@croptop/core-v6 0.0.23 → 0.0.24

package/ADMINISTRATION.md

@@ -142,6 +142,6 @@ What admins CANNOT do:
 
 8. **No admin can modify existing tier prices.** Once a tier is created via `_setupPosts()`, the price is set in the `JB721TiersHookStore`. CTPublisher uses the stored price for fee calculation on subsequent mints (not `post.price`). See H-19 fix.
 
-9. **No admin can drain CTPublisher funds.** CTPublisher has no `withdraw()` function and no `receive()` / `fallback()`. The only ETH that enters the contract is during `mintFrom()` and it is fully routed to the project terminal and fee terminal within the same transaction.
+9. **No admin can drain CTPublisher funds.** CTPublisher has no `withdraw()` function and no `receive()` / `fallback()`. The only ETH that enters the contract is during `mintFrom()` and it is fully routed to the project terminal and fee terminal (or fallback recipients) within the same transaction. The fee terminal payment is wrapped in try-catch with fallback to `feeBeneficiary` then `msg.sender`, so ETH is never stranded by a fee terminal failure.
 
 10. **Sucker registry trust is irrevocable.** The `MAP_SUCKER_TOKEN` permission is granted at CTDeployer construction with `projectId: 0` (wildcard). There is no function to revoke this permission from within CTDeployer.

package/ARCHITECTURE.md

@@ -65,7 +65,7 @@ Publisher → CTPublisher.mintFrom(hook, posts[], nftBeneficiary, feeBeneficiary
   → adjustTiers on the 721 hook to add new tiers
   → Pay the project terminal: payValue = msg.value - fee
      Metadata encodes tier IDs to mint, so the 721 hook mints one NFT per post
-  → Pay fee to FEE_PROJECT_ID terminal with remaining balance
+  → Pay pre-computed fee to FEE_PROJECT_ID terminal (try-catch; falls back to feeBeneficiary, then msg.sender)
 ```
 
 ### Allowed Post Rules

package/AUDIT_INSTRUCTIONS.md

@@ -71,7 +71,7 @@ Quick reference for where the money is:
 | Fee-free cashout | `CTDeployer.beforeCashOutRecordedWith()` | Full treasury value | Only legitimate suckers (via registry) get 0% tax |
 | Unauthorized minting | `CTDeployer.hasMintPermissionFor()` | Arbitrary token minting | Only registered suckers get mint permission |
 | Tier spam | `CTPublisher._setupPosts()` | Gas griefing, hook degradation | Allowlist + price/supply floors gate tier creation |
-| Fee routing failure | `CTPublisher.mintFrom()` residual balance | Fee project loses 5% | `address(this).balance` after project payment is sent to fee project |
+| Fee routing failure | `CTPublisher.mintFrom()` pre-computed fee | Fee project loses 5% | Pre-computed fee (`msg.value - payValue`) sent via try-catch to fee terminal, with fallback to `feeBeneficiary` then `msg.sender` |
 
 ---
 
@@ -126,9 +126,11 @@ Poster calls mintFrom(hook, posts[], nftBeneficiary, feeBeneficiary, additionalP
 8. Look up project's primary ETH terminal via DIRECTORY               [line 393-394]
    terminal.pay{value: payValue}(...)                                 [line 398-406]
 
-9. If address(this).balance != 0:                                     [line 413]
-   Look up fee project's primary ETH terminal                        [line 415-416]
-   feeTerminal.pay{value: address(this).balance}(...)                [line 420-428]
+9. payValue = msg.value - payValue (pre-computed fee)                  [line 411]
+   If payValue != 0:                                                   [line 414]
+   Look up fee project's primary ETH terminal                        [line 416-417]
+   try feeTerminal.pay{value: payValue}(...) {}                      [line 421-429]
+   catch { feeBeneficiary.call{value}; fallback msg.sender.call }    [line 430-437]
 ```
 
 ### Fee Calculation
@@ -137,7 +139,7 @@ Poster calls mintFrom(hook, posts[], nftBeneficiary, feeBeneficiary, additionalP
 - Fee = `totalPrice / 20` (integer division, truncates)
 - Maximum rounding loss: 19 wei per transaction
 - Fee is deducted from `msg.value` before the project payment
-- Residual `address(this).balance` (fee + any force-sent ETH) goes to fee project
+- Pre-computed fee (`msg.value - payValue`) goes to fee terminal via try-catch, with fallback to `feeBeneficiary` then `msg.sender`
 - Fee is skipped entirely when `projectId == FEE_PROJECT_ID`
 
 ---
@@ -338,8 +340,8 @@ Check that no realistic usage pattern could cause a revert due to gas limits. Th
 2. **Fee deduction and routing** (CTPublisher.sol lines 336-428). Verify:
    - `payValue = msg.value - (totalPrice / FEE_DIVISOR)` cannot underflow
    - The check `totalPrice > payValue` correctly prevents underpayment
-   - `address(this).balance` after the project payment equals exactly the fee amount (plus any force-sent ETH)
-   - The fee terminal payment cannot silently fail
+   - The pre-computed fee (`msg.value - payValue`) equals exactly the intended fee amount, independent of `address(this).balance`
+   - The fee terminal payment is wrapped in try-catch with fallback to `feeBeneficiary` then `msg.sender` — verify the fallback chain cannot lose ETH
 
 3. **Data hook proxy forwarding** (CTDeployer.sol lines 132-169). Verify:
    - `dataHookOf[projectId]` is always set before any pay/cashout can occur for that project
@@ -375,7 +377,7 @@ Check that no realistic usage pattern could cause a revert due to gas limits. Th
 
 11. **`uint64` project ID cast** in CTProjectOwner (line 77) and CTDeployer (line 344). Both now use `uint64`. Confirm no truncation risk for realistic project IDs.
 
-12. **Force-sent ETH routing** (CTPublisher.sol lines 413-428). Confirm this is the intended behavior and cannot be exploited.
+12. **Force-sent ETH stranding** (CTPublisher.sol lines 409-438). Fee is now pre-computed from `msg.value`, not `address(this).balance`. Force-sent ETH remains stranded. Confirm this is acceptable and the try-catch fallback chain cannot lose ETH from `msg.value`.
 
 13. **Allowlist overwrite behavior** (CTPublisher.sol lines 289-296). Verify that `delete` followed by `push` loop correctly replaces the array with no residual state.
 
@@ -391,7 +393,7 @@ These properties should hold across all operations. They are suitable targets fo
 
 2. **No fee for fee project:** When `projectId == FEE_PROJECT_ID`, the full `msg.value` is sent to the project terminal (zero deducted for fees).
 
-3. **ETH conservation:** For every `mintFrom()` call, `msg.value == payValue + feeAmount + dust`, where `dust <= 19 wei`. No ETH remains in the CTPublisher contract after the call completes (unless an external `selfdestruct` force-sends ETH between the two `pay()` calls).
+3. **ETH conservation:** For every `mintFrom()` call, `msg.value == payValue + feeAmount + dust`, where `dust <= 19 wei`. The fee amount is pre-computed as `msg.value - payValue` and routed via try-catch to the fee terminal, then `feeBeneficiary`, then `msg.sender`. No ETH from `msg.value` is lost. Force-sent ETH (via `selfdestruct`) is not routed and remains stranded in the contract.
 
 ### Posting Invariants
 
@@ -447,7 +449,7 @@ ETHEREUM_RPC_URL=<your-rpc> forge test --match-contract ForkTest --fork-url $ETH
 
 ### Coverage Gaps (no existing tests)
 
-- Force-sent ETH handling via selfdestruct
+- Force-sent ETH handling via selfdestruct (fee is now pre-computed from `msg.value`, not `address(this).balance`, so force-sent ETH remains stranded)
 - `deployProjectFor` front-running race condition
 - Multiple hooks sharing the same CTPublisher instance
 - Cross-category posting in a single batch (different categories, different allowlists)

package/CHANGE_LOG.md

@@ -242,6 +242,10 @@ No field changes. Import path updated from `@bananapus/suckers-v5` to `@bananapu
 ### `CTPublisher.mintFrom` — Named Arguments
 - **v6:** Uses named arguments for `DIRECTORY.primaryTerminalOf(...)`, `hook.adjustTiers(...)`, `JBMetadataResolver.getId(...)`, and `_isAllowed(...)`.
 
+### `CTPublisher.mintFrom` — Fee Payment Resilience (Audit Remediation)
+- **Previous:** Fee terminal payment was a bare `feeTerminal.pay{value}()` call. If the fee terminal reverted, the entire `mintFrom()` transaction reverted, blocking all mints.
+- **Current:** Fee amount is pre-computed as `msg.value - payValue` (no longer relies on `address(this).balance`). The fee terminal payment is wrapped in try-catch. On failure, the fee is sent to `feeBeneficiary` via low-level call. If that also fails, the fee is sent to `msg.sender`. A broken fee terminal never blocks mints.
+
 ### NatDoc / Comments
 - **v6:** Adds extensive NatDoc comments to all interface functions, events, and struct fields. Adds `forge-lint` disable comments for mixed-case variables. Adds explanatory comments for design decisions (e.g., fee rounding behavior, force-sent ETH handling, category irrevocability, linear scan scaling).
 

package/README.md

@@ -56,7 +56,7 @@ Every `mintFrom` call collects a 5% fee on the total tier price. The fee is calc
 
 - If the project being posted to **is** the fee project, no fee is collected (avoids circular payments).
 - Integer division truncates, so the fee loses up to 19 wei of dust per mint.
-- Any ETH remaining in the contract after the main payment (including force-sent ETH) is forwarded to the fee project terminal.
+- The fee amount is pre-computed as `msg.value - payValue` (not derived from `address(this).balance`), so force-sent ETH does not affect fee routing. The fee terminal payment is wrapped in try-catch with a fallback to `feeBeneficiary` then `msg.sender`.
 
 ### One-Click Deployment
 
@@ -173,4 +173,4 @@ script/
 - **Fee skipping:** When `projectId == FEE_PROJECT_ID`, no fee is collected. This is intentional but means the fee project itself never pays Croptop fees.
 - **Allowlist scaling:** `_isAllowed()` uses linear scan over the address allowlist. Large allowlists (100+ addresses) increase gas costs proportionally.
 - **Tier reuse via IPFS URI:** If the same encoded IPFS URI has already been minted, the existing tier is reused rather than creating a new one. This prevents duplicate content but means a poster cannot create a second tier with the same content.
-- **Exact payment edge case:** `mintFrom` sends the remaining contract balance as the fee payment after the main payment. If exactly the right amount is sent (no remainder), the fee transfer is skipped.
+- **Fee terminal failure:** The fee terminal payment is wrapped in try-catch. If the fee terminal reverts, the fee is sent to `feeBeneficiary` via low-level call, then to `msg.sender` if that also fails. A broken fee terminal never blocks mints, but the fee project loses revenue during the outage.

package/RISKS.md

@@ -14,6 +14,7 @@
 - **Fee evasion via duplicate posts across hooks.** `tierIdForEncodedIPFSUriOf` is keyed per hook. The same `encodedIPFSUri` can be posted to different hooks without duplicate detection, potentially creating fee-arbitrage opportunities.
 - **Fee calculation rounding.** Fee is `totalPrice / FEE_DIVISOR` (FEE_DIVISOR=20, so 5% fee). Integer division truncates, losing up to 19 wei per post. Negligible individually but could compound across many micro-priced posts. Explicit validation: reverts `CTPublisher_InsufficientEthSent` if `msg.value < fee` (before subtraction) or if `msg.value - fee < totalPrice` (after subtraction).
 - **Pre-computed fee routing.** `CTPublisher.mintFrom` computes the fee as `msg.value - payValue` before the external payment call, so the fee amount is determined from `msg.value` alone. Force-sent ETH (via selfdestruct) does not affect fee calculation.
+- **Try-catch fee payment.** The fee terminal payment is wrapped in try-catch. If the fee terminal reverts, the fee is sent to `feeBeneficiary` via low-level call. If that also fails, the fee is sent to `msg.sender`. This means a broken fee terminal does not block mints, but the fee project may lose fee revenue during the outage.
 - **Split percent manipulation.** Posters can set `splitPercent` up to `maximumSplitPercent`. Splits route funds away from the project treasury to poster-specified addresses. If `maximumSplitPercent` is set high, posters can redirect most of the tier revenue.
 
 ## 3. Access Control
@@ -33,8 +34,8 @@
 
 ## 5. Reentrancy Surface
 
-- **`mintFrom` external call chain.** `mintFrom` makes three categories of external calls: (1) `hook.adjustTiers()` to create new tiers, (2) `terminal.pay{value}()` to pay the project, (3) `terminal.pay{value}()` to pay the fee project. The first `terminal.pay` can trigger pay hooks on the target project, which could call back into `CTPublisher`. However, `mintFrom` has no mutable state between the tier adjustment and the payment — `totalPrice` and `payValue` are computed from local variables before the external calls. A re-entrant `mintFrom` call would process independently.
-- **Fee payment ordering.** The fee is sent AFTER the main payment (line ordering in `mintFrom`). If the main payment's pay hook re-enters and calls `mintFrom` again, the fee for the first call has not yet been sent. This is safe because the fee is pre-computed from `msg.value` before the external call (`msg.value - payValue`), and each call independently computes its own fee from its own `msg.value`. Force-sent ETH (via selfdestruct) does not affect fee calculation since the fee is derived from `msg.value`, not `address(this).balance`.
+- **`mintFrom` external call chain.** `mintFrom` makes three categories of external calls: (1) `hook.adjustTiers()` to create new tiers, (2) `terminal.pay{value}()` to pay the project, (3) `feeTerminal.pay{value}()` to pay the fee project (wrapped in try-catch, with fallback to `feeBeneficiary.call` then `msg.sender.call`). The first `terminal.pay` can trigger pay hooks on the target project, which could call back into `CTPublisher`. However, `mintFrom` has no mutable state between the tier adjustment and the payment — `totalPrice` and `payValue` are computed from local variables before the external calls. A re-entrant `mintFrom` call would process independently.
+- **Fee payment ordering.** The fee is sent AFTER the main payment (line ordering in `mintFrom`). If the main payment's pay hook re-enters and calls `mintFrom` again, the fee for the first call has not yet been sent. This is safe because the fee is pre-computed from `msg.value` before the external call (`msg.value - payValue`), and each call independently computes its own fee from its own `msg.value`. Force-sent ETH (via selfdestruct) does not affect fee calculation since the fee is derived from `msg.value`, not `address(this).balance`. The fee terminal payment is wrapped in try-catch, so a reverting fee terminal does not block the mint — the fee falls back to `feeBeneficiary` then `msg.sender`.
 - **No `ReentrancyGuard`.** The publisher relies on independent local state per call. This is safe for the current implementation but fragile if mutable contract storage is added in future versions.
 
 ## 6. Integration Risks
@@ -43,7 +44,7 @@
 - **No mechanism for hook migration.** `dataHookOf` is written once in `deployProjectFor` and never updated. If the data hook becomes compromised, there is no governance path to replace it without deploying a new project.
 - **Tier ID prediction.** `_setupPosts` predicts new tier IDs as `maxTierIdOf(hook) + 1 + i`. If another transaction adds tiers between `maxTierIdOf` read and `adjustTiers` execution, tier IDs shift and the wrong tiers are minted. This is a race condition in concurrent posting.
 - **CTProjectOwner accepts any project NFT.** `onERC721Received` grants `ADJUST_721_TIERS` to `PUBLISHER` for whatever tokenId is received. If a non-Croptop project is accidentally transferred to `CTProjectOwner`, the publisher gains tier adjustment permission for it.
-- **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance, fee payments could fail and block all minting.
+- **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance, fee payments will fail. However, the fee terminal payment is wrapped in try-catch: on failure, the fee is sent to `feeBeneficiary` via low-level call, then to `msg.sender` if that also fails. Minting is never blocked by a broken fee terminal, but the fee project loses revenue during the outage.
 
 ## 7. Accepted Behaviors
 

package/SKILLS.md

@@ -127,7 +127,7 @@ Permissioned NFT publishing system that lets anyone post content as 721 tiers to
 1. **Bit-packed allowances.** Allowances are packed into a single `uint256`: price in bits 0-103, min supply in 104-135, max supply in 136-167, max split percent in 168-199. Reading with wrong bit widths silently returns wrong values.
 2. **Fee is 1/20, not a percentage.** `FEE_DIVISOR = 20` means fee = `totalPrice / 20` = 5%. Integer division truncates (rounding down favors payer).
 3. **Fee skipped for fee project.** When `projectId == FEE_PROJECT_ID`, no fee is deducted. This prevents self-referential fee loops.
-4. **Fee payment uses contract balance.** After the main payment, `mintFrom` sends `address(this).balance` as the fee. If the main payment uses exact funds (no remainder), the fee transfer is skipped entirely.
+4. **Fee payment is pre-computed and try-catch wrapped.** After the main payment, `mintFrom` computes the fee as `msg.value - payValue` and sends it to the fee terminal via try-catch. If the fee terminal reverts, the fee falls back to `feeBeneficiary.call{value}`, then `msg.sender.call{value}`. A broken fee terminal never blocks mints.
 5. **Tier reuse by IPFS URI.** If an encoded IPFS URI was already minted on the hook, the existing tier ID is reused instead of creating a new tier. The poster still gets a mint of the existing tier. The fee is calculated from the actual tier price stored on-chain (not from `post.price`), preventing fee evasion (H-19 fix).
 6. **Stale tier mapping cleanup.** If a tier was removed externally via `adjustTiers()`, the `tierIdForEncodedIPFSUriOf` mapping is automatically cleared when the same IPFS URI is posted again, allowing a new tier to be created (L-52 fix).
 7. **Array resizing via assembly.** `_setupPosts` resizes `tiersToAdd` via inline assembly when some posts reuse existing tiers. The `tierIdsToMint` array is NOT resized and may contain zeros for pre-existing tiers.

package/USER_JOURNEYS.md

@@ -168,11 +168,19 @@ Build JBMetadataResolver-compatible metadata with tier IDs and referral ID.
 projectTerminal.pay{value: payValue}(projectId, NATIVE_TOKEN, payValue, nftBeneficiary, 0, "Minted from Croptop", mintMetadata)
 ```
 
-**Phase 6: Fee payment** (lines 413-429)
+**Phase 6: Fee payment** (lines 409-438)
 
 ```
-if (address(this).balance != 0) {
-    feeTerminal.pay{value: address(this).balance}(FEE_PROJECT_ID, ...)
+payValue = msg.value - payValue   // reuse payValue for pre-computed fee amount
+
+if (payValue != 0) {
+    feeTerminal = DIRECTORY.primaryTerminalOf(FEE_PROJECT_ID, NATIVE_TOKEN)
+    try feeTerminal.pay{value: payValue}(FEE_PROJECT_ID, ...) {}
+    catch {
+        // Fallback: send fee to feeBeneficiary, then msg.sender
+        feeBeneficiary.call{value: payValue}("")
+        // If that fails too, msg.sender.call{value: payValue}("")
+    }
 }
 ```
 
@@ -205,9 +213,9 @@ if (address(this).balance != 0) {
 - **Empty posts array:** `_setupPosts` returns with `totalPrice = 0`, `tiersToAdd` and `tierIdsToMint` both empty. `adjustTiers` is called with an empty array (no-op). The project terminal receives `msg.value` (no fee deducted since `totalPrice / 20 = 0`). The fee terminal receives nothing.
 - **All posts reuse existing tiers:** No new tiers are created. `tiersToAdd` is resized to length 0 via assembly. `adjustTiers` is a no-op. Fees are calculated from on-chain tier prices.
 - **Mixed new and existing tiers:** `tiersToAdd` is resized via assembly to contain only new tiers. `tierIdsToMint` contains a mix of new and existing IDs.
-- **`msg.value` exceeds required amount:** Excess ETH is sent to the fee project (via `address(this).balance`). The poster overpays the fee project.
-- **`msg.value` is exactly right:** `address(this).balance` after the project payment equals the fee. Fee project receives the correct amount.
-- **`projectId == FEE_PROJECT_ID`:** No fee is deducted. Full `msg.value` goes to the project terminal. `address(this).balance` is 0 after the project payment (no fee payment occurs).
+- **`msg.value` exceeds required amount:** Excess ETH goes to the fee project via the pre-computed fee (`msg.value - payValue`). The poster overpays the fee project.
+- **`msg.value` is exactly right:** The pre-computed fee amount equals the expected fee. Fee project receives the correct amount.
+- **`projectId == FEE_PROJECT_ID`:** No fee is deducted. Full `msg.value` goes to the project terminal. The pre-computed fee is 0 (no fee payment occurs).
 - **Tier price is 0:** Posting criteria allow `minimumPrice = 0`. A post with `price = 0` creates a free tier. Fee on a free tier is 0. The poster sends 0 ETH (or only ETH for other posts in the batch).
 - **`nftBeneficiary = address(0)`:** The terminal payment may succeed (depending on terminal implementation), but the NFTs would be minted to `address(0)`, effectively burning them.
 - **`hook.adjustTiers()` reverts:** The entire transaction reverts. No state changes are committed. The poster's ETH is returned.
@@ -329,20 +337,29 @@ When `projectId == FEE_PROJECT_ID`, the fee calculation is skipped entirely. The
 
 ### Fee Routing
 
-After the project payment completes:
+After the project payment completes, the fee amount is pre-computed as `msg.value - payValue`:
 
 ```solidity
-if (address(this).balance != 0) {
+payValue = msg.value - payValue;  // reuse payValue for the pre-computed fee amount
+
+if (payValue != 0) {
     IJBTerminal feeTerminal = DIRECTORY.primaryTerminalOf(FEE_PROJECT_ID, NATIVE_TOKEN);
-    feeTerminal.pay{value: address(this).balance}({
+    try feeTerminal.pay{value: payValue}({
         projectId: FEE_PROJECT_ID,
-        amount: address(this).balance,
+        amount: payValue,
         token: NATIVE_TOKEN,
         beneficiary: feeBeneficiary,
         minReturnedTokens: 0,
         memo: "",
         metadata: feeMetadata
-    });
+    }) {}
+    catch {
+        // Fallback: send fee to feeBeneficiary, then msg.sender if that fails too.
+        (bool success,) = feeBeneficiary.call{value: payValue}("");
+        if (!success) {
+            (success,) = msg.sender.call{value: payValue}("");
+        }
+    }
 }
 ```
 
@@ -368,10 +385,10 @@ The `feeBeneficiary` parameter in `mintFrom()` determines who receives the fee p
 
 ### Edge Cases
 
-- **Fee project has no primary terminal:** `DIRECTORY.primaryTerminalOf()` returns `address(0)`. The `pay()` call to address(0) reverts. The entire `mintFrom()` transaction reverts (including the project payment).
-- **Fee terminal reverts:** Same as above -- entire `mintFrom()` reverts. No state changes persist.
-- **`address(this).balance == 0` after project payment:** This happens when `fee == 0` (e.g., `totalPrice < FEE_DIVISOR` or `projectId == FEE_PROJECT_ID`). The fee payment is skipped entirely.
-- **Force-sent ETH (via `selfdestruct`):** If ETH was force-sent to CTPublisher before the `mintFrom()` call, it is included in `address(this).balance` and routed to the fee project. CTPublisher has no `receive()` or `fallback()`, so normal sends revert. Only `selfdestruct` (deprecated post-Dencun) can force-send ETH.
+- **Fee project has no primary terminal:** `DIRECTORY.primaryTerminalOf()` returns `address(0)`. The `pay()` call to address(0) reverts inside the try-catch. The fee falls back to `feeBeneficiary.call{value}`, then `msg.sender.call{value}`. The main project payment is not affected.
+- **Fee terminal reverts:** The fee terminal payment is wrapped in try-catch. If the fee terminal reverts, the fee is sent to `feeBeneficiary` via low-level call. If that also fails, the fee is sent to `msg.sender`. The main project payment is never rolled back due to a fee terminal failure. The fee project loses revenue during the outage.
+- **Pre-computed fee is 0:** This happens when `fee == 0` (e.g., `totalPrice < FEE_DIVISOR` or `projectId == FEE_PROJECT_ID`). The fee payment is skipped entirely.
+- **Force-sent ETH (via `selfdestruct`):** The fee amount is now pre-computed as `msg.value - payValue` rather than using `address(this).balance`. Force-sent ETH does not affect fee calculation or routing. CTPublisher has no `receive()` or `fallback()`, so normal sends revert. Only `selfdestruct` (deprecated post-Dencun) can force-send ETH, and it remains in the contract.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@croptop/core-v6",
-    "version": "0.0.23",
+    "version": "0.0.24",
     "license": "MIT",
     "repository": {
         "type": "git",

package/src/CTPublisher.sol

@@ -416,9 +416,9 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             IJBTerminal feeTerminal =
                 DIRECTORY.primaryTerminalOf({projectId: FEE_PROJECT_ID, token: JBConstants.NATIVE_TOKEN});
 
-            // Make the fee payment.
+            // Make the fee payment. Wrapped in try-catch so a reverting fee terminal doesn't block mints.
             // slither-disable-next-line unused-return
-            feeTerminal.pay{value: payValue}({
+            try feeTerminal.pay{value: payValue}({
                 projectId: FEE_PROJECT_ID,
                 amount: payValue,
                 token: JBConstants.NATIVE_TOKEN,
@@ -426,7 +426,16 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                 minReturnedTokens: 0,
                 memo: "",
                 metadata: feeMetadata
-            });
+            }) {}
+            catch {
+                // If the fee payment fails, send the fee to the beneficiary instead.
+                (bool success,) = feeBeneficiary.call{value: payValue}("");
+                if (!success) {
+                    // If that also fails, send to the msg.sender.
+                    // slither-disable-next-line low-level-calls
+                    (success,) = msg.sender.call{value: payValue}("");
+                }
+            }
         }
     }