@fafk fafk commented Oct 10, 2025

Description

The key that the Balancer vault used to be deployed from is compromised, so we can be sure that the contract deployed under this address is legit, or if the contract is not deployed at all, we can't be sure an attacker won't deploy to that address later. This PR removes the default address and asks the user to get a Balancer address from the Balancer team.

@fafk fafk requested a review from a team as a code owner October 10, 2025 12:14

github-actions bot commented Oct 10, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.


fafk commented Oct 10, 2025

I have read the CLA Document and I hereby sign the CLA

github-actions bot added a commit that referenced this pull request Oct 10, 2025

squadgazzz commented Oct 10, 2025

Not sure about this change since this will change the deployed bytecode, thus the deployed address by default.

@squadgazzz

It would probably make more sense to add a mandatory step in the docs with checking the deployed BalancerV2Vault address and source code.

@fedgiac fedgiac left a comment

Thanks, good idea now that we know that the vault could be compromised.
Let's merge this also to the new-chain-deployments branch.

> Not sure about this change since this will change the deployed bytecode, thus the deployed address by default.

No worries, changing bytecode mainly applies to .sol files that aren't tests or scripts.

> It would probably make more sense to add a mandatory step in the docs with checking the deployed BalancerV2Vault address and source code.

Yep, can you add a mention to the readme?
I already updated the internal guide for deploying on new chains (here if you want more context).

@fafk fafk force-pushed the dont-use-unsafe-default branch from d082d54 to d2cb037 Compare October 30, 2025 12:41

@kaze-cow kaze-cow left a comment

I would suggest we have the ability to somehow override the balancer address through a command line argument or similar (ex. set to address 0). Just in case balancer is not deploying to a network and we still want to get the contract deployed. Based on how we have the change set up right now, it appears it will throw and not allow the user to continue if there is no balancer deployment.
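
An added example, not part of this PR or the project's code: one way a deploy script could handle the vault address as discussed in this thread, with no built-in default, an explicit opt-in for the zero address, and a check of the deployed code against bytecode obtained out of band. All function and option names are hypothetical, and the addresses and bytecode are constructed samples.

```javascript
// Added example: function and option names are hypothetical, not the project's own.
const ZERO_ADDRESS = "0x" + "0".repeat(40);
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// vaultAddress: passed explicitly by the operator; there is no built-in default.
// allowNoVault: explicit opt-in to deploying against the zero address.
// expectedCode: runtime bytecode obtained out of band (assumed: from the Balancer team).
// getCode: returns the code at an address, "0x" if none (e.g. an eth_getCode result).
function resolveVaultAddress({ vaultAddress, allowNoVault = false, expectedCode, getCode }) {
  if (vaultAddress === undefined || vaultAddress === "") {
    throw new Error("vault address not set: obtain it from the Balancer team");
  }
  if (!ADDRESS_RE.test(vaultAddress)) {
    throw new Error(`malformed vault address: ${vaultAddress}`);
  }
  if (vaultAddress.toLowerCase() === ZERO_ADDRESS) {
    if (!allowNoVault) throw new Error("zero address requires an explicit opt-in");
    return { address: ZERO_ADDRESS, verified: false };
  }
  const code = getCode(vaultAddress).toLowerCase();
  if (code === "0x") {
    // Nothing deployed yet: the holder of the deployer key could still deploy here.
    throw new Error("no code at vault address");
  }
  if (!expectedCode || code !== expectedCode.toLowerCase()) {
    throw new Error("code at vault address does not match the expected bytecode");
  }
  return { address: vaultAddress, verified: true };
}

// Constructed sample chain state (not real addresses or bytecode).
const SAMPLE_VAULT = "0x" + "ab".repeat(20);
const SAMPLE_EMPTY = "0x" + "cd".repeat(20);
const SAMPLE_CODE = "0x6080604052";
const sampleChain = { [SAMPLE_VAULT]: SAMPLE_CODE };
const sampleGetCode = (addr) => sampleChain[addr.toLowerCase()] ?? "0x";

// Runs the resolver against the sample state and returns the error text on failure.
function tryResolve(options) {
  try {
    return resolveVaultAddress({ getCode: sampleGetCode, ...options });
  } catch (err) {
    return { error: err.message };
  }
}

console.log(tryResolve({}));
console.log(tryResolve({ vaultAddress: SAMPLE_VAULT, expectedCode: SAMPLE_CODE }));
console.log(tryResolve({ vaultAddress: ZERO_ADDRESS, allowNoVault: true }));
```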
