2026 02 05 audit #24

Merged
thedavidmeister merged 19 commits into main from 2026-02-05-audit
Feb 10, 2026

@thedavidmeister thedavidmeister commented Feb 10, 2026

Motivation

Solution

Checks

By submitting this for review, I'm confirming I've done the following:

  • made this PR as small as possible
  • unit-tested any new functionality
  • linked any relevant issues or PRs
  • included screenshots (if this involves a front-end change)

Summary by CodeRabbit

  • New Features

    • Added multi-network deployment support for Arbitrum, Base, Flare, and Polygon.
  • Chores

    • Updated library dependencies and submodule references.
    • Refactored deployment infrastructure for improved multi-network capability.
    • Enhanced CI/CD workflows with updated deployment automation.
    • Updated configuration settings for multi-chain operations.
    • Updated gas performance metrics.
  • Tests

    • Added deployment verification tests.

coderabbitai bot commented Feb 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This change introduces the rain.deploy submodule, refactors the deployment script to use LibRainDeploy for multi-network deployment, adds a new LibCloneFactoryDeploy library with deployment constants, updates CI workflows to use forge-based commands, and updates submodule references and foundry configuration accordingly.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Submodule Management: .gitmodules, lib/rain.deploy, lib/forge-std, lib/rain.extrospection | Added new rain.deploy submodule; updated forge-std commit reference; added rain.deploy submodule pointer; updated rain.extrospection commit reference. |
| Deployment Library: src/lib/LibCloneFactoryDeploy.sol | New library defining CloneFactory deployment constants: CLONE_FACTORY_DEPLOYED_ADDRESS and CLONE_FACTORY_DEPLOYED_CODEHASH. |
| Deployment Scripts & Configuration: script/Deploy.sol, foundry.toml, .github/workflows/manual-sol-artifacts.yaml | Refactored Deploy.sol to use LibRainDeploy.deployAndBroadcastToSupportedNetworks; added rain.deploy remapping, bytecode hashing config, and per-network RPC/Etherscan settings to foundry.toml; replaced nix-based workflow with forge-based commands (forge selectors, forge script). |
| Workflow & Environment Configuration: .github/workflows/rainix.yaml, .gitignore | Added CI_FORK_ETH_RPC_URL environment variable to rainix workflow; added .env to gitignore. |
| Tests: test/src/lib/LibCloneFactoryDeploy.t.sol, test/src/concrete/CloneFactory.t.sol | New test file validating CloneFactory deployment via LibRainDeploy; updated import path for LibExtrospectERC1167Proxy in existing test. |
| Gas Metrics: .gas-snapshot | Updated gas benchmark values for six CloneFactoryCloneTest entries. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • extrospection bump #23: Updates the lib/rain.extrospection submodule pointer to match the commit reference change in this PR.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title '2026 02 05 audit' is vague and generic, using a date format that does not convey meaningful information about the actual changes. | Replace the date-based title with a descriptive summary of the main changes, such as 'Integrate rain.deploy submodule and refactor deployment script' or similar. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🤖 Fix all issues with AI agents
In `@lib/forge-std`:
- Line 1: Replace the placeholder zero values in LibCloneFactoryDeploy by
setting the constants CLONE_FACTORY_DEPLOYED_ADDRESS and
CLONE_FACTORY_DEPLOYED_CODEHASH to the actual deployed clone factory address and
its runtime bytecode keccak256 hash; open the LibCloneFactoryDeploy contract
(symbol: LibCloneFactoryDeploy) and update the constants
CLONE_FACTORY_DEPLOYED_ADDRESS and CLONE_FACTORY_DEPLOYED_CODEHASH with the real
address and bytes32 codehash from the deployed clone factory instance (compute
codehash with keccak256 on the deployed runtime bytecode), then verify usage
sites that rely on these constants still function correctly.

In `@script/Deploy.sol`:
- Around line 25-28: Remove the commented-out dead deployment code block: delete
the unused commented lines referencing vm.startBroadcast(deployerPrivateKey),
CloneFactory cloneFactory = new CloneFactory(), the standalone (cloneFactory);
statement, and vm.stopBroadcast(); so the file no longer contains leftover
commented deployment logic related to vm.startBroadcast, deployerPrivateKey,
CloneFactory, and vm.stopBroadcast before merging.
- Around line 20-21: The constants
LibCloneFactoryDeploy.CLONE_FACTORY_DEPLOYED_ADDRESS and
LibCloneFactoryDeploy.CLONE_FACTORY_DEPLOYED_CODEHASH are still zero
placeholders which can cause deployAndBroadcastToSupportedNetworks (or any
validation/skip logic) to treat the factory as undeployed or target address(0);
update LibCloneFactoryDeploy to set the real deployed factory address and actual
codehash (replace address(0) and bytes32(0) with the correct on-chain values),
or add a runtime guard in deployAndBroadcastToSupportedNetworks to detect
placeholder values and fail/skip deployment until the real values are provided;
reference CLONE_FACTORY_DEPLOYED_ADDRESS, CLONE_FACTORY_DEPLOYED_CODEHASH and
deployAndBroadcastToSupportedNetworks when making the fix.
- Around line 14-23: Import the missing libraries and replace the zero-value
deploy constants: add imports for LibRainDeploy and LibCloneFactoryDeploy at the
top of the file, and update the call to
LibRainDeploy.deployAndBroadcastToSupportedNetworks to use valid values for
LibCloneFactoryDeploy.CLONE_FACTORY_DEPLOYED_ADDRESS and
LibCloneFactoryDeploy.CLONE_FACTORY_DEPLOYED_CODEHASH (or compute/resolve them
at runtime) instead of address(0)/bytes32(0); specifically, ensure
LibRainDeploy.deployAndBroadcastToSupportedNetworks and the
LibCloneFactoryDeploy constants are available by importing the corresponding
contracts/libraries and provide the actual deployed address/codehash or a
fallback handling before calling the function.

In `@src/lib/LibCloneFactoryDeploy.sol`:
- Around line 1-3: The file LibCloneFactoryDeploy.sol declares a floating pragma
pragma solidity ^0.8.25 while Deploy.sol uses a pinned pragma =0.8.25; update
one of them to match the project's enforced compiler policy so they are
consistent—either change LibCloneFactoryDeploy.sol's pragma to =0.8.25 to pin it
to the same compiler as Deploy.sol or change Deploy.sol to ^0.8.25 if the
project prefers floating versions; adjust the pragma line in
LibCloneFactoryDeploy.sol (and/or Deploy.sol) accordingly to make both
identical.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@script/Deploy.sol`:
- Around line 7-8: Remove the leftover commented-out deployment block mentioned
in the review — delete the commented lines that contain the disabled deployment
code (previously around where LibRainDeploy and LibCloneFactoryDeploy are
imported) so the file contains only active imports and code; ensure no stray
commented deployment calls or placeholder deployment logic remain in the script.

In `@src/lib/LibCloneFactoryDeploy.sol`:
- Around line 5-9: The two zero-valued placeholders
CLONE_FACTORY_DEPLOYED_ADDRESS and CLONE_FACTORY_DEPLOYED_CODEHASH in
LibCloneFactoryDeploy must be replaced with the actual deployed address and
codehash of the clone factory (per chain) after the first deployment so
subsequent runs of LibRainDeploy.deployAndBroadcastToSupportedNetworks() detect
the existing contract and skip redeploying; update the constants in
LibCloneFactoryDeploy (CLONE_FACTORY_DEPLOYED_ADDRESS and
CLONE_FACTORY_DEPLOYED_CODEHASH) to the real on-chain values (or a mapping
per-chain if supported) immediately after initial deployment and commit that
backfill to the repo so redeployments are idempotent.
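
One way to write the placeholder guard and codehash check that the two review comments on the zero-valued CLONE_FACTORY_DEPLOYED_ADDRESS and CLONE_FACTORY_DEPLOYED_CODEHASH constants describe, as an added example that is not code from this PR or from rain.deploy. The library, error and function names are hypothetical, and how LibRainDeploy itself handles these cases is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity =0.8.25;

/// @title LibDeployGuardExample
/// @notice Hypothetical helper (not part of rain.deploy): decides whether a
/// pinned deployment already exists and refuses to run on placeholder values.
library LibDeployGuardExample {
    /// Pinned address or codehash is still the zero placeholder.
    error PlaceholderDeployConstant(address expectedAddress, bytes32 expectedCodehash);

    /// Code exists at the pinned address but is not the expected code.
    error UnexpectedCodehash(address expectedAddress, bytes32 expectedCodehash, bytes32 actualCodehash);

    /// @param expectedAddress Pinned address, e.g. CLONE_FACTORY_DEPLOYED_ADDRESS.
    /// @param expectedCodehash Pinned runtime codehash, e.g. CLONE_FACTORY_DEPLOYED_CODEHASH.
    /// @return deployed True if the expected code is already at the address,
    /// false if the address has no code on this chain and a deployment is needed.
    function isDeployed(address expectedAddress, bytes32 expectedCodehash) internal view returns (bool deployed) {
        // Fail closed on placeholders so a script cannot treat address(0) as
        // a deployment target or silently skip verification.
        if (expectedAddress == address(0) || expectedCodehash == bytes32(0)) {
            revert PlaceholderDeployConstant(expectedAddress, expectedCodehash);
        }

        // No runtime code at the pinned address on this chain: not deployed yet.
        if (expectedAddress.code.length == 0) {
            return false;
        }

        // Code is present, so it must be exactly the expected runtime bytecode.
        // A mismatch means something else occupies the address; do not skip
        // deployment and do not use the address.
        bytes32 actualCodehash = expectedAddress.codehash;
        if (actualCodehash != expectedCodehash) {
            revert UnexpectedCodehash(expectedAddress, expectedCodehash, actualCodehash);
        }
        return true;
    }
}
```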

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@foundry.toml`:
- Around line 34-38: The Flare entry under the [etherscan] table currently only
provides a key (flare = { key = "${CI_DEPLOY_FLARE_ETHERSCAN_API_KEY}" }) but
Foundry needs an explicit Etherscan API URL for Flare; update the flare entry to
include a url field pointing to the Flarescan/Routescan API endpoint (i.e.,
change flare = { key = "..."} to flare = { key = "...", url =
"<Flarescan/Routescan API URL>" }) so contract verification can resolve the
correct API host.

In `@test/src/lib/LibCloneFactoryDeploy.t.sol`:
- Around line 22-26: Rename the misleading test function
testExpectedCodeHashDecimalFloat to a clear name that reflects what it verifies
(for example testExpectedCloneFactoryCodeHash or testCloneFactoryCodeHash);
update the function declaration and any references to the old name, keeping the
body intact where it instantiates CloneFactory and asserts
address(cloneFactory).codehash equals
LibCloneFactoryDeploy.CLONE_FACTORY_DEPLOYED_CODEHASH so the test name matches
the behavior.

@thedavidmeister thedavidmeister merged commit 3fbbf86 into main Feb 10, 2026
4 checks passed