Summary

ffi is being imported by test script via CheatCodes.t.sol to run arbitrary code.

Vulnerability Details

ffi (Foreign Function Interface) is often used in testing environments like Foundry to allow smart contracts to interact with system-level operations or external data that are not typically accessible within the Ethereum Virtual Machine (EVM).

Impact

ffi can allow reading files, making HTTP requests, or executing system commands during tests. FFI should not be available in a production or mainnet environment due to security and decentralization concerns.

Tools Used

visual review

Recommendations

ffi can be useful for simulating various conditions and states that would be hard or impossible to replicate on mainnet.
However, it is not suitable for deployment in a production environment.
Ensure that production contracts do not include or rely on this testing feature.

set ffi = false in foundry.toml (line 10)

remove CheatCodes.t.sol file in /test/mocks/
remove import {_CheatCodes} from "./mocks/CheatCodes.t.sol"; statement from VotingBoothTest.t.sol in /test/
remove _CheatCodes cheatCodes = _CheatCodes(HEVM_ADDRESS); (line 18 VotingBoothTest.t.sol in /test/)
remove testPwned() function (line 88-93 VotingBoothTest.t.sol in /test/)
remove file 'youve-been-pwned-remember-to-turn-off-ffi!' in project root if exists