Contest ran 1 July 2022 to 8 July 2022

7-day contest

Juicebox V2 contest

The decentralized fundraising and treasury protocol.

$75,000 USDC

Total Awards

Juicebox V2 contest details

Juicebox Protocol

What is Juicebox?

The Juicebox protocol is a programmable treasury. Projects can use it to configure how their tokens should be minted when they receive funds, and under what conditions those funds can be distributed to preprogrammed addresses or reclaimed by their community. These rules can evolve over funding cycles, allowing people to bootstrap open-ended projects and add structure, constraints, extensions, and incentives over time as needed. The protocol is light enough for a group of friends, yet powerful enough for a global network of anons sharing thousands of ETH, ERC-20s, or other assets.

The protocol is nuanced, however. The goal of the protocol docs is for you to find any protocol-related information that you're looking for. These docs should allow you to click around and get a real good deep dive, and should just as easily allow you to find overview information.

Watch the audit intro to learn more.

How to approach the Juicebox Code4rena audit

The Juicebox protocol is entirely unique. To understand how the protocol works, we highly suggest you read through the extensive documentation. First, get an overview of the docs in the Learn section, then dive into the main functional routines in Build/Basics.

Please note: As a flexible and extensible fundraising protocol, Juicebox is aware of many attack vectors that are part of its design. Please make sure when reporting bugs that you are not including known risks addressed on the Risks page of the documentation. If you are unsure if something you've found constitutes a known risk, please feel free to reach out to a member of our team or report it anyway and we will evaluate the validity of the reported bug during the post-contest review phase.

If you have questions about the protocol or where to start, don't hesitate to reach out in our Discord or DM our development team (see Contact Information below).

How to set up the project

Go to the Juicebox v2 Code4rena code repo and follow instructions in the readme.

Contact Information


Contest Scope

Consult the Juicebox Contracts here (commit 828bf2f). We HIGHLY ADVISE you consult the comprehensive and high-quality Juicebox Documentation. Salient details are summarized below for convenience, but the real docs are where you should start.

In Scope

The protocol is made up of 7 core contracts and 3 surface contracts. All of these contracts are in scope. For more information on these contracts and how they fit together, please visit the Architecture page of the docs.

Core contracts

Core contracts store all the independent components that make the protocol work.

contracts/JBTokenStore.sol | 135 | Manage token minting, burning, and account balances.
contracts/JBFundingCycleStore.sol | 287 | Manages funding cycle scheduling.
contracts/JBProjects.sol | 42 | Stores project ownership and identifying information.
contracts/JBSplitsStore.sol | 101 | Stores splits information for all groups of each project. Projects can create split groups for directing percents of a total token allocation to any address, any other Juicebox project, or any contract that inherits from the IJBSplitAllocator interface.
contracts/JBPrices.sol | 26 | Manages and normalizes price feeds.
contracts/JBOperatorStore.sol | 50 | Stores operator permissions for all addresses. Addresses can give permissions to any other address to take specific indexed actions on their behalf.
contracts/JBDirectory.sol | 93 | Keeps a reference of which terminal contracts each project is currently accepting funds through, and which controller contract is managing each project's tokens and funding cycles.

Surface contracts

Surface contracts glue core contracts together and manage funds. Anyone can write new surface contracts for projects to use.

contracts/JBController.sol | 361 | Stitches together funding cycles and community tokens, making sure all activity is accounted for and correct.
contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol | 598 | Generic terminal managing all inflows and outflows of funds into the protocol ecosystem.
contracts/JBSingleTokenPaymentTerminalStore.sol | 314 | Manages all bookkeeping for inflows and outflows of funds from any IJBSingleTokenPaymentTerminal.
contracts/JBETHPaymentTerminal.sol | 39 | Manages all inflows and outflows of ETH funds into the protocol ecosystem.
contracts/JBERC20PaymentTerminal.sol | 42 | Manages all inflows and outflows of an ERC20 into the protocol ecosystem.
Total (Core + Surface contracts) | 2,088


All interfaces are in scope.

External calls

The protocol makes 1 external call to Chainlink to find ETH price in USD. If projects bring their own ERC-20, then the protocol will make calls to that contract.


See the libraries directory.

  • @chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol
  • @openzeppelin/contracts/access/Ownable.sol
  • @openzeppelin/contracts/security/ReentrancyGuard.sol
  • @openzeppelin/contracts/token/ERC20/IERC20.sol
  • @openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol
  • @openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol
  • @openzeppelin/contracts/token/ERC721/IERC721.sol
  • @openzeppelin/contracts/token/ERC721/extensions/draft-ERC721Votes.sol
  • @openzeppelin/contracts/utils/Address.sol
  • @openzeppelin/contracts/utils/introspection/ERC165.sol
  • @openzeppelin/contracts/utils/introspection/IERC165.sol
  • @paulrberg/contracts/math/PRBMath.sol
  • @paulrberg/contracts/math/PRBMathUD60x18.sol

Out of Scope

The following utility contracts are out of scope.

  • JBETHERC20ProjectPayer
  • JBETHERC20ProjectPayerDeployer
  • JBETHERC20SplitsPayer
  • JBETHERC20SplitsPayerDeployer