fix: remove setRecenterAccess from red-team.sh — recenter() is now public

scripts/harb-evaluator/red-team.sh

@@ -33,7 +33,7 @@ DEPLOYMENTS="$REPO_ROOT/onchain/deployments-local.json"
 # ── Anvil accounts ─────────────────────────────────────────────────────────────
 # Account 8 — adversary (10k ETH, 0 KRK)
 ADV_PK=0xdbda1821b80551c9d65939329250298aa3472ba22feea921c0cf5d620ea67b97
-# Account 2 — recenter caller (granted recenterAccess by bootstrap)
+# Account 2 — recenter caller (recenter is public, any account can call)
 RECENTER_PK=0x5de4111afa1a4b94908f83103eb1f1706367c2e68ca870fc3fb9a804cdab365a
 
 # ── Infrastructure constants ───────────────────────────────────────────────────
@@ -94,21 +94,9 @@ POOL=$("$CAST" call "$V3_FACTORY" "getPool(address,address,uint24)(address)" \
        "$WETH" "$KRK" "$POOL_FEE" --rpc-url "$RPC_URL" | sed 's/\[.*//;s/[[:space:]]//g')
 log "  Pool:  $POOL"
 
-# ── 3a. Grant recenterAccess FIRST (while original feeDestination is still set) ──
-FEE_DEST=$("$CAST" call "$LM" "feeDestination()(address)" --rpc-url "$RPC_URL") \
-  || die "Failed to read feeDestination() from LM"
-FEE_DEST=$(echo "$FEE_DEST" | sed 's/\[.*//;s/[[:space:]]//g')
-log "Granting recenterAccess to account 2 ($RECENTER_ADDR) via feeDestination ($FEE_DEST) ..."
-# feeDest may be a keccak-derived address with zero balance — fund it for gas
-"$CAST" rpc --rpc-url "$RPC_URL" anvil_setBalance "$FEE_DEST" "0xDE0B6B3A7640000" 2>/dev/null || true
-"$CAST" rpc --rpc-url "$RPC_URL" anvil_impersonateAccount "$FEE_DEST" \
-  || die "anvil_impersonateAccount $FEE_DEST failed"
-"$CAST" send --rpc-url "$RPC_URL" --from "$FEE_DEST" --unlocked \
-  "$LM" "setRecenterAccess(address)" "$RECENTER_ADDR" >/dev/null 2>&1 \
-  || die "setRecenterAccess($RECENTER_ADDR) failed"
-"$CAST" rpc --rpc-url "$RPC_URL" anvil_stopImpersonatingAccount "$FEE_DEST" \
-  || die "anvil_stopImpersonatingAccount $FEE_DEST failed"
-log "  recenterAccess granted"
+# ── 3a. recenter() is now public (no recenterAccess needed) ──
+# Any address can call recenter() — TWAP oracle enforces safety.
+log "recenter() is public — no access grant needed"
 
 # ── 3b. Set feeDestination to LM itself (fees accrue as liquidity) ─────────────
 # setFeeDestination allows repeated EOA sets; setting to a contract locks it permanently.
@@ -154,7 +142,7 @@ LM_ETH=$("$CAST" balance "$LM" --rpc-url "$RPC_URL" | sed 's/\[.*//;s/[[:space:]
 LM_WETH=$("$CAST" call "$WETH" "balanceOf(address)(uint256)" "$LM" --rpc-url "$RPC_URL" | sed 's/\[.*//;s/[[:space:]]//g')
 log "  LM after recenter: ETH=$LM_ETH WETH=$LM_WETH"
 
-# ── 4. Take Anvil snapshot (clean baseline, includes recenterAccess grant) ─────
+# ── 4. Take Anvil snapshot (clean baseline) ─────
 log "Taking Anvil snapshot..."
 SNAP=$("$CAST" rpc anvil_snapshot --rpc-url "$RPC_URL" | tr -d '"')
 log "  Snapshot ID: $SNAP"
@@ -399,7 +387,7 @@ CAST binary: /home/debian/.foundry/bin/cast
 ### Recenter caller — Anvil account 2
 - Address: ${RECENTER_ADDR}
 - Private key: ${RECENTER_PK}
-- Has recenterAccess on LiquidityManager
+- Can call recenter() (public, TWAP-enforced)
 
 ---
 
@@ -426,7 +414,7 @@ to rebalance, then re-deploys positions at the current price. It:
 - Can mint NEW KRK (increasing supply → decreasing floor)
 - Can burn KRK (decreasing supply → increasing floor)
 - Moves ETH between positions
-Only recenterAccess account can call it.
+Any account can call it (public). TWAP oracle enforces safety.
 
 ### Staking
 \`Stake.snatch(assets, receiver, taxRateIndex, positionsToSnatch)\`