fix: red-team.sh and AttackRunner.s.sol still use Base mainnet addresses (#939)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 07:33:54 +00:00 · 2026-03-18 07:33:54 +00:00 · 13f406b5a9
commit 13f406b5a9
parent 79b98feef9
2 changed files with 47 additions and 17 deletions
--- a/onchain/script/backtesting/AttackRunner.s.sol
+++ b/onchain/script/backtesting/AttackRunner.s.sol
@ -151,8 +151,8 @@ contract AttackRunner is Script {

    uint24 internal constant POOL_FEE = 10_000;
    address internal constant WETH = 0x4200000000000000000000000000000000000006;
-    address internal constant SWAP_ROUTER = 0x2626664c2603336E57B271c5C0b26F421741e481;
-    address internal constant NPM_ADDR = 0x03a520B32c04bf3beef7BEb72E919cF822Ed34F3;
+    address internal constant DEFAULT_SWAP_ROUTER = 0x2626664c2603336E57B271c5C0b26F421741e481;
+    address internal constant DEFAULT_NPM_ADDR = 0x03a520B32c04bf3beef7BEb72E919cF822Ed34F3;
    address internal constant V3_FACTORY = 0x33128a8fC17869897dcE68Ed026d694621f6FDfD; // Base mainnet

    // ─── Anvil test accounts ──────────────────────────────────────────────────
@ -164,6 +164,8 @@ contract AttackRunner is Script {

    // ─── Runtime state (populated in run()) ──────────────────────────────────

+    address internal swapRouter;
+    address internal npmAddr;
    address internal advAddr;
    address internal recenterAddr;
    address internal lmAddr;
@ -189,6 +191,10 @@ contract AttackRunner is Script {
    // ─── Entry point ─────────────────────────────────────────────────────────

    function run() external {
+        // Resolve periphery addresses from environment, falling back to mainnet defaults.
+        swapRouter = vm.envOr("SWAP_ROUTER", DEFAULT_SWAP_ROUTER);
+        npmAddr = vm.envOr("NPM_ADDR", DEFAULT_NPM_ADDR);
+
        // Load deployment addresses before broadcast.
        string memory deploymentsPath = _deploymentsPath();
        string memory deployJson = vm.readFile(deploymentsPath);
@ -235,11 +241,11 @@ contract AttackRunner is Script {
        // Wrap most of the adversary's ETH (leave 1 ETH for gas).
        // The adversary starts with 10 000 ETH; wrapping 9 000 covers the heaviest buy sequences.
        IWETH9(WETH).deposit{ value: 9_000 ether }();
-        IERC20(WETH).approve(SWAP_ROUTER, type(uint256).max);
-        IERC20(WETH).approve(NPM_ADDR, type(uint256).max);
-        IERC20(krkAddr).approve(SWAP_ROUTER, type(uint256).max);
+        IERC20(WETH).approve(swapRouter, type(uint256).max);
+        IERC20(WETH).approve(npmAddr, type(uint256).max);
+        IERC20(krkAddr).approve(swapRouter, type(uint256).max);
        IERC20(krkAddr).approve(stakeAddr, type(uint256).max);
-        IERC20(krkAddr).approve(NPM_ADDR, type(uint256).max);
+        IERC20(krkAddr).approve(npmAddr, type(uint256).max);
        vm.stopBroadcast();
    }

@ -292,7 +298,7 @@ contract AttackRunner is Script {
    function _executeBuy(string memory line) internal {
        uint256 amount = vm.parseUint(vm.parseJsonString(line, ".amount"));
        vm.startBroadcast(ADV_PK);
-        ISwapRouter02(SWAP_ROUTER).exactInputSingle(
+        ISwapRouter02(swapRouter).exactInputSingle(
            ISwapRouter02.ExactInputSingleParams({
                tokenIn: WETH,
                tokenOut: krkAddr,
@ -321,7 +327,7 @@ contract AttackRunner is Script {
        for (uint256 i = 0; i < count; i++) {
            // Buy WETH→KRK.
            vm.startBroadcast(ADV_PK);
-            ISwapRouter02(SWAP_ROUTER).exactInputSingle(
+            ISwapRouter02(swapRouter).exactInputSingle(
                ISwapRouter02.ExactInputSingleParams({
                    tokenIn: WETH,
                    tokenOut: krkAddr,
@ -353,7 +359,7 @@ contract AttackRunner is Script {
        uint256 amount = _eq(amtStr, "all") ? IERC20(krkAddr).balanceOf(advAddr) : vm.parseUint(amtStr);
        if (amount == 0) return;
        vm.startBroadcast(ADV_PK);
-        ISwapRouter02(SWAP_ROUTER).exactInputSingle(
+        ISwapRouter02(swapRouter).exactInputSingle(
            ISwapRouter02.ExactInputSingleParams({
                tokenIn: krkAddr,
                tokenOut: WETH,
@ -407,7 +413,7 @@ contract AttackRunner is Script {
        (address t0, address t1) = token0isWeth ? (WETH, krkAddr) : (krkAddr, WETH);

        vm.startBroadcast(ADV_PK);
-        INonfungiblePositionManager(NPM_ADDR).mint(
+        INonfungiblePositionManager(npmAddr).mint(
            INonfungiblePositionManager.MintParams({
                token0: t0,
                token1: t1,
@ -430,11 +436,11 @@ contract AttackRunner is Script {
        uint256 tokenId = vm.parseJsonUint(line, ".tokenId");

        // Read current liquidity for this token.
-        (,,,,,,,uint128 liquidity,,,,) = INonfungiblePositionManager(NPM_ADDR).positions(tokenId);
+        (,,,,,,,uint128 liquidity,,,,) = INonfungiblePositionManager(npmAddr).positions(tokenId);
        if (liquidity == 0) return;

        vm.startBroadcast(ADV_PK);
-        INonfungiblePositionManager(NPM_ADDR).decreaseLiquidity(
+        INonfungiblePositionManager(npmAddr).decreaseLiquidity(
            INonfungiblePositionManager.DecreaseLiquidityParams({
                tokenId: tokenId,
                liquidity: liquidity,
@ -443,7 +449,7 @@ contract AttackRunner is Script {
                deadline: block.timestamp + 3600
            })
        );
-        INonfungiblePositionManager(NPM_ADDR).collect(
+        INonfungiblePositionManager(npmAddr).collect(
            INonfungiblePositionManager.CollectParams({
                tokenId: tokenId,
                recipient: advAddr,