New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details
Socket
Book a DemoSign in
Socket
Book a DemoSign in

@finstable/smart-order-router

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@finstable/smart-order-router

Findex Smart Order Router

latest
Source
npmnpm
Version
2.10.6
Version published
Maintainers
1
Created
Source

Uniswap Smart Order Router Fork

This repository contains routing logic for the Uniswap V2 protocol.

It searches for the most efficient way to swap token A for token B, considering splitting swaps across multiple routes and gas costs.

WIP

  • Refactor code

Usage

Install and Build package

npm install
npm run build

Adding a new Chain

The main components to complete are:

  • Deploy contracts on chain, add the pools to subgraph
  • Populate chainId and addresses in src/util/chains.ts and src/util/addresses.ts
    • factory address
    • multicall address
    • tokens address (Native Token)
  • Populate pair in src/util/pair.ts
    • INIT_CODE_HASH
    • Fee
    • LP Token
  • Populate v2 providers in src/providers/v2/subgraph-provider and src/providers/v2/static-subgraph-provider
  • Populate token providers in src/providers/caching-token-provider and src/providers/token-provider.ts
  • Populate gas constants in src/routers/alpha-router/gas-models/*
  • Populate src/routers/alpha-router/*

Contracts

  • Deploy UniswapInterfaceMulticall to get multicall address at swap-router-contracts
    • also check INIT_CODE_HASH from contracts/libraries/UniswapV2Library.sol
  • Deploy SwapRouter02 to get swap router at swap-router-contracts
    • don't forget to approve token to SwapRouter02 before send a transaction

CLI

The package can be run as a CLI for testing purposes.

First create a .env file in the root of the project and configure:

# JSON_RPC_PROVIDER_[CHAIN]=
JSON_RPC_PROVIDER_BITKUBT=https://rpc.bitkubchain.io
JSON_RPC_PROVIDER_BITKUB_TESTNET=https://rpc-testnet.bitkubchain.io

SUBGRAPH_URL_BITKUB=
SUBGRAPH_URL_BITKUB_TESTNET=

Examples

Some examples to use for manual CLI testing.

Mainnet

./bin/cli quote --tokenIn 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 --tokenOut 0x1f9840a85d5af5bf1d1762f925bdaddc4201f984 --amount 1000 --exactIn --recipient 0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B --protocols v2

Bitkub Testnet

./bin/cli quote --tokenIn 0xbfadd0f9c1617d4b17ba1516017b19ad2c162f1d --tokenOut 0x33ddd91c7a7fa078b4fcdfd3cd0c9aca95496b0a --amount 1 --exactIn --minSplits 1 --protocols v2 --router alpha --chainId 25925

Testing

Unit Tests

First make sure you have run npm install and npm run build.

npm run test

Integration Tests

Make sure the .env file is configured to connect to mainnet and other chains. See the CLI section below for more details.


npm run integ-test

Tenderly Simulations

Quotes can be simulated on Tenderly

Ensure you set the following environment variables:


process.env.TENDERLY_BASE_URL!,
process.env.TENDERLY_USER!,
process.env.TENDERLY_PROJECT!,
process.env.TENDERLY_ACCESS_KEY!,

Troubleshooting

ProviderGasLimit errors

The package sends many large multicall requests to nodes. You must ensure that your node provider's eth_call gas limit is high enough to succesfully process the RPC calls.

By default each eth_call will consume up to:

  • 132,000,000 gas on Optimism
  • 120,000,000 gas on Arbitrum
  • 50,000,000 gas on Celo
  • 150,000,000 gas on every other network (Mainnet, Goerli, etc.)

These parameters should work on Infura and Alchemy by default.

This total amount of gas each eth_call can consume is equal to the multicallChunk config value multiplied by the gasLimitPerCall config value. If you are using a node provider with a lower gas limit per eth_call you will need to override the default V3QuoteProvider with an instance that lowers the multicallChunk and gasLimitPerCall parameters such that the multiplication is below your node providers limit. Lowering these values will cause each multicall to consume less gas. See here for examples of how to set these values. Note some providers have different limits per chain.

If you are running your own node, we recommend you configure start your node with a higher gas limit per call. For example, on Geth you can use the command line argument --rpc.gascap 150000000 to raise the limit to 150m, which is enough to run the default configuration of this package.

If you are using Hardhat mainnet forking, you should add blockGasLimit: 150_000_000 to your Hardhat config to use the default package configuration.

FAQs

Package last updated on 17 Jan 2023

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline, Forces Certificate Rotation

Security News

Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline, Forces Certificate Rotation

OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.

By Sarah Gooding  -  Apr 11, 2026
Don't Kill the Goose That Lays the Golden Eggs

Security News

Don't Kill the Goose That Lays the Golden Eggs

Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.

By Sarah Gooding  -  Apr 10, 2026
Feross on TBPN: How North Korea Hijacked Axios

Security News

Feross on TBPN: How North Korea Hijacked Axios

Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.

By Sarah Gooding  -  Apr 08, 2026