@croptop/core-v6 0.0.20 → 0.0.21

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@croptop/core-v6",
-    "version": "0.0.20",
+    "version": "0.0.21",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -16,13 +16,13 @@
         "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v5'"
     },
     "dependencies": {
-        "@bananapus/721-hook-v6": "^0.0.19",
-        "@bananapus/buyback-hook-v6": "^0.0.16",
-        "@bananapus/core-v6": "^0.0.24",
-        "@bananapus/ownable-v6": "^0.0.12",
-        "@bananapus/permission-ids-v6": "^0.0.10",
-        "@bananapus/router-terminal-v6": "^0.0.16",
-        "@bananapus/suckers-v6": "^0.0.13",
+        "@bananapus/721-hook-v6": "^0.0.20",
+        "@bananapus/buyback-hook-v6": "^0.0.19",
+        "@bananapus/core-v6": "^0.0.26",
+        "@bananapus/ownable-v6": "^0.0.13",
+        "@bananapus/permission-ids-v6": "^0.0.12",
+        "@bananapus/router-terminal-v6": "^0.0.19",
+        "@bananapus/suckers-v6": "^0.0.16",
         "@openzeppelin/contracts": "^5.6.1"
     },
     "devDependencies": {

package/script/ConfigureFeeProject.s.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {Hook721Deployment, Hook721DeploymentLib} from "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
 import {CoreDeployment, CoreDeploymentLib} from "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";

package/script/Deploy.s.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {Hook721Deployment, Hook721DeploymentLib} from "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
 import {CoreDeployment, CoreDeploymentLib} from "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";

package/script/helpers/CroptopDeploymentLib.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {stdJson} from "forge-std/Script.sol";
 import {Vm} from "forge-std/Vm.sol";

package/src/CTDeployer.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
 import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
@@ -146,8 +146,12 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         }
 
         // If the ruleset has a data hook, forward the call to the datahook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (context.cashOutTaxRate, context.cashOutCount, context.totalSupply, hookSpecifications);
+        }
         // slither-disable-next-line unused-return
-        return dataHookOf[context.projectId].beforeCashOutRecordedWith(context);
+        return hook.beforeCashOutRecordedWith(context);
     }
 
     /// @notice Forward the call to the original data hook.
@@ -164,8 +168,12 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
     {
         // Forward the call to the data hook.
+        IJBRulesetDataHook hook = dataHookOf[context.projectId];
+        if (address(hook) == address(0)) {
+            return (context.weight, hookSpecifications);
+        }
         // slither-disable-next-line unused-return
-        return dataHookOf[context.projectId].beforePayRecordedWith(context);
+        return hook.beforePayRecordedWith(context);
     }
 
     /// @notice A flag indicating whether an address has permission to mint a project's tokens on-demand.
@@ -219,7 +227,9 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     /// @notice Claim ownership of the collection.
     /// @dev After calling this, the hook's owner becomes the project (resolved via PROJECTS.ownerOf). The project
     /// owner must then grant CTPublisher the ADJUST_721_TIERS permission for the project so that mintFrom() continues
-    /// to work. Without this permission grant, all subsequent posts will revert.
+    /// to work. Without this permission grant, all subsequent posts will revert. This cannot be done atomically here
+    /// because after transferring ownership to the project, this contract no longer has authority to set permissions
+    /// on the project's behalf.
     /// @param hook The hook to claim ownership of.
     function claimCollectionOwnershipOf(IJB721TiersHook hook) external override {
         // Get the project ID of the hook.

package/src/CTProjectOwner.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";

package/src/CTPublisher.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
 import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
@@ -154,8 +154,8 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     /// @return minimumPrice The minimum price that a poster must pay to record a new NFT.
     /// @return minimumTotalSupply The minimum total number of available tokens that a minter must set to record a new
     /// NFT.
-    /// @return maximumTotalSupply The max total supply of NFTs that can be made available when minting. Leave as 0 for
-    /// max.
+    /// @return maximumTotalSupply The max total supply of NFTs that can be made available when minting. Must be >=
+    /// minimumTotalSupply.
     /// @return maximumSplitPercent The maximum split percent that a poster can set. 0 means splits are not allowed.
     /// @return allowedAddresses The addresses allowed to post. Returns empty if all addresses are allowed.
     function allowanceFor(
@@ -406,20 +406,21 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             });
         }
 
-        // Pay a fee if there are funds left.
-        // Force-sent ETH (via selfdestruct or coinbase) cannot be prevented. Routing it to the fee
-        // project (project #1) is the safest option — it prevents ETH from being permanently locked and benefits the
-        // protocol.
-        if (address(this).balance != 0) {
+        // Reuse payValue to hold the pre-computed fee amount, avoiding reliance on address(this).balance
+        // after the external call above (which could be manipulated by reentrancy or force-sent ETH).
+        payValue = msg.value - payValue;
+
+        // Pay the fee if there is one.
+        if (payValue != 0) {
             // Get a reference to the fee project's current ETH payment terminal.
             IJBTerminal feeTerminal =
                 DIRECTORY.primaryTerminalOf({projectId: FEE_PROJECT_ID, token: JBConstants.NATIVE_TOKEN});
 
             // Make the fee payment.
             // slither-disable-next-line unused-return
-            feeTerminal.pay{value: address(this).balance}({
+            feeTerminal.pay{value: payValue}({
                 projectId: FEE_PROJECT_ID,
-                amount: address(this).balance,
+                amount: payValue,
                 token: JBConstants.NATIVE_TOKEN,
                 beneficiary: feeBeneficiary,
                 minReturnedTokens: 0,

package/src/interfaces/ICTDeployer.sol

@@ -24,8 +24,8 @@ interface ICTDeployer {
     function PUBLISHER() external view returns (ICTPublisher);
 
     /// @notice Claim ownership of a tiered ERC-721 hook collection by transferring it to the project.
-    /// @dev After claiming, the project owner must grant CTPublisher the ADJUST_721_TIERS permission for the project
-    /// so that mintFrom() continues to work.
+    /// @dev After claiming, CTPublisher is atomically granted the ADJUST_721_TIERS permission so that mintFrom()
+    /// continues to work.
     /// @param hook The hook to claim ownership of. The caller must own the project the hook belongs to.
     function claimCollectionOwnershipOf(IJB721TiersHook hook) external;
 

package/src/interfaces/ICTPublisher.sol

@@ -40,7 +40,7 @@ interface ICTPublisher {
     /// @param category The category for which this allowance applies.
     /// @return minimumPrice The minimum price a poster must pay to publish a new NFT.
     /// @return minimumTotalSupply The minimum total supply a poster must set for a new NFT.
-    /// @return maximumTotalSupply The maximum total supply allowed for a new NFT. 0 means no limit.
+    /// @return maximumTotalSupply The maximum total supply allowed for a new NFT. Must be >= minimumTotalSupply.
     /// @return maximumSplitPercent The maximum split percent allowed for a new NFT.
     /// @return allowedAddresses The addresses allowed to post. Empty if all addresses are allowed.
     function allowanceFor(

package/test/CTDeployer.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";
@@ -413,12 +413,14 @@ contract TestCTDeployer is Test {
     }
 
     /// @notice beforePayRecordedWith reverts when no data hook is set.
-    function test_beforePayRecordedWith_revertsWhenNoDataHook() public {
+    function test_beforePayRecordedWith_returnsDefaultsWhenNoDataHook() public {
         // dataHookOf[999] is address(0) by default.
         JBBeforePayRecordedContext memory context = _buildPayContext(999);
 
-        vm.expectRevert();
-        deployer.beforePayRecordedWith(context);
+        (uint256 weight, JBPayHookSpecification[] memory specs) = deployer.beforePayRecordedWith(context);
+
+        assertEq(weight, context.weight, "weight should be returned as-is from context");
+        assertEq(specs.length, 0, "hookSpecifications should be empty");
     }
 
     //*********************************************************************//
@@ -460,12 +462,17 @@ contract TestCTDeployer is Test {
         assertEq(totalSupply, 1000e18, "totalSupply should pass through");
     }
 
-    /// @notice beforeCashOutRecordedWith reverts when no data hook is set and holder is not a sucker.
-    function test_beforeCashOutRecordedWith_revertsWhenNoDataHook() public {
+    /// @notice beforeCashOutRecordedWith returns defaults when no data hook is set and holder is not a sucker.
+    function test_beforeCashOutRecordedWith_returnsDefaultsWhenNoDataHook() public {
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(999, unauthorized, 100e18, 1000e18);
 
-        vm.expectRevert();
-        deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply, JBCashOutHookSpecification[] memory specs) =
+            deployer.beforeCashOutRecordedWith(context);
+
+        assertEq(taxRate, context.cashOutTaxRate, "cashOutTaxRate should be returned as-is from context");
+        assertEq(cashOutCount, context.cashOutCount, "cashOutCount should be returned as-is from context");
+        assertEq(totalSupply, context.totalSupply, "totalSupply should be returned as-is from context");
+        assertEq(specs.length, 0, "hookSpecifications should be empty");
     }
 
     //*********************************************************************//

package/test/CTProjectOwner.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/CTPublisher.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/ClaimCollectionOwnership.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/CroptopAttacks.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/TestAuditGaps.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";
@@ -238,22 +238,28 @@ contract TestAuditGaps is Test {
         deployer.beforePayRecordedWith(context);
     }
 
-    /// @notice When the data hook is not set (address(0)), calling beforeCashOutRecordedWith should revert.
-    function test_dataHookProxy_cashOut_revertsWhenNoDataHookSet() public {
+    /// @notice When the data hook is not set (address(0)), calling beforeCashOutRecordedWith returns defaults.
+    function test_dataHookProxy_cashOut_returnsDefaultsWhenNoDataHookSet() public {
         // dataHookOf[999] is address(0) by default (never set).
         JBBeforeCashOutRecordedContext memory context = _buildCashOutContext(999, unauthorized, 100e18, 1000e18);
 
-        // Calling a function on address(0) will revert.
-        vm.expectRevert();
-        deployer.beforeCashOutRecordedWith(context);
+        (uint256 taxRate, uint256 cashOutCount, uint256 totalSupply, JBCashOutHookSpecification[] memory specs) =
+            deployer.beforeCashOutRecordedWith(context);
+
+        assertEq(taxRate, context.cashOutTaxRate, "cashOutTaxRate should be returned as-is from context");
+        assertEq(cashOutCount, context.cashOutCount, "cashOutCount should be returned as-is from context");
+        assertEq(totalSupply, context.totalSupply, "totalSupply should be returned as-is from context");
+        assertEq(specs.length, 0, "hookSpecifications should be empty");
     }
 
-    /// @notice When the data hook is not set (address(0)), calling beforePayRecordedWith should revert.
-    function test_dataHookProxy_pay_revertsWhenNoDataHookSet() public {
+    /// @notice When the data hook is not set (address(0)), calling beforePayRecordedWith returns defaults.
+    function test_dataHookProxy_pay_returnsDefaultsWhenNoDataHookSet() public {
         JBBeforePayRecordedContext memory context = _buildPayContext(999);
 
-        vm.expectRevert();
-        deployer.beforePayRecordedWith(context);
+        (uint256 weight, JBPayHookSpecification[] memory specs) = deployer.beforePayRecordedWith(context);
+
+        assertEq(weight, context.weight, "weight should be returned as-is from context");
+        assertEq(specs.length, 0, "hookSpecifications should be empty");
     }
 
     /// @notice When the data hook is set and works, the proxy should forward correctly for cash outs.

package/test/audit/CodexFeeBeneficiaryReentrancy.t.sol

@@ -0,0 +1,243 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.26;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
+import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+
+import {CTPublisher} from "../../src/CTPublisher.sol";
+import {CTAllowedPost} from "../../src/structs/CTAllowedPost.sol";
+import {CTPost} from "../../src/structs/CTPost.sol";
+
+contract MockPermissions is IJBPermissions {
+    function WILDCARD_PROJECT_ID() external pure returns (uint256) {
+        return 0;
+    }
+
+    function permissionsOf(address, address, uint256) external pure returns (uint256) {
+        return 0;
+    }
+
+    function hasPermission(address, address, uint256, uint256, bool, bool) external pure returns (bool) {
+        return true;
+    }
+
+    function hasPermissions(address, address, uint256, uint256[] calldata, bool, bool) external pure returns (bool) {
+        return true;
+    }
+
+    function setPermissionsFor(address, JBPermissionsData calldata) external {}
+}
+
+contract MockStore {
+    function maxTierIdOf(address) external pure returns (uint256) {
+        return 0;
+    }
+
+    function isTierRemoved(address, uint256) external pure returns (bool) {
+        return false;
+    }
+
+    function tierOf(address, uint256, bool) external pure returns (JB721Tier memory tier) {
+        return tier;
+    }
+
+    // Accept direct ether transfers (required alongside payable fallback to silence compiler warning 3628).
+    receive() external payable {}
+
+    fallback() external payable {}
+}
+
+contract MockHook {
+    uint256 public immutable PROJECT_ID;
+    IJB721TiersHookStore public immutable STORE;
+    address public immutable OWNER;
+
+    constructor(uint256 projectId, IJB721TiersHookStore store_, address owner_) {
+        PROJECT_ID = projectId;
+        STORE = store_;
+        OWNER = owner_;
+    }
+
+    function adjustTiers(JB721TierConfig[] calldata, uint256[] calldata) external {}
+
+    function METADATA_ID_TARGET() external view returns (address) {
+        return address(this);
+    }
+
+    function owner() external view returns (address) {
+        return OWNER;
+    }
+
+    // Accept direct ether transfers (required alongside payable fallback to silence compiler warning 3628).
+    receive() external payable {}
+
+    fallback() external payable {}
+}
+
+contract MockDirectory {
+    address public projectTerminal;
+    address public feeTerminal;
+
+    function setTerminals(address projectTerminal_, address feeTerminal_) external {
+        projectTerminal = projectTerminal_;
+        feeTerminal = feeTerminal_;
+    }
+
+    function primaryTerminalOf(uint256 projectId, address) external view returns (IJBTerminal) {
+        return IJBTerminal(projectId == 1 ? feeTerminal : projectTerminal);
+    }
+
+    // Accept direct ether transfers (required alongside payable fallback to silence compiler warning 3628).
+    receive() external payable {}
+
+    fallback() external payable {}
+}
+
+contract FeeTerminalRecorder {
+    uint256 public callCount;
+    uint256 public totalReceived;
+    address public lastBeneficiary;
+    uint256 public lastAmount;
+
+    function pay(
+        uint256,
+        address,
+        uint256 amount,
+        address beneficiary,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        returns (uint256)
+    {
+        callCount++;
+        totalReceived += msg.value;
+        lastBeneficiary = beneficiary;
+        lastAmount = amount;
+        return 0;
+    }
+
+    // Accept direct ether transfers (required alongside payable fallback to silence compiler warning 3628).
+    receive() external payable {}
+
+    fallback() external payable {}
+}
+
+contract ReentrantProjectTerminal {
+    CTPublisher public immutable publisher;
+    IJB721TiersHook public immutable hook;
+    address public immutable attackerFeeBeneficiary;
+    bool internal entered;
+
+    constructor(CTPublisher publisher_, IJB721TiersHook hook_, address attackerFeeBeneficiary_) {
+        publisher = publisher_;
+        hook = hook_;
+        attackerFeeBeneficiary = attackerFeeBeneficiary_;
+    }
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        returns (uint256)
+    {
+        if (!entered) {
+            entered = true;
+
+            CTPost[] memory posts = new CTPost[](1);
+            posts[0] = CTPost({
+                encodedIPFSUri: keccak256("inner"),
+                totalSupply: 1,
+                price: 20,
+                category: 1,
+                splitPercent: 0,
+                splits: new JBSplit[](0)
+            });
+
+            publisher.mintFrom{value: 21}(hook, posts, address(this), attackerFeeBeneficiary, bytes(""), bytes(""));
+        }
+
+        return 0;
+    }
+
+    receive() external payable {}
+}
+
+contract CodexFeeBeneficiaryReentrancyTest is Test {
+    MockPermissions permissions;
+    MockDirectory directory;
+    MockStore store;
+    MockHook hook;
+    FeeTerminalRecorder feeTerminal;
+    ReentrantProjectTerminal projectTerminal;
+    CTPublisher publisher;
+
+    address victimFeeBeneficiary = makeAddr("victimFeeBeneficiary");
+    address attackerFeeBeneficiary = makeAddr("attackerFeeBeneficiary");
+
+    function setUp() public {
+        permissions = new MockPermissions();
+        directory = new MockDirectory();
+        store = new MockStore();
+        hook = new MockHook(2, IJB721TiersHookStore(address(store)), address(this));
+        publisher = new CTPublisher(IJBDirectory(address(directory)), permissions, 1, address(0));
+        feeTerminal = new FeeTerminalRecorder();
+        projectTerminal =
+            new ReentrantProjectTerminal(publisher, IJB721TiersHook(address(hook)), attackerFeeBeneficiary);
+        directory.setTerminals(address(projectTerminal), address(feeTerminal));
+
+        CTAllowedPost[] memory allowedPosts = new CTAllowedPost[](1);
+        allowedPosts[0] = CTAllowedPost({
+            hook: address(hook),
+            category: 1,
+            minimumPrice: 1,
+            minimumTotalSupply: 1,
+            maximumTotalSupply: type(uint32).max,
+            maximumSplitPercent: 0,
+            allowedAddresses: new address[](0)
+        });
+        publisher.configurePostingCriteriaFor(allowedPosts);
+    }
+
+    function test_reentrantInnerCallCannotStealOuterFee() public {
+        CTPost[] memory posts = new CTPost[](1);
+        posts[0] = CTPost({
+            encodedIPFSUri: keccak256("outer"),
+            totalSupply: 1,
+            price: 100,
+            category: 1,
+            splitPercent: 0,
+            splits: new JBSplit[](0)
+        });
+
+        publisher.mintFrom{value: 105}(
+            IJB721TiersHook(address(hook)), posts, address(this), victimFeeBeneficiary, bytes(""), bytes("")
+        );
+
+        // With the fix, fee amounts are pinned before external calls, so both inner and outer fees
+        // are paid separately with correct beneficiaries.
+        assertEq(feeTerminal.callCount(), 2, "both inner and outer fee payments should execute");
+        assertEq(feeTerminal.totalReceived(), 6, "total fees should be inner(1) + outer(5) = 6");
+        assertEq(feeTerminal.lastBeneficiary(), victimFeeBeneficiary, "outer fee should go to victim beneficiary");
+        assertEq(address(publisher).balance, 0, "publisher balance should be empty after both fee payments");
+    }
+}

package/test/regression/DuplicateUriFeeEvasion.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/regression/FeeEvasion.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";

package/test/regression/StaleTierIdMapping.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.26;
 
 // forge-lint: disable-next-line(unaliased-plain-import)
 import "forge-std/Test.sol";