@croptop/core-v6 0.0.41 → 0.0.43

package/README.md

@@ -53,7 +53,7 @@ Many Croptop bugs are really deployment-shape bugs or posting-policy bugs, not g
 1. `test/CTPublisher.t.sol`
 2. `test/CTDeployer.t.sol`
 3. `test/ClaimCollectionOwnership.t.sol`
-4. `test/audit/FeeFallbackBlackhole.t.sol`
+4. `test/regression/FeeFallbackBlackhole.t.sol`
 5. `test/regression/DuplicateUriFeeEvasion.t.sol`
 
 ## Integration Traps
@@ -105,7 +105,7 @@ src/
   interfaces/
   structs/
 test/
-  publisher, deployer, fork, attack, audit, metadata, and regression coverage
+  publisher, deployer, fork, attack, review, metadata, and regression coverage
 script/
   Deploy.s.sol
   ConfigureFeeProject.s.sol

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@croptop/core-v6",
-  "version": "0.0.41",
+  "version": "0.0.43",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -29,17 +29,17 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'croptop-core-v6'"
   },
   "dependencies": {
-    "@bananapus/721-hook-v6": "0.0.43",
-    "@bananapus/core-v6": "0.0.39",
-    "@bananapus/ownable-v6": "0.0.24",
-    "@bananapus/permission-ids-v6": "0.0.22",
-    "@bananapus/router-terminal-v6": "0.0.36",
-    "@bananapus/suckers-v6": "0.0.33",
+    "@bananapus/721-hook-v6": "^0.0.47",
+    "@bananapus/core-v6": "^0.0.44",
+    "@bananapus/ownable-v6": "^0.0.24",
+    "@bananapus/permission-ids-v6": "^0.0.23",
+    "@bananapus/router-terminal-v6": "^0.0.37",
+    "@bananapus/suckers-v6": "^0.0.37",
     "@openzeppelin/contracts": "5.6.1",
-    "@rev-net/core-v6": "0.0.37"
+    "@rev-net/core-v6": "^0.0.45"
   },
   "devDependencies": {
-    "@bananapus/address-registry-v6": "0.0.25",
+    "@bananapus/address-registry-v6": "^0.0.25",
     "@sphinx-labs/plugins": "0.33.3"
   }
 }

package/references/runtime.md

@@ -24,4 +24,4 @@
 
 - [`test/CTPublisher.t.sol`](../test/CTPublisher.t.sol) and [`test/Test_MetadataGeneration.t.sol`](../test/Test_MetadataGeneration.t.sol) for content and metadata behavior.
 - [`test/CTDeployer.t.sol`](../test/CTDeployer.t.sol) and [`test/Fork.t.sol`](../test/Fork.t.sol) for live deployment assumptions.
-- [`test/CroptopAttacks.t.sol`](../test/CroptopAttacks.t.sol) and [`test/TestAuditGaps.sol`](../test/TestAuditGaps.sol) when the issue could be in publisher or deployer behavior rather than one isolated function.
+- [`test/CroptopAttacks.t.sol`](../test/CroptopAttacks.t.sol) and [`test/TestRegressionGaps.sol`](../test/TestRegressionGaps.sol) when the issue could be in publisher or deployer behavior rather than one isolated function.

package/script/ConfigureFeeProject.s.sol

@@ -355,19 +355,22 @@ contract ConfigureFeeProjectScript is Script, Sphinx {
     function deploy() public sphinx {
         FeeProjectConfig memory feeProjectConfig = getCroptopRevnetConfig();
 
-        // Approve the basic deployer to configure the project and transfer it.
-        core.projects.approve({to: address(revnet.basic_deployer), tokenId: FEE_PROJECT_ID});
-
-        // Deploy the NANA fee project.
-        revnet.basic_deployer
-            .deployFor({
-                revnetId: FEE_PROJECT_ID,
-                configuration: feeProjectConfig.configuration,
-                terminalConfigurations: feeProjectConfig.terminalConfigurations,
-                suckerDeploymentConfiguration: feeProjectConfig.suckerDeploymentConfiguration,
-                tiered721HookConfiguration: feeProjectConfig.hookConfiguration,
-                allowedPosts: feeProjectConfig.allowedPosts
-            });
+        // Only deploy if the project hasn't already been configured (restart-safe).
+        if (address(core.directory.controllerOf(FEE_PROJECT_ID)) == address(0)) {
+            // Approve the basic deployer to configure the project and transfer it.
+            core.projects.approve({to: address(revnet.basic_deployer), tokenId: FEE_PROJECT_ID});
+
+            // Deploy the NANA fee project.
+            revnet.basic_deployer
+                .deployFor({
+                    revnetId: FEE_PROJECT_ID,
+                    configuration: feeProjectConfig.configuration,
+                    terminalConfigurations: feeProjectConfig.terminalConfigurations,
+                    suckerDeploymentConfiguration: feeProjectConfig.suckerDeploymentConfiguration,
+                    tiered721HookConfiguration: feeProjectConfig.hookConfiguration,
+                    allowedPosts: feeProjectConfig.allowedPosts
+                });
+        }
     }
 
     function _isDeployed(

package/src/CTDeployer.sol

@@ -120,7 +120,8 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
 
     /// @notice Claim ownership of the collection.
     /// @dev Two-step ownership transfer process:
-    ///   Step 1 (this function): Transfers hook ownership to the project via `transferOwnershipToProject()`.
+    ///   Step 1 (this function): Revokes the deployer-scoped permissions granted at launch, then transfers hook
+    ///     ownership to the project via `transferOwnershipToProject()`.
     ///     After this call, `hook.owner()` resolves dynamically through `PROJECTS.ownerOf(projectId)`.
     ///   Step 2 (caller must do separately): The project owner grants CTPublisher the `ADJUST_721_TIERS` permission
     ///     for the project so that `mintFrom()` continues to work.
@@ -132,11 +133,29 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         // Get the project ID of the hook.
         uint256 projectId = hook.PROJECT_ID();
 
+        // Keep a reference to the caller.
+        address caller = _msgSender();
+
         // Make sure the caller is the owner of the project.
-        if (PROJECTS.ownerOf(projectId) != _msgSender()) {
-            revert CTDeployer_NotOwnerOfProject({projectId: projectId, hook: address(hook), caller: _msgSender()});
+        if (PROJECTS.ownerOf(projectId) != caller) {
+            revert CTDeployer_NotOwnerOfProject({projectId: projectId, hook: address(hook), caller: caller});
         }
 
+        // Revoke the deployer-scoped permissions that were granted to the caller during deployment.
+        // These permissions (ADJUST_721_TIERS, SET_721_METADATA, MINT_721, SET_721_DISCOUNT_PERCENT) allowed the
+        // project owner to manage the hook while the deployer owned it. After transferring hook ownership to the
+        // project, these deployer-scoped grants are no longer needed and should be cleaned up to prevent stale
+        // permission leakage.
+        PERMISSIONS.setPermissionsFor({
+            account: address(this),
+            permissionsData: JBPermissionsData({
+                operator: caller,
+                // forge-lint: disable-next-line(unsafe-typecast)
+                projectId: uint64(projectId),
+                permissionIds: new uint8[](0)
+            })
+        });
+
         // Transfer the hook's ownership to the project.
         JBOwnable(address(hook)).transferOwnershipToProject(projectId);
     }
@@ -171,7 +190,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         projectId = PROJECTS.createFor(address(this));
 
         // Deploy a blank project.
-        // slither-disable-next-line reentrancy-benign
         hook = DEPLOYER.deployHookFor({
             projectId: projectId,
             deployTiersHookConfig: JBDeploy721TiersHookConfig({
@@ -200,7 +218,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
         rulesetConfigurations[0].metadata.useDataHookForCashOut = true;
 
         // Launch the rulesets for the reserved project.
-        // slither-disable-next-line unused-return
         controller.launchRulesetsFor({
             projectId: projectId,
             projectUri: projectConfig.projectUri,
@@ -214,7 +231,7 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
 
         // Configure allowed posts.
         if (projectConfig.allowedPosts.length > 0) {
-            _configurePostingCriteriaFor(address(hook), projectConfig.allowedPosts);
+            _configurePostingCriteriaFor({hook: address(hook), allowedPosts: projectConfig.allowedPosts});
         }
 
         // Deploy the suckers (if applicable).
@@ -226,7 +243,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
 
             // Successful deployments are discoverable from the registry, and failures are reported without reverting
             // the project launch.
-            // slither-disable-next-line unused-return
             try SUCKER_REGISTRY.deploySuckersFor({
                 projectId: projectId,
                 salt: suckerSalt,
@@ -237,7 +253,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
             // no-op
             }
             catch (bytes memory reason) {
-                // slither-disable-next-line reentrancy-events
                 emit CTDeployer_SuckerDeploymentFailed({projectId: projectId, salt: suckerSalt, reason: reason});
             }
         }
@@ -283,7 +298,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
 
         // Deploy the suckers. The sucker registry performs its own permission check against this forwarding helper,
         // so an unapproved CTDeployer fails at the downstream registry boundary without an extra preflight read here.
-        // slither-disable-next-line unused-return
         suckers = SUCKER_REGISTRY.deploySuckersFor({
             projectId: projectId,
             salt: keccak256(abi.encode(suckerDeploymentConfiguration.salt, _msgSender())),
@@ -334,7 +348,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
                 hookSpecifications
             );
         }
-        // slither-disable-next-line unused-return
         return hook.beforeCashOutRecordedWith(context);
     }
 
@@ -358,7 +371,6 @@ contract CTDeployer is ERC2771Context, JBPermissioned, IJBRulesetDataHook, IERC7
             return (context.weight, hookSpecifications);
         }
 
-        // slither-disable-next-line unused-return
         return hook.beforePayRecordedWith(context);
     }
 

package/src/CTPublisher.sol

@@ -32,19 +32,20 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     //*********************************************************************//
 
     error CTPublisher_DuplicatePost(bytes32 encodedIPFSUri);
-    error CTPublisher_EmptyEncodedIPFSUri();
+    error CTPublisher_EmptyEncodedIPFSUri(uint256 postIndex);
     error CTPublisher_InsufficientEthSent(uint256 expected, uint256 sent);
     error CTPublisher_MaxTotalSupplyLessThanMin(uint256 min, uint256 max);
     error CTPublisher_NotInAllowList(address addr, address[] allowedAddresses);
     error CTPublisher_PriceTooSmall(uint256 price, uint256 minimumPrice);
-    error CTPublisher_DuplicatePayMetadata();
+    error CTPublisher_DuplicatePayMetadata(bytes4 payMetadataId);
     error CTPublisher_FeePaymentFailed(uint256 feeAmount);
     error CTPublisher_SplitPercentExceedsMaximum(uint256 splitPercent, uint256 maximumSplitPercent);
     error CTPublisher_TotalSupplyTooBig(uint256 totalSupply, uint256 maximumTotalSupply);
     error CTPublisher_TotalSupplyTooSmall(uint256 totalSupply, uint256 minimumTotalSupply);
-    error CTPublisher_NoPosts();
-    error CTPublisher_UnauthorizedToPostInCategory();
-    error CTPublisher_ZeroTotalSupply();
+    error CTPublisher_NoPosts(address caller);
+    error CTPublisher_InvalidFeeBeneficiary();
+    error CTPublisher_UnauthorizedToPostInCategory(address hook, uint24 category);
+    error CTPublisher_ZeroTotalSupply(address hook, uint24 category);
 
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
@@ -133,7 +134,6 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             emit ConfigurePostingCriteria({hook: allowedPost.hook, allowedPost: allowedPost, caller: _msgSender()});
 
             // Enforce permissions.
-            // slither-disable-next-line reentrancy-events,calls-loop
             _requirePermissionFrom({
                 account: JBOwnable(allowedPost.hook).owner(),
                 projectId: IJB721TiersHook(allowedPost.hook).PROJECT_ID(),
@@ -142,14 +142,14 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
             // Make sure there is a minimum supply.
             if (allowedPost.minimumTotalSupply == 0) {
-                revert CTPublisher_ZeroTotalSupply();
+                revert CTPublisher_ZeroTotalSupply({hook: allowedPost.hook, category: allowedPost.category});
             }
 
             // Make sure the minimum supply does not surpass the maximum supply.
             if (allowedPost.minimumTotalSupply > allowedPost.maximumTotalSupply) {
-                revert CTPublisher_MaxTotalSupplyLessThanMin(
-                    allowedPost.minimumTotalSupply, allowedPost.maximumTotalSupply
-                );
+                revert CTPublisher_MaxTotalSupplyLessThanMin({
+                    min: allowedPost.minimumTotalSupply, max: allowedPost.maximumTotalSupply
+                });
             }
 
             uint256 packed;
@@ -190,21 +190,22 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
     /// @param additionalPayMetadata Metadata bytes that should be included in the pay function's metadata. This
     /// prepends the
     /// payload needed for NFT creation.
-    /// @param feeMetadata The metadata to send alongside the fee payment.
     function mintFrom(
         IJB721TiersHook hook,
         CTPost[] calldata posts,
         address nftBeneficiary,
         address feeBeneficiary,
-        bytes calldata additionalPayMetadata,
-        bytes calldata feeMetadata
+        bytes calldata additionalPayMetadata
     )
         external
         payable
         override
     {
         // Reject empty posts to prevent fee-free metadata shadowing.
-        if (posts.length == 0) revert CTPublisher_NoPosts();
+        if (posts.length == 0) revert CTPublisher_NoPosts(_msgSender());
+
+        // Reject address(0) as fee beneficiary to prevent burning fee project tokens.
+        if (feeBeneficiary == address(0)) revert CTPublisher_InvalidFeeBeneficiary();
 
         // Keep a reference to the amount being paid, which is msg.value minus the fee.
         uint256 payValue = msg.value;
@@ -218,7 +219,7 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
         {
             // Setup the posts.
             (JB721TierConfig[] memory tiersToAdd, uint256[] memory tierIdsToMint, uint256 totalPrice) =
-                _setupPosts(hook, posts);
+                _setupPosts({hook: hook, posts: posts});
 
             if (projectId != FEE_PROJECT_ID) {
                 // Keep a reference to the fee that will be paid.
@@ -229,7 +230,7 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
                 // Make sure enough ETH was sent to cover the fee.
                 if (payValue < fee) {
-                    revert CTPublisher_InsufficientEthSent(totalPrice + fee, msg.value);
+                    revert CTPublisher_InsufficientEthSent({expected: totalPrice + fee, sent: msg.value});
                 }
 
                 payValue -= fee;
@@ -237,11 +238,10 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
             // Make sure the amount sent to this function is at least the specified price of the tier plus the fee.
             if (totalPrice > payValue) {
-                revert CTPublisher_InsufficientEthSent(totalPrice, msg.value);
+                revert CTPublisher_InsufficientEthSent({expected: totalPrice, sent: msg.value});
             }
 
             // Add the new tiers.
-            // slither-disable-next-line reentrancy-events
             hook.adjustTiers({tiersToAdd: tiersToAdd, tierIdsToRemove: new uint256[](0)});
 
             // Keep a reference to the metadata ID target.
@@ -251,9 +251,8 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             // tier selection, allowing the caller to mint arbitrary tiers.
             {
                 bytes4 payId = JBMetadataResolver.getId({purpose: "pay", target: metadataIdTarget});
-                // slither-disable-next-line unused-return
                 (bool exists,) = JBMetadataResolver.getDataFor({id: payId, metadata: additionalPayMetadata});
-                if (exists) revert CTPublisher_DuplicatePayMetadata();
+                if (exists) revert CTPublisher_DuplicatePayMetadata(payId);
             }
 
             // Create the metadata for the payment to specify the tier IDs that should be minted. We create manually the
@@ -290,7 +289,6 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                 DIRECTORY.primaryTerminalOf({projectId: projectId, token: JBConstants.NATIVE_TOKEN});
 
             // Make the payment.
-            // slither-disable-next-line unused-return
             projectTerminal.pay{value: payValue}({
                 projectId: projectId,
                 token: JBConstants.NATIVE_TOKEN,
@@ -314,7 +312,6 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
             // Make the fee payment. If the fee sink is unavailable, refund the fee to the caller
             // rather than trapping or silently redirecting protocol funds.
-            // slither-disable-next-line unused-return
             try feeTerminal.pay{value: payValue}({
                 projectId: FEE_PROJECT_ID,
                 amount: payValue,
@@ -322,10 +319,9 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                 beneficiary: feeBeneficiary,
                 minReturnedTokens: 0,
                 memo: "",
-                metadata: feeMetadata
+                metadata: ""
             }) {}
             catch {
-                // slither-disable-next-line low-level-calls
                 (bool success,) = _msgSender().call{value: payValue}("");
                 if (!success) revert CTPublisher_FeePaymentFailed(payValue);
             }
@@ -365,7 +361,6 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
             // If there's a tier ID stored, resolve it.
             if (tierId != 0) {
-                // slither-disable-next-line calls-loop
                 tiers[i] = IJB721TiersHook(hook).STORE().tierOf({hook: hook, id: tierId, includeResolvedUri: false});
             }
 
@@ -465,13 +460,13 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
             // Make sure the post includes an encodedIPFSUri.
             // forge-lint: disable-next-line(unsafe-typecast)
             if (post.encodedIPFSUri == bytes32("")) {
-                revert CTPublisher_EmptyEncodedIPFSUri();
+                revert CTPublisher_EmptyEncodedIPFSUri({postIndex: i});
             }
 
             // Check for duplicate encodedIPFSUri within the same batch to prevent fee evasion.
             for (uint256 j; j < i;) {
                 if (posts[j].encodedIPFSUri == post.encodedIPFSUri) {
-                    revert CTPublisher_DuplicatePost(post.encodedIPFSUri);
+                    revert CTPublisher_DuplicatePost({encodedIPFSUri: post.encodedIPFSUri});
                 }
                 unchecked {
                     ++j;
@@ -488,10 +483,8 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
                     // The cache can become stale if the tier was removed (via adjustTiers) or
                     // its URI was changed (via setMetadata). In either case, clear the stale
                     // mapping and fall through to create a new tier.
-                    // slither-disable-next-line calls-loop
                     JB721Tier memory cachedTier =
                         store.tierOf({hook: address(hook), id: tierId, includeResolvedUri: false});
-                    // slither-disable-next-line calls-loop
                     if (store.isTierRemoved(address(hook), tierId) || cachedTier.encodedIPFSUri != post.encodedIPFSUri)
                     {
                         delete tierIdForEncodedIPFSUriOf[address(hook)][post.encodedIPFSUri];
@@ -520,34 +513,40 @@ contract CTPublisher is JBPermissioned, ERC2771Context, ICTPublisher {
 
                     // Make sure the category being posted to allows publishing.
                     if (minimumTotalSupply == 0) {
-                        revert CTPublisher_UnauthorizedToPostInCategory();
+                        revert CTPublisher_UnauthorizedToPostInCategory({hook: address(hook), category: post.category});
                     }
 
                     // Make sure the price being paid for the post is at least the allowed minimum price.
                     if (post.price < minimumPrice) {
-                        revert CTPublisher_PriceTooSmall(post.price, minimumPrice);
+                        revert CTPublisher_PriceTooSmall({price: post.price, minimumPrice: minimumPrice});
                     }
 
                     // Make sure the total supply being made available for the post is at least the allowed minimum
                     // total supply.
                     if (post.totalSupply < minimumTotalSupply) {
-                        revert CTPublisher_TotalSupplyTooSmall(post.totalSupply, minimumTotalSupply);
+                        revert CTPublisher_TotalSupplyTooSmall({
+                            totalSupply: post.totalSupply, minimumTotalSupply: minimumTotalSupply
+                        });
                     }
 
                     // Make sure the total supply being made available for the post is at most the allowed maximum total
                     // supply.
                     if (post.totalSupply > maximumTotalSupply) {
-                        revert CTPublisher_TotalSupplyTooBig(post.totalSupply, maximumTotalSupply);
+                        revert CTPublisher_TotalSupplyTooBig({
+                            totalSupply: post.totalSupply, maximumTotalSupply: maximumTotalSupply
+                        });
                     }
 
                     // Make sure the split percent is within the allowed maximum.
                     if (post.splitPercent > maximumSplitPercent) {
-                        revert CTPublisher_SplitPercentExceedsMaximum(post.splitPercent, maximumSplitPercent);
+                        revert CTPublisher_SplitPercentExceedsMaximum({
+                            splitPercent: post.splitPercent, maximumSplitPercent: maximumSplitPercent
+                        });
                     }
 
                     // Make sure the address is allowed to post.
                     if (addresses.length != 0 && !_isAllowed({addrs: _msgSender(), addresses: addresses})) {
-                        revert CTPublisher_NotInAllowList(_msgSender(), addresses);
+                        revert CTPublisher_NotInAllowList({addr: _msgSender(), allowedAddresses: addresses});
                     }
                 }
 

package/src/interfaces/ICTPublisher.sol

@@ -93,14 +93,12 @@ interface ICTPublisher {
     /// @param nftBeneficiary The beneficiary of the NFT mints.
     /// @param feeBeneficiary The beneficiary of the fee project's tokens.
     /// @param additionalPayMetadata Extra metadata bytes to include in the payment.
-    /// @param feeMetadata Metadata to send alongside the fee payment.
     function mintFrom(
         IJB721TiersHook hook,
         CTPost[] calldata posts,
         address nftBeneficiary,
         address feeBeneficiary,
-        bytes calldata additionalPayMetadata,
-        bytes calldata feeMetadata
+        bytes calldata additionalPayMetadata
     )
         external
         payable;