- Total Prize Pool: $24,500 USDC
- HM awards: 15,000 USDC
- QA report awards: $1,000 USDC
- Bot Race report awards: $2,000 USDC
- Gas report awards: $2,000 USDC
- Judge awards: $2,400 USDC
- Lookout awards: $1,600 USDC
- Scout awards: $500 USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts May 18, 2023 20:00 UTC
- Ends May 22, 2023 20:00 UTC
Automated findings output for the audit can be found here.
Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.
`juice-buyback` provides a data source and delegate which maximise the project token received by the contributor when they call `pay` on the terminal. In order to do so, the delegate will either mint new tokens from the project ("vanilla" path, bypassing the delegate) or use the funds from `pay` to buy existing tokens in a Uniswap V3 pool ("buyback" path), depending on the best quote available at the time of the call.
This first iteration is optimised for ETH as terminal token.
To learn more about the Juicebox protocol, see our docs. To learn more about `juice-buyback`, see its README.
| Contract | SLOC | Purpose | Libraries used |
| --- | --- | --- | --- |
| juice-buyback/contracts/JBXBuybackDelegate.sol | 160 | The buyback delegate | `@openzeppelin/*` `@jbx-protocol/juice-contracts-v3/*` `@paulrberg/contracts/math/PRBMath.sol` `@uniswap/v3-core/*` `@uniswap/v3-periphery/contracts/interfaces/external/IWETH9.sol` |
Other contracts.
- If you have a public code repo, please share it here: [`juice-buyback`](https://github.com/jbx-protocol/juice-buyback/)
- How many contracts are in scope?: 1
- Total SLoC for these contracts?: 160
- How many external imports are there?: 17
- How many separate interfaces and struct definitions are there for the contracts within scope?: 1
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 5
- What is the overall line coverage percentage provided by your tests?: 100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: yes
- Please describe required context: [Payment terminals](https://docs.juicebox.money/dev/learn/glossary/payment-terminal/), [pay delegates](https://docs.juicebox.money/dev/build/treasury-extensions/pay-delegate/), and [data sources](https://docs.juicebox.money/dev/learn/glossary/data-source/).
- Does it use an oracle?: no
- Does the token conform to the ERC20 standard?: yes
- Are there any novel or unique curve logic or mathematical models?: no
- Does it use a timelock function?: no
- Is it an NFT?: no
- Does it have an AMM?: no
- Is it a fork of a popular project?: no
- Does it use rollups?: no
- Is it multi-chain?: no
- Does it use a side-chain?: no
The Juicebox protocol is a programmable treasury. A project can use it to configure how its tokens should be minted when it receives funds, and under what conditions those funds can be distributed to preprogrammed addresses or reclaimed by its community. These rules can evolve over funding cycles, allowing people to bootstrap open-ended projects and add structure, constraints, extensions, and incentives over time as needed.
When people pay a project, they interact with a payment terminal, a contract which controls the inflows and outflows of a certain token for every project which uses it. Projects can override the default payment terminal behavior through the use of data sources and delegates.
A data source is used to provide custom data to a payment terminal's `pay` (or `redeem`) function. Data sources must adhere to `IJBFundingCycleDataSource`.
A pay delegate includes a custom `didPay(...)` hook that will execute after all of the default protocol pay logic has successfully executed in the terminal contract. Pay delegates must adhere to `IJBPayDelegate`.
`juice-buyback` is an `IJBPayDelegate` and an `IJBFundingCycleDataSource`.
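A simplified model of the mint-or-buyback choice from the overview, split into the data source step and the delegate step, as an added example that is not the project's code. The mint rate, the basis-point slippage tolerance and the choice to reject a swap that lands below the floor are assumptions made for illustration; the page does not state how the contract handles them.

```python
"""Toy model of the "vanilla" vs "buyback" choice (added example, not project code)."""
from dataclasses import dataclass

WAD = 10**18   # 18-decimal fixed point, as used for ETH amounts
BPS = 10_000   # basis-point denominator (assumed slippage unit)


@dataclass(frozen=True)
class Quote:
    tokens_out: int    # tokens the pool is quoted to return for the payment
    slippage_bps: int  # tolerance the payer accepts below that quote


class SwapBelowMinimum(Exception):
    """Raised when the pool would return less than the agreed floor."""


def min_swap_out(quote: Quote) -> int:
    # Floor the swap must meet; integer division rounds down like on-chain math.
    return quote.tokens_out * (BPS - quote.slippage_bps) // BPS


def choose_path(paid_wei: int, mint_rate_wad: int, quote: Quote) -> tuple[str, int]:
    """Data-source step: compare what minting yields with the swap floor."""
    minted = paid_wei * mint_rate_wad // WAD
    floor = min_swap_out(quote)
    # Buy back only when even the worst accepted swap beats minting.
    return ("buyback", floor) if floor > minted else ("vanilla", minted)


def settle(paid_wei: int, mint_rate_wad: int, quote: Quote, pool_out: int) -> tuple[str, int]:
    """Delegate step: pool_out is what the pool really returns at execution."""
    path, expected = choose_path(paid_wei, mint_rate_wad, quote)
    if path == "vanilla":
        return path, expected
    if pool_out < expected:
        # The quote went stale (price moved between quoting and execution).
        raise SwapBelowMinimum(f"got {pool_out}, need {expected}")
    return path, pool_out


if __name__ == "__main__":
    # Constructed values: 1 ETH paid, project mints 1,000 tokens per ETH.
    q = Quote(tokens_out=1_200 * WAD, slippage_bps=100)
    print(choose_path(WAD, 1_000 * WAD, q))
    print(settle(WAD, 1_000 * WAD, q, pool_out=1_195 * WAD))
```

A quote only slightly above the mint amount still resolves to the vanilla path once the tolerance is subtracted, which is the case worth checking when reviewing how a caller-supplied quote and slippage are bounded.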
You can find the previous Code4rena contest covering the protocol, including the payment terminal, here.
To run this repo, you'll need Foundry and NodeJS installed.
To install dependencies and run the tests:
```bash
# Clone the repository
git clone https://github.com/code-423n4/2023-05-juicebox.git

# Navigate to the buyback delegate's directory
cd 2023-05-juicebox/juice-buyback

# Install dependencies
npm install

# Run tests
forge test --gas-report
```