Test automated trades between multiple chains on Mach.
Test automated trades on Mach. Specify a start chain and symbol, and a policy determining how the destination token will be chosen (randomize chain and symbol, or randomize chain and fix symbol). In each trade, the test wallet's entire balance of the source token will be sold for the destination token, and then the destination token becomes the new source token for the next trade. This continues until the script is killed by the user.
Install
python -m pip install mach-cctt
Usage
cctt --help
Example
# The script will create log files and an account data file. Make a working directory for it.
mkdir cctt/ && cd cctt/
# Set password to avoid being prompted
# export CCTT_PASSWORD="abc"
# Backend defaults to production, change if necessary
# export MACH_BACKEND_URL="https://cache-half-full-staging.fly.dev"
cctt import # Import account
cctt decrypt # Show public/private key
cctt balances # Show account balances
# Trade USDC on random chains, starting from optimism-USDC
cctt run --source optimism-USDC --destination-policy fixed:USDC
# Trade USDC on only arbitrum and optimism, starting from polygon-USDC
cctt run --source polygon-USDC --destination-policy cheap:USDC
# Trade between random tokens on random chains, starting from arbitrum-USDT
cctt run --source arbitrum-USDT --destination-policy random
# If the --source is empty, then an appropriate source with a non-zero balance is chosen for you.
cctt run --source --destination-policy random
Notes:
The --source token should be one that you hold a non-zero balance of in your wallet. If you set it to empty, it will be automatically chosen as any token with a non-zero balance in the wallet.
There are 4 log files created by the application:
app.log - everything
delayed_transactions.log - the source funds were not withdrawn in time
stuck_transactions.log - the source funds were withdrawn but the destination funds were not received in time
improper_fill.log - the trade filled on the source chain for 1 tick less than the order was placed for. This has been observed to happen primarily to USDM (on multiple chains)
A plaintext JSON file storing your account encrypted with your password will be created once you first generate or import a wallet. By default this file is called account.json, but you can give a path to your own file via the --file PATH flag. This file is required to be present for any operation other than importing or generating a new wallet.
You need the just command runner and either Python 3.12.5+ with virtualenv, or pyenv.
Clone the repository
git clone https://github.com/tristeroresearch/cross-chain-trade-test.git
cd cross-chain-trade-test
Create and activate a virtual environment
Using venv:
python -m venv .venv
source .venv/bin/activate
Or using pyenv:
pyenv virtualenv 3.12.5 cctt
pyenv activate
Install dependencies
just init
View available recipes
just -l
Note that there are recipes that allow you to run the application in-source without needing to build and package to PyPI first:
just account_file=account.json import <private key> # Import a new account
just decrypt # Show public and private key
just balances # List balances of account
just source=arbitrum-USDC policy=random run # Run the trade tester, starting from arbitrum-USDC and trading to random tokens
just wallet=<public key> withdraw # Withdraw funds from the stored account to the given wallet
Building
just build
Make sure to bump the version number in pyproject.toml.
To upload to the test PyPI:
just upload-test
To upload to the main PyPI:
just upload
FAQs
Test automated trades on the Mach exchange.
We found that mach-cctt demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.