Submission Details
Severity: low

Makefile `deploy` command does not work for production

Description

The escrow is deployed with forge through the DeployEscrowFactory.s.sol script.
The command is defined in a conventional Makefile: the `deploy` target invokes `forge script` with whatever the NETWORK_ARGS Make variable holds.

deploy:
	@forge script script/DeployEscrowFactory.s.sol:DeployEscrowFactory $(NETWORK_ARGS)

As it is, the default NETWORK_ARGS is

NETWORK_ARGS := --rpc-url http://localhost:8545 --private-key $(DEFAULT_ANVIL_KEY) --broadcast

and it is overridden with values tailored to the Sepolia testnet when `--network sepolia` is passed in ARGS (for example `make deploy ARGS="--network sepolia"`):

ifeq ($(findstring --network sepolia,$(ARGS)),--network sepolia)
NETWORK_ARGS := --rpc-url $(SEPOLIA_RPC_URL) --private-key $(PRIVATE_KEY) --broadcast --verify --etherscan-api-key $(ETHERSCAN_API_KEY) -vvvv
endif

There is, however, no branch for deploying the escrow to Ethereum mainnet, so as written the Makefile cannot be used for the production deployment.

Recommended Mitigation

Add another ifeq condition tailored for production launch on Ethereum mainnet:

ifeq ($(findstring --network ethereum,$(ARGS)),--network ethereum)
NETWORK_ARGS := --rpc-url $(ETHEREUM_RPC_URL) --private-key $(PROD_PRIVATE_KEY) --broadcast --verify --etherscan-api-key $(ETHERSCAN_API_KEY) -vvvv
endif

where ETHEREUM_RPC_URL and PROD_PRIVATE_KEY are new environment variables.

Other recommendations:

  • consider using a descriptively named environment variable for each private key and its scope

  • do not test on Sepolia using the production private key

  • the PRIVATE_KEY currently used for Sepolia can be renamed DEVEL_PRIVATE_KEY and the production key variable can remain PROD_PRIVATE_KEY; PRIVATE_KEY is too generic
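The three recommendations combined, as an added example that is not the audited project's Makefile: a mainnet branch next to the Sepolia one, separately named keys per scope, and a `check-env` prerequisite that refuses to broadcast when a required variable is empty or the devel and prod keys are the same value. DEVEL_PRIVATE_KEY, PROD_PRIVATE_KEY and ETHEREUM_RPC_URL are the variable names assumed here; DEFAULT_ANVIL_KEY, SEPOLIA_RPC_URL and ETHERSCAN_API_KEY are assumed to be provided by .env as in the original.

```makefile
# Added example (not the project's own Makefile). All key and RPC values are
# expected in .env; nothing here is a real key.
-include .env

# Default target network: local anvil node.
NETWORK_ARGS  := --rpc-url http://localhost:8545 --private-key $(DEFAULT_ANVIL_KEY) --broadcast
REQUIRED_VARS := DEFAULT_ANVIL_KEY

# Sepolia testnet: uses the development key only.
ifeq ($(findstring --network sepolia,$(ARGS)),--network sepolia)
NETWORK_ARGS  := --rpc-url $(SEPOLIA_RPC_URL) --private-key $(DEVEL_PRIVATE_KEY) --broadcast --verify --etherscan-api-key $(ETHERSCAN_API_KEY) -vvvv
REQUIRED_VARS := SEPOLIA_RPC_URL DEVEL_PRIVATE_KEY ETHERSCAN_API_KEY
endif

# Ethereum mainnet: uses the production key only.
ifeq ($(findstring --network ethereum,$(ARGS)),--network ethereum)
NETWORK_ARGS  := --rpc-url $(ETHEREUM_RPC_URL) --private-key $(PROD_PRIVATE_KEY) --broadcast --verify --etherscan-api-key $(ETHERSCAN_API_KEY) -vvvv
REQUIRED_VARS := ETHEREUM_RPC_URL PROD_PRIVATE_KEY ETHERSCAN_API_KEY
endif

.PHONY: check-env deploy

# Fail at expansion time if any variable the selected network needs is empty,
# then refuse to continue if the devel key is the same secret as the prod key
# (which would mean testnet runs have been signing with the production key).
check-env:
	@: $(foreach v,$(REQUIRED_VARS),$(if $(strip $($(v))),,$(error $(v) is not set; check .env)))
	@if [ -n "$(PROD_PRIVATE_KEY)" ] && [ "$(DEVEL_PRIVATE_KEY)" = "$(PROD_PRIVATE_KEY)" ]; then \
	  echo "error: DEVEL_PRIVATE_KEY equals PROD_PRIVATE_KEY; refusing to deploy" >&2; exit 1; \
	fi

# deploy cannot run unless check-env passed for the chosen network.
deploy: check-env
	@forge script script/DeployEscrowFactory.s.sol:DeployEscrowFactory $(NETWORK_ARGS)
```

Invoke as `make deploy` (anvil), `make deploy ARGS="--network sepolia"` or `make deploy ARGS="--network ethereum"`; the mainnet branch only ever reads PROD_PRIVATE_KEY, so a .env that lacks it cannot accidentally fall back to the Sepolia key.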
