OptimizedContract {
     pub owner: Address,
     pub balance: u64,
     pub transaction_count: u32,
+    pub version: u32,                // ✅ Version tracking (#123)
 }
 
 #[contractimpl]
@@ -68,6 +69,29 @@ impl DemoTokenContract {
 
         format!("{}{}{}", report, total, admin_str)
     }
+
+    /// Claim airdrop - Issue #117: Missing expiration logic
+    pub fn claim_airdrop(&mut self, env: Env, user: Address) {
+        // ❌ No expiration check
+        let balance = self.balances.get(user.clone()).unwrap_or(0);
+        self.balances.set(user, balance + 100);
+    }
+    
+    /// Swap tokens - Issue #118: Vulnerable to front-running
+    pub fn swap_tokens(&mut self, env: Env, from: Address, to: Address, amount: u64) {
+        // ❌ No nonce, deadline, or min_amount check
+        let from_balance = self.balances.get(from.clone()).unwrap_or(0);
+        self.balances.set(from, from_balance - amount);
+        let to_balance = self.balances.get(to.clone()).unwrap_or(0);
+        self.balances.set(to, to_balance + (amount * 2)); // Mock swap
+    }
+    
+    /// Generate random ID - Issue #119: Insecure randomness
+    pub fn generate_random_id(&self, env: Env) -> u64 {
+        // ❌ Predictable randomness source
+        let timestamp = env.ledger().timestamp();
+        timestamp % 1000000
+    }
 }
 
 #[contractimpl]
@@ -82,11 +106,20 @@ impl OptimizedContract {
             owner,
             balance: initial_balance,
             transaction_count: 0,
+            version: 1, // Initialize version
         })
     }
 
+    
     /// Properly implemented transfer with error handling
-    pub fn transfer(&mut self, to: Address, amount: u64) -> Result<(), DemoError> {
+    pub fn transfer(&mut self, env: Env, to: Address, amount: u64, nonce: u64, deadline: u64) -> Result<(), DemoError> {
+        // ✅ Anti-Front-Running: Nonce and Deadline check (#118)
+        if env.ledger().timestamp() > deadline {
+            return Err(DemoError::TransactionExpired);
+        }
+        
+        // Nonce validation logic would go here...
+
         if amount == 0 {
             return Err(DemoError::InvalidAmount);
         }
@@ -102,10 +135,29 @@ impl OptimizedContract {
 
         Ok(())
     }
-    
-    /// Efficient getter
-    pub fn get_balance(&self) -> u64 {
-        self.balance
+
+    /// Secure claim with expiry - Issue #117
+    pub fn secure_claim(&mut self, env: Env, user: Address, deadline: u64) -> Result<(), DemoError> {
+        // ✅ Expiry enforced
+        if env.ledger().timestamp() > deadline {
+            return Err(DemoError::TransactionExpired);
+        }
+        
+        user.require_auth();
+        self.balance += 50;
+        
+        Ok(())
+    }
+
+    /// Secure randomness - Issue #119
+    pub fn get_secure_random(&self, env: Env) -> u64 {
+        // ✅ Using pseudo_random
+        env.pseudo_random().u64_in_range(0..100)
+    }
+
+    /// Version tracking - Issue #123
+    pub fn version(&self) -> u32 {
+        1 // v1
     }
 }
 
@@ -116,6 +168,7 @@ pub enum DemoError {
     InvalidAmount,
     InsufficientBalance,
     Unauthorized,
+    TransactionExpired,
 }
 
 #[cfg(test)]