Custom lint for 'Instance' storage misuse

tooling/sanctifier-cli/src/commands/analyze.rs

@@ -1013,6 +1013,12 @@ impl AnalysisCache {
                     cache.path = path;
                     return cache;
                 }
+
+                let mut inst = analyzer.scan_instance_storage_risks(&content);
+                for i in &mut inst {
+                    i.snippet = format!("{}:{}: {}", file_name, i.line, i.snippet);
+                }
+                instance_storage_risks.extend(inst);
             }
         }
         Self {

tooling/sanctifier-cli/tests/cli_tests.rs

@@ -54,6 +54,9 @@ fn test_analyze_vulnerable_contract() {
         .stdout(predicates::str::contains("Found explicit Panics/Unwraps!"))
         .stdout(predicates::str::contains(
             "Found unchecked Arithmetic Operations!",
+        ))
+        .stdout(predicates::str::contains(
+            "Instance storage may be hosting large / per-user data!",
         ));
 }
 
@@ -77,6 +80,42 @@ fn test_analyze_json_output() {
     assert.stdout(predicates::str::starts_with("{"));
 }
 
+#[test]
+fn test_analyze_instance_storage_large_data() {
+    let mut cmd = Command::cargo_bin("sanctifier").unwrap();
+    let fixture_path = env::current_dir()
+        .unwrap()
+        .join("tests/fixtures/instance_storage_contract.rs");
+
+    cmd.arg("analyze")
+        .arg(fixture_path)
+        .env_remove("RUST_LOG")
+        .assert()
+        .success()
+        .stdout(predicates::str::contains(
+            "Instance storage may be hosting large / per-user data!",
+        ));
+}
+
+#[test]
+fn test_analyze_instance_storage_json_output() {
+    let mut cmd = Command::cargo_bin("sanctifier").unwrap();
+    let fixture_path = env::current_dir()
+        .unwrap()
+        .join("tests/fixtures/instance_storage_contract.rs");
+
+    let assert = cmd
+        .arg("analyze")
+        .arg(fixture_path)
+        .arg("--format")
+        .arg("json")
+        .env_remove("RUST_LOG")
+        .assert()
+        .success();
+
+    assert.stdout(predicates::str::contains("instance_storage_risks"));
+}
+
 #[test]
 fn test_analyze_empty_macro_heavy() {
     let mut cmd = Command::cargo_bin("sanctifier").unwrap();

tooling/sanctifier-cli/tests/fixtures/instance_storage_contract.rs

@@ -0,0 +1,30 @@
+#![no_std]
+use soroban_sdk::{contract, contractimpl, Env, Address, Map, String, symbol_short};
+
+#[contract]
+pub struct InstanceStorageContract;
+
+#[contractimpl]
+impl InstanceStorageContract {
+    /// BAD: stores a per-user map in instance storage — balloons the single ledger entry.
+    pub fn store_user_profiles(env: Env) {
+        let profiles: Map<Address, String> = Map::new(&env);
+        env.storage()
+            .instance()
+            .set(&symbol_short!("profiles"), &profiles);
+    }
+
+    /// BAD: key name suggests per-user data.
+    pub fn store_user_data(env: Env, data: String) {
+        env.storage()
+            .instance()
+            .set(&symbol_short!("user_data"), &data);
+    }
+
+    /// GOOD: small scalar config value — should not be flagged.
+    pub fn set_admin(env: Env, admin: Address) {
+        env.storage()
+            .instance()
+            .set(&symbol_short!("ADMIN"), &admin);
+    }
+}

tooling/sanctifier-cli/tests/fixtures/vulnerable_contract.rs

@@ -1,5 +1,5 @@
 #![no_std]
-use soroban_sdk::{contract, contractimpl, Env, Address, String};
+use soroban_sdk::{contract, contractimpl, Env, Address, Map, String, symbol_short};
 
 #[contract]
 pub struct VulnerableContract;
@@ -16,4 +16,12 @@ impl VulnerableContract {
         }
         a + b // Unchecked arithmetic
     }
+
+    /// BAD: large per-user map stored in instance storage.
+    pub fn store_user_profiles(env: Env) {
+        let profiles: Map<Address, String> = Map::new(&env);
+        env.storage()
+            .instance()
+            .set(&symbol_short!("profiles"), &profiles);
+    }
 }

tooling/sanctifier-core/src/lib.rs

@@ -1347,6 +1347,11 @@ impl Analyzer {
         with_panic_guard(|| self.scan_unhandled_results_impl(source))
     }
 
+    /// Heuristic: `instance().set` with map/vec/string/profile-like payloads (see SEP/Soroban storage guidance).
+    pub fn scan_instance_storage_risks(&self, source: &str) -> Vec<InstanceStorageRisk> {
+        with_panic_guard(|| crate::rules::instance_storage::scan_instance_storage_risks(source))
+    }
+
     fn scan_unhandled_results_impl(&self, source: &str) -> Vec<UnhandledResultIssue> {
         let file = match parse_str::<File>(source) {
             Ok(f) => f,
@@ -3216,6 +3221,7 @@ impl MyContract {
         let registry = RuleRegistry::default();
         let rules = registry.available_rules();
         assert!(rules.contains(&"auth_gap"));
+        assert!(rules.contains(&"instance_storage_large_data"));
         assert!(rules.contains(&"ledger_size"));
         assert!(rules.contains(&"panic_detection"));
         assert!(rules.contains(&"arithmetic_overflow"));