@devin-ai-integration devin-ai-integration bot commented Jan 4, 2026

Summary

Updates the README with the new TestBorrower contract address after redeploying with the security fix from PR #22 (hardening against arbitrary lender injection attacks).

  • Old TestBorrower: 0x53cddbcdee2dc2b756a25307f4810c609b28c3e7 (vulnerable)
  • New TestBorrower: 0x7e13a21ce933a7122a8d1bdf0aeced4ba48ecad6 (fixed)
  • Deploy tx: 0x6fbf0987...

Also added a note that the gas breakdown numbers (85,292) are from the legacy TestBorrower.

Review & Testing Checklist for Human

  • Verify the new TestBorrower address - Confirm 0x7e13a21ce933a7122a8d1bdf0aeced4ba48ecad6 is the correct deployment
  • Verify contract on Etherscan - Automated verification failed due to compiler version mismatch. Run locally:
    forge verify-contract 0x7e13a21ce933a7122a8d1bdf0aeced4ba48ecad6 src/TestBorrower.sol:TestBorrower --etherscan-api-key YOUR_KEY --watch
  • Consider updating gas numbers - The new TestBorrower has additional security checks (expectedLender, expectedAmount validation) which will increase gas usage. A new flash loan tx would give accurate numbers.

Notes

The new TestBorrower includes security hardening from PR #22:

  • Validates msg.sender == expectedLender
  • Validates initiator == address(this)
  • Validates token == USDC
  • Validates amount == expectedAmount

Link to Devin run: https://app.devin.ai/sessions/55585942721f4bcaa48cdfa0c67d9110
Requested by: Player 53627 (github.stagnate430@passmail.com) / @igor53627
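
The four checks listed in the Notes above, sketched as an added Solidity example; this is not the project's TestBorrower or the code from PR #22. It assumes an ERC-3156-style lender and callback, and the contract name, `borrow`, the two interfaces, and the way `expectedLender` / `expectedAmount` are set and cleared are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Assumes an ERC-3156-style lender; names are hypothetical.
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

interface IERC20Minimal {
    function approve(address spender, uint256 value) external returns (bool);
}

contract HardenedBorrowerSketch {
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    address public immutable owner;
    address public immutable usdc;   // the only token this borrower accepts
    address private expectedLender;  // nonzero only while a loan we started is in flight
    uint256 private expectedAmount;

    constructor(address usdc_) {
        owner = msg.sender;
        usdc = usdc_;
    }

    // Record what we are about to request, then clear it once the loan returns.
    function borrow(address lender, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(expectedLender == address(0), "loan in flight");
        expectedLender = lender;
        expectedAmount = amount;
        IFlashLender(lender).flashLoan(address(this), usdc, amount, "");
        expectedLender = address(0);
        expectedAmount = 0;
    }

    // Outside borrow(), expectedLender is address(0), so every caller is rejected.
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata)
        external returns (bytes32)
    {
        require(msg.sender == expectedLender, "unexpected lender");
        require(initiator == address(this), "unexpected initiator");
        require(token == usdc, "unexpected token");
        require(amount == expectedAmount, "unexpected amount");
        // Approval for repayment is granted only after all four checks pass.
        require(IERC20Minimal(token).approve(msg.sender, amount + fee), "approve failed");
        return CALLBACK_SUCCESS;
    }
}
```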

- New TestBorrower: 0x7e13a21ce933a7122a8d1bdf0aeced4ba48ecad6
- Old TestBorrower (0x53cdd...) had arbitrary lender injection vulnerability
- Security fix from PR #22 now deployed on mainnet
- Deploy tx: 0x6fbf09875769de685b2118a130ff0b2c1986df29174bd8c2cb7e28062f420350

Co-Authored-By: Player 53627 <github.stagnate430@passmail.com>
@devin-ai-integration

Original prompt from Player 53627
https://github.com/igor53627/liq/blob/main/research/BALANCER_COMPARISON.md should we update this file? do you need Tenderly keys for test? 

You only need to look in the following repo: igor53627/liq

changeset-bot bot commented Jan 4, 2026

⚠️ No Changeset found

Latest commit: ca3fc18

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

coderabbitai bot commented Jan 4, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

- Updated Finding #1 status to FIXED AND DEPLOYED
- Added new TestBorrower mainnet address (0x7e13a21ce933a7122a8d1bdf0aeced4ba48ecad6)
- Updated Finding #7 status to FIXED

Co-Authored-By: Player 53627 <github.stagnate430@passmail.com>
@igor53627 igor53627 merged commit ed4935e into main Jan 4, 2026
2 checks passed
@igor53627 igor53627 deleted the devin/1767562637-update-testborrower-address branch January 4, 2026 21:44