@bananapus/distributor-v6 0.0.4 → 0.0.6

package/.github/pull_request_template.md

@@ -13,7 +13,7 @@ What new trust boundary, failure mode, operational dependency, or integration ca
 - [ ] Updated `/v6/evm/RISKS.md` because ecosystem behavior changed
 - [ ] If no `RISKS.md` update was needed, I explained why in this PR
 
-Reference: [`/v6/evm/docs/RISKS_MAINTENANCE.md`](../docs/RISKS_MAINTENANCE.md)
+Reference: [`/v6/evm/RISKS_MAINTENANCE.md`](../../RISKS_MAINTENANCE.md)
 
 ## Checklist
 

package/.github/workflows/test.yml

@@ -22,5 +22,7 @@ jobs:
         uses: foundry-rs/foundry-toolchain@v1
       - name: Run tests
         run: forge test --fail-fast --summary --detailed --skip "*/script/**"
+        env:
+          RPC_ETHEREUM_MAINNET: ${{ secrets.RPC_ETHEREUM_MAINNET }}
       - name: Check contract sizes
         run: forge build --sizes --skip "*/test/**" --skip "*/script/**" --skip SphinxUtils

package/USER_JOURNEYS.md

@@ -55,6 +55,8 @@ This repo distributes already-owned assets over time. It snapshots stake, starts
 2. The distributor snapshots the relevant balance and stake source.
 3. Vesting entries become claimable over the configured schedule.
 
+**Snapshot timing:** The snapshot for each round is taken when the previous round first sees activity (`poke`, `beginVesting`, or `collectVestedRewards`). To be included in round N's distribution, make sure your tokens are held and delegated before anyone interacts with round N-1. In practice, keep your delegation current — if it is set before the previous round's activity begins, your voting power will be counted for the next round.
+
 **Failure Modes**
 - zero total stake
 - bad deployment parameters such as zero round duration or zero vesting rounds

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/distributor-v6",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -17,9 +17,9 @@
     "deploy:testnets": "source ./.env && npx sphinx propose ./script/Deploy.s.sol --networks testnets"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.36",
-    "@bananapus/core-v6": "^0.0.34",
-    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@bananapus/721-hook-v6": "^0.0.38",
+    "@bananapus/core-v6": "^0.0.36",
+    "@bananapus/permission-ids-v6": "^0.0.19",
     "@openzeppelin/contracts": "^5.6.1",
     "@prb/math": "^4.1.0"
   },

package/src/JB721Distributor.sol

@@ -55,6 +55,19 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
     /// @notice The JB directory used to verify terminal/controller callers.
     IJBDirectory public immutable DIRECTORY;
 
+    //*********************************************************************//
+    // -------------------- internal stored properties ------------------- //
+    //*********************************************************************//
+
+    /// @notice Tracks voting power consumed per hook/token/round/owner to prevent cap resets across calls.
+    /// @custom:param hook The hook address.
+    /// @custom:param token The reward token.
+    /// @custom:param releaseRound The vesting release round.
+    /// @custom:param owner The NFT owner.
+    mapping(
+        address hook => mapping(IERC20 token => mapping(uint256 releaseRound => mapping(address owner => uint256)))
+    ) internal _consumedVotesOf;
+
     //*********************************************************************//
     // -------------------------- constructor ---------------------------- //
     //*********************************************************************//
@@ -108,16 +121,21 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
                 // Use balance delta to handle fee-on-transfer tokens correctly.
                 uint256 balanceBefore = IERC20(context.token).balanceOf(address(this));
                 IERC20(context.token).safeTransferFrom(msg.sender, address(this), context.amount);
-                _balanceOf[hook][IERC20(context.token)] += IERC20(context.token).balanceOf(address(this))
-                - balanceBefore;
+                uint256 delta = IERC20(context.token).balanceOf(address(this)) - balanceBefore;
+                _balanceOf[hook][IERC20(context.token)] += delta;
+                _accountedBalanceOf[IERC20(context.token)] += delta;
             } else {
-                // Controller-prepaid path: the controller sends tokens directly before calling processSplitWith.
-                // Credit the declared amount since the tokens are already held by this contract.
+                // Controller-prepaid path: verify actual unaccounted balance covers the declared amount.
+                uint256 actual = IERC20(context.token).balanceOf(address(this));
+                uint256 unaccounted = actual - _accountedBalanceOf[IERC20(context.token)];
+                if (unaccounted < context.amount) revert JBDistributor_UnfundedSplitCredit();
+                _accountedBalanceOf[IERC20(context.token)] += context.amount;
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
+            _accountedBalanceOf[IERC20(context.token)] += msg.value;
         }
     }
 
@@ -194,6 +212,14 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
                 ++j;
             }
         }
+
+        // Persist consumed voting power to storage to prevent cap resets across calls.
+        for (uint256 k; k < uniqueCount;) {
+            _consumedVotesOf[hook][token][vestingReleaseRound][owners[k]] = consumed[k];
+            unchecked {
+                ++k;
+            }
+        }
     }
 
     //*********************************************************************//
@@ -354,6 +380,8 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
             if (!found) {
                 ownerIndex = newUniqueCount;
                 owners[newUniqueCount] = owner;
+                // Initialize from persistent storage to prevent cap resets across calls.
+                consumed[newUniqueCount] = _consumedVotesOf[ctx.hook][ctx.token][ctx.vestingReleaseRound][owner];
                 unchecked {
                     ++newUniqueCount;
                 }

package/src/JBDistributor.sol

@@ -27,9 +27,18 @@ abstract contract JBDistributor is IJBDistributor {
     /// @notice Thrown when the caller does not have access to the token.
     error JBDistributor_NoAccess();
 
+    /// @notice Thrown when the round duration is zero.
+    error JBDistributor_InvalidRoundDuration();
+
     /// @notice Thrown when there is nothing to distribute for a token in the current round.
     error JBDistributor_NothingToDistribute();
 
+    /// @notice Thrown when a controller-prepaid split credit is not backed by actual token balance.
+    error JBDistributor_UnfundedSplitCredit();
+
+    /// @notice Thrown when unexpected native ETH is sent with an ERC-20 operation.
+    error JBDistributor_UnexpectedNativeValue();
+
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
     //*********************************************************************//
@@ -80,6 +89,10 @@ abstract contract JBDistributor is IJBDistributor {
     // -------------------- internal stored properties ------------------- //
     //*********************************************************************//
 
+    /// @notice The total accounted balance of each token across all hooks.
+    /// @custom:param token The token to check the accounted balance of.
+    mapping(IERC20 token => uint256) internal _accountedBalanceOf;
+
     /// @notice The balance of a token held for a specific hook's stakers.
     /// @custom:param hook The hook whose balance to check.
     /// @custom:param token The token to check the balance of.
@@ -99,6 +112,7 @@ abstract contract JBDistributor is IJBDistributor {
     /// @param roundDuration_ The duration of each round, specified in seconds.
     /// @param vestingRounds_ The number of rounds until tokens are fully vested.
     constructor(uint256 roundDuration_, uint256 vestingRounds_) {
+        if (roundDuration_ == 0) revert JBDistributor_InvalidRoundDuration();
         startingTimestamp = block.timestamp;
         roundDuration = roundDuration_;
         vestingRounds = vestingRounds_;
@@ -162,12 +176,14 @@ abstract contract JBDistributor is IJBDistributor {
         if (address(token) == JBConstants.NATIVE_TOKEN) {
             amount = msg.value;
         } else {
+            if (msg.value != 0) revert JBDistributor_UnexpectedNativeValue();
             // Use balance delta to handle fee-on-transfer tokens correctly.
             uint256 balanceBefore = token.balanceOf(address(this));
             token.safeTransferFrom(msg.sender, address(this), amount);
             amount = token.balanceOf(address(this)) - balanceBefore;
         }
         _balanceOf[hook][token] += amount;
+        _accountedBalanceOf[token] += amount;
     }
 
     /// @notice Record the snapshot block for the current round. Callable by anyone (keepers, frontends).
@@ -465,6 +481,7 @@ abstract contract JBDistributor is IJBDistributor {
                 if (ownerClaim) {
                     // Decrement the hook's balance and transfer tokens out.
                     _balanceOf[hook][token] -= totalTokenAmount;
+                    _accountedBalanceOf[token] -= totalTokenAmount;
 
                     if (address(token) == JBConstants.NATIVE_TOKEN) {
                         // slither-disable-next-line arbitrary-send-eth,reentrancy-eth

package/src/JBTokenDistributor.sol

@@ -90,16 +90,21 @@ contract JBTokenDistributor is JBDistributor, IJBTokenDistributor {
                 // Use balance delta to handle fee-on-transfer tokens correctly.
                 uint256 balanceBefore = IERC20(context.token).balanceOf(address(this));
                 IERC20(context.token).safeTransferFrom(msg.sender, address(this), context.amount);
-                _balanceOf[hook][IERC20(context.token)] += IERC20(context.token).balanceOf(address(this))
-                - balanceBefore;
+                uint256 delta = IERC20(context.token).balanceOf(address(this)) - balanceBefore;
+                _balanceOf[hook][IERC20(context.token)] += delta;
+                _accountedBalanceOf[IERC20(context.token)] += delta;
             } else {
-                // Controller-prepaid path: the controller sends tokens directly before calling processSplitWith.
-                // Credit the declared amount since the tokens are already held by this contract.
+                // Controller-prepaid path: verify actual unaccounted balance covers the declared amount.
+                uint256 actual = IERC20(context.token).balanceOf(address(this));
+                uint256 unaccounted = actual - _accountedBalanceOf[IERC20(context.token)];
+                if (unaccounted < context.amount) revert JBDistributor_UnfundedSplitCredit();
+                _accountedBalanceOf[IERC20(context.token)] += context.amount;
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
+            _accountedBalanceOf[IERC20(context.token)] += msg.value;
         }
     }
 

package/test/audit/CodexNemesisAccountingPoC.t.sol

@@ -0,0 +1,339 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import {stdError} from "forge-std/StdError.sol";
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721TierFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierFlags.sol";
+
+import {JBDistributor} from "../../src/JBDistributor.sol";
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+
+contract CodexNemesisDirectory {
+    mapping(uint256 projectId => mapping(address terminal => bool)) public terminals;
+    mapping(uint256 projectId => address controller) public controllers;
+
+    function setTerminal(uint256 projectId, address terminal, bool isTerminal) external {
+        terminals[projectId][terminal] = isTerminal;
+    }
+
+    function setController(uint256 projectId, address controller) external {
+        controllers[projectId] = controller;
+    }
+
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminals[projectId][address(terminal)];
+    }
+
+    function controllerOf(uint256 projectId) external view returns (IERC165) {
+        return IERC165(controllers[projectId]);
+    }
+}
+
+contract CodexNemesisRewardToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+contract CodexNemesisVotesToken is ERC20, ERC20Votes {
+    constructor() ERC20("Votes", "VOTE") EIP712("Votes", "1") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+
+    function _update(address from, address to, uint256 value) internal override(ERC20, ERC20Votes) {
+        super._update(from, to, value);
+    }
+}
+
+contract CodexNemesisStore {
+    uint256 public maxTier;
+    mapping(uint256 tierId => JB721Tier) public tiers;
+    mapping(uint256 tokenId => uint256 tierId) public tokenTiers;
+
+    function setMaxTierIdOf(uint256 maxTierId) external {
+        maxTier = maxTierId;
+    }
+
+    function setTier(uint256 tierId, JB721Tier memory tier) external {
+        tiers[tierId] = tier;
+    }
+
+    function setTokenTier(uint256 tokenId, uint256 tierId) external {
+        tokenTiers[tokenId] = tierId;
+    }
+
+    function tierOfTokenId(address, uint256 tokenId, bool) external view returns (JB721Tier memory) {
+        return tiers[tokenTiers[tokenId]];
+    }
+}
+
+contract CodexNemesisCheckpoints {
+    uint256 public totalSupplyAtSnapshot;
+    mapping(address account => uint256 votes) public votesAtSnapshot;
+
+    function setTotalSupply(uint256 totalSupply) external {
+        totalSupplyAtSnapshot = totalSupply;
+    }
+
+    function setVotes(address account, uint256 votes) external {
+        votesAtSnapshot[account] = votes;
+    }
+
+    function getPastTotalSupply(uint256) external view returns (uint256) {
+        return totalSupplyAtSnapshot;
+    }
+
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        return votesAtSnapshot[account];
+    }
+}
+
+contract CodexNemesisHook {
+    CodexNemesisStore public immutable STORE;
+    CodexNemesisCheckpoints public immutable CHECKPOINTS;
+
+    mapping(uint256 tokenId => address owner) public owners;
+
+    constructor(CodexNemesisStore store, CodexNemesisCheckpoints checkpoints) {
+        STORE = store;
+        CHECKPOINTS = checkpoints;
+    }
+
+    function ownerOf(uint256 tokenId) external view returns (address) {
+        address owner = owners[tokenId];
+        require(owner != address(0), "NO_OWNER");
+        return owner;
+    }
+
+    function setOwner(uint256 tokenId, address owner) external {
+        owners[tokenId] = owner;
+    }
+}
+
+contract CodexNemesisAccountingPoCTest is Test {
+    uint256 internal constant PROJECT_ID = 1;
+    uint256 internal constant ROUND_DURATION = 100;
+    uint256 internal constant VESTING_ROUNDS = 4;
+
+    address internal attacker = makeAddr("attacker");
+    address internal honest = makeAddr("honest");
+    address internal maliciousController = makeAddr("maliciousController");
+
+    CodexNemesisDirectory internal directory;
+    CodexNemesisRewardToken internal rewardToken;
+
+    function setUp() public {
+        directory = new CodexNemesisDirectory();
+        rewardToken = new CodexNemesisRewardToken();
+        directory.setController(PROJECT_ID, maliciousController);
+    }
+
+    function test_controllerCanCreditUndeliveredTokensAndDrainRealInventory() public {
+        JBTokenDistributor distributor =
+            new JBTokenDistributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisVotesToken votesToken = new CodexNemesisVotesToken();
+
+        votesToken.mint(attacker, 10 ether);
+        votesToken.mint(honest, 990 ether);
+
+        vm.prank(attacker);
+        votesToken.delegate(attacker);
+        vm.prank(honest);
+        votesToken.delegate(honest);
+        vm.roll(block.number + 1);
+
+        rewardToken.mint(address(this), 1000 ether);
+        rewardToken.approve(address(distributor), 1000 ether);
+        distributor.fund(address(votesToken), IERC20(address(rewardToken)), 1000 ether);
+
+        JBSplit memory split = JBSplit({
+            percent: 1_000_000_000,
+            projectId: 0,
+            beneficiary: payable(address(votesToken)),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(distributor))
+        });
+        JBSplitHookContext memory fakeContext = JBSplitHookContext({
+            token: address(rewardToken),
+            amount: 99_000 ether,
+            decimals: 18,
+            projectId: PROJECT_ID,
+            groupId: 0,
+            split: split
+        });
+
+        // C-6 FIX: The malicious controller did not actually transfer tokens, so the
+        // balance-delta check reverts with UnfundedSplitCredit.
+        vm.prank(maliciousController);
+        vm.expectRevert(JBDistributor.JBDistributor_UnfundedSplitCredit.selector);
+        distributor.processSplitWith(fakeContext);
+
+        // The real balance should remain intact — the attack was blocked.
+        assertEq(rewardToken.balanceOf(address(distributor)), 1000 ether, "balance unchanged after blocked attack");
+        assertEq(
+            distributor.balanceOf(address(votesToken), IERC20(address(rewardToken))),
+            1000 ether,
+            "tracked balance was not inflated"
+        );
+    }
+
+    function test_721LateMintCanUseOwnersPastVotesAndDrainRound() public {
+        JB721Distributor distributor =
+            new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisStore store = new CodexNemesisStore();
+        CodexNemesisCheckpoints checkpoints = new CodexNemesisCheckpoints();
+        CodexNemesisHook hook = new CodexNemesisHook(store, checkpoints);
+
+        JB721TierFlags memory flags;
+        store.setMaxTierIdOf(1);
+        store.setTier({
+            tierId: 1,
+            tier: JB721Tier({
+                id: 1,
+                price: 1 ether,
+                remainingSupply: 97,
+                initialSupply: 100,
+                votingUnits: 100,
+                reserveFrequency: 0,
+                reserveBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                category: 0,
+                discountPercent: 0,
+                flags: flags,
+                splitPercent: 0,
+                resolvedUri: ""
+            })
+        });
+
+        store.setTokenTier(1, 1);
+        store.setTokenTier(2, 1);
+        store.setTokenTier(3, 1);
+        hook.setOwner(1, attacker);
+        hook.setOwner(2, attacker);
+        hook.setOwner(3, attacker);
+
+        checkpoints.setTotalSupply(100);
+        checkpoints.setVotes(attacker, 100);
+
+        rewardToken.mint(address(this), 1000 ether);
+        rewardToken.approve(address(distributor), 1000 ether);
+        distributor.fund(address(hook), IERC20(address(rewardToken)), 1000 ether);
+
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        uint256[] memory firstLateMint = new uint256[](1);
+        firstLateMint[0] = 2;
+        distributor.beginVesting(address(hook), firstLateMint, tokens);
+
+        assertEq(distributor.claimedFor(address(hook), 2, tokens[0]), 1000 ether);
+        assertEq(
+            distributor.totalVestingAmountOf(address(hook), tokens[0]),
+            distributor.balanceOf(address(hook), tokens[0]),
+            "one post-snapshot token consumed the whole snapshot"
+        );
+
+        vm.warp(distributor.roundStartTimestamp(VESTING_ROUNDS) + 1);
+        vm.roll(block.number + 1);
+        vm.prank(attacker);
+        distributor.collectVestedRewards(address(hook), firstLateMint, tokens, attacker);
+
+        assertEq(rewardToken.balanceOf(attacker), 1000 ether, "one late-minted token drained the funded balance");
+        assertEq(rewardToken.balanceOf(address(distributor)), 0, "honest snapshot stake is left unfunded");
+    }
+
+    function test_721SnapshotVotesCanBeReusedAcrossSeparateLateMintClaims() public {
+        JB721Distributor distributor =
+            new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisStore store = new CodexNemesisStore();
+        CodexNemesisCheckpoints checkpoints = new CodexNemesisCheckpoints();
+        CodexNemesisHook hook = new CodexNemesisHook(store, checkpoints);
+
+        JB721TierFlags memory flags;
+        store.setMaxTierIdOf(1);
+        store.setTier({
+            tierId: 1,
+            tier: JB721Tier({
+                id: 1,
+                price: 1 ether,
+                remainingSupply: 97,
+                initialSupply: 100,
+                votingUnits: 100,
+                reserveFrequency: 0,
+                reserveBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                category: 0,
+                discountPercent: 0,
+                flags: flags,
+                splitPercent: 0,
+                resolvedUri: ""
+            })
+        });
+
+        store.setTokenTier(1, 1);
+        store.setTokenTier(2, 1);
+        store.setTokenTier(3, 1);
+        hook.setOwner(1, attacker);
+        hook.setOwner(2, attacker);
+        hook.setOwner(3, attacker);
+
+        checkpoints.setTotalSupply(100);
+        checkpoints.setVotes(attacker, 100);
+
+        rewardToken.mint(address(this), 1000 ether);
+        rewardToken.approve(address(distributor), 1000 ether);
+        distributor.fund(address(hook), IERC20(address(rewardToken)), 1000 ether);
+
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        uint256[] memory firstLateMint = new uint256[](1);
+        firstLateMint[0] = 2;
+        distributor.beginVesting(address(hook), firstLateMint, tokens);
+
+        uint256[] memory secondLateMint = new uint256[](1);
+        secondLateMint[0] = 3;
+        distributor.beginVesting(address(hook), secondLateMint, tokens);
+
+        // H-24 FIX: With persistent consumed-votes tracking, the second beginVesting sees
+        // that all 100 votes are already consumed, so token 3 gets 0 reward.
+        assertEq(distributor.claimedFor(address(hook), 2, tokens[0]), 1000 ether);
+        assertEq(distributor.claimedFor(address(hook), 3, tokens[0]), 0, "votes already consumed, no double-claim");
+        assertEq(
+            distributor.totalVestingAmountOf(address(hook), tokens[0]),
+            1000 ether,
+            "total vesting capped at funded balance"
+        );
+        assertLe(
+            distributor.totalVestingAmountOf(address(hook), tokens[0]),
+            distributor.balanceOf(address(hook), tokens[0]),
+            "vesting obligations do not exceed funded balance"
+        );
+
+        // Collection should succeed without underflow.
+        vm.warp(distributor.roundStartTimestamp(VESTING_ROUNDS) + 1);
+        vm.roll(block.number + 1);
+        vm.prank(attacker);
+        distributor.collectVestedRewards(address(hook), firstLateMint, tokens, attacker);
+        assertEq(rewardToken.balanceOf(attacker), 1000 ether, "attacker gets only their fair share");
+    }
+}