npm - @bananapus/omnichain-deployers-v6 - Versions diffs - 0.0.61 → 0.0.62 - Mend

@bananapus/omnichain-deployers-v6 0.0.61 → 0.0.62

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/references/runtime.md +3 -0
package/src/JBOmnichainDeployer.sol +96 -6

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/omnichain-deployers-v6",
-  "version": "0.0.61",
+  "version": "0.0.62",
   "license": "MIT",
   "repository": {
     "type": "git",

package/references/runtime.md CHANGED Viewed

@@ -11,11 +11,14 @@
 3. On pay, it calls the 721 hook first, then the optional extra hook with the adjusted amount context.
 4. On cash out, it can short-circuit for suckers, otherwise it forwards into the configured hook stack in order.
 5. Mint permission queries can be granted by suckers or by the configured extra hook.
+6. Peer-chain adjusted account queries forward to the configured extra hook, but missing or malformed returns are
+   treated as no contribution.
 ## High-risk areas
 - Ruleset ID prediction: if the predicted ID is wrong, hook config can be stored under the wrong key.
 - Hook composition order: 721 logic runs before any extra hook, which affects both specs and accounting.
+- Hook metadata decoding: split-credit metadata must satisfy the full ABI tuple minimum before it is decoded.
 - Sucker exemptions: early-return cash-out behavior is intentional and should not be removed casually.
 - Carry-forward logic: queueing rulesets without new tiers intentionally reuses the latest 721 hook.
 - Meta-transaction sender handling: salt derivation uses `_msgSender()`, not raw `msg.sender`.

package/src/JBOmnichainDeployer.sol CHANGED Viewed

@@ -557,7 +557,8 @@ contract JBOmnichainDeployer is
                 // When issueTokensForSplits is true and splits exist, this holds the weight portion
                 // attributable to tier splits — used to prevent split credit erasure if the extra
                 // hook (e.g. buyback) returns weight=0.
-                if (tiered721HookSpec.metadata.length >= 128) {
+                // The tuple's minimum ABI encoding is 160 bytes: 4 head words plus an empty `bytes` tail.
+                if (tiered721HookSpec.metadata.length >= 160) {
                     (,,, splitCreditWeight) = abi.decode(tiered721HookSpec.metadata, (address, address, bytes, uint256));
                 }
             }
@@ -709,12 +710,9 @@ contract JBOmnichainDeployer is
         (bool success, bytes memory data) = address(extraHook.dataHook)
             .staticcall(abi.encodeCall(IJBPeerChainAdjustedAccounts.peerChainAdjustedAccountsOf, (projectId)));
-        // A well-formed `(uint256, JBSourceContext[])` return is at least three words: the supply, the array offset,
-        // and the array length. Anything shorter (an empty return, a hook with no code, or a mismatched ABI) is
-        // treated as no contribution rather than letting the decode revert.
-        if (!success || data.length < 96) return (0, new JBSourceContext[](0));
+        if (!success) return (0, new JBSourceContext[](0));
-        return abi.decode(data, (uint256, JBSourceContext[]));
+        return _peerChainAdjustedAccountsFrom(data);
     }
     //*********************************************************************//
@@ -1058,6 +1056,98 @@ contract JBOmnichainDeployer is
         return ERC2771Context._msgSender();
     }
+    /// @notice Decodes a peer-chain adjusted accounting return, falling back to no contribution if malformed.
+    /// @param data The raw return data from an extra hook's `peerChainAdjustedAccountsOf` call.
+    /// @return supply The extra supply to include in `sourceTotalSupply`.
+    /// @return contexts The extra per-context surplus and balance to include in the snapshot, un-valued.
+    function _peerChainAdjustedAccountsFrom(bytes memory data)
+        internal
+        pure
+        returns (uint256 supply, JBSourceContext[] memory contexts)
+    {
+        // `data` is a Solidity `bytes` value. Its first memory word is the byte length, and the ABI return payload
+        // starts at `data + 32`.
+        //
+        // The payload for `(uint256, JBSourceContext[])` is:
+        //   word 0: supply
+        //   word 1: offset to the dynamic `contexts` array tail, relative to the payload start
+        //   tail word 0: contexts.length
+        //   tail words: each `JBSourceContext`, encoded as 4 ABI words.
+        //
+        // Anything shorter than the two tuple head words plus the array-length word cannot be decoded safely.
+        if (data.length < 96) return (0, new JBSourceContext[](0));
+        uint256 contextsOffset;
+        assembly ("memory-safe") {
+            // Skip the `bytes` length word, then read the first two ABI words from the payload head.
+            supply := mload(add(data, 32))
+            contextsOffset := mload(add(data, 64))
+        }
+        // The array tail must begin after the two-word tuple head, remain ABI-word aligned, and leave room for its own
+        // length word. If the offset points into the head, into the middle of a word, or past the buffer, a normal
+        // `abi.decode` would revert. This wrapper instead treats the optional hook contribution as absent.
+        if (contextsOffset < 64 || contextsOffset % 32 != 0 || contextsOffset > data.length - 32) {
+            return (0, new JBSourceContext[](0));
+        }
+        uint256 contextCount;
+        assembly ("memory-safe") {
+            // The offset is relative to the payload start (`data + 32`), not the start of the `bytes` object.
+            contextCount := mload(add(add(data, 32), contextsOffset))
+        }
+        // Skip the array-length word to reach the first encoded `JBSourceContext`.
+        uint256 contextsStart = contextsOffset + 32;
+        // Each `JBSourceContext` has four static ABI words: token, decimals, surplus, and balance. Check the count
+        // against the remaining bytes before allocating the array so a hostile length cannot force a large allocation
+        // or make the loop read past the returned buffer.
+        if (contextCount > (data.length - contextsStart) / 128) return (0, new JBSourceContext[](0));
+        contexts = new JBSourceContext[](contextCount);
+        for (uint256 i; i < contextCount; i++) {
+            // Move to the encoded struct for this index. The offset is still payload-relative.
+            uint256 contextOffset = contextsStart + i * 128;
+            bytes32 token;
+            uint256 decimals;
+            uint256 surplus;
+            uint256 contextBalance;
+            assembly ("memory-safe") {
+                // Point at the first word of this encoded struct and read its four ABI words directly.
+                let contextPointer := add(add(data, 32), contextOffset)
+                token := mload(contextPointer)
+                decimals := mload(add(contextPointer, 32))
+                surplus := mload(add(contextPointer, 64))
+                contextBalance := mload(add(contextPointer, 96))
+            }
+            // The ABI decoder would reject values that do not fit their declared Solidity types. Because this function
+            // decodes manually, it must enforce the same bounds before casting so malformed data cannot silently
+            // truncate into `uint8` or `uint128`.
+            if (decimals > type(uint8).max || surplus > type(uint128).max || contextBalance > type(uint128).max) {
+                return (0, new JBSourceContext[](0));
+            }
+            // Store the checked values using the struct's real types. At this point every read was inside the buffer
+            // and every narrowed cast has been proven safe.
+            // Casting to `uint8` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint8 checkedDecimals = uint8(decimals);
+            // Casting to `uint128` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint128 checkedSurplus = uint128(surplus);
+            // Casting to `uint128` is safe because the guard above rejected larger values.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            uint128 checkedBalance = uint128(contextBalance);
+            contexts[i] = JBSourceContext({
+                token: token, decimals: checkedDecimals, surplus: checkedSurplus, balance: checkedBalance
+            });
+        }
+    }
     /// @notice Revert unless the trusted directory records `CONTROLLER` for `projectId`.
     /// @dev Use `allowUnset = true` as a pre-launch check: a fresh project with no controller wired yet is accepted.
     /// Use `allowUnset = false` as a post-launch check: `CONTROLLER` must be live in the directory.