@bananapus/omnichain-deployers-v6 0.0.60 → 0.0.62

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/omnichain-deployers-v6",
-  "version": "0.0.60",
+  "version": "0.0.62",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -24,16 +24,16 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-omnichain-deployers-v6'"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "^0.0.69",
-    "@bananapus/core-v6": "^0.0.82",
+    "@bananapus/721-hook-v6": "^0.0.73",
+    "@bananapus/core-v6": "^0.0.86",
     "@bananapus/ownable-v6": "^0.0.39",
     "@bananapus/permission-ids-v6": "^0.0.31",
-    "@bananapus/suckers-v6": "^0.0.72",
+    "@bananapus/suckers-v6": "^0.0.73",
     "@openzeppelin/contracts": "5.6.1"
   },
   "devDependencies": {
-    "@bananapus/address-registry-v6": "^0.0.34",
-    "@bananapus/buyback-hook-v6": "^0.0.70",
+    "@bananapus/address-registry-v6": "^0.0.35",
+    "@bananapus/buyback-hook-v6": "^0.0.71",
     "@sphinx-labs/plugins": "0.33.3",
     "@uniswap/v4-core": "1.0.2"
   }

package/references/runtime.md

@@ -11,11 +11,14 @@
 3. On pay, it calls the 721 hook first, then the optional extra hook with the adjusted amount context.
 4. On cash out, it can short-circuit for suckers, otherwise it forwards into the configured hook stack in order.
 5. Mint permission queries can be granted by suckers or by the configured extra hook.
+6. Peer-chain adjusted account queries forward to the configured extra hook, but missing or malformed returns are
+   treated as no contribution.
 
 ## High-risk areas
 
 - Ruleset ID prediction: if the predicted ID is wrong, hook config can be stored under the wrong key.
 - Hook composition order: 721 logic runs before any extra hook, which affects both specs and accounting.
+- Hook metadata decoding: split-credit metadata must satisfy the full ABI tuple minimum before it is decoded.
 - Sucker exemptions: early-return cash-out behavior is intentional and should not be removed casually.
 - Carry-forward logic: queueing rulesets without new tiers intentionally reuses the latest 721 hook.
 - Meta-transaction sender handling: salt derivation uses `_msgSender()`, not raw `msg.sender`.

package/src/JBOmnichainDeployer.sol

@@ -557,7 +557,8 @@ contract JBOmnichainDeployer is
                 // When issueTokensForSplits is true and splits exist, this holds the weight portion
                 // attributable to tier splits — used to prevent split credit erasure if the extra
                 // hook (e.g. buyback) returns weight=0.
-                if (tiered721HookSpec.metadata.length >= 128) {
+                // The tuple's minimum ABI encoding is 160 bytes: 4 head words plus an empty `bytes` tail.
+                if (tiered721HookSpec.metadata.length >= 160) {
                     (,,, splitCreditWeight) = abi.decode(tiered721HookSpec.metadata, (address, address, bytes, uint256));
                 }
             }
@@ -709,12 +710,9 @@ contract JBOmnichainDeployer is
         (bool success, bytes memory data) = address(extraHook.dataHook)
             .staticcall(abi.encodeCall(IJBPeerChainAdjustedAccounts.peerChainAdjustedAccountsOf, (projectId)));
 
-        // A well-formed `(uint256, JBSourceContext[])` return is at least three words: the supply, the array offset,
-        // and the array length. Anything shorter (an empty return, a hook with no code, or a mismatched ABI) is
-        // treated as no contribution rather than letting the decode revert.
-        if (!success || data.length < 96) return (0, new JBSourceContext[](0));
+        if (!success) return (0, new JBSourceContext[](0));
 
-        return abi.decode(data, (uint256, JBSourceContext[]));
+        return _peerChainAdjustedAccountsFrom(data);
     }
 
     //*********************************************************************//
@@ -1058,6 +1056,98 @@ contract JBOmnichainDeployer is
         return ERC2771Context._msgSender();
     }
 
+    /// @notice Decodes a peer-chain adjusted accounting return, falling back to no contribution if malformed.
+    /// @param data The raw return data from an extra hook's `peerChainAdjustedAccountsOf` call.
+    /// @return supply The extra supply to include in `sourceTotalSupply`.
+    /// @return contexts The extra per-context surplus and balance to include in the snapshot, un-valued.
+    function _peerChainAdjustedAccountsFrom(bytes memory data)
+        internal
+        pure
+        returns (uint256 supply, JBSourceContext[] memory contexts)
+    {
+        // `data` is a Solidity `bytes` value. Its first memory word is the byte length, and the ABI return payload
+        // starts at `data + 32`.
+        //
+        // The payload for `(uint256, JBSourceContext[])` is:
+        //   word 0: supply
+        //   word 1: offset to the dynamic `contexts` array tail, relative to the payload start
+        //   tail word 0: contexts.length
+        //   tail words: each `JBSourceContext`, encoded as 4 ABI words.
+        //
+        // Anything shorter than the two tuple head words plus the array-length word cannot be decoded safely.
+        if (data.length < 96) return (0, new JBSourceContext[](0));
+
+        uint256 contextsOffset;
+        assembly ("memory-safe") {
+            // Skip the `bytes` length word, then read the first two ABI words from the payload head.
+            supply := mload(add(data, 32))
+            contextsOffset := mload(add(data, 64))
+        }
+
+        // The array tail must begin after the two-word tuple head, remain ABI-word aligned, and leave room for its own
+        // length word. If the offset points into the head, into the middle of a word, or past the buffer, a normal
+        // `abi.decode` would revert. This wrapper instead treats the optional hook contribution as absent.
+        if (contextsOffset < 64 || contextsOffset % 32 != 0 || contextsOffset > data.length - 32) {
+            return (0, new JBSourceContext[](0));
+        }
+
+        uint256 contextCount;
+        assembly ("memory-safe") {
+            // The offset is relative to the payload start (`data + 32`), not the start of the `bytes` object.
+            contextCount := mload(add(add(data, 32), contextsOffset))
+        }
+
+        // Skip the array-length word to reach the first encoded `JBSourceContext`.
+        uint256 contextsStart = contextsOffset + 32;
+        // Each `JBSourceContext` has four static ABI words: token, decimals, surplus, and balance. Check the count
+        // against the remaining bytes before allocating the array so a hostile length cannot force a large allocation
+        // or make the loop read past the returned buffer.
+        if (contextCount > (data.length - contextsStart) / 128) return (0, new JBSourceContext[](0));
+
+        contexts = new JBSourceContext[](contextCount);
+
+        for (uint256 i; i < contextCount; i++) {
+            // Move to the encoded struct for this index. The offset is still payload-relative.
+            uint256 contextOffset = contextsStart + i * 128;
+            bytes32 token;
+            uint256 decimals;
+            uint256 surplus;
+            uint256 contextBalance;
+
+            assembly ("memory-safe") {
+                // Point at the first word of this encoded struct and read its four ABI words directly.
+                let contextPointer := add(add(data, 32), contextOffset)
+                token := mload(contextPointer)
+                decimals := mload(add(contextPointer, 32))
+                surplus := mload(add(contextPointer, 64))
+                contextBalance := mload(add(contextPointer, 96))
+            }
+
+            // The ABI decoder would reject values that do not fit their declared Solidity types. Because this function
+            // decodes manually, it must enforce the same bounds before casting so malformed data cannot silently
+            // truncate into `uint8` or `uint128`.
+            if (decimals > type(uint8).max || surplus > type(uint128).max || contextBalance > type(uint128).max) {
+                return (0, new JBSourceContext[](0));
+            }
+
+            // Store the checked values using the struct's real types. At this point every read was inside the buffer
+            // and every narrowed cast has been proven safe.
+            // Casting to `uint8` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint8 checkedDecimals = uint8(decimals);
+            // Casting to `uint128` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint128 checkedSurplus = uint128(surplus);
+            // Casting to `uint128` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint128 checkedBalance = uint128(contextBalance);
+
+            contexts[i] = JBSourceContext({
+                token: token, decimals: checkedDecimals, surplus: checkedSurplus, balance: checkedBalance
+            });
+        }
+    }
+
     /// @notice Revert unless the trusted directory records `CONTROLLER` for `projectId`.
     /// @dev Use `allowUnset = true` as a pre-launch check: a fresh project with no controller wired yet is accepted.
     /// Use `allowUnset = false` as a post-launch check: `CONTROLLER` must be live in the directory.