@croptop/core-v6 0.0.28 → 0.0.29

package/ADMINISTRATION.md

@@ -161,7 +161,7 @@ What admins CANNOT do:
 
 4. **Project owners cannot disable Croptop posting entirely for a category.** `configurePostingCriteriaFor()` requires `minimumTotalSupply > 0`. The workaround is to set an astronomically high `minimumPrice` with `minimumTotalSupply = maximumTotalSupply = 1`. See finding NM-006.
 
-5. **Project owners cannot bypass posting criteria to mint directly through CTPublisher.** They must use `mintFrom()` like anyone else, which enforces all configured rules. However, owners can adjust tiers directly on the hook (bypassing CTPublisher) if they have `ADJUST_721_TIERS` permission.
+5. **Project owners cannot bypass posting criteria through `CTPublisher`, but they may still bypass the publisher surface entirely.** `mintFrom()` enforces all configured rules. Separately, the initial owner/operator can hold direct hook-management permissions from `CTDeployer`, which lets them adjust tiers or mint without going through `CTPublisher` until ownership is claimed away or permissions are narrowed.
 
 6. **CTPublisher cannot mint without paying.** `mintFrom()` requires `msg.value >= totalPrice + fee`. There is no free-mint path through CTPublisher.
 
@@ -169,6 +169,6 @@ What admins CANNOT do:
 
 8. **No admin can modify existing tier prices.** Once a tier is created via `_setupPosts()`, the price is set in the `JB721TiersHookStore`. CTPublisher uses the stored price for fee calculation on subsequent mints (not `post.price`). See H-19 fix.
 
-9. **No admin can drain CTPublisher funds.** CTPublisher has no `withdraw()` function and no `receive()` / `fallback()`. The only ETH that enters the contract is during `mintFrom()` and it is fully routed to the project terminal and fee terminal (or fallback recipients) within the same transaction. The fee terminal payment is wrapped in try-catch with fallback to `feeBeneficiary` then `msg.sender`, so ETH is never stranded by a fee terminal failure.
+9. **No admin can drain CTPublisher funds.** CTPublisher has no `withdraw()` function and no `receive()` / `fallback()`. The only ETH that enters the contract is during `mintFrom()` and it is fully routed to the project terminal and fee terminal (or refunded to the caller if the fee terminal reverts) within the same transaction. If that refund also fails, the mint reverts rather than trapping ETH in the publisher.
 
 10. **Sucker registry trust is irrevocable.** The `MAP_SUCKER_TOKEN` permission is granted at CTDeployer construction with `projectId: 0` (wildcard). There is no function to revoke this permission from within CTDeployer.

package/ARCHITECTURE.md

@@ -30,7 +30,7 @@ poster
   -> publisher validates each post against project-defined criteria
   -> publisher calls the 721 hook to create or reuse tiers
   -> project terminal receives the publish payment
-  -> fee project receives the fixed fee slice
+  -> fee project receives the fixed fee slice, or `_msgSender()` is refunded that fee if the fee terminal rejects it
   -> first copy of each created tier is minted to the poster
 ```
 
@@ -46,6 +46,7 @@ creator
 
 - A post is valid only if it satisfies the configured category, price, supply, split, and allowlist constraints.
 - Fee routing must be computed from the payment value, not transient contract balance, so forced ETH cannot distort the fee.
+- Fee routing must not strand ETH in `CTPublisher`. If the fee terminal rejects payment, the fee is refunded to `_msgSender()`; if that refund fails, the mint reverts.
 - `CTProjectOwner` only makes sense as a lock, not a flexible admin layer. Once a project is burn-locked, Croptop becomes the only intended tier-adjustment path.
 - Publishing should not bypass the 721 hook's own invariants around tier creation and minting.
 
@@ -53,7 +54,7 @@ creator
 
 - Post validation is spread across category rules, split limits, supply bounds, and optional allowlists.
 - `CTDeployer` is subtle because it is both a launch helper and, in some flows, a runtime hook proxy.
-- Fee routing has multiple fallback paths and needs to stay value-conserving under failure.
+- Fee routing is intentionally liveness-first: it prefers refunding `_msgSender()` over blocking the mint when the fee terminal is down, but still reverts if the refund itself cannot be delivered.
 
 ## Dependencies
 

package/README.md

@@ -14,7 +14,9 @@ Croptop is built around three ideas:
 - publishers call `mintFrom` to create or reuse 721 tiers that represent their post
 - a one-click deployer can create a full Juicebox project, its 721 hook configuration, and its posting rules in a single transaction
 
-Every mint collects a 5% Croptop fee unless the target project is itself the fee project.
+Every mint collects a 5% Croptop fee unless the target project is itself the fee project. If the configured fee
+terminal rejects that fee payment, Croptop refunds the fee portion to `_msgSender()` and still lets the publish
+continue. If `_msgSender()` cannot receive ETH, the mint reverts.
 
 Use this repo when the product is "permissioned publishing on a Juicebox project." Do not use it when you only need plain 721 tier sales; that belongs in `nana-721-hook-v6`.
 
@@ -62,6 +64,9 @@ Useful scripts:
 
 Deployments are handled through Sphinx using the environments configured in the repo scripts. `CTDeployer` can also compose cross-chain sucker deployments when the target publishing project needs omnichain support.
 
+The deploy script now expects an explicit nonzero `FEE_PROJECT_ID` for canonical deployments. It does not safely
+autodiscover a fee project by scanning existing project IDs.
+
 ## Repository Layout
 
 ```text
@@ -82,6 +87,7 @@ script/
 ## Risks And Notes
 
 - posting criteria are only as safe as the project owner configures them
-- fee routing depends on the designated fee project remaining correctly configured
+- fee routing depends on the designated fee project remaining correctly configured; if its terminal rejects payments,
+  Croptop refunds the fee to `_msgSender()` instead of trapping ETH in `CTPublisher`
 - burn-lock ownership is intentionally irreversible and should only be used when immutability is desired
 - duplicate-content and stale-tier edge cases are guarded by tests, but integrations should still treat metadata reuse carefully

package/RISKS.md

@@ -31,7 +31,7 @@ This file focuses on the publishing, fee-routing, and hook-composition risks tha
 - **Fee evasion via duplicate posts across hooks.** `tierIdForEncodedIPFSUriOf` is keyed per hook. The same `encodedIPFSUri` can be posted to different hooks without duplicate detection, potentially creating fee-arbitrage opportunities.
 - **Fee calculation rounding.** Fee is `totalPrice / FEE_DIVISOR` (FEE_DIVISOR=20, so 5% fee). Integer division truncates, losing up to 19 wei per post. Negligible individually but could compound across many micro-priced posts. Explicit validation: reverts `CTPublisher_InsufficientEthSent` if `msg.value < fee` (before subtraction) or if `msg.value - fee < totalPrice` (after subtraction).
 - **Pre-computed fee routing.** `CTPublisher.mintFrom` computes the fee as `msg.value - payValue` before the external payment call, so the fee amount is determined from `msg.value` alone. Force-sent ETH (via selfdestruct) does not affect fee calculation.
-- **Try-catch fee payment.** The fee terminal payment is wrapped in try-catch. If the fee terminal reverts, the fee is sent to `feeBeneficiary` via low-level call. If that also fails, the fee is sent to `msg.sender`. This means a broken fee terminal does not block mints, but the fee project may lose fee revenue during the outage.
+- **Fee terminal fallback refunds the caller.** If the configured fee terminal cannot accept the fee payment, `mintFrom` refunds the fee portion to `_msgSender()`. This preserves mint liveness for normal callers, but relayers or contracts that cannot receive ETH will still cause the mint to revert.
 - **Split percent manipulation.** Posters can set `splitPercent` up to `maximumSplitPercent`. Splits route funds away from the project treasury to poster-specified addresses. If `maximumSplitPercent` is set high, posters can redirect most of the tier revenue.
 
 ## 3. Access Control
@@ -61,7 +61,7 @@ This file focuses on the publishing, fee-routing, and hook-composition risks tha
 - **No mechanism for hook migration.** `dataHookOf` is written once in `deployProjectFor` and never updated. If the data hook becomes compromised, there is no governance path to replace it without deploying a new project.
 - **Tier ID prediction.** `_setupPosts` predicts new tier IDs as `maxTierIdOf(hook) + 1 + i`. If another transaction adds tiers between `maxTierIdOf` read and `adjustTiers` execution, tier IDs shift and the wrong tiers are minted. This is a race condition in concurrent posting.
 - **CTProjectOwner accepts any project NFT.** `onERC721Received` grants `ADJUST_721_TIERS` to `PUBLISHER` for whatever tokenId is received. If a non-Croptop project is accidentally transferred to `CTProjectOwner`, the publisher gains tier adjustment permission for it.
-- **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance, fee payments will fail. However, the fee terminal payment is wrapped in try-catch: on failure, the fee is sent to `feeBeneficiary` via low-level call, then to `msg.sender` if that also fails. Minting is never blocked by a broken fee terminal, but the fee project loses revenue during the outage.
+- **Fee payment destination.** Fees are routed to `FEE_PROJECT_ID` via its primary terminal. If the fee project changes its terminal or token acceptance incompatibly, `mintFrom` attempts to refund the fee to `_msgSender()`. If the caller cannot receive ETH, the mint reverts.
 
 ## 7. Accepted Behaviors
 
@@ -73,6 +73,13 @@ This file focuses on the publishing, fee-routing, and hook-composition risks tha
 
 `_setupPosts` predicts new tier IDs as `maxTierIdOf(hook) + 1 + i`. A concurrent `adjustTiers` call between the `maxTierIdOf` read and the `adjustTiers` execution shifts all predicted IDs, causing the wrong tiers to be minted. This is a known race condition. Mitigation is at the application layer: frontends should use nonce-based transaction ordering or warn users about concurrent posting. The hook-level `adjustTiers` is atomic (all-or-nothing), so a failed prediction reverts the entire batch cleanly.
 
+### 7.3 Project owners can bypass the publisher surface while they retain direct hook permissions
+
+`CTDeployer.deployProjectFor` intentionally grants the initial owner/operator enough hook permissions to manage the
+collection directly. That means the owner can bypass `CTPublisher`'s policy and fee path until ownership is moved into
+another authority surface or those permissions are narrowed. This is an accepted product tradeoff and should be treated
+as part of the trust model, not as a hidden invariant enforced by `CTPublisher`.
+
 ## 8. Invariants to Verify
 
 - `tierIdForEncodedIPFSUriOf[hook][encodedIPFSUri]` is set exactly once per (hook, encodedIPFSUri) pair and points to a valid, non-removed tier.

package/USER_JOURNEYS.md

@@ -26,9 +26,9 @@
 **Flow**
 1. The publisher calls `mintFrom(...)` or the equivalent publishing surface with the content URI and pricing data.
 2. `CTPublisher` checks the post against category rules and fee policy.
-3. It creates or reuses the underlying 721 tier, mints the first copy, and routes both project revenue and the Croptop fee.
+3. It creates or reuses the underlying 721 tier, mints the first copy, and routes both project revenue and the Croptop fee. If the fee terminal is unavailable, the fee is refunded to `_msgSender()` instead.
 
-**Failure cases that matter:** duplicate URIs, split configurations that evade fees, stale tier mappings, and publisher inputs that satisfy the 721 hook but violate Croptop's stricter publishing rules.
+**Failure cases that matter:** duplicate URIs, split configurations that evade fees, stale tier mappings, publisher inputs that satisfy the 721 hook but violate Croptop's stricter publishing rules, and callers that cannot receive ETH when a fee refund fallback is needed.
 
 ## Journey 3: Launch A New Croptop Project End To End
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@croptop/core-v6",
-    "version": "0.0.28",
+  "version": "0.0.29",
     "license": "MIT",
     "repository": {
         "type": "git",
@@ -17,12 +17,11 @@
     },
     "dependencies": {
         "@bananapus/721-hook-v6": "^0.0.30",
-        "@bananapus/address-registry-v6": "^0.0.16",
-        "@bananapus/buyback-hook-v6": "^0.0.24",
-        "@bananapus/core-v6": "^0.0.30",
+        "@bananapus/buyback-hook-v6": "^0.0.25",
+        "@bananapus/core-v6": "^0.0.31",
         "@bananapus/ownable-v6": "^0.0.16",
         "@bananapus/permission-ids-v6": "^0.0.15",
-        "@bananapus/router-terminal-v6": "^0.0.24",
+        "@bananapus/router-terminal-v6": "^0.0.25",
         "@bananapus/suckers-v6": "^0.0.20",
         "@openzeppelin/contracts": "^5.6.1"
     },

package/script/Deploy.s.sol

@@ -64,29 +64,10 @@ contract DeployScript is Script, Sphinx {
     }
 
     function deploy() public sphinx {
-        // If the fee project id is 0, then we want to deploy a new fee project — but only if the publisher
-        // singleton doesn't already exist. Re-running with FEE_PROJECT_ID=0 would create a second fee project
-        // with different CREATE2 addresses, stranding the previous suite.
-        if (FEE_PROJECT_ID == 0) {
-            // Check if the publisher already exists by scanning existing project IDs.
-            uint256 _existingCount = core.projects.count();
-            bool _found;
-            for (uint256 _candidateId = 1; _candidateId <= _existingCount; _candidateId++) {
-                (, bool _exists) = _isDeployed({
-                    salt: PUBLISHER_SALT,
-                    creationCode: type(CTPublisher).creationCode,
-                    arguments: abi.encode(core.directory, core.permissions, _candidateId, TRUSTED_FORWARDER)
-                });
-                if (_exists) {
-                    FEE_PROJECT_ID = _candidateId;
-                    _found = true;
-                    break;
-                }
-            }
-            if (!_found) {
-                FEE_PROJECT_ID = core.projects.createFor(safeAddress());
-            }
-        }
+        // Canonical Croptop deployments must bind fees to an explicit fee project. Autodiscovering the first
+        // matching publisher by scanning project IDs is unsafe because a preexisting publisher can pin fees to
+        // the wrong project forever.
+        require(FEE_PROJECT_ID != 0, "explicit fee project id required");
 
         CTPublisher publisher;
         {

package/src/CTDeployer.sol

@@ -248,6 +248,9 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
     }
 
     /// @notice Deploy a simple project meant to receive posts from Croptop templates.
+    /// @dev The initial project owner is intentionally granted direct hook-management permissions from
+    /// `CTDeployer`. This means the owner/operator can bypass the Croptop publisher path and interact
+    /// with the hook directly if they choose to. That is an explicit product tradeoff.
     /// @param owner The address that'll own the project.
     /// @param projectConfig The configuration for the project.
     /// @param suckerDeploymentConfiguration The configuration for the suckers to deploy.
@@ -342,7 +345,8 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         // These permissions are granted from CTDeployer (address(this)) to the initial owner.
         // The hook checks permissions against hook.owner(), which after claimCollectionOwnershipOf() resolves
         // dynamically via PROJECTS.ownerOf(projectId). Before claiming, CTDeployer is the static hook owner,
-        // so these permissions allow the project owner to manage tiers through CTDeployer.
+        // so these permissions allow the project owner to manage tiers through CTDeployer. As a tradeoff,
+        // the owner can also bypass the Croptop publisher surface until ownership is claimed away.
         uint8[] memory permissionIds = new uint8[](4);
         permissionIds[0] = JBPermissionIds.ADJUST_721_TIERS;
         permissionIds[1] = JBPermissionIds.SET_721_METADATA;

package/src/CTPublisher.sol

@@ -34,6 +34,7 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     error CTPublisher_MaxTotalSupplyLessThanMin(uint256 min, uint256 max);
     error CTPublisher_NotInAllowList(address addr, address[] allowedAddresses);
     error CTPublisher_PriceTooSmall(uint256 price, uint256 minimumPrice);
+    error CTPublisher_FeePaymentFailed(uint256 feeAmount);
     error CTPublisher_SplitPercentExceedsMaximum(uint256 splitPercent, uint256 maximumSplitPercent);
     error CTPublisher_TotalSupplyTooBig(uint256 totalSupply, uint256 maximumTotalSupply);
     error CTPublisher_TotalSupplyTooSmall(uint256 totalSupply, uint256 minimumTotalSupply);
@@ -417,7 +418,8 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             IJBTerminal feeTerminal =
                 DIRECTORY.primaryTerminalOf({projectId: FEE_PROJECT_ID, token: JBConstants.NATIVE_TOKEN});
 
-            // Make the fee payment. Wrapped in try-catch so a reverting fee terminal doesn't block mints.
+            // Make the fee payment. If the fee sink is unavailable, refund the fee to the caller
+            // rather than trapping or silently redirecting protocol funds.
             // slither-disable-next-line unused-return
             try feeTerminal.pay{value: payValue}({
                 projectId: FEE_PROJECT_ID,
@@ -429,13 +431,9 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                 metadata: feeMetadata
             }) {}
             catch {
-                // If the fee payment fails, send the fee to the beneficiary instead.
-                (bool success,) = feeBeneficiary.call{value: payValue}("");
-                if (!success) {
-                    // If that also fails, send to the msg.sender.
-                    // slither-disable-next-line low-level-calls
-                    (success,) = msg.sender.call{value: payValue}("");
-                }
+                // slither-disable-next-line low-level-calls
+                (bool success,) = _msgSender().call{value: payValue}("");
+                if (!success) revert CTPublisher_FeePaymentFailed(payValue);
             }
         }
     }

package/test/audit/DeployerPermissionBypass.t.sol

@@ -0,0 +1,213 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
+import {JBDeploy721TiersHookConfig} from "@bananapus/721-hook-v6/src/structs/JBDeploy721TiersHookConfig.sol";
+import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
+import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+
+import {CTDeployer} from "../../src/CTDeployer.sol";
+import {CTPublisher} from "../../src/CTPublisher.sol";
+import {ICTPublisher} from "../../src/interfaces/ICTPublisher.sol";
+import {CTDeployerAllowedPost} from "../../src/structs/CTDeployerAllowedPost.sol";
+import {CTProjectConfig} from "../../src/structs/CTProjectConfig.sol";
+import {CTSuckerDeploymentConfig} from "../../src/structs/CTSuckerDeploymentConfig.sol";
+
+contract MockProjects {
+    uint256 public countValue;
+    address public ownerOfProject;
+
+    function setCount(uint256 count_) external {
+        countValue = count_;
+    }
+
+    function setOwner(address owner_) external {
+        ownerOfProject = owner_;
+    }
+
+    function count() external view returns (uint256) {
+        return countValue;
+    }
+
+    function ownerOf(uint256) external view returns (address) {
+        return ownerOfProject;
+    }
+
+    function transferFrom(address, address to, uint256) external {
+        ownerOfProject = to;
+    }
+}
+
+contract MockController {
+    MockProjects public immutable PROJECTS;
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    uint256 public immutable nextProjectId;
+
+    constructor(MockProjects projects_, uint256 nextProjectId_) {
+        PROJECTS = projects_;
+        nextProjectId = nextProjectId_;
+    }
+
+    function launchProjectFor(
+        address,
+        string calldata,
+        JBRulesetConfig[] calldata,
+        JBTerminalConfig[] calldata,
+        string calldata
+    )
+        external
+        view
+        returns (uint256)
+    {
+        return nextProjectId;
+    }
+}
+
+contract MockSuckerRegistry {
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function deploySuckersFor(
+        uint256,
+        bytes32,
+        JBSuckerDeployerConfig[] calldata
+    )
+        external
+        pure
+        returns (address[] memory suckers)
+    {
+        return suckers;
+    }
+}
+
+contract PermissionedHook is JBPermissioned {
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    address public immutable ownerAccount;
+    // forge-lint: disable-next-line(screaming-snake-case-immutable)
+    uint256 public immutable projectId;
+    bool public adjusted;
+
+    constructor(IJBPermissions permissions, address ownerAccount_, uint256 projectId_) JBPermissioned(permissions) {
+        ownerAccount = ownerAccount_;
+        projectId = projectId_;
+    }
+
+    // forge-lint: disable-next-line(mixed-case-function)
+    function PROJECT_ID() external view returns (uint256) {
+        return projectId;
+    }
+
+    function owner() external view returns (address) {
+        return ownerAccount;
+    }
+
+    function adjustTiers(JB721TierConfig[] calldata, uint256[] calldata) external {
+        _requirePermissionFrom(ownerAccount, projectId, JBPermissionIds.ADJUST_721_TIERS);
+        adjusted = true;
+    }
+}
+
+contract MockHookDeployer {
+    IJB721TiersHook public hook;
+
+    function setHook(IJB721TiersHook hook_) external {
+        hook = hook_;
+    }
+
+    function deployHookFor(
+        uint256,
+        JBDeploy721TiersHookConfig calldata,
+        bytes32
+    )
+        external
+        view
+        returns (IJB721TiersHook)
+    {
+        return hook;
+    }
+}
+
+contract DeployerPermissionBypassTest is Test {
+    JBPermissions permissions;
+    MockProjects projects;
+    MockHookDeployer hookDeployer;
+    MockSuckerRegistry suckerRegistry;
+    MockController controller;
+    CTPublisher publisher;
+    CTDeployer deployer;
+    PermissionedHook hook;
+
+    address owner = makeAddr("owner");
+
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new MockProjects();
+        projects.setCount(5);
+        hookDeployer = new MockHookDeployer();
+        suckerRegistry = new MockSuckerRegistry();
+        publisher = new CTPublisher(IJBDirectory(makeAddr("directory")), permissions, 1, address(0));
+        deployer = new CTDeployer(
+            permissions,
+            IJBProjects(address(projects)),
+            IJB721TiersHookDeployer(address(hookDeployer)),
+            ICTPublisher(address(publisher)),
+            IJBSuckerRegistry(address(suckerRegistry)),
+            address(0)
+        );
+        hook = new PermissionedHook(permissions, address(deployer), 6);
+        hookDeployer.setHook(IJB721TiersHook(address(hook)));
+        controller = new MockController(projects, 6);
+    }
+
+    function test_projectOwnerCanBypassCroptopAndCallHookDirectlyAfterDeployment() public {
+        CTDeployerAllowedPost[] memory allowedPosts = new CTDeployerAllowedPost[](1);
+        allowedPosts[0] = CTDeployerAllowedPost({
+            category: 1,
+            minimumPrice: 1 ether,
+            minimumTotalSupply: 10,
+            maximumTotalSupply: 10,
+            maximumSplitPercent: 0,
+            allowedAddresses: new address[](0)
+        });
+
+        CTProjectConfig memory config = CTProjectConfig({
+            terminalConfigurations: new JBTerminalConfig[](0),
+            projectUri: "ipfs://project",
+            allowedPosts: allowedPosts,
+            contractUri: "ipfs://contract",
+            name: "Croptop",
+            symbol: "CT",
+            salt: bytes32(0)
+        });
+
+        CTSuckerDeploymentConfig memory suckerConfig =
+            CTSuckerDeploymentConfig({deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: bytes32(0)});
+
+        deployer.deployProjectFor(owner, config, suckerConfig, IJBController(address(controller)));
+
+        assertEq(projects.ownerOf(6), owner, "deployment should hand the project NFT to the owner");
+
+        JB721TierConfig[] memory arbitraryTiers = new JB721TierConfig[](0);
+        uint256[] memory removals = new uint256[](0);
+
+        vm.prank(owner);
+        PermissionedHook(address(hook)).adjustTiers(arbitraryTiers, removals);
+
+        assertTrue(hook.adjusted(), "project owner can mutate the hook without going through Croptop");
+    }
+}

package/test/audit/FeeFallbackBlackhole.t.sol

@@ -0,0 +1,263 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
+import {IJB721TiersHookStore} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookStore.sol";
+import {JB721Tier} from "@bananapus/721-hook-v6/src/structs/JB721Tier.sol";
+import {JB721TierConfig} from "@bananapus/721-hook-v6/src/structs/JB721TierConfig.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+
+import {CTPublisher} from "../../src/CTPublisher.sol";
+import {CTAllowedPost} from "../../src/structs/CTAllowedPost.sol";
+import {CTPost} from "../../src/structs/CTPost.sol";
+
+contract BlackholeMockPermissions is IJBPermissions {
+    // forge-lint: disable-next-line(mixed-case-function)
+    function WILDCARD_PROJECT_ID() external pure returns (uint256) {
+        return 0;
+    }
+
+    function permissionsOf(address, address, uint256) external pure returns (uint256) {
+        return 0;
+    }
+
+    function hasPermission(address, address, uint256, uint256, bool, bool) external pure returns (bool) {
+        return true;
+    }
+
+    function hasPermissions(address, address, uint256, uint256[] calldata, bool, bool) external pure returns (bool) {
+        return true;
+    }
+
+    function setPermissionsFor(address, JBPermissionsData calldata) external {}
+}
+
+contract BlackholeMockStore {
+    function maxTierIdOf(address) external pure returns (uint256) {
+        return 0;
+    }
+
+    function isTierRemoved(address, uint256) external pure returns (bool) {
+        return false;
+    }
+
+    function tierOf(address, uint256, bool) external pure returns (JB721Tier memory tier) {
+        return tier;
+    }
+}
+
+contract BlackholeMockHook {
+    uint256 public immutable PROJECT_ID;
+    IJB721TiersHookStore public immutable STORE;
+    address public immutable OWNER;
+
+    constructor(uint256 projectId, IJB721TiersHookStore store_, address owner_) {
+        PROJECT_ID = projectId;
+        STORE = store_;
+        OWNER = owner_;
+    }
+
+    function adjustTiers(JB721TierConfig[] calldata, uint256[] calldata) external {}
+
+    function METADATA_ID_TARGET() external view returns (address) {
+        return address(this);
+    }
+
+    function owner() external view returns (address) {
+        return OWNER;
+    }
+}
+
+contract AcceptingProjectTerminal {
+    uint256 public totalReceived;
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        returns (uint256)
+    {
+        totalReceived += msg.value;
+        return 0;
+    }
+}
+
+contract RevertingFeeTerminal {
+    error FeeTerminalDown();
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        returns (uint256)
+    {
+        revert FeeTerminalDown();
+    }
+}
+
+contract BlackholeDirectory {
+    address public projectTerminal;
+    address public feeTerminal;
+
+    function setTerminals(address projectTerminal_, address feeTerminal_) external {
+        projectTerminal = projectTerminal_;
+        feeTerminal = feeTerminal_;
+    }
+
+    function primaryTerminalOf(uint256 projectId, address) external view returns (IJBTerminal) {
+        return IJBTerminal(projectId == 1 ? feeTerminal : projectTerminal);
+    }
+}
+
+contract RejectingFeeBeneficiary {
+    receive() external payable {
+        revert("no fee");
+    }
+}
+
+contract RejectingMintCaller {
+    function execute(
+        CTPublisher publisher,
+        IJB721TiersHook hook,
+        CTPost[] memory posts,
+        address nftBeneficiary,
+        address feeBeneficiary
+    )
+        external
+        payable
+    {
+        publisher.mintFrom{value: msg.value}(hook, posts, nftBeneficiary, feeBeneficiary, bytes(""), bytes(""));
+    }
+
+    receive() external payable {
+        revert("no refund");
+    }
+}
+
+contract AcceptingMintCaller {
+    function execute(
+        CTPublisher publisher,
+        IJB721TiersHook hook,
+        CTPost[] memory posts,
+        address nftBeneficiary,
+        address feeBeneficiary
+    )
+        external
+        payable
+    {
+        publisher.mintFrom{value: msg.value}(hook, posts, nftBeneficiary, feeBeneficiary, bytes(""), bytes(""));
+    }
+
+    receive() external payable {}
+}
+
+contract FeeFallbackBlackholeTest is Test {
+    BlackholeMockPermissions permissions;
+    BlackholeDirectory directory;
+    BlackholeMockStore store;
+    BlackholeMockHook hook;
+    AcceptingProjectTerminal projectTerminal;
+    RevertingFeeTerminal feeTerminal;
+    RejectingFeeBeneficiary feeBeneficiary;
+    RejectingMintCaller caller;
+    AcceptingMintCaller acceptingCaller;
+    CTPublisher publisher;
+
+    function setUp() public {
+        permissions = new BlackholeMockPermissions();
+        directory = new BlackholeDirectory();
+        store = new BlackholeMockStore();
+        hook = new BlackholeMockHook(2, IJB721TiersHookStore(address(store)), address(this));
+        projectTerminal = new AcceptingProjectTerminal();
+        feeTerminal = new RevertingFeeTerminal();
+        feeBeneficiary = new RejectingFeeBeneficiary();
+        caller = new RejectingMintCaller();
+        acceptingCaller = new AcceptingMintCaller();
+        publisher = new CTPublisher(IJBDirectory(address(directory)), permissions, 1, address(0));
+
+        directory.setTerminals(address(projectTerminal), address(feeTerminal));
+
+        CTAllowedPost[] memory allowedPosts = new CTAllowedPost[](1);
+        allowedPosts[0] = CTAllowedPost({
+            hook: address(hook),
+            category: 1,
+            minimumPrice: 1,
+            minimumTotalSupply: 1,
+            maximumTotalSupply: type(uint32).max,
+            maximumSplitPercent: 0,
+            allowedAddresses: new address[](0)
+        });
+        publisher.configurePostingCriteriaFor(allowedPosts);
+
+        vm.deal(address(caller), 105);
+        vm.deal(address(acceptingCaller), 105);
+    }
+
+    function test_feePaymentFailure_refundsMsgSenderAndPreservesMint() public {
+        CTPost[] memory posts = new CTPost[](1);
+        posts[0] = CTPost({
+            encodedIPFSUri: keccak256("post"),
+            totalSupply: 1,
+            price: 100,
+            category: 1,
+            splitPercent: 0,
+            splits: new JBSplit[](0)
+        });
+
+        vm.prank(address(acceptingCaller));
+        acceptingCaller.execute{value: 105}(
+            publisher, IJB721TiersHook(address(hook)), posts, address(this), address(feeBeneficiary)
+        );
+
+        assertEq(projectTerminal.totalReceived(), 100, "main project payment should still succeed");
+        assertEq(address(feeTerminal).balance, 0, "fee terminal should receive nothing after reverting");
+        assertEq(address(feeBeneficiary).balance, 0, "fee beneficiary should receive nothing");
+        assertEq(address(acceptingCaller).balance, 5, "caller should receive the refunded fee");
+        assertEq(address(publisher).balance, 0, "publisher should not retain trapped fees");
+    }
+
+    function test_feePaymentFailure_revertsIfMsgSenderRejectsRefund() public {
+        CTPost[] memory posts = new CTPost[](1);
+        posts[0] = CTPost({
+            encodedIPFSUri: keccak256("post"),
+            totalSupply: 1,
+            price: 100,
+            category: 1,
+            splitPercent: 0,
+            splits: new JBSplit[](0)
+        });
+
+        vm.prank(address(caller));
+        vm.expectRevert(abi.encodeWithSelector(CTPublisher.CTPublisher_FeePaymentFailed.selector, 5));
+        caller.execute{value: 105}(
+            publisher, IJB721TiersHook(address(hook)), posts, address(this), address(feeBeneficiary)
+        );
+
+        assertEq(projectTerminal.totalReceived(), 0, "main project payment should roll back with the fee failure");
+        assertEq(address(feeTerminal).balance, 0, "fee terminal should receive nothing after reverting");
+        assertEq(address(feeBeneficiary).balance, 0, "fee beneficiary should receive nothing");
+        assertEq(address(caller).balance, 105, "caller should retain funds when the mint reverts");
+        assertEq(address(publisher).balance, 0, "publisher should not retain trapped fees");
+    }
+}