@bananapus/omnichain-deployers-v6 0.0.17 → 0.0.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# π Security Review β nana-omnichain-deployers-v6
|
|
2
|
+
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
## Scope
|
|
6
|
+
|
|
7
|
+
| | |
|
|
8
|
+
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
9
|
+
| **Mode** | ALL / default |
|
|
10
|
+
| **Files reviewed** | `script/Deploy.s.sol` Β· `script/helpers/DeployersDeploymentLib.sol` Β· `src/JBOmnichainDeployer.sol`<br>`src/structs/JBDeployerHookConfig.sol` Β· `src/structs/JBOmnichain721Config.sol` Β· `src/structs/JBSuckerDeploymentConfig.sol`<br>`src/structs/JBTiered721HookConfig.sol` |
|
|
11
|
+
| **Confidence threshold (1-100)** | 75 |
|
|
12
|
+
|
|
13
|
+
---
|
|
14
|
+
|
|
15
|
+
## Findings
|
|
16
|
+
|
|
17
|
+
None.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
Findings List
|
|
22
|
+
|
|
23
|
+
| # | Confidence | Title |
|
|
24
|
+
|---|---|---|
|
|
25
|
+
| - | - | None |
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## Leads
|
|
30
|
+
|
|
31
|
+
_Vulnerability trails with concrete code smells where the full exploit path could not be completed in one analysis pass. These are not false positives β they are high-signal leads for manual review. Not scored._
|
|
32
|
+
|
|
33
|
+
- **Reflexive controller validation overstates what it proves** β `JBOmnichainDeployer._validateController` β Code smells: validation is anchored to `controller.DIRECTORY()` supplied by the same controller being checked, rather than to an immutable trusted directory β This did not survive to a finding because the path does not update the canonical project rulesets or directory, so I could not complete a live exploit that changes real terminal execution. It is still worth tightening or clarifying because the current comment implies stronger authenticity guarantees than the code actually enforces.
|
|
34
|
+
- **`launchRulesetsFor` semantics depend on upstream βfirst launch onlyβ behavior** β `JBOmnichainDeployer._launchRulesetsFor` β Code smells: the wrapper presents a generic launch entrypoint, but upstream `JBController.launchRulesetsFor` reverts once a project already has rulesets β I did not confirm a security impact, but the API/documentation boundary is easy to misuse and should remain regression-tested so integrations do not assume it can relaunch arbitrary existing projects.
|
|
35
|
+
- **Pay-hook composition assumes the 721 hook preserves its current return-shape invariants** β `JBOmnichainDeployer.beforePayRecordedWith` β Code smells: only `tiered721HookSpecs[0]` is consumed and `projectAmount` is clamped to zero if the returned split amount exceeds the payment amount β I could not prove an exploitable path in the current dependency set because the bundled 721 hook maintains the expected single-spec invariant. This remains a dependency-sensitive integration trail if the upstream hook contract or interface expectations ever change.
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
> β οΈ This review was performed by an AI assistant. AI analysis can never verify the complete absence of vulnerabilities and no guarantee of security is given. Team security reviews, bug bounty programs, and on-chain monitoring are strongly recommended. For a consultation regarding your projects' security, visit [https://www.pashov.com](https://www.pashov.com)
|
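Review bot: the review record added in this hunk never states which commit, tag or package version of the source was reviewed; the Scope table only lists Mode, Files reviewed and Confidence threshold, so a reader of 0.0.19 cannot tell whether the reviewed `src/JBOmnichainDeployer.sol` is the one shipped here. Add a row such as `| **Commit / version** | <commit hash or tag> |` to the Scope table. Also, the three items under "Leads" (`_validateController` anchoring trust to `controller.DIRECTORY()`, the "first launch only" semantics of `_launchRulesetsFor`, and the `tiered721HookSpecs[0]` return-shape assumption in `beforePayRecordedWith`) are explicitly flagged as worth manual follow-up, yet nothing in the file says who owns that follow-up or where it is tracked; a tracking reference per lead would keep them from being lost behind the "Findings: None." summary.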
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@bananapus/omnichain-deployers-v6",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.19",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"repository": {
|
|
6
6
|
"type": "git",
|
|
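Review bot: the version goes from 0.0.17 straight to 0.0.19 (the removed line is truncated to `"version": "0.0.` in this rendering, so the old value is only known from the page title), and nothing in this diff documents what 0.0.18 contained or why it was skipped. A changelog entry or release note covering both bumps would let consumers see that the only functional change is the dependency bump below.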
@@ -17,7 +17,7 @@
|
|
|
17
17
|
"artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-omnichain-deployers-v6'"
|
|
18
18
|
},
|
|
19
19
|
"dependencies": {
|
|
20
|
-
"@bananapus/721-hook-v6": "^0.0.
|
|
20
|
+
"@bananapus/721-hook-v6": "^0.0.28",
|
|
21
21
|
"@bananapus/address-registry-v6": "^0.0.16",
|
|
22
22
|
"@bananapus/buyback-hook-v6": "^0.0.24",
|
|
23
23
|
"@bananapus/core-v6": "^0.0.30",
|
|
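Review bot: the bump of `@bananapus/721-hook-v6` to `^0.0.28` is exactly the dependency that the new review file's third lead calls "dependency-sensitive" (the `tiered721HookSpecs[0]` / single-spec assumption in `beforePayRecordedWith`), and the test hunks below show the hook's tier struct gained three new fields, so the interface did change. Confirm that the single-spec invariant still holds in 0.0.28 and say so in the commit message. Note also that for a 0.0.x version npm's caret range `^0.0.28` resolves to `>=0.0.28 <0.0.29`, i.e. an exact pin, so this will not float to later hook releases without another package.json change.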
@@ -235,8 +235,9 @@ abstract contract OmnichainForkTestBase is TestBaseWorkflow {
|
|
|
235
235
|
useReserveBeneficiaryAsDefault: false,
|
|
236
236
|
transfersPausable: false,
|
|
237
237
|
useVotingUnits: false,
|
|
238
|
-
|
|
239
|
-
|
|
238
|
+
cantBeRemoved: false,
|
|
239
|
+
cantIncreaseDiscountPercent: false,
|
|
240
|
+
cantBuyWithCredits: false,
|
|
240
241
|
splitPercent: SPLIT_PERCENT,
|
|
241
242
|
splits: tierSplits
|
|
242
243
|
});
|
|
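Review bot: the base fixture sets all three new tier flags (`cantBeRemoved`, `cantIncreaseDiscountPercent`, `cantBuyWithCredits`) to `false`, the permissive default, and the two removed lines render as empty here, so it is not visible which fields they replaced. Add at least one fixture or test with the restrictive values set to `true` so the deployer's handling of non-removable and credit-restricted tiers is exercised, and mention in the commit message which two struct fields were dropped.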
@@ -73,8 +73,9 @@ contract TestOmnichain721QueueAndAdjust is OmnichainForkTestBase {
|
|
|
73
73
|
useReserveBeneficiaryAsDefault: false,
|
|
74
74
|
transfersPausable: false,
|
|
75
75
|
useVotingUnits: false,
|
|
76
|
-
|
|
77
|
-
|
|
76
|
+
cantBeRemoved: false,
|
|
77
|
+
cantIncreaseDiscountPercent: false,
|
|
78
|
+
cantBuyWithCredits: false,
|
|
78
79
|
splitPercent: 0,
|
|
79
80
|
splits: new JBSplit[](0)
|
|
80
81
|
});
|
|
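Review bot: this is the first of three near-identical tier-config literals in `TestOmnichain721QueueAndAdjust` that all receive the same three-line `cantBeRemoved` / `cantIncreaseDiscountPercent` / `cantBuyWithCredits` block; the only differences between them are `splitPercent: 0` and `splits: new JBSplit[](0)`. Move the literal into a helper on `OmnichainForkTestBase` that takes the split parameters, so the next hook struct change is a one-line edit rather than four.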
@@ -149,8 +150,9 @@ contract TestOmnichain721QueueAndAdjust is OmnichainForkTestBase {
|
|
|
149
150
|
useReserveBeneficiaryAsDefault: false,
|
|
150
151
|
transfersPausable: false,
|
|
151
152
|
useVotingUnits: false,
|
|
152
|
-
|
|
153
|
-
|
|
153
|
+
cantBeRemoved: false,
|
|
154
|
+
cantIncreaseDiscountPercent: false,
|
|
155
|
+
cantBuyWithCredits: false,
|
|
154
156
|
splitPercent: 0,
|
|
155
157
|
splits: new JBSplit[](0)
|
|
156
158
|
});
|
|
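Review bot: same fixture body as the hunk above at lines 150-158, with the three new flags again hard-coded to `false`; if the helper suggested for the previous hunk is adopted, this block collapses to a single call. Independently of that, the `-` lines are blank in this rendering, so a reviewer cannot confirm from the hunk alone that nothing other than the two replaced fields was removed.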
@@ -197,8 +199,9 @@ contract TestOmnichain721QueueAndAdjust is OmnichainForkTestBase {
|
|
|
197
199
|
useReserveBeneficiaryAsDefault: false,
|
|
198
200
|
transfersPausable: false,
|
|
199
201
|
useVotingUnits: false,
|
|
200
|
-
|
|
201
|
-
|
|
202
|
+
cantBeRemoved: false,
|
|
203
|
+
cantIncreaseDiscountPercent: false,
|
|
204
|
+
cantBuyWithCredits: false,
|
|
202
205
|
splitPercent: 0,
|
|
203
206
|
splits: new JBSplit[](0)
|
|
204
207
|
});
|
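Review bot: the fourth copy of the same tier-config literal (lines 199-207) again sets `cantBeRemoved`, `cantIncreaseDiscountPercent` and `cantBuyWithCredits` to `false`. With every fixture in the file using the permissive values, the queue-and-adjust tests this contract exists for never check that an adjustment is refused for a tier marked `cantBeRemoved` or that a discount increase is refused under `cantIncreaseDiscountPercent`; at least one of these fixtures should flip a flag to `true` and assert the revert.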