Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@across-protocol/contracts
Advanced tools
The latest contract deployments on Production will always be under the `deployed` tag.
Contains smart contract suite to enable instant token transfers between any two networks. Relays are backstopped by
liquidity held in a central HubPool
on Ethereum, which also serves as the cross-chain administrator of all contracts in the
system. SpokePool
contracts are deployed to any network that wants to originate token deposits or be the final
destination for token transfers, and they are all governed by the HubPool
on Ethereum.
This contract set is the second iteration of the Across smart contracts which facilitate token transfers from any L2 to L1.
These contracts were audited by OpenZeppelin which is a great resource for understanding the contracts.
This video is also useful for understanding the technical architecture.
The latest contract deployments on Production will always be under the deployed
tag.
This repository assumes you have Node installed, with a minimum version of 16.18.0. Depending on what you want to do with the repo you might also need foundry and anchor to also be installed. If you have build issues please insure these are both installed first.
yarn
yarn build # Will build all code. Compile solidity & rust, generate ts outputs
yarn test # Run all unit tests without gas analysis
yarn test:gas-analytics # Run only tests that count gas costs
yarn test:report-gas # Run unit tests with hardhat-gas-reporter enabled
yarn test-evm # Only test EVM code
yarn test-svm # Only test SVM code
yarn lint
yarn lint-js # Only lint Javascript
yarn lint-rust # Only lint rust
yarn lint-solidity # Only lint solidity
yarn lint-fix
NODE_URL_1=https://mainnet.infura.com/xxx yarn hardhat deploy --tags HubPool --network mainnet
ETHERSCAN_API_KEY=XXX yarn hardhat etherscan-verify --network mainnet --license AGPL-3.0 --force-license --solc-input
yarn hardhat finalize-scroll-claims --l2-address {operatorAddress}
Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.
Spire-Contracts has been analyzed using Slither@0.9.2
and no major bugs was found. To rerun the analytics, run:
slither contracts/SpokePool.sol
\ --solc-remaps @=node_modules/@
\ --solc-args "--optimize --optimize-runs 1000000"
\ --filter-paths "node_modules"
\ --exclude naming-convention
You can replace SpokePool.sol
with the specific contract you want to analyze.
These are special instructions for compiling and deploying contracts on zksync
. The compile command will create artifacts-zk
and cache-zk
directories.
This step requires Docker Desktop to be running, as the solc
docker image is fetched as a prerequisite.
yarn compile-zksync
All code in this repository is licensed under BUSL-1.1 unless specified differently in the file. Individual exceptions to this license can be made by Risk Labs, which holds the rights to this software and design. If you are interested in using the code or designs in a derivative work, feel free to reach out to licensing@risklabs.foundation.
FAQs
The latest contract deployments on Production will always be under the `deployed` tag.
We found that @across-protocol/contracts demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.