@rev-net/core-v6 0.0.34 → 0.0.36

package/test/audit/CodexREVOwnerRemoteSurplusCurrencyMismatch.t.sol

@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import "forge-std/Test.sol";
+import "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {JBBeforeCashOutRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforeCashOutRecordedContext.sol";
+import {JBBeforePayRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforePayRecordedContext.sol";
+import {JBCashOutHookSpecification} from "@bananapus/core-v6/src/structs/JBCashOutHookSpecification.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {JBTokenAmount} from "@bananapus/core-v6/src/structs/JBTokenAmount.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {PoolKey} from "@uniswap/v4-core/src/types/PoolKey.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+contract CurrencyAwareSuckerRegistry {
+    uint256 public expectedCurrency;
+    uint256 public remoteSupply;
+    uint256 public remoteSurplus;
+
+    function setRemoteValues(uint256 currency, uint256 supply, uint256 surplus) external {
+        expectedCurrency = currency;
+        remoteSupply = supply;
+        remoteSurplus = surplus;
+    }
+
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function remoteTotalSupplyOf(uint256) external view returns (uint256) {
+        return remoteSupply;
+    }
+
+    function remoteSurplusOf(uint256, uint256, uint256 currency) external view returns (uint256) {
+        return currency == expectedCurrency ? remoteSurplus : 0;
+    }
+}
+
+contract EchoBuybackRegistry is IJBRulesetDataHook {
+    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
+        external
+        pure
+        returns (
+            uint256 cashOutTaxRate,
+            uint256 cashOutCount,
+            uint256 totalSupply,
+            uint256 effectiveSurplusValue,
+            JBCashOutHookSpecification[] memory hookSpecifications
+        )
+    {
+        cashOutTaxRate = context.cashOutTaxRate;
+        cashOutCount = context.cashOutCount;
+        totalSupply = context.totalSupply;
+        effectiveSurplusValue = context.surplus.value;
+        hookSpecifications = new JBCashOutHookSpecification[](0);
+    }
+
+    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
+        external
+        pure
+        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
+    {
+        weight = context.weight;
+        hookSpecifications = new JBPayHookSpecification[](0);
+    }
+
+    function hasMintPermissionFor(uint256, JBRuleset calldata, address) external pure returns (bool) {
+        return false;
+    }
+
+    function setPoolFor(uint256, PoolKey calldata, uint256, address) external pure {}
+    function setPoolFor(uint256, uint24, int24, uint256, address) external pure {}
+    function initializePoolFor(uint256, uint24, int24, uint256, address, uint160) external pure {}
+
+    function supportsInterface(bytes4 interfaceId) external pure returns (bool) {
+        return interfaceId == type(IJBRulesetDataHook).interfaceId || interfaceId == type(IERC165).interfaceId;
+    }
+}
+
+contract CodexREVOwnerRemoteSurplusCurrencyMismatchTest is TestBaseWorkflow {
+    REVOwner internal ownerHook;
+    CurrencyAwareSuckerRegistry internal suckerRegistry;
+    EchoBuybackRegistry internal buybackRegistry;
+
+    uint32 internal constant ETH_CURRENCY = 1;
+
+    function setUp() public override {
+        super.setUp();
+
+        suckerRegistry = new CurrencyAwareSuckerRegistry();
+        buybackRegistry = new EchoBuybackRegistry();
+
+        ownerHook = new REVOwner(
+            IJBBuybackHookRegistry(address(buybackRegistry)),
+            jbDirectory(),
+            999_999,
+            IJBSuckerRegistry(address(suckerRegistry)),
+            address(0),
+            address(0)
+        );
+    }
+
+    function test_beforeCashOutRecordedWith_usesTokenAddressInsteadOfCurrencyForRemoteSurplus() public {
+        suckerRegistry.setRemoteValues(ETH_CURRENCY, 500 ether, 900 ether);
+
+        address usdToken = address(0xBEEF);
+
+        JBBeforeCashOutRecordedContext memory context = JBBeforeCashOutRecordedContext({
+            terminal: address(jbMultiTerminal()),
+            holder: address(0xCAFE),
+            projectId: 1,
+            rulesetId: 0,
+            cashOutCount: 100 ether,
+            totalSupply: 1000 ether,
+            surplus: JBTokenAmount({token: usdToken, value: 100 ether, decimals: 18, currency: ETH_CURRENCY}),
+            useTotalSurplus: true,
+            cashOutTaxRate: 0,
+            beneficiaryIsFeeless: false,
+            metadata: ""
+        });
+
+        (,, uint256 returnedSupply, uint256 returnedSurplus,) = ownerHook.beforeCashOutRecordedWith(context);
+
+        assertEq(returnedSupply, 1500 ether, "remote supply should still be included");
+        assertEq(
+            returnedSurplus,
+            100 ether,
+            "remote surplus is incorrectly dropped because REVOwner keys by token address instead of currency"
+        );
+        assertEq(
+            suckerRegistry.remoteSurplusOf(1, 18, ETH_CURRENCY),
+            900 ether,
+            "registry confirms surplus exists for the requested currency"
+        );
+    }
+}

package/test/audit/SupportsInterfaceTest.t.sol

@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+/// @notice Regression test for missing IERC165 support: REVOwner.supportsInterface omits IERC165.
+contract AuditFixL17Test is Test {
+    REVOwner revOwner;
+
+    function setUp() public {
+        revOwner = new REVOwner(
+            IJBBuybackHookRegistry(makeAddr("buybackHook")),
+            IJBDirectory(makeAddr("directory")),
+            1, // feeRevnetId
+            IJBSuckerRegistry(makeAddr("suckerRegistry")),
+            makeAddr("loans"),
+            makeAddr("hiddenTokens")
+        );
+    }
+
+    /// @notice supportsInterface returns true for IERC165 (0x01ffc9a7).
+    function test_supportsInterface_IERC165() public view {
+        assertTrue(revOwner.supportsInterface(type(IERC165).interfaceId), "should support IERC165");
+        assertEq(type(IERC165).interfaceId, bytes4(0x01ffc9a7), "IERC165 interface ID should be 0x01ffc9a7");
+    }
+
+    /// @notice supportsInterface returns true for IJBRulesetDataHook.
+    function test_supportsInterface_IJBRulesetDataHook() public view {
+        assertTrue(
+            revOwner.supportsInterface(type(IJBRulesetDataHook).interfaceId), "should support IJBRulesetDataHook"
+        );
+    }
+
+    /// @notice supportsInterface returns true for IJBCashOutHook.
+    function test_supportsInterface_IJBCashOutHook() public view {
+        assertTrue(revOwner.supportsInterface(type(IJBCashOutHook).interfaceId), "should support IJBCashOutHook");
+    }
+
+    /// @notice supportsInterface returns false for an unsupported interface.
+    function test_supportsInterface_unsupported() public view {
+        assertFalse(revOwner.supportsInterface(bytes4(0xdeadbeef)), "should not support random interface");
+    }
+}

package/test/audit/TestFeeAllowanceLeak.t.sol

@@ -0,0 +1,197 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBPayoutTerminal} from "@bananapus/core-v6/src/interfaces/IJBPayoutTerminal.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoansFeeRecovery} from "../REVLoansFeeRecovery.t.sol";
+
+contract StickyAllowanceFeeTerminal is ERC165, IJBPayoutTerminal {
+    IERC20 public immutable token;
+    address public immutable loans;
+    address public thief;
+    uint256 public stealAmount;
+
+    constructor(IERC20 _token, address _loans) {
+        token = _token;
+        loans = _loans;
+    }
+
+    function configureSteal(address _thief, uint256 _stealAmount) external {
+        thief = _thief;
+        stealAmount = _stealAmount;
+    }
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+        returns (uint256)
+    {
+        uint256 amount = stealAmount;
+        if (amount != 0) {
+            stealAmount = 0;
+            token.transferFrom(loans, thief, amount);
+        }
+        return 0;
+    }
+
+    function accountingContextForTokenOf(uint256, address) external view override returns (JBAccountingContext memory) {
+        return JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+    }
+
+    function accountingContextsOf(uint256) external pure override returns (JBAccountingContext[] memory) {
+        return new JBAccountingContext[](0);
+    }
+
+    function addAccountingContextsFor(uint256, JBAccountingContext[] calldata) external override {}
+
+    function addToBalanceOf(
+        uint256,
+        address,
+        uint256,
+        bool,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+    {}
+
+    function currentSurplusOf(uint256, address[] calldata, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function migrateBalanceOf(uint256, address, IJBTerminal) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function sendPayoutsOf(uint256, address, uint256, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function useAllowanceOf(
+        uint256,
+        address,
+        uint256,
+        uint256,
+        uint256,
+        address payable,
+        address payable,
+        string calldata
+    )
+        external
+        pure
+        override
+        returns (uint256)
+    {
+        return 0;
+    }
+
+    function previewPayFor(
+        uint256,
+        address,
+        uint256,
+        address,
+        bytes calldata
+    )
+        external
+        pure
+        override
+        returns (JBRuleset memory, uint256, uint256, JBPayHookSpecification[] memory)
+    {
+        JBRuleset memory ruleset;
+        return (ruleset, 0, 0, new JBPayHookSpecification[](0));
+    }
+
+    function supportsInterface(bytes4 interfaceId) public view override(ERC165, IERC165) returns (bool) {
+        return interfaceId == type(IJBTerminal).interfaceId || interfaceId == type(IJBPayoutTerminal).interfaceId
+            || super.supportsInterface(interfaceId);
+    }
+}
+
+contract TestFeeAllowanceLeak is REVLoansFeeRecovery {
+    StickyAllowanceFeeTerminal internal stickyFeeTerminal;
+    address internal attacker = makeAddr("attacker");
+
+    function _stickyFeeTerminal() internal returns (StickyAllowanceFeeTerminal) {
+        if (address(stickyFeeTerminal) == address(0)) {
+            stickyFeeTerminal = new StickyAllowanceFeeTerminal(TOKEN, address(LOANS_CONTRACT));
+        }
+        return stickyFeeTerminal;
+    }
+
+    /// @notice Verifies that stale allowance is cleared — the original exploit no longer works.
+    /// @dev Previously, a sticky fee terminal could accumulate reusable allowance across borrows.
+    ///      After the fix (_afterTransferTo clears allowance on success), the allowance is zero.
+    function test_feeTerminalCannotHarvestStaleAllowanceAfterFix() public {
+        StickyAllowanceFeeTerminal terminal = _stickyFeeTerminal();
+
+        vm.mockCall(
+            address(jbDirectory()),
+            abi.encodeWithSelector(IJBDirectory.primaryTerminalOf.selector, FEE_PROJECT_ID, address(TOKEN)),
+            abi.encode(address(terminal))
+        );
+
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+        uint256 payAmount = 1_000_000;
+
+        deal(address(TOKEN), USER, payAmount * 2);
+
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount * 2);
+        uint256 firstTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, firstTokenCount, payable(USER), 25, USER);
+
+        // Allowance is now cleared after successful fee payment.
+        uint256 allowanceAfterBorrow = TOKEN.allowance(address(LOANS_CONTRACT), address(stickyFeeTerminal));
+        assertEq(allowanceAfterBorrow, 0, "no stale allowance after successful borrow");
+
+        // The uncollected fee is still parked in REVLoans (terminal didn't pull it),
+        // but there's no allowance for the terminal to steal it later.
+        uint256 loansBalance = TOKEN.balanceOf(address(LOANS_CONTRACT));
+        assertGt(loansBalance, 0, "uncollected fee is parked in REVLoans");
+
+        // Second borrow — terminal tries to steal but can't because allowance is 0.
+        vm.prank(USER);
+        uint256 secondTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+
+        terminal.configureSteal(attacker, loansBalance);
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, secondTokenCount, payable(USER), 25, USER);
+
+        // The attacker gets nothing — the steal attempt fails silently (transferFrom reverts,
+        // caught by _tryPayFee's try-catch).
+        assertEq(TOKEN.balanceOf(attacker), 0, "attacker cannot drain stale allowance");
+
+        // And the current borrow also leaves zero allowance.
+        assertEq(
+            TOKEN.allowance(address(LOANS_CONTRACT), address(terminal)),
+            0,
+            "no fresh stale allowance after second borrow"
+        );
+    }
+}