Vanguard

First Flight #56

Beginner FriendlyDeFiFoundry

0 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: high

Deploy script imports not existing file

Author Revealed upon completion

Description

The deploy script should import the shared script base with the exact file name (case‑sensitive on Linux/CI). The repository’s README even shows building the deploy script directly, so the file imports in that script must be valid.
In DeployHookScript, the import uses ./Base.s.sol (capital “B”). If the actual file on disk is script/base.s.sol (lowercase), this causes a compilation error on case‑sensitive filesystems (Linux/CI). The deploy script will not compile, blocking scripted deployments.

// Root cause in the codebase with @> marks to highlight the relevant section

// script/deployLaunchHook.s.sol

@> import {BaseScript} from "./Base.s.sol"; // <— mismatched casing if file is "base.s.sol"

// The README demonstrates compiling this script explicitly:

# forge build --contracts script/deployLaunchHook.s.sol

Risk

Likelihood: High

High in CI / Linux dev environments: Most CI agents and Linux build boxes use case‑sensitive filesystems, so the import will fail immediately during compilation. Developers on macOS/Windows may not notice locally if their FS is case‑insensitive.

Impact: Low

Deployment scripts fail to compile: forge build --contracts script/deployLaunchHook.s.sol (as documented) will error, blocking automated deployments and pipeline builds.
Developer friction / delays: Teams waste time debugging non‑semantic failures caused by filename casing rather than contract logic.

Proof of Concept

Create DeployScriptImportCasing.t.sol under test directory and copy code below.
Run command forge test --mt test_DeployScript_ImportCasing_Mismatch -vvvv.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.26;

import {Test} from "forge-std/Test.sol";

/// @notice PoC: detect deploy script import casing mismatch without breaking compilation.

contract DeployScriptImportCasingTest is Test {

function test_DeployScript_ImportCasing_Mismatch() public {

// On case-sensitive FS (Linux/CI):

// 1) Expect reading the capitalized path to REVERT if only lowercase exists.

vm.expectRevert();

vm.readFile("script/Base.s.sol"); // will revert if file is actually "base.s.sol"

// 2) Reading the lowercase file should SUCCEED and return non-empty contents.

string memory content = vm.readFile("script/base.s.sol");

assertGt(bytes(content).length, 0, "lowercase file should exist and be non-empty");

}

Recommended Mitigation

Correct the import statement.
After fixing the casing, re‑run the documented command to verify forge build --contracts script/deployLaunchHook.s.sol

- import {BaseScript} from "./Base.s.sol";

+ import {BaseScript} from "./base.s.sol";

Rewards breakdown

nSLOC

273

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!