SNARKeling Treasure Hunt

First Flight #59

Beginner FriendlyGameFiFoundry

100 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: medium

L-03 Deployment Script Lacks a Chain-ID Safety Check

Author Revealed upon completion

Description

The deployment script logs the current block.chainid, but it does not enforce an expected chain or require operator confirmation before broadcasting transactions.

This means a misconfigured RPC URL or operator mistake can cause deployment to proceed on an unintended network without an explicit script-level safety stop.

Risk

This is an operational deployment risk rather than a direct protocol exploit:

contracts may be deployed to the wrong network
funds used for initial deployment may be stranded on an unintended chain
the resulting deployment may not correspond to the intended contest environment
the verifier may be economically or operationally impractical on the unintended chain even if deployment succeeds
the hunt may become unusable or fail to serve its intended purpose in the target operating environment

Proof of Concept

The script only logs the chain ID:

console2.log("Chain ID:", block.chainid);

but no guard exists before:

vm.startBroadcast(deployerKey);

As a result, if the operator points the script at the wrong RPC endpoint, deployment still proceeds.

This matters even when the unintended destination is EVM-compatible. The verifier and hunt contracts may still deploy, but the resulting deployment can be misaligned with the project’s real assumptions about network, users, funds, and proof-verification practicality. On some unintended networks, claim verification may be prohibitively expensive or otherwise unsuitable for the intended hunt workflow.

Recommended Mitigation

Require an expected chain ID from the environment and halt if the script is pointed at the wrong chain.

diff --git a/contracts/scripts/Deploy.s.sol b/contracts/scripts/Deploy.s.sol

--- a/contracts/scripts/Deploy.s.sol

+++ b/contracts/scripts/Deploy.s.sol

@@ -45,9 +45,13 @@ contract Deploy is Script {

uint256 deployerKey = vm.envUint("PRIVATE_KEY");

uint256 initialFunding = vm.envOr("INITIAL_FUNDING", DEFAULT_INITIAL_FUNDING);

+ uint256 expectedChainId = vm.envUint("EXPECTED_CHAIN_ID");

address deployer = vm.addr(deployerKey);

console2.log("Chain ID:", block.chainid);

+ require(block.chainid == expectedChainId, "UNEXPECTED_CHAIN_ID");

console2.log("Deployer:", deployer);

console2.log("Deployer balance:", deployer.balance);

console2.log("Initial funding:", initialFunding);

Rewards breakdown

nSLOC

220

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!