@ballkidz/defifa 0.0.4 → 0.0.6

package/RISKS.md

@@ -101,7 +101,7 @@ Deep implementation-level risk analysis with line references, severity ratings,
 
 **Severity:** MEDIUM
 **Status:** BY DESIGN
-**Tested:** `DefifaSecurityTest.testM_D6_delegationBlocked`, `DefifaHook_AuditFindings.test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`
+**Tested:** `DefifaSecurityTest.testM_D6_delegationBlocked`, `DefifaHookRegressions.test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`
 
 **Description:** `setTierDelegateTo` and `setTierDelegatesTo` only work during MINT phase (DefifaHook lines 730, 740). After MINT, NFT transfers auto-delegate to the recipient (if no delegate set), but holders cannot explicitly re-delegate.
 
@@ -140,7 +140,7 @@ Deep implementation-level risk analysis with line references, severity ratings,
 
 **Severity:** LOW
 **Status:** MITIGATED
-**Tested:** `M36_FulfillmentBlocksRatification.test_ratificationSucceedsWhenFulfillmentReverts`
+**Tested:** `FulfillmentBlocksRatification.test_ratificationSucceedsWhenFulfillmentReverts`
 
 **Description:** `ratifyScorecardFrom` wraps `fulfillCommitmentsOf` in a try-catch (DefifaGovernor lines 402-405). If fulfillment fails (e.g., `sendPayoutsOf` reverts), the scorecard is still ratified and `FulfillmentFailed` event is emitted.
 
@@ -154,7 +154,7 @@ Deep implementation-level risk analysis with line references, severity ratings,
 
 **Severity:** LOW
 **Status:** FIXED (Regression tested)
-**Tested:** `M35_GracePeriodBypass.test_gracePeriodExtendsFromAttestationStart`
+**Tested:** `GracePeriodBypass.test_gracePeriodExtendsFromAttestationStart`
 
 **Description:** When a scorecard is submitted before `attestationStartTime`, the grace period could previously expire before attestations even begin. Fixed by anchoring `gracePeriodEnds` to `attestationsBegin` rather than submission time.
 
@@ -245,7 +245,7 @@ Deep implementation-level risk analysis with line references, severity ratings,
 
 **Severity:** HIGH (before fix)
 **Status:** FIXED
-**Tested:** `DefifaHook_AuditFindings.test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`, `test_M5_multipleTransfersToUndelegatedRecipientsPreserveUnits`
+**Tested:** `DefifaHookRegressions.test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`, `test_M5_multipleTransfersToUndelegatedRecipientsPreserveUnits`
 
 **Description:** Previously, transferring an NFT to a recipient with no delegate set would lose attestation units (sender's delegate lost units but no one gained them). Fixed by auto-delegating undelegated recipients to themselves in `_transferTierAttestationUnits` (DefifaHook lines 1001-1006).
 
@@ -314,15 +314,15 @@ Deep implementation-level risk analysis with line references, severity ratings,
 | RISK-6 Delegation locked | `DefifaSecurity.t.sol` | `testM_D6_delegationBlocked` |
 | RISK-7 Single governor | (No isolation test) | Design review only |
 | RISK-8 Clone front-running | (Implicit) | All `launchGameWith` tests |
-| RISK-9 Fulfillment failure | `regression/M36_FulfillmentBlocksRatification.t.sol` | `test_ratificationSucceedsWhenFulfillmentReverts` |
-| RISK-10 Grace period bypass | `regression/M35_GracePeriodBypass.t.sol` | `test_gracePeriodExtendsFromAttestationStart` |
+| RISK-9 Fulfillment failure | `regression/FulfillmentBlocksRatification.t.sol` | `test_ratificationSucceedsWhenFulfillmentReverts` |
+| RISK-10 Grace period bypass | `regression/GracePeriodBypass.t.sol` | `test_gracePeriodExtendsFromAttestationStart` |
 | RISK-11 Overweight scorecard | `DefifaSecurity.t.sol` | `testC_D2_rejectsOverweight` |
 | RISK-12 No-contest trigger | `DefifaNoContest.t.sol` | `testNoContest_cashOutBeforeTrigger_reverts`, `testTriggerNoContest_revertsWhenNotNoContest`, `testTriggerNoContest_revertsWhenAlreadyTriggered` |
 | RISK-13 `_totalMintCost` | `DefifaMintCostInvariant.t.sol` | `invariant_totalMintCostMatchesExpected`, `invariant_totalMintCostEqualsPriceTimesLiveTokens`, `invariant_tokenCountConsistency` |
 | RISK-14 Fee accounting | `DefifaFeeAccounting.t.sol` | All 6 tests |
 | RISK-15 Cash-out reentrancy | (Code review) | State ordering analysis |
 | RISK-16 Fulfillment reentrancy | (Code review) | Guard analysis |
-| RISK-17 Attestation conservation | `DefifaHook_AuditFindings.t.sol` | `test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`, `test_M5_multipleTransfersToUndelegatedRecipientsPreserveUnits` |
+| RISK-17 Attestation conservation | `DefifaHookRegressions.t.sol` | `test_M5_attestationUnitsPreservedOnTransferToUndelegatedRecipient`, `test_M5_multipleTransfersToUndelegatedRecipientsPreserveUnits` |
 | RISK-18 Fund conservation | `DefifaSecurity.t.sol` | `testFuzz_fundConservation`, `testHighVolume_32tiers`, `testMultiPlayer_winnerTakesAll`, `testRefundIntegrity` |
 | RISK-19 uint208 overflow | (Bounded analysis) | Arithmetic review |
 | RISK-20 Timestamp caching | (Test infrastructure) | `TimestampReader` pattern |

package/STYLE_GUIDE.md

@@ -2,8 +2,6 @@
 
 How we write Solidity and organize repos across the Juicebox V6 ecosystem. `nana-core-v6` is the gold standard — when in doubt, match what it does.
 
-**This repo's deviations:** `via-ir = true`, `build_info = true`, `extra_output = ['storageLayout']`. Lower invariant runs (256/depth 50). Package scope: `@ballkidz/`.
-
 ## File Organization
 
 ```
@@ -19,8 +17,6 @@ src/
 
 One contract/interface/struct/enum per file. Name the file after the type it contains.
 
-**Structs, enums, libraries, and interfaces always go in their subdirectories** (`src/structs/`, `src/enums/`, `src/libraries/`, `src/interfaces/`) — never inline in contract files or placed in `src/` root. This keeps type definitions discoverable and import paths consistent across repos.
-
 ## Pragma Versions
 
 ```solidity
@@ -108,14 +104,6 @@ contract JBExample is JBPermissioned, IJBExample {
     // -------------------------- constructor ---------------------------- //
     //*********************************************************************//
 
-    //*********************************************************************//
-    // ---------------------- receive / fallback ------------------------- //
-    //*********************************************************************//
-
-    //*********************************************************************//
-    // --------------------------- modifiers ----------------------------- //
-    //*********************************************************************//
-
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
@@ -143,28 +131,23 @@ contract JBExample is JBPermissioned, IJBExample {
 ```
 
 **Section order:**
-1. `using` declarations
-2. Custom errors
-3. Public constants
-4. Internal constants
-5. Public immutable stored properties
-6. Internal immutable stored properties
-7. Public stored properties
-8. Internal stored properties
-9. Constructor
-10. `receive` / `fallback`
-11. Modifiers
-12. External transactions
-13. External views
-14. Public transactions
-15. Internal helpers
-16. Internal views
-17. Private helpers
+1. Custom errors
+2. Public constants
+3. Internal constants
+4. Public immutable stored properties
+5. Internal immutable stored properties
+6. Public stored properties
+7. Internal stored properties
+8. Constructor
+9. External transactions
+10. External views
+11. Public transactions
+12. Internal helpers
+13. Internal views
+14. Private helpers
 
 Functions are alphabetized within each section.
 
-**Events:** Events are declared in interfaces only, never in implementation contracts. Implementations inherit events from their interface and emit them unqualified. This keeps the ABI definition in one place and allows tests to use interface-qualified event expectations (e.g., `emit IJBController.LaunchProject(...)`).
-
 ## Interface Structure
 
 ```solidity
@@ -336,9 +319,6 @@ optimizer_runs = 200
 libs = ["node_modules", "lib"]
 fs_permissions = [{ access = "read-write", path = "./"}]
 
-[profile.ci_sizes]
-optimizer_runs = 200
-
 [fuzz]
 runs = 4096
 
@@ -353,18 +333,14 @@ multiline_func_header = "all"
 wrap_comments = true
 ```
 
-**Variations:**
-- `evm_version = 'cancun'` for repos using transient storage (buyback-hook, router-terminal, univ4-router)
-- `via_ir = true` for repos hitting stack-too-deep (buyback-hook, banny-retail, univ4-lp-split-hook, deploy-all)
-- `optimizer = false` only for deploy-all-v6 (stack-too-deep with optimization)
-
-**This repo uses:**
-- `via-ir = true` (note: hyphen not underscore in this repo's foundry.toml)
-- `build_info = true`, `extra_output = ['storageLayout']`
-- `[rpc_endpoints]` for ethereum, optimism, arbitrum, base, and their testnets
-- `[invariant]` with `runs = 256`, `depth = 50` (lower than standard)
-- No `[fuzz]` section
-- `[lint]` section with `lint_on_build = false`
+**Optional sections (add only when needed):**
+- `[rpc_endpoints]` — repos with fork tests. Maps named endpoints to env vars (e.g. `ethereum = "${RPC_ETHEREUM_MAINNET}"`).
+- `[profile.ci_sizes]` — only when CI needs different optimizer settings than defaults for the size check step (e.g. `optimizer_runs = 200` when the default profile uses a lower value).
+
+**Common variations:**
+- `via_ir = true` when hitting stack-too-deep
+- `optimizer = false` when optimization causes stack-too-deep
+- `optimizer_runs` reduced when deep struct nesting causes stack-too-deep at 200 runs
 
 ### CI Workflows
 
@@ -397,7 +373,7 @@ jobs:
         env:
           RPC_ETHEREUM_MAINNET: ${{ secrets.RPC_ETHEREUM_MAINNET }}
       - name: Check contract sizes
-        run: FOUNDRY_PROFILE=ci_sizes forge build --sizes --skip "*/test/**" --skip "*/script/**" --skip SphinxUtils
+        run: forge build --sizes --skip "*/test/**" --skip "*/script/**" --skip SphinxUtils
 ```
 
 **lint.yml:**
@@ -419,11 +395,60 @@ jobs:
         run: forge fmt --check
 ```
 
+**slither.yml** (repos with `src/` contracts only):
+```yaml
+name: slither
+on:
+    pull_request:
+      branches:
+        - main
+    push:
+      branches:
+        - main
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - uses: actions/setup-node@v4
+        with:
+          node-version: latest
+      - name: Install npm dependencies
+        run: npm install --omit=dev
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+      - name: Run slither
+        uses: crytic/slither-action@v0.3.1
+        with:
+            slither-config: slither-ci.config.json
+            fail-on: medium
+```
+
+**slither-ci.config.json:**
+```json
+{
+  "detectors_to_exclude": "timestamp,uninitialized-local,naming-convention,solc-version,shadowing-local",
+  "exclude_informational": true,
+  "exclude_low": false,
+  "exclude_medium": false,
+  "exclude_high": false,
+  "disable_color": false,
+  "filter_paths": "(mocks/|test/|node_modules/|lib/)",
+  "legacy_ast": false
+}
+```
+
+**Variations:**
+- Deployer-only repos (no `src/`, only `script/`) skip slither entirely — the action's internal `forge build` skips `test/` and `script/` by default, leaving nothing to compile.
+- Use inline `// slither-disable-next-line <detector>` to suppress known false positives rather than adding to `detectors_to_exclude` in the config. The comment must be on the line immediately before the flagged expression.
+
 ### package.json
 
 ```json
 {
-  "name": "@ballkidz/defifa",
+  "name": "@bananapus/package-name-v6",
   "version": "x.x.x",
   "license": "MIT",
   "repository": { "type": "git", "url": "git+https://github.com/Org/repo.git" },
@@ -443,13 +468,62 @@ jobs:
 
 ### remappings.txt
 
-Every repo has a `remappings.txt`. Minimal content:
+Every repo has a `remappings.txt` as the **single source of truth** for import remappings. Never add remappings to `foundry.toml`.
+
+**Principle:** Import paths in Solidity source must match npm package names exactly. With `libs = ["node_modules", "lib"]`, Foundry auto-resolves `@scope/package/path/File.sol` → `node_modules/@scope/package/path/File.sol`. No remapping needed for packages installed as real directories.
+
+**Note:** Auto-resolution does **not** work for symlinked packages (e.g. npm workspace links). Workspace repos like `deploy-all-v6` and `nana-cli-v6` need explicit `@scope/package/=node_modules/@scope/package/` remappings for each symlinked dependency.
+
+**Minimal content** (most repos):
 
 ```
-@sphinx-labs/contracts/=lib/sphinx/packages/contracts/contracts/foundry
+forge-std/=lib/forge-std/src/
 ```
 
-Additional mappings as needed for repo-specific dependencies.
+Only add extra remappings for:
+- **`forge-std`** — always needed (git submodule with `src/` subdirectory)
+- **Repo-specific `lib/` submodules** that have no npm package (e.g., `hookmate/=lib/hookmate/src/`)
+- **Symlinked npm packages** — need explicit `@scope/package/=node_modules/@scope/package/` entries
+- **Nested transitive deps** — e.g., `@chainlink/contracts-ccip/` nested inside `@bananapus/suckers-v6/node_modules/`
+
+**Never add remappings for:**
+- npm packages that match their import path and are installed as real directories — they auto-resolve
+- Short-form aliases (e.g., `@bananapus/core/` → `@bananapus/core-v6/src/`) — fix the import instead
+- Packages available via npm that are also git submodules — remove the submodule, use npm
+
+**Import path convention:**
+
+| Package | Import path | Resolves to |
+|---------|------------|-------------|
+| `@bananapus/core-v6` | `@bananapus/core-v6/src/libraries/JBConstants.sol` | `node_modules/@bananapus/core-v6/src/...` |
+| `@openzeppelin/contracts` | `@openzeppelin/contracts/token/ERC20/IERC20.sol` | `node_modules/@openzeppelin/contracts/...` |
+| `@uniswap/v4-core` | `@uniswap/v4-core/src/interfaces/IPoolManager.sol` | `node_modules/@uniswap/v4-core/src/...` |
+
+### Linting
+
+Solar (Foundry's built-in linter) runs automatically during `forge build`. It scans all `.sol` files in `libs` directories, including `node_modules`.
+
+**All test helpers must use relative imports** (e.g. `../../src/structs/JBRuleset.sol`), not bare `src/` imports. This ensures solar can resolve paths when the helper is consumed via npm in downstream repos.
+
+### Fork Tests
+
+Fork tests use named RPC endpoints defined in `[rpc_endpoints]` of `foundry.toml`. No skip guards — fork tests should hard-fail if the RPC endpoint is unavailable, making CI failures explicit.
+
+```solidity
+function setUp() public {
+    vm.createSelectFork("ethereum");
+    // ... setup code
+}
+```
+
+The endpoint name (e.g. `"ethereum"`) maps to an env var via `foundry.toml`:
+
+```toml
+[rpc_endpoints]
+ethereum = "${RPC_ETHEREUM_MAINNET}"
+```
+
+For multi-chain fork tests, add all needed endpoints.
 
 ### Formatting
 
@@ -460,15 +534,6 @@ Run `forge fmt` before committing. The `[fmt]` config in `foundry.toml` enforces
 
 CI checks formatting via `forge fmt --check`.
 
-### CI Secrets
-
-| Secret | Purpose |
-|--------|--------|
-| `NPM_TOKEN` | npm publish access (used by `publish.yml`) |
-| `RPC_ETHEREUM_MAINNET` | Ethereum mainnet RPC URL for fork tests (used by `test.yml`) |
-
-Fork tests require `RPC_ETHEREUM_MAINNET` — they fail if it's missing.
-
 ### Branching
 
 - `main` is the primary branch
@@ -486,4 +551,8 @@ Fork tests require `RPC_ETHEREUM_MAINNET` — they fail if it's missing.
 
 ### Contract Size Checks
 
-CI runs `FOUNDRY_PROFILE=ci_sizes forge build --sizes` to catch contracts approaching the 24KB limit. The `ci_sizes` profile uses `optimizer_runs = 200` for realistic size measurement even when the default profile has different optimizer settings.
+CI runs `forge build --sizes` to catch contracts approaching the 24KB limit. When the repo's default `optimizer_runs` differs from what you want for size checking, use `FOUNDRY_PROFILE=ci_sizes forge build --sizes` with a `[profile.ci_sizes]` section in `foundry.toml`.
+
+## Repo-Specific Deviations
+
+None. This repo follows the standard configuration exactly.

package/foundry.toml

@@ -6,18 +6,8 @@ optimizer_runs = 200
 libs = ["node_modules", "lib"]
 fs_permissions = [{ access = "read-write", path = "./"}]
 
-[profile.ci_sizes]
-optimizer_runs = 200
-
 [rpc_endpoints]
 ethereum = "${RPC_ETHEREUM_MAINNET}"
-optimism = "${RPC_OPTIMISM_MAINNET}"
-arbitrum = "${RPC_ARBITRUM_MAINNET}"
-base = "${RPC_BASE_MAINNET}"
-arbitrum_sepolia = "${RPC_ARBITRUM_SEPOLIA}"
-ethereum_sepolia = "${RPC_ETHEREUM_SEPOLIA}"
-optimism_sepolia = "${RPC_OPTIMISM_SEPOLIA}"
-base_sepolia = "${RPC_BASE_SEPOLIA}"
 
 [fuzz]
 runs = 4096

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ballkidz/defifa",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "license": "MIT",
   "engines": {
     "node": ">=20.0.0"
@@ -13,11 +13,11 @@
     "url": "https://github.com/BallKidz/defifa-collection-deployer"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.9",
-    "@bananapus/address-registry-v6": "^0.0.4",
-    "@bananapus/core-v6": "^0.0.10",
-    "@bananapus/permission-ids-v6": "^0.0.5",
-    "@openzeppelin/contracts": "5.2.0",
+    "@bananapus/721-hook-v6": "^0.0.14",
+    "@bananapus/address-registry-v6": "^0.0.8",
+    "@bananapus/core-v6": "^0.0.15",
+    "@bananapus/permission-ids-v6": "^0.0.8",
+    "@openzeppelin/contracts": "^5.6.1",
     "@prb/math": "^4.1.1",
     "scripty.sol": "^2.1.1"
   },

package/remappings.txt

@@ -1,6 +1 @@
-@openzeppelin/=node_modules/@openzeppelin/
-@prb/math/=node_modules/@prb/math/
-@bananapus/=node_modules/@bananapus/
-@sphinx-labs/contracts/=node_modules/@sphinx-labs/contracts/contracts/foundry/
 forge-std/=lib/forge-std/src/
-scripty.sol/=node_modules/scripty.sol/

package/script/Deploy.s.sol

@@ -9,7 +9,7 @@ import {DefifaDeployer} from "../src/DefifaDeployer.sol";
 import {DefifaGovernor} from "../src/DefifaGovernor.sol";
 import {DefifaProjectOwner} from "../src/DefifaProjectOwner.sol";
 import {DefifaTokenUriResolver} from "../src/DefifaTokenUriResolver.sol";
-import {Sphinx} from "@sphinx-labs/contracts/SphinxPlugin.sol";
+import {Sphinx} from "@sphinx-labs/contracts/contracts/foundry/SphinxPlugin.sol";
 
 import {CoreDeployment, CoreDeploymentLib} from "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";
 import {

package/script/helpers/DefifaDeploymentLib.sol

@@ -9,7 +9,7 @@ import {DefifaDeployer} from "../../src/DefifaDeployer.sol";
 import {DefifaGovernor} from "../../src/DefifaGovernor.sol";
 import {DefifaTokenUriResolver} from "../../src/DefifaTokenUriResolver.sol";
 
-import {SphinxConstants, NetworkInfo} from "@sphinx-labs/contracts/SphinxConstants.sol";
+import {SphinxConstants, NetworkInfo} from "@sphinx-labs/contracts/contracts/foundry/SphinxConstants.sol";
 
 struct DefifaDeployment {
     DefifaHook hook;

package/src/DefifaDeployer.sol

@@ -411,8 +411,8 @@ contract DefifaDeployer is IDefifaDeployer, IDefifaGamePhaseReporter, IDefifaGam
         }
 
         // Make sure the provided gameplay timestamps are sequential and that there is a mint duration.
-        // slither-disable-next-line incorrect-equality
         if (
+            // slither-disable-next-line incorrect-equality
             launchProjectData.mintPeriodDuration == 0
                 || launchProjectData.start
                     < block.timestamp + launchProjectData.refundPeriodDuration + launchProjectData.mintPeriodDuration

package/src/DefifaHook.sol

@@ -532,6 +532,7 @@ contract DefifaHook is JB721Hook, Ownable, IDefifaHook {
     /// @notice Mint reserved tokens within the tier for the provided value.
     /// @param tierId The ID of the tier to mint within.
     /// @param count The number of reserved tokens to mint.
+    // slither-disable-next-line reentrancy-no-eth
     function mintReservesFor(uint256 tierId, uint256 count) public override {
         // Minting reserves must not be paused.
         if (JB721TiersRulesetMetadataResolver.mintPendingReservesPaused(

package/src/interfaces/IDefifaDeployer.sol

@@ -2,7 +2,6 @@
 pragma solidity 0.8.26;
 
 import {DefifaLaunchProjectData} from "../structs/DefifaLaunchProjectData.sol";
-import {DefifaOpsData} from "../structs/DefifaOpsData.sol";
 import {IDefifaHook} from "./IDefifaHook.sol";
 import {IDefifaGovernor} from "./IDefifaGovernor.sol";
 

package/src/interfaces/IDefifaGovernor.sol

@@ -3,7 +3,6 @@ pragma solidity 0.8.26;
 
 import {DefifaScorecardState} from "../enums/DefifaScorecardState.sol";
 import {DefifaTierCashOutWeight} from "../structs/DefifaTierCashOutWeight.sol";
-import {IDefifaHook} from "./IDefifaHook.sol";
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
 
 /// @notice Manages the ratification of Defifa scorecards through attestation-based governance.

package/src/interfaces/IDefifaTokenUriResolver.sol

@@ -2,8 +2,6 @@
 pragma solidity 0.8.26;
 
 import {ITypeface} from "lib/typeface/contracts/interfaces/ITypeface.sol";
-import {IDefifaHook} from "./IDefifaHook.sol";
-import {IDefifaGamePhaseReporter} from "./IDefifaGamePhaseReporter.sol";
 
 interface IDefifaTokenUriResolver {
     function typeface() external view returns (ITypeface);

package/src/structs/DefifaLaunchProjectData.sol

@@ -2,9 +2,7 @@
 pragma solidity 0.8.26;
 
 import {DefifaTierParams} from "./DefifaTierParams.sol";
-import {DefifaOpsData} from "./DefifaOpsData.sol";
 
-import {JBLaunchProjectConfig} from "@bananapus/721-hook-v6/src/structs/JBLaunchProjectConfig.sol";
 import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
 import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
 import {IJB721TokenUriResolver} from "@bananapus/721-hook-v6/src/interfaces/IJB721TokenUriResolver.sol";

package/test/DefifaFeeAccounting.t.sol

@@ -463,7 +463,7 @@ contract DefifaFeeAccountingTest is JBTest, TestBaseWorkflow {
     /// @notice Mint 1 NFT per tier, set delegation, return array of user addresses.
     function _mintAllTiers(
         DefifaHook _nft,
-        DefifaGovernor _governor,
+        DefifaGovernor,
         uint256 projectId,
         uint8 nTiers
     )
@@ -499,7 +499,7 @@ contract DefifaFeeAccountingTest is JBTest, TestBaseWorkflow {
         address[] memory users,
         DefifaHook _nft,
         DefifaGovernor _governor,
-        uint256 projectId,
+        uint256,
         uint8 nTiers
     )
         internal
@@ -541,7 +541,7 @@ contract DefifaFeeAccountingTest is JBTest, TestBaseWorkflow {
         return (_tierId * 1_000_000_000) + _tokenNumber;
     }
 
-    function _buildPayMetadata(bytes memory metadata) internal returns (bytes memory) {
+    function _buildPayMetadata(bytes memory metadata) internal view returns (bytes memory) {
         bytes[] memory data = new bytes[](1);
         data[0] = metadata;
         bytes4[] memory ids = new bytes4[](1);
@@ -549,7 +549,7 @@ contract DefifaFeeAccountingTest is JBTest, TestBaseWorkflow {
         return metadataHelper().createMetadata(ids, data);
     }
 
-    function _buildCashOutMetadata(bytes memory metadata) internal returns (bytes memory) {
+    function _buildCashOutMetadata(bytes memory metadata) internal view returns (bytes memory) {
         bytes[] memory data = new bytes[](1);
         data[0] = metadata;
         bytes4[] memory ids = new bytes4[](1);

package/test/DefifaGovernor.t.sol

@@ -444,8 +444,8 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
     }
 
     function testSetCashOutRatesAndRedeem_multipleTiers(uint8 nTiers, uint8[] calldata distribution) public {
-        vm.assume(nTiers > 10 && nTiers < 100);
-        vm.assume(distribution.length < nTiers);
+        nTiers = uint8(bound(uint256(nTiers), 11, 99));
+        vm.assume(distribution.length > 0 && distribution.length < nTiers);
 
         uint256 _sumDistribution;
         for (uint256 i = 0; i < distribution.length; i++) {
@@ -631,7 +631,6 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
         JB721Tier memory _tier = _hook.store().tierOf(address(_hook), 1, false);
         uint256 _cost = _tier.price;
 
-        address _delegateUser = address(bytes20(keccak256("_delegateUser")));
         address _refundUser = address(bytes20(keccak256("refund_user")));
         // The user should have no balance
         assertEq(_hook.balanceOf(_refundUser), 0);
@@ -931,8 +930,6 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
             _durationUntilProjectLaunch > 2 && _mintPeriodDuration > 1 && _inBetweenMintAndFifa > 1 && _fifaDuration > 1
         );
         uint48 _launchProjectAt = uint48(block.timestamp) + _durationUntilProjectLaunch;
-        uint48 _end =
-            _launchProjectAt + uint48(_mintPeriodDuration) + uint48(_inBetweenMintAndFifa) + uint48(_fifaDuration);
         DefifaTierParams[] memory tierParams = new DefifaTierParams[](1);
         tierParams[0] = DefifaTierParams({
             reservedRate: 1001,
@@ -988,12 +985,10 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
 
     function testWhenScorecardIsSubmittedWithUnmintedTier() public {
         uint8 nTiers = 10;
-        address[] memory _users = new address[](nTiers);
         DefifaLaunchProjectData memory defifaData = getBasicDefifaLaunchData(nTiers);
-        (uint256 _projectId, DefifaHook _nft, DefifaGovernor _governor) = createDefifaProject(defifaData);
+        (,, DefifaGovernor _governor) = createDefifaProject(defifaData);
         // Phase 1: Mint
         vm.warp(defifaData.start - defifaData.mintPeriodDuration - defifaData.refundPeriodDuration);
-        //deployer.queueNextPhaseOf(_projectId);
 
         // Warp to scoring phase (past start time)
         vm.warp(defifaData.start + 1);
@@ -1007,7 +1002,7 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
 
         vm.expectRevert(abi.encodeWithSignature("DefifaGovernor_UnownedProposedCashoutValue()"));
         // Forward time so proposals can be created
-        uint256 _proposalId = _governor.submitScorecardFor(_gameId, scorecards);
+        _governor.submitScorecardFor(_gameId, scorecards);
     }
 
     // function testWhenPhaseIsAlreadyQueued() public {
@@ -1256,7 +1251,6 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
         assertEq(_refundUser.balance, 0);
         // The user should have have a token
         assertEq(_hook.balanceOf(_refundUser), 1);
-        uint256 _numberBurned = _hook.store().numberOfBurnedFor(address(_hook), _tierId);
         // Craft the metadata: redeem the tokenId
         bytes memory cashOutMetadata;
         {
@@ -1305,7 +1299,7 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
         return (_tierId * 1_000_000_000) + _tokenNumber;
     }
 
-    function _buildPayMetadata(bytes memory metadata) internal returns (bytes memory) {
+    function _buildPayMetadata(bytes memory metadata) internal view returns (bytes memory) {
         // Build the metadata using the tiers to mint and the overspending flag.
         bytes[] memory data = new bytes[](1);
         data[0] = metadata;
@@ -1318,7 +1312,7 @@ contract DefifaGovernorTest is JBTest, TestBaseWorkflow {
         return metadataHelper().createMetadata(ids, data);
     }
 
-    function _buildCashOutMetadata(bytes memory metadata) internal returns (bytes memory) {
+    function _buildCashOutMetadata(bytes memory metadata) internal view returns (bytes memory) {
         // Build the metadata using the tiers to mint and the overspending flag.
         bytes[] memory data = new bytes[](1);
         data[0] = metadata;

package/test/{DefifaHook_AuditFindings.t.sol → DefifaHookRegressions.t.sol}

@@ -30,18 +30,18 @@ import {DefifaTierParams} from "../src/structs/DefifaTierParams.sol";
 import {DefifaTierCashOutWeight} from "../src/structs/DefifaTierCashOutWeight.sol";
 
 /// @dev Helper to read block.timestamp via an external call, bypassing the via-ir optimizer's timestamp caching.
-contract TimestampReaderAudit {
+contract TimestampReaderRegressions {
     function timestamp() external view returns (uint256) {
         return block.timestamp;
     }
 }
 
-/// @title DefifaHook_AuditFindings
+/// @title DefifaHookRegressions
 /// @notice Regression tests for audit findings in DefifaHook.
-contract DefifaHook_AuditFindings is JBTest, TestBaseWorkflow {
+contract DefifaHookRegressions is JBTest, TestBaseWorkflow {
     using JBRulesetMetadataResolver for JBRuleset;
 
-    TimestampReaderAudit private _tsReader = new TimestampReaderAudit();
+    TimestampReaderRegressions private _tsReader = new TimestampReaderRegressions();
 
     address _protocolFeeProjectTokenAccount;
     address _defifaProjectTokenAccount;
@@ -364,7 +364,7 @@ contract DefifaHook_AuditFindings is JBTest, TestBaseWorkflow {
         return (_tierId * 1_000_000_000) + _tokenNumber;
     }
 
-    function _buildPayMetadata(bytes memory metadata) internal returns (bytes memory) {
+    function _buildPayMetadata(bytes memory metadata) internal view returns (bytes memory) {
         bytes[] memory data = new bytes[](1);
         data[0] = metadata;
         bytes4[] memory ids = new bytes4[](1);

package/test/DefifaNoContest.t.sol

@@ -892,7 +892,7 @@ contract DefifaNoContestTest is JBTest, TestBaseWorkflow {
             });
     }
 
-    function _cashOutMeta(uint256 tid, uint256 tnum) internal returns (bytes memory) {
+    function _cashOutMeta(uint256 tid, uint256 tnum) internal view returns (bytes memory) {
         uint256[] memory cid = new uint256[](1);
         cid[0] = (tid * 1_000_000_000) + tnum;
         bytes[] memory data = new bytes[](1);

package/test/DefifaSecurity.t.sol

@@ -678,7 +678,7 @@ contract DefifaSecurityTest is JBTest, TestBaseWorkflow {
             });
     }
 
-    function _cashOutMeta(uint256 tid, uint256 tnum) internal returns (bytes memory) {
+    function _cashOutMeta(uint256 tid, uint256 tnum) internal view returns (bytes memory) {
         uint256[] memory cid = new uint256[](1);
         cid[0] = (tid * 1_000_000_000) + tnum;
         bytes[] memory data = new bytes[](1);