npm - @bananapus/distributor-v6 - Versions diffs - 0.0.5 → 0.0.7 - Mend

@bananapus/distributor-v6 0.0.5 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/package.json +1 -1
package/src/JB721Distributor.sol +42 -11
package/src/JBDistributor.sol +17 -0
package/src/JBTokenDistributor.sol +15 -4
package/test/JB721Distributor.t.sol +5 -0
package/test/audit/CodexNemesisAccountingPoC.t.sol +22 -25
package/test/audit/CodexNemesisFreshSplitTokenMismatch.t.sol +133 -0
package/test/audit/CodexNemesisFreshVerification.t.sol +218 -0
package/test/audit/CodexNemesisPoC.t.sol +191 -0
package/test/audit/H26VotingPowerCap.t.sol +5 -0
package/test/audit/Pass12Fixes.t.sol +344 -0
package/test/audit/PostSnapshotMintTheft.t.sol +413 -0
package/test/audit/TokenMismatchFix.t.sol +295 -0
package/test/fork/TokenDistributorFork.t.sol +1 -1
package/test/invariant/JB721DistributorInvariant.t.sol +5 -0

package/test/audit/CodexNemesisFreshVerification.t.sol ADDED Viewed

@@ -0,0 +1,218 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+contract CodexNemesisToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+    function decimals() public pure override returns (uint8) {
+        return 6;
+    }
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+contract CodexNemesisDirectory {
+    address public terminal;
+    IERC165 public controller;
+    function setTerminal(address terminal_) external {
+        terminal = terminal_;
+    }
+    function setController(IERC165 controller_) external {
+        controller = controller_;
+    }
+    function isTerminalOf(uint256, IJBTerminal terminal_) external view returns (bool) {
+        return address(terminal_) == terminal;
+    }
+    function controllerOf(uint256) external view returns (IERC165) {
+        return controller;
+    }
+}
+contract CodexNemesisVotes {
+    mapping(address account => uint256 votes) public votesOf;
+    uint256 public totalSupply;
+    function setVotes(address account, uint256 votes) external {
+        votesOf[account] = votes;
+    }
+    function setTotalSupply(uint256 totalSupply_) external {
+        totalSupply = totalSupply_;
+    }
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        return votesOf[account];
+    }
+    function getPastTotalSupply(uint256) external view returns (uint256) {
+        return totalSupply;
+    }
+}
+contract CodexNemesis721Store {
+    uint104 public votingUnits = 100;
+    function tierOfTokenId(address, uint256, bool) external view returns (JB721Tier memory tier) {
+        tier.votingUnits = votingUnits;
+        tier.initialSupply = 100;
+    }
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
+}
+contract CodexNemesis721Checkpoints {
+    mapping(address account => uint256 votes) public votesOf;
+    uint256 public totalSupply;
+    function setVotes(address account, uint256 votes) external {
+        votesOf[account] = votes;
+    }
+    function setTotalSupply(uint256 totalSupply_) external {
+        totalSupply = totalSupply_;
+    }
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        return votesOf[account];
+    }
+    function getPastTotalSupply(uint256) external view returns (uint256) {
+        return totalSupply;
+    }
+}
+contract CodexNemesis721Hook {
+    CodexNemesis721Store public immutable STORE;
+    CodexNemesis721Checkpoints public immutable CHECKPOINTS;
+    mapping(uint256 tokenId => address owner) public ownerOf;
+    constructor(CodexNemesis721Store store, CodexNemesis721Checkpoints checkpoints) {
+        STORE = store;
+        CHECKPOINTS = checkpoints;
+    }
+    function mint(address owner, uint256 tokenId) external {
+        ownerOf[tokenId] = owner;
+    }
+    function burn(uint256 tokenId) external {
+        delete ownerOf[tokenId];
+    }
+}
+contract CodexNemesisFreshVerificationTest is Test {
+    uint256 internal constant PROJECT_ID = 1;
+    uint256 internal constant ROUND_DURATION = 1 days;
+    uint256 internal constant VESTING_ROUNDS = 1;
+    /// @notice Previously this test proved the attack worked. Now it proves the fix: sending ETH
+    /// with context.token set to an ERC-20 address reverts with TokenMismatch.
+    function test_nativeValueCanCreateUnbackedErc20CreditAndDrainOtherHookInventory() public {
+        address attacker = makeAddr("attacker");
+        address victimHook = makeAddr("victimHook");
+        uint256 rewardAmount = 100_000_000; // 100 units of a 6-decimal token.
+        CodexNemesisDirectory directory = new CodexNemesisDirectory();
+        directory.setTerminal(address(this));
+        JBTokenDistributor distributor =
+            new JBTokenDistributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisToken reward = new CodexNemesisToken();
+        CodexNemesisVotes stake = new CodexNemesisVotes();
+        stake.setVotes(attacker, 1 ether);
+        stake.setTotalSupply(1 ether);
+        reward.mint(address(this), rewardAmount);
+        reward.approve(address(distributor), rewardAmount);
+        distributor.fund(victimHook, IERC20(address(reward)), rewardAmount);
+        JBSplit memory split = JBSplit({
+            percent: 0,
+            projectId: 0,
+            beneficiary: payable(address(stake)),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(0))
+        });
+        JBSplitHookContext memory context = JBSplitHookContext({
+            token: address(reward),
+            amount: rewardAmount,
+            decimals: 6,
+            projectId: PROJECT_ID,
+            groupId: uint256(uint160(address(reward))),
+            split: split
+        });
+        // FIX VERIFIED: The attack now reverts because context.token != NATIVE_TOKEN when msg.value != 0.
+        vm.deal(address(this), rewardAmount);
+        vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: rewardAmount}(context);
+        // Victim's balance remains intact — attack blocked.
+        assertEq(distributor.balanceOf(victimHook, IERC20(address(reward))), rewardAmount);
+        assertEq(reward.balanceOf(address(distributor)), rewardAmount);
+    }
+    function test_721LateMintedTokenCanClaimRoundSnapshotRewardsFromOwnersPastVotes() public {
+        address alice = makeAddr("alice");
+        CodexNemesisDirectory directory = new CodexNemesisDirectory();
+        JB721Distributor distributor =
+            new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisToken reward = new CodexNemesisToken();
+        CodexNemesis721Store store = new CodexNemesis721Store();
+        CodexNemesis721Checkpoints checkpoints = new CodexNemesis721Checkpoints();
+        CodexNemesis721Hook hook = new CodexNemesis721Hook(store, checkpoints);
+        reward.mint(address(this), 100 ether);
+        reward.approve(address(distributor), 100 ether);
+        distributor.fund(address(hook), IERC20(address(reward)), 100 ether);
+        hook.mint(alice, 1);
+        checkpoints.setVotes(alice, 100);
+        checkpoints.setTotalSupply(100);
+        distributor.poke();
+        hook.burn(1);
+        hook.mint(alice, 2);
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = 2;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(reward));
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+        assertEq(distributor.claimedFor(address(hook), 2, IERC20(address(reward))), 100 ether);
+        vm.warp(block.timestamp + ROUND_DURATION);
+        vm.prank(alice);
+        distributor.collectVestedRewards(address(hook), tokenIds, tokens, alice);
+        assertEq(reward.balanceOf(alice), 100 ether);
+    }
+}

package/test/audit/CodexNemesisPoC.t.sol ADDED Viewed

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721TierFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierFlags.sol";
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBDistributor} from "../../src/JBDistributor.sol";
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+import {H26MockDirectory, H26MockHook, H26MockRewardToken, H26MockStore} from "./H26VotingPowerCap.t.sol";
+contract CodexNemesisDirectory {
+    mapping(uint256 projectId => mapping(address terminal => bool)) public terminals;
+    mapping(uint256 projectId => address controller) public controllers;
+    function setTerminal(uint256 projectId, address terminal, bool isTerminal) external {
+        terminals[projectId][terminal] = isTerminal;
+    }
+    function setController(uint256 projectId, address controller) external {
+        controllers[projectId] = controller;
+    }
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminals[projectId][address(terminal)];
+    }
+    function controllerOf(uint256 projectId) external view returns (IERC165) {
+        return IERC165(controllers[projectId]);
+    }
+}
+contract CodexNemesisRewardToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+contract CodexNemesisVotesToken is ERC20, ERC20Votes {
+    constructor() ERC20("StakeToken", "STK") EIP712("StakeToken", "1") {}
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+    function _update(address from, address to, uint256 value) internal override(ERC20, ERC20Votes) {
+        super._update(from, to, value);
+    }
+}
+contract CodexNemesisPoCTest is Test {
+    uint256 constant ROUND_DURATION = 100;
+    uint256 constant VESTING_ROUNDS = 1;
+    function test_721OwnerVotingCapResetsAcrossBeginVestingCalls() public {
+        H26MockStore store = new H26MockStore();
+        H26MockHook hook = new H26MockHook(store);
+        H26MockDirectory directory = new H26MockDirectory();
+        JB721Distributor distributor =
+            new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        H26MockRewardToken rewardToken = new H26MockRewardToken();
+        address alice = makeAddr("alice");
+        store.setMaxTierIdOf(1);
+        store.setTier(
+            1,
+            JB721Tier({
+                id: 1,
+                price: 1 ether,
+                remainingSupply: 7,
+                initialSupply: 10,
+                votingUnits: 50,
+                reserveFrequency: 0,
+                reserveBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                category: 0,
+                discountPercent: 0,
+                flags: JB721TierFlags({
+                    allowOwnerMint: false,
+                    transfersPausable: false,
+                    cantBeRemoved: false,
+                    cantIncreaseDiscountPercent: false,
+                    cantBuyWithCredits: false
+                }),
+                splitPercent: 0,
+                resolvedUri: ""
+            })
+        );
+        store.setTokenTier(1, 1);
+        store.setTokenTier(2, 1);
+        store.setTokenTier(3, 1);
+        hook.setOwner(1, alice);
+        hook.setOwner(2, alice);
+        hook.setOwner(3, alice);
+        hook._checkpoints().setVotesOverride(alice, 100);
+        rewardToken.mint(address(this), 1500 ether);
+        rewardToken.approve(address(distributor), 1500 ether);
+        distributor.fund(address(hook), IERC20(address(rewardToken)), 1500 ether);
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+        uint256[] memory oneTokenId = new uint256[](1);
+        oneTokenId[0] = 1;
+        distributor.beginVesting(address(hook), oneTokenId, tokens);
+        oneTokenId[0] = 2;
+        distributor.beginVesting(address(hook), oneTokenId, tokens);
+        oneTokenId[0] = 3;
+        distributor.beginVesting(address(hook), oneTokenId, tokens);
+        uint256 claimed1 = distributor.claimedFor(address(hook), 1, IERC20(address(rewardToken)));
+        uint256 claimed2 = distributor.claimedFor(address(hook), 2, IERC20(address(rewardToken)));
+        uint256 claimed3 = distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+        // H-24 FIX: With persistent consumed-votes tracking, the total claimed is now correctly
+        // capped at the owner's voting power (100 votes / 150 total stake * 1500 = 1000 ether).
+        assertEq(claimed1 + claimed2 + claimed3, 1000 ether);
+        assertLe(claimed1 + claimed2 + claimed3, 1000 ether);
+    }
+    function test_processSplitWithControllerPathCanCreditUnfundedBalanceAndDrainOtherHook() public {
+        CodexNemesisDirectory directory = new CodexNemesisDirectory();
+        JBTokenDistributor distributor =
+            new JBTokenDistributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisRewardToken rewardToken = new CodexNemesisRewardToken();
+        CodexNemesisVotesToken attackerVotes = new CodexNemesisVotesToken();
+        address attacker = makeAddr("attacker");
+        address maliciousController = makeAddr("maliciousController");
+        address victimHook = makeAddr("victimHook");
+        uint256 projectId = 1;
+        directory.setController(projectId, maliciousController);
+        rewardToken.mint(address(this), 1000 ether);
+        rewardToken.approve(address(distributor), 1000 ether);
+        distributor.fund(victimHook, IERC20(address(rewardToken)), 1000 ether);
+        attackerVotes.mint(attacker, 1000 ether);
+        vm.prank(attacker);
+        attackerVotes.delegate(attacker);
+        vm.roll(block.number + 1);
+        JBSplit memory split = JBSplit({
+            percent: 1_000_000_000,
+            projectId: 0,
+            beneficiary: payable(address(attackerVotes)),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(distributor))
+        });
+        JBSplitHookContext memory context = JBSplitHookContext({
+            token: address(rewardToken),
+            amount: 1000 ether,
+            decimals: 18,
+            projectId: projectId,
+            groupId: uint256(uint160(address(rewardToken))),
+            split: split
+        });
+        // C-6 FIX: The malicious controller did not actually transfer tokens, so the
+        // balance-delta check should revert with UnfundedSplitCredit.
+        vm.prank(maliciousController);
+        vm.expectRevert(JBDistributor.JBDistributor_UnfundedSplitCredit.selector);
+        distributor.processSplitWith(context);
+        // The victim hook's balance should remain intact.
+        assertEq(distributor.balanceOf(victimHook, IERC20(address(rewardToken))), 1000 ether);
+        // No balance should be credited to the attacker's hook.
+        assertEq(distributor.balanceOf(address(attackerVotes), IERC20(address(rewardToken))), 0);
+    }
+}

package/test/audit/H26VotingPowerCap.t.sol CHANGED Viewed

@@ -88,6 +88,11 @@ contract H26MockStore {
     function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
         return burned[tierId];
     }
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
 }
 /// @notice Mock checkpoints with explicit per-address vote overrides for H-26 testing.