@ballkidz/defifa 0.0.11 → 0.0.13

package/AUDIT_INSTRUCTIONS.md

@@ -421,7 +421,7 @@ forge test --match-contract DefifaMintCostInvariant -vvv
 | `initialSupply` per tier | 999,999,999 | `DefifaDeployer` |
 | Max tiers per game | 128 | `DefifaHook` (`uint256[128]`) |
 | Min grace period | 1 day | `DefifaGovernor` |
-| Compiler | Solidity ^0.8.26 | All files |
+| Compiler | Solidity 0.8.28 | All files |
 
 ---
 
@@ -489,7 +489,7 @@ No prior formal audit with finding IDs has been conducted for defifa-collection-
 
 | Setting | Value | Source |
 |---------|-------|--------|
-| Solidity version | `^0.8.26` | `foundry.toml` `solc` field; all `src/*.sol` files use `pragma solidity ^0.8.26` (library uses `^0.8.17`) |
+| Solidity version | `0.8.28` | `foundry.toml` `solc` field; all `src/*.sol` files use `pragma solidity ^0.8.26` (library uses `0.8.28`) |
 | EVM target | `cancun` | `foundry.toml` `evm_version` field |
 | Optimizer | Enabled, 200 runs | `foundry.toml` `optimizer_runs = 200` |
 | Via IR | `true` | `foundry.toml` `via_ir = true` -- uses the Yul-based compilation pipeline |

package/CHANGE_LOG.md

@@ -8,7 +8,20 @@ This document describes the changes between `defifa-collection-deployer` (v5) an
 - **Dependency modernization**: Core, permission IDs, address registry, and ownable dependencies all updated to v6. New ecosystem dependencies on `croptop-core-v6` and `revnet-core-v6`.
 - **Error naming standardized**: Error names changed from bare names (e.g., `InvalidCashoutWeights`) to contract-prefixed names (e.g., `DefifaHook_InvalidCashoutWeights`).
 - **Cash out hook spec gains `noop` field**: `beforeCashOutRecordedWith` now returns `noop=false` in all specifications, ensuring the terminal always calls the hook callback.
-- **Game lifecycle unchanged**: The core game phases (COUNTDOWN → MINT → REFUND → SCORING → COMPLETE) and governance model (50% quorum, scorecard ratification) remain identical.
+- **Compiler/tooling updated**: The v6 repo now builds and tests on Solidity `0.8.28`, matching the rest of the V6 ecosystem.
+- **Game lifecycle preserved**: The core game phases (COUNTDOWN → MINT → REFUND → SCORING → COMPLETE) and governance model (50% quorum, scorecard ratification) remain the same at the product level even though the underlying hook/controller integrations changed.
+
+## ABI Status
+
+This repo does have meaningful ABI migration surface. The main ABI-facing contracts for integrators are:
+- `IDefifaDeployer`
+- `IDefifaHook`
+- `IDefifaGovernor`
+
+The largest ABI risks are:
+- inherited 721-hook/core-v6 struct and return-shape changes flowing through Defifa interfaces;
+- event families now living on v6 interfaces/contracts with prefixed errors and updated dependent types;
+- hook return values that now include v6 `noop`-aware hook-spec structures.
 
 ---
 
@@ -42,7 +55,8 @@ The v6 `JBCashOutHookSpecification` struct has a `noop` boolean field. `DefifaHo
 
 ### 1.4 Solidity Version
 
-Compiler remains at `pragma solidity 0.8.23` (not bumped to 0.8.26 unlike most other v6 repos).
+- **v5:** `pragma solidity 0.8.23`
+- **v6:** `pragma solidity 0.8.28`
 
 ### 1.5 721 Hook API Changes
 
@@ -52,6 +66,14 @@ Inherited from `nana-721-hook-v6`:
 - `JB721TierConfig` gained `splitPercent` and `splits` fields
 - `JB721TiersHookFlags` gained `issueTokensForSplits` field
 
+### 1.6 Function-Level Integration Changes
+
+These are the main V6 surface changes integrators should care about:
+- `beforeCashOutRecordedWith(...)` now returns a `JBCashOutHookSpecification` that includes the new `noop` field from core-v6.
+- Any integration constructing or decoding `JB721TierConfig` must account for the added `splitPercent` and `splits` fields.
+- Any integration reading pricing context from the inherited 721 hook must expect 2 return values, not 3.
+- Defifa deployer integrations should re-check `launchGameWith(...)`, `fulfillCommitmentsOf(...)`, `triggerNoContestFor(...)`, `nextPhaseNeedsQueueing(...)`, `safetyParamsOf(...)`, and `timesFor(...)` against the v6 ABIs and dependent core-v6 structs.
+
 ---
 
 ## 2. Game Lifecycle (Unchanged)
@@ -89,9 +111,22 @@ DefifaHook instances are deployed as minimal proxy clones via `Clones.cloneDeter
 - One-time `initialize()` call per clone
 - Owned by DefifaGovernor for scorecard weight setting
 
+## 4. Events and Errors
+
+The most important integration-facing patterns are:
+- Errors are now consistently contract-prefixed (`DefifaHook_*`, `DefifaDeployer_*`, `DefifaGovernor_*`, `DefifaProjectOwner_*`) instead of using the older unprefixed style.
+- Defifa-specific events remain centered around game launch, phase transitions, fulfillment, scoring, minting, claims, and delegation, but they now live against the V6 hook/controller stack and should be indexed using the V6 ABIs.
+- `CommitmentPayoutFailed`, `LaunchGame`, `QueuedRefundPhase`, `QueuedScoringPhase`, `QueuedNoContest`, `GameInitialized`, `ScorecardSubmitted`, `ScorecardAttested`, `ScorecardRatified`, `Mint`, `MintReservedToken`, `ClaimedTokens`, and `TierCashOutWeightsSet` are the key integration events to watch across the deployer, governor, and hook.
+- Other hook-level events worth indexing for governance clients are `TierDelegateAttestationsChanged` and `DelegateChanged`.
+
+Key runtime errors now exposed by the v6 contracts include:
+- `DefifaDeployer_*` errors such as `DefifaDeployer_InvalidGameConfiguration`, `DefifaDeployer_TerminalNotFound`, `DefifaDeployer_SplitsDontAddUp`, `DefifaDeployer_CantFulfillYet`, and `DefifaDeployer_NoContestAlreadyTriggered`.
+- `DefifaHook_*` errors such as `DefifaHook_InvalidCashoutWeights`, `DefifaHook_InvalidTierId`, `DefifaHook_ReservedTokenMintingPaused`, `DefifaHook_TransfersPaused`, and `DefifaHook_Unauthorized(...)`.
+- `DefifaGovernor_*` errors such as `DefifaGovernor_AlreadyAttested`, `DefifaGovernor_AlreadyRatified`, `DefifaGovernor_DuplicateScorecard`, `DefifaGovernor_NotAllowed`, and `DefifaGovernor_UnknownProposal`.
+
 ---
 
-## 4. Migration Table
+## 5. Migration Table
 
 | Aspect | v5 | v6 |
 |--------|----|----|
@@ -100,8 +135,28 @@ DefifaHook instances are deployed as minimal proxy clones via `Clones.cloneDeter
 | Permission IDs | Not a direct dependency | `@bananapus/permission-ids-v6` |
 | Error naming | Bare names | Contract-prefixed names |
 | `JBCashOutHookSpecification` | No `noop` field | `noop=false` on all specs |
-| Solidity version | `0.8.23` | `0.8.23` (unchanged) |
+| Solidity version | `0.8.23` | `0.8.28` |
 | Game lifecycle | COUNTDOWN->MINT->REFUND->SCORING->COMPLETE | Identical |
 | Governance model | 50% quorum, tier-delegated | Identical |
 
-> **Cross-repo impact**: Uses `nana-721-hook-v6` for all tier management and cashout weight distribution. The `nana-permission-ids-v6` ID shifts affect any hardcoded permission checks. Not yet included in `deploy-all-v6` deployment phases (awaiting source updates).
+> **Cross-repo impact**: Uses `nana-721-hook-v6` for all tier management and cashout weight distribution. The `nana-permission-ids-v6` ID shifts affect any hardcoded permission checks. `deploy-all-v6` now includes Defifa as Phase 10, so canonical deployments can source Defifa addresses from the top-level rollout.
+
+---
+
+## 6. Post-Audit Fixes (Codex R2)
+
+### 6.1 H-1: Prevent same-block double attestation via timestamp snapshot
+
+**File:** `DefifaGovernor.sol` -- `attestToScorecardFrom()`
+
+Previously, attestation weight was snapshot at `_scorecard.attestationsBegin`, which could equal `block.timestamp` during the same block as a transfer. This allowed a holder to attest, transfer the NFT, and have the recipient also attest in the same block -- both counting because `upperLookup(block.timestamp)` includes same-block checkpoints.
+
+**Fix:** Changed the snapshot to `block.timestamp - 1`, ensuring only state from before the current block is visible. Same-block transfer recipients now receive zero attestation weight.
+
+### 6.2 H-2: Include pending reserve NFTs in cash-out weight denominator
+
+**File:** `DefifaHookLib.sol` -- `computeCashOutWeight()`
+
+Previously, the cash-out weight denominator only counted actually minted tokens. Pending (unminted) reserve NFTs were excluded, allowing paid holders to cash out before reserves were minted and extract more than their fair share of the surplus.
+
+**Fix:** Added `hookStore.numberOfPendingReservesFor()` to the denominator in `computeCashOutWeight()`. Each token's share of the tier weight is now computed against the full eventual supply (minted + pending reserves), protecting reserve holders' shares.