Merge pull request ourzora#57 from ourzora/add_lavamoat

Add lavamoat scripts protection
emarai · Dec 15, 2023 · c322cdd · c322cdd
2 parents 0c3c0d2 + 402b108
commit c322cdd
Show file tree

Hide file tree

Showing 14 changed files with 455 additions and 224 deletions.
diff --git a/.github/actions/setup_deps/action.yml b/.github/actions/setup_deps/action.yml
@@ -6,7 +6,7 @@ runs:
     - name: Install Node.js
       uses: actions/setup-node@v3
       with:
-        node-version: 18
+        node-version: 20.10.0
         cache: "yarn"
 
     - name: Install project dependencies

diff --git a/.yarnrc b/.yarnrc
@@ -0,0 +1 @@
+ignore-scripts true
diff --git a/package.json b/package.json
@@ -17,7 +17,7 @@
     "prettier-plugin-solidity": "^1.1.3",
     "tsconfig": "*",
     "turbo": "latest",
-    "@changesets/cli": "^2.26.2"
+    "@changesets/cli": "2.26.2"
   },
   "name": "zora-protocol",
   "packageManager": "[email protected]",

diff --git a/packages/1155-contracts/package.json b/packages/1155-contracts/package.json
@@ -13,7 +13,7 @@
     "test-gas": "forge test --gas-report",
     "prettier:check": "prettier --check 'src/**/*.sol' 'test/**/*.sol' 'package/**/*.ts' 'wagmi.config.ts'",
     "prettier": "prettier --write 'src/**/*.sol' 'test/**/*.sol' 'package/**/*.ts' 'script/**/*.ts' 'wagmi.config.ts'",
-    "copy-abis": "tsx script/bundle-abis.ts",
+    "copy-abis": "yarn tsx script/bundle-abis.ts",
     "lint": "yarn run prettier:check",
     "coverage": "forge coverage --report lcov",
     "write-gas-report": "forge test --gas-report > gasreport.ansi",
@@ -36,24 +36,22 @@
     "_imagine/"
   ],
   "dependencies": {
-    "@openzeppelin/contracts": "4.9.2",
-    "@zoralabs/openzeppelin-contracts-upgradeable": "4.8.4",
-    "@zoralabs/protocol-rewards": "*",
-    "ds-test": "https://github.com/dapphub/ds-test#cd98eff28324bfac652e63a239a60632a761790b",
+    "solmate": "6.1.0",
     "forge-std": "https://github.com/foundry-rs/forge-std#705263c95892a906d7af65f0f73ce8a4a0c80b80",
-    "solady": "^0.0.123",
-    "solmate": "^6.1.0"
+    "ds-test": "https://github.com/dapphub/ds-test#cd98eff28324bfac652e63a239a60632a761790b",
+    "@zoralabs/protocol-rewards": "*",
+    "@zoralabs/openzeppelin-contracts-upgradeable": "4.8.4",
+    "@openzeppelin/contracts": "4.9.2"
   },
   "devDependencies": {
-    "@wagmi/cli": "^1.0.1",
+    "zoralabs-tsconfig": "*",
+    "typescript": "^5.2.2",
     "tsx": "^3.13.0",
+    "tsup": "^7.2.0",
     "glob": "^10.2.2",
-    "prettier": "^2.8.8",
     "es-main": "^1.2.0",
-    "prettier-plugin-solidity": "^1.1.3",
+    "@wagmi/cli": "^1.0.1",
     "@types/node": "^20.1.2",
-    "tsup": "^7.2.0",
-    "zoralabs-tsconfig": "*",
-    "typescript": "^5.2.2"
+    "@lavamoat/preinstall-always-fail": "2.0.0"
   }
 }
diff --git a/packages/1155-contracts/script/bundle-abis.ts b/packages/1155-contracts/script/bundle-abis.ts
@@ -96,7 +96,7 @@ async function saveContractsAbisJson(contracts: { abi: any; name: string }[]) {
       const abiJsonPath = `${abisFolder}/${contract.name}.json`;
 
       await fs.writeFile(abiJsonPath, abiJson);
-    })
+    }),
   );
 }
 

diff --git a/packages/protocol-deployments/package.json b/packages/protocol-deployments/package.json
@@ -21,26 +21,25 @@
     "link-contracts": "cd ../../ && rm -rf ./node_modules && yarn"
   },
   "dependencies": {
-    "@zoralabs/zora-1155-contracts": "*",
-    "ds-test": "https://github.com/dapphub/ds-test#cd98eff28324bfac652e63a239a60632a761790b",
+    "solmate": "6.1.0",
     "forge-std": "https://github.com/foundry-rs/forge-std#705263c95892a906d7af65f0f73ce8a4a0c80b80",
-    "solmate": "^6.1.0"
+    "ds-test": "https://github.com/dapphub/ds-test#cd98eff28324bfac652e63a239a60632a761790b",
+    "@zoralabs/zora-1155-contracts": "*"
   },
   "devDependencies": {
-    "@turnkey/api-key-stamper": "^0.1.1",
-    "@turnkey/http": "^1.2.0",
-    "@turnkey/viem": "^0.2.4",
-    "viem": "1.19.15",
-    "@types/node": "^20.1.2",
-    "@wagmi/cli": "^1.0.1",
-    "es-main": "^1.2.0",
-    "glob": "^10.2.2",
-    "prettier": "^2.8.8",
-    "prettier-plugin-solidity": "^1.1.3",
-    "solady": "^0.0.132",
-    "tsup": "^7.2.0",
-    "tsx": "^3.13.0",
     "zoralabs-tsconfig": "*",
-    "typescript": "^5.2.2"
+    "viem": "^1.19.15",
+    "typescript": "^5.2.2",
+    "tsx": "^3.13.0",
+    "tsup": "^7.2.0",
+    "solady": "0.0.132",
+    "glob": "^10.2.2",
+    "es-main": "^1.2.0",
+    "@wagmi/cli": "^1.0.1",
+    "@types/node": "^20.1.2",
+    "@turnkey/viem": "^0.4.4",
+    "@turnkey/http": "^2.5.1",
+    "@turnkey/api-key-stamper": "^0.3.1",
+    "@lavamoat/preinstall-always-fail": "2.0.0"
   }
 }
diff --git a/packages/protocol-deployments/package/batchPublish.test.ts b/packages/protocol-deployments/package/batchPublish.test.ts
@@ -171,7 +171,7 @@ function parseCreate1155Receipt(receipt: TransactionReceipt): {
     .filter(Boolean);
 
   const updatedTokenEvents = parsedLog.filter(
-    (log) => log?.eventName === "UpdatedToken"
+    (log) => log?.eventName === "UpdatedToken",
   );
   const lastUpdatedTokenEvent =
     updatedTokenEvents[updatedTokenEvents.length - 1];
@@ -277,7 +277,7 @@ describe("Zora1155", () => {
 
       const encodedParams = encodeAbiParameters(
         [{ type: "address", name: "address" }],
-        [collectorAccount]
+        [collectorAccount],
       );
 
       const zoraMintFee = parseEther("0.000777");
@@ -308,7 +308,7 @@ describe("Zora1155", () => {
 
       expect(
         (await publicClient.waitForTransactionReceipt({ hash: mintCall }))
-          .status
+          .status,
       ).toBe("success");
 
       // check balance of token
@@ -322,6 +322,6 @@ describe("Zora1155", () => {
       expect(tokenBalance).toBe(quantityToMint);
     },
     // 10 second timeout
-    10 * 1000
+    10 * 1000,
   );
 });
diff --git a/packages/protocol-deployments/script/copy-deployed-contracts.ts b/packages/protocol-deployments/script/copy-deployed-contracts.ts
@@ -1,5 +1,6 @@
 import { writeFile, readFile } from "fs/promises";
 import esMain from "es-main";
+// @ts-ignore
 import { glob } from "glob";
 
 type Deploy = {
@@ -12,35 +13,40 @@ async function copyEnvironmentRunFiles() {
   const latestFiles = await glob(`broadcast/**/*run-latest.json`);
 
   const allFileContents = await Promise.all(
-    latestFiles.map(async (file) => {
+    latestFiles.map(async (file: string) => {
       const fileParts = file.split("/");
       const chainId = fileParts[fileParts.length - 2];
       return {
         chainId,
         contents: JSON.parse(await readFile(file, "utf-8")) as Deploy,
       };
-    })
+    }),
   );
 
-  const groupedByChainId = allFileContents.reduce((acc, file) => {
-    const chainId = file.chainId!;
-    if (isNaN(Number(chainId))) return acc;
+  const groupedByChainId = allFileContents.reduce(
+    (acc: any, file: any) => {
+      const chainId = file.chainId!;
+      if (isNaN(Number(chainId))) return acc;
 
-    if (!acc[chainId]) {
-      acc[chainId] = [];
-    }
-    acc[chainId]!.push(file.contents);
-    return acc;
-  }, {} as Record<string, Deploy[]>);
+      if (!acc[chainId]) {
+        acc[chainId] = [];
+      }
+      acc[chainId]!.push(file.contents);
+      return acc;
+    },
+    {} as Record<string, Deploy[]>,
+  );
 
   const withLatest = Object.entries(groupedByChainId).map(
-    ([chainId, files]) => {
-      const latest = files.sort((a, b) => b.timestamp! - a.timestamp!)[0];
+    ([chainId, files]: any) => {
+      const latest = files.sort(
+        (a: any, b: any) => b.timestamp! - a.timestamp!,
+      )[0];
       return {
         chainId,
         latest,
       };
-    }
+    },
   );
 
   withLatest.forEach(async ({ chainId, latest }) => {
@@ -55,8 +61,8 @@ async function copyEnvironmentRunFiles() {
           commit: latest!.commit,
         },
         null,
-        2
-      )
+        2,
+      ),
     );
   });
 }

diff --git a/packages/protocol-deployments/script/signDeploymentTransactions.ts b/packages/protocol-deployments/script/signDeploymentTransactions.ts
@@ -39,11 +39,11 @@ async function signAndSaveSignatures({
 }) {
   const configFolder = path.resolve(
     __dirname,
-    `../deterministicConfig/${proxyName}/`
+    `../deterministicConfig/${proxyName}/`,
   );
   const configFile = path.join(configFolder, "params.json");
   const deterministicDeployConfig = JSON.parse(
-    await readFile(configFile, "utf-8")
+    await readFile(configFile, "utf-8"),
   );
 
   const deploymentConfig: DeterministicDeploymentConfig = {
@@ -66,19 +66,22 @@ async function signAndSaveSignatures({
           deterministicDeploymentConfig: deploymentConfig,
         }),
       };
-    })
+    }),
   );
 
   // aggregate above to object of key value pair indexed by chain id as number:
-  const byChainId = signedConfigs.reduce((acc, { chainId, signature }) => {
-    acc[chainId] = signature;
-    return acc;
-  }, {} as { [key: number]: string });
+  const byChainId = signedConfigs.reduce(
+    (acc, { chainId, signature }) => {
+      acc[chainId] = signature;
+      return acc;
+    },
+    {} as { [key: number]: string },
+  );
 
   // write as json to ../deterministicConfig/factoryDeploySignatures.json:
   await writeFile(
     path.join(configFolder, "signatures.json"),
-    JSON.stringify(byChainId, null, 2)
+    JSON.stringify(byChainId, null, 2),
   );
 }
 
@@ -96,11 +99,11 @@ async function signAndSaveUpgradeGate({
 }) {
   const configFolder = path.resolve(
     __dirname,
-    `../deterministicConfig/${proxyName}/`
+    `../deterministicConfig/${proxyName}/`,
   );
   const configFile = path.join(configFolder, "params.json");
   const deterministicDeployConfig = JSON.parse(
-    await readFile(configFile, "utf-8")
+    await readFile(configFile, "utf-8"),
   );
 
   const deploymentConfig: GenericDeploymentConfiguration = {
@@ -135,25 +138,28 @@ async function signAndSaveUpgradeGate({
           initCall,
         }),
       };
-    })
+    }),
   );
 
   // aggregate above to object of key value pair indexed by chain id as number:
-  const byChainId = signedConfigs.reduce((acc, { chainId, signature }) => {
-    acc[chainId] = signature;
-    return acc;
-  }, {} as { [key: number]: string });
+  const byChainId = signedConfigs.reduce(
+    (acc, { chainId, signature }) => {
+      acc[chainId] = signature;
+      return acc;
+    },
+    {} as { [key: number]: string },
+  );
 
   // write as json to ../deterministicConfig/factoryDeploySignatures.json:
   await writeFile(
     path.join(configFolder, "signatures.json"),
-    JSON.stringify(byChainId, null, 2)
+    JSON.stringify(byChainId, null, 2),
   );
 }
 
 const getChainConfigs = async () => {
   const chainConfigsFiles = await glob(
-    path.resolve(__dirname, "../chainConfigs/*.json")
+    path.resolve(__dirname, "../chainConfigs/*.json"),
   );
 
   const chainConfigs = await Promise.all(
@@ -167,15 +173,15 @@ const getChainConfigs = async () => {
         chainId,
         owner: fileContents["FACTORY_OWNER"]! as Address,
       };
-    })
+    }),
   );
 
   return chainConfigs;
 };
 
 const getFactoryImplConfigs = async () => {
   const addresseFiles = await glob(
-    path.resolve(__dirname, "../addresses/*.json")
+    path.resolve(__dirname, "../addresses/*.json"),
   );
 
   const chainConfigs = await Promise.all(
@@ -195,15 +201,15 @@ const getFactoryImplConfigs = async () => {
         implementationAddress: fileContents["FACTORY_IMPL"] as Address,
         owner: chainConfig["FACTORY_OWNER"] as Address,
       };
-    })
+    }),
   );
 
   return chainConfigs;
 };
 
 const getPreminterImplConfigs = async () => {
   const addresseFiles = await glob(
-    path.resolve(__dirname, "../addresses/*.json")
+    path.resolve(__dirname, "../addresses/*.json"),
   );
 
   const chainConfigs = await Promise.all(
@@ -223,7 +229,7 @@ const getPreminterImplConfigs = async () => {
         implementationAddress: fileContents["PREMINTER_IMPL"] as Address,
         owner: chainConfig["FACTORY_OWNER"] as Address,
       };
-    })
+    }),
   );
 
   return chainConfigs.filter((x) => x.implementationAddress !== undefined);
@@ -240,14 +246,14 @@ async function main() {
     new ApiKeyStamper({
       apiPublicKey: process.env.TURNKEY_API_PUBLIC_KEY!,
       apiPrivateKey: process.env.TURNKEY_API_PRIVATE_KEY!,
-    })
+    }),
   );
 
   // Create the Viem custom account
   const turnkeyAccount = await createAccount({
     client: httpClient,
     organizationId: process.env.TURNKEY_ORGANIZATION_ID!,
-    privateKeyId: process.env.TURNKEY_PRIVATE_KEY_ID!,
+    signWith: process.env.TURNKEY_PRIVATE_KEY_ID!,
     // optional; will be fetched from Turnkey if not provided
     ethereumAddress: process.env.TURNKEY_TARGET_ADDRESS!,
   });

diff --git a/packages/protocol-deployments/wagmi.config.ts b/packages/protocol-deployments/wagmi.config.ts
@@ -43,7 +43,7 @@ const getAddresses = () => {
 
   for (const addressesFile of addressesFiles) {
     const jsonAddress = JSON.parse(
-      readFileSync(`./addresses/${addressesFile}`, "utf-8")
+      readFileSync(`./addresses/${addressesFile}`, "utf-8"),
     ) as {
       FIXED_PRICE_SALE_STRATEGY: Address;
       MERKLE_MINT_SALE_STRATEGY: Address;

diff --git a/packages/protocol-rewards/.yarnrc b/packages/protocol-rewards/.yarnrc
@@ -0,0 +1 @@
+ignore-scripts true
-Original file line number
+Diff line change
@@ Expand Up @@
           const abiJsonPath = `${abisFolder}/${contract.name}.json`;
           await fs.writeFile(abiJsonPath, abiJson);
-        })
+        }),
       );
     }
@@ Expand Down @@