@bananapus/distributor-v6 0.0.5 → 0.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/distributor-v6",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JB721Distributor.sol

@@ -6,6 +6,7 @@ import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721Tiers
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
 import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
@@ -32,6 +33,9 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
+    /// @notice Thrown when native ETH is sent but context.token is not NATIVE_TOKEN.
+    error JB721Distributor_TokenMismatch();
+
     /// @notice Thrown when the caller is not a terminal or controller for the project.
     error JB721Distributor_Unauthorized();
 
@@ -55,6 +59,19 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
     /// @notice The JB directory used to verify terminal/controller callers.
     IJBDirectory public immutable DIRECTORY;
 
+    //*********************************************************************//
+    // -------------------- internal stored properties ------------------- //
+    //*********************************************************************//
+
+    /// @notice Tracks voting power consumed per hook/token/round/owner to prevent cap resets across calls.
+    /// @custom:param hook The hook address.
+    /// @custom:param token The reward token.
+    /// @custom:param releaseRound The vesting release round.
+    /// @custom:param owner The NFT owner.
+    mapping(
+        address hook => mapping(IERC20 token => mapping(uint256 releaseRound => mapping(address owner => uint256)))
+    ) internal _consumedVotesOf;
+
     //*********************************************************************//
     // -------------------------- constructor ---------------------------- //
     //*********************************************************************//
@@ -108,16 +125,23 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
                 // Use balance delta to handle fee-on-transfer tokens correctly.
                 uint256 balanceBefore = IERC20(context.token).balanceOf(address(this));
                 IERC20(context.token).safeTransferFrom(msg.sender, address(this), context.amount);
-                _balanceOf[hook][IERC20(context.token)] += IERC20(context.token).balanceOf(address(this))
-                - balanceBefore;
+                uint256 delta = IERC20(context.token).balanceOf(address(this)) - balanceBefore;
+                _balanceOf[hook][IERC20(context.token)] += delta;
+                _accountedBalanceOf[IERC20(context.token)] += delta;
             } else {
-                // Controller-prepaid path: the controller sends tokens directly before calling processSplitWith.
-                // Credit the declared amount since the tokens are already held by this contract.
+                // Controller-prepaid path: verify actual unaccounted balance covers the declared amount.
+                uint256 actual = IERC20(context.token).balanceOf(address(this));
+                uint256 unaccounted = actual - _accountedBalanceOf[IERC20(context.token)];
+                if (unaccounted < context.amount) revert JBDistributor_UnfundedSplitCredit();
+                _accountedBalanceOf[IERC20(context.token)] += context.amount;
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
+            // Validate that context.token matches NATIVE_TOKEN to prevent cross-booking attacks.
+            if (context.token != JBConstants.NATIVE_TOKEN) revert JB721Distributor_TokenMismatch();
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
+            _accountedBalanceOf[IERC20(context.token)] += msg.value;
         }
     }
 
@@ -194,6 +218,14 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
                 ++j;
             }
         }
+
+        // Persist consumed voting power to storage to prevent cap resets across calls.
+        for (uint256 k; k < uniqueCount;) {
+            _consumedVotesOf[hook][token][vestingReleaseRound][owners[k]] = consumed[k];
+            unchecked {
+                ++k;
+            }
+        }
     }
 
     //*********************************************************************//
@@ -233,16 +265,14 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
         uint256 votingUnits =
             IJB721TiersHook(hook)
         .STORE()
-        .tierOfTokenId({hook: hook, tokenId: tokenId, includeResolvedUri: false})
-        .votingUnits;
+        .tierOfTokenId({hook: hook, tokenId: tokenId, includeResolvedUri: false}).votingUnits;
 
         // Use the checkpoints module to verify the token's owner had voting power at the round's snapshot block.
         // If they had no voting power at that time, this token was minted or acquired after the round started
         // and is not eligible for this round's rewards.
-        IJB721Checkpoints checkpoints = IJB721TiersHook(hook).CHECKPOINTS();
         address owner = IERC721(hook).ownerOf(tokenId);
-        uint256 pastVotes =
-            IVotes(address(checkpoints)).getPastVotes({account: owner, timepoint: roundSnapshotBlock[currentRound()]});
+        uint256 pastVotes = IVotes(address(IJB721TiersHook(hook).CHECKPOINTS()))
+            .getPastVotes({account: owner, timepoint: roundSnapshotBlock[currentRound()]});
 
         // If the owner had no voting power at round start, the token is ineligible.
         // slither-disable-next-line incorrect-equality
@@ -318,8 +348,7 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
         uint256 votingUnits =
             IJB721TiersHook(ctx.hook)
         .STORE()
-        .tierOfTokenId({hook: ctx.hook, tokenId: tokenId, includeResolvedUri: false})
-        .votingUnits;
+        .tierOfTokenId({hook: ctx.hook, tokenId: tokenId, includeResolvedUri: false}).votingUnits;
 
         // Look up the owner, verify snapshot eligibility, and find or create the owner's tracking slot.
         uint256 ownerIndex;
@@ -354,6 +383,8 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
             if (!found) {
                 ownerIndex = newUniqueCount;
                 owners[newUniqueCount] = owner;
+                // Initialize from persistent storage to prevent cap resets across calls.
+                consumed[newUniqueCount] = _consumedVotesOf[ctx.hook][ctx.token][ctx.vestingReleaseRound][owner];
                 unchecked {
                     ++newUniqueCount;
                 }

package/src/JBDistributor.sol

@@ -27,9 +27,18 @@ abstract contract JBDistributor is IJBDistributor {
     /// @notice Thrown when the caller does not have access to the token.
     error JBDistributor_NoAccess();
 
+    /// @notice Thrown when the round duration is zero.
+    error JBDistributor_InvalidRoundDuration();
+
     /// @notice Thrown when there is nothing to distribute for a token in the current round.
     error JBDistributor_NothingToDistribute();
 
+    /// @notice Thrown when a controller-prepaid split credit is not backed by actual token balance.
+    error JBDistributor_UnfundedSplitCredit();
+
+    /// @notice Thrown when unexpected native ETH is sent with an ERC-20 operation.
+    error JBDistributor_UnexpectedNativeValue();
+
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
     //*********************************************************************//
@@ -80,6 +89,10 @@ abstract contract JBDistributor is IJBDistributor {
     // -------------------- internal stored properties ------------------- //
     //*********************************************************************//
 
+    /// @notice The total accounted balance of each token across all hooks.
+    /// @custom:param token The token to check the accounted balance of.
+    mapping(IERC20 token => uint256) internal _accountedBalanceOf;
+
     /// @notice The balance of a token held for a specific hook's stakers.
     /// @custom:param hook The hook whose balance to check.
     /// @custom:param token The token to check the balance of.
@@ -99,6 +112,7 @@ abstract contract JBDistributor is IJBDistributor {
     /// @param roundDuration_ The duration of each round, specified in seconds.
     /// @param vestingRounds_ The number of rounds until tokens are fully vested.
     constructor(uint256 roundDuration_, uint256 vestingRounds_) {
+        if (roundDuration_ == 0) revert JBDistributor_InvalidRoundDuration();
         startingTimestamp = block.timestamp;
         roundDuration = roundDuration_;
         vestingRounds = vestingRounds_;
@@ -162,12 +176,14 @@ abstract contract JBDistributor is IJBDistributor {
         if (address(token) == JBConstants.NATIVE_TOKEN) {
             amount = msg.value;
         } else {
+            if (msg.value != 0) revert JBDistributor_UnexpectedNativeValue();
             // Use balance delta to handle fee-on-transfer tokens correctly.
             uint256 balanceBefore = token.balanceOf(address(this));
             token.safeTransferFrom(msg.sender, address(this), amount);
             amount = token.balanceOf(address(this)) - balanceBefore;
         }
         _balanceOf[hook][token] += amount;
+        _accountedBalanceOf[token] += amount;
     }
 
     /// @notice Record the snapshot block for the current round. Callable by anyone (keepers, frontends).
@@ -465,6 +481,7 @@ abstract contract JBDistributor is IJBDistributor {
                 if (ownerClaim) {
                     // Decrement the hook's balance and transfer tokens out.
                     _balanceOf[hook][token] -= totalTokenAmount;
+                    _accountedBalanceOf[token] -= totalTokenAmount;
 
                     if (address(token) == JBConstants.NATIVE_TOKEN) {
                         // slither-disable-next-line arbitrary-send-eth,reentrancy-eth

package/src/JBTokenDistributor.sol

@@ -4,6 +4,7 @@ pragma solidity 0.8.28;
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
 import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
 import {IVotes} from "@openzeppelin/contracts/governance/utils/IVotes.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
@@ -30,6 +31,9 @@ contract JBTokenDistributor is JBDistributor, IJBTokenDistributor {
     /// @notice Thrown when a tokenId has non-zero upper bits (above 160), which would alias to the same staker address.
     error JBTokenDistributor_InvalidTokenId();
 
+    /// @notice Thrown when native ETH is sent but context.token is not NATIVE_TOKEN.
+    error JBTokenDistributor_TokenMismatch();
+
     /// @notice Thrown when the caller is not a terminal or controller for the project.
     error JBTokenDistributor_Unauthorized();
 
@@ -90,16 +94,23 @@ contract JBTokenDistributor is JBDistributor, IJBTokenDistributor {
                 // Use balance delta to handle fee-on-transfer tokens correctly.
                 uint256 balanceBefore = IERC20(context.token).balanceOf(address(this));
                 IERC20(context.token).safeTransferFrom(msg.sender, address(this), context.amount);
-                _balanceOf[hook][IERC20(context.token)] += IERC20(context.token).balanceOf(address(this))
-                - balanceBefore;
+                uint256 delta = IERC20(context.token).balanceOf(address(this)) - balanceBefore;
+                _balanceOf[hook][IERC20(context.token)] += delta;
+                _accountedBalanceOf[IERC20(context.token)] += delta;
             } else {
-                // Controller-prepaid path: the controller sends tokens directly before calling processSplitWith.
-                // Credit the declared amount since the tokens are already held by this contract.
+                // Controller-prepaid path: verify actual unaccounted balance covers the declared amount.
+                uint256 actual = IERC20(context.token).balanceOf(address(this));
+                uint256 unaccounted = actual - _accountedBalanceOf[IERC20(context.token)];
+                if (unaccounted < context.amount) revert JBDistributor_UnfundedSplitCredit();
+                _accountedBalanceOf[IERC20(context.token)] += context.amount;
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
+            // Validate that context.token matches NATIVE_TOKEN to prevent cross-booking attacks.
+            if (context.token != JBConstants.NATIVE_TOKEN) revert JBTokenDistributor_TokenMismatch();
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
+            _accountedBalanceOf[IERC20(context.token)] += msg.value;
         }
     }
 

package/test/JB721Distributor.t.sol

@@ -153,6 +153,7 @@ contract MockStore {
     mapping(uint256 tierId => JB721Tier) public tiers;
     mapping(uint256 tierId => uint256) public burned;
     mapping(uint256 tokenId => uint256 tierId) public tokenTiers;
+    mapping(address hook => mapping(uint256 tokenId => uint256)) public mintBlockOf;
 
     function setMaxTierIdOf(uint256 maxTierId) external {
         maxTier = maxTierId;
@@ -185,6 +186,10 @@ contract MockStore {
     function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
         return burned[tierId];
     }
+
+    function setMintBlock(address hook, uint256 tokenId, uint256 blockNum) external {
+        mintBlockOf[hook][tokenId] = blockNum;
+    }
 }
 
 contract JB721DistributorTest is Test {

package/test/audit/CodexNemesisAccountingPoC.t.sol

@@ -18,6 +18,7 @@ import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookCont
 import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
 import {JB721TierFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierFlags.sol";
 
+import {JBDistributor} from "../../src/JBDistributor.sol";
 import {JB721Distributor} from "../../src/JB721Distributor.sol";
 import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
 
@@ -82,6 +83,11 @@ contract CodexNemesisStore {
     function tierOfTokenId(address, uint256 tokenId, bool) external view returns (JB721Tier memory) {
         return tiers[tokenTiers[tokenId]];
     }
+
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
 }
 
 contract CodexNemesisCheckpoints {
@@ -180,31 +186,19 @@ contract CodexNemesisAccountingPoCTest is Test {
             split: split
         });
 
+        // C-6 FIX: The malicious controller did not actually transfer tokens, so the
+        // balance-delta check reverts with UnfundedSplitCredit.
         vm.prank(maliciousController);
+        vm.expectRevert(JBDistributor.JBDistributor_UnfundedSplitCredit.selector);
         distributor.processSplitWith(fakeContext);
 
-        assertEq(rewardToken.balanceOf(address(distributor)), 1000 ether, "no additional reward tokens arrived");
+        // The real balance should remain intact — the attack was blocked.
+        assertEq(rewardToken.balanceOf(address(distributor)), 1000 ether, "balance unchanged after blocked attack");
         assertEq(
             distributor.balanceOf(address(votesToken), IERC20(address(rewardToken))),
-            100_000 ether,
-            "tracked balance was inflated by context.amount"
+            1000 ether,
+            "tracked balance was not inflated"
         );
-
-        uint256[] memory tokenIds = new uint256[](1);
-        tokenIds[0] = uint256(uint160(attacker));
-        IERC20[] memory tokens = new IERC20[](1);
-        tokens[0] = IERC20(address(rewardToken));
-
-        distributor.beginVesting(address(votesToken), tokenIds, tokens);
-        assertEq(distributor.claimedFor(address(votesToken), tokenIds[0], tokens[0]), 1000 ether);
-
-        vm.warp(distributor.roundStartTimestamp(VESTING_ROUNDS) + 1);
-        vm.roll(block.number + 1);
-        vm.prank(attacker);
-        distributor.collectVestedRewards(address(votesToken), tokenIds, tokens, attacker);
-
-        assertEq(rewardToken.balanceOf(attacker), 1000 ether, "attacker drained the real inventory");
-        assertEq(rewardToken.balanceOf(address(distributor)), 0, "honest claimants are left unfunded");
     }
 
     function test_721LateMintCanUseOwnersPastVotesAndDrainRound() public {
@@ -325,23 +319,26 @@ contract CodexNemesisAccountingPoCTest is Test {
         secondLateMint[0] = 3;
         distributor.beginVesting(address(hook), secondLateMint, tokens);
 
+        // H-24 FIX: With persistent consumed-votes tracking, the second beginVesting sees
+        // that all 100 votes are already consumed, so token 3 gets 0 reward.
         assertEq(distributor.claimedFor(address(hook), 2, tokens[0]), 1000 ether);
-        assertEq(distributor.claimedFor(address(hook), 3, tokens[0]), 1000 ether);
+        assertEq(distributor.claimedFor(address(hook), 3, tokens[0]), 0, "votes already consumed, no double-claim");
         assertEq(
             distributor.totalVestingAmountOf(address(hook), tokens[0]),
-            2000 ether,
-            "same 100 snapshot votes were consumed twice in separate calls"
+            1000 ether,
+            "total vesting capped at funded balance"
         );
-        assertGt(
+        assertLe(
             distributor.totalVestingAmountOf(address(hook), tokens[0]),
             distributor.balanceOf(address(hook), tokens[0]),
-            "vesting obligations exceed funded balance"
+            "vesting obligations do not exceed funded balance"
         );
 
+        // Collection should succeed without underflow.
         vm.warp(distributor.roundStartTimestamp(VESTING_ROUNDS) + 1);
         vm.roll(block.number + 1);
         vm.prank(attacker);
-        vm.expectRevert(stdError.arithmeticError);
         distributor.collectVestedRewards(address(hook), firstLateMint, tokens, attacker);
+        assertEq(rewardToken.balanceOf(attacker), 1000 ether, "attacker gets only their fair share");
     }
 }

package/test/audit/CodexNemesisFreshSplitTokenMismatch.t.sol

@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+
+contract NemesisRewardToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+contract NemesisStakeToken is ERC20, ERC20Votes {
+    constructor() ERC20("Stake", "STK") EIP712("Stake", "1") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+
+    function _update(address from, address to, uint256 value) internal override(ERC20, ERC20Votes) {
+        super._update(from, to, value);
+    }
+}
+
+contract NemesisDirectory is IJBDirectory {
+    mapping(uint256 projectId => IJBTerminal terminal) public terminalOf;
+    mapping(uint256 projectId => IERC165 controller) public override controllerOf;
+
+    function setTerminal(uint256 projectId, IJBTerminal terminal) external {
+        terminalOf[projectId] = terminal;
+    }
+
+    function PROJECTS() external pure returns (IJBProjects) {
+        return IJBProjects(address(0));
+    }
+
+    function isAllowedToSetFirstController(address) external pure returns (bool) {
+        return false;
+    }
+
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminalOf[projectId] == terminal;
+    }
+
+    function primaryTerminalOf(uint256, address) external pure returns (IJBTerminal) {
+        return IJBTerminal(address(0));
+    }
+
+    function terminalsOf(uint256 projectId) external view returns (IJBTerminal[] memory terminals) {
+        terminals = new IJBTerminal[](1);
+        terminals[0] = terminalOf[projectId];
+    }
+
+    function setControllerOf(uint256, IERC165) external {}
+    function setIsAllowedToSetFirstController(address, bool) external {}
+    function setPrimaryTerminalOf(uint256, address, IJBTerminal) external {}
+    function setTerminalsOf(uint256, IJBTerminal[] calldata) external {}
+}
+
+    contract CodexNemesisFreshSplitTokenMismatchTest is Test {
+        JBTokenDistributor distributor;
+        NemesisDirectory directory;
+        NemesisRewardToken reward;
+        NemesisStakeToken stake;
+
+        address attacker = address(0xA11CE);
+        address attackerTerminal = address(0xBEEF);
+        address victimHook = address(0xCAFE);
+
+        function setUp() public {
+            directory = new NemesisDirectory();
+            distributor = new JBTokenDistributor(IJBDirectory(address(directory)), 1 days, 1);
+            reward = new NemesisRewardToken();
+            stake = new NemesisStakeToken();
+
+            directory.setTerminal(1, IJBTerminal(attackerTerminal));
+
+            reward.mint(address(this), 100 ether);
+            reward.approve(address(distributor), 100 ether);
+            distributor.fund(victimHook, reward, 100 ether);
+
+            stake.mint(attacker, 1 ether);
+            vm.prank(attacker);
+            stake.delegate(attacker);
+            vm.roll(block.number + 1);
+        }
+
+        /// @notice Previously this test proved the attack worked. Now it proves the fix: sending ETH
+        /// with context.token set to an ERC-20 address reverts with TokenMismatch.
+        function test_authorizedTerminalCanBackFakeErc20CreditWithEthAndDrainVictimInventory() public {
+            vm.deal(attackerTerminal, 50 ether);
+
+            JBSplit memory split = JBSplit({
+                percent: 0,
+                projectId: 0,
+                beneficiary: payable(address(stake)),
+                preferAddToBalance: false,
+                lockedUntil: 0,
+                hook: IJBSplitHook(address(distributor))
+            });
+            JBSplitHookContext memory context = JBSplitHookContext({
+                token: address(reward),
+                amount: 50 ether,
+                decimals: 18,
+                projectId: 1,
+                groupId: uint256(uint160(address(reward))),
+                split: split
+            });
+
+            // FIX VERIFIED: The attack now reverts because context.token != NATIVE_TOKEN when msg.value != 0.
+            vm.prank(attackerTerminal);
+            vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+            distributor.processSplitWith{value: 50 ether}(context);
+
+            // Victim's balance remains intact.
+            assertEq(distributor.balanceOf(victimHook, reward), 100 ether);
+        }
+    }