When an EOA deploys a contract, the contract's address is determined by the deployer's address and its nonce.
If the deployer private key is ever compromised and no transactions have been made on other EVM chains, a threat actor with access to the key can deploy a malicious contract at the same address, but on a different chain, and phish users into interacting with it.
While this issue is very unlikely, it can easily be mitigated by using a fresh deployment address and doing 1 transaction on all the major EVM chains / L2s.