- $71,250 USDC main award pot
- $3,750 USDC gas optimization award pot
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts July 1, 2022 20:00 UTC
- Ends July 8, 2022 20:00 UTC
- The Juicebox contracts to be audited
The Juicebox protocol is a programmable treasury. Projects can use it to configure how its tokens should be minted when it receives funds, and under what conditions those funds can be distributed to preprogrammed addresses or reclaimed by its community. These rules can evolve over funding cycles, allowing people to bootstrap open-ended projects and add structure, constraints, extensions, and incentives over time as needed. The protocol is light enough for a group of friends, yet powerful enough for a global network of anons sharing thousands of ETH, ERC-20s, or other assets.
The protocol is nuanced, however. The goal of the protocol docs is for you to find any protocol related information that you're looking for. These docs should allow you to click around and get a real good deep dive, and should just as easily allow you to find overview information.
Watch the audit intro to learn more.
The Juicebox protocol is entirely unique. To understand how the protocol works, we highly suggest you read through the extensive documentation on http://info.juicebox.money. First, get an overview of the docs in the Learn section, then dive into the main functional routines in Build/Basics.
Please note: As a flexible and extensible fundraising protocol, Juicebox is aware of many attack vectors that are part of its design. Please make sure when reporting bugs that you are not including known risks addressed on the Risks page of the documentation. If you are unsure if something you've found constitutes a known risk, please feel free to reach out to a member of our team or report it anyway and we will evaluate the validity of the reported bug during the post-contest review phase.
If you have questions about the protocol or where to start, don't hesitate to reach out in our Discord or DM our development team (see Contact Information below).
Go to the Juicebox v2 Code4rena code repo and follow instructions in the readme.
| Contact | Discord | Telegram | |
|---|---|---|---|
| Jango | jango#0420 | me_jango | me_jango |
| DrGorilla | DrGorilla.eth#8862 | DrGorilla_md | DrGorilla_md |
| LuckyKoala | LuckyKoala#1024 | twodam_eth | |
| Nicholas | nicholas#7777 | nnnnicholas | nnnnicholas |
Consult the Juicebox Contracts here (commit 828bf2f). We HIGHLY ADVISE you consult the comprehensive and high quality Juicebox Documentation. Salient details are summarized below for convenience, but the real docs are where you should start.
The protocol is made up of 7 core contracts and 3 surface contracts. All of these contracts are in scope. For more information on these contracts and how they fit together, please visit the Architecture page of the docs.
Core contracts store all the independent components that make the protocol work.
| File | SLOC | Description |
|---|---|---|
| contracts/JBTokenStore.sol | 135 | Manage token minting, burning, and account balances. |
| contracts/JBFundingCycleStore.sol | 287 | Manages funding cycle scheduling. |
| contracts/JBProjects.sol | 42 | Stores project ownership and identifying information. |
| contracts/JBSplitsStore.sol | 101 | Stores splits information for all groups of each project. Projects can create split groups for directing percents of a total token allocation to any address, any other Juicebox project, or any contract that inherits from the IJBSplitAllocator interface. |
| contracts/JBPrices.sol | 26 | Manages and normalizes price feeds. |
| contracts/JBOperatorStore.sol | 50 | Stores operator permissions for all addresses. Addresses can give permissions to any other address to take specific indexed actions on their behalf. |
| contracts/JBDirectory.sol | 93 | Keeps a reference of which terminal contracts each project is currently accepting funds through, and which controller contract is managing each project's tokens and funding cycles. |
Surface contracts glue core contracts together and manage funds. Anyone can write new surface contracts for projects to use.
| File | SLOC | Description |
|---|---|---|
| contracts/JBController.sol | 361 | Stitches together funding cycles and community tokens, making sure all activity is accounted for and correct. |
| contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol | 598 | Generic terminal managing all inflows and outflows of funds into the protocol ecosystem. |
| contracts/JBSingleTokenPaymentTerminalStore.sol | 314 | Manages all bookkeeping for inflows and outflows of funds from any IJBSingleTokenPaymentTerminal. |
| contracts/JBETHPaymentTerminal.sol | 39 | Manages all inflows and outflows of ETH funds into the protocol ecosystem. |
| contracts/JBERC20PaymentTerminal.sol | 42 | Manages all inflows and outflows of an ERC20 into the protocol ecosystem. |
| Total (Core + Surface contracts) | 2,088 |
All interfaces are in scope.
The protocol makes 1 external call to Chainlink to find ETH price in USD. If projects bring their own ERC-20, then the protocol will make calls to that contract.
See the libraries directory.
- @chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol
- @openzeppelin/contracts/access/Ownable.sol
- @openzeppelin/contracts/security/ReentrancyGuard.sol
- @openzeppelin/contracts/token/ERC20/IERC20.sol
- @openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol
- @openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol
- @openzeppelin/contracts/token/ERC721/IERC721.sol
- @openzeppelin/contracts/token/ERC721/extensions/draft-ERC721Votes.sol
- @openzeppelin/contracts/utils/Address.sol
- @openzeppelin/contracts/utils/introspection/ERC165.sol
- @openzeppelin/contracts/utils/introspection/IERC165.sol
- @paulrberg/contracts/math/PRBMath.sol
- @paulrberg/contracts/math/PRBMathUD60x18.sol
The following utility contracts are out of scope.
- JBETHERC20ProjectPayer
- JBETHERC20ProjectPayerDeployer
- JBETHERC20SplitsPayer
- JBETHERC20SplitsPayerDeployer