npm - @bannynet/core-v6 - Versions diffs - 0.0.18 → 0.0.19 - Mend

@bannynet/core-v6 0.0.18 → 0.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +7 -7
package/src/Banny721TokenUriResolver.sol +102 -52
package/test/audit/AntiStrandingRetention.t.sol +25 -0
package/test/audit/BurnedBodyStrandsAssets.t.sol +1 -0
package/test/audit/MigrationHelperVerificationBypass.t.sol +102 -0
package/assets/findings/banny-retail-v6-pashov-ai-audit-report-20260330-102839.md +0 -34

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@bannynet/core-v6",
-    "version": "0.0.18",
+  "version": "0.0.19",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -21,13 +21,13 @@
     },
     "dependencies": {
         "@bananapus/721-hook-v6": "^0.0.30",
-        "@bananapus/core-v6": "^0.0.28",
-        "@bananapus/permission-ids-v6": "^0.0.14",
-        "@bananapus/router-terminal-v6": "^0.0.21",
-        "@bananapus/suckers-v6": "^0.0.18",
-        "@croptop/core-v6": "^0.0.28",
+        "@bananapus/core-v6": "^0.0.31",
+        "@bananapus/permission-ids-v6": "^0.0.15",
+        "@bananapus/router-terminal-v6": "^0.0.25",
+        "@bananapus/suckers-v6": "^0.0.20",
+        "@croptop/core-v6": "^0.0.29",
         "@openzeppelin/contracts": "^5.6.1",
-        "@rev-net/core-v6": "^0.0.24",
+        "@rev-net/core-v6": "^0.0.26",
         "keccak": "^3.0.4"
     },
     "devDependencies": {

package/src/Banny721TokenUriResolver.sol CHANGED Viewed

@@ -748,6 +748,16 @@ contract Banny721TokenUriResolver is
         name = string.concat(name, "UPC #", uint256(product.id).toString());
     }
+    /// @notice Check if a value is present in an array.
+    /// @param value The value to search for.
+    /// @param array The array to search in.
+    /// @return found True if the value was found.
+    function _isInArray(uint256 value, uint256[] memory array) internal pure returns (bool found) {
+        for (uint256 i; i < array.length; i++) {
+            if (array[i] == value) return true;
+        }
+    }
     /// @notice Returns the standard dimension SVG containing dynamic contents and SVG metadata.
     /// @param contents The contents of the SVG
     /// @return svg The SVG contents.
@@ -923,6 +933,52 @@ contract Banny721TokenUriResolver is
         return _storeOf(hook).tierOfTokenId({hook: hook, tokenId: tokenId, includeResolvedUri: false});
     }
+    /// @notice Revert if an equipped asset is being reassigned away from a locked source body.
+    /// @param hook The hook storing the assets.
+    /// @param bannyBodyId The body currently using the asset.
+    /// @param exemptBodyId The destination body currently being decorated.
+    function _revertIfBodyLocked(address hook, uint256 bannyBodyId, uint256 exemptBodyId) internal view {
+        if (bannyBodyId != 0 && bannyBodyId != exemptBodyId && outfitLockedUntil[hook][bannyBodyId] > block.timestamp) {
+            revert Banny721TokenUriResolver_OutfitChangesLocked();
+        }
+    }
+    /// @notice Sort outfit IDs in ascending category order.
+    /// @dev Retained outfits are merged back in after failed transfers, so the merged list can become unsorted even
+    /// when the caller provided the new outfits in canonical order. Rendering logic depends on category progression.
+    /// @param hook The 721 hook whose tier categories determine sort order.
+    /// @param outfitIds The outfit token IDs to sort in-place by ascending category.
+    function _sortOutfitsByCategory(address hook, uint256[] memory outfitIds) internal view {
+        // Treat each element after index 0 as the next value to insert into the already-sorted prefix.
+        for (uint256 i = 1; i < outfitIds.length; i++) {
+            // Cache the current outfit ID so we can shift larger-category entries to the right around it.
+            uint256 outfitId = outfitIds[i];
+            // Look up the current outfit's category once and compare against earlier entries while inserting it.
+            uint256 category = _productOfTokenId({hook: hook, tokenId: outfitId}).category;
+            // Walk backward through the sorted prefix until the insertion point is found.
+            uint256 j = i;
+            while (j != 0) {
+                // Load the previous outfit that may need to move one slot to the right.
+                uint256 previousId = outfitIds[j - 1];
+                // Compare by category because canonical outfit ordering is category order, not token ID order.
+                uint256 previousCategory = _productOfTokenId({hook: hook, tokenId: previousId}).category;
+                // Stop once the previous category is already ordered before or equal to the current one.
+                if (previousCategory <= category) break;
+                // Shift the larger-category outfit right to make room for the current outfit.
+                outfitIds[j] = previousId;
+                unchecked {
+                    // Safe because the loop guard ensures `j` is non-zero before decrementing.
+                    --j;
+                }
+            }
+            // Write the cached outfit into the insertion point that preserves ascending category order.
+            outfitIds[j] = outfitId;
+        }
+    }
     /// @notice The store of the hook.
     /// @param hook The hook to get the store of.
     /// @return store The store of the hook.
@@ -948,6 +1004,48 @@ contract Banny721TokenUriResolver is
         );
     }
+    /// @notice Validate that an array of outfit IDs does not violate category exclusivity rules.
+    /// @dev HEAD is exclusive with EYES, GLASSES, MOUTH, and HEADTOP. SUIT is exclusive with SUIT_TOP and
+    /// SUIT_BOTTOM. The array does not need to be sorted.
+    /// @param hook The hook storing the assets.
+    /// @param outfitIds The outfit IDs to validate.
+    function _validateCategoryExclusivity(address hook, uint256[] memory outfitIds) internal view {
+        // Track whether a full-coverage item has been seen for each exclusive group.
+        bool hasHead;
+        bool hasSuit;
+        // Track whether a partial/accessory item has been seen for each exclusive group.
+        bool hasHeadAccessory;
+        bool hasSuitPiece;
+        // Scan every outfit and classify it into one of the two exclusive groups.
+        for (uint256 i; i < outfitIds.length; i++) {
+            // Look up the tier category for this outfit token.
+            uint256 category = _productOfTokenId({hook: hook, tokenId: outfitIds[i]}).category;
+            if (category == _HEAD_CATEGORY) {
+                // A full HEAD covers the entire head area (eyes, glasses, mouth, headtop).
+                hasHead = true;
+            } else if (
+                category == _EYES_CATEGORY || category == _GLASSES_CATEGORY || category == _MOUTH_CATEGORY
+                    || category == _HEADTOP_CATEGORY
+            ) {
+                // Individual face/head accessories that would be hidden by a full HEAD.
+                hasHeadAccessory = true;
+            } else if (category == _SUIT_CATEGORY) {
+                // A full SUIT covers both the top and bottom body areas.
+                hasSuit = true;
+            } else if (category == _SUIT_TOP_CATEGORY || category == _SUIT_BOTTOM_CATEGORY) {
+                // Individual top or bottom pieces that would conflict with a full SUIT.
+                hasSuitPiece = true;
+            }
+        }
+        // A full HEAD and individual head accessories cannot coexist — the head would hide the accessories.
+        if (hasHead && hasHeadAccessory) revert Banny721TokenUriResolver_HeadAlreadyAdded();
+        // A full SUIT and individual suit pieces cannot coexist — the suit would hide the pieces.
+        if (hasSuit && hasSuitPiece) revert Banny721TokenUriResolver_SuitAlreadyAdded();
+    }
     //*********************************************************************//
     // ---------------------- external transactions ---------------------- //
     //*********************************************************************//
@@ -1156,16 +1254,6 @@ contract Banny721TokenUriResolver is
     // ---------------------- internal transactions ---------------------- //
     //*********************************************************************//
-    /// @notice Revert if an equipped asset is being reassigned away from a locked source body.
-    /// @param hook The hook storing the assets.
-    /// @param bannyBodyId The body currently using the asset.
-    /// @param exemptBodyId The destination body currently being decorated.
-    function _revertIfBodyLocked(address hook, uint256 bannyBodyId, uint256 exemptBodyId) internal view {
-        if (bannyBodyId != 0 && bannyBodyId != exemptBodyId && outfitLockedUntil[hook][bannyBodyId] > block.timestamp) {
-            revert Banny721TokenUriResolver_OutfitChangesLocked();
-        }
-    }
     /// @notice Add a background to a banny body.
     /// @param hook The hook storing the assets.
     /// @param bannyBodyId The ID of the banny body being dressed.
@@ -1464,53 +1552,15 @@ contract Banny721TokenUriResolver is
             // Revalidate category exclusivity on the merged set. Retained outfits may conflict with the new outfits
             // (e.g., a retained HEAD outfit combined with new EYES/GLASSES/MOUTH/HEADTOP outfits).
             _validateCategoryExclusivity({hook: hook, outfitIds: mergedOutfitIds});
+            // Restore canonical category ordering before persisting, since retained outfits are appended after the
+            // caller-supplied set.
+            _sortOutfitsByCategory({hook: hook, outfitIds: mergedOutfitIds});
+            // Persist the merged-and-sorted attachment list so later reads and redecorations see a stable order.
             _attachedOutfitIdsOf[hook][bannyBodyId] = mergedOutfitIds;
         }
     }
-    /// @notice Validate that an array of outfit IDs does not violate category exclusivity rules.
-    /// @dev HEAD is exclusive with EYES, GLASSES, MOUTH, and HEADTOP. SUIT is exclusive with SUIT_TOP and
-    /// SUIT_BOTTOM. The array does not need to be sorted.
-    /// @param hook The hook storing the assets.
-    /// @param outfitIds The outfit IDs to validate.
-    function _validateCategoryExclusivity(address hook, uint256[] memory outfitIds) internal view {
-        bool hasHead;
-        bool hasSuit;
-        bool hasHeadAccessory;
-        bool hasSuitPiece;
-        for (uint256 i; i < outfitIds.length; i++) {
-            uint256 category = _productOfTokenId({hook: hook, tokenId: outfitIds[i]}).category;
-            if (category == _HEAD_CATEGORY) {
-                hasHead = true;
-            } else if (
-                category == _EYES_CATEGORY || category == _GLASSES_CATEGORY || category == _MOUTH_CATEGORY
-                    || category == _HEADTOP_CATEGORY
-            ) {
-                hasHeadAccessory = true;
-            } else if (category == _SUIT_CATEGORY) {
-                hasSuit = true;
-            } else if (category == _SUIT_TOP_CATEGORY || category == _SUIT_BOTTOM_CATEGORY) {
-                hasSuitPiece = true;
-            }
-        }
-        if (hasHead && hasHeadAccessory) revert Banny721TokenUriResolver_HeadAlreadyAdded();
-        if (hasSuit && hasSuitPiece) revert Banny721TokenUriResolver_SuitAlreadyAdded();
-    }
-    /// @notice Check if a value is present in an array.
-    /// @param value The value to search for.
-    /// @param array The array to search in.
-    /// @return found True if the value was found.
-    function _isInArray(uint256 value, uint256[] memory array) internal pure returns (bool found) {
-        for (uint256 i; i < array.length; i++) {
-            if (array[i] == value) return true;
-        }
-    }
     /// @notice Transfer a token from one address to another.
     /// @param hook The 721 contract of the token being transferred.
     /// @param from The address to transfer the token from.

package/test/audit/AntiStrandingRetention.t.sol CHANGED Viewed

@@ -265,6 +265,31 @@ contract AntiStrandingRetentionTest is Test {
         assertEq(resolver.wearerOf(address(hook), HEAD_TOKEN), BODY_TOKEN, "head still worn");
     }
+    // -----------------------------------------------------------------------
+    // Test 4b: Retained outfits are re-sorted before being stored
+    // -----------------------------------------------------------------------
+    function test_retainedOutfitsAreResortedBeforeStorage() public {
+        // Give the rejecting contract ownership so returns to the owner will fail and force retention.
+        _setOwnerForAll(address(nonReceiver));
+        nonReceiver.approveResolver(hook, address(resolver));
+        // Equip a lower-category outfit first so it becomes the retained item in the next decoration.
+        uint256[] memory necklaceOnly = new uint256[](1);
+        necklaceOnly[0] = NECKLACE_TOKEN;
+        nonReceiver.decorate(resolver, address(hook), BODY_TOKEN, 0, necklaceOnly);
+        // Add a higher-category outfit while the necklace return fails, forcing the stored list to be merged.
+        uint256[] memory headOnly = new uint256[](1);
+        headOnly[0] = HEAD_TOKEN;
+        nonReceiver.decorate(resolver, address(hook), BODY_TOKEN, 0, headOnly);
+        // The merged list should be stored in ascending category order, not append order.
+        (, uint256[] memory currentOutfits) = resolver.assetIdsOf(address(hook), BODY_TOKEN);
+        assertEq(currentOutfits.length, 2, "both outfits should remain attached");
+        assertEq(currentOutfits[0], NECKLACE_TOKEN, "lower-category retained outfit should stay first");
+        assertEq(currentOutfits[1], HEAD_TOKEN, "higher-category new outfit should stay second");
+    }
     // -----------------------------------------------------------------------
     // Test 5: Recovery path --make contract receivable, retry decoration
     // -----------------------------------------------------------------------

package/test/audit/BurnedBodyStrandsAssets.t.sol CHANGED Viewed

@@ -72,6 +72,7 @@ contract MockBurnableStore {
         return tiers[hook][tokenId];
     }
+    // forge-lint: disable-next-line(mixed-case-function)
     function encodedIPFSUriOf(address, uint256) external pure returns (bytes32) {
         return bytes32(0);
     }

package/test/audit/MigrationHelperVerificationBypass.t.sol ADDED Viewed

@@ -0,0 +1,102 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
+import {MigrationHelper} from "../../script/helpers/MigrationHelper.sol";
+contract MigrationHelperVerificationBypassTest is Test {
+    address internal constant ALICE = address(0xA11CE);
+    address internal constant FALLBACK_RESOLVER = address(0xFA11BAC);
+    MockStore internal v4Store;
+    MockStore internal v5Store;
+    MockHook internal v4Hook;
+    MockHook internal v5Hook;
+    MigrationHelperHarness internal harness;
+    function setUp() public {
+        v4Store = new MockStore();
+        v5Store = new MockStore();
+        v4Hook = new MockHook(address(v4Store));
+        v5Hook = new MockHook(address(v5Store));
+        harness = new MigrationHelperHarness();
+    }
+    function test_verifyTierBalances_skipsAllOwnersForTierWhenFallbackResolverOwnsAnyOfTier() public {
+        address[] memory owners = new address[](1);
+        owners[0] = ALICE;
+        uint256[] memory tierIds = new uint256[](1);
+        tierIds[0] = 7;
+        // Alice is over-allocated in V5 versus V4 for tier 7.
+        v4Store.setTierBalance(address(v4Hook), ALICE, 7, 1);
+        v5Store.setTierBalance(address(v5Hook), ALICE, 7, 2);
+        // One unrelated V4 token of the same tier sits in the fallback resolver.
+        v4Store.setTierBalance(address(v4Hook), FALLBACK_RESOLVER, 7, 1);
+        // Intended behavior would reject Alice's inflation, but the helper skips the tier entirely.
+        harness.verifyTierBalances(address(v5Hook), address(v4Hook), FALLBACK_RESOLVER, owners, tierIds);
+    }
+    function test_verifyTierBalances_revertsWhenFallbackResolverDoesNotOwnTier() public {
+        address[] memory owners = new address[](1);
+        owners[0] = ALICE;
+        uint256[] memory tierIds = new uint256[](1);
+        tierIds[0] = 7;
+        v4Store.setTierBalance(address(v4Hook), ALICE, 7, 1);
+        v5Store.setTierBalance(address(v5Hook), ALICE, 7, 2);
+        vm.expectRevert(
+            bytes(
+                "V5 tier balance exceeds V4: owner=0x00000000000000000000000000000000000a11ce tier=7 v4Balance=1 v5Balance=2"
+            )
+        );
+        harness.verifyTierBalances(address(v5Hook), address(v4Hook), FALLBACK_RESOLVER, owners, tierIds);
+    }
+}
+contract MigrationHelperHarness {
+    function verifyTierBalances(
+        address hookAddress,
+        address v4HookAddress,
+        address v4FallbackResolverAddress,
+        address[] memory owners,
+        uint256[] memory tierIds
+    )
+        external
+        view
+    {
+        MigrationHelper.verifyTierBalances(hookAddress, v4HookAddress, v4FallbackResolverAddress, owners, tierIds);
+    }
+}
+contract MockHook {
+    address internal immutable _store;
+    constructor(address store) {
+        _store = store;
+    }
+    function STORE() external view returns (IJB721TiersHookStore) {
+        return IJB721TiersHookStore(_store);
+    }
+}
+contract MockStore {
+    mapping(address hook => mapping(address owner => mapping(uint256 tierId => uint256))) internal _tierBalanceOf;
+    function setTierBalance(address hook, address owner, uint256 tierId, uint256 balance) external {
+        _tierBalanceOf[hook][owner][tierId] = balance;
+    }
+    function tierBalanceOf(address hook, address owner, uint256 tierId) external view returns (uint256) {
+        return _tierBalanceOf[hook][owner][tierId];
+    }
+}

package/assets/findings/banny-retail-v6-pashov-ai-audit-report-20260330-102839.md DELETED Viewed

@@ -1,34 +0,0 @@
-# 🔐 Security Review — banny-retail-v6
----
-## Scope
-|                                  |                                                                                                                           |
-| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
-| **Mode**                         | ALL / default                                                                                                             |
-| **Files reviewed**               | `Add.Denver.s.sol` · `Deploy.s.sol` · `Drop1.s.sol`<br>`BannyverseDeploymentLib.sol` · `MigrationHelper.sol` · `Banny721TokenUriResolver.sol` |
-| **Confidence threshold (1-100)** | 75                                                                                                                        |
----
-## Findings
-_No confirmed findings._
----
-Findings List
-| # | Confidence | Title |
-|---|---|---|
----
-## Leads
-_None._
----
-> ⚠️ This review was performed by an AI assistant. AI analysis can never verify the complete absence of vulnerabilities and no guarantee of security is given. Team security reviews, bug bounty programs, and on-chain monitoring are strongly recommended. For a consultation regarding your projects' security, visit [https://www.pashov.com](https://www.pashov.com)