feat: predeploys, not era (#465)

uF4No · web-flow · commit ba01e1f4f4ae · 2025-10-29T09:58:18.000Z
# Description

- Adds createX predeploy
- Rewrite security and best practices
- More contracts in protocol ecosystem page

## Linked Issues

N/A

## Additional context

Feedback from Sophon team
diff --git a/content/00.zksync-network/90.security-best-practices.md b/content/00.zksync-network/90.security-best-practices.md
@@ -1,73 +1,75 @@
 ---
 title: Security and best practices
-description:
+description: Guidelines to help you build secure, efficient, and maintainable smart contracts on ZKsync chains powered by the EraVM.
 ---
 
-Before diving into development on ZKsync Era, it's crucial to consider the following recommendations. These best
-practices will help you optimize your code, ensure security, and align with the unique characteristics of ZKsync Era.
+Before developing on a ZKsync chain, review these best practices. Following these recommendations will
+help you optimize performance, maintain security, and align your contracts with the design of the EraVM.
 
-## Use `call` over `.send` or `.transfer`
+## Use `call` instead of `.send` or `.transfer`
 
-Avoid using `payable(addr).send(x)`/`payable(addr).transfer(x)` because the 2300 gas stipend may not be enough
-for such calls, especially if it involves state changes that require a large amount of L2 gas for data. Instead, we recommend using `call`.
+Avoid using `payable(addr).send(x)` or `payable(addr).transfer(x)`.
+These functions only provide a 2300 gas stipend, which may not be enough if the call triggers state changes or other operations that require more L2 gas.
 
-Instead of:
+Use `call` instead.
+
+**Instead of:**
 
 ```solidity
-payable(addr).send(x) // or
-payable(addr).transfer(x)
+payable(addr).send(x); // or
+payable(addr).transfer(x);
 ```
 
-Use:
+**Use:**
 
 ```solidity
 (bool s, ) = addr.call{value: x}("");
 require(s);
 ```
 
-This converts the `send`/`transfer` functionality to `call` and [avoids potential security risks outlined here.](https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/).
+This approach replicates the behavior of `.send` or `.transfer` while providing more flexibility and avoiding gas-limit issues.
+See [Consensys’ explanation of `.transfer` risks](https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/) for additional context.
 
-While `.call` offers more flexibility compared to `.send` or `.transfer`, developers should be aware that `.call`
-does not provide the same level of reentrancy protection as `.transfer`/`.send`. It's crucial to adhere to best
-practices like the checks-effects-interactions pattern and/or use reentrancy guard protection to secure your
-contracts against reentrancy attacks. It can help ensure the robustness and security of your smart contracts on the ZKSync VM, even under unexpected conditions.
+While `.call` is safer in terms of gas, it does not provide built-in reentrancy protection. To prevent vulnerabilities:
 
-## Use the proxy pattern at the early stage of the protocol
+- Follow the **checks-effects-interactions** pattern.
+- Use a **reentrancy guard** when interacting with external contracts.
 
-ZKsync Era is based on the zk-friendly VM. Thus, we offer
-[a dedicated compiler](/zksync-protocol/era-vm/compiler/toolchain)
-responsible for transforming conventional Solidity and Vyper code into zkEVM bytecode.
+These practices help secure your contracts against reentrancy attacks and unexpected external behavior.
 
-While we have extensive test coverage to ensure EVM compatibility, issues may still appear.
-We will implement the patches for these in a timely manner.
+## Use the Proxy Pattern
 
-To integrate a compiler bug fix, you need to recompile and upgrade your smart contract. We recommend using the
-Proxy pattern for a few months after your first deployment on ZKsync Era, even if you plan to migrate to an immutable
-contract in the future.
+ZKsync chains running EraVM support Solidity and Vyper code compilation into **EraVM bytecode** using custom compilers.
+Although the compilers undergoes extensive testing to ensure EVM compatibility, minor issues can occasionally appear.
 
-## Do not rely on EVM gas logic
+::callout{icon="i-heroicons-light-bulb"}
+ZKsync chains also support EVM Bytecode from the `solc` compiler.
+::
 
-ZKsync Era has a distinctive gas logic compared to Ethereum. There are two main drivers:
+To handle potential compiler patches or updates, use the **Proxy pattern** when deploying new contracts.
+This allows you to recompile and upgrade your contract logic without requiring a full redeployment.
 
-- We have a state-diff-based data availability, which means that the price for the execution depends on the L1 gas price.
-- ZKsync VM has a different set of computational trade-offs compared to the standard computational model. In
-practice, this means that the price for opcodes is different to Ethereum. Also, zkEVM contains a different set of
-opcodes under the hood and so the “gas” metric of the same set of operations may be different on ZKsync Era and on Ethereum.
+After your contracts have proven stable, you can migrate to an immutable version if desired.
 
-::callout{icon="i-heroicons-exclamation-triangle" color="amber"}
-Our fee model is being constantly improved and so it is highly recommended **NOT** to hardcode any constants since the fee
-model changes in the future might be breaking for this constant.
-::
+Using the Proxy pattern during the initial deployment phase reduces maintenance effort and ensures flexibility as the EraVM continues to evolve.
+
+## Do Not Rely on Ethereum Gas Logic
+
+The gas model on ZKsync chains differs from Ethereum’s. Two key factors influence gas costs:
+
+1. **State-diff-based data availability** – transaction costs depend on L1 gas prices.
+2. **Distinct computational model** – the EraVM uses a different opcode pricing model and computational trade-offs compared to the EVM.
 
-## `gasPerPubdataByte` should be taken into account in development
+Because of these differences, gas usage on a ZKsync chain cannot be directly compared to Ethereum.
+Avoid hardcoding gas constants in your contracts, as future changes to ZKsync’s fee model could make these assumptions invalid.
 
-Due to the state diff-based fee model of ZKsync Era, every transaction includes a constant called `gasPerPubdataByte`.
+## Account for `gasPerPubdataByte`
 
-Presently, the operator has control over this value. However, in EIP712 transactions, users also sign an upper bound
-on this value, but the operator is free to choose any value up to that upper bound. Note, that even if the value
-is chosen by the protocol, it still fluctuates based on the L1 gas price. Therefore, relying solely on gas is inadequate.
+Each transaction on ZKsync includes a constant called `gasPerPubdataByte`.
+This value is set by the operator, although users define an upper bound for it in EIP-712 transactions.
+Since `gasPerPubdataByte` fluctuates with L1 gas prices, relying solely on gas limits can lead to unpredictable behavior.
 
-A notable example is a Gnosis Safe’s `execTransaction` method:
+For example, in Gnosis Safe’s `execTransaction` method:
 
 ```solidity
 // We require some gas to emit the events (at least 2500) after the execution and some to perform code until the execution (500)
@@ -85,37 +87,46 @@ require(gasleft() >= ((safeTxGas * 64) / 63).max(safeTxGas + 2500) + 500, "GS010
 }
 ```
 
-While the contract does enforce the correct `gasleft()`, it does not enforce the correct `gasPerPubdata`, since there
-was no such parameter on Ethereum. This means that a malicious user could call this wallet when the `gasPerPubdata` is
-high and make the transaction fail, hence making it spend artificially more gas than required.
+This logic enforces a minimum `gasleft()` but does not account for `gasPerPubdata`.
+A malicious user could exploit a high `gasPerPubdata` value to increase gas costs or cause transaction failures.
 
-This is the case for all relayer-like logic ported directly from Ethereum and so if you see your code relying on logic
-like “the user should provide at X gas”, then the `gasPerPubdata` should be also taken into account on ZKsync Era.
+When porting logic from Ethereum:
 
-For now, ZKsync Era operators use honest values for ETH L1 price and `gasPerPubdata`, so it should not be an issue if
-enough margin is added to the estimated gas. In order to prepare for the future decentralization of ZKsync Era,
-it is imperative that you update your contract.
+- Include `gasPerPubdata` in your gas calculations.
+- Add a safety margin to handle price fluctuations.
+- Avoid assumptions based on Ethereum’s static gas model.
 
-## Use native account abstraction over `ecrecover` for validation
+Currently, ZKsync operators use accurate and fair values for ETH L1 pricing and `gasPerPubdata`,
+but preparing your contracts for future decentralization ensures long-term stability and reliability.
 
-Use ZKsync Era's native account abstraction support for signature validation instead of this function.
+## Use Native Account Abstraction for Validation
 
-We recommend not relying on the fact that an account has an ECDSA private key, since the account may be governed by
-multisig and use another signature scheme.
+Do not rely on `ecrecover` for signature verification.
+ZKsync chains running EraVM use **native account abstraction**, which supports flexible authentication
+mechanisms such as multisignature wallets or custom signature schemes.
 
-Read more about [ZKsync Era Account Abstraction support](/zksync-protocol/era-vm/account-abstraction).
+Assuming all accounts use ECDSA private keys may cause compatibility issues.
+Instead, rely on the built-in account abstraction mechanisms for validation to ensure forward compatibility.
 
-## Use local testing environment
+Learn more in the [Account Abstraction guide](/zksync-protocol/era-vm/account-abstraction).
 
-For optimal development and testing of your contracts, it is highly recommended to perform local testing before deploying
-them to the mainnet. Local testing allows you to test your contracts in a controlled environment, providing benefits such as
-reduced network latency and cost.
+## Test in a Local Environment
 
-We provide [two different testing environments](/zksync-network/tooling/local-setup) designed for local testing purposes.
-These tools allow you to simulate the ZKsync network locally, enabling you to validate your contracts effectively.
+Always test your contracts locally before deploying to mainnet.
+Local testing allows you to verify contract behavior in a controlled environment, reduce latency, and avoid transaction costs.
 
-By incorporating local testing into your development workflow, you can effectively verify the behavior and functionality of
-your contracts in a controlled environment, ensuring a smooth deployment process to the mainnet.
+ZKsync provides [local testing environments](/zksync-network/tooling/local-setup) that simulate mainnet behavior for development purposes.
+
+To test locally:
+
+1. **Set up the local environment** using one of the available tools.
+2. **Run your tests** with frameworks such as **Foundry** and **Hardhat**  to verify expected behavior.
+3. **Review results** and confirm that events, gas usage, and outputs match expectations.
+4. **Iterate and refine** before deploying to testnet or mainnet.
+
+Local testing helps you identify issues early, ensuring a more reliable and predictable deployment on ZKsync chains.
+
+---
 
-For detailed instructions on configuring the local testing environment and performing tests using Mocha and Chai,
-refer to the dedicated [Testing](/zksync-network/tooling/local-setup) page.
+By following these best practices, you can improve the security, reliability, and maintainability of your smart
+contracts across all ZKsync chains powered by the EraVM.
diff --git a/content/20.zksync-protocol/20.contracts/10.l1-contracts/30.zk-chain-addresses.md b/content/20.zksync-protocol/20.contracts/10.l1-contracts/30.zk-chain-addresses.md
@@ -22,6 +22,8 @@ that expects a chain ID as an argument and returns the address of the ZKsync Cha
 | -------------- | ------- |
 | Bridgehub      | [0x303a465B659cBB0ab36eE643eA362c509EEb5213](https://etherscan.io/address/0x303a465B659cBB0ab36eE643eA362c509EEb5213) |
 | Shared Bridge  | [0xD7f9f54194C633F36CCD5F3da84ad4a1c38cB2cB](https://etherscan.io/address/0xD7f9f54194C633F36CCD5F3da84ad4a1c38cB2cB) |
+| L1AssetRouter  | [0x8829AD80E425C646DAB305381ff105169FeEcE56](https://etherscan.io/address/0x8829AD80E425C646DAB305381ff105169FeEcE56) |
+| L1NativeTokenVault| [0xbeD1EB542f9a5aA6419Ff3deb921A372681111f6](https://etherscan.io/address/0xbeD1EB542f9a5aA6419Ff3deb921A372681111f6)|
 | CTM (official) | [0xc2eE6b6af7d616f6e27ce7F4A451Aedc2b0F5f5C](https://etherscan.io/address/0xc2eE6b6af7d616f6e27ce7F4A451Aedc2b0F5f5C) |
 
 ### CTM (official)
@@ -43,6 +45,8 @@ Learn [how to get the Chain Type Manager for a ZKsync Chain](#getting-the-chain-
 | -------------- | ------- |
 | Bridgehub      | [0x35A54c8C757806eB6820629bc82d90E056394C92](https://sepolia.etherscan.io/address/0x35A54c8C757806eB6820629bc82d90E056394C92) |
 | SharedBridge   | [0x3E8b2fe58675126ed30d0d12dea2A9bda72D18Ae](https://sepolia.etherscan.io/address/0x3E8b2fe58675126ed30d0d12dea2A9bda72D18Ae) |
+|L1AssetRouter| [0xF2a49545C5B1A85d2fB018cC39103661639a9B06](https://sepolia.etherscan.io/address/0xF2a49545C5B1A85d2fB018cC39103661639a9B06)|
+|L1NativeTokenVault| [0x746DBBa1edfBe1b547c87189eFE91B77d53d9E39](https://sepolia.etherscan.io/address/0x746DBBa1edfBe1b547c87189eFE91B77d53d9E39) |
 | CTM (official) | [0x4e39E90746A9ee410A8Ce173C7B96D3AfEd444a5](https://sepolia.etherscan.io/address/0x4e39E90746A9ee410A8Ce173C7B96D3AfEd444a5) |
 | CTM (custom)   | [0x762b5F15CAd9880ace81776f9046d6a52DD67a9b](https://sepolia.etherscan.io/address/0x762b5F15CAd9880ace81776f9046d6a52DD67a9b) |
 
diff --git a/content/20.zksync-protocol/30.era-vm/75.evm-interpreter/06.pre-deployed-contracts.md b/content/20.zksync-protocol/30.era-vm/75.evm-interpreter/06.pre-deployed-contracts.md
@@ -13,6 +13,7 @@ The following contracts are **pre-deployed** and available for use:
 | [Safe Singleton Factory](https://github.com/safe-global/safe-singleton-factory/blob/main/source/deterministic-deployment-proxy.yul) | `0x914d7Fec6aaC8cd542e72Bca78B30650d45643d7` |
 | [Multicall3](https://github.com/mds1/multicall/tree/main) | `0xcA11bde05977b3631167028862bE2a173976CA11` |
 | [Create2 Proxy (Zoltu)](https://github.com/Zoltu/deterministic-deployment-proxy) | `0x7A0D94F55792C434d74a40883C6ed8545E406D12` |
-|[Universal Deployer](https://gist.github.com/Agusx1211/de05dabf918d448d315aa018e2572031)| `0x1b926fbb24a9f78dcdd3272f2d86f5d0660e59c0` |
+| [Universal Deployer](https://gist.github.com/Agusx1211/de05dabf918d448d315aa018e2572031)| `0x1b926fbb24a9f78dcdd3272f2d86f5d0660e59c0` |
+| [CreateX (pcaversaccio)](https://github.com/pcaversaccio/createx)| `0xba5Ed099633D3B313e4D5F7bdc1305d3c28ba5Ed` |
 
 These contracts are **readily available** and can be used without requiring redeployment.
