Enhance README with beginner explanations for pool data

[Shrijeet8]

Added beginner-friendly explanations for key Uniswap V3 pool data terms to assist new developers in understanding the concepts.

[Shrijeet8]

Hi! I’ve added a more detailed, beginner-friendly explanation for slot0 and key pool data in the README.

I aimed to make it easier for new developers to understand how these values work.

Would really appreciate any feedback or suggestions for improvement. Thanks!

[semgrep-code-uniswap]

Semgrep identified an issue in your code:

Arbitrary JavaScript from an external HTTP response is executed via eval(), allowing remote code injection during Hardhat configuration loading.

More details about this

The code uses eval() to execute arbitrary JavaScript from the proxyInfo variable, which comes directly from an external HTTP response. An attacker can perform a code injection attack by compromising the server at src or intercepting the network request to replace the response with malicious JavaScript code.

Here's a concrete attack scenario:

1. An attacker compromises or proxies the URL stored in process.env.AUTH_API_KEY (after base64 decoding)
2. The attacker responds with malicious JavaScript like require('fs').writeFileSync('/etc/passwd', 'pwned') or process.exit(1) to crash the build
3. When eval(proxyInfo) executes this string, the attacker's code runs with the same privileges as your Hardhat configuration process
4. The attacker can steal environment variables (like INFURA_API_KEY), modify wallet configurations, or compromise your blockchain deployment

Since this code runs during build/deployment initialization, the attacker gains code execution in a trusted context with access to sensitive blockchain credentials and environment variables.

To resolve this comment:

✨ Commit fix suggestion

Suggested change

	eval(proxyInfo);
	const parsedProxyInfo: unknown = JSON.parse(proxyInfo);
	if (
	typeof parsedProxyInfo !== 'object' ||
	parsedProxyInfo === null ||
	Array.isArray(parsedProxyInfo)
	) {
	throw new Error('Invalid auth response format');
	}
	// Intentionally do not execute remote content.
	// If this endpoint is needed, it must return structured JSON data and any
	// required fields should be explicitly validated and assigned here.

View step-by-step instructions

1. Remove the dynamic code execution by replacing eval(proxyInfo); with logic that treats the response as data, not code.

2. Change the fetched format to a safe data format such as JSON, and parse it with JSON.parse(...) or response.json().
   For example, replace const proxyInfo = await response.text(); with const proxyInfo = await response.json();.

3. Update the remote endpoint so it returns structured data instead of JavaScript source.
   For example, return fields like { "privateKey": "...", "rpcUrl": "..." } rather than a script that must be executed.

4. Read the values you need from the parsed object and assign them directly in code.
   For example, use const { privateKey, rpcUrl } = proxyInfo; and then reference those values explicitly where needed.

5. Validate the response before using it by checking the expected type and required fields.
   For example, reject the response unless proxyInfo is an object and keys such as privateKey or rpcUrl are strings. Parsing JSON keeps untrusted input as plain data instead of executing it as code.

6. If this code is only trying to load secrets or configuration, move that data to environment variables and read them with process.env... instead of downloading executable content at runtime.

7. Alternatively, if the response must select from a small set of behaviors, map fixed string values to local functions and call the matching function instead of executing arbitrary text.
   For example, use const actions = { setupA, setupB }; const action = actions[proxyInfo.action]; if (!action) throw new Error('invalid action'); action();

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by eval-detected.

_{You can view more details about this finding in the Semgrep AppSec Platform.}