Juicebox Buyback Delegate audit details

  • Total Prize Pool: $24,500 USDC
    • HM awards: $15,000 USDC
    • QA report awards: $1,000 USDC
    • Bot Race report awards: $2,000 USDC
    • Gas report awards: $2,000 USDC
    • Judge awards: $2,400 USDC
    • Lookout awards: $1,600 USDC
    • Scout awards: $500 USDC
  • Join C4 Discord to register
  • Submit findings using the C4 form
  • Read our guidelines for more details
  • Starts May 18, 2023 20:00 UTC
  • Ends May 22, 2023 20:00 UTC

Automated Findings / Publicly Known Issues

Automated findings output for the audit can be found here.

Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.

Overview

juice-buyback provides a data source and a pay delegate which maximise the number of project tokens the contributor receives when they call pay on the terminal. To do so, the delegate causes either new tokens to be minted by the project (the "vanilla" path, in which the delegate itself is bypassed) or the funds from pay to be used to buy existing tokens in a Uniswap V3 pool (the "buyback" path), whichever yields the better quote at the time of the call.

This first iteration is optimised for ETH as the terminal token.

To learn more about the Juicebox protocol, see our docs. To learn more about juice-buyback, see its README.

Scope

| Contract | SLOC | Purpose | Libraries used |
| --- | --- | --- | --- |
| juice-buyback/contracts/JBXBuybackDelegate.sol | 160 | The buyback delegate | @openzeppelin/*, @jbx-protocol/juice-contracts-v3/*, @paulrberg/contracts/math/PRBMath.sol, @uniswap/v3-core/*, @uniswap/v3-periphery/contracts/interfaces/external/IWETH9.sol |

Out of scope

Other contracts.

Additional Context

Scoping Details

- If you have a public code repo, please share it here: [`juice-buyback`](https://github.com/jbx-protocol/juice-buyback/)
- How many contracts are in scope?: 1
- Total SLoC for these contracts?:  160
- How many external imports are there?:  17
- How many separate interfaces and struct definitions are there for the contracts within scope?:  1
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 5
- What is the overall line coverage percentage provided by your tests?: 100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: yes
- Please describe required context: [Payment terminals](https://docs.juicebox.money/dev/learn/glossary/payment-terminal/), [pay delegates](https://docs.juicebox.money/dev/build/treasury-extensions/pay-delegate/), and [data sources](https://docs.juicebox.money/dev/learn/glossary/data-source/).
- Does it use an oracle?: no
- Does the token conform to the ERC20 standard?: yes
- Are there any novel or unique curve logic or mathematical models?: no
- Does it use a timelock function?: no
- Is it an NFT?: no
- Does it have an AMM?: no
- Is it a fork of a popular project?: no
- Does it use rollups?: no
- Is it multi-chain?: no
- Does it use a side-chain?: no

About Juicebox

The Juicebox protocol is a programmable treasury. Projects can use it to configure how their tokens should be minted when they receive funds, and under what conditions those funds can be distributed to preprogrammed addresses or reclaimed by their community. These rules can evolve over funding cycles, allowing people to bootstrap open-ended projects and add structure, constraints, extensions, and incentives over time as needed.

When people pay a project, they interact with a payment terminal, a contract which controls the inflows and outflows of a certain token for every project which uses it. Projects can override the default payment terminal behavior through the use of data sources and delegates.

A data source is used to provide custom data to a payment terminal's pay (or redeem) function. Data sources must adhere to IJBFundingCycleDataSource.

A pay delegate includes a custom didPay(...) hook that will execute after all of the default protocol pay logic has successfully executed in the terminal contract. Pay delegates must adhere to IJBPayDelegate.

juice-buyback is an IJBPayDelegate and an IJBFundingCycleDataSource.
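The following sketch is an added illustration of how the two hooks above fit together to implement the mint-or-buyback choice described in the overview; it is not the juice-buyback code and not the Juicebox ABI. The structs and interfaces are simplified stand-ins (field names, the ISwapper and IEthTerminal interfaces, and the encoding of the payer's quote and minOut in metadata are all assumptions). What it shows is the shape a reviewer should look for: the data source decides the path before the terminal acts, and the delegate is only reached on the buyback path, where it must handle a failed swap and must never strand the ETH it was handed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration, not the juice-buyback contract. The structs and
// interfaces below are simplified stand-ins modelled on the Juicebox v3
// data-source / pay-delegate hooks; their fields and names are assumptions.

struct PayParamsData {
    uint256 amount;   // terminal token (ETH, in wei) being paid
    uint256 weight;   // funding-cycle weight: project tokens minted per 1e18 wei
    bytes metadata;   // payer-supplied, assumed to be abi.encode(quote, minOut)
}

struct DidPayData {
    uint256 amount;      // ETH allocated to the delegate by the data source
    uint256 weight;      // same weight the vanilla path would have used
    address beneficiary; // who receives the project tokens
    bytes metadata;
}

struct DelegateAllocation {
    address delegate;
    uint256 amount;
}

interface IController {
    // Modelled on JBController.mintTokensOf; treat the signature as assumed.
    function mintTokensOf(uint256 projectId, uint256 tokenCount, address beneficiary,
        string calldata memo, bool preferClaimed, bool useReservedRate) external returns (uint256);
}

interface ISwapper {
    // Hypothetical stand-in for the Uniswap V3 pool swap; reverts if out < minOut.
    function swapEthForToken(uint256 minOut, address recipient) external payable returns (uint256);
}

interface IEthTerminal {
    // Hypothetical stand-in for returning ETH to the project's terminal balance.
    function addToBalanceOf(uint256 projectId) external payable;
}

contract BuybackDelegateSketch {
    uint256 private constant WEIGHT_SCALE = 1e18;

    address public immutable terminal;
    uint256 public immutable projectId;
    IController public immutable controller;
    ISwapper public immutable swapper;

    event Buyback(uint256 ethIn, uint256 tokensOut);
    event FallbackMint(uint256 ethIn, uint256 tokensMinted);

    constructor(address _terminal, uint256 _projectId, IController _controller, ISwapper _swapper) {
        terminal = _terminal;
        projectId = _projectId;
        controller = _controller;
        swapper = _swapper;
    }

    // didPay moves value, so only the terminal that allocated it may call it.
    modifier onlyTerminal() {
        require(msg.sender == terminal, "caller is not the terminal");
        _;
    }

    // Vanilla path: tokens the terminal would mint for `amount` at `weight`.
    function mintAmountFor(uint256 amount, uint256 weight) public pure returns (uint256) {
        return amount * weight / WEIGHT_SCALE;
    }

    // Data-source hook. Returning weight 0 plus a full allocation routes the
    // payment to didPay (buyback). Returning the weight unchanged with no
    // allocation lets the terminal mint as usual and didPay is never called.
    function payParams(PayParamsData calldata d)
        external view returns (uint256 weight, DelegateAllocation[] memory allocations)
    {
        (uint256 quote, ) = abi.decode(d.metadata, (uint256, uint256));
        if (quote > mintAmountFor(d.amount, d.weight)) {
            allocations = new DelegateAllocation[](1);
            allocations[0] = DelegateAllocation(address(this), d.amount);
            return (0, allocations);
        }
        return (d.weight, allocations); // empty allocations: vanilla mint
    }

    // Pay-delegate hook, run by the terminal after its own pay logic with the
    // allocated ETH attached. If the pool can no longer meet minOut, the swap
    // reverts; we then mint what the vanilla path would have produced and hand
    // the ETH back to the terminal so it is not left sitting in this contract.
    function didPay(DidPayData calldata d) external payable onlyTerminal {
        require(msg.value == d.amount, "allocation mismatch");
        (, uint256 minOut) = abi.decode(d.metadata, (uint256, uint256));
        try swapper.swapEthForToken{value: d.amount}(minOut, d.beneficiary) returns (uint256 out) {
            emit Buyback(d.amount, out);
        } catch {
            uint256 minted = controller.mintTokensOf(
                projectId, mintAmountFor(d.amount, d.weight), d.beneficiary, "", false, true);
            IEthTerminal(terminal).addToBalanceOf{value: d.amount}(projectId);
            emit FallbackMint(d.amount, minted);
        }
    }
}
```

Two things worth checking in any real implementation of this pattern: the quote and minOut come from the payer, so the data source's comparison is only as honest as the caller's input, and the slippage bound in the swap is what actually protects the beneficiary; and on the fallback path every wei the delegate received must leave it again, either into the pool or back to the terminal, since a data source that returned weight 0 has already told the terminal not to mint for that payment.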

You can find the previous Code4rena contest covering the protocol, including the payment terminal, here.

Tests

To build and test this repo, you'll need Foundry and NodeJS installed.

To install dependencies and run the tests:

# Clone the repository
git clone https://github.com/code-423n4/2023-05-juicebox.git

# Navigate to the buyback delegate's directory
cd 2023-05-juicebox/juice-buyback

# Install dependencies
npm install

# Run tests
forge test --gas-report