fix: bootstrap + red-team on forked networks

Bootstrap fixes: - Idempotency check: skip if Kraiken already deployed on Anvil - anvil_setCode to strip ERC-4337 code from deployer + feeDest - DeployLocal.sol: feeDest derived from keccak256('harb.local.feeDest') Red-team fixes: - New bootstrap-light.sh: Anvil-only, ~30s deploy - red-team.sh uses bootstrap-light instead of full docker compose - anvil_setBalance for feeDest before impersonation - forge --color never, path resolution, docker chown Address fixes (all Base mainnet, in both FitnessEvaluator + AttackRunner): - V3_FACTORY: 0x33128a8fC17869897dcE68Ed026d694621f6FDfD - SWAP_ROUTER: 0x2626664c2603336E57B271c5C0b26F421741e481 - NPM_ADDR: 0x03a520b32C04BF3bEEf7BEb72E919cf822Ed34f1
2026-03-13 11:55:22 +00:00 · 2026-03-13 11:55:22 +00:00 · dbf78de793
commit dbf78de793
parent 8607c097eb
5 changed files with 208 additions and 61 deletions
--- a/containers/bootstrap.sh
+++ b/containers/bootstrap.sh
@ -130,7 +130,33 @@ main() {

  bootstrap_log "Waiting for Anvil"
  wait_for_rpc
+
+  # Idempotency: if deployments-local.json exists and contracts have code,
+  # bootstrap already ran against this Anvil instance — skip.
+  local deploy_file="$ONCHAIN_DIR/deployments-local.json"
+  if [[ -f "$deploy_file" ]]; then
+    local krk_addr
+    krk_addr=$(jq -r '.contracts.Kraiken // empty' "$deploy_file" 2>/dev/null || true)
+    if [[ -n "$krk_addr" ]]; then
+      local code
+      code=$(cast call --rpc-url "$ANVIL_RPC" "$krk_addr" "decimals()(uint8)" 2>/dev/null || true)
+      if [[ -n "$code" && "$code" != "0x" ]]; then
+        bootstrap_log "Already bootstrapped (Kraiken at $krk_addr responds) — skipping"
+        return 0
+      fi
+    fi
+  fi
  maybe_set_deployer_from_mnemonic
+
+  # On forked networks, well-known addresses (Anvil mnemonic accounts) may
+  # have code (e.g. ERC-4337 Account Abstraction proxies on Base Sepolia).
+  # The feeDestination lock in LiquidityManager treats any address with code
+  # as a contract and locks permanently. Strip code so they behave as EOAs.
+  bootstrap_log "Clearing code from deployer + feeDest (fork safety)"
+  cast rpc --rpc-url "$ANVIL_RPC" anvil_setCode "$DEPLOYER_ADDR" "0x" 2>/dev/null || true
+  # feeDest = address(uint160(uint256(keccak256("harb.local.feeDest"))))
+  cast rpc --rpc-url "$ANVIL_RPC" anvil_setCode "0x8A9145E1Ea4C4d7FB08cF1011c8ac1F0e10F9383" "0x" 2>/dev/null || true
+
  derive_txnbot_wallet
  run_forge_script
  extract_addresses