
fix: XSS vulnerability, DAI address typo, docs inconsistencies, and repo hygiene#15

Merged
igor53627 merged 8 commits into main from devin/1767544341-fix-docs-and-repo-hygiene on Jan 4, 2026

Conversation

@devin-ai-integration
Contributor

@devin-ai-integration devin-ai-integration bot commented Jan 4, 2026

fix: XSS vulnerability, DAI address typo, docs inconsistencies, and repo hygiene

Summary

This PR addresses several issues identified during a code review of the repository:

  1. XSS vulnerability fix in docs/index.html - replaced innerHTML with textContent and proper DOM manipulation in the log function to prevent XSS attacks
  2. DAI address fix in script/arb-scanner.ts - corrected the truncated DAI token address to 0x6B175474E89094C44Da98b954EedeAC495271d0F
  3. Documentation fix in SECURITY.md - removed reference to non-existent rescueETH() function, replaced with sync()
  4. Repo hygiene - removed 90+ tracked build artifacts from out/ and cache/ directories that were committed before gitignore was added
  5. Network validation in docs/index.html - added chainId check and automatic network switching to match the webapp version
  6. CI/CD workflow - added GitHub Actions workflow for Foundry tests and formatting checks (TypeScript check omitted due to 46 pre-existing type errors in the repo)
  7. package.json scripts - added useful npm scripts for testing, building, deploying, and running the arb scanner
  8. Solidity formatting - ran forge fmt to fix formatting inconsistencies

Updates since last revision

Repo reorganization:

  • Created research/ directory and moved Balancer artifacts (CSVs, Python scripts, BALANCER_COMPARISON.md)
  • Created deployments/ directory and moved deployment-mainnet.json
  • Removed webapp/ directory (consolidated with docs/ as canonical source)
  • Updated deploy scripts to reference docs/ instead of webapp/

CodeRabbit review fixes:

  • Removed unused escapeHtml function (dead code)
  • Added chain ID re-verification after network switch for better UX

README improvements:

  • Added badges (CI status, MIT license, Deployed on Ethereum)
  • Added Quick Links section with contract address, gas analysis, and security policy
  • Fixed incorrect "What's NOT checked" section (removed claim that token parameter isn't checked - it actually IS checked and reverts if not USDC)
  • Added FAQ section explaining design decisions (Why USDC only? Why Yul? Why not check callback return? What happens with direct USDC transfers?)
  • Added Security section linking to SECURITY.md

Review & Testing Checklist for Human

  • Verify the DAI address fix matches the canonical mainnet address (0x6B175474E89094C44Da98b954EedeAC495271d0F)
  • Test the XSS fix by opening docs/index.html in a browser and verifying the log function displays messages correctly
  • Verify network validation works by connecting with a wallet on a non-mainnet network (should prompt to switch, then re-verify)
  • Verify README badges render correctly on GitHub (3 badges: CI, MIT License, Deployed on Ethereum)
  • Verify Quick Links paths work (especially research/BALANCER_COMPARISON.md)

Recommended test plan:

  1. Run npm run arb:scan to verify the arb-scanner works with corrected addresses
  2. Open docs/index.html locally and test wallet connection + logging functionality
  3. View README.md on GitHub to confirm badges and links render properly
  4. CI is passing - Foundry tests run against mainnet fork

Notes

The TypeScript CI check was intentionally removed because the repo has 46 pre-existing type errors related to viem library compatibility. The repo uses tsx for runtime execution which doesn't require type checking, so this doesn't affect functionality.

Link to Devin run: https://app.devin.ai/sessions/861106c4151b439ebcb344694d9b611a
Requested by: Player 53627 ([email protected]) / @igor53627

…epo hygiene

- Fix XSS vulnerability in docs/index.html by using textContent instead of innerHTML
- Fix DAI address typo in arb-scanner.ts (was missing a digit)
- Update SECURITY.md to remove reference to non-existent rescueETH() function
- Remove tracked build artifacts (out/, cache/) that were committed before gitignore
- Add network validation in docs/index.html to match webapp version
- Add GitHub Actions CI/CD workflow for forge tests and TypeScript checks
- Update package.json with useful scripts (test, build, deploy, arb:scan, etc.)

Co-Authored-By: Player 53627 <[email protected]>
@devin-ai-integration
Contributor Author

Original prompt from Player 53627
is there anything we can make better in the repo?


You only need to look in the following repo: igor53627/liq

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@changeset-bot

changeset-bot bot commented Jan 4, 2026

⚠️ No Changeset found

Latest commit: 2097943

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@coderabbitai

coderabbitai bot commented Jan 4, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The PR establishes a GitHub Actions CI workflow for automated testing and linting, removes cached build artifacts and compiled contract JSON files from the output directory, updates security documentation to reflect a changed privilege action, and enhances the frontend HTML with Ethereum Mainnet network validation and improved logging practices.

Changes

Cohort | File(s) | Summary
CI & Workflows | .github/workflows/ci.yml | Introduces new GitHub Actions workflow for the main branch with Foundry toolchain setup, build, format checks, and test execution against a forked Ethereum RPC endpoint.
Documentation | SECURITY.md | Updates owner privileges section, replacing rescueETH action with sync (pool balance synchronization).
Cache Cleanup | cache/solidity-files-cache.json, cache/test-failures | Removes build cache file and associated test failure metadata, eliminating stored artifact mappings and test identifiers.
Frontend Security & Logging | docs/index.html | Adds runtime Ethereum Mainnet chain ID validation during wallet connection with automatic chain switching attempt; refactors logging to construct DOM nodes instead of injecting HTML strings; introduces HTML escaping utility for sanitization.
Build Artifacts | out/*/*.json (20+ files) | Removes compiled contract artifacts across multiple test suites and contracts, including ABI definitions, bytecode, source maps, and metadata for AsmSequenceTest, Base, Comparison, Counter, DebugFlash, Discoverable, Final, FlashGas, FlashUSDC, ForkDebug, HighMem, HuffDeployer contracts and interfaces.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit's ode to the cleanup:

Cache swept clean, artifacts gone,
Network guards greet the break of dawn,
Logs now safe from HTML harm,
Tests run swift with CI's charm—
Foundry builds, the warren's strong! ✨

Pre-merge checks

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main categories of changes: XSS vulnerability fix, DAI address typo correction, documentation inconsistencies, and repository hygiene improvements (build artifact cleanup).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Comment @coderabbitai help to get the list of available commands and usage tips.

devin-ai-integration bot and others added 3 commits January 4, 2026 16:38
- Change npm ci to npm install (no package-lock.json in repo)
- Remove npm cache option (requires lock file)
- Fix DAI address typo (correct mainnet address)
- Run forge fmt to fix Solidity formatting issues

Co-Authored-By: Player 53627 <[email protected]>
- Use --fork-url directly instead of FOUNDRY_FORK_URL env var
- Use npx --yes -p typescript tsc to install typescript on the fly

Co-Authored-By: Player 53627 <[email protected]>
The repo has 46 pre-existing TypeScript type errors related to viem
library compatibility. Since the repo uses tsx for runtime execution
(which doesn't require type checking), removing the TypeScript CI check
is the pragmatic approach. The Foundry tests remain as the primary CI.

Co-Authored-By: Player 53627 <[email protected]>
@igor53627
Owner

@coderabbitai review

@coderabbitai

coderabbitai bot commented Jan 4, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
.github/workflows/ci.yml (1)

1-33: Consider adding dependency caching and handling public RPC rate limits.

The CI workflow looks good overall, but consider these optional improvements:

  1. Caching: Add Foundry dependency caching to speed up builds:

    - name: Cache Foundry dependencies
      uses: actions/cache@v3
      with:
        path: |
          ~/.foundry
          cache
        key: foundry-${{ runner.os }}-${{ hashFiles('foundry.toml') }}
  2. RPC Rate Limits: The public RPC endpoint at line 33 may hit rate limits during CI runs. Consider using FORK_URL as a secret or environment variable to allow easy switching to Alchemy/Infura if needed.

docs/index.html (2)

515-520: Remove unused escapeHtml function.

The escapeHtml function is defined but never called. The XSS fix was correctly implemented by using textContent and createTextNode in the log function (lines 527-531), making this function unnecessary.

🔎 Proposed fix to remove dead code
-        // Escape HTML to prevent XSS
-        function escapeHtml(str) {
-            const div = document.createElement('div');
-            div.textContent = str;
-            return div.innerHTML;
-        }
-
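Review bot: deleting `escapeHtml` is safe only if the `log` function at lines 527-531 (textContent / createTextNode) is the sole place log messages reach the DOM; before applying this, search docs/index.html for any other `escapeHtml(` call and for any remaining `innerHTML` assignment built from wallet- or chain-supplied strings, because the hunk also removes the `// Escape HTML to prevent XSS` comment that would otherwise draw attention to such a site. If nothing else references it, removing the dead helper is preferable to keeping it, since an unused escaper tends to invite a new `innerHTML` path later.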

563-576: Consider re-verifying chain ID after network switch.

The network validation logic is good and improves security. However, after attempting to switch networks (line 568-571), the code continues without re-verifying that the switch was successful. The wallet_switchEthereumChain request may succeed, but the user could still be on the wrong network if they rejected a previous prompt or if the switch failed silently.

🔎 Proposed improvement to re-verify after switch
                 if (chainId !== MAINNET_CHAIN_ID) {
                     log(`Wrong network (chain ${chainId}). Please switch to Ethereum Mainnet.`, 'error');
                     try {
                         await window.ethereum.request({
                             method: 'wallet_switchEthereumChain',
                             params: [{ chainId: '0x1' }],
                         });
+                        // Re-verify the chain ID after switch
+                        const newChainIdHex = await window.ethereum.request({ method: 'eth_chainId' });
+                        const newChainId = parseInt(newChainIdHex, 16);
+                        if (newChainId !== MAINNET_CHAIN_ID) {
+                            log('Still on wrong network after switch attempt', 'error');
+                            return;
+                        }
+                        log('Successfully switched to Ethereum Mainnet', 'success');
                     } catch (switchErr) {
                         log('Failed to switch network', 'error');
                         return;
                     }
                 }
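Review bot: the re-check compares `parseInt(newChainIdHex, 16)` with `MAINNET_CHAIN_ID` using `!==`, so it is correct only if the constant added at line 478 is the number 1 and not a hex string like the `'0x1'` literal passed in `params: [{ chainId: '0x1' }]`; derive the switch parameter from the same constant (for example `'0x' + MAINNET_CHAIN_ID.toString(16)`) so the request and the comparison cannot drift apart. The early `return` after a failed re-verification is the essential part, since a resolved `wallet_switchEthereumChain` does not by itself prove the wallet moved.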
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d18d176 and 2c41731.

📒 Files selected for processing (102)
💤 Files with no reviewable changes (37)
🔇 Additional comments (3)
docs/index.html (2)

478-478: LGTM!

Good practice to define the Mainnet chain ID as a constant for clarity and maintainability.


523-534: LGTM! XSS vulnerability correctly fixed.

The logging function now safely constructs DOM elements using createElement, textContent, and createTextNode instead of potentially unsafe innerHTML. This prevents XSS attacks from user-controlled log messages.

SECURITY.md (1)

69-69: The sync() function is correctly documented and fully implemented in the contract (selector 0xfff6cae9, lines 303-329 of LIQFlashYul.sol). The function exists as an owner-only operation that syncs the poolBalance to the actual USDC balance held by the contract. The SECURITY.md documentation is accurate.
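The connect-time mainnet check with post-switch re-verification that the PR description and the review above discuss, as an added example that is not code from the liq repository or this PR: it runs the same eth_chainId / wallet_switchEthereumChain sequence against a constructed EIP-1193 provider mock so the three outcomes (switch honoured, switch resolved but ignored, switch rejected) execute under Node without a browser or wallet. MAINNET_CHAIN_ID, log and the message strings follow the PR; ensureMainnet, mockProvider and the mock's behaviour are assumptions.

```javascript
// Added example (not code from the liq repo or this PR): the mainnet check
// plus post-switch re-verification from the review, run against a
// constructed EIP-1193 provider mock so it executes under Node.
const MAINNET_CHAIN_ID = 1; // decimal; eth_chainId returns hex, so parse with base 16

// Stand-in for the page's DOM log: the real one appends a text node per
// entry (never innerHTML), so the message is stored as data, not markup.
const entries = [];
function log(msg, level = 'info') {
  entries.push({ level, text: String(msg) });
}

// Returns true only when the wallet is verifiably on mainnet. A resolved
// wallet_switchEthereumChain request is not proof that the chain changed,
// so eth_chainId is read again afterwards (the review's suggested fix).
async function ensureMainnet(ethereum) {
  const chainId = parseInt(await ethereum.request({ method: 'eth_chainId' }), 16);
  if (chainId === MAINNET_CHAIN_ID) return true;
  log(`Wrong network (chain ${chainId}). Please switch to Ethereum Mainnet.`, 'error');
  try {
    await ethereum.request({
      method: 'wallet_switchEthereumChain',
      // Derive the hex param from the same constant so the two cannot drift.
      params: [{ chainId: '0x' + MAINNET_CHAIN_ID.toString(16) }],
    });
  } catch (switchErr) {
    log('Failed to switch network', 'error'); // user rejected or wallet error
    return false;
  }
  const after = parseInt(await ethereum.request({ method: 'eth_chainId' }), 16);
  if (after !== MAINNET_CHAIN_ID) {
    log('Still on wrong network after switch attempt', 'error');
    return false;
  }
  log('Successfully switched to Ethereum Mainnet', 'success');
  return true;
}

// Constructed provider mock (an assumption, not a real wallet). `honours`
// controls whether the switch actually changes the chain; `rejects` makes
// the switch throw, as a wallet does when the user declines (code 4001).
function mockProvider({ chainId, honours = true, rejects = false }) {
  let current = chainId;
  return {
    async request({ method, params }) {
      if (method === 'eth_chainId') return '0x' + current.toString(16);
      if (method === 'wallet_switchEthereumChain') {
        if (rejects) throw Object.assign(new Error('User rejected the request'), { code: 4001 });
        if (honours) current = parseInt(params[0].chainId, 16);
        return null; // resolves either way: exactly the case re-verification catches
      }
      throw new Error('unsupported method: ' + method);
    },
  };
}
```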

devin-ai-integration bot and others added 4 commits January 4, 2026 17:02
- Create research/ directory and move Balancer artifacts (CSVs, Python scripts, BALANCER_COMPARISON.md)
- Create deployments/ directory and move deployment-mainnet.json
- Remove webapp/ (keep docs/ as canonical source for GitHub Pages)
- Update deploy scripts to reference docs/ instead of webapp/

Co-Authored-By: Player 53627 <[email protected]>
- Remove unused escapeHtml function (dead code)
- Add chain ID re-verification after network switch for better UX

Co-Authored-By: Player 53627 <[email protected]>
- Add CI, License, Solidity, Foundry, and Deployed badges
- Add Quick Links section with contract address, gas analysis, and security policy
- Fix incorrect 'What's NOT checked' section (token IS checked)
- Add FAQ section explaining design decisions
- Add Security section linking to SECURITY.md

Co-Authored-By: Player 53627 <[email protected]>
@igor53627 igor53627 merged commit e1f10ed into main Jan 4, 2026
2 checks passed
@igor53627 igor53627 deleted the devin/1767544341-fix-docs-and-repo-hygiene branch January 4, 2026 17:17