npm - @bannynet/core-v6 - Versions diffs - 0.0.14 → 0.0.15 - Mend

@bannynet/core-v6 0.0.14 → 0.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/ARCHITECTURE.md +2 -0
package/RISKS.md +5 -1
package/assets/findings/banny-retail-v6-pashov-ai-audit-report-20260330-102839.md +34 -0
package/package.json +2 -2
package/script/Add.Denver.s.sol +1 -1
package/script/Drop1.s.sol +1 -1
package/test/audit/BurnedBodyStrandsAssets.t.sol +158 -0

package/ARCHITECTURE.md CHANGED Viewed

@@ -96,3 +96,5 @@ For IPFS-backed assets without on-chain SVG content, the resolver falls back to
 **Fixed category ordering for outfit layering.** Outfits must be passed in ascending category order (2-17) and only one outfit per category is allowed. This constraint eliminates ambiguity in SVG z-ordering -- the category number directly determines the layer position. It also enables the resolver to insert default accessories (necklace, eyes, mouth) at the correct z-position when no custom one is equipped and no full-head item occludes them.
 **Equipped assets travel with the body.** When a body NFT is transferred, all equipped outfits and backgrounds remain attached. The new owner inherits them and can unequip to receive the outfit NFTs. This was chosen over auto-unequip to preserve the dressed Banny as a complete visual unit, but it means sellers should unequip valuable outfits before listing.
+**Outfits burn with the body.** When a body NFT is burned, equipped outfits and backgrounds held by the resolver become permanently unrecoverable. There is no recovery function — outfits share the body's fate. Users must unequip outfits before burning the body if they want to keep them.

package/RISKS.md CHANGED Viewed

@@ -63,6 +63,10 @@ For permanently unrecoverable assets (burned NFTs, removed tiers), the retained
 `tokenUriOf` constructs full SVGs on-chain with string concatenation. Measured gas ceiling: ~609K gas for the worst case (9 non-conflicting outfits + background with on-chain SVG content), well within typical RPC node limits (30M+). Regression test: `test_tokenUri_gasSnapshot_9outfits` in `test/TestQALastMile.t.sol`.
-### 7.4 Reentrancy in non-guarded functions is harmless
+### 7.4 Outfits burn alongside the body
+When a banny body NFT is burned (e.g. via cash-out), any equipped outfits and backgrounds held by the resolver are permanently unrecoverable. The resolver has no recovery function and this is intentional — outfits are part of the body's identity and share its fate. Users who want to preserve outfits must unequip them before burning the body.
+### 7.5 Reentrancy in non-guarded functions is harmless
 `lockOutfitChangesFor` and all view functions (`tokenUriOf`, `svgOf`) are not protected by `nonReentrant`. A malicious hook's `STORE().tierOfTokenId()` could re-enter `lockOutfitChangesFor` during a `tokenUriOf` call, but this is harmless -- `lockOutfitChangesFor` only extends the lock timestamp (monotonically non-decreasing) and has no state that could be corrupted by reentrancy. The view functions themselves are read-only at the contract level (no storage writes), so reentrancy through them cannot extract value.

package/assets/findings/banny-retail-v6-pashov-ai-audit-report-20260330-102839.md ADDED Viewed

@@ -0,0 +1,34 @@
+# 🔐 Security Review — banny-retail-v6
+---
+## Scope
+|                                  |                                                                                                                           |
+| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
+| **Mode**                         | ALL / default                                                                                                             |
+| **Files reviewed**               | `Add.Denver.s.sol` · `Deploy.s.sol` · `Drop1.s.sol`<br>`BannyverseDeploymentLib.sol` · `MigrationHelper.sol` · `Banny721TokenUriResolver.sol` |
+| **Confidence threshold (1-100)** | 75                                                                                                                        |
+---
+## Findings
+_No confirmed findings._
+---
+Findings List
+| # | Confidence | Title |
+|---|---|---|
+---
+## Leads
+_None._
+---
+> ⚠️ This review was performed by an AI assistant. AI analysis can never verify the complete absence of vulnerabilities and no guarantee of security is given. Team security reviews, bug bounty programs, and on-chain monitoring are strongly recommended. For a consultation regarding your projects' security, visit [https://www.pashov.com](https://www.pashov.com)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@bannynet/core-v6",
-    "version": "0.0.14",
+    "version": "0.0.15",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -27,7 +27,7 @@
         "@bananapus/suckers-v6": "^0.0.18",
         "@croptop/core-v6": "^0.0.23",
         "@openzeppelin/contracts": "^5.6.1",
-        "@rev-net/core-v6": "^0.0.18",
+        "@rev-net/core-v6": "^0.0.21",
         "keccak": "^3.0.4"
     },
     "devDependencies": {

package/script/Add.Denver.s.sol CHANGED Viewed

@@ -44,7 +44,7 @@ contract Drop1Script is Script, Sphinx {
         );
         // Get the hook address by using the deployer.
-        hook = JB721TiersHook(address(revnet.basic_deployer.tiered721HookOf(bannyverse.revnetId)));
+        hook = JB721TiersHook(address(revnet.owner.tiered721HookOf(bannyverse.revnetId)));
         deploy();
     }

package/script/Drop1.s.sol CHANGED Viewed

@@ -44,7 +44,7 @@ contract Drop1Script is Script, Sphinx {
         );
         // Get the hook address by using the deployer.
-        hook = JB721TiersHook(address(revnet.basic_deployer.tiered721HookOf(bannyverse.revnetId)));
+        hook = JB721TiersHook(address(revnet.owner.tiered721HookOf(bannyverse.revnetId)));
         deploy();
     }

package/test/audit/BurnedBodyStrandsAssets.t.sol ADDED Viewed

@@ -0,0 +1,158 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
+import {Banny721TokenUriResolver} from "../../src/Banny721TokenUriResolver.sol";
+contract MockBurnableHook is Test {
+    mapping(uint256 => address) public owners;
+    mapping(address => mapping(address => bool)) public isApprovedForAll;
+    address public immutable MOCK_STORE;
+    constructor(address store) {
+        MOCK_STORE = store;
+    }
+    function STORE() external view returns (address) {
+        return MOCK_STORE;
+    }
+    function setOwner(uint256 tokenId, address owner) external {
+        owners[tokenId] = owner;
+    }
+    function ownerOf(uint256 tokenId) external view returns (address) {
+        address owner = owners[tokenId];
+        require(owner != address(0), "ERC721: token does not exist");
+        return owner;
+    }
+    function burn(uint256 tokenId) external {
+        owners[tokenId] = address(0);
+    }
+    function setApprovalForAll(address operator, bool approved) external {
+        isApprovedForAll[msg.sender][operator] = approved;
+    }
+    function safeTransferFrom(address from, address to, uint256 tokenId) external {
+        address owner = owners[tokenId];
+        require(owner != address(0), "ERC721: token does not exist");
+        require(
+            msg.sender == owner || msg.sender == from || isApprovedForAll[from][msg.sender], "MockHook: not authorized"
+        );
+        owners[tokenId] = to;
+        if (to.code.length > 0) {
+            bytes4 retval = IERC721Receiver(to).onERC721Received(msg.sender, from, tokenId, "");
+            require(retval == IERC721Receiver.onERC721Received.selector, "MockHook: receiver rejected");
+        }
+    }
+    function pricingContext() external pure returns (uint256, uint256) {
+        return (1, 18);
+    }
+    function baseURI() external pure returns (string memory) {
+        return "ipfs://";
+    }
+}
+contract MockBurnableStore {
+    mapping(address => mapping(uint256 => JB721Tier)) public tiers;
+    function setTier(address hook, uint256 tokenId, JB721Tier memory tier) external {
+        tiers[hook][tokenId] = tier;
+    }
+    function tierOfTokenId(address hook, uint256 tokenId, bool) external view returns (JB721Tier memory) {
+        return tiers[hook][tokenId];
+    }
+    function encodedIPFSUriOf(address, uint256) external pure returns (bytes32) {
+        return bytes32(0);
+    }
+}
+contract BurnedBodyStrandsAssetsTest is Test {
+    Banny721TokenUriResolver resolver;
+    MockBurnableHook hook;
+    MockBurnableStore store;
+    address deployer = makeAddr("deployer");
+    address alice = makeAddr("alice");
+    uint256 constant BODY1 = 1_000_000_001;
+    uint256 constant BODY2 = 1_000_000_002;
+    uint256 constant BACKGROUND = 2_000_000_001;
+    uint256 constant OUTFIT = 3_000_000_001;
+    function setUp() public {
+        store = new MockBurnableStore();
+        hook = new MockBurnableHook(address(store));
+        vm.prank(deployer);
+        resolver = new Banny721TokenUriResolver(
+            "<path/>", "<necklace/>", "<mouth/>", "<eyes/>", "<alieneyes/>", deployer, address(0)
+        );
+        _setupTier(BODY1, 1, 0);
+        _setupTier(BODY2, 1, 0);
+        _setupTier(BACKGROUND, 2, 1);
+        _setupTier(OUTFIT, 3, 2);
+        hook.setOwner(BODY1, alice);
+        hook.setOwner(BODY2, alice);
+        hook.setOwner(BACKGROUND, alice);
+        hook.setOwner(OUTFIT, alice);
+        vm.prank(alice);
+        hook.setApprovalForAll(address(resolver), true);
+    }
+    function test_burningDressedBodyPermanentlyStrandsAttachedAssets() public {
+        uint256[] memory outfitIds = new uint256[](1);
+        outfitIds[0] = OUTFIT;
+        vm.prank(alice);
+        resolver.decorateBannyWith(address(hook), BODY1, BACKGROUND, outfitIds);
+        assertEq(resolver.userOf(address(hook), BACKGROUND), BODY1);
+        assertEq(resolver.wearerOf(address(hook), OUTFIT), BODY1);
+        hook.burn(BODY1);
+        vm.expectRevert(bytes("ERC721: token does not exist"));
+        vm.prank(alice);
+        resolver.decorateBannyWith(address(hook), BODY2, BACKGROUND, outfitIds);
+        uint256[] memory emptyOutfits = new uint256[](0);
+        vm.expectRevert(bytes("ERC721: token does not exist"));
+        vm.prank(alice);
+        resolver.decorateBannyWith(address(hook), BODY1, 0, emptyOutfits);
+    }
+    function _setupTier(uint256 tokenId, uint32 tierId, uint24 category) internal {
+        JB721Tier memory tier = JB721Tier({
+            id: tierId,
+            price: 0.01 ether,
+            remainingSupply: 100,
+            initialSupply: 100,
+            votingUnits: 0,
+            reserveFrequency: 0,
+            reserveBeneficiary: address(0),
+            encodedIPFSUri: bytes32(0),
+            category: category,
+            discountPercent: 0,
+            allowOwnerMint: false,
+            transfersPausable: false,
+            cannotBeRemoved: false,
+            cannotIncreaseDiscountPercent: false,
+            splitPercent: 0,
+            resolvedUri: ""
+        });
+        store.setTier(address(hook), tokenId, tier);
+    }
+}