@bananapus/distributor-v6 0.0.6 → 0.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/distributor-v6",
-  "version": "0.0.6",
+  "version": "0.0.7",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JB721Distributor.sol

@@ -6,6 +6,7 @@ import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721Tiers
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
 import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
@@ -32,6 +33,9 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
+    /// @notice Thrown when native ETH is sent but context.token is not NATIVE_TOKEN.
+    error JB721Distributor_TokenMismatch();
+
     /// @notice Thrown when the caller is not a terminal or controller for the project.
     error JB721Distributor_Unauthorized();
 
@@ -133,6 +137,8 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
+            // Validate that context.token matches NATIVE_TOKEN to prevent cross-booking attacks.
+            if (context.token != JBConstants.NATIVE_TOKEN) revert JB721Distributor_TokenMismatch();
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
             _accountedBalanceOf[IERC20(context.token)] += msg.value;
@@ -259,16 +265,14 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
         uint256 votingUnits =
             IJB721TiersHook(hook)
         .STORE()
-        .tierOfTokenId({hook: hook, tokenId: tokenId, includeResolvedUri: false})
-        .votingUnits;
+        .tierOfTokenId({hook: hook, tokenId: tokenId, includeResolvedUri: false}).votingUnits;
 
         // Use the checkpoints module to verify the token's owner had voting power at the round's snapshot block.
         // If they had no voting power at that time, this token was minted or acquired after the round started
         // and is not eligible for this round's rewards.
-        IJB721Checkpoints checkpoints = IJB721TiersHook(hook).CHECKPOINTS();
         address owner = IERC721(hook).ownerOf(tokenId);
-        uint256 pastVotes =
-            IVotes(address(checkpoints)).getPastVotes({account: owner, timepoint: roundSnapshotBlock[currentRound()]});
+        uint256 pastVotes = IVotes(address(IJB721TiersHook(hook).CHECKPOINTS()))
+            .getPastVotes({account: owner, timepoint: roundSnapshotBlock[currentRound()]});
 
         // If the owner had no voting power at round start, the token is ineligible.
         // slither-disable-next-line incorrect-equality
@@ -344,8 +348,7 @@ contract JB721Distributor is JBDistributor, IJB721Distributor {
         uint256 votingUnits =
             IJB721TiersHook(ctx.hook)
         .STORE()
-        .tierOfTokenId({hook: ctx.hook, tokenId: tokenId, includeResolvedUri: false})
-        .votingUnits;
+        .tierOfTokenId({hook: ctx.hook, tokenId: tokenId, includeResolvedUri: false}).votingUnits;
 
         // Look up the owner, verify snapshot eligibility, and find or create the owner's tracking slot.
         uint256 ownerIndex;

package/src/JBTokenDistributor.sol

@@ -4,6 +4,7 @@ pragma solidity 0.8.28;
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
 import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
 import {IVotes} from "@openzeppelin/contracts/governance/utils/IVotes.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
@@ -30,6 +31,9 @@ contract JBTokenDistributor is JBDistributor, IJBTokenDistributor {
     /// @notice Thrown when a tokenId has non-zero upper bits (above 160), which would alias to the same staker address.
     error JBTokenDistributor_InvalidTokenId();
 
+    /// @notice Thrown when native ETH is sent but context.token is not NATIVE_TOKEN.
+    error JBTokenDistributor_TokenMismatch();
+
     /// @notice Thrown when the caller is not a terminal or controller for the project.
     error JBTokenDistributor_Unauthorized();
 
@@ -102,6 +106,8 @@ contract JBTokenDistributor is JBDistributor, IJBTokenDistributor {
                 _balanceOf[hook][IERC20(context.token)] += context.amount;
             }
         } else if (msg.value != 0) {
+            // Validate that context.token matches NATIVE_TOKEN to prevent cross-booking attacks.
+            if (context.token != JBConstants.NATIVE_TOKEN) revert JBTokenDistributor_TokenMismatch();
             // Native ETH: credit actual value received.
             _balanceOf[hook][IERC20(context.token)] += msg.value;
             _accountedBalanceOf[IERC20(context.token)] += msg.value;

package/test/JB721Distributor.t.sol

@@ -153,6 +153,7 @@ contract MockStore {
     mapping(uint256 tierId => JB721Tier) public tiers;
     mapping(uint256 tierId => uint256) public burned;
     mapping(uint256 tokenId => uint256 tierId) public tokenTiers;
+    mapping(address hook => mapping(uint256 tokenId => uint256)) public mintBlockOf;
 
     function setMaxTierIdOf(uint256 maxTierId) external {
         maxTier = maxTierId;
@@ -185,6 +186,10 @@ contract MockStore {
     function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
         return burned[tierId];
     }
+
+    function setMintBlock(address hook, uint256 tokenId, uint256 blockNum) external {
+        mintBlockOf[hook][tokenId] = blockNum;
+    }
 }
 
 contract JB721DistributorTest is Test {

package/test/audit/CodexNemesisAccountingPoC.t.sol

@@ -83,6 +83,11 @@ contract CodexNemesisStore {
     function tierOfTokenId(address, uint256 tokenId, bool) external view returns (JB721Tier memory) {
         return tiers[tokenTiers[tokenId]];
     }
+
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
 }
 
 contract CodexNemesisCheckpoints {

package/test/audit/CodexNemesisFreshSplitTokenMismatch.t.sol

@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+
+contract NemesisRewardToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+contract NemesisStakeToken is ERC20, ERC20Votes {
+    constructor() ERC20("Stake", "STK") EIP712("Stake", "1") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+
+    function _update(address from, address to, uint256 value) internal override(ERC20, ERC20Votes) {
+        super._update(from, to, value);
+    }
+}
+
+contract NemesisDirectory is IJBDirectory {
+    mapping(uint256 projectId => IJBTerminal terminal) public terminalOf;
+    mapping(uint256 projectId => IERC165 controller) public override controllerOf;
+
+    function setTerminal(uint256 projectId, IJBTerminal terminal) external {
+        terminalOf[projectId] = terminal;
+    }
+
+    function PROJECTS() external pure returns (IJBProjects) {
+        return IJBProjects(address(0));
+    }
+
+    function isAllowedToSetFirstController(address) external pure returns (bool) {
+        return false;
+    }
+
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminalOf[projectId] == terminal;
+    }
+
+    function primaryTerminalOf(uint256, address) external pure returns (IJBTerminal) {
+        return IJBTerminal(address(0));
+    }
+
+    function terminalsOf(uint256 projectId) external view returns (IJBTerminal[] memory terminals) {
+        terminals = new IJBTerminal[](1);
+        terminals[0] = terminalOf[projectId];
+    }
+
+    function setControllerOf(uint256, IERC165) external {}
+    function setIsAllowedToSetFirstController(address, bool) external {}
+    function setPrimaryTerminalOf(uint256, address, IJBTerminal) external {}
+    function setTerminalsOf(uint256, IJBTerminal[] calldata) external {}
+}
+
+    contract CodexNemesisFreshSplitTokenMismatchTest is Test {
+        JBTokenDistributor distributor;
+        NemesisDirectory directory;
+        NemesisRewardToken reward;
+        NemesisStakeToken stake;
+
+        address attacker = address(0xA11CE);
+        address attackerTerminal = address(0xBEEF);
+        address victimHook = address(0xCAFE);
+
+        function setUp() public {
+            directory = new NemesisDirectory();
+            distributor = new JBTokenDistributor(IJBDirectory(address(directory)), 1 days, 1);
+            reward = new NemesisRewardToken();
+            stake = new NemesisStakeToken();
+
+            directory.setTerminal(1, IJBTerminal(attackerTerminal));
+
+            reward.mint(address(this), 100 ether);
+            reward.approve(address(distributor), 100 ether);
+            distributor.fund(victimHook, reward, 100 ether);
+
+            stake.mint(attacker, 1 ether);
+            vm.prank(attacker);
+            stake.delegate(attacker);
+            vm.roll(block.number + 1);
+        }
+
+        /// @notice Previously this test proved the attack worked. Now it proves the fix: sending ETH
+        /// with context.token set to an ERC-20 address reverts with TokenMismatch.
+        function test_authorizedTerminalCanBackFakeErc20CreditWithEthAndDrainVictimInventory() public {
+            vm.deal(attackerTerminal, 50 ether);
+
+            JBSplit memory split = JBSplit({
+                percent: 0,
+                projectId: 0,
+                beneficiary: payable(address(stake)),
+                preferAddToBalance: false,
+                lockedUntil: 0,
+                hook: IJBSplitHook(address(distributor))
+            });
+            JBSplitHookContext memory context = JBSplitHookContext({
+                token: address(reward),
+                amount: 50 ether,
+                decimals: 18,
+                projectId: 1,
+                groupId: uint256(uint160(address(reward))),
+                split: split
+            });
+
+            // FIX VERIFIED: The attack now reverts because context.token != NATIVE_TOKEN when msg.value != 0.
+            vm.prank(attackerTerminal);
+            vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+            distributor.processSplitWith{value: 50 ether}(context);
+
+            // Victim's balance remains intact.
+            assertEq(distributor.balanceOf(victimHook, reward), 100 ether);
+        }
+    }

package/test/audit/CodexNemesisFreshVerification.t.sol

@@ -0,0 +1,218 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+
+contract CodexNemesisToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+
+    function decimals() public pure override returns (uint8) {
+        return 6;
+    }
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+contract CodexNemesisDirectory {
+    address public terminal;
+    IERC165 public controller;
+
+    function setTerminal(address terminal_) external {
+        terminal = terminal_;
+    }
+
+    function setController(IERC165 controller_) external {
+        controller = controller_;
+    }
+
+    function isTerminalOf(uint256, IJBTerminal terminal_) external view returns (bool) {
+        return address(terminal_) == terminal;
+    }
+
+    function controllerOf(uint256) external view returns (IERC165) {
+        return controller;
+    }
+}
+
+contract CodexNemesisVotes {
+    mapping(address account => uint256 votes) public votesOf;
+    uint256 public totalSupply;
+
+    function setVotes(address account, uint256 votes) external {
+        votesOf[account] = votes;
+    }
+
+    function setTotalSupply(uint256 totalSupply_) external {
+        totalSupply = totalSupply_;
+    }
+
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        return votesOf[account];
+    }
+
+    function getPastTotalSupply(uint256) external view returns (uint256) {
+        return totalSupply;
+    }
+}
+
+contract CodexNemesis721Store {
+    uint104 public votingUnits = 100;
+
+    function tierOfTokenId(address, uint256, bool) external view returns (JB721Tier memory tier) {
+        tier.votingUnits = votingUnits;
+        tier.initialSupply = 100;
+    }
+
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
+}
+
+contract CodexNemesis721Checkpoints {
+    mapping(address account => uint256 votes) public votesOf;
+    uint256 public totalSupply;
+
+    function setVotes(address account, uint256 votes) external {
+        votesOf[account] = votes;
+    }
+
+    function setTotalSupply(uint256 totalSupply_) external {
+        totalSupply = totalSupply_;
+    }
+
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        return votesOf[account];
+    }
+
+    function getPastTotalSupply(uint256) external view returns (uint256) {
+        return totalSupply;
+    }
+}
+
+contract CodexNemesis721Hook {
+    CodexNemesis721Store public immutable STORE;
+    CodexNemesis721Checkpoints public immutable CHECKPOINTS;
+    mapping(uint256 tokenId => address owner) public ownerOf;
+
+    constructor(CodexNemesis721Store store, CodexNemesis721Checkpoints checkpoints) {
+        STORE = store;
+        CHECKPOINTS = checkpoints;
+    }
+
+    function mint(address owner, uint256 tokenId) external {
+        ownerOf[tokenId] = owner;
+    }
+
+    function burn(uint256 tokenId) external {
+        delete ownerOf[tokenId];
+    }
+}
+
+contract CodexNemesisFreshVerificationTest is Test {
+    uint256 internal constant PROJECT_ID = 1;
+    uint256 internal constant ROUND_DURATION = 1 days;
+    uint256 internal constant VESTING_ROUNDS = 1;
+
+    /// @notice Previously this test proved the attack worked. Now it proves the fix: sending ETH
+    /// with context.token set to an ERC-20 address reverts with TokenMismatch.
+    function test_nativeValueCanCreateUnbackedErc20CreditAndDrainOtherHookInventory() public {
+        address attacker = makeAddr("attacker");
+        address victimHook = makeAddr("victimHook");
+        uint256 rewardAmount = 100_000_000; // 100 units of a 6-decimal token.
+
+        CodexNemesisDirectory directory = new CodexNemesisDirectory();
+        directory.setTerminal(address(this));
+
+        JBTokenDistributor distributor =
+            new JBTokenDistributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisToken reward = new CodexNemesisToken();
+        CodexNemesisVotes stake = new CodexNemesisVotes();
+        stake.setVotes(attacker, 1 ether);
+        stake.setTotalSupply(1 ether);
+
+        reward.mint(address(this), rewardAmount);
+        reward.approve(address(distributor), rewardAmount);
+        distributor.fund(victimHook, IERC20(address(reward)), rewardAmount);
+
+        JBSplit memory split = JBSplit({
+            percent: 0,
+            projectId: 0,
+            beneficiary: payable(address(stake)),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(0))
+        });
+        JBSplitHookContext memory context = JBSplitHookContext({
+            token: address(reward),
+            amount: rewardAmount,
+            decimals: 6,
+            projectId: PROJECT_ID,
+            groupId: uint256(uint160(address(reward))),
+            split: split
+        });
+
+        // FIX VERIFIED: The attack now reverts because context.token != NATIVE_TOKEN when msg.value != 0.
+        vm.deal(address(this), rewardAmount);
+        vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: rewardAmount}(context);
+
+        // Victim's balance remains intact — attack blocked.
+        assertEq(distributor.balanceOf(victimHook, IERC20(address(reward))), rewardAmount);
+        assertEq(reward.balanceOf(address(distributor)), rewardAmount);
+    }
+
+    function test_721LateMintedTokenCanClaimRoundSnapshotRewardsFromOwnersPastVotes() public {
+        address alice = makeAddr("alice");
+
+        CodexNemesisDirectory directory = new CodexNemesisDirectory();
+        JB721Distributor distributor =
+            new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+        CodexNemesisToken reward = new CodexNemesisToken();
+        CodexNemesis721Store store = new CodexNemesis721Store();
+        CodexNemesis721Checkpoints checkpoints = new CodexNemesis721Checkpoints();
+        CodexNemesis721Hook hook = new CodexNemesis721Hook(store, checkpoints);
+
+        reward.mint(address(this), 100 ether);
+        reward.approve(address(distributor), 100 ether);
+        distributor.fund(address(hook), IERC20(address(reward)), 100 ether);
+
+        hook.mint(alice, 1);
+        checkpoints.setVotes(alice, 100);
+        checkpoints.setTotalSupply(100);
+        distributor.poke();
+
+        hook.burn(1);
+        hook.mint(alice, 2);
+
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = 2;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(reward));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        assertEq(distributor.claimedFor(address(hook), 2, IERC20(address(reward))), 100 ether);
+
+        vm.warp(block.timestamp + ROUND_DURATION);
+        vm.prank(alice);
+        distributor.collectVestedRewards(address(hook), tokenIds, tokens, alice);
+
+        assertEq(reward.balanceOf(alice), 100 ether);
+    }
+}

package/test/audit/H26VotingPowerCap.t.sol

@@ -88,6 +88,11 @@ contract H26MockStore {
     function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
         return burned[tierId];
     }
+
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
 }
 
 /// @notice Mock checkpoints with explicit per-address vote overrides for H-26 testing.

package/test/audit/PostSnapshotMintTheft.t.sol

@@ -0,0 +1,413 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721TierFlags} from "@bananapus/721-hook-v6/src/structs/JB721TierFlags.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBDistributor} from "../../src/JBDistributor.sol";
+
+// --- Mocks ---------------------------------------------------------------
+
+contract VPCapMockDirectory {
+    mapping(uint256 => mapping(address => bool)) public terminals;
+
+    function setTerminal(uint256 projectId, address terminal, bool isTerminal) external {
+        terminals[projectId][terminal] = isTerminal;
+    }
+
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminals[projectId][address(terminal)];
+    }
+
+    function controllerOf(uint256) external pure returns (IERC165) {
+        return IERC165(address(0));
+    }
+}
+
+contract VPCapMockToken is ERC20 {
+    constructor() ERC20("Reward", "RWD") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+contract VPCapMockStore {
+    uint256 public maxTier;
+    mapping(uint256 => JB721Tier) public tiers;
+    mapping(uint256 => uint256) public burned;
+    mapping(uint256 => uint256) public tokenTiers;
+
+    function setMaxTierIdOf(uint256 v) external {
+        maxTier = v;
+    }
+
+    function maxTierIdOf(address) external view returns (uint256) {
+        return maxTier;
+    }
+
+    function setTier(uint256 tierId, JB721Tier memory tier) external {
+        tiers[tierId] = tier;
+    }
+
+    function tierOf(address, uint256 id, bool) external view returns (JB721Tier memory) {
+        return tiers[id];
+    }
+
+    function setTokenTier(uint256 tokenId, uint256 tierId) external {
+        tokenTiers[tokenId] = tierId;
+    }
+
+    function tierOfTokenId(address, uint256 tokenId, bool) external view returns (JB721Tier memory) {
+        return tiers[tokenTiers[tokenId]];
+    }
+
+    function setBurnedFor(uint256 tierId, uint256 count) external {
+        burned[tierId] = count;
+    }
+
+    function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
+        return burned[tierId];
+    }
+}
+
+contract VPCapMockCheckpoints {
+    VPCapMockStore public store;
+    address public hookAddr;
+
+    uint256 public totalSupplyOverride;
+
+    mapping(address => uint256) public votesOverride;
+    mapping(address => bool) public votesOverrideSet;
+
+    constructor(VPCapMockStore _store, address _hook) {
+        store = _store;
+        hookAddr = _hook;
+    }
+
+    function setTotalSupplyOverride(uint256 value) external {
+        totalSupplyOverride = value;
+    }
+
+    function setVotesOverride(address account, uint256 value) external {
+        votesOverride[account] = value;
+        votesOverrideSet[account] = true;
+    }
+
+    function getPastTotalSupply(uint256) external view returns (uint256 total) {
+        if (totalSupplyOverride != 0) return totalSupplyOverride;
+        uint256 max = store.maxTier();
+        for (uint256 i = 1; i <= max; i++) {
+            JB721Tier memory tier = store.tierOf(hookAddr, i, false);
+            if (tier.id == 0 || tier.initialSupply == 0) continue;
+            uint256 b = store.burned(i);
+            uint256 held = tier.initialSupply - tier.remainingSupply - b;
+            total += held * tier.votingUnits;
+        }
+    }
+
+    function getPastVotes(address account, uint256) external view returns (uint256) {
+        if (votesOverrideSet[account]) return votesOverride[account];
+        return 0; // Default: no historical votes (realistic behavior).
+    }
+}
+
+contract VPCapMockHook {
+    VPCapMockStore public immutable _store;
+    VPCapMockCheckpoints public _checkpoints;
+    mapping(uint256 => address) public owners;
+
+    constructor(VPCapMockStore s) {
+        _store = s;
+        _checkpoints = new VPCapMockCheckpoints(s, address(this));
+    }
+
+    // solhint-disable-next-line func-name-mixedcase
+    function STORE() external view returns (VPCapMockStore) {
+        return _store;
+    }
+
+    // solhint-disable-next-line func-name-mixedcase
+    function CHECKPOINTS() external view returns (VPCapMockCheckpoints) {
+        return _checkpoints;
+    }
+
+    function ownerOf(uint256 tokenId) external view returns (address) {
+        address o = owners[tokenId];
+        require(o != address(0), "ERC721: invalid token ID");
+        return o;
+    }
+
+    function setOwner(uint256 tokenId, address owner) external {
+        owners[tokenId] = owner;
+    }
+}
+
+// --- Tests ---------------------------------------------------------------
+
+/// @title VotingPowerCapSufficiencyTest
+/// @notice Proves that the `_consumedVotesOf` tracking against `getPastVotes` is sufficient
+/// to prevent post-snapshot minted NFTs from extracting excess rewards — no `mintBlockOf`
+/// storage on the 721 hook is needed.
+///
+/// Key invariant: an owner's total vested rewards are bounded by their historical voting
+/// power at the snapshot block, regardless of which specific tokens they vest.
+contract VotingPowerCapSufficiencyTest is Test {
+    JB721Distributor distributor;
+    VPCapMockToken rewardToken;
+    VPCapMockHook hook;
+    VPCapMockStore store;
+    VPCapMockDirectory directory;
+
+    address alice = makeAddr("alice");
+    address bob = makeAddr("bob");
+    address charlie = makeAddr("charlie");
+
+    uint256 constant ROUND_DURATION = 100;
+    uint256 constant VESTING_ROUNDS = 4;
+
+    function setUp() public {
+        store = new VPCapMockStore();
+        hook = new VPCapMockHook(store);
+        directory = new VPCapMockDirectory();
+        distributor = new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+
+        directory.setTerminal(1, address(this), true);
+        rewardToken = new VPCapMockToken();
+
+        JB721TierFlags memory flags;
+        store.setMaxTierIdOf(1);
+
+        // Tier 1: votingUnits=100, 2 minted (initialSupply=10, remainingSupply=8).
+        store.setTier(
+            1,
+            JB721Tier({
+                id: 1,
+                price: 1 ether,
+                remainingSupply: 8,
+                initialSupply: 10,
+                votingUnits: 100,
+                reserveFrequency: 0,
+                reserveBeneficiary: address(0),
+                encodedIPFSUri: bytes32(0),
+                category: 0,
+                discountPercent: 0,
+                flags: flags,
+                splitPercent: 0,
+                resolvedUri: ""
+            })
+        );
+
+        // Token 1 -> alice, Token 2 -> bob (both pre-snapshot).
+        store.setTokenTier(1, 1);
+        hook.setOwner(1, alice);
+        store.setTokenTier(2, 1);
+        hook.setOwner(2, bob);
+
+        // Set realistic historical voting power: each holder had 100 at snapshot.
+        hook._checkpoints().setVotesOverride(alice, 100);
+        hook._checkpoints().setVotesOverride(bob, 100);
+        // Charlie has 0 voting power at snapshot (default).
+
+        // Fix total supply at 200 so post-snapshot mints don't inflate denominator.
+        hook._checkpoints().setTotalSupplyOverride(200);
+    }
+
+    function _advanceToRound(uint256 round) internal {
+        uint256 target = distributor.roundStartTimestamp(round) + 1;
+        if (block.timestamp < target) vm.warp(target);
+        vm.roll(block.number + 1);
+    }
+
+    function _fundHook(uint256 amount) internal {
+        rewardToken.mint(address(this), amount);
+        rewardToken.approve(address(distributor), amount);
+        distributor.fund(address(hook), IERC20(address(rewardToken)), amount);
+    }
+
+    /// @notice Post-snapshot mint cannot extract more than the owner's historical voting power.
+    /// Alice has 100 votes at snapshot. She mints token 3 after snapshot and vests both.
+    /// Total extraction: 500 ether (capped at 100/200 of pool), NOT 1000 ether.
+    function test_votingPowerCap_preventsOverExtraction() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // AFTER snapshot: Alice mints token 3.
+        vm.roll(block.number + 5);
+        store.setTokenTier(3, 1);
+        hook.setOwner(3, alice);
+
+        // Alice vests both tokens 1 (pre-snapshot) and 3 (post-snapshot).
+        uint256[] memory tokenIds = new uint256[](2);
+        tokenIds[0] = 1;
+        tokenIds[1] = 3;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        // Token 1 consumed all 100 votes. Token 3 gets 0 (budget exhausted).
+        uint256 token1Claimed = distributor.claimedFor(address(hook), 1, IERC20(address(rewardToken)));
+        uint256 token3Claimed = distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+
+        assertEq(token1Claimed, 500 ether, "Token 1 gets full share (100/200)");
+        assertEq(token3Claimed, 0, "Token 3 gets 0 (voting power budget exhausted)");
+    }
+
+    /// @notice Vesting only a post-snapshot token still capped by historical votes.
+    /// Alice skips token 1, vests only token 3 (post-snapshot). Gets 500 ether through it.
+    /// Then token 1 gets 0 because the budget is spent. Total: still 500.
+    function test_votingPowerCap_postSnapshotOnlyToken_sameTotal() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // AFTER snapshot: Alice mints token 3.
+        vm.roll(block.number + 5);
+        store.setTokenTier(3, 1);
+        hook.setOwner(3, alice);
+
+        // Alice vests ONLY token 3 (post-snapshot).
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = 3;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 token3Claimed = distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+        assertEq(token3Claimed, 500 ether, "Token 3 vests using Alice's historical 100 votes");
+
+        // Now vest token 1. Alice's budget is already consumed.
+        tokenIds[0] = 1;
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 token1Claimed = distributor.claimedFor(address(hook), 1, IERC20(address(rewardToken)));
+        assertEq(token1Claimed, 0, "Token 1 gets 0 (budget spent on token 3)");
+
+        // Total: 500 ether — exactly what Alice is entitled to.
+        assertEq(token3Claimed + token1Claimed, 500 ether, "Total extraction bounded by historical votes");
+    }
+
+    /// @notice No historical voting power → zero rewards, even with a valid NFT.
+    function test_votingPowerCap_noHistoricalVotes_zeroRewards() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // AFTER snapshot: Charlie (0 votes at snapshot) mints token 3.
+        vm.roll(block.number + 5);
+        store.setTokenTier(3, 1);
+        hook.setOwner(3, charlie);
+
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = 3;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 claimed = distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+        assertEq(claimed, 0, "No historical votes = no rewards");
+    }
+
+    /// @notice Multiple post-snapshot tokens still bounded by historical voting power.
+    /// Alice mints 3 new tokens after snapshot. Total extraction: still 500 ether.
+    function test_votingPowerCap_multiplePostSnapshotTokens_bounded() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // AFTER snapshot: Alice mints tokens 3, 4, 5.
+        vm.roll(block.number + 5);
+        for (uint256 i = 3; i <= 5; i++) {
+            store.setTokenTier(i, 1);
+            hook.setOwner(i, alice);
+        }
+
+        // Alice vests all her tokens (1 pre-snapshot + 3 post-snapshot).
+        uint256[] memory tokenIds = new uint256[](4);
+        tokenIds[0] = 1;
+        tokenIds[1] = 3;
+        tokenIds[2] = 4;
+        tokenIds[3] = 5;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 total;
+        for (uint256 i; i < tokenIds.length; i++) {
+            total += distributor.claimedFor(address(hook), tokenIds[i], IERC20(address(rewardToken)));
+        }
+
+        assertEq(total, 500 ether, "4 tokens but still capped at 100/200 of pool");
+    }
+
+    /// @notice Burn-and-remint: Alice burns pre-snapshot token, mints replacement after.
+    /// Total extraction: still 500 ether (same as if she kept the original).
+    function test_votingPowerCap_burnAndRemint_bounded() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // Simulate burn of token 1 (ownerOf reverts for burned tokens).
+        hook.setOwner(1, address(0));
+
+        // AFTER snapshot: Alice mints token 3 as replacement.
+        vm.roll(block.number + 5);
+        store.setTokenTier(3, 1);
+        hook.setOwner(3, alice);
+
+        // Vest token 3 only (token 1 is burned).
+        uint256[] memory tokenIds = new uint256[](1);
+        tokenIds[0] = 3;
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 claimed = distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+        assertEq(claimed, 500 ether, "Replacement token capped at Alice's historical 100 votes");
+    }
+
+    /// @notice Cross-owner isolation: Alice's post-snapshot mint doesn't affect Bob's rewards.
+    function test_votingPowerCap_crossOwnerIsolation() public {
+        _fundHook(1000 ether);
+        _advanceToRound(1);
+        distributor.poke();
+
+        // AFTER snapshot: Alice mints token 3.
+        vm.roll(block.number + 5);
+        store.setTokenTier(3, 1);
+        hook.setOwner(3, alice);
+
+        // Vest all three tokens.
+        uint256[] memory tokenIds = new uint256[](3);
+        tokenIds[0] = 1; // alice
+        tokenIds[1] = 2; // bob
+        tokenIds[2] = 3; // alice (post-snapshot)
+        IERC20[] memory tokens = new IERC20[](1);
+        tokens[0] = IERC20(address(rewardToken));
+
+        distributor.beginVesting(address(hook), tokenIds, tokens);
+
+        uint256 aliceTotal = distributor.claimedFor(address(hook), 1, IERC20(address(rewardToken)))
+            + distributor.claimedFor(address(hook), 3, IERC20(address(rewardToken)));
+        uint256 bobTotal = distributor.claimedFor(address(hook), 2, IERC20(address(rewardToken)));
+
+        assertEq(aliceTotal, 500 ether, "Alice gets exactly her 100/200 share");
+        assertEq(bobTotal, 500 ether, "Bob gets exactly his 100/200 share");
+        assertEq(aliceTotal + bobTotal, 1000 ether, "Full pool distributed, no over-extraction");
+    }
+}

package/test/audit/TokenMismatchFix.t.sol

@@ -0,0 +1,295 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBSplitHookContext} from "@bananapus/core-v6/src/structs/JBSplitHookContext.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+
+import {JBTokenDistributor} from "../../src/JBTokenDistributor.sol";
+import {JB721Distributor} from "../../src/JB721Distributor.sol";
+import {JBDistributor} from "../../src/JBDistributor.sol";
+
+// =========================================================================
+// Mock contracts
+// =========================================================================
+
+/// @notice Mock JB directory for token mismatch tests.
+contract TMMockDirectory {
+    mapping(uint256 projectId => mapping(address terminal => bool)) public terminals;
+    mapping(uint256 projectId => address controller) public controllers;
+
+    function setTerminal(uint256 projectId, address terminal, bool isTerminal) external {
+        terminals[projectId][terminal] = isTerminal;
+    }
+
+    function setController(uint256 projectId, address controller) external {
+        controllers[projectId] = controller;
+    }
+
+    function isTerminalOf(uint256 projectId, IJBTerminal terminal) external view returns (bool) {
+        return terminals[projectId][address(terminal)];
+    }
+
+    function controllerOf(uint256 projectId) external view returns (IERC165) {
+        return IERC165(controllers[projectId]);
+    }
+}
+
+/// @notice Simple ERC20 token representing a victim's deposited ERC-20.
+contract TMVictimToken is ERC20 {
+    constructor() ERC20("VictimToken", "VICTIM") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+}
+
+/// @notice ERC20Votes token for staking.
+contract TMVotesToken is ERC20, ERC20Votes {
+    constructor() ERC20("StakeToken", "STK") EIP712("StakeToken", "1") {}
+
+    function mint(address to, uint256 amount) external {
+        _mint(to, amount);
+    }
+
+    function _update(address from, address to, uint256 value) internal override(ERC20, ERC20Votes) {
+        super._update(from, to, value);
+    }
+}
+
+// =========================================================================
+// Test: JBTokenDistributor token mismatch vulnerability
+// =========================================================================
+
+/// @notice Proves the ETH-to-ERC20 cross-booking vulnerability is fixed in JBTokenDistributor.
+/// @dev The attack: a malicious terminal sends ETH (msg.value != 0) but sets context.token to an
+/// arbitrary ERC-20 address. Without the fix, the ETH amount would be credited under that ERC-20's
+/// balance mapping, effectively stealing another hook's ERC-20 balance.
+contract TokenMismatchTokenDistributorTest is Test {
+    TMMockDirectory directory;
+    TMVictimToken victimToken;
+    TMVotesToken votesToken;
+    JBTokenDistributor distributor;
+
+    address attacker = makeAddr("attacker");
+    address victim = makeAddr("victim");
+    address terminal = makeAddr("terminal");
+    address hook;
+    uint256 projectId = 1;
+
+    uint256 constant ROUND_DURATION = 100;
+    uint256 constant VESTING_ROUNDS = 4;
+
+    function setUp() public {
+        directory = new TMMockDirectory();
+        victimToken = new TMVictimToken();
+        votesToken = new TMVotesToken();
+
+        directory.setTerminal(projectId, terminal, true);
+
+        distributor = new JBTokenDistributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+
+        hook = address(votesToken);
+    }
+
+    /// @notice Helper to build a JBSplitHookContext.
+    function _buildContext(address token, uint256 amount) internal view returns (JBSplitHookContext memory) {
+        JBSplit memory split = JBSplit({
+            percent: 1_000_000_000,
+            projectId: 0,
+            beneficiary: payable(hook),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(distributor))
+        });
+
+        return JBSplitHookContext({
+            token: token, amount: amount, decimals: 18, projectId: projectId, groupId: 0, split: split
+        });
+    }
+
+    /// @notice Proves the fix: sending ETH with context.token set to an ERC-20 address reverts.
+    function test_tokenMismatch_ethWithErc20Token_reverts() public {
+        // Attacker constructs a context claiming the token is victimToken (an ERC-20),
+        // but sends ETH as msg.value.
+        JBSplitHookContext memory context = _buildContext(address(victimToken), 1 ether);
+
+        // Fund the terminal with ETH for the attack.
+        vm.deal(terminal, 10 ether);
+
+        // The attack should now revert with TokenMismatch.
+        vm.prank(terminal);
+        vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: 1 ether}(context);
+    }
+
+    /// @notice Proves that legitimate native ETH splits (context.token == NATIVE_TOKEN) still work.
+    function test_tokenMismatch_ethWithNativeToken_succeeds() public {
+        JBSplitHookContext memory context = _buildContext(JBConstants.NATIVE_TOKEN, 1 ether);
+
+        vm.deal(terminal, 10 ether);
+
+        vm.prank(terminal);
+        distributor.processSplitWith{value: 1 ether}(context);
+
+        // Balance should be credited under NATIVE_TOKEN.
+        assertEq(
+            distributor.balanceOf(hook, IERC20(JBConstants.NATIVE_TOKEN)),
+            1 ether,
+            "Native ETH split should credit balance under NATIVE_TOKEN"
+        );
+    }
+
+    /// @notice Demonstrates the attack scenario that the fix prevents: without the fix,
+    /// an attacker could steal the victim's ERC-20 balance by sending ETH with a fake token.
+    function test_tokenMismatch_attackScenario_cannotStealErc20Balance() public {
+        // Step 1: Victim legitimately deposits ERC-20 tokens via the terminal.
+        uint256 victimAmount = 100 ether;
+        victimToken.mint(terminal, victimAmount);
+
+        JBSplitHookContext memory legitimateContext = _buildContext(address(victimToken), victimAmount);
+
+        vm.startPrank(terminal);
+        victimToken.approve(address(distributor), victimAmount);
+        distributor.processSplitWith(legitimateContext);
+        vm.stopPrank();
+
+        // Verify victim's ERC-20 balance is properly recorded.
+        assertEq(
+            distributor.balanceOf(hook, IERC20(address(victimToken))),
+            victimAmount,
+            "Victim's ERC-20 balance should be credited"
+        );
+
+        // Step 2: Attacker tries to send 1 ETH but have it credited as victimToken.
+        // This would allow the attacker to inflate the victimToken balance and steal from others.
+        JBSplitHookContext memory attackContext = _buildContext(address(victimToken), 1 ether);
+
+        vm.deal(terminal, 10 ether);
+        vm.prank(terminal);
+        vm.expectRevert(JBTokenDistributor.JBTokenDistributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: 1 ether}(attackContext);
+
+        // Balance remains unchanged — attack blocked.
+        assertEq(
+            distributor.balanceOf(hook, IERC20(address(victimToken))),
+            victimAmount,
+            "Victim's ERC-20 balance must not change after blocked attack"
+        );
+    }
+}
+
+// =========================================================================
+// Test: JB721Distributor token mismatch vulnerability
+// =========================================================================
+
+/// @notice Proves the ETH-to-ERC20 cross-booking vulnerability is fixed in JB721Distributor.
+contract TokenMismatch721DistributorTest is Test {
+    TMMockDirectory directory;
+    TMVictimToken victimToken;
+    JB721Distributor distributor;
+
+    address terminal = makeAddr("terminal");
+    address hook = makeAddr("nft-hook");
+    uint256 projectId = 1;
+
+    uint256 constant ROUND_DURATION = 100;
+    uint256 constant VESTING_ROUNDS = 4;
+
+    function setUp() public {
+        directory = new TMMockDirectory();
+        victimToken = new TMVictimToken();
+
+        directory.setTerminal(projectId, terminal, true);
+
+        distributor = new JB721Distributor(IJBDirectory(address(directory)), ROUND_DURATION, VESTING_ROUNDS);
+    }
+
+    /// @notice Helper to build a JBSplitHookContext.
+    function _buildContext(address token, uint256 amount) internal view returns (JBSplitHookContext memory) {
+        JBSplit memory split = JBSplit({
+            percent: 1_000_000_000,
+            projectId: 0,
+            beneficiary: payable(hook),
+            preferAddToBalance: false,
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(distributor))
+        });
+
+        return JBSplitHookContext({
+            token: token, amount: amount, decimals: 18, projectId: projectId, groupId: 0, split: split
+        });
+    }
+
+    /// @notice Proves the fix: sending ETH with context.token set to an ERC-20 address reverts.
+    function test_tokenMismatch_721_ethWithErc20Token_reverts() public {
+        JBSplitHookContext memory context = _buildContext(address(victimToken), 1 ether);
+
+        vm.deal(terminal, 10 ether);
+
+        vm.prank(terminal);
+        vm.expectRevert(JB721Distributor.JB721Distributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: 1 ether}(context);
+    }
+
+    /// @notice Proves that legitimate native ETH splits still work for JB721Distributor.
+    function test_tokenMismatch_721_ethWithNativeToken_succeeds() public {
+        JBSplitHookContext memory context = _buildContext(JBConstants.NATIVE_TOKEN, 1 ether);
+
+        vm.deal(terminal, 10 ether);
+
+        vm.prank(terminal);
+        distributor.processSplitWith{value: 1 ether}(context);
+
+        // Balance should be credited under NATIVE_TOKEN.
+        assertEq(
+            distributor.balanceOf(hook, IERC20(JBConstants.NATIVE_TOKEN)),
+            1 ether,
+            "Native ETH split should credit balance under NATIVE_TOKEN"
+        );
+    }
+
+    /// @notice Full attack scenario blocked on JB721Distributor.
+    function test_tokenMismatch_721_attackScenario_cannotStealErc20Balance() public {
+        // Step 1: Legitimate ERC-20 deposit.
+        uint256 victimAmount = 50 ether;
+        victimToken.mint(terminal, victimAmount);
+
+        JBSplitHookContext memory legitimateContext = _buildContext(address(victimToken), victimAmount);
+
+        vm.startPrank(terminal);
+        victimToken.approve(address(distributor), victimAmount);
+        distributor.processSplitWith(legitimateContext);
+        vm.stopPrank();
+
+        assertEq(
+            distributor.balanceOf(hook, IERC20(address(victimToken))), victimAmount, "Victim balance should be credited"
+        );
+
+        // Step 2: Attack — send ETH but claim it as victimToken.
+        JBSplitHookContext memory attackContext = _buildContext(address(victimToken), 1 ether);
+
+        vm.deal(terminal, 10 ether);
+        vm.prank(terminal);
+        vm.expectRevert(JB721Distributor.JB721Distributor_TokenMismatch.selector);
+        distributor.processSplitWith{value: 1 ether}(attackContext);
+
+        // Balance unaffected.
+        assertEq(
+            distributor.balanceOf(hook, IERC20(address(victimToken))),
+            victimAmount,
+            "Balance must remain unchanged after blocked attack"
+        );
+    }
+}

package/test/fork/TokenDistributorFork.t.sol

@@ -87,7 +87,7 @@ contract TokenDistributorForkTest is Test {
     IPermit2 constant PERMIT2 = IPermit2(0x000000000022D473030F116dDEE9F6B43aC78BA3);
 
     function setUp() public {
-        vm.createSelectFork("ethereum");
+        vm.createSelectFork("ethereum", 24_981_600);
 
         // Create labeled addresses and ensure they're clean EOAs (no mainnet code).
         multisig = makeAddr("test_distributor_multisig");

package/test/invariant/JB721DistributorInvariant.t.sol

@@ -90,6 +90,11 @@ contract InvariantMockStore {
     function numberOfBurnedFor(address, uint256 tierId) external view returns (uint256) {
         return burned[tierId];
     }
+
+    /// @dev Returns 0 for all tokens (backward-compatible: allows vesting).
+    function mintBlockOf(address, uint256) external pure returns (uint256) {
+        return 0;
+    }
 }
 
 /// @notice Mock JB directory for invariant testing.