feat(Foundry): Updated constants usage

[fusmanii]

With the new constants JSON file from #1105, need to update its usage in deploy scripts

[fusmanii]

Most of the changes in this file is just updating the JSON keys to uppercase

[pxrl]

Nice - this is going to be really useful. I have a couple of broader comments but I like the direction this is going.

[pxrl]

Only tangentially related to this change, but I feel like we should be reading the spoke chain ID from the environment and then using it to resolve all the correct addresses. With that approach I think we we remove a barrier to consolidating a lot of scripts. wdyt?

(This approach worked well for the OP Adapter deployment script here)

[fusmanii]

Thats good idea, I was thinking of using this strategy in the spokepool consolidation pr, wanted to get some initial feedback on the direction first before I put any more effort

[pxrl]

Yeah I left some comments on that one; we have an unresolved question about the exact strategy to take, but in general it's unavoiable that we consolidate these contracts & scripts so I'm fully in favour of frontloading as much of that as possible, including setting SPOKE_CHAIN_ID in the env and auto-configuring everything based on that.

[pxrl]

Testnet chain IDs are identified separately via TESTNET_CHAIN_IDs in constants. Could we check for chainId inclusion in that mapping instead of enumerating these here separately?

[fusmanii]

done 45a034a

[pxrl]

Given that this is generated, wdyt about storing it separately from code? i.e. under an artefacts directory or something?

[fusmanii]

My concern with this is that the file can get out of date. From what I can tell, foundry doesn't have a like a pre-script hook where we can generate this file.
I think in general better approach would be to have this file generated in the constants repo and we just import it here

[pxrl]

Yeah; I like proding it as a build artefact over there and importing it here.

Given the above it's a moot point, but I don't fwiw understand what you mean about the file getting out of date; I'm just suggesting that it be stored separately from code in the repo.

[pxrl]

Does this impliy that we know CCTP is supported for the chain in advance; should we have a separate function that determines whether it's supported? Or should the revert be caught to infer that CCTP is not supported?

Background: For a generic OP adapter that supports all variety of configurations, we basically need to configure for native or bridged USDC dynamically based on the domain ID.

[fusmanii]

my idea here was that we dont want to have a script accidentally set -1 as domain id but I think that would fail because of uint256 on the contract.

added hasCctpDomain that can be used upstream 9daffac

[grasphoper]

Should we call this isChainZkStack? (as we're checking for ZK_STACK family here)

[fusmanii]

done 7b16cb5

[pxrl]

It took a while for me to figure this out, but Matter Labs call it Elastic Chain. ZK_STACK is unfortunately a pretty heavily overloaded term so I am wondering whether we should just rename it everywhere.

[grasphoper]

Looks good. It's be nice to have https://github.com/across-protocol/contracts/pull/1111/files#r2356459637 before we merge if possible

[grasphoper]

This gives me LSP errors. Seems like we want to return a string, but returning a uint?

[fusmanii]

done 7b16cb5

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​solidity-analyzer-darwin-arm64@​0.1.0
	@​nomicfoundation/​solidity-analyzer-darwin-x64@​0.1.0
	@​nomicfoundation/​solidity-analyzer-freebsd-x64@​0.1.0
	@​nomicfoundation/​solidity-analyzer-linux-arm64-gnu@​0.1.0
	@​nomicfoundation/​solidity-analyzer-linux-arm64-musl@​0.1.0
	@​nomicfoundation/​solidity-analyzer-linux-x64-gnu@​0.1.0
	@​nomicfoundation/​solidity-analyzer-linux-x64-musl@​0.1.0
	@​nomicfoundation/​solidity-analyzer-win32-arm64-msvc@​0.1.0
	@​nomicfoundation/​solidity-analyzer-win32-ia32-msvc@​0.1.0
	@​nomicfoundation/​solidity-analyzer-win32-x64-msvc@​0.1.0
	@​matterlabs/​zksync-contracts@​0.2.4
	array-buffer-byte-length@​1.0.0
	aggregate-error@​3.1.0
	array.prototype.flat@​1.2.5
	array.prototype.reduce@​1.0.5
	array-includes@​3.1.4
	constant-case@​2.0.0
	boolbase@​1.0.0
	babel-helper-optimise-call-expression@​6.24.1
	camel-case@​3.0.0
	babel-helper-get-function-arity@​6.24.1
	@​types/​parse-json@​4.0.0
	at-least-node@​1.0.0
	babel-helper-regex@​6.26.0
	copy-descriptor@​0.1.1
	babel-helper-builder-binary-assignment-operator-visitor@​6.24.1
	babel-helper-call-delegate@​6.24.1
	babel-helper-hoist-variables@​6.24.1
	babel-helper-explode-assignable-expression@​6.24.1
	@​types/​mkdirp@​0.5.2
	@​types/​responselike@​1.0.0
	@​resolver-engine/​imports-fs@​0.3.3
See 281 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		@openzeppelin/[email protected] has a Critical CVE. CVE: GHSA-fg47-3c2x-m2wr TimelockController vulnerability in OpenZeppelin Contracts (CRITICAL) Affected versions: >= 4.0.0 < 4.3.1; >= 3.3.0 < 3.4.2 Patched version: 4.3.1 From: yarn.lock → npm/@across-protocol/[email protected] → npm/@openzeppelin/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@openzeppelin/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@openzeppelin/[email protected] has a Critical CVE. CVE: GHSA-5vp3-v4hc-gx76 UUPSUpgradeable vulnerability in @openzeppelin/contracts (CRITICAL) Affected versions: >= 4.1.0 < 4.3.2 Patched version: 4.3.2 From: yarn.lock → npm/@across-protocol/[email protected] → npm/@openzeppelin/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@openzeppelin/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has a Critical CVE. CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: >= 0 Patched version: No patched versions From: yarn.lock → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@matterlabs/[email protected] has a Git dependency. Dependency: @matterlabs/zksync-telemetry-js@git+https://github.com/matter-labs/zksync-telemetry-js.git#2fd9edbe6b9a5e0c2caeda4b04dd5631d7546a11 Location: Package overview From: yarn.lock → npm/@matterlabs/[email protected] ℹ Read more on: This package | This alert | What are git dependencies? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Publish the git dependency to npm or a private package repository and consume it from there. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@matterlabs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report