From 0d0838bea035a3a05af84f711878809fc79bf8d2 Mon Sep 17 00:00:00 2001 From: openhands Date: Fri, 13 Mar 2026 16:13:01 +0000 Subject: [PATCH] =?UTF-8?q?lesson:=20fork=20safety=20=E2=80=94=20ERC-4337?= =?UTF-8?q?=20code,=20impersonation,=20chain=20addresses,=20docker=20perms?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- factory/best-practices/dev-agent.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/factory/best-practices/dev-agent.md b/factory/best-practices/dev-agent.md index 03bd4aa..3d2220d 100644 --- a/factory/best-practices/dev-agent.md +++ b/factory/best-practices/dev-agent.md 
@@ -47,3 +47,32 @@ DO NOT try to find the specific PR that closed an issue. This is over-engineerin - The factory itself closes issues after merging, so closed = merged The only check needed: `issue.state == "closed"`. + +## Fork Safety (Base Sepolia / Base Mainnet) + +**ERC-4337 code at well-known addresses.** Base Sepolia (and potentially other L2s) has 23-byte Account Abstraction proxy code at ALL well-known addresses: +- Anvil default mnemonic accounts (0xf39Fd6..., 0x70997...) +- Deterministic addresses (CREATE2 salts, keccak derivations) +- Any address that "looks" like an EOA might actually have code + +This breaks any contract that checks `address.code.length` to distinguish EOAs from contracts. Specifically: `feeDestinationLocked` in LiquidityManager. + +**Fix pattern:** Before deploying on a forked Anvil, strip code from addresses that need to be EOAs: +```bash +cast rpc --rpc-url $RPC anvil_setCode "$ADDRESS" "0x" +``` + +**Impersonated accounts need ETH.** `anvil_impersonateAccount` lets you send from any address, but gas estimation fails if the account has 0 balance: +```bash +cast rpc --rpc-url $RPC anvil_setBalance "$ADDRESS" "0xDE0B6B3A7640000" # 1 ETH +``` + +**Mainnet vs Sepolia addresses differ.** Uniswap V3 contracts have different addresses per chain: +- V3 Factory: `0x33128...` (mainnet) vs `0x4752...` (Sepolia) +- SwapRouter02: `0x2626...` (mainnet) vs `0x94cC...` (Sepolia) +Always verify which chain you're forking before using hardcoded addresses. + +**Docker creates root-owned files.** When forge runs inside a docker container, `cache/`, `out/`, `broadcast/` become root-owned. Subsequent runs as a non-root user fail with permission denied. +```bash +sudo chown -R "$(id -u):$(id -g)" cache out broadcast 2>/dev/null || true +```
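Review bot: The fix pattern under "ERC-4337 code at well-known addresses" only clears code on the local fork, so a `feeDestinationLocked` check that relies on `address.code.length` will pass under Anvil while the same address still carries code on the live chain. The section should state that `anvil_setCode "$ADDRESS" "0x"` is a test-environment workaround, and that the intended fee destination has to be checked for code on the target chain before deployment. The statement that code sits at "ALL well-known addresses" comes with no way to confirm it; a `cast code "$ADDRESS" --rpc-url $RPC` step before stripping would let the reader verify each address. In the Docker paragraph, `2>/dev/null || true` hides a failed `chown`, so the permission-denied error returns on the next run with no hint why; drop the suppression or run the container as the calling user. In the address paragraph, the truncated values (`0x33128...`, `0x4752...`) cannot be copied or checked, so "Always verify which chain you're forking" needs a concrete step, for example comparing `cast chain-id --rpc-url $RPC` against the expected chain before any hardcoded address is used.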