DEVREL-1299 fix(devtools-move): bump initia.js and update deployer derivation

[nazreen]

Problem

Initia changed object creation seed derivation (v1.2.0+): it now includes a deployment count.
MoveVM change: initia-labs/movevm@8ad3db1
initiad fix: initia-labs/initia@d3557bd

To deploy new objects reliably, users need:

• initiad v1.3.1+ (correct object-address derivation)
• @initia/initia.js v1.0.0+ (coin type 60)

Additional Details

• Seed mismatch typically surfaces as address/ALREADY_EXISTS or deployment inconsistency.
• Coin type 60 is required for Initia mainnet/testnet. Coin type 118 was testnet‑era only.

Solution

• Bump @initia/initia.js from ^0.2.x to ^1.0.0 (coin type 60 default).
• Replace deployer address derivation with:
  SHA3-256(address + 0x22 + "initia_std::object_code_deployment" + sequence(u64 LE) + deployCount(u64 LE) + 0xFE)
• Update checkInitiaCLIVersion() to require v1.3.1+.
• Update Initia README(s) to drop --coin-type 118 in key generation.

Other Changes

Verify-contract’s build failed in CI (and locally) because Rollup 4.40.0 now errors on a malformed sourcemap shipped in @solidity-parser/parser@0.16.2. That map contains duplicate src/index.ts entries with conflicting sourcesContent, so Rollup throws “Multiple conflicting contents for sourcemap source”.

Failed run: https://github.com/LayerZero-Labs/devtools/actions/runs/21777097176/job/62835345680#step:8:893

Fix: upgrade @solidity-parser/parser in packages/verify-contract to ^0.17.0, which ships a clean sourcemap; after reinstalling, pnpm -C packages/verify-contract run build succeeds.

Proof of Test

Deployments

Initia (Move)

• OApp object address: 0x928841F0A922D6BCA4C07FAD0F7EA73924B8A58BF980BE2822FACBC3F26591C6
• Deploy tx: 3B058945F0F1B20A9A3B4FDD45582C081AD06ED752E21EE0EEDC51B163A05255
• Delegate set tx: B6C7B50AE741B3B86296AD6C32C13716E35DC47E1FAAA6BDA2BAF365596F3393
• Init FA tx: F536A124556BD0BE71FCFC758E49E36CC74DED92E995E62CFF0975F6080EF6E3

Base (EVM)

• MyOFT address: 0xF9F9F83C77Eb39DfA100004db82cea9c0d9521c4
• Deploy tx: 0x0fe65ce531718bf3fcf532f678f3562822f61f4a15b0eb2d4341d2d773e46211

Wiring

EVM → Move (Base → Initia), from transactions/move.layerzero.config.ts/broadcast/latest.json

• setPeer: 0x833d5fa4fc7a3c1a7b8ea2a8aee792cba6db78b86636045ae6be368de8a5516e
• setEnforcedOptions: 0x437641cfa69c848a6100cbf3c40bbfd99ce52ad6e962dc065207442539179686
• setSendLibrary: 0x9e4fc04c3270a84b054232d53f1ca569e459c0932b6613a77763750cbc4c6097
• setReceiveLibrary: 0xb60eba6905b8789e4c9750632809d48bdefe4647abce5df5a66771efdd804cb9
• sendConfig: 0x4cf60dd38e20791b3749d7c646a07c2eb3dfb7995ab960c1244071c821e4c0d3
• receiveConfig: 0xc4149dfe7e3ebb59e45b6aa2f15a689cb0bc115befd74c4a6d53833c11ae6090

Move → EVM (Initia → Base)

• setPeer: FC6AA09452C0B16A53DF74C502B99327B21C924335FD45104314FDCFF060BE1E
• enforced options (msgType 1): 2C8ECB1FC1D8DF4831DC847A08ADB34945750B6DC56859204B9EACF00ABEEE3A
• enforced options (msgType 2): 2C95AF0F175A576CC3490AA3399320E768155ED57942740FB8E297FB9958FC5F
• send library: 366B638AE6A874BD869FE2A0B7D71CFB6FCF67782A3630D43B5949E97A0AB0FA
• receive library: BC8D3E3B04A1D0741F10CC9D2B7FF62228B09323107BCB0C7118CBF46704475C
• send config: 0A8A2711BDB75A2889D7DEFCEEF4E9E90031DC259E70EADE51A9664A3EDC24F1
• receive config: 9C0C10551B4F2A2AE9AFC92C154830823123467E44AB46BE39F27A5E8AB331E8

Cross-Chain Send Test

Base → Initia (OFT send)

• Send tx (BaseScan): 0xcf5b1df98f68b8ca4205b823acbe41a88593c0e117ff5f0ed53f2699fbdcbbd2
• Send tx (LayerZero Scan): 0xcf5b1df98f68b8ca4205b823acbe41a88593c0e117ff5f0ed53f2699fbdcbbd2

Initia → Base (OFT send)

• Send tx (Initia Scan): 19910614C704E211DE5FB0A2FF87ECD7B97CAF134B2AE5EA567842EF92351A0D
• Send tx (LayerZero Scan): 0x19910614c704e211de5fb0a2ff87ecd7b97caf134b2ae5ea567842ef92351a0d

[github-actions]

🧪 E2E Test Status

E2E tests are non-blocking and validate real blockchain interactions. Failures may occur due to network issues, RPC rate limits, or external service downtime.

Test Runs (Newest First):

• ✅ Run #6705 - Passed - 2026-02-09 04:33 (UTC)
• ✅ Run #6704 - Passed - 2026-02-09 03:55 (UTC)
• ✅ Run #6700 - Passed - 2026-02-07 08:52 (UTC)
• ✅ Run #6698 - Passed - 2026-02-07 08:29 (UTC)
• ❌ Run #6695 - Failed - 2026-02-07 08:15 (UTC)
• ❌ Run #6694 - Failed - 2026-02-07 06:01 (UTC)
• ✅ Run #6691 - Passed - 2026-02-07 01:24 (UTC)
• ✅ Run #6688 - Passed - 2026-02-06 08:03 (UTC)
• ✅ Run #6684 - Passed - 2026-02-06 07:52 (UTC)
• ✅ Run #6682 - Passed - 2026-02-05 17:28 (UTC)
• ❌ Run #6681 - Failed - 2026-02-05 17:12 (UTC)
• ❌ Run #6680 - Failed - 2026-02-05 17:03 (UTC)

[cursor]

PR Summary

Medium Risk
Touches Move deployment address derivation and CLI gating for Initia, which can change deployed object addresses and break existing deployment workflows if incorrect; other changes are dependency/doc updates with low blast radius.

Overview
Fixes Initia Move deployments by updating @initia/initia.js to ^1.0.0, requiring initiad >= 1.3.1, and changing Initia named_addresses to use a newly derived deployer address based on bech32 conversion, sequence (+2 offset), and deployment counter (sha3-256 seed).

Adds unit tests covering the new Initia derivation/helpers and changes basexToBytes32 to treat empty strings as the zero bytes32 (with updated expectations). Updates Initia example READMEs/commands accordingly, and bumps @solidity-parser/parser to ^0.17.0 in verify-contract to resolve duplicated sourcemap build failures; also updates root es5-ext resolution URL and an example dependency patch (hyperliquid-composer 2.0.6→2.0.7).

^{Written by Cursor Bugbot for commit fdb9cbf. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​layerzerolabs/​hyperliquid-composer@​2.0.6 ⏵ 2.0.7				+1

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.