What are best practices regarding obfuscating secure/financial code? [migrated]
It is in the news that there has been a $1.5 billion crypto hack. This was the result of a supply chain attack on a JavaScript library (reviewers pdf). My understanding is that the below code fragment shows some malicious code highlighted with a dark background and the "benign" code has a lighter background. Excluding the malicious code, the benign code strikes me as having been obfuscated or minified with a tool rather than being the editable version, such that for example the GPL would require distribution of the code prior to minification. It is just possible a human likes to write code that way, which I think at least borders on intentional obfuscation.
I am familiar with scientific computing, and I think it is uncontroversial to say that having such code used to support published research hurts the replicability of science by making the logic of the code hard for a human to understand. This would apply as much if this was a specific process of minification or a programmer who liked that style of coding.
In the context of software security, particularly as regards financial computing, are there rules or best practices regarding when it is appropriate to distribute obfuscated or minified code? Does this "benign" code meet those rules?
The "benign" code:
[h, m, v] = (0, _A)(async () => (
if(!i || !l || !r || !a || !e) return
// malicious code
let t = eg(r, e, d ? l : void 0, e.signatures.size < n );