// npm package
@aztec/ethereum
This package provides configuration and code for common chain operations such as contract deployment etc.
versions
1174
maintainers
6
first publish
2023-07-09
publisher
charlielye
tarball
4,353,572 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-06-04
// exfil path
what is read → where it ships
steals
- ● Seed phrase
sends to
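(no destination string extracted — payload may be dynamic / obfuscated, or the package may not send the value anywhere; the static flags alone do not establish a destination)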
evidence in excerpt
> l1RpcUrls: string[];
> export function makeL1HttpTransport(rpcUrls: string[], opts?: { timeout?: number }) {
> return fallback(rpcUrls.map(url => http(url, { batch: false, timeout: opts?.timeout })));
> const chain = createEthereumChain(config.l1RpcUrls, config.l1ChainId);
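> import { spawn } from 'child_process';
Note: the excerpt lines above show an RPC-URL config field, a viem HTTP transport helper and a child_process import; none of them, on its own, shows a seed phrase being read or sent, so the flagged files need to be read in full to confirm the finding.
// publisher campaign by charlielye
9 caught packages from this account
This is not an isolated catch. The same publisher has shipped 8 other packages that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.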
// offending code · @4.3.1 · 3 files flagged
- @4.3.1 · AUTO-PUBLISHED · publisher: charlielye · heuristic 64/100 · static flags 5 · llm skipped
  flags: new-publisher:15d, mature-package, publisher-multi-name-burst:12, publisher-version-pump:13, reads-seed-phrase, reads-env-vars, child-process-spawn, long-base64-literal, hex-decode
  Note: "llm skipped" indicates the 64/100 score rests on static heuristics only; no LLM review stage ran for this entry.
// offending code · 3 files flagged · patterns: 5
--- package/src/client.ts (excerpt) --- import type { Logger } from '@aztec/foundation/log'; import { retryUntil } from '@aztec/foundation/retry'; import { type Chain, type HDAccount, type LocalAccount, type PrivateKeyAccount, createPublicClient, createWalletClient, fallback, http, publicActions, } from 'viem'; import { mnemonicToAccount, privateKeyToAccount } from 'viem/accounts'; import { foundry } from 'viem/chains'; import { createEthereumChain } from './chain.js'; import type { ExtendedViemWalletClient, ViemPublicClient } from './types.js'; type Config = { /** List of URLs of Ethereum RPC nodes that services will connect to (comma separated). */ l1RpcUrls: string[]; /** The chain ID of the ethereum host. */ l1ChainId: number; /** The polling interval viem uses in ms */ viemPollingIntervalMS?: number; /** Timeout for HTTP requests to the L1 RPC node in ms. */ l1HttpTimeoutMS?: number; }; export type { Config as EthereumClientConfig }; /** Creates a viem fallback HTTP transport for the given L1 RPC URLs. */ export function makeL1HttpTransport(rpcUrls: string[], opts?: { timeout?: number }) { return fallback(rpcUrls.map(url => http(url, { batch: false, timeout: opts?.timeout }))); } // TODO: Use these methods to abstract the creation of viem clients. /** Returns a viem public client given the L1 config. 
*/ export function getPublicClient(config: Config): ViemPublicClient { const chain = createEthereumChain(config.l1RpcUrls, config.l1ChainId); return createPublicClien --- package/src/deploy_aztec_l1_contracts.ts (excerpt) --- import { SlotNumber } from '@aztec/foundation/branded-types'; import { SecretValue, getActiveNetworkName } from '@aztec/foundation/config'; import { EthAddress } from '@aztec/foundation/eth-address'; import { jsonStringify } from '@aztec/foundation/json-rpc'; import { createLogger } from '@aztec/foundation/log'; import { promiseWithResolvers } from '@aztec/foundation/promise'; import type { Fr } from '@aztec/foundation/schemas'; import { fileURLToPath } from '@aztec/foundation/url'; import { bn254 } from '@noble/curves/bn254'; import type { Abi, Narrow } from 'abitype'; import { spawn } from 'child_process'; import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'fs'; import { tmpdir } from 'os'; import { dirname, join, resolve } from 'path'; import readline from 'readline'; import type { Hex } from 'viem'; import { mainnet, sepolia } from 'viem/chains'; import { createEthereumChain, isAnvilTestChain } from './chain.js'; import { createExtendedL1Client } from './client.js'; import type { L1ContractsConfig } from './config.js'; import { deployMulticall3 } from './contracts/multicall.js'; import { RollupContract } from './contracts/rollup.js'; import type { L1ContractAddresses } from './l1_contract_addresses.js'; import type { ExtendedViemWalletClient } from './types.js'; const logger = createLogger('ethereum:deploy_aztec_l1_contracts'); const JSON_DEPLOY_RESULT_PREFIX = 'JSON DEPLOY RESULT:'; /** * Runs a process and parses JSON d --- package/src/forwarder_proxy.ts (excerpt) --- /* eslint-disable no-console */ import { EthAddress } from '@aztec/foundation/eth-address'; import type { Logger } from '@aztec/foundation/log'; import { createLogger } from '@aztec/foundation/log'; import { DateProvider } from 
'@aztec/foundation/timer'; import { type Hex, extractChain } from 'viem'; import { anvil, mainnet, sepolia } from 'viem/chains'; import { L1Deployer } from './deploy_l1_contract.js'; import type { ExtendedViemWalletClient } from './types.js'; export const FORWARDER_SOLIDITY_SOURCE = ` contract ForwarderProxy { function forward(address target, bytes calldata data) external payable returns (bytes memory) { (bool success, bytes memory result) = target.call{value: msg.value}(data); require(success, "call failed"); return result; } }`; export const FORWARDER_ABI = [ { inputs: [ { internalType: 'address', name: 'target', type: 'address', }, { internalType: 'bytes', name: 'data', type: 'bytes', }, ], name: 'forward', outputs: [ { internalType: 'bytes', name: '', type: 'bytes', }, ], stateMutability: 'payable', type: 'function', }, ] as const; export const FORWARDER_BYTECODE = '0x6080604052348015600e575f5ffd5b506103bf8061001c5f395ff3fe60806040526004361061001d575f3560e01c80636fadcf7214610021575b5f5ffd5b61003b600480360381019061003691906101d0565b610051565b604051610048919061029d565b60405180910390f35b6060
