@croptop/core-v6 0.0.16 → 0.0.18

package/CHANGE_LOG.md

@@ -0,0 +1,253 @@
+# croptop-core-v6 Changelog (v5 → v6)
+
+This document describes all changes between `croptop-core` (v5) and `croptop-core-v6` (v6).
+
+---
+
+## 1. Breaking Changes
+
+### Solidity Version
+- Compiler version bumped from `0.8.23` to `0.8.26` across all implementation contracts (`CTDeployer`, `CTProjectOwner`, `CTPublisher`).
+
+### Dependency Namespace Migration
+All imports updated from v5 to v6 namespaces:
+- `@bananapus/core-v5` → `@bananapus/core-v6`
+- `@bananapus/721-hook-v5` → `@bananapus/721-hook-v6`
+- `@bananapus/ownable-v5` → `@bananapus/ownable-v6`
+- `@bananapus/permission-ids-v5` → `@bananapus/permission-ids-v6`
+- `@bananapus/suckers-v5` → `@bananapus/suckers-v6`
+
+### `ICTPublisher.allowanceFor` Return Signature Changed
+- **v5:** Returns 4 values — `(uint256 minimumPrice, uint256 minimumTotalSupply, uint256 maximumTotalSupply, address[] memory allowedAddresses)`
+- **v6:** Returns 5 values — `(uint256 minimumPrice, uint256 minimumTotalSupply, uint256 maximumTotalSupply, uint256 maximumSplitPercent, address[] memory allowedAddresses)`
+- The new `maximumSplitPercent` return value is inserted before `allowedAddresses`. Any consumer destructuring this return value will break.
+
+### `ICTPublisher.mintFrom` Parameter Data Location Changed
+- **v5:** `CTPost[] memory posts`
+- **v6:** `CTPost[] calldata posts`
+
+### `CTPost` Struct Has New Fields
+- **v5:** `{ bytes32 encodedIPFSUri, uint32 totalSupply, uint104 price, uint24 category }`
+- **v6:** `{ bytes32 encodedIPFSUri, uint32 totalSupply, uint104 price, uint24 category, uint32 splitPercent, JBSplit[] splits }`
+- Adds `splitPercent` (uint32) and `splits` (JBSplit[] from `@bananapus/core-v6`). This changes the ABI encoding of `CTPost` and all functions that accept it.
+
+### `CTAllowedPost` Struct Has New Field
+- **v5:** `{ address hook, uint24 category, uint104 minimumPrice, uint32 minimumTotalSupply, uint32 maximumTotalSupply, address[] allowedAddresses }`
+- **v6:** `{ address hook, uint24 category, uint104 minimumPrice, uint32 minimumTotalSupply, uint32 maximumTotalSupply, uint32 maximumSplitPercent, address[] allowedAddresses }`
+- Adds `maximumSplitPercent` (uint32) before `allowedAddresses`. This changes the ABI encoding of `CTAllowedPost` and all functions that accept it.
+
+### `CTDeployerAllowedPost` Struct Has New Field
+- **v5:** `{ uint24 category, uint104 minimumPrice, uint32 minimumTotalSupply, uint32 maximumTotalSupply, address[] allowedAddresses }`
+- **v6:** `{ uint24 category, uint104 minimumPrice, uint32 minimumTotalSupply, uint32 maximumTotalSupply, uint32 maximumSplitPercent, address[] allowedAddresses }`
+- Adds `maximumSplitPercent` (uint32) before `allowedAddresses`, mirroring `CTAllowedPost`.
+
+### `CTProjectOwner.onERC721Received` — `projectId` Cast Width Changed
+- **v5:** `projectId: uint56(tokenId)`
+- **v6:** `projectId: uint64(tokenId)`
+- This aligns with the v6 `JBPermissionsData` struct which uses `uint64` for `projectId` (was `uint56` in v5).
+
+### `CTDeployer.deployProjectFor` — Data Hook and Cash Out Behavior Changed
+- **v5:** Sets `metadata.dataHook = address(hook)` (the 721 hook itself is the data hook). Does NOT set `cashOutTaxRate` or `useDataHookForCashOut`.
+- **v6:** Sets `metadata.dataHook = address(this)` (the CTDeployer itself is the data hook). Sets `metadata.cashOutTaxRate = JBConstants.MAX_CASH_OUT_TAX_RATE` and `metadata.useDataHookForCashOut = true`.
+- The CTDeployer now acts as a data hook proxy, forwarding pay/cashout calls to the stored `dataHookOf[projectId]`, while intercepting sucker cash outs to grant 0% tax rate. This is a fundamental architectural change.
+
+### `JB721InitTiersConfig` — `prices` Field Removed
+- **v5:** `JB721InitTiersConfig({ tiers, currency, decimals, prices: controller.PRICES() })`
+- **v6:** `JB721InitTiersConfig({ tiers, currency, decimals })` — the `prices` field no longer exists in the v6 721 hook config struct.
+
+### `JB721TiersHookFlags` — New `issueTokensForSplits` Flag
+- **v5:** `JB721TiersHookFlags({ noNewTiersWithReserves, noNewTiersWithVotes, noNewTiersWithOwnerMinting, preventOverspending })`
+- **v6:** Adds `issueTokensForSplits: false` as a fifth flag.
+
+### `ICTDeployer.deployProjectFor` — Parameter Renamed
+- **v5:** `projectConfigurations` parameter name
+- **v6:** `projectConfig` parameter name
+
+---
+
+## 2. New Features
+
+### Split Percent Support for Posts
+Posts can now include a `splitPercent` and an array of `splits` (JBSplit[]) that route a percentage of the tier's price to specified recipients when the NFT is minted. This is enforced against a per-category `maximumSplitPercent` configured by the project owner.
+
+- `CTPost.splitPercent` — percent of tier price to route to splits (out of `JBConstants.SPLITS_TOTAL_PERCENT`).
+- `CTPost.splits` — the split recipients for the tier.
+- `CTAllowedPost.maximumSplitPercent` — the maximum split percent a poster can set (0 = splits not allowed).
+- `CTDeployerAllowedPost.maximumSplitPercent` — same as above, for deployer-configured posts.
+- `JB721TierConfig` in v6 now accepts `splitPercent` and `splits` fields, which are populated from the post.
+
+### Duplicate Post Detection
+- v6 adds an explicit duplicate check within `_setupPosts`: if two posts in the same batch share the same `encodedIPFSUri`, the transaction reverts with `CTPublisher_DuplicatePost`. This prevents fee evasion by submitting duplicate URIs in a single `mintFrom` call.
+
+### Stale Tier Cleanup
+- v6 adds logic to detect when a tier referenced by `tierIdForEncodedIPFSUriOf` has been removed externally (via `adjustTiers`). If `hook.STORE().isTierRemoved()` returns true, the stale mapping is deleted and a new tier is created for that URI.
+
+### Fee Evasion Prevention for Existing Tiers
+- **v5:** When minting from an existing tier, `totalPrice` was accumulated using `post.price` (user-supplied).
+- **v6:** When minting from an existing tier, `totalPrice` is accumulated using the actual tier price fetched from `store.tierOf()`. This prevents a caller from passing `price=0` for an existing tier to evade fees.
+
+### CTDeployer as Data Hook Proxy
+- The CTDeployer now implements the data hook pattern directly, acting as a proxy that forwards `beforePayRecordedWith` and `beforeCashOutRecordedWith` to the stored `dataHookOf[projectId]`. For cash outs from suckers (verified via `SUCKER_REGISTRY.isSuckerOf`), it returns 0% tax rate, enabling sucker-based cross-chain operations without cash out taxes.
+
+---
+
+## 3. Event Changes
+
+No event signatures were changed. Both versions emit the same two events:
+- `ConfigurePostingCriteria(address indexed hook, CTAllowedPost allowedPost, address caller)` — note that the `CTAllowedPost` struct gained a `maximumSplitPercent` field, which changes the ABI encoding of this event's data.
+- `Mint(uint256 indexed projectId, IJB721TiersHook indexed hook, address indexed nftBeneficiary, address feeBeneficiary, CTPost[] posts, uint256 postValue, uint256 txValue, address caller)` — note that the `CTPost` struct gained `splitPercent` and `splits` fields, which changes the ABI encoding of this event's data.
+
+---
+
+## 4. Error Changes
+
+### New Errors
+
+| Error | Contract | Description |
+|-------|----------|-------------|
+| `CTPublisher_DuplicatePost(bytes32 encodedIPFSUri)` | `CTPublisher` | Reverts when two posts in the same `mintFrom` batch share the same encoded IPFS URI. |
+| `CTPublisher_SplitPercentExceedsMaximum(uint256 splitPercent, uint256 maximumSplitPercent)` | `CTPublisher` | Reverts when a post's split percent exceeds the category's configured maximum. |
+
+### Unchanged Errors
+- `CTDeployer_NotOwnerOfProject(uint256 projectId, address hook, address caller)` — unchanged.
+- `CTPublisher_EmptyEncodedIPFSUri()` — unchanged.
+- `CTPublisher_InsufficientEthSent(uint256 expected, uint256 sent)` — signature unchanged; v6 adds an explicit fee validation check before the subtraction (`if (payValue < fee) revert`) so this error now fires with a descriptive message instead of a panic on underflow.
+- `CTPublisher_MaxTotalSupplyLessThanMin(uint256 min, uint256 max)` — unchanged.
+- `CTPublisher_NotInAllowList(address addr, address[] allowedAddresses)` — unchanged.
+- `CTPublisher_PriceTooSmall(uint256 price, uint256 minimumPrice)` — unchanged.
+- `CTPublisher_TotalSupplyTooBig(uint256 totalSupply, uint256 maximumTotalSupply)` — unchanged.
+- `CTPublisher_TotalSupplyTooSmall(uint256 totalSupply, uint256 minimumTotalSupply)` — unchanged.
+- `CTPublisher_UnauthorizedToPostInCategory()` — unchanged.
+- `CTPublisher_ZeroTotalSupply()` — unchanged.
+
+---
+
+## 5. Struct Changes
+
+### `CTPost`
+| Field | v5 | v6 |
+|-------|----|----|
+| `encodedIPFSUri` | `bytes32` | `bytes32` |
+| `totalSupply` | `uint32` | `uint32` |
+| `price` | `uint104` | `uint104` |
+| `category` | `uint24` | `uint24` |
+| `splitPercent` | -- | `uint32` (new) |
+| `splits` | -- | `JBSplit[]` (new) |
+
+New import: `JBSplit` from `@bananapus/core-v6/src/structs/JBSplit.sol`.
+
+### `CTAllowedPost`
+| Field | v5 | v6 |
+|-------|----|----|
+| `hook` | `address` | `address` |
+| `category` | `uint24` | `uint24` |
+| `minimumPrice` | `uint104` | `uint104` |
+| `minimumTotalSupply` | `uint32` | `uint32` |
+| `maximumTotalSupply` | `uint32` | `uint32` |
+| `maximumSplitPercent` | -- | `uint32` (new) |
+| `allowedAddresses` | `address[]` | `address[]` |
+
+### `CTDeployerAllowedPost`
+| Field | v5 | v6 |
+|-------|----|----|
+| `category` | `uint24` | `uint24` |
+| `minimumPrice` | `uint104` | `uint104` |
+| `minimumTotalSupply` | `uint32` | `uint32` |
+| `maximumTotalSupply` | `uint32` | `uint32` |
+| `maximumSplitPercent` | -- | `uint32` (new) |
+| `allowedAddresses` | `address[]` | `address[]` |
+
+### `CTProjectConfig`
+No field changes. Import path updated from `@bananapus/core-v5` to `@bananapus/core-v6` for `JBTerminalConfig`.
+
+### `CTSuckerDeploymentConfig`
+No field changes. Import path updated from `@bananapus/suckers-v5` to `@bananapus/suckers-v6` for `JBSuckerDeployerConfig`.
+
+---
+
+## 6. Implementation Changes (Non-Interface)
+
+### `CTPublisher._setupPosts`
+
+#### Store Reference Caching
+- **v5:** Calls `hook.STORE().maxTierIdOf(...)` inline, accessing the store through the hook each time.
+- **v6:** Caches `IJB721TiersHookStore store = hook.STORE()` once and reuses it. Also imports `IJB721TiersHookStore` explicitly.
+
+#### Duplicate Post Detection
+- **v6 only:** Adds an O(n^2) check at the start of each post iteration that scans all previous posts for matching `encodedIPFSUri`. Reverts with `CTPublisher_DuplicatePost` on match.
+
+#### Stale Tier Recovery
+- **v5:** If `tierIdForEncodedIPFSUriOf` returns a nonzero tier ID, it is used unconditionally.
+- **v6:** Checks `hook.STORE().isTierRemoved(address(hook), tierId)`. If removed, deletes the stale mapping and falls through to create a new tier.
+
+#### Fee-Accurate Price for Existing Tiers
+- **v5:** `totalPrice += post.price` for all posts (new and existing).
+- **v6:** For existing tiers, `totalPrice += store.tierOf(...).price` (uses actual on-chain price). For new tiers, `totalPrice += post.price`.
+
+#### Split Validation
+- **v6 only:** Checks `post.splitPercent > maximumSplitPercent` and reverts with `CTPublisher_SplitPercentExceedsMaximum` if exceeded.
+
+#### `JB721TierConfig` Construction
+- **v5:** 14 fields in `JB721TierConfig`.
+- **v6:** 16 fields — adds `splitPercent: post.splitPercent` and `splits: post.splits`.
+
+### `CTPublisher.allowanceFor` — Packed Storage Layout Extended
+- **v5:** Packs 3 fields into `_packedAllowanceFor`: bits 0-103 (minimumPrice), 104-135 (minimumTotalSupply), 136-167 (maximumTotalSupply). Total: 168 bits.
+- **v6:** Packs 4 fields: bits 0-103, 104-135, 136-167 as before, plus bits 168-199 (maximumSplitPercent, 32 bits). Total: 200 bits.
+
+### `CTPublisher.configurePostingCriteriaFor` — Packs `maximumSplitPercent`
+- **v6 only:** Adds `packed |= uint256(allowedPost.maximumSplitPercent) << 168;` when storing allowance data.
+
+### `CTDeployer._configurePostingCriteriaFor` — Passes `maximumSplitPercent`
+- **v5:** `CTAllowedPost` construction has 6 fields.
+- **v6:** `CTAllowedPost` construction has 7 fields — adds `maximumSplitPercent: post.maximumSplitPercent`.
+
+### `CTDeployer.deployProjectFor` — Ruleset Configuration Changes
+- **v5:** Sets `metadata.dataHook = address(hook)` and `metadata.useDataHookForPay = true`.
+- **v6:** Sets `metadata.cashOutTaxRate = JBConstants.MAX_CASH_OUT_TAX_RATE`, `metadata.dataHook = address(this)`, `metadata.useDataHookForPay = true`, and `metadata.useDataHookForCashOut = true`. Imports `JBConstants` for this.
+
+### `CTDeployer.deployProjectFor` — Named Arguments in Function Calls
+- **v6:** Uses named arguments consistently (e.g., `PROJECTS.transferFrom({from: ..., to: ..., tokenId: ...})` instead of positional arguments).
+
+### `CTDeployer` — Function Ordering
+- **v5:** `beforePayRecordedWith` appears before `beforeCashOutRecordedWith` in source.
+- **v6:** `beforeCashOutRecordedWith` appears before `beforePayRecordedWith`. Similarly, `claimCollectionOwnershipOf` appears before `deployProjectFor` in v6 (reversed from v5).
+
+### `CTDeployer.beforeCashOutRecordedWith` — Named Arguments
+- **v5:** `SUCKER_REGISTRY.isSuckerOf(context.projectId, context.holder)`
+- **v6:** `SUCKER_REGISTRY.isSuckerOf({projectId: context.projectId, addr: context.holder})`
+
+### `CTDeployer.hasMintPermissionFor` — Named Arguments
+- **v5:** `SUCKER_REGISTRY.isSuckerOf(projectId, addr)`
+- **v6:** `SUCKER_REGISTRY.isSuckerOf({projectId: projectId, addr: addr})`
+
+### `CTPublisher.tiersFor` — Named Arguments
+- **v5:** `IJB721TiersHook(hook).STORE().tierOf(hook, tierId, false)`
+- **v6:** `IJB721TiersHook(hook).STORE().tierOf({hook: hook, id: tierId, includeResolvedUri: false})`
+
+### `CTPublisher.mintFrom` — Named Arguments
+- **v6:** Uses named arguments for `DIRECTORY.primaryTerminalOf(...)`, `hook.adjustTiers(...)`, `JBMetadataResolver.getId(...)`, and `_isAllowed(...)`.
+
+### NatDoc / Comments
+- **v6:** Adds extensive NatDoc comments to all interface functions, events, and struct fields. Adds `forge-lint` disable comments for mixed-case variables. Adds explanatory comments for design decisions (e.g., fee rounding behavior, force-sent ETH handling, category irrevocability, linear scan scaling).
+
+---
+
+## 7. Migration Table
+
+| v5 Identifier | v6 Identifier | Change |
+|---------------|---------------|--------|
+| `CTPost.{4 fields}` | `CTPost.{6 fields}` | Added `splitPercent`, `splits` |
+| `CTAllowedPost.{6 fields}` | `CTAllowedPost.{7 fields}` | Added `maximumSplitPercent` |
+| `CTDeployerAllowedPost.{5 fields}` | `CTDeployerAllowedPost.{6 fields}` | Added `maximumSplitPercent` |
+| `ICTPublisher.allowanceFor` (4 returns) | `ICTPublisher.allowanceFor` (5 returns) | Added `maximumSplitPercent` return |
+| `ICTPublisher.mintFrom(... CTPost[] memory ...)` | `ICTPublisher.mintFrom(... CTPost[] calldata ...)` | `memory` → `calldata` |
+| `CTProjectOwner`: `uint56(tokenId)` | `CTProjectOwner`: `uint64(tokenId)` | Cast width for projectId |
+| `CTDeployer`: `dataHook = address(hook)` | `CTDeployer`: `dataHook = address(this)` | CTDeployer is now the data hook |
+| `CTDeployer`: no cashout config | `CTDeployer`: `cashOutTaxRate = MAX`, `useDataHookForCashOut = true` | Enables sucker 0% tax cashout |
+| `JB721InitTiersConfig`: has `prices` | `JB721InitTiersConfig`: no `prices` | Field removed in v6 721 hook |
+| `JB721TiersHookFlags`: 4 flags | `JB721TiersHookFlags`: 5 flags | Added `issueTokensForSplits` |
+| -- | `CTPublisher_DuplicatePost` | New error |
+| -- | `CTPublisher_SplitPercentExceedsMaximum` | New error |
+| Solidity `0.8.23` | Solidity `0.8.26` | Compiler bump |
+| `@bananapus/*-v5` | `@bananapus/*-v6` | All dependency namespaces |

package/RISKS.md

@@ -1,238 +1,49 @@
-# croptop-core-v6 -- Risks
+# RISKS.md -- croptop-core-v6
 
-Deep implementation-level risk analysis. References are to source files under `src/` and test files under `test/`.
+## 1. Trust Assumptions
 
-## Trust Assumptions
+- **Trusted forwarder.** ERC-2771 `_msgSender()` is trusted in both CTPublisher and CTDeployer for permission checks, allowlist validation, and payment routing. A compromised forwarder can post as any allowed address, deploy projects as any owner, and redirect payments.
+- **CTDeployer as permanent data hook proxy.** `CTDeployer` sets itself as the data hook for projects it deploys. `dataHookOf[projectId]` is set once during `deployProjectFor` and has no setter to update it. If the underlying data hook needs to change, there is no mechanism to do so without redeploying.
+- **Sucker registry.** `CTDeployer.beforeCashOutRecordedWith` trusts `SUCKER_REGISTRY.isSuckerOf()` for 0% tax cashouts, same risk as the omnichain deployer.
+- **CTProjectOwner as burn target.** Projects transferred to `CTProjectOwner` grant `ADJUST_721_TIERS` to `PUBLISHER`. The project NFT cannot be recovered -- this is intentional but irreversible.
+- **JBDirectory / Terminal resolution.** `CTPublisher.mintFrom` resolves terminals via `DIRECTORY.primaryTerminalOf()`. A compromised directory could redirect payment and fee flows.
 
-### 1. CTDeployer as Data Hook (CRITICAL trust surface)
+## 2. Economic / Manipulation Risks
 
-CTDeployer acts as `IJBRulesetDataHook` for every project it deploys (`CTDeployer.sol` line 290: `rulesetConfigurations[0].metadata.dataHook = address(this)`). This means:
+- **Fee evasion via duplicate posts across hooks.** `tierIdForEncodedIPFSUriOf` is keyed per hook. The same `encodedIPFSUri` can be posted to different hooks without duplicate detection, potentially creating fee-arbitrage opportunities.
+- **Fee calculation rounding.** Fee is `totalPrice / FEE_DIVISOR` (FEE_DIVISOR=20, so 5% fee). Integer division truncates, losing up to 19 wei per post. Negligible individually but could compound across many micro-priced posts. Explicit validation: reverts `CTPublisher_InsufficientEthSent` if `msg.value < fee` (before subtraction) or if `msg.value - fee < totalPrice` (after subtraction).
+- **Balance-based fee routing.** `CTPublisher.mintFrom` sends fees based on `address(this).balance` after the main payment. Force-sent ETH (via selfdestruct) is routed to the fee project.
+- **Split percent manipulation.** Posters can set `splitPercent` up to `maximumSplitPercent`. Splits route funds away from the project treasury to poster-specified addresses. If `maximumSplitPercent` is set high, posters can redirect most of the tier revenue.
 
-- All pay and cashout calls for every CTDeployer-launched project are routed through CTDeployer's `beforePayRecordedWith()` (line 162) and `beforeCashOutRecordedWith()` (line 134).
-- CTDeployer forwards these to `dataHookOf[projectId]` (line 152, 170), which is the JB721TiersHook.
-- If CTDeployer has a bug, all Croptop projects are affected simultaneously.
-- `dataHookOf` is write-once (no setter function), so a bug cannot be patched per-project.
+## 3. Access Control
 
-### 2. Sucker Registry (MEDIUM trust surface)
+- **Allowlist is O(n) linear scan.** `_isAllowed` iterates the entire allowlist array. Acceptable for small lists but gas-expensive for large allowlists. No Merkle proof alternative.
+- **Categories cannot be disabled.** Once `configurePostingCriteriaFor` is called for a category, it can only be restricted by setting very high `minimumPrice` or `minimumTotalSupply`, but never fully removed.
+- **CTDeployer grants broad permissions.** Constructor grants `MAP_SUCKER_TOKEN` (wildcard, projectId=0) to sucker registry and `ADJUST_721_TIERS` (wildcard, projectId=0) to publisher. These permissions apply to ALL projects deployed by this CTDeployer instance.
+- **CTDeployer.deployProjectFor permission gap.** No explicit permission check -- anyone can call `deployProjectFor` and create a project. A griefer could deploy many projects with arbitrary owners.
+- **CTDeployer.claimCollectionOwnershipOf.** Only checks `PROJECTS.ownerOf(projectId) == _msgSender()`. No Juicebox permission check. If the project NFT is transferred, the new owner can claim collection ownership. After claiming, the project owner must grant CTPublisher the `ADJUST_721_TIERS` permission for the project so that `mintFrom()` continues to work — without this, all subsequent posts revert.
 
-`CTDeployer.beforeCashOutRecordedWith()` at line 146 trusts `SUCKER_REGISTRY.isSuckerOf()` to determine whether a cashout should be tax-free. If the sucker registry is compromised or returns `true` for an attacker's address, that address can cash out with zero tax from any Croptop project.
+## 4. DoS Vectors
 
-### 3. JBPermissions (HIGH trust surface)
+- **Large batch posts.** `_setupPosts` iterates all posts with O(n^2) duplicate detection (inner loop `j < i`). A batch of 100+ posts has quadratic gas growth.
+- **External hook calls in loops.** `_setupPosts` calls `hook.STORE().tierOf()` and `hook.STORE().isTierRemoved()` inside the post loop. A reverting or gas-expensive store blocks the entire mint.
+- **Terminal resolution failure.** If `DIRECTORY.primaryTerminalOf()` returns `address(0)` for the project or fee project, the `pay()` call will revert with a low-level error.
+- **adjustTiers revert.** `hook.adjustTiers()` can revert if tiers violate category ordering constraints or other hook-level rules. This blocks the entire `mintFrom` call.
 
-Both CTDeployer and CTPublisher inherit `JBPermissioned` and rely on `_requirePermissionFrom()` for access control. The JBPermissions contract is a shared singleton. If compromised, all permission-gated functions across all projects lose access control.
+## 5. Integration Risks
 
-### 4. JB721TiersHookStore (MEDIUM trust surface)
+- **CTDeployer forwards all pay/cashout calls to `dataHookOf`.** `beforePayRecordedWith` and `beforeCashOutRecordedWith` delegate to the stored data hook without try-catch. If the data hook reverts, all payments/cashouts for the project are blocked.
+- **No mechanism for hook migration.** `dataHookOf` is written once in `deployProjectFor` and never updated. If the data hook becomes compromised, there is no governance path to replace it without deploying a new project.
+- **Tier ID prediction.** `_setupPosts` predicts new tier IDs as `maxTierIdOf(hook) + 1 + i`. If another transaction adds tiers between `maxTierIdOf` read and `adjustTiers` execution, tier IDs shift and the wrong tiers are minted. This is a race condition in concurrent posting.
+- **CTProjectOwner accepts any project NFT.** `onERC721Received` grants `ADJUST_721_TIERS` to `PUBLISHER` for whatever tokenId is received. If a non-Croptop project is accidentally transferred to `CTProjectOwner`, the publisher gains tier adjustment permission for it.
+- **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance, fee payments could fail and block all minting.
 
-CTPublisher reads tier data from the hook's store at `_setupPosts()` line 477 (`store.tierOf(address(hook), tierId, false).price`) and line 469 (`hook.STORE().isTierRemoved()`). If the store returns incorrect data, fee calculations and tier reuse logic break.
+## 6. Invariants to Verify
 
-### 5. Publisher-Set Splits (MEDIUM trust surface)
-
-Publishers set their own `splitPercent` and `splits` array in `CTPost` (line 544, `CTPublisher.sol`). While `splitPercent` is bounded by `maximumSplitPercent` (line 518-519), the actual `splits` array contents are not validated against the percent. The JB721TiersHook and JBSplits contracts downstream are responsible for enforcing that splits sum correctly.
-
-### 6. ERC2771 Trusted Forwarder (LOW trust surface)
-
-Both CTDeployer and CTPublisher use `ERC2771Context` with a trusted forwarder set at construction. If the trusted forwarder is compromised, any `_msgSender()` check can be spoofed, bypassing all permission checks. Mitigated by setting `trustedForwarder = address(0)` in deployments that don't need meta-transactions.
-
-## Audited Findings (Nemesis Audit)
-
-### Fixed: NM-001 -- Duplicate URI Fee Evasion (MEDIUM, FIXED)
-
-**Location:** `CTPublisher._setupPosts()` lines 454-469
-**Test:** `test/regression/M6_DuplicateUriFeeEvasion.t.sol`
-
-**Root cause:** Two posts with the same `encodedIPFSUri` in a single `mintFrom()` batch caused a desync between `tierIdForEncodedIPFSUriOf` (written at line 552 during iteration) and the hook store (updated only after `adjustTiers()` is called at line 338). The second post found a non-zero tier ID, but `store.tierOf()` returned `price=0` because the tier hadn't been committed yet.
-
-**Attack scenario:**
-1. Attacker calls `mintFrom()` with two identical `encodedIPFSUri` posts, each priced at 1 ETH.
-2. First post: `totalPrice += 1 ether`. Mapping written.
-3. Second post: Finds mapping, reads `store.tierOf().price = 0`. `totalPrice` stays at 1 ETH.
-4. Fee calculated on 1 ETH instead of 2 ETH. Attacker evades 50% of fees.
-
-**Fix applied:** Explicit duplicate detection loop at lines 454-458. Reverts with `CTPublisher_DuplicatePost(encodedIPFSUri)` if any two posts in the batch share an `encodedIPFSUri`.
-
-**Test coverage:** 5 tests covering adjacent duplicates, non-adjacent duplicates, distinct URIs, single posts, and fuzz over arbitrary URI pairs.
-
-### Fixed: H-19 -- Fee Evasion on Existing Tier Mints (HIGH, FIXED)
-
-**Location:** `CTPublisher._setupPosts()` line 477
-**Test:** `test/regression/H19_FeeEvasion.t.sol`
-
-**Root cause:** When a post reused an existing tier (same `encodedIPFSUri`), the fee was calculated from `post.price` (attacker-controlled) instead of the actual tier price stored on-chain. An attacker could set `post.price = 0` for existing tiers to evade the 5% fee entirely.
-
-**Fix applied:** For existing tiers, `totalPrice` accumulates `store.tierOf(address(hook), tierId, false).price` (line 477) -- the on-chain price -- not `post.price`.
-
-**Test coverage:** 2 tests: one proving the attacker can't send 0 ETH for existing tiers, one proving the exact fee boundary (1.05 ETH required for a 1 ETH tier).
-
-### Fixed: L-52 -- Stale Tier ID Mapping After External Removal (LOW, FIXED)
-
-**Location:** `CTPublisher._setupPosts()` lines 466-470
-**Test:** `test/regression/L52_StaleTierIdMapping.t.sol`
-
-**Root cause:** If a tier was removed externally via `adjustTiers()`, the `tierIdForEncodedIPFSUriOf` mapping still pointed to the removed tier ID. Subsequent posts with the same URI would try to mint from a removed tier.
-
-**Fix applied:** Before reusing a tier, `isTierRemoved()` is checked (line 469). If true, the stale mapping is deleted (line 470), and the post falls through to create a new tier.
-
-**Test coverage:** 2 tests: mapping cleared on removal, mapping preserved when tier still exists.
-
-### Open: NM-005 -- uint56 vs uint64 Project ID Cast (LOW, NOT FIXED)
-
-**Location:** `CTProjectOwner.sol` line 72 vs `CTDeployer.sol` line 337
-
-CTProjectOwner casts `tokenId` to `uint56`, while CTDeployer casts `projectId` to `uint64` in `JBPermissionsData`. No practical impact since project IDs are sequential and won't exceed 2^56, but the inconsistency should be harmonized.
-
-### Open: NM-006 -- Cannot Fully Disable Posting for a Category (LOW, NOT FIXED)
-
-**Location:** `CTPublisher.configurePostingCriteriaFor()` line 250-252
-
-`minimumTotalSupply` must be > 0, so once a category is enabled, there is no clean way to disable it. Workaround: set `minimumPrice` to `type(uint104).max` and `minimumTotalSupply = maximumTotalSupply = 1`.
-
-## Active Risk Analysis
-
-### R-1: Tier Spam via Permissionless Posting
-
-**Severity:** MEDIUM
-**Location:** `CTPublisher.mintFrom()` line 297, `_setupPosts()` line 419
-**Tested:** Partially (CroptopAttacks.t.sol tests input validation, not volume)
-
-**Description:** When `allowedAddresses` is empty (line 523 condition not met), anyone can call `mintFrom()` and create new tiers as long as they meet price/supply criteria. Each `mintFrom()` call can include multiple posts, each creating a new tier. There is no per-address rate limit or maximum tier count.
-
-**Impact:** An attacker can create thousands of tiers on a project's hook, increasing gas costs for all tier-related operations (enumeration, minting, removal). The JB721TiersHookStore uses a linked list for tiers, making enumeration O(n).
-
-**Mitigation:** Project owners should use allowlists for categories. The `minimumPrice` floor provides an economic barrier. Each new tier costs the poster the tier price + 5% fee.
-
-### R-2: Fee Rounding Loss (Dust)
-
-**Severity:** INFORMATIONAL
-**Location:** `CTPublisher.mintFrom()` line 328
-**Tested:** No dedicated test
-
-**Description:** Fee calculation `totalPrice / FEE_DIVISOR` uses integer division, which truncates. For `totalPrice = 39 wei`, the fee is `1 wei` instead of `1.95 wei`. This consistently rounds in the payer's favor (fee project receives slightly less).
-
-**Quantification:** Maximum dust loss per transaction is `FEE_DIVISOR - 1 = 19 wei`. For practical ETH amounts (>= 0.001 ETH), this is < 0.000002% underpayment.
-
-### R-3: Allowlist Linear Scan Gas Scaling
-
-**Severity:** LOW
-**Location:** `CTPublisher._isAllowed()` lines 200-210
-**Tested:** No gas benchmarks in test suite
-
-**Description:** Allowlist checking is O(n) linear scan. For an allowlist of 1000 addresses, each `mintFrom()` call pays ~3000 gas per address checked (1000 * 3 gas/comparison) = ~3M additional gas. The EVM block gas limit (~30M on mainnet) imposes an effective cap of ~10,000 addresses before a `mintFrom()` transaction becomes infeasible.
-
-**Mitigation:** Document the recommendation of < 100 addresses per allowlist (comment at line 197). A Merkle proof pattern would scale better but adds complexity.
-
-### R-4: Force-Sent ETH Routed to Fee Project
-
-**Severity:** LOW (NM-004 from audit)
-**Location:** `CTPublisher.mintFrom()` lines 389-404
-**Tested:** No dedicated test
-
-**Description:** If ETH is force-sent to CTPublisher via `selfdestruct` from another contract, it gets included in `address(this).balance` (line 397) and is sent to the fee project terminal on the next `mintFrom()` call. CTPublisher has no `receive()` or `fallback()`, so normal sends revert. Only `selfdestruct` (deprecated in future Ethereum hard forks) can force-send ETH.
-
-**Impact:** The fee project receives a windfall. No funds are lost to attackers. The mint caller is not charged extra (fee is subtracted from `msg.value` before the main payment, and the residual balance goes to fees).
-
-### R-5: Data Hook Proxy Forwarding Failure
-
-**Severity:** MEDIUM
-**Location:** `CTDeployer.beforeCashOutRecordedWith()` line 152, `beforePayRecordedWith()` line 170
-**Tested:** No unit test for forwarding failure
-
-**Description:** CTDeployer forwards data hook calls to `dataHookOf[projectId]`, which is set to the JB721TiersHook. If the hook reverts (e.g., due to a bug or an upgrade in dependent contracts), all pay and cashout operations for the project will revert. There is no try-catch wrapping these forwards.
-
-**Impact:** A broken or upgraded hook can DoS all payments and cashouts for a project. Since `dataHookOf` has no setter, the project is permanently bricked in this scenario.
-
-**Mitigation:** The hook is a deterministic deployment (Create2) with no upgrade mechanism, reducing the likelihood of unexpected behavior changes.
-
-### R-6: CTProjectOwner Accepts Transfers (Not Just Mints)
-
-**Severity:** LOW
-**Location:** `CTProjectOwner.onERC721Received()` line 47-77
-**Tested:** No negative test for transfer vs mint
-
-**Description:** Unlike `CTDeployer.onERC721Received()` (which checks `from != address(0)` at line 201), `CTProjectOwner.onERC721Received()` only checks that `msg.sender == address(PROJECTS)` (line 62). It does NOT check `from == address(0)`. This means any holder can `safeTransferFrom` their project NFT to `CTProjectOwner`, effectively burning their project ownership. While this is the intended use case (burn-lock), there is no confirmation dialog or cooling period.
-
-**Impact:** A project owner who accidentally transfers their project to CTProjectOwner loses ownership permanently with no recovery mechanism.
-
-### R-7: Sucker Fee-Free Cashout Trust Chain
-
-**Severity:** MEDIUM
-**Location:** `CTDeployer.beforeCashOutRecordedWith()` line 146
-**Tested:** No adversarial test for sucker impersonation
-
-**Description:** The fee-free cashout path relies entirely on `SUCKER_REGISTRY.isSuckerOf({projectId, addr: context.holder})`. The trust chain is:
-
-1. `SUCKER_REGISTRY` must correctly track deployed suckers.
-2. `allowSuckerDeployer()` on the registry must only be callable by the registry owner.
-3. Deployed suckers must not be compromisable.
-
-If any link breaks, an attacker could register a malicious address as a "sucker" and cash out any Croptop project's treasury at 0% tax rate.
-
-**Mitigation:** The sucker registry is operated by the protocol multisig. The `MAP_SUCKER_TOKEN` permission granted at CTDeployer construction (line 107) is wildcard (`projectId: 0`), which is necessary for cross-chain functionality but broadens the blast radius.
-
-### R-8: No Input Validation on `splits` Array Contents
-
-**Severity:** LOW
-**Location:** `CTPublisher._setupPosts()` line 544-545
-**Tested:** Split percent bounds are tested (`CTPublisher.t.sol`, `CroptopAttacks.t.sol`), but split array contents are not
-
-**Description:** While `splitPercent` is validated against `maximumSplitPercent` (line 518-519), the actual `splits` array (line 545) is passed through to the JB721TierConfig without validation. CTPublisher does not verify:
-- That split beneficiaries are non-zero addresses.
-- That split percentages sum to `SPLITS_TOTAL_PERCENT`.
-- That split hooks are valid contracts.
-
-**Mitigation:** The JB721TiersHook and JBSplits contracts downstream validate split configurations. CTPublisher relies on these downstream checks.
-
-### R-9: Project Deployment Front-Running
-
-**Severity:** LOW
-**Location:** `CTDeployer.deployProjectFor()` line 260
-**Tested:** Fork test in `Fork.t.sol` but no front-running test
-
-**Description:** `deployProjectFor()` calculates the expected project ID as `PROJECTS.count() + 1` (line 260) and asserts it matches the actual ID returned by `launchProjectFor()` (line 296). If another project is created between the `count()` read and the `launchProjectFor()` call (front-running), the assertion fails and the entire transaction reverts.
-
-**Impact:** No fund loss. The deployment simply fails and must be retried. An attacker would pay gas to front-run with no economic benefit.
-
-### R-10: Metadata Assembly Correctness
-
-**Severity:** INFORMATIONAL
-**Location:** `CTPublisher.mintFrom()` lines 355-357
-**Tested:** `test/Test_MetadataGeneration.t.sol`
-
-**Description:** `FEE_PROJECT_ID` is written into the first 32 bytes of `mintMetadata` via inline assembly `mstore`. This overwrites whatever was previously in that position (the metadata length prefix is at offset 0, the first data word is at offset 32). The test file confirms this produces valid metadata that can be parsed by `JBMetadataResolver.getDataFor()`.
-
-**Verified as correct:** False positive FF-002 from the Nemesis audit confirmed this is intentional per the JBMetadataResolver referral ID format.
-
-## Test Coverage Summary
-
-| Risk Area | Test File | Coverage |
-|-----------|-----------|----------|
-| Posting criteria round-trip | `CTPublisher.t.sol` | 11 tests including fuzz |
-| Permission enforcement | `CTPublisher.t.sol`, `CroptopAttacks.t.sol` | 3 tests |
-| Input validation (price, supply, URI) | `CroptopAttacks.t.sol` | 6 tests |
-| Split percent enforcement | `CTPublisher.t.sol`, `CroptopAttacks.t.sol` | 10 tests including fuzz |
-| Fee evasion (existing tiers) | `H19_FeeEvasion.t.sol` | 2 regression tests |
-| Fee evasion (duplicate URIs) | `M6_DuplicateUriFeeEvasion.t.sol` | 5 tests including fuzz |
-| Stale tier mapping | `L52_StaleTierIdMapping.t.sol` | 2 regression tests |
-| Metadata generation | `Test_MetadataGeneration.t.sol` | 1 test |
-| Full deployment integration | `Fork.t.sol` | 2 fork tests |
-| Data hook proxy forwarding | -- | **Not tested** |
-| Force-sent ETH handling | -- | **Not tested** |
-| Allowlist gas scaling | -- | **Not tested** |
-| Sucker fee-free cashout abuse | -- | **Not tested** |
-| CTProjectOwner transfer vs mint | -- | **Not tested** |
-| Front-running `deployProjectFor` | -- | **Not tested** |
-
-## Invariants
-
-These invariants should hold for all Croptop operations:
-
-1. **Fee invariant:** For any `mintFrom()` where `projectId != FEE_PROJECT_ID`, the fee project receives exactly `totalPrice / FEE_DIVISOR` (minus rounding dust of at most 19 wei).
-
-2. **Posting criteria invariant:** A `mintFrom()` call succeeds only if every post satisfies: `price >= minimumPrice`, `totalSupply >= minimumTotalSupply`, `totalSupply <= maximumTotalSupply`, `splitPercent <= maximumSplitPercent`, and (if allowlist non-empty) `msg.sender in allowedAddresses`.
-
-3. **Tier uniqueness invariant (post-fix):** Within a single `mintFrom()` batch, no two posts can have the same `encodedIPFSUri`.
-
-4. **Fee calculation invariant (post-fix):** For existing tiers, the fee is based on `store.tierOf().price` (on-chain price), not `post.price` (user-supplied).
-
-5. **Ownership invariant:** CTDeployer owns the project NFT only transiently during `deployProjectFor()`. By the end of the function, ownership is always transferred to the specified `owner`.
-
-6. **Data hook immutability invariant:** `dataHookOf[projectId]` is set exactly once (during `deployProjectFor`) and never modified afterward.
+- `tierIdForEncodedIPFSUriOf[hook][encodedIPFSUri]` is set exactly once per (hook, encodedIPFSUri) pair and points to a valid, non-removed tier.
+- `totalPrice` accumulated in `_setupPosts` equals the sum of prices for all posts (new tier price for new posts, existing tier price for existing posts).
+- Fee amount: `msg.value - payValue == totalPrice / FEE_DIVISOR` (within 19 wei rounding).
+- For every configured category, `minimumTotalSupply <= maximumTotalSupply` and `minimumTotalSupply > 0`.
+- Packed allowance encoding/decoding round-trips correctly for all valid input ranges.
+- After `CTDeployer.deployProjectFor`, the project NFT is owned by `owner`, and `dataHookOf[projectId]` is the deployed 721 hook.
+- `CTProjectOwner` only grants `ADJUST_721_TIERS` permission, never broader permissions.

package/SKILLS.md

@@ -33,7 +33,7 @@ Permissioned NFT publishing system that lets anyone post content as 721 tiers to
 | Function | What it does |
 |----------|-------------|
 | `CTDeployer.deployProjectFor(owner, projectConfig, suckerDeploymentConfiguration, controller)` | Deploys a new Juicebox project with a 721 tiers hook, configures posting criteria, optionally deploys suckers, and transfers project ownership to the specified owner. Uses `CTDeployer` as data hook proxy. Returns `(projectId, hook)`. |
-| `CTDeployer.claimCollectionOwnershipOf(hook)` | Transfers hook ownership to the project via `JBOwnable.transferOwnershipToProject`. Only callable by the project owner. |
+| `CTDeployer.claimCollectionOwnershipOf(hook)` | Transfers hook ownership to the project via `JBOwnable.transferOwnershipToProject`. Only callable by the project owner. After claiming, the project owner must grant CTPublisher `ADJUST_721_TIERS` permission for the project so that `mintFrom()` continues to work. |
 | `CTDeployer.deploySuckersFor(projectId, suckerDeploymentConfiguration)` | Deploys new cross-chain suckers for an existing project. Requires `DEPLOY_SUCKERS` permission. |
 
 ### Data Hook Proxy