Merge pull request #144 from lidofinance/verify/l1erc20bridge-cantina-audit

tamtamchik · web-flow · commit d1a5d5df95f8 · 2026-04-04T17:13:53.000+01:00
feat: add L1ERC20Bridge config for zkSync cantina audit
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -3,6 +3,7 @@
   "build": {
     "dockerfile": "Dockerfile",
     "context": "..",
+    "options": ["--platform=linux/amd64"],
     "args": {
       "DEVCONTAINER_BASE_IMAGE": "mcr.microsoft.com/devcontainers/python:3.11@sha256:f46978552419eb3cbf3bcf662ba0dca1639b07307f64447a3fcbe46110710b27",
       "UV_VERSION": "0.10.9"
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
@@ -97,18 +97,18 @@ jobs:
               --allow-source-diff 0xa11906bBBBaC5207b8FDA4F7F294d7EcB8dcc758
               --allow-source-diff 0xc5dCd2A9642ceA9B71A632BF5b8ff52424Ea1B40
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Restore diffyscan caches
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: .diffyscan_cache
           key: diffyscan-cache-${{ github.ref_name }}-${{ matrix.config }}-${{ github.sha }}
           restore-keys: |
             diffyscan-cache-${{ github.ref_name }}-${{ matrix.config }}-
 
       - name: Restore devcontainer build cache
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ env.DEVCONTAINER_BUILD_CACHE_DIR }}
           key: devcontainer-buildx-${{ runner.os }}-${{ hashFiles('.devcontainer/Dockerfile', '.dockerignore') }}
diff --git a/config_samples/zksync/mainnet/zksync_mainnet_L1_new_impl.yaml b/config_samples/zksync/mainnet/zksync_mainnet_L1_new_impl.yaml
@@ -0,0 +1,31 @@
+# Foundry-verified contracts store full paths in Etherscan metadata, unlike Hardhat:
+#   - Source paths include "zksync/" prefix, so relative_root must be "" (not "zksync")
+#   - Dependency paths include "node_modules/" prefix, so dependency keys must too
+
+contracts:
+  "0x43a66B32c9AdcA1A59b273E69b61Da5197c21cCd": L1ERC20Bridge
+
+explorer_hostname: api.etherscan.io
+explorer_chain_id: 1
+explorer_token_env_var: ETHERSCAN_EXPLORER_TOKEN
+
+github_repo:
+  url: https://github.com/lidofinance/lido-l2
+  commit: b5bbb12982cc5d3279243e271ae69de6e4e6725e
+  relative_root: ""  # "" for Foundry, "zksync" for Hardhat
+
+dependencies:
+  "node_modules/@openzeppelin/contracts":  # "node_modules/" prefix required for Foundry
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts
+    commit: d4fb3a89f9d0a39c7ee6f2601d33ffbf30085322
+    relative_root: contracts
+
+  "node_modules/@openzeppelin/contracts-upgradeable":
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
+    commit: f6febd79e2a3a17e26969dd0d450c6ebd64bf459
+    relative_root: contracts
+
+  "node_modules/@matterlabs/zksync-contracts":
+    url: https://github.com/matter-labs/v2-testnet-contracts
+    commit: 093341c8549de4b750f779b14ae727c88ae884ff
+    relative_root: ""
diff --git a/config_samples/zksync/mainnet/zksync_mainnet_L1_old_impl.yaml b/config_samples/zksync/mainnet/zksync_mainnet_L1_old_impl.yaml
@@ -0,0 +1,27 @@
+contracts:
+  "0x9a810469F4a451Ebb7ef53672142053b4971587c": L1ERC20Bridge
+
+explorer_hostname: api.etherscan.io
+explorer_chain_id: 1
+explorer_token_env_var: ETHERSCAN_EXPLORER_TOKEN
+
+github_repo:
+  url: https://github.com/lidofinance/lido-l2
+  commit: fa6a77e694a34dc6f03d57bb8c934941e554ac9d
+  relative_root: zksync
+
+dependencies:
+  "@openzeppelin/contracts":
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts
+    commit: d4fb3a89f9d0a39c7ee6f2601d33ffbf30085322
+    relative_root: contracts
+
+  "@openzeppelin/contracts-upgradeable":
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
+    commit: f6febd79e2a3a17e26969dd0d450c6ebd64bf459
+    relative_root: contracts
+
+  "@matterlabs/zksync-contracts":
+    url: https://github.com/matter-labs/v2-testnet-contracts
+    commit: 093341c8549de4b750f779b14ae727c88ae884ff
+    relative_root: ""
diff --git a/config_samples/zksync/mainnet/zksync_mainnet_fix_L1.yaml b/config_samples/zksync/mainnet/zksync_mainnet_fix_L1.yaml
@@ -0,0 +1,28 @@
+contracts:
+  "0x43a66b32c9adca1a59b273e69b61da5197c21ccd": L1ERC20Bridge
+
+network: mainnet
+explorer_hostname: api.etherscan.io
+explorer_token_env_var: ETHERSCAN_EXPLORER_TOKEN
+explorer_chain_id: 1
+
+github_repo:
+  url: https://github.com/lidofinance/lido-l2
+  # https://github.com/lidofinance/audits/blob/main/L2/zkSync-2026-03-05-Cantina-PR-85-fix-report.pdf
+  commit: b5bbb12982cc5d3279243e271ae69de6e4e6725e
+  relative_root: ""
+
+dependencies:
+  "node_modules/@openzeppelin/contracts":
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts
+    commit: d4fb3a89f9d0a39c7ee6f2601d33ffbf30085322 # 4.6.0
+    relative_root: contracts
+  "node_modules/@openzeppelin/contracts-upgradeable":
+    url: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
+    commit: f6febd79e2a3a17e26969dd0d450c6ebd64bf459 # 4.9.0
+    relative_root: contracts
+  "node_modules/@matterlabs/zksync-contracts":
+    url: https://github.com/matter-labs/v2-testnet-contracts
+    commit: 093341c8549de4b750f779b14ae727c88ae884ff # 0.6.2-beta
+    relative_root: ""
+
diff --git a/pyproject.toml b/pyproject.toml
@@ -32,6 +32,9 @@ dev = [
 requires = ["hatchling==1.27.0"]
 build-backend = "hatchling.build"
 
+[tool.black]
+target-version = ["py311"]
+
 [tool.hatch.build.targets.wheel]
 packages = ["diffyscan"]
 
diff --git a/tests/test_config_loading.py b/tests/test_config_loading.py
@@ -78,8 +78,7 @@ def test_yaml_and_json_produce_identical_config(tmp_path):
 def test_yaml_comments_are_ignored(tmp_path):
     """Comments are the whole reason we migrated to YAML — verify they parse cleanly."""
     path = tmp_path / "config.yaml"
-    path.write_text(
-        """\
+    path.write_text("""\
 # Top-level comment
 contracts:
   "0x0000000000000000000000000000000000000001": TransparentUpgradeableProxy # Vault
@@ -96,8 +95,7 @@ def test_yaml_comments_are_ignored(tmp_path):
     commit: def456
     relative_root: contracts
     # version 1.0.0
-"""
-    )
+""")
     result = load_config(str(path))
     assert (
         result["contracts"]["0x0000000000000000000000000000000000000001"]
@@ -140,8 +138,7 @@ def test_yaml_preserves_hex_address_strings(tmp_path):
     """YAML auto-coerces unquoted hex (0x1A -> int 26). Quoted addresses must stay strings."""
     path = tmp_path / "config.yaml"
     # Write raw YAML with quoted hex addresses to ensure they stay as strings
-    path.write_text(
-        """\
+    path.write_text("""\
 contracts:
   "0x00000000000000000000000000000000000000AB": TestContract
   "0x0000000000000000000000000000000000000100": AnotherContract
@@ -153,8 +150,7 @@ def test_yaml_preserves_hex_address_strings(tmp_path):
   commit: abc123
   relative_root: ""
 dependencies: {}
-"""
-    )
+""")
     result = load_config(str(path))
     addresses = list(result["contracts"].keys())
     for addr in addresses:
@@ -171,8 +167,7 @@ def test_yaml_preserves_hex_address_strings(tmp_path):
 def test_yaml_unquoted_hex_address_raises(tmp_path):
     """Unquoted hex addresses get coerced to int by PyYAML — load_config must catch this."""
     path = tmp_path / "config.yaml"
-    path.write_text(
-        """\
+    path.write_text("""\
 contracts:
   0x00000000000000000000000000000000000000AB: TestContract
 explorer_hostname: api.etherscan.io
@@ -182,8 +177,7 @@ def test_yaml_unquoted_hex_address_raises(tmp_path):
   commit: abc123
   relative_root: ""
 dependencies: {}
-"""
-    )
+""")
     with pytest.raises(ValueError, match="parsed as integer"):
         load_config(str(path))
 
@@ -199,8 +193,7 @@ def test_empty_yaml_raises(tmp_path):
 def test_bytecode_comparison_unquoted_hex_raises(tmp_path):
     """Unquoted hex in bytecode_comparison.constructor_args keys should be caught."""
     path = tmp_path / "config.yaml"
-    path.write_text(
-        """\
+    path.write_text("""\
 contracts:
   "0x0000000000000000000000000000000000000001": TestContract
 explorer_hostname: api.etherscan.io
@@ -214,17 +207,15 @@ def test_bytecode_comparison_unquoted_hex_raises(tmp_path):
   constructor_args:
     0x00000000000000000000000000000000000000AB:
       - "0x01"
-"""
-    )
+""")
     with pytest.raises(ValueError, match="bytecode_comparison.constructor_args"):
         load_config(str(path))
 
 
 def test_bytecode_comparison_library_unquoted_hex_raises(tmp_path):
     """Unquoted hex in bytecode_comparison.libraries values should be caught."""
     path = tmp_path / "config.yaml"
-    path.write_text(
-        """\
+    path.write_text("""\
 contracts:
   "0x0000000000000000000000000000000000000001": TestContract
 explorer_hostname: api.etherscan.io
@@ -238,8 +229,7 @@ def test_bytecode_comparison_library_unquoted_hex_raises(tmp_path):
   libraries:
     "contracts/Foo.sol":
       MyLib: 0x00000000000000000000000000000000000000AB
-"""
-    )
+""")
     with pytest.raises(ValueError, match="bytecode_comparison.libraries"):
         load_config(str(path))
 
diff --git a/tests/test_refactored.py b/tests/test_refactored.py
@@ -19,7 +19,6 @@
 from diffyscan.utils.custom_exceptions import CalldataError, EncoderError
 from diffyscan.utils.explorer import merge_libraries, get_solc_sources
 
-
 # --- encoder tests ---
 
 
