@bananapus/address-registry-v6 0.0.21 → 0.0.25

package/AUDIT_INSTRUCTIONS.md

@@ -8,7 +8,7 @@ Find issues that:
 
 - let callers register contracts under the wrong deployer
 - break determinism or uniqueness assumptions around registration
-- let a malicious deployer spoof provenance for contracts it did not create
+- let callers spoof provenance for contracts the claimed deployer did not create
 - create truncation-related collisions or stale mapping assumptions
 
 ## Scope
@@ -35,8 +35,8 @@ The registry maps deployed addresses to the deployer that created them. Downstre
 
 | Role | Powers | How constrained |
 |------|--------|-----------------|
-| Deployer | Register contracts as its outputs | Must prove authentic deployment provenance |
-| Registry reader | Trust provenance for privileged decisions | Must not observe spoofable or mutable history |
+| Registrant | Register contracts by supplying deterministic deployment inputs | Must supply inputs that reconstruct an already-deployed contract address |
+| Registry reader | Interpret provenance for downstream decisions | Must pair provenance with an external trust model |
 
 ## Integration Assumptions
 
@@ -47,7 +47,7 @@ The registry maps deployed addresses to the deployer that created them. Downstre
 ## Critical Invariants
 
 1. Provenance cannot be forged.  
-   Only the actual deployer path the registry intends to trust may create a successful registration for a contract.
+   Only inputs matching the actual deployer path may create a successful registration for a contract.
 2. One contract maps to one authoritative deployer record.  
    No aliasing or overwrite path should let a later caller replace provenance unexpectedly.
 3. Registration metadata is stable.  

package/STYLE_GUIDE.md

@@ -419,7 +419,7 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v4
         with:
-          node-version: 22.4.x
+          node-version: 25.9.0
       - name: Install npm dependencies
         run: npm install --omit=dev
       - name: Install Foundry
@@ -470,13 +470,13 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v4
         with:
-          node-version: latest
+          node-version: 25.9.0
       - name: Install npm dependencies
         run: npm install --omit=dev
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
       - name: Run slither
-        uses: crytic/slither-action@v0.3.1
+        uses: crytic/slither-action@v0.4.1
         with:
             slither-config: slither-ci.config.json
             fail-on: medium
@@ -515,7 +515,7 @@ jobs:
   },
   "dependencies": { ... },
   "devDependencies": {
-    "@sphinx-labs/plugins": "^0.33.2"
+    "@sphinx-labs/plugins": "0.33.3"
   }
 }
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/address-registry-v6",
-  "version": "0.0.21",
+  "version": "0.0.25",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -18,9 +18,9 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-address-registry-v6'"
   },
   "dependencies": {
-    "@openzeppelin/contracts": "^5.6.1"
+    "@sphinx-labs/contracts": "0.23.1"
   },
   "devDependencies": {
-    "@sphinx-labs/plugins": "^0.33.2"
+    "@sphinx-labs/plugins": "0.33.3"
   }
 }

package/script/Deploy.s.sol

@@ -4,7 +4,7 @@ pragma solidity 0.8.28;
 import {Sphinx} from "@sphinx-labs/contracts/contracts/foundry/SphinxPlugin.sol";
 import {Script} from "forge-std/Script.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../src/JBAddressRegistry.sol";
 
 contract Deploy is Script, Sphinx {
     bytes32 constant ADDRESS_REGISTRY_SALT = "_JBAddressRegistryV6_";

package/src/JBAddressRegistry.sol

@@ -3,14 +3,12 @@ pragma solidity 0.8.28;
 
 import {IJBAddressRegistry} from "./interfaces/IJBAddressRegistry.sol";
 
-/// @notice Frontend clients need a way to verify that a Juicebox contract has a deployer they trust.
-/// `JBAddressRegistry` allows any contract deployed with `create` or `create2` to publicly register its deployer's
-/// address. Whoever deploys
-/// a contract is responsible for registering it.
-/// @dev `JBAddressRegistry` is intended for registering the deployers of Juicebox pay/redeem hooks, but does not
-/// enforce adherence to an interface, and can be used for any `create`/`create2` deployer.
-/// @dev The addresses of the deployed contracts are computed deterministically based on the deployer's address, and a
-/// nonce (for `create`) or `create2` salt and deployment bytecode (for `create2`).
+/// @notice A public registry that records who deployed a given contract. Anyone can register a contract's deployer,
+/// and anyone can look it up — enabling frontend clients and other contracts to verify that a Juicebox hook or
+/// extension was deployed by a trusted source.
+/// @dev Supports both `create` (deployer + nonce) and `create2` (deployer + salt + bytecode) deployments. The
+/// registry computes the expected contract address deterministically and verifies that code exists there before
+/// recording the deployer. Each address can only be registered once.
 contract JBAddressRegistry is IJBAddressRegistry {
     //*********************************************************************//
     // --------------------------- custom errors ------------------------- //
@@ -34,19 +32,20 @@ contract JBAddressRegistry is IJBAddressRegistry {
     // --------------------- public stored properties -------------------- //
     //*********************************************************************//
 
-    /// @notice Returns the deployer of a given contract which has been registered.
+    /// @notice Look up who deployed a registered contract. Returns `address(0)` if the contract hasn't been
+    /// registered.
     /// @dev Whoever deploys a contract is responsible for registering it.
-    /// @custom:param addr The address of the contract to get the deployer of.
+    /// @custom:param addr The address of the contract to check.
     mapping(address addr => address deployer) public override deployerOf;
 
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
 
-    /// @notice Register a deployed contract's address.
-    /// @dev The contract must be deployed using `create`.
-    /// @param deployer The address of the contract's deployer.
-    /// @param nonce The nonce used to deploy the contract.
+    /// @notice Register a contract that was deployed with `create` (standard deployment). The registry computes the
+    /// expected address from the deployer and nonce, then verifies code exists there.
+    /// @param deployer The address that deployed the contract.
+    /// @param nonce The deployer's transaction nonce at the time of deployment.
     function registerAddress(address deployer, uint256 nonce) external override {
         // Calculate the address of the contract, assuming it was deployed using `create` with the specified nonce.
         address hook = _addressFrom({origin: deployer, nonce: nonce});
@@ -55,14 +54,14 @@ contract JBAddressRegistry is IJBAddressRegistry {
         _registerAddress({addr: hook, deployer: deployer});
     }
 
-    /// @notice Register a deployed contract's address.
-    /// @dev The contract must be deployed using `create2`.
+    /// @notice Register a contract that was deployed with `create2` (deterministic deployment). The registry computes
+    /// the expected address from the deployer, salt, and bytecode, then verifies code exists there.
     /// @dev The `create2` salt is determined by the deployer's logic. The deployment bytecode can be retrieved offchain
     /// (from the deployment transaction) or onchain (with `abi.encodePacked(type(deployedContract).creationCode,
     /// abi.encode(constructorArguments))`).
-    /// @param deployer The address of the contract's deployer.
-    /// @param salt The `create2` salt used to deploy the contract.
-    /// @param bytecode The contract's deployment bytecode, including the constructor arguments.
+    /// @param deployer The address that deployed the contract.
+    /// @param salt The `create2` salt used during deployment.
+    /// @param bytecode The full deployment bytecode, including constructor arguments.
     function registerAddress(address deployer, bytes32 salt, bytes calldata bytecode) external override {
         // Calculate the address of the contract using the provided `create2` salt and deployment bytecode.
         address hook =
@@ -72,6 +71,26 @@ contract JBAddressRegistry is IJBAddressRegistry {
         _registerAddress({addr: hook, deployer: deployer});
     }
 
+    //*********************************************************************//
+    // ------------------------ internal functions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice Register a contract's deployer in the `deployerOf` mapping.
+    /// @param addr The deployed contract's address.
+    /// @param deployer The deployer's address.
+    function _registerAddress(address addr, address deployer) internal {
+        // The registry only records non-zero deployers.
+        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer();
+        // The address must already contain runtime code before it can be registered.
+        if (addr.code.length == 0) revert JBAddressRegistry_AddressNotDeployed(addr);
+        // Each address can only be registered once.
+        if (deployerOf[addr] != address(0)) revert JBAddressRegistry_AlreadyRegistered(addr);
+
+        deployerOf[addr] = deployer;
+
+        emit AddressRegistered({addr: addr, deployer: deployer, caller: msg.sender});
+    }
+
     //*********************************************************************//
     // -------------------------- internal views ------------------------- //
     //*********************************************************************//
@@ -126,24 +145,4 @@ contract JBAddressRegistry is IJBAddressRegistry {
             addr := mload(0)
         }
     }
-
-    //*********************************************************************//
-    // ------------------------ internal functions ----------------------- //
-    //*********************************************************************//
-
-    /// @notice Register a contract's deployer in the `deployerOf` mapping.
-    /// @param addr The deployed contract's address.
-    /// @param deployer The deployer's address.
-    function _registerAddress(address addr, address deployer) internal {
-        // The registry only records non-zero deployers.
-        if (deployer == address(0)) revert JBAddressRegistry_ZeroDeployer();
-        // The address must already contain runtime code before it can be registered.
-        if (addr.code.length == 0) revert JBAddressRegistry_AddressNotDeployed(addr);
-        // Each address can only be registered once.
-        if (deployerOf[addr] != address(0)) revert JBAddressRegistry_AlreadyRegistered(addr);
-
-        deployerOf[addr] = deployer;
-
-        emit AddressRegistered({addr: addr, deployer: deployer, caller: msg.sender});
-    }
 }

package/src/interfaces/IJBAddressRegistry.sol

@@ -1,27 +1,28 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
-/// @notice A registry that maps deployed contract addresses to their deployers.
+/// @notice A registry that maps deployed contract addresses to their deployers, allowing anyone to verify who deployed
+/// a given contract. Primarily used to verify the trustworthiness of Juicebox hooks and extensions.
 interface IJBAddressRegistry {
-    /// @notice Emitted when a contract address is registered.
+    /// @notice Emitted when a contract's deployer is registered.
     /// @param addr The address of the registered contract.
-    /// @param deployer The address of the contract's deployer.
+    /// @param deployer The address that deployed the contract.
     /// @param caller The address that called the register function.
     event AddressRegistered(address indexed addr, address indexed deployer, address caller);
 
-    /// @notice Returns the deployer of a given contract which has been registered.
-    /// @param addr The address of the contract to get the deployer of.
-    /// @return deployer The deployer of the contract.
+    /// @notice Look up who deployed a registered contract.
+    /// @param addr The address of the contract to check.
+    /// @return deployer The address that deployed the contract, or `address(0)` if not registered.
     function deployerOf(address addr) external view returns (address deployer);
 
-    /// @notice Register a contract deployed with `create`.
-    /// @param deployer The address of the contract's deployer.
-    /// @param nonce The nonce used to deploy the contract.
+    /// @notice Register a contract that was deployed with `create` (standard deployment).
+    /// @param deployer The address that deployed the contract.
+    /// @param nonce The deployer's transaction nonce at the time of deployment.
     function registerAddress(address deployer, uint256 nonce) external;
 
-    /// @notice Register a contract deployed with `create2`.
-    /// @param deployer The address of the contract's deployer.
-    /// @param salt The `create2` salt used to deploy the contract.
-    /// @param bytecode The contract's deployment bytecode, including the constructor arguments.
+    /// @notice Register a contract that was deployed with `create2` (deterministic deployment).
+    /// @param deployer The address that deployed the contract.
+    /// @param salt The `create2` salt used during deployment.
+    /// @param bytecode The full deployment bytecode, including constructor arguments.
     function registerAddress(address deployer, bytes32 salt, bytes calldata bytecode) external;
 }

package/test/audit/CodexFrontRunRegistrationDoS.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract CodexFrontRunRegistrationDoSTest is Test {
     JBAddressRegistry internal registry;

package/test/audit/CodexUnauthorizedRegistrar.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract CodexUnauthorizedRegistrarTest is Test {
     JBAddressRegistry internal registry;

package/test/audit/ZeroDeployerRegistration.t.sol

@@ -3,7 +3,7 @@ pragma solidity 0.8.28;
 
 import {Test} from "forge-std/Test.sol";
 
-import {JBAddressRegistry} from "src/JBAddressRegistry.sol";
+import {JBAddressRegistry} from "../../src/JBAddressRegistry.sol";
 
 contract ZeroDeployerRegistrationTest is Test {
     JBAddressRegistry internal registry;