@bananapus/721-hook-v6 0.0.19 → 0.0.21

package/src/abstract/JB721Hook.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
@@ -14,7 +14,6 @@ import {JBBeforePayRecordedContext} from "@bananapus/core-v6/src/structs/JBBefor
 import {JBCashOutHookSpecification} from "@bananapus/core-v6/src/structs/JBCashOutHookSpecification.sol";
 import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
 import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
-import {IERC2981} from "@openzeppelin/contracts/interfaces/IERC2981.sol";
 import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
 
 import {IJB721Hook} from "../interfaces/IJB721Hook.sol";
@@ -160,10 +159,11 @@ abstract contract JB721Hook is ERC721, IJB721Hook {
     /// @notice Indicates if this contract adheres to the specified interface.
     /// @dev See {IERC165-supportsInterface}.
     /// @param interfaceId The ID of the interface to check for adherence to.
+    // ERC-2981 royalty support was removed — no royaltyInfo implementation exists.
     function supportsInterface(bytes4 interfaceId) public view virtual override(ERC721, IERC165) returns (bool) {
         return interfaceId == type(IJB721Hook).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
             || interfaceId == type(IJBPayHook).interfaceId || interfaceId == type(IJBCashOutHook).interfaceId
-            || interfaceId == type(IERC2981).interfaceId || super.supportsInterface(interfaceId);
+            || super.supportsInterface(interfaceId);
     }
 
     /// @notice Calculates the cumulative cash out weight of all NFT token IDs.

package/src/libraries/JB721TiersHookLib.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPrices} from "@bananapus/core-v6/src/interfaces/IJBPrices.sol";
@@ -249,7 +249,9 @@ library JB721TiersHookLib {
         uint256 pricingCurrency = uint256(uint32(packedPricingContext));
         if (amountCurrency == pricingCurrency) return (totalSplitAmount, splitMetadata);
 
-        if (address(prices) == address(0)) return (totalSplitAmount, splitMetadata);
+        // No price oracle available to convert between currencies. Return 0 to skip the split rather than
+        // forwarding an unconverted amount denominated in the wrong currency, which would over- or under-pay.
+        if (address(prices) == address(0)) return (0, splitMetadata);
 
         // forge-lint: disable-next-line(unsafe-typecast)
         uint256 pricingDecimals = uint256(uint8(packedPricingContext >> 32));
@@ -370,6 +372,12 @@ library JB721TiersHookLib {
     }
 
     /// @notice Distributes funds for a single tier's split group.
+    /// @dev Edge case: if both `_sendPayoutToSplit` returns false (reverting hook/terminal/beneficiary) AND the
+    /// subsequent `addToBalanceOf` call also reverts for the leftover amount, native ETH will remain stranded in the
+    /// hook contract with no recovery path. This requires two independent external call failures for the same split
+    /// payout and is a pre-existing documented edge case. ERC-20 tokens are not affected because failed
+    /// `addToBalanceOf` calls reset the approval. ERC-20 tokens remain in the hook contract. There is no built-in
+    /// recovery mechanism.
     function _distributeSingleSplit(
         IJBDirectory directory,
         IJBSplits splitsContract,
@@ -594,7 +602,13 @@ library JB721TiersHookLib {
                 (bool success,) = split.beneficiary.call{value: amount}("");
                 if (!success) return false;
             } else {
-                SafeERC20.safeTransfer({token: IERC20(token), to: split.beneficiary, value: amount});
+                // Use the same low-level call + returndata check as SafeERC20.safeTransfer, but return
+                // false on failure instead of reverting. This handles non-standard tokens (e.g. USDT)
+                // that return void, while routing failed transfers to the project's balance instead
+                // of bricking all payments.
+                (bool callSuccess, bytes memory returndata) =
+                    address(token).call(abi.encodeCall(IERC20.transfer, (split.beneficiary, amount)));
+                if (!callSuccess || (returndata.length != 0 && !abi.decode(returndata, (bool)))) return false;
             }
             return true;
         }

package/test/721HookAttacks.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "./utils/UnitTestSetup.sol";

package/test/E2E/Pay_Mint_Redeem_E2E.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

package/test/Fork.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/TestAuditGaps.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "./utils/UnitTestSetup.sol";

package/test/TestSafeTransferReentrancy.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "./utils/UnitTestSetup.sol";

package/test/TestVotingUnitsLifecycle.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "./utils/UnitTestSetup.sol";

package/test/audit/AuditRegressions.t.sol

@@ -0,0 +1,83 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// Import the shared unit test setup which deploys a hook clone with 10 tiers.
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "../utils/UnitTestSetup.sol";
+
+// Import IERC2981 to compute its interface ID for the supportsInterface test.
+import {IERC2981} from "@openzeppelin/contracts/interfaces/IERC2981.sol";
+
+/// @notice Regression tests covering three audit findings for nana-721-hook-v6.
+contract AuditRegressions is UnitTestSetup {
+    // -----------------------------------------------------------------------
+    // 1. Double-initialization guard
+    // -----------------------------------------------------------------------
+
+    /// @notice Calling initialize on an already-initialized clone must revert.
+    function test_doubleInitialization_reverts() public {
+        // The `hook` from setUp() is already initialized via the deployer.
+        // Expect a revert with AlreadyInitialized carrying the existing project ID.
+        vm.expectRevert(abi.encodeWithSelector(JB721TiersHook.JB721TiersHook_AlreadyInitialized.selector, projectId));
+
+        // Attempt to initialize the hook again with valid parameters — must revert.
+        hook.initialize(
+            projectId,
+            "AnotherName",
+            "AN",
+            baseUri,
+            IJB721TokenUriResolver(mockTokenUriResolver),
+            contractUri,
+            JB721InitTiersConfig({
+                tiers: new JB721TierConfig[](0), currency: uint32(uint160(JBConstants.NATIVE_TOKEN)), decimals: 18
+            }),
+            JB721TiersHookFlags({
+                preventOverspending: false,
+                issueTokensForSplits: false,
+                noNewTiersWithReserves: false,
+                noNewTiersWithVotes: false,
+                noNewTiersWithOwnerMinting: false
+            })
+        );
+    }
+
+    // -----------------------------------------------------------------------
+    // 2. recordSetDiscountPercentOf on a removed tier must revert
+    // -----------------------------------------------------------------------
+
+    /// @notice Setting the discount percent on a tier that has been removed must revert.
+    function test_setDiscountPercent_removedTier_reverts() public {
+        // The hook from setUp() has 10 tiers (IDs 1-10). Remove tier 1.
+        uint256[] memory tierIdsToRemove = new uint256[](1);
+
+        // Select tier 1 to remove.
+        tierIdsToRemove[0] = 1;
+
+        // Remove tier 1 as the hook owner.
+        vm.prank(owner);
+        hook.adjustTiers(new JB721TierConfig[](0), tierIdsToRemove);
+
+        // Expect a revert with TierRemoved when setting discount on the removed tier.
+        vm.expectRevert(abi.encodeWithSelector(JB721TiersHookStore.JB721TiersHookStore_TierRemoved.selector, 1));
+
+        // Attempt to set a discount on the removed tier — must revert.
+        vm.prank(owner);
+        hook.setDiscountPercentOf(1, 50);
+    }
+
+    // -----------------------------------------------------------------------
+    // 3. ERC-2981 supportsInterface returns false (support was removed)
+    // -----------------------------------------------------------------------
+
+    /// @notice supportsInterface must return false for IERC2981 since royalty support was removed.
+    function test_supportsInterface_erc2981_returnsFalse() public {
+        // Compute the IERC2981 interface ID from the imported interface.
+        bytes4 erc2981InterfaceId = type(IERC2981).interfaceId;
+
+        // Query supportsInterface on the hook.
+        bool supported = hook.supportsInterface(erc2981InterfaceId);
+
+        // Assert that ERC-2981 is NOT supported.
+        assertFalse(supported, "ERC-2981 must not be supported after royalty removal");
+    }
+}

package/test/audit/CodexNemesis_CrossCurrencySplitNoPrices.t.sol

@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "../utils/UnitTestSetup.sol";
+import {IJB721TokenUriResolver} from "../../src/interfaces/IJB721TokenUriResolver.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBPrices} from "@bananapus/core-v6/src/interfaces/IJBPrices.sol";
+import {IJBRulesets} from "@bananapus/core-v6/src/interfaces/IJBRulesets.sol";
+import {IJBSplits} from "@bananapus/core-v6/src/interfaces/IJBSplits.sol";
+import {JBBeforePayRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforePayRecordedContext.sol";
+
+contract CodexNemesis_CrossCurrencySplitNoPrices is UnitTestSetup {
+    function test_crossCurrencySplit_withoutPrices_locksForwardedNativeFunds() public {
+        JB721TiersHook noPricesOrigin = new JB721TiersHook(
+            IJBDirectory(mockJBDirectory),
+            IJBPermissions(mockJBPermissions),
+            IJBPrices(address(0)),
+            IJBRulesets(mockJBRulesets),
+            store,
+            IJBSplits(mockJBSplits),
+            trustedForwarder
+        );
+
+        address noPricesProxy = makeAddr("noPricesProxy");
+        vm.etch(noPricesProxy, address(noPricesOrigin).code);
+        JB721TiersHook crossHook = JB721TiersHook(noPricesProxy);
+
+        (JB721TierConfig[] memory tierConfigs,) = _createTiers(defaultTierConfig, 1);
+        tierConfigs[0].price = 1 ether;
+        tierConfigs[0].splitPercent = 500_000_000; // 50%
+
+        crossHook.initialize(
+            projectId,
+            name,
+            symbol,
+            baseUri,
+            IJB721TokenUriResolver(mockTokenUriResolver),
+            contractUri,
+            JB721InitTiersConfig({tiers: tierConfigs, currency: uint32(USD()), decimals: 18}),
+            JB721TiersHookFlags({
+                preventOverspending: false,
+                issueTokensForSplits: false,
+                noNewTiersWithReserves: false,
+                noNewTiersWithVotes: false,
+                noNewTiersWithOwnerMinting: false
+            })
+        );
+
+        uint16[] memory tierIdsToMint = new uint16[](1);
+        tierIdsToMint[0] = 1;
+        bytes[] memory data = new bytes[](1);
+        data[0] = abi.encode(true, tierIdsToMint);
+        bytes4[] memory ids = new bytes4[](1);
+        ids[0] = metadataHelper.getId("pay", crossHook.METADATA_ID_TARGET());
+        bytes memory payerMetadata = metadataHelper.createMetadata(ids, data);
+
+        (uint256 weight, JBPayHookSpecification[] memory hookSpecifications) = crossHook.beforePayRecordedWith(
+            JBBeforePayRecordedContext({
+                terminal: mockTerminalAddress,
+                payer: beneficiary,
+                amount: JBTokenAmount({
+                    token: JBConstants.NATIVE_TOKEN,
+                    value: 1 ether,
+                    decimals: 18,
+                    currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+                }),
+                projectId: projectId,
+                rulesetId: 0,
+                beneficiary: beneficiary,
+                weight: 10e18,
+                reservedPercent: 0,
+                metadata: payerMetadata
+            })
+        );
+
+        // When PRICES is address(0) and currencies differ, convertSplitAmounts returns 0
+        // to avoid forwarding an unconverted amount in the wrong currency denomination.
+        // This means weight is NOT reduced (full weight) and no funds are forwarded.
+        assertEq(weight, 10e18, "weight unchanged when split conversion fails due to missing prices");
+        assertEq(hookSpecifications.length, 1, "one pay hook spec");
+        assertEq(hookSpecifications[0].amount, 0, "split amount is zero when prices unavailable for conversion");
+
+        mockAndExpect(
+            address(mockJBDirectory),
+            abi.encodeWithSelector(IJBDirectory.isTerminalOf.selector, projectId, mockTerminalAddress),
+            abi.encode(true)
+        );
+
+        JBAfterPayRecordedContext memory payContext = JBAfterPayRecordedContext({
+            payer: beneficiary,
+            projectId: projectId,
+            rulesetId: 0,
+            amount: JBTokenAmount({
+                token: JBConstants.NATIVE_TOKEN,
+                value: 1 ether,
+                decimals: 18,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+            }),
+            forwardedAmount: JBTokenAmount({
+                token: JBConstants.NATIVE_TOKEN,
+                value: hookSpecifications[0].amount,
+                decimals: 18,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+            }),
+            weight: weight,
+            newlyIssuedTokenCount: 0,
+            beneficiary: beneficiary,
+            hookMetadata: hookSpecifications[0].metadata,
+            payerMetadata: payerMetadata
+        });
+
+        vm.deal(mockTerminalAddress, 1 ether);
+        vm.prank(mockTerminalAddress);
+        crossHook.afterPayRecordedWith{value: hookSpecifications[0].amount}(payContext);
+
+        assertEq(crossHook.balanceOf(beneficiary), 0, "no NFTs minted (currency mismatch, no prices)");
+        assertEq(crossHook.payCreditsOf(beneficiary), 0, "no credits accrued (currency mismatch, no prices)");
+        assertEq(address(crossHook).balance, 0, "no funds forwarded to hook when split conversion returns zero");
+    }
+}

package/test/audit/USDTVoidReturnCompat.t.sol

@@ -0,0 +1,301 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// Import the forge-std test framework.
+import {Test} from "forge-std/Test.sol";
+// Import IERC20 for the encodeCall used in the low-level call pattern.
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+/// @notice Mimics USDT's void-returning transfer/transferFrom/approve behavior.
+/// @dev Identical to nana-core-v6/test/mock/MockUSDT.sol, inlined here to avoid cross-repo imports.
+contract MockUSDT {
+    // Token metadata matching USDT's 6-decimal convention.
+    string public name = "Mock Tether USD";
+    // Short ticker symbol for the mock token.
+    string public symbol = "USDT";
+    // USDT uses 6 decimals, not 18 like most ERC-20 tokens.
+    uint8 public decimals = 6;
+    // Running total of all minted tokens.
+    uint256 public totalSupply;
+
+    // Maps each address to its token balance.
+    mapping(address => uint256) public balanceOf;
+    // Maps owner => spender => allowance for delegated transfers.
+    mapping(address => mapping(address => uint256)) public allowance;
+
+    /// @notice Mints tokens to a recipient (test helper, not part of USDT interface).
+    /// @param to The address to receive newly minted tokens.
+    /// @param amount The number of tokens to mint.
+    function mint(address to, uint256 amount) external {
+        // Credit the recipient's balance with the minted amount.
+        balanceOf[to] += amount;
+        // Increase the total supply to reflect the new tokens.
+        totalSupply += amount;
+    }
+
+    /// @notice Sets the spender's allowance. Returns VOID like real USDT.
+    /// @param spender The address authorized to spend tokens.
+    /// @param amount The maximum amount the spender can transfer.
+    function approve(address spender, uint256 amount) external {
+        // Record the new allowance for the caller-spender pair.
+        allowance[msg.sender][spender] = amount;
+        // Use assembly to return without any data (void), matching USDT behavior.
+        assembly {
+            return(0, 0)
+        }
+    }
+
+    /// @notice Transfers tokens from caller to recipient. Returns VOID like real USDT.
+    /// @param to The address to receive the tokens.
+    /// @param amount The number of tokens to transfer.
+    function transfer(address to, uint256 amount) external {
+        // Ensure the sender has enough tokens to cover the transfer.
+        require(balanceOf[msg.sender] >= amount, "MockUSDT: insufficient balance");
+        // Debit the sender's balance by the transfer amount.
+        balanceOf[msg.sender] -= amount;
+        // Credit the recipient's balance with the transferred tokens.
+        balanceOf[to] += amount;
+        // Use assembly to return without any data (void), matching USDT behavior.
+        assembly {
+            return(0, 0)
+        }
+    }
+
+    /// @notice Transfers tokens on behalf of an owner. Returns VOID like real USDT.
+    /// @param from The address whose tokens are being spent.
+    /// @param to The address to receive the tokens.
+    /// @param amount The number of tokens to transfer.
+    function transferFrom(address from, address to, uint256 amount) external {
+        // Ensure the owner has enough tokens for the transfer.
+        require(balanceOf[from] >= amount, "MockUSDT: insufficient balance");
+        // Ensure the caller is authorized to spend at least this amount.
+        require(allowance[from][msg.sender] >= amount, "MockUSDT: insufficient allowance");
+        // Reduce the caller's remaining allowance by the transferred amount.
+        allowance[from][msg.sender] -= amount;
+        // Debit the owner's balance by the transfer amount.
+        balanceOf[from] -= amount;
+        // Credit the recipient's balance with the transferred tokens.
+        balanceOf[to] += amount;
+        // Use assembly to return without any data (void), matching USDT behavior.
+        assembly {
+            return(0, 0)
+        }
+    }
+}
+
+/// @notice Tests that JB721TiersHookLib's low-level call pattern (lines 605-611) handles
+/// void-returning tokens like USDT correctly.
+/// @dev The fix replaced `try IERC20.transfer()` with a low-level call that checks:
+///   1. The call succeeded (callSuccess == true)
+///   2. Either no data was returned (void) OR the returned data decodes to true
+/// This test exercises that exact pattern against a void-returning mock.
+contract USDTVoidReturnCompat is Test {
+    // The USDT mock token instance.
+    MockUSDT public usdt;
+    // Address that simulates the hook contract holding tokens for distribution.
+    address public hookCaller;
+    // Address that receives split payout funds.
+    address public splitBeneficiary;
+
+    function setUp() public {
+        // Deploy the void-returning USDT mock.
+        usdt = new MockUSDT();
+        // Label the USDT contract for clearer trace output.
+        vm.label(address(usdt), "MockUSDT");
+        // Create a caller address that simulates the hook distributing tokens.
+        hookCaller = makeAddr("hookCaller");
+        // Create a beneficiary address that receives split payouts.
+        splitBeneficiary = makeAddr("splitBeneficiary");
+    }
+
+    // =========================================================================
+    //  Test 1: The exact low-level call pattern from JB721TiersHookLib works
+    //          with void-returning tokens
+    // =========================================================================
+
+    /// @notice Proves the fixed transfer pattern handles USDT's void return.
+    /// @dev This replicates the exact code from JB721TiersHookLib lines 609-611:
+    ///   (bool callSuccess, bytes memory returndata) =
+    ///       address(token).call(abi.encodeCall(IERC20.transfer, (split.beneficiary, amount)));
+    ///   if (!callSuccess || (returndata.length != 0 && !abi.decode(returndata, (bool)))) return false;
+    function test_lowLevelTransfer_voidReturn_succeeds() public {
+        // The amount to transfer in the split payout.
+        uint256 amount = 500e6;
+        // Mint USDT to the hook caller (simulating tokens held by the 721 hook).
+        usdt.mint(hookCaller, amount);
+
+        // Execute the exact low-level call pattern from JB721TiersHookLib.
+        vm.prank(hookCaller);
+        // Encode the transfer call exactly as the library does.
+        (bool callSuccess, bytes memory returndata) =
+            address(usdt).call(abi.encodeCall(IERC20.transfer, (splitBeneficiary, amount)));
+
+        // Verify the low-level call did not revert.
+        assertTrue(callSuccess, "Low-level transfer call should succeed");
+
+        // Verify void return: USDT returns no data, so returndata.length should be 0.
+        assertEq(returndata.length, 0, "Void-returning token should return empty data");
+
+        // Verify the combined condition from line 611 evaluates correctly.
+        // For void returns: callSuccess=true, returndata.length=0, so the condition is false (no revert).
+        bool wouldRevert = !callSuccess || (returndata.length != 0 && !abi.decode(returndata, (bool)));
+        // The pattern should NOT flag this as a failure.
+        assertFalse(wouldRevert, "The fixed pattern should accept void returns as success");
+
+        // Verify the beneficiary actually received the tokens.
+        assertEq(usdt.balanceOf(splitBeneficiary), amount, "Beneficiary should receive the full transfer amount");
+        // Verify the caller's balance was debited.
+        assertEq(usdt.balanceOf(hookCaller), 0, "Caller should have zero balance after transfer");
+    }
+
+    // =========================================================================
+    //  Test 2: The pattern also works with standard bool-returning tokens
+    // =========================================================================
+
+    /// @notice Ensures the low-level call pattern still works with compliant ERC-20 tokens.
+    /// @dev A standard token returns abi.encode(true) — the pattern must accept this too.
+    function test_lowLevelTransfer_boolReturn_succeeds() public {
+        // Deploy a standard ERC-20 that returns bool (using forge's mock).
+        StandardMockERC20 standardToken = new StandardMockERC20();
+        // Label it for tracing.
+        vm.label(address(standardToken), "StandardERC20");
+        // The amount to transfer.
+        uint256 amount = 500e6;
+        // Mint tokens to the hook caller.
+        standardToken.mint(hookCaller, amount);
+
+        // Execute the exact low-level call pattern from JB721TiersHookLib.
+        vm.prank(hookCaller);
+        // Encode the transfer call.
+        (bool callSuccess, bytes memory returndata) =
+            address(standardToken).call(abi.encodeCall(IERC20.transfer, (splitBeneficiary, amount)));
+
+        // Verify the low-level call succeeded.
+        assertTrue(callSuccess, "Low-level transfer call should succeed for standard token");
+
+        // Standard tokens return 32 bytes encoding `true`.
+        assertEq(returndata.length, 32, "Standard token should return 32 bytes of data");
+
+        // Verify the combined condition correctly accepts a true return.
+        bool wouldRevert = !callSuccess || (returndata.length != 0 && !abi.decode(returndata, (bool)));
+        // Should NOT flag as failure since the decoded bool is true.
+        assertFalse(wouldRevert, "The pattern should accept bool(true) returns as success");
+
+        // Verify the beneficiary received the tokens.
+        assertEq(standardToken.balanceOf(splitBeneficiary), amount, "Beneficiary should receive tokens");
+    }
+
+    // =========================================================================
+    //  Test 3: The pattern correctly rejects a return-false token
+    // =========================================================================
+
+    /// @notice Ensures the pattern detects when a token returns false.
+    /// @dev A token that returns abi.encode(false) without reverting should be caught.
+    function test_lowLevelTransfer_returnsFalse_detected() public {
+        // Deploy a token that returns false on transfer.
+        ReturnFalseToken falseToken = new ReturnFalseToken();
+        // Label it for tracing.
+        vm.label(address(falseToken), "ReturnFalseToken");
+        // The amount doesn't matter since the token always returns false.
+        uint256 amount = 500e6;
+        // Mint tokens to the caller.
+        falseToken.mint(hookCaller, amount);
+
+        // Execute the exact low-level call pattern from JB721TiersHookLib.
+        vm.prank(hookCaller);
+        (bool callSuccess, bytes memory returndata) =
+            address(falseToken).call(abi.encodeCall(IERC20.transfer, (splitBeneficiary, amount)));
+
+        // The call itself succeeds (no revert), but the return value is false.
+        assertTrue(callSuccess, "Low-level call should not revert");
+
+        // Verify the combined condition catches the false return.
+        bool wouldRevert = !callSuccess || (returndata.length != 0 && !abi.decode(returndata, (bool)));
+        // The pattern SHOULD flag this as a failure.
+        assertTrue(wouldRevert, "The pattern should detect false return and flag failure");
+    }
+
+    // =========================================================================
+    //  Test 4: The pattern correctly handles a reverting token
+    // =========================================================================
+
+    /// @notice Ensures the pattern handles a reverting transfer gracefully.
+    /// @dev If the transfer reverts, callSuccess is false, and the pattern returns false.
+    function test_lowLevelTransfer_revert_detected() public {
+        // Use MockUSDT but don't give the caller any tokens — transfer will revert.
+        uint256 amount = 500e6;
+
+        // Execute the low-level call with insufficient balance.
+        vm.prank(hookCaller);
+        (bool callSuccess,) = address(usdt).call(abi.encodeCall(IERC20.transfer, (splitBeneficiary, amount)));
+
+        // The call should fail because the caller has zero balance.
+        assertFalse(callSuccess, "Transfer should fail with insufficient balance");
+    }
+}
+
+/// @notice A standard ERC-20 mock that returns true on transfer (compliant behavior).
+contract StandardMockERC20 {
+    // Token name for identification.
+    string public name = "Standard Mock";
+    // Token symbol.
+    string public symbol = "STD";
+    // Uses 6 decimals to match USDT comparison.
+    uint8 public decimals = 6;
+    // Running total supply.
+    uint256 public totalSupply;
+
+    // Balance mapping.
+    mapping(address => uint256) public balanceOf;
+    // Allowance mapping.
+    mapping(address => mapping(address => uint256)) public allowance;
+
+    /// @notice Mints tokens to a recipient (test helper).
+    function mint(address to, uint256 amount) external {
+        // Credit the recipient.
+        balanceOf[to] += amount;
+        // Increase total supply.
+        totalSupply += amount;
+    }
+
+    /// @notice Standard transfer that returns true.
+    function transfer(address to, uint256 amount) external returns (bool) {
+        // Check the sender has enough balance.
+        require(balanceOf[msg.sender] >= amount, "insufficient balance");
+        // Debit the sender.
+        balanceOf[msg.sender] -= amount;
+        // Credit the recipient.
+        balanceOf[to] += amount;
+        // Return true per ERC-20 spec.
+        return true;
+    }
+}
+
+/// @notice A mock ERC-20 that returns false on transfer without reverting.
+contract ReturnFalseToken {
+    // Token name for identification.
+    string public name = "Return False";
+    // Token symbol.
+    string public symbol = "RF";
+    // Uses 6 decimals.
+    uint8 public decimals = 6;
+    // Running total supply.
+    uint256 public totalSupply;
+
+    // Balance mapping.
+    mapping(address => uint256) public balanceOf;
+
+    /// @notice Mints tokens to a recipient (test helper).
+    function mint(address to, uint256 amount) external {
+        // Credit the recipient.
+        balanceOf[to] += amount;
+        // Increase total supply.
+        totalSupply += amount;
+    }
+
+    /// @notice Always returns false without reverting (malicious/broken token behavior).
+    function transfer(address, uint256) external pure returns (bool) {
+        // Return false to simulate a failed transfer that doesn't revert.
+        return false;
+    }
+}

package/test/fork/ERC20CashOutFork.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/fork/ERC20TierSplitFork.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/fork/IssueTokensForSplitsFork.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/invariants/TierLifecycleInvariant.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity 0.8.28;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/StdInvariant.sol";