@ballkidz/defifa 0.0.12 → 0.0.14

package/test/audit/PendingReserveQuorumGrief.t.sol

@@ -0,0 +1,355 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.28;
+
+import {TestBaseWorkflow} from "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+
+import {DefifaGovernor} from "../../src/DefifaGovernor.sol";
+import {DefifaDeployer} from "../../src/DefifaDeployer.sol";
+import {DefifaHook} from "../../src/DefifaHook.sol";
+import {DefifaTokenUriResolver} from "../../src/DefifaTokenUriResolver.sol";
+import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
+import {JB721TiersMintReservesConfig} from "@bananapus/721-hook-v6/src/structs/JB721TiersMintReservesConfig.sol";
+
+import {JBTest} from "@bananapus/core-v6/test/helpers/JBTest.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {JBRulesetMetadataResolver} from "@bananapus/core-v6/src/libraries/JBRulesetMetadataResolver.sol";
+import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ITypeface} from "lib/typeface/contracts/interfaces/ITypeface.sol";
+import {IJB721TokenUriResolver} from "@bananapus/721-hook-v6/src/interfaces/IJB721TokenUriResolver.sol";
+import {DefifaDelegation} from "../../src/structs/DefifaDelegation.sol";
+import {DefifaLaunchProjectData} from "../../src/structs/DefifaLaunchProjectData.sol";
+import {DefifaTierParams} from "../../src/structs/DefifaTierParams.sol";
+import {DefifaTierCashOutWeight} from "../../src/structs/DefifaTierCashOutWeight.sol";
+import {DefifaScorecardState} from "../../src/enums/DefifaScorecardState.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "@bananapus/core-v6/src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "@bananapus/core-v6/src/structs/JBSplitGroup.sol";
+import {JBFundAccessLimitGroup} from "@bananapus/core-v6/src/structs/JBFundAccessLimitGroup.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBCurrencyIds} from "@bananapus/core-v6/src/libraries/JBCurrencyIds.sol";
+import {IJBRulesetApprovalHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetApprovalHook.sol";
+
+contract PendingReserveQuorumGriefTest is JBTest, TestBaseWorkflow {
+    using JBRulesetMetadataResolver for JBRuleset;
+
+    uint256 internal _protocolFeeProjectId;
+    uint256 internal _defifaProjectId;
+    uint256 internal _gameId = 3;
+
+    DefifaDeployer internal _deployer;
+    DefifaHook internal _hookImpl;
+    DefifaGovernor internal _governorImpl;
+
+    address internal _projectOwner = address(bytes20(keccak256("projectOwner")));
+    address internal _reserveBeneficiary = address(bytes20(keccak256("reserveBeneficiary")));
+    address internal _player0 = address(bytes20(keccak256("player0")));
+    address internal _player1 = address(bytes20(keccak256("player1")));
+    address internal _player2 = address(bytes20(keccak256("player2")));
+    address internal _player3 = address(bytes20(keccak256("player3")));
+
+    DefifaHook internal _nft;
+    DefifaGovernor internal _gov;
+    uint256 internal _pid;
+
+    function setUp() public virtual override {
+        super.setUp();
+
+        JBAccountingContext[] memory tokens = new JBAccountingContext[](1);
+        tokens[0] = JBAccountingContext({token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: JBCurrencyIds.ETH});
+
+        JBTerminalConfig[] memory terminalConfigs = new JBTerminalConfig[](1);
+        terminalConfigs[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: tokens});
+
+        JBRulesetConfig[] memory rulesetConfigs = new JBRulesetConfig[](1);
+        rulesetConfigs[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 10 days,
+            weight: 1e18,
+            weightCutPercent: 0,
+            approvalHook: IJBRulesetApprovalHook(address(0)),
+            metadata: JBRulesetMetadata({
+                reservedPercent: 0,
+                cashOutTaxRate: 0,
+                baseCurrency: JBCurrencyIds.ETH,
+                pausePay: false,
+                pauseCreditTransfers: false,
+                allowOwnerMinting: false,
+                allowSetCustomToken: false,
+                allowTerminalMigration: false,
+                allowSetTerminals: false,
+                allowSetController: false,
+                allowAddAccountingContext: false,
+                allowAddPriceFeed: false,
+                ownerMustSendPayouts: false,
+                holdFees: false,
+                useTotalSurplusForCashOuts: false,
+                useDataHookForPay: true,
+                useDataHookForCashOut: true,
+                dataHook: address(0),
+                metadata: 0
+            }),
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+
+        _protocolFeeProjectId =
+            jbController().launchProjectFor(address(_projectOwner), "", rulesetConfigs, terminalConfigs, "");
+        vm.prank(_projectOwner);
+        address nanaToken =
+            address(jbController().deployERC20For(_protocolFeeProjectId, "Bananapus", "NANA", bytes32(0)));
+
+        _defifaProjectId =
+            jbController().launchProjectFor(address(_projectOwner), "", rulesetConfigs, terminalConfigs, "");
+        vm.prank(_projectOwner);
+        address defifaToken = address(jbController().deployERC20For(_defifaProjectId, "Defifa", "DEFIFA", bytes32(0)));
+
+        _hookImpl = new DefifaHook(jbDirectory(), IERC20(defifaToken), IERC20(nanaToken));
+        _governorImpl = new DefifaGovernor(jbController(), address(this));
+        _deployer = new DefifaDeployer(
+            address(_hookImpl),
+            new DefifaTokenUriResolver(ITypeface(address(0))),
+            _governorImpl,
+            jbController(),
+            new JBAddressRegistry(),
+            _defifaProjectId,
+            _protocolFeeProjectId
+        );
+
+        _hookImpl.transferOwnership(address(_deployer));
+        _governorImpl.transferOwnership(address(_deployer));
+    }
+
+    /// @notice RPT-H-2 FIX VERIFICATION: Pending reserves in quorum + attestation denominator prevent manipulation.
+    ///
+    /// 1. Four players mint into tiers 1-4 (tiers 1-2 have reserveRate=1, creating pending reserves;
+    ///    tiers 3-4 have no reserves)
+    /// 2. Pending reserves dilute tiers 1-2 players' attestation power to 50% of MAX_POWER per tier
+    /// 3. With BWA + HHI-adjusted quorum, disinterested tiers 3-4 (0 weight) provide full power
+    /// 4. Minting reserves doesn't change quorum (tier was already counted via pending reserves)
+    function test_reserveMintDoesNotChangeQuorumWhenPendingReservesAlreadyCounted() external {
+        (_pid, _nft, _gov) = _launch(_launchData());
+
+        // --- MINT phase --- players mint 1 NFT each into tiers 1-4
+        vm.warp(86_402);
+        _mint(_player0, 1);
+        _mint(_player1, 2);
+        _mint(_player2, 3);
+        _mint(_player3, 4);
+        _delegateSelf(_player0, 1);
+        _delegateSelf(_player1, 2);
+        _delegateSelf(_player2, 3);
+        _delegateSelf(_player3, 4);
+
+        // --- Skip REFUND phase (no cash-outs) ---
+        vm.warp(172_802);
+
+        // --- SCORING phase --- submit scorecard
+        vm.warp(259_202);
+        DefifaTierCashOutWeight[] memory scorecard = _buildScorecard();
+        uint256 proposalId = _gov.submitScorecardFor(_gameId, scorecard);
+
+        // Quorum = 4 tiers * MAX_POWER / 2 = 2 * MAX_POWER
+        uint256 snapshotQuorum = _gov.quorum(_gameId);
+        assertEq(snapshotQuorum, _gov.MAX_ATTESTATION_POWER_TIER() * 2, "4 tiers, quorum = 2 * MAX_POWER");
+
+        // Tiers 1-2 (with pending reserves): raw power = 500M per player, BWA * 0.5 = 250M.
+        // Tiers 3-4 (no reserves, 0 weight): raw power = 1e9 per player, BWA * 1.0 = 1e9.
+        // Total BWA = 250M + 250M + 1e9 + 1e9 = 2.5e9, meeting adjusted quorum of 2.5e9.
+        vm.prank(_player0);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player1);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player2);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player3);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+
+        vm.warp(block.timestamp + _gov.attestationGracePeriodOf(_gameId) + 1);
+
+        assertEq(
+            uint256(_gov.stateOf(_gameId, proposalId)),
+            uint256(DefifaScorecardState.SUCCEEDED),
+            "scorecard succeeds with disinterested attestors providing quorum"
+        );
+
+        // --- ATTEMPTED ATTACK --- anyone mints pending reserves for tier 1
+        JB721TiersMintReservesConfig[] memory reserveConfigs = new JB721TiersMintReservesConfig[](1);
+        reserveConfigs[0] = JB721TiersMintReservesConfig({tierId: 1, count: 1});
+        _nft.mintReservesFor(reserveConfigs);
+
+        // Scorecard STILL SUCCEEDED — reserve mint doesn't change which tiers are counted
+        assertEq(
+            uint256(_gov.stateOf(_gameId, proposalId)),
+            uint256(DefifaScorecardState.SUCCEEDED),
+            "quorum unchanged after reserve mint"
+        );
+    }
+
+    /// @notice RPT-H-2 FIX VERIFICATION: Ratification succeeds after reserve mint because quorum is stable.
+    function test_ratificationSucceedsAfterReserveMint() external {
+        (_pid, _nft, _gov) = _launch(_launchData());
+
+        // MINT phase
+        vm.warp(86_402);
+        _mint(_player0, 1);
+        _mint(_player1, 2);
+        _mint(_player2, 3);
+        _mint(_player3, 4);
+        _delegateSelf(_player0, 1);
+        _delegateSelf(_player1, 2);
+        _delegateSelf(_player2, 3);
+        _delegateSelf(_player3, 4);
+
+        // Skip REFUND phase
+        vm.warp(172_802);
+
+        // SCORING phase — submit, all 4 attest.
+        // Tiers 3-4 (no reserves, 0 weight) provide disinterested attestation power.
+        vm.warp(259_202);
+        DefifaTierCashOutWeight[] memory scorecard = _buildScorecard();
+        uint256 proposalId = _gov.submitScorecardFor(_gameId, scorecard);
+        vm.prank(_player0);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player1);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player2);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.prank(_player3);
+        _gov.attestToScorecardFrom(_gameId, proposalId);
+        vm.warp(block.timestamp + _gov.attestationGracePeriodOf(_gameId) + 1);
+
+        assertEq(
+            uint256(_gov.stateOf(_gameId, proposalId)),
+            uint256(DefifaScorecardState.SUCCEEDED),
+            "scorecard should be succeeded"
+        );
+
+        // Mint reserves for tier 1 — shouldn't affect ratification
+        JB721TiersMintReservesConfig[] memory reserveConfigs = new JB721TiersMintReservesConfig[](1);
+        reserveConfigs[0] = JB721TiersMintReservesConfig({tierId: 1, count: 1});
+        _nft.mintReservesFor(reserveConfigs);
+
+        // Ratification succeeds because quorum is unchanged (tier already counted via pending reserves)
+        uint256 ratifiedId = _gov.ratifyScorecardFrom(_gameId, scorecard);
+        assertEq(ratifiedId, proposalId, "ratification succeeds after reserve mint");
+    }
+
+    function _buildScorecard() internal view returns (DefifaTierCashOutWeight[] memory scorecard) {
+        scorecard = new DefifaTierCashOutWeight[](4);
+        uint256 totalWeight = _nft.TOTAL_CASHOUT_WEIGHT();
+        scorecard[0] = DefifaTierCashOutWeight({id: 1, cashOutWeight: totalWeight / 2});
+        scorecard[1] = DefifaTierCashOutWeight({id: 2, cashOutWeight: totalWeight / 2});
+        scorecard[2] = DefifaTierCashOutWeight({id: 3, cashOutWeight: 0});
+        scorecard[3] = DefifaTierCashOutWeight({id: 4, cashOutWeight: 0});
+    }
+
+    function _launchData() internal returns (DefifaLaunchProjectData memory data) {
+        DefifaTierParams[] memory tiers = new DefifaTierParams[](4);
+        // Tiers 1-2: have reserves (reserveRate=1, 1 reserve per mint)
+        for (uint256 i; i < 2; i++) {
+            tiers[i] = DefifaTierParams({
+                reservedRate: 1,
+                reservedTokenBeneficiary: _reserveBeneficiary,
+                encodedIPFSUri: bytes32(0),
+                shouldUseReservedTokenBeneficiaryAsDefault: false,
+                name: "TEAM"
+            });
+        }
+        // Tiers 3-4: no reserves (disinterested attestors for BWA governance)
+        for (uint256 i = 2; i < 4; i++) {
+            tiers[i] = DefifaTierParams({
+                reservedRate: 1001,
+                reservedTokenBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                shouldUseReservedTokenBeneficiaryAsDefault: false,
+                name: "TEAM"
+            });
+        }
+
+        data = DefifaLaunchProjectData({
+            name: "DEFIFA",
+            projectUri: "",
+            contractUri: "",
+            baseUri: "",
+            tiers: tiers,
+            tierPrice: 1 ether,
+            token: JBAccountingContext({token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: JBCurrencyIds.ETH}),
+            mintPeriodDuration: 1 days,
+            refundPeriodDuration: 1 days,
+            start: uint48(block.timestamp + 3 days),
+            splits: new JBSplit[](0),
+            attestationStartTime: 0,
+            attestationGracePeriod: 100_381,
+            defaultAttestationDelegate: address(0),
+            defaultTokenUriResolver: IJB721TokenUriResolver(address(0)),
+            terminal: jbMultiTerminal(),
+            store: new JB721TiersHookStore(),
+            minParticipation: 0,
+            scorecardTimeout: 0,
+            timelockDuration: 0
+        });
+    }
+
+    function _launch(DefifaLaunchProjectData memory data)
+        internal
+        returns (uint256 projectId, DefifaHook nft, DefifaGovernor gov)
+    {
+        gov = _governorImpl;
+        projectId = _deployer.launchGameWith(data);
+        JBRuleset memory ruleset = jbRulesets().currentOf(projectId);
+        if (ruleset.dataHook() == address(0)) (ruleset,) = jbRulesets().latestQueuedOf(projectId);
+        nft = DefifaHook(ruleset.dataHook());
+    }
+
+    function _mint(address user, uint256 tierId) internal {
+        vm.deal(user, 1 ether);
+        uint16[] memory tiers = new uint16[](1);
+        // forge-lint: disable-next-line(unsafe-typecast)
+        tiers[0] = uint16(tierId);
+        bytes[] memory data = new bytes[](1);
+        data[0] = abi.encode(user, tiers);
+        bytes4[] memory ids = new bytes4[](1);
+        ids[0] = metadataHelper().getId("pay", address(_hookImpl));
+        bytes memory metadata = metadataHelper().createMetadata(ids, data);
+
+        vm.prank(user);
+        jbMultiTerminal().pay{value: 1 ether}(_pid, JBConstants.NATIVE_TOKEN, 1 ether, user, 0, "", metadata);
+    }
+
+    function _delegateSelf(address user, uint256 tierId) internal {
+        DefifaDelegation[] memory delegations = new DefifaDelegation[](1);
+        delegations[0] = DefifaDelegation({delegatee: user, tierId: tierId});
+        vm.prank(user);
+        _nft.setTierDelegatesTo(delegations);
+    }
+
+    function _cashOut(address user, uint256 tierId, uint256 tokenNumber) internal {
+        bytes memory metadata = _cashOutMetadata(tierId, tokenNumber);
+        vm.prank(user);
+        jbMultiTerminal()
+            .cashOutTokensOf({
+                holder: user,
+                projectId: _pid,
+                cashOutCount: 0,
+                tokenToReclaim: JBConstants.NATIVE_TOKEN,
+                minTokensReclaimed: 0,
+                beneficiary: payable(user),
+                metadata: metadata
+            });
+    }
+
+    function _cashOutMetadata(uint256 tierId, uint256 tokenNumber) internal view returns (bytes memory) {
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = (tierId * 1_000_000_000) + tokenNumber;
+        bytes[] memory data = new bytes[](1);
+        data[0] = abi.encode(tokenIds);
+        bytes4[] memory ids = new bytes4[](1);
+        ids[0] = metadataHelper().getId("cashOut", address(_hookImpl));
+        return metadataHelper().createMetadata(ids, data);
+    }
+}

package/test/audit/PendingReserveSnapshotBypass.t.sol

@@ -0,0 +1,279 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.28;
+
+import {TestBaseWorkflow} from "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+
+import {DefifaGovernor} from "../../src/DefifaGovernor.sol";
+import {DefifaDeployer} from "../../src/DefifaDeployer.sol";
+import {DefifaHook} from "../../src/DefifaHook.sol";
+import {DefifaTokenUriResolver} from "../../src/DefifaTokenUriResolver.sol";
+import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
+import {JB721TiersMintReservesConfig} from "@bananapus/721-hook-v6/src/structs/JB721TiersMintReservesConfig.sol";
+
+import {JBTest} from "@bananapus/core-v6/test/helpers/JBTest.sol";
+import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ITypeface} from "lib/typeface/contracts/interfaces/ITypeface.sol";
+import {IJB721TokenUriResolver} from "@bananapus/721-hook-v6/src/interfaces/IJB721TokenUriResolver.sol";
+import {DefifaDelegation} from "../../src/structs/DefifaDelegation.sol";
+import {DefifaLaunchProjectData} from "../../src/structs/DefifaLaunchProjectData.sol";
+import {DefifaTierParams} from "../../src/structs/DefifaTierParams.sol";
+import {DefifaTierCashOutWeight} from "../../src/structs/DefifaTierCashOutWeight.sol";
+import {DefifaScorecardState} from "../../src/enums/DefifaScorecardState.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "@bananapus/core-v6/src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "@bananapus/core-v6/src/structs/JBSplitGroup.sol";
+import {JBFundAccessLimitGroup} from "@bananapus/core-v6/src/structs/JBFundAccessLimitGroup.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBRulesetMetadataResolver} from "@bananapus/core-v6/src/libraries/JBRulesetMetadataResolver.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBCurrencyIds} from "@bananapus/core-v6/src/libraries/JBCurrencyIds.sol";
+import {IJBRulesetApprovalHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetApprovalHook.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+
+/// @notice Verifies that the pending-reserve snapshot fix prevents reserve minting from inflating
+/// attestation power after scorecard submission.
+contract PendingReserveSnapshotBypassTest is JBTest, TestBaseWorkflow {
+    using JBRulesetMetadataResolver for JBRuleset;
+
+    uint256 internal _protocolFeeProjectId;
+    uint256 internal _defifaProjectId;
+    uint256 internal _gameId = 3;
+
+    DefifaDeployer internal _deployer;
+    DefifaHook internal _hookImpl;
+    DefifaGovernor internal _governorImpl;
+
+    address internal _projectOwner = address(bytes20(keccak256("projectOwner")));
+    address internal _reserveBeneficiary = address(bytes20(keccak256("reserveBeneficiary")));
+    address internal _player0 = address(bytes20(keccak256("player0")));
+    address internal _player1 = address(bytes20(keccak256("player1")));
+    address internal _player2 = address(bytes20(keccak256("player2")));
+    address internal _player3 = address(bytes20(keccak256("player3")));
+
+    DefifaHook internal _nft;
+    DefifaGovernor internal _gov;
+    uint256 internal _pid;
+
+    function setUp() public virtual override {
+        super.setUp();
+
+        JBAccountingContext[] memory tokens = new JBAccountingContext[](1);
+        tokens[0] = JBAccountingContext({token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: JBCurrencyIds.ETH});
+
+        JBTerminalConfig[] memory terminalConfigs = new JBTerminalConfig[](1);
+        terminalConfigs[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: tokens});
+
+        JBRulesetConfig[] memory rulesetConfigs = new JBRulesetConfig[](1);
+        rulesetConfigs[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 10 days,
+            weight: 1e18,
+            weightCutPercent: 0,
+            approvalHook: IJBRulesetApprovalHook(address(0)),
+            metadata: JBRulesetMetadata({
+                reservedPercent: 0,
+                cashOutTaxRate: 0,
+                baseCurrency: JBCurrencyIds.ETH,
+                pausePay: false,
+                pauseCreditTransfers: false,
+                allowOwnerMinting: false,
+                allowSetCustomToken: false,
+                allowTerminalMigration: false,
+                allowSetTerminals: false,
+                allowSetController: false,
+                allowAddAccountingContext: false,
+                allowAddPriceFeed: false,
+                ownerMustSendPayouts: false,
+                holdFees: false,
+                useTotalSurplusForCashOuts: false,
+                useDataHookForPay: true,
+                useDataHookForCashOut: true,
+                dataHook: address(0),
+                metadata: 0
+            }),
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+
+        _protocolFeeProjectId =
+            jbController().launchProjectFor(address(_projectOwner), "", rulesetConfigs, terminalConfigs, "");
+        vm.prank(_projectOwner);
+        address nanaToken =
+            address(jbController().deployERC20For(_protocolFeeProjectId, "Bananapus", "NANA", bytes32(0)));
+
+        _defifaProjectId =
+            jbController().launchProjectFor(address(_projectOwner), "", rulesetConfigs, terminalConfigs, "");
+        vm.prank(_projectOwner);
+        address defifaToken = address(jbController().deployERC20For(_defifaProjectId, "Defifa", "DEFIFA", bytes32(0)));
+
+        _hookImpl = new DefifaHook(jbDirectory(), IERC20(defifaToken), IERC20(nanaToken));
+        _governorImpl = new DefifaGovernor(jbController(), address(this));
+        _deployer = new DefifaDeployer(
+            address(_hookImpl),
+            new DefifaTokenUriResolver(ITypeface(address(0))),
+            _governorImpl,
+            jbController(),
+            new JBAddressRegistry(),
+            _defifaProjectId,
+            _protocolFeeProjectId
+        );
+
+        _hookImpl.transferOwnership(address(_deployer));
+        _governorImpl.transferOwnership(address(_deployer));
+    }
+
+    /// @notice Confirms the snapshot fix: minting pending reserves after scorecard submission does NOT
+    /// inflate the submitter's BWA attestation weight. The snapshot locks pending-reserve counts at
+    /// submission time so that post-submission reserve minting cannot remove the dilution.
+    function test_mintingPendingReserveAfterSnapshotInflatesVotingPowerAndFlipsOutcome() external {
+        (_pid, _nft, _gov) = _launch(_launchData());
+
+        vm.warp(block.timestamp + 1 days + 1);
+        _mint(_player0, 1);
+        _mint(_player1, 2);
+        _mint(_player2, 3);
+        _mint(_player3, 4);
+        _delegateSelf(_player0, 1);
+        _delegateSelf(_player1, 2);
+        _delegateSelf(_player2, 3);
+        _delegateSelf(_player3, 4);
+
+        assertEq(_nft.store().numberOfPendingReservesFor(address(_nft), 1), 1, "tier 1 starts with pending reserve");
+
+        vm.warp(block.timestamp + 2 days + 1);
+
+        DefifaTierCashOutWeight[] memory scorecard = _evenScorecard();
+        uint256 scorecardId = _gov.submitScorecardFor(_gameId, scorecard);
+        uint48 snapshotTime = uint48(block.timestamp);
+
+        uint256 preBwa0 = _gov.getBWAAttestationWeight(_gameId, scorecardId, _player0, snapshotTime);
+        uint256 preBwa1 = _gov.getBWAAttestationWeight(_gameId, scorecardId, _player1, snapshotTime);
+
+        assertEq(preBwa0, 375_000_000, "pending reserve should dilute tier 1 holder at snapshot");
+        assertEq(preBwa1, 750_000_000, "non-reserve tier holder keeps full post-BWA weight");
+        assertEq(preBwa0 + preBwa1 + preBwa1, 1_875_000_000, "three attestors start below adjusted quorum");
+
+        vm.warp(block.timestamp + 1);
+
+        JB721TiersMintReservesConfig[] memory reserveConfigs = new JB721TiersMintReservesConfig[](1);
+        reserveConfigs[0] = JB721TiersMintReservesConfig({tierId: 1, count: 1});
+        _nft.mintReservesFor(reserveConfigs);
+
+        uint256 postRaw0 = _gov.getAttestationWeight(_gameId, _player0, snapshotTime);
+        uint256 postBwa0 = _gov.getBWAAttestationWeight(_gameId, scorecardId, _player0, snapshotTime);
+
+        // After fix: getAttestationWeight reads live state (reserves are now minted), so raw weight goes up.
+        assertEq(postRaw0, 1_000_000_000, "minting reserves removes pending-reserve dilution in live view");
+
+        // After fix: getBWAAttestationWeight uses the snapshot, so pending-reserve dilution is preserved.
+        // The BWA weight does NOT double -- the snapshot prevents inflation.
+        assertEq(postBwa0, 375_000_000, "snapshot prevents reserve minting from inflating BWA power");
+
+        vm.startPrank(_player0);
+        _gov.attestToScorecardFrom(_gameId, scorecardId);
+        vm.stopPrank();
+        vm.startPrank(_player1);
+        _gov.attestToScorecardFrom(_gameId, scorecardId);
+        vm.stopPrank();
+        vm.startPrank(_player2);
+        _gov.attestToScorecardFrom(_gameId, scorecardId);
+        vm.stopPrank();
+
+        vm.warp(block.timestamp + _gov.attestationGracePeriodOf(_gameId) + 1);
+
+        // After fix: three attestors cannot reach quorum because the snapshot preserves the dilution.
+        // Their combined weight: 375M + 750M + 750M = 1,875M < quorum (2,000M base).
+        assertEq(
+            uint256(_gov.stateOf(_gameId, scorecardId)),
+            uint256(DefifaScorecardState.ACTIVE),
+            "reserve mint after snapshot does NOT let three attestors reach quorum"
+        );
+    }
+
+    function _evenScorecard() internal view returns (DefifaTierCashOutWeight[] memory scorecard) {
+        scorecard = new DefifaTierCashOutWeight[](4);
+        uint256 totalWeight = _nft.TOTAL_CASHOUT_WEIGHT();
+        uint256 perTier = totalWeight / 4;
+        for (uint256 i; i < 4; i++) {
+            scorecard[i] = DefifaTierCashOutWeight({id: i + 1, cashOutWeight: perTier});
+        }
+    }
+
+    function _launchData() internal returns (DefifaLaunchProjectData memory data) {
+        DefifaTierParams[] memory tiers = new DefifaTierParams[](4);
+        tiers[0] = DefifaTierParams({
+            reservedRate: 1,
+            reservedTokenBeneficiary: _reserveBeneficiary,
+            encodedIPFSUri: bytes32(0),
+            shouldUseReservedTokenBeneficiaryAsDefault: false,
+            name: "TEAM"
+        });
+        for (uint256 i = 1; i < 4; i++) {
+            tiers[i] = DefifaTierParams({
+                reservedRate: 1001,
+                reservedTokenBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                shouldUseReservedTokenBeneficiaryAsDefault: false,
+                name: "TEAM"
+            });
+        }
+
+        data = DefifaLaunchProjectData({
+            name: "DEFIFA",
+            projectUri: "",
+            contractUri: "",
+            baseUri: "",
+            tiers: tiers,
+            tierPrice: 1 ether,
+            token: JBAccountingContext({token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: JBCurrencyIds.ETH}),
+            mintPeriodDuration: 1 days,
+            refundPeriodDuration: 1 days,
+            start: uint48(block.timestamp + 3 days),
+            splits: new JBSplit[](0),
+            attestationStartTime: 0,
+            attestationGracePeriod: 100_381,
+            defaultAttestationDelegate: address(0),
+            defaultTokenUriResolver: IJB721TokenUriResolver(address(0)),
+            terminal: jbMultiTerminal(),
+            store: new JB721TiersHookStore(),
+            minParticipation: 0,
+            scorecardTimeout: 0,
+            timelockDuration: 0
+        });
+    }
+
+    function _launch(DefifaLaunchProjectData memory data)
+        internal
+        returns (uint256 projectId, DefifaHook nft, DefifaGovernor gov)
+    {
+        gov = _governorImpl;
+        projectId = _deployer.launchGameWith(data);
+        JBRuleset memory ruleset = jbRulesets().currentOf(projectId);
+        if (ruleset.dataHook() == address(0)) (ruleset,) = jbRulesets().latestQueuedOf(projectId);
+        nft = DefifaHook(ruleset.dataHook());
+    }
+
+    function _mint(address user, uint256 tierId) internal {
+        vm.deal(user, 1 ether);
+        uint16[] memory tiers = new uint16[](1);
+        tiers[0] = uint16(tierId);
+        bytes[] memory data = new bytes[](1);
+        data[0] = abi.encode(user, tiers);
+        bytes4[] memory ids = new bytes4[](1);
+        ids[0] = metadataHelper().getId("pay", address(_hookImpl));
+        bytes memory metadata = metadataHelper().createMetadata(ids, data);
+
+        vm.prank(user);
+        jbMultiTerminal().pay{value: 1 ether}(_pid, JBConstants.NATIVE_TOKEN, 1 ether, user, 0, "", metadata);
+    }
+
+    function _delegateSelf(address user, uint256 tierId) internal {
+        DefifaDelegation[] memory delegations = new DefifaDelegation[](1);
+        delegations[0] = DefifaDelegation({delegatee: user, tierId: tierId});
+        vm.prank(user);
+        _nft.setTierDelegatesTo(delegations);
+    }
+}

package/test/regression/AttestationDelegateBeneficiary.t.sol

@@ -248,7 +248,8 @@ contract AttestationDelegateBeneficiary is JBTest, TestBaseWorkflow {
             defaultTokenUriResolver: IJB721TokenUriResolver(address(0)),
             terminal: jbMultiTerminal(),
             minParticipation: 0,
-            scorecardTimeout: 0
+            scorecardTimeout: 0,
+            timelockDuration: 0
         });
 
         _mintPhaseStart = d.start - d.mintPeriodDuration - d.refundPeriodDuration;

package/test/regression/FulfillmentBlocksRatification.t.sol

@@ -251,7 +251,8 @@ contract FulfillmentBlocksRatification is JBTest, TestBaseWorkflow {
             defaultTokenUriResolver: IJB721TokenUriResolver(address(0)),
             terminal: jbMultiTerminal(),
             minParticipation: 0,
-            scorecardTimeout: 0
+            scorecardTimeout: 0,
+            timelockDuration: 0
         });
     }
 

package/test/regression/GracePeriodBypass.t.sol

@@ -274,7 +274,8 @@ contract GracePeriodBypass is JBTest, TestBaseWorkflow {
             defaultTokenUriResolver: IJB721TokenUriResolver(address(0)),
             terminal: jbMultiTerminal(),
             minParticipation: 0,
-            scorecardTimeout: 0
+            scorecardTimeout: 0,
+            timelockDuration: 0
         });
     }