Round 5: Deep curiosity audit with fresh codebase
All previous findings (Rounds 1-4) resolved. Fresh approach with 7 parallel strategies targeting under-explored areas.
Strategies Executed
| # | Strategy | Repos/Areas | Result |
|---|----------|-------------|--------|
| 1 | Defifa game lifecycle audit | defifa/ | 1 CRITICAL candidate → verified WORKS (store defaults votingUnits to price) |
| 2 | Croptop publishing audit | croptop-core-v6/ | Clean — 3 Low, 7 Informational, no exploitable vulnerabilities |
| 3 | deploy-all-v6 wiring audit | deploy-all-v6/ | 1 HIGH — Resume.sol missing entire Tempo chain support |
| 4 | 6 ecosystem sequence replay | Cross-repo traces | All 6 sequences verified sound — no new cross-boundary bugs |
| 5 | Random walker (5 walks) | Cross-repo boundary tracing | 0 new verified findings (buyback reserved% INVALID) |
| 6 | Gas efficiency audit | Hot paths across core/hooks | 6 optimizations — up to ~30k gas/payment savings |
| 7 | Small peripheral repos | address-registry, project-handles, fee-deployer | Clean — 1 Medium operational (fee project terminal not locked) |
Submitted Findings
Key Observations
Defifa is well-architected. The staged prediction-game system has correct phase gating, BWA attestation resists self-voting, pot conservation holds (conservative rounding), and the quorum/grace-period design is sound. The governance system works correctly because the 721 hook store defaults `votingUnits` to tier price when `useVotingUnits: false`.
Croptop is well-defended. All previously identified attack vectors (fee evasion, duplicate URI, stale tier reuse, reentrancy, empty-post bypass) are properly handled. The only notable design tradeoffs are intentional (project owners can bypass criteria via direct hook access, CTProjectOwner is an irreversible burn lock).
The 6 ecosystem sequences confirm the architecture is sound. Each trace through pay→hook→cashout, payout→split→re-entry, cross-currency pricing, sucker bridging, deployer→registry→runtime, and swap-vs-mint routing found no exploitable cross-boundary bugs. The state-before-interaction pattern (balance updates before external calls) correctly prevents reentrancy-based extraction across all sequences.
deploy-all-v6 is the weakest link. The Resume.s.sol file has significant drift from Deploy.s.sol, specifically missing all Tempo chain support. This violates invariant #3 (resume converges to same state as deploy). The Verify.s.sol also lacks sucker deployer allowlist checks.
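The Deploy/Resume drift above is the kind of regression a small script can catch before it reaches review. The following is an added example, not the repo's own tooling: it assumes chain support shows up in each script as a string literal (a constructed convention, not deploy-all-v6's), and the two Solidity fragments are constructed stand-ins for Deploy.s.sol and Resume.s.sol.

```python
import re
from typing import Dict, Set

# Constructed sample inputs standing in for Deploy.s.sol and Resume.s.sol.
# Assumption: each supported chain is named by a string literal in the script.
DEPLOY_SRC = '''
    function run() public {
        _deployTo("ethereum");
        _deployTo("optimism");
        _deployTo("base");
        _deployTo("tempo");
    }
'''
RESUME_SRC = '''
    function run() public {
        _resumeOn("ethereum");
        _resumeOn("optimism");
        _resumeOn("base");
    }
'''

# Matches lowercase chain-name literals such as "tempo" (constructed convention).
CHAIN_LITERAL = re.compile(r'"([a-z][a-z0-9_-]*)"')


def chains_in(source: str) -> Set[str]:
    """Return the set of chain-name string literals a script references."""
    return set(CHAIN_LITERAL.findall(source))


def chain_drift(deploy_src: str, resume_src: str) -> Dict[str, Set[str]]:
    """Chains handled by exactly one of the two scripts.

    An empty result on both sides is the necessary condition for invariant #3
    (resume converges to the same state as deploy); any chain listed here is
    a state the two scripts cannot both reach.
    """
    deploy, resume = chains_in(deploy_src), chains_in(resume_src)
    return {
        "missing_in_resume": deploy - resume,
        "missing_in_deploy": resume - deploy,
    }


if __name__ == "__main__":
    for side, chains in chain_drift(DEPLOY_SRC, RESUME_SRC).items():
        print(f"{side}: {sorted(chains) or 'none'}")
```

Running it on the constructed inputs reports `tempo` as missing in Resume, which is the shape of the HIGH finding above; wiring the same check into CI for the real scripts would flag future drift automatically.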
Gas optimizations are meaningful. The buyback hook path redundantly resolves `currentRulesetOf()` twice per payment — once in `beforePayRecordedWith` and once in `afterPayRecordedWith`. This is the single largest gas waste (~16-30k gas per revnet payment). Combined with the double `_hasDataHookMintPermissionFor` call in JBController, the total savings potential is ~21-33k gas per payment.
Small Peripheral Repos
| Repo | Verdict | Notes |
|------|---------|-------|
| JBAddressRegistry | Clean | Write-once provenance, RLP encoding correct across all nonce ranges |
| JBProjectHandles | Clean | Setter isolation holds, namehash correct per EIP-137, dot validation prevents injection |
| Fee Project Deployer | 1 Medium (operational) | Terminal configuration not locked post-deployment — documented in code comments but not enforced |
Cumulative Audit Stats (Rounds 1-5)
| Round | Strategy | Agents | Findings Submitted | Invalid/Overstated |
|-------|----------|--------|--------------------|--------------------|
| 1 | Deep dive + personas | 5 | 15 initial → 1 valid | 14 |
| 2 | Component decomposition | 15 | 3 (H, M, M) | 0 |
| 3 | Cross-cutting attack chains | 9 | 1 (M) | 1 |
| 4 | Multi-strategy (8 strategies) | 10 | 2 (M, L) | 7 |
| 5 | Deep curiosity (7 strategies) | 7+ | 2 (H, GAS) | 5 |
| Total | | 46+ | 9 verified findings | 27 |
Verified findings: #73 (HIGH), #74 (M), #75 (M), #77 (M), #79 (M), #80 (LOW), #84 (HIGH), #85 (GAS)
Audit conducted using AUDIT_INSTRUCTIONS.md engine with Claude Code