@bananapus/omnichain-deployers-v6 0.0.28 → 0.0.30

package/RISKS.md

@@ -1,81 +1,97 @@
 # Omnichain Deployers Risk Register
 
-This file focuses on the risks in the deployer layer that launches Juicebox projects across chains while composing 721 hooks, suckers, and optional custom data hooks.
+This file covers the risks in the deployer layer that launches Juicebox projects across chains while composing 721 hooks, suckers, and optional custom data hooks.
 
-## How to use this file
+## How To Use This File
 
-- Read `Priority risks` first; they capture the highest-blast-radius deployment and cash-out assumptions.
-- Use the detailed sections for access control, integration, and reentrancy analysis.
-- Treat `Invariants to Verify` as required checks for any new omnichain deployment flow.
+- Read `Priority risks` first. They capture the highest-blast-radius deployment and cash-out assumptions.
+- Treat `Invariants to verify` as required checks for any new omnichain deployment flow.
 
-## Priority risks
+## Priority Risks
 
 | Priority | Risk | Why it matters | Primary controls |
 |----------|------|----------------|------------------|
 | P0 | Registry-trusted sucker bypass | This deployer gives suckers privileged cash-out behavior based on registry answers. A bad registry entry can affect many projects. | Registry allowlists, deployment verification, and explicit registry scrutiny. |
 | P1 | Cross-chain deployment drift | Omnichain assumptions fail if chain-specific wiring, peers, or composed hooks do not match. | Deterministic deploy ordering, parity checks, and post-deploy peer verification. |
-| P1 | Data-hook composition mistakes | The deployer wraps or forwards custom data hooks; a bad composition can alter pay or cash-out semantics unexpectedly. | Integration tests for wrapped hooks and careful review of forwarding logic. |
-
+| P1 | Data-hook composition mistakes | The deployer wraps or forwards custom data hooks. A bad composition can alter pay or cash-out semantics unexpectedly. | Integration tests and careful forwarding review. |
 
 ## 1. Trust Assumptions
 
-- **Trusted forwarder.** ERC-2771 `_msgSender()` is trusted to append the real sender. A compromised forwarder can impersonate any address for `deploySuckersFor`, `launchProjectFor`, `queueRulesetsOf`, and `launchRulesetsFor`.
-- **Sucker registry.** `SUCKER_REGISTRY.isSuckerOf()` is the sole gatekeeper for 0% cashout tax and mint permission. A compromised or malicious registry lets any address bypass cashout taxes and mint tokens freely.
-- **Controller trust.** The deployer passes an arbitrary `IJBController controller` parameter. `_validateController` checks `controller.DIRECTORY().controllerOf(projectId)` (a reflexive lookup through the controller's own directory reference), but during `launchProjectFor` the project does not yet exist, so no pre-launch controller validation is possible. The post-launch safeguard is the explicit project-ID match check on `controller.launchProjectFor(...)`.
-- **Extra data hooks.** Arbitrary `IJBRulesetDataHook` addresses from ruleset metadata are stored and called directly from the deployer's pay/cash-out wrapper paths. A malicious hook can return arbitrary weight, cashout tax rate, or hook specifications, and can also consume all available gas or revert.
+- **Trusted forwarder is trusted.**
+- **Sucker registry answers are trusted.**
+- **Controller trust matters.**
+- **Extra data hooks are trusted code.**
 
-## 2. Economic / Manipulation Risks
+## 2. Economic Risks
 
-- **Sucker cashout bypass.** Any address registered as a sucker for a project gets 0% cashout tax rate and full reclaim. If a malicious sucker is registered (via compromised `SUCKER_REGISTRY`), it can drain the project's surplus.
-- **Weight manipulation via extra data hook.** `beforePayRecordedWith` forwards to the extra data hook, which can return any `weight`. A malicious hook can inflate token minting or set weight=0 to block minting.
-- **721 hook amount splitting.** The deployer computes `projectAmount = context.amount.value - totalSplitAmount`. The 721 hook's returned weight (already adjusted for splits via `JB721TiersHookLib.calculateWeight`) is used directly -- no proportional scaling is applied. If the 721 hook returns a `totalSplitAmount >= context.amount.value`, `projectAmount` is set to 0 and weight becomes 0 -- no tokens are minted for the payment.
-- **Cross-chain sender dependence in sucker deployment salts.** `deploySuckersFor` salts deployments with `keccak256(abi.encode(userSalt, _msgSender()))`. This prevents replay collisions, but it also means the same logical project deployed by different operators on different chains will not get matching deterministic sucker addresses.
+- **Sucker cashout bypass exists for registered suckers.**
+- **Extra data hooks can manipulate weight or cash-out behavior.**
+- **721 hook amount splitting can zero out project amount in edge cases.**
+- **Cross-chain sender dependence affects deterministic sucker salts.**
 
 ## 3. Access Control
 
-- **Wildcard MAP_SUCKER_TOKEN permission.** Constructor grants `SUCKER_REGISTRY` the `MAP_SUCKER_TOKEN` permission with `projectId=0` (wildcard). This grants the registry token-mapping rights across all projects ever deployed through this deployer.
-- **Permission checks on `launchRulesetsFor`.** Requires both `LAUNCH_RULESETS` and `SET_TERMINALS` from the project owner. If an operator has one but not the other, the call reverts. No combined permission ID exists.
-- **No permission check on `launchProjectFor`.** Anyone can call it because a new project is being created. The `owner` parameter receives the project NFT -- verify frontends do not allow this to be set to unexpected addresses.
+- **Wildcard `MAP_SUCKER_TOKEN` permission is broad.**
+- **`launchRulesetsFor` requires combined permissions.**
+- **`launchProjectFor` is intentionally permissionless for new projects.**
 
 ## 4. DoS Vectors
 
-- **Ruleset ID collision.** `_setup721` stores hook configs at `block.timestamp + i`. If `latestRulesetIdOf >= block.timestamp` (rulesets already queued this block), `queueRulesetsOf` reverts with `RulesetIdsUnpredictable`. An attacker who queues rulesets in the same block as the legitimate owner can front-run and block their queue attempt. Gas impact: `queueRulesetsOf` costs ~200-400k gas per ruleset queued. The collision only occurs when two transactions queue rulesets in the same block for the same project — race condition window is one block (~12 seconds on L1, 2 seconds on L2).
-- **External hook revert.** `beforePayRecordedWith` and `beforeCashOutRecordedWith` call external hooks without try-catch. A reverting hook blocks all payments or cashouts for that project/ruleset. For cash-outs, if the 721 hook reverts, the custom hook is never reached (the revert propagates before it). Gas impact: the direct call into the extra data hook has no gas limit, so a gas-griefing hook can consume the entire transaction gas. The 721 hook call is similarly unbounded.
-- **721 hook deployment revert.** `HOOK_DEPLOYER.deployHookFor` is called without try-catch. A failing deployment blocks the entire project launch.
-- **Unexpected safe NFT receipt reverts, but non-safe transfers can still strand assets.** `onERC721Received` only accepts `PROJECTS` NFTs. Safe transfers of any other ERC-721 revert instead of being accepted. The narrower residual risk is `transferFrom` or other non-safe delivery into the deployer, which bypasses the receiver hook and has no generalized rescue path.
+- **Ruleset ID collision can block queueing.**
+- **External hook reverts can block pay or cash-out flows.**
+- **721 hook deployment revert blocks launch.**
+- **Non-safe NFT transfers can still strand assets.**
 
 ## 5. Reentrancy Surface
 
-- **`launchProjectFor` external call chain.** The function makes external calls to: (1) `_deploy721Hook()` via `HOOK_DEPLOYER.deployHookFor()` (deploys 721 hook clone), (2) `controller.launchProjectFor()` (creates project, deploys rulesets), (3) `JBOwnable(hook).transferOwnershipToProject()` (transfers hook ownership to the new project), (4) `SUCKER_REGISTRY.deploySuckersFor()` (deploys suckers if configured), (5) `PROJECTS.transferFrom()` (transfers the project NFT to the owner). None of these calls are try-catch wrapped — a revert in any of them fails the entire launch. Reentrancy from the controller callback during project creation could call back into `launchProjectFor`, but the new project would get a different ID (monotonically incrementing), so state corruption is not possible.
-- **`beforePayRecordedWith` delegates to external hooks.** Calls `IJBRulesetDataHook(tiered721Hook).beforePayRecordedWith(context)` (not try-caught) and optionally calls the extra data hook directly. The 721 hook and extra hook can execute arbitrary code. At callback time, no deployer state has been modified (the deployer is stateless during payments — it only routes). Reentrancy through the pay path processes as an independent payment.
-- **`beforeCashOutRecordedWith` delegates to external hooks.** Same pattern as pay: calls the 721 hook (not try-caught), then optionally the extra data hook. Sucker check via `SUCKER_REGISTRY.isSuckerOf` is a view call. No deployer state is modified during cashouts.
-- **No `ReentrancyGuard`.** Safe because the deployer is effectively stateless during pay/cashout operations — it reads `_tiered721HookOf` and `_extraDataHookOf` mappings but never writes them outside of deployment functions.
+- **`launchProjectFor` makes several external calls in sequence.**
+- **`beforePayRecordedWith` delegates to external hooks.**
+- **`beforeCashOutRecordedWith` delegates to external hooks.**
+- **There is no `ReentrancyGuard`.** The deployer relies on being effectively stateless during pay and cash-out operations.
 
 ## 6. Integration Risks
 
-- **Hook config keyed by predicted rulesetId.** Configs stored at `block.timestamp + i` must match the actual rulesetId assigned by the controller. If the controller assigns different IDs (e.g., due to approval hook delays), the stored configs become unreachable -- payments/cashouts fall through to default behavior (no 721 handling, no extra hook).
-- **Carried-forward 721 hook on queue.** When `tiers.length == 0`, `queueRulesetsOf` carries forward the hook from a previous ruleset. The source is selected by first checking `latestQueuedOf(projectId)` — if the queued ruleset's approval status is `Approved` or `Empty` and it has a stored hook config, that config is used. Otherwise it falls back to `currentOf(projectId)`. If neither has a hook deployed through this deployer, the mapping is empty and the call reverts with `JBOmnichainDeployer_InvalidHook`. The `useDataHookForCashOut` flag is also preserved from whichever source ruleset is selected.
-- **ERC721Receiver restriction.** `onERC721Received` only accepts from `PROJECTS`. Non-project NFTs sent via `safeTransferFrom` revert cleanly; non-safe transfers can still become stuck because the deployer has no generalized rescue function.
-- **Empty simplified launch config reverts.** The convenience overload that derives a default 721 config from `rulesetConfigurations[0]` reverts with `JBOmnichainDeployer_NoRulesetConfigurations()` when called with an empty ruleset array.
-- **Cross-reference: sucker registration.** The deployer grants `MAP_SUCKER_TOKEN` to `SUCKER_REGISTRY` with `projectId=0` (wildcard). This means the registry can map tokens for ALL projects deployed through this deployer. See [nana-suckers-v6 RISKS.md](../nana-suckers-v6/RISKS.md) for the full sucker lifecycle risks.
-- **Cross-reference: core reentrancy.** The deployer delegates to `JBController` and `JBMultiTerminal` for all fund operations. See [nana-core-v6 RISKS.md](../nana-core-v6/RISKS.md) section 3 for the reentrancy surface of these contracts.
+- **Hook config is keyed by predicted ruleset ID.**
+- **Carried-forward 721 hook behavior on queue depends on prior ruleset state.**
+- **ERC721Receiver restrictions are narrow but non-safe transfers can still strand assets.**
+- **Empty simplified launch config reverts.**
 
-## 7. Invariants to Verify
+## 7. Invariants To Verify
 
-- For any project launched through this deployer, `DIRECTORY.controllerOf(projectId)` matches the controller used during launch.
-- `_tiered721HookOf[projectId][rulesetId]` is non-zero for every rulesetId created through this deployer.
-- Sucker cashouts always receive 0% tax rate (no path where `isSuckerOf` returns true but tax > 0).
-- `beforePayRecordedWith` uses the 721 hook's weight directly (already split-adjusted by `JB721TiersHookLib.calculateWeight`), so no additional scaling is applied.
-- Self-reference prevention: `rulesetConfigurations[i].metadata.dataHook` cannot be `address(this)` after `_setup721`.
-- Project NFT ownership: after `_launchProjectFor`, the project NFT is owned by `owner`, not the deployer.
-- `deploySuckersFor` uses the same `_msgSender()` on every chain when deterministic cross-chain peer symmetry is expected.
+- launched projects point at the intended controller
+- stored 721 hook config exists for every ruleset created through this deployer
+- sucker cashouts always get the intended zero-tax path
+- self-reference prevention holds after setup
+- the project NFT ends owned by the intended owner
 
 ## 8. Accepted Behaviors
 
-### 8.1 Controller validation skipped during `launchProjectFor` (by design)
+### 8.1 Controller validation is skipped during initial launch
+
+Pre-launch controller validation is impossible because the project does not yet exist. The accepted safeguard is the post-launch project ID match check.
+
+### 8.2 Registered suckers receive 0% cashout tax
+
+This is intentional and shares the same trust boundary as the sucker registry.
+
+## 9. Accepted Security Risks
+
+Documented risks that were reviewed and accepted.
+
+### Configuration Risks
+
+**Unvalidated extra data hooks can brick live flows.** *(Minor)*
+Extra data hooks provided by the project owner in `_setup721` configuration can fail and brick live pay/cashout flows. Accepted because this is self-inflicted misconfiguration — only the project owner can set these hooks.
+
+**Missing hook721 alias check enables double invocation.** *(Minor)*
+If the project owner configures the 721 hook as both the primary hook and as an extra data hook, it could be invoked twice. Accepted because this is self-inflicted misconfiguration — the deployer correctly processes each hook independently.
+
+### Hook Selection
 
-`_validateController` checks `controller.DIRECTORY().controllerOf(projectId)` to verify the provided controller matches the project's registered controller. During `launchProjectFor`, the project does not yet exist, so no directory entry exists and no pre-launch validation is possible. The accepted safeguard is the explicit `ProjectIdMismatch` check immediately after `controller.launchProjectFor()` returns. This is accepted because: (1) the project is created atomically within the same transaction, (2) the caller provides the controller address, so they choose their own trust boundary, and (3) validating against a non-existent project would always fail, making the check useless.
+**ApprovalExpected rulesets excluded from hook carry-forward.**
+When no new tiers are provided, the deployer carries forward the 721 hook from the most recent approved ruleset. Rulesets with `ApprovalExpected` status are intentionally excluded even though they may become active. Hook selection is irreversible — if the pending ruleset is later rejected by the approval hook, we'd have locked in a hook from a ruleset that never became active. The deployer falls back to the current (already-approved) ruleset in this case.
 
-### 8.2 Suckers receive 0% cashout tax (shared with revnet-core)
+### Cross-Chain Deployment
 
-`beforeCashOutRecordedWith` returns `cashOutTaxRate = 0` for addresses registered in `SUCKER_REGISTRY`. This is the same trust model as REVDeployer. The security boundary is the sucker registry — only addresses deployed through authorized deployers receive this privilege. See [revnet-core-v6 RISKS.md](../revnet-core-v6/RISKS.md) section 4 for the full sucker bypass analysis.
+**`_msgSender()` in deployment salt breaks cross-chain determinism.** *(Minor)*
+`deploySuckersFor` includes `_msgSender()` in the CREATE2 salt, which means the same deployment from different callers produces different addresses across chains. Accepted because this is intentional replay protection — prevents frontrunning of cross-chain deployments.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/omnichain-deployers-v6",
-  "version": "0.0.28",
+  "version": "0.0.30",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -17,17 +17,17 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-omnichain-deployers-v6'"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.35",
-    "@bananapus/buyback-hook-v6": "^0.0.27",
-    "@bananapus/core-v6": "^0.0.34",
-    "@bananapus/ownable-v6": "^0.0.17",
-    "@bananapus/permission-ids-v6": "^0.0.17",
-    "@bananapus/suckers-v6": "^0.0.25",
+    "@bananapus/721-hook-v6": "^0.0.41",
+    "@bananapus/buyback-hook-v6": "^0.0.30",
+    "@bananapus/core-v6": "^0.0.36",
+    "@bananapus/ownable-v6": "^0.0.20",
+    "@bananapus/permission-ids-v6": "^0.0.19",
+    "@bananapus/suckers-v6": "^0.0.28",
     "@openzeppelin/contracts": "^5.6.1",
     "@uniswap/v4-core": "^1.0.2"
   },
   "devDependencies": {
-    "@bananapus/address-registry-v6": "^0.0.17",
+    "@bananapus/address-registry-v6": "^0.0.20",
     "@sphinx-labs/plugins": "^0.33.2"
   }
 }

package/script/Deploy.s.sol

@@ -8,6 +8,7 @@ import {CoreDeployment, CoreDeploymentLib} from "@bananapus/core-v6/script/helpe
 import {Hook721Deployment, Hook721DeploymentLib} from "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
 import {SuckerDeployment, SuckerDeploymentLib} from "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
 
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {JBOmnichainDeployer} from "src/JBOmnichainDeployer.sol";
 
 contract Deploy is Script, Sphinx {
@@ -61,7 +62,12 @@ contract Deploy is Script, Sphinx {
                 salt: NANA_OMNICHAIN_DEPLOYER_SALT,
                 creationCode: type(JBOmnichainDeployer).creationCode,
                 arguments: abi.encode(
-                    suckers.registry, hook.hook_deployer, core.permissions, core.projects, core.trustedForwarder
+                    suckers.registry,
+                    hook.hook_deployer,
+                    core.permissions,
+                    core.projects,
+                    core.directory,
+                    core.trustedForwarder
                 ),
                 deployer: safeAddress()
             })) {
@@ -70,6 +76,7 @@ contract Deploy is Script, Sphinx {
                 hookDeployer: hook.hook_deployer,
                 permissions: core.permissions,
                 projects: core.projects,
+                directory: IJBDirectory(address(core.directory)),
                 trustedForwarder: core.trustedForwarder
             });
         }

package/src/JBOmnichainDeployer.sol

@@ -6,6 +6,7 @@ import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB
 import {JBApprovalStatus} from "@bananapus/core-v6/src/enums/JBApprovalStatus.sol";
 import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
@@ -29,6 +30,7 @@ import {JBDeployerHookConfig} from "./structs/JBDeployerHookConfig.sol";
 import {JBOmnichain721Config} from "./structs/JBOmnichain721Config.sol";
 import {JBSuckerDeploymentConfig} from "./structs/JBSuckerDeploymentConfig.sol";
 import {JBTiered721HookConfig} from "./structs/JBTiered721HookConfig.sol";
+import {mulDiv} from "@prb/math/src/Common.sol";
 
 /// @notice Deploys, manages, and operates Juicebox projects with suckers.
 // Project NFTs sent to this contract are not recoverable. The deployer does not
@@ -79,6 +81,10 @@ contract JBOmnichainDeployer is
     /// @notice Deploys and tracks suckers for projects.
     IJBSuckerRegistry public immutable SUCKER_REGISTRY;
 
+    /// @notice The directory used to validate controllers. Stored as immutable to prevent a user-provided
+    /// controller from returning a fake directory that confirms itself.
+    IJBDirectory public immutable DIRECTORY;
+
     //*********************************************************************//
     // -------------------- internal stored properties ------------------- //
     //*********************************************************************//
@@ -101,12 +107,14 @@ contract JBOmnichainDeployer is
     /// @param hookDeployer The deployer to use for project's tiered ERC-721 hooks.
     /// @param permissions The permissions to use for the contract.
     /// @param projects The projects to use for the contract.
+    /// @param directory The directory used to validate controllers against a trusted source.
     /// @param trustedForwarder The trusted forwarder for the ERC2771Context.
     constructor(
         IJBSuckerRegistry suckerRegistry,
         IJB721TiersHookDeployer hookDeployer,
         IJBPermissions permissions,
         IJBProjects projects,
+        IJBDirectory directory,
         address trustedForwarder
     )
         JBPermissioned(permissions)
@@ -115,6 +123,7 @@ contract JBOmnichainDeployer is
         PROJECTS = projects;
         SUCKER_REGISTRY = suckerRegistry;
         HOOK_DEPLOYER = hookDeployer;
+        DIRECTORY = directory;
 
         // Give the sucker registry permission to map tokens for all revnets.
         uint8[] memory permissionIds = new uint8[](1);
@@ -426,10 +435,10 @@ contract JBOmnichainDeployer is
         // If a 721 hook is set and opted into cash out handling, let it adjust the cash out parameters.
         if (address(tiered721Config.hook) != address(0) && tiered721Config.useDataHookForCashOut) {
             // Forward to the 721 hook. It may change the tax rate, count, and return hook specs.
-            // We discard the inner hook's effectiveSurplusValue — this contract computes the cross-chain values.
-            // We also discard its totalSupply since this contract computes the cross-chain supply.
+            // Capture the 721 hook's totalSupply and effectiveSurplusValue — NFT cash-outs should use
+            // local-only denominators so holders reclaim against local surplus, not omnichain surplus.
             // slither-disable-next-line unused-return
-            (cashOutTaxRate, cashOutCount,,, tiered721HookSpecifications) =
+            (cashOutTaxRate, cashOutCount, totalSupply, effectiveSurplusValue, tiered721HookSpecifications) =
                 IJBRulesetDataHook(address(tiered721Config.hook)).beforeCashOutRecordedWith(context);
         }
 
@@ -444,16 +453,23 @@ contract JBOmnichainDeployer is
             // Build a mutable copy of the context with the latest values (possibly updated by the 721 hook).
             JBBeforeCashOutRecordedContext memory hookContext = context;
             hookContext.cashOutTaxRate = cashOutTaxRate;
-            hookContext.cashOutCount = cashOutCount;
             hookContext.totalSupply = totalSupply;
             hookContext.surplus.value = effectiveSurplusValue;
 
-            // Forward to the extra hook. It may further change the tax rate, count, and return hook specs.
-            // We discard the inner hook's effectiveSurplusValue — this contract computes the cross-chain values.
-            // We also discard its totalSupply since this contract computes the cross-chain supply.
-            // slither-disable-next-line unused-return
-            (cashOutTaxRate, cashOutCount,,, extraHookSpecifications) =
-                extraHook.dataHook.beforeCashOutRecordedWith(hookContext);
+            // Forward to the extra hook. It may further change the tax rate and return hook specs.
+            // We always discard totalSupply and effectiveSurplusValue — this contract computes
+            // cross-chain values for both. When the 721 hook is active, we also discard cashOutCount
+            // because the 721 hook redefines both cashOutCount and totalSupply as NFT cash-out weights
+            // (sum of tier prices), not fungible token counts. Letting the extra hook override
+            // cashOutCount would corrupt NFT pricing in the bonding curve.
+            if (address(tiered721Config.hook) != address(0) && tiered721Config.useDataHookForCashOut) {
+                // slither-disable-next-line unused-return
+                (cashOutTaxRate,,,, extraHookSpecifications) = extraHook.dataHook.beforeCashOutRecordedWith(hookContext);
+            } else {
+                // slither-disable-next-line unused-return
+                (cashOutTaxRate, cashOutCount,,, extraHookSpecifications) =
+                    extraHook.dataHook.beforeCashOutRecordedWith(hookContext);
+            }
         }
 
         // If neither hook returned any specifications, return the adjusted values with no hook specs.
@@ -502,6 +518,8 @@ contract JBOmnichainDeployer is
         bool hasTiered721Spec;
         // The weight returned by the 721 hook (already scaled for splits).
         uint256 tiered721Weight;
+        // The weight attributable to tier splits when issueTokensForSplits is true.
+        uint256 splitCreditWeight;
         // Whether a 721 hook is configured for this project's ruleset.
         bool has721Hook;
         if (address(tiered721Config.hook) != address(0)) {
@@ -518,6 +536,14 @@ contract JBOmnichainDeployer is
                 hasTiered721Spec = true;
                 tiered721HookSpec = tiered721HookSpecs[0];
                 totalSplitAmount = tiered721HookSpec.amount;
+
+                // Decode splitCreditWeight from the 721 hook's metadata (4th field).
+                // When issueTokensForSplits is true and splits exist, this holds the weight portion
+                // attributable to tier splits — used to prevent split credit erasure if the extra
+                // hook (e.g. buyback) returns weight=0.
+                if (tiered721HookSpec.metadata.length >= 128) {
+                    (,,, splitCreditWeight) = abi.decode(tiered721HookSpec.metadata, (address, address, bytes, uint256));
+                }
             }
         }
 
@@ -533,11 +559,27 @@ contract JBOmnichainDeployer is
             if (address(extraHook.dataHook) != address(0) && extraHook.useDataHookForPay) {
                 JBBeforePayRecordedContext memory hookContext = context;
                 hookContext.amount.value = projectAmount;
-                // Pass the 721 hook's weight (which accounts for split deductions) so the data hook
-                // makes its decisions (e.g. mint-vs-swap) based on the correct post-split weight.
-                if (has721Hook) hookContext.weight = tiered721Weight;
+                // Pass the original context.weight — NOT the 721 hook's split-adjusted weight.
+                // The extra hook (e.g. buyback) applies its own weight logic; using the 721 hook's
+                // already-split-adjusted weight would double-discount the split ratio.
                 (weight, dataHookSpecs) = extraHook.dataHook.beforePayRecordedWith(hookContext);
                 customHookCalled = true;
+
+                // The custom hook (e.g. buyback) returned a weight based on the original context.weight.
+                // If the 721 hook scaled weight down for tier splits, apply the same ratio so the terminal
+                // doesn't over-mint tokens relative to the funds actually entering the project.
+                // When issueTokensForSplits is true, tiered721Weight == context.weight and the ratio is 1x.
+                if (has721Hook && context.weight > 0 && tiered721Weight != context.weight) {
+                    weight = mulDiv(weight, tiered721Weight, context.weight);
+                }
+
+                // When the extra hook returns weight=0 (e.g. buyback found no profitable swap) but tier
+                // splits exist with issueTokensForSplits=true, the split credit must still mint fungible tokens.
+                // The split credit weight is independent of buyback routing — it represents the token issuance
+                // for funds forwarded to tier split beneficiaries.
+                if (weight == 0 && splitCreditWeight > 0) {
+                    weight = splitCreditWeight;
+                }
             }
         }
 
@@ -715,8 +757,9 @@ contract JBOmnichainDeployer is
             });
         }
 
-        // Transfer ownership of the project to the owner.
-        PROJECTS.transferFrom({from: address(this), to: owner, tokenId: projectId});
+        // Transfer ownership of the project to the owner. Uses safeTransferFrom so contract receivers
+        // get an onERC721Received callback.
+        PROJECTS.safeTransferFrom({from: address(this), to: owner, tokenId: projectId});
     }
 
     /// @notice Internal implementation of `launchRulesetsFor`.
@@ -804,6 +847,9 @@ contract JBOmnichainDeployer is
             {
                 // First try the latest queued ruleset — if it's been explicitly approved
                 // (or has no approval hook), its hook config should take precedence.
+                // Conservative: only use Approved or Empty status. ApprovalExpected is intentionally
+                // excluded because hook selection is irreversible — if the pending ruleset is later rejected
+                // by the approval hook, we'd have locked in a hook from a ruleset that never became active.
                 (JBRuleset memory latestQueued, JBApprovalStatus approvalStatus) =
                     controller.RULESETS().latestQueuedOf(projectId);
                 if (
@@ -920,13 +966,12 @@ contract JBOmnichainDeployer is
     }
 
     /// @notice Validates that the provided controller matches the project's controller in the directory.
-    /// @dev The reflexive lookup (controller.DIRECTORY().controllerOf()) is intentional — it confirms the
-    /// caller-provided controller is the one the directory recognizes for this project, preventing a
-    /// malicious controller from being passed in.
+    /// @dev Uses the immutable DIRECTORY instead of querying the controller, preventing a malicious
+    /// controller from returning a fake directory that confirms itself.
     /// @param projectId The ID of the project to validate the controller for.
     /// @param controller The controller to validate.
     function _validateController(uint256 projectId, IJBController controller) internal view {
-        address current = address(controller.DIRECTORY().controllerOf(projectId));
+        address current = address(DIRECTORY.controllerOf(projectId));
         // Allow address(0) for fresh projects that haven't launched rulesets yet.
         if (current != address(0) && current != address(controller)) {
             revert JBOmnichainDeployer_ControllerMismatch();

package/test/JBOmnichainDeployer.t.sol

@@ -42,6 +42,7 @@ contract TestJBOmnichainDeployer is Test {
     IJBProjects projects = IJBProjects(makeAddr("projects"));
     IJBSuckerRegistry suckerRegistry = IJBSuckerRegistry(makeAddr("suckerRegistry"));
     IJB721TiersHookDeployer hookDeployer = IJB721TiersHookDeployer(makeAddr("hookDeployer"));
+    IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
     address projectOwner = makeAddr("projectOwner");
     address sucker = makeAddr("sucker");
@@ -63,6 +64,7 @@ contract TestJBOmnichainDeployer is Test {
             hookDeployer,
             permissions,
             projects,
+            directory,
             address(0) // trustedForwarder
         );
 
@@ -331,11 +333,7 @@ contract TestJBOmnichainDeployer is Test {
 
     function test_launchRulesetsFor_simplified_usesDefaultCurrency() public {
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -369,7 +367,6 @@ contract TestJBOmnichainDeployer is Test {
     function test_queueRulesetsOf_simplified_carriesForwardHook() public {
         // First launch a project so there's a hook to carry forward.
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
         IJBRulesets rulesets = IJBRulesets(makeAddr("rulesets"));
 
         vm.mockCall(address(projects), abi.encodeWithSelector(IJBProjects.count.selector), abi.encode(uint256(41)));
@@ -391,9 +388,6 @@ contract TestJBOmnichainDeployer is Test {
         deployer.launchProjectFor(projectOwner, "test", configs, terminals, "", _emptySuckerConfig(), controller);
 
         // Now set up mocks for queueRulesetsOf.
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),
@@ -462,7 +456,6 @@ contract TestJBOmnichainDeployer is Test {
     function test_queueRulesetsOf_carryForward_preservesCashOutFlag() public {
         // --- Step 1: Launch a project with useDataHookForCashOut = true ---
         IJBController controller = IJBController(makeAddr("controller"));
-        IJBDirectory directory = IJBDirectory(makeAddr("directory"));
         IJBRulesets rulesets = IJBRulesets(makeAddr("rulesets"));
 
         vm.mockCall(address(projects), abi.encodeWithSelector(IJBProjects.count.selector), abi.encode(uint256(41)));
@@ -495,9 +488,6 @@ contract TestJBOmnichainDeployer is Test {
         assertTrue(initialCashOutFlag, "initial launch should store useDataHookForCashOut = true");
 
         // --- Step 2: Queue a new ruleset with no tiers (carry-forward) ---
-        vm.mockCall(
-            address(controller), abi.encodeWithSelector(IJBController.DIRECTORY.selector), abi.encode(directory)
-        );
         vm.mockCall(
             address(directory),
             abi.encodeWithSelector(IJBDirectory.controllerOf.selector, projectId),

package/test/JBOmnichainDeployerGuard.t.sol

@@ -126,6 +126,7 @@ contract JBOmnichainDeployerGuardTest is TestBaseWorkflow {
             IJB721TiersHookDeployer(mockHookDeployerAddr),
             IJBPermissions(address(jbPermissions())),
             IJBProjects(address(jbProjects())),
+            IJBDirectory(address(jbDirectory())),
             trustedForwarder()
         );
 
@@ -262,11 +263,11 @@ contract JBOmnichainDeployerGuardTest is TestBaseWorkflow {
             .setPermissionsFor(
                 owner,
                 JBPermissionsData({
-                    operator: address(deployer),
-                    // forge-lint: disable-next-line(unsafe-typecast)
-                    projectId: uint64(projectId),
-                    permissionIds: permissionIds
-                })
+                operator: address(deployer),
+                // forge-lint: disable-next-line(unsafe-typecast)
+                projectId: uint64(projectId),
+                permissionIds: permissionIds
+            })
             );
     }
 
@@ -302,9 +303,10 @@ contract JBOmnichainDeployerGuardTest is TestBaseWorkflow {
 
         JBRulesetConfig[] memory rulesets = _makeRulesetConfigs(1);
 
-        // Should succeed without reverting.
         JBOmnichain721Config memory empty721;
-        deployer.queueRulesetsOf(projectId, empty721, rulesets, "queue", IJBController(address(jbController())));
+        (uint256 rulesetId,) =
+            deployer.queueRulesetsOf(projectId, empty721, rulesets, "queue", IJBController(address(jbController())));
+        assertGt(rulesetId, 0, "Queued ruleset ID must be non-zero");
     }
 
     /// @notice Queue rulesets reverts when called in the same block as launch
@@ -362,6 +364,41 @@ contract JBOmnichainDeployerGuardTest is TestBaseWorkflow {
 
         // Now should succeed.
         JBOmnichain721Config memory empty721b;
-        deployer.queueRulesetsOf(projectId, empty721b, rulesets, "ok-now", IJBController(address(jbController())));
+        (uint256 rulesetId,) =
+            deployer.queueRulesetsOf(projectId, empty721b, rulesets, "ok-now", IJBController(address(jbController())));
+        assertGt(rulesetId, 0, "Queued ruleset ID must be non-zero after warping past conflict");
+    }
+
+    /// @notice When no new tiers are provided and no latestQueued exists (single launch ruleset that
+    ///         became the current ruleset), the hook is carried forward from the current ruleset (lines 862-864).
+    function test_queueRulesetsOf_carriesForwardFromCurrent_whenNoLatestQueued() public {
+        // Launch with 1 ruleset — this deploys a 721 hook stored for the launch ruleset.
+        uint256 projectId = _launchProject(1);
+        uint256 launchRulesetId = block.timestamp;
+        _grantDeployerQueuePermission(projectId);
+
+        // Verify the 721 hook was stored for the launch ruleset.
+        (IJB721TiersHook launchHook,) = deployer.tiered721HookOf(projectId, launchRulesetId);
+        assertEq(address(launchHook), mockHookAddr, "Launch ruleset should have 721 hook stored");
+
+        // Warp forward so the launched ruleset is the current active one and the guard passes.
+        vm.warp(block.timestamp + 1 days);
+
+        // Queue a new ruleset with NO new tiers → triggers carry-forward logic.
+        JBRulesetConfig[] memory rulesets = _makeRulesetConfigs(1);
+        JBOmnichain721Config memory empty721;
+        (uint256 queuedRulesetId,) = deployer.queueRulesetsOf(
+            projectId, empty721, rulesets, "carry-forward", IJBController(address(jbController()))
+        );
+
+        assertGt(queuedRulesetId, 0, "Queued ruleset ID must be non-zero");
+
+        // Verify the hook was carried forward to the new queued ruleset.
+        (IJB721TiersHook carriedHook,) = deployer.tiered721HookOf(projectId, queuedRulesetId);
+        assertEq(
+            address(carriedHook),
+            address(launchHook),
+            "Queued ruleset should carry forward the 721 hook from the current ruleset"
+        );
     }
 }

package/test/OmnichainDeployerAttacks.t.sol

@@ -4,6 +4,7 @@ pragma solidity 0.8.28;
 import {Test} from "forge-std/Test.sol";
 
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
@@ -97,6 +98,7 @@ contract OmnichainDeployerAttacks is Test {
     IJBProjects projects = IJBProjects(makeAddr("projects"));
     IJBSuckerRegistry suckerRegistry = IJBSuckerRegistry(makeAddr("suckerRegistry"));
     IJB721TiersHookDeployer hookDeployer = IJB721TiersHookDeployer(makeAddr("hookDeployer"));
+    IJBDirectory directory = IJBDirectory(makeAddr("directory"));
 
     address projectOwner = makeAddr("projectOwner");
     address sucker = makeAddr("sucker");
@@ -119,7 +121,7 @@ contract OmnichainDeployerAttacks is Test {
             address(permissions), abi.encodeWithSelector(IJBPermissions.setPermissionsFor.selector), abi.encode()
         );
 
-        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, address(0));
+        deployer = new JBOmnichainDeployer(suckerRegistry, hookDeployer, permissions, projects, directory, address(0));
 
         // Default mocks.
         vm.mockCall(