search

foundry-rs / foundry

Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.
https://getfoundry.sh
Apache License 2.0
8.13k stars 1.69k forks source link

bug(linking): unused libraries may be deployed #6215

Open klkvr opened 10 months ago

klkvr commented 10 months ago

Component

Forge

Describe the feature you would like

Right now unused libraries may be deployed even if there is no usage of them outside of broadcasting:

This happens because from perspective of Solidity compiler, script contract depends on all libraries which are used in it regardeless of part of code they are used in.

One possible solution is as follows:

  1. After script simulation, go through all CREATE's and match bytecodes to artifacts.
  2. Determine which libraries are actually going to be used in newly created contracts. This can be done via existing code for dependency resolution
  3. If any unnecessary libraries are found, recompile the code and rerun the script, predeploying only the necessary libraries. This step is necessary because modifying the pre-deployed libraries list affects the sender nonce. All other libraries can be injected by some way similar to what vm.etch does

This approach has several drawbacks:

  1. Current code matching bytecode to artifacts uses diff_score which may result in false positives/negatives in some cases. Right now such fails are accepted because they are only affecting verification and trace decoding. However, in case of library linking it becomes much more dangerous as it may lead to contracts being deployed without needed libraries
  2. Recompiling code and re-running script with new libraries is pretty expensive.

Would be happy to get other opinions on this

Additional context

No response

mattsse commented 10 months ago

yeah this entire thing is giga cursed atm...

this needs a proper rewrite