Vanguard
First Flight #56
Beginner FriendlyDeFiFoundry
0 EXP
View all submissions
Previous Next
Submission Details
Impact: low
Likelihood: high

Deployment script relies on implicit signer and ignores `deployerAddress`

Author Revealed upon completion

Deployment script relies on implicit signer and ignores deployerAddress

Description

The deployment script calls vm.startBroadcast() without specifying a signer. That means the broadcast uses Foundry’s default signer (typically the first wallet), which may not match the intended owner role described in the README.

NOTE: The TokenLaunchHook does not implement the owner role in the contract, which has been documented in a separate finding and also needs to be fixed.

function run() public {
// ...
@> vm.startBroadcast(); // No address specified
TokenLaunchHook hook = new TokenLaunchHook{salt: salt}(
// ...
);
vm.stopBroadcast();
}

Additionally, BaseScript derives a deployerAddress but never uses it for broadcasting; getDeployer() just returns the first address from vm.getWallets.

contract BaseScript is Script {
address immutable deployerAddress; // Not used for broadcasting
constructor() {
deployerAddress = getDeployer();
vm.label(address(deployerAddress), "Deployer");
}
}

Risk

Likelihood:

  • Every deployment using this script is affected (unless the Foundry signer is explicitly configured elsewhere)

Impact:

  • If ownership is added, whoever runs the script becomes owner, which may not match the intended owner role from the README

Recommended Mitigation

Source the deployer from environment configuration (private key or address), and use it explicitly in vm.startBroadcast. Keep or remove getDeployer() depending on whether you still need address derivation.

contract BaseScript is Script {
uint256 internal deployerPrivateKey;
address internal deployerAddress;
constructor() {
deployerPrivateKey = vm.envUint("DEPLOYER_PK");
deployerAddress = vm.addr(deployerPrivateKey);
vm.label(deployerAddress, "Deployer");
}
}
function run() public {
// ...
- vm.startBroadcast();
+ vm.startBroadcast(deployerPrivateKey);
TokenLaunchHook hook = new TokenLaunchHook{salt: salt}(
// ...
);
vm.stopBroadcast();
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!