Juicebox V3: 3 decisions on this page
Audit log
Every state-changing event for Juicebox V3: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-29 02:53:07Z. Score: ? → ? (no score change)
- anchor: anchored
- chain: mainnet-beta, slot 422,851,207
- sig: ZpwEm5cpMAyX…jUUua7YT
- hash: 4htsUf2W8hVw…2R33wTSB (sha256 → base58)
- canonical bytes (7781 B):
{"actor":"system:backfill","investigation_id":"aa4a488c-c321-4985-82b4-91bf919259f1","kind":"publish","page_slug":"juicebox-v3","published_at":"2026-05-29T02:53:07.053Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Juicebox V3","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""},{"credibility":3,"name":"https://juicebox.money/","type":"other","url":""},{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://code4rena.com/reports/2022-10-juicebox","type":"other","url":""},{"credibility":3,"name":"https://code4rena.com/reports/2023-05-juicebox","type":"other","url":""},{"credibility":3,"name":"https://docs.juicebox.money/assets/files/certik-audit-report-12b48328d22ac38207dad74162cac1db.pdf/","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2022-10-juicebox-findings/issues/193","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2023-05-juicebox-findings/issues/236","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/main/security/postmortem/5.24.2022.md","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/assange-dao-crypto-activities-suspicious-caution","type":"other","url":""},{"credibility":3,"name":"https://watcher.guru/news/assangedao-to-rug-pull-community-reacts-to-unexplained-eth-transfers","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2022-07-juicebox-findings/issues/170","type":"other","url":""},{"credibility":3,"name":"https://medium.com/coinmonks/assangedao-accusations-highlight-danger-of-mixing-activism-investing-9e5e7e44b6c8","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dao/","type":"other","url":""},{"credibility":3,"name":"https://www.mexc.com/price/juicebox/tokenomics","type":"other","url":""},{"credibility":3,"name":"https://blog.juicebox.money/juicebox-protocol-tokenomics/","type":"other","url":""},{"credibility":3,"name":"https://www.coinbase.com/price/juicebox","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox","type":"other","url":""},{"credibility":3,"name":"https://en.wikipedia.org/wiki/ZachXBT","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""},{"credibility":3,"name":"https://medium.com/coinmonks/assangedao-accusations-highlight-danger-of-mixing-activism-investing-9e5e7e44b6c8","type":"other","url":""}]}],"sources_used":[],"summary":"Juicebox is an Ethereum-based programmable treasury
and crowdfunding protocol first launched in July 2021 by a pseudonymous developer known as Jango, enabling projects to raise ETH, issue contributor tokens, and manage on-chain treasuries without intermediaries. V3 is the third major iteration of the core contracts, deployed in September 2022, and subsequently patched through versions 3.1, 3.1.1, and 3.1.2 to address a series of high-severity and critical accounting vulnerabilities. A protocol logic exploit in April 2026 resulted in an alleged $52,000 loss via a borrowFrom spoof attack, and the platform's permissionless architecture has enabled misuse by bad actors operating fraudulent fundraising projects.","timeline":[{"date":"2021-07-01","event":"Juicebox protocol V1 launched on Ethereum mainnet by pseudonymous developer Jango.","source":""},{"date":"2021-08-18","event":"Low-severity bug discovered in V1 affecting reserved rate calculations for projects that received payments with a reserved rate of 0% before later reconfiguring to a non-zero reserved rate.","source":""},{"date":"2021-11-18","event":"ConstitutionDAO raises approximately $46 million in ETH through Juicebox to bid on a copy of the U.S. 
Constitution at Sotheby's; bid is unsuccessful.","source":""},{"date":"2022-02-01","event":"AssangeDAO raises approximately 17,423 ETH (then roughly $53 million) via Juicebox, becoming the largest DAO fundraiser on the platform at the time.","source":""},{"date":"2022-04-09","event":"AssangeDAO multi-signature wallet transfers 583.755 ETH without community approval, triggering fraud allegations and calls for legal action against the founding team.","source":""},{"date":"2022-03-29","event":"Certik publishes security assessment of Juicebox V2 contracts, flagging project owner's ability to send ETH to arbitrary addresses and recommending multi-sig and timelock controls.","source":""},{"date":"2022-05-24","event":"Medium-severity bug in JBFundingCycleStore triggered by successive reconfigurations in rolled-over funding cycles; contracts redeployed May 25 and project migration completed by May 28.","source":""},{"date":"2022-07-01","event":"Code4rena V2 audit identifies honeypot vulnerability allowing project owners to trap contributor funds.","source":""},{"date":"2022-09-20","event":"Juicebox V3 deployed to Ethereum mainnet following audits by PeckShield, Certik, and Code4rena.","source":""},{"date":"2022-10-23","event":"Code4rena competitive audit of Juicebox V3 closes; 13 unique vulnerabilities identified including 5 HIGH severity findings covering fund loss, reserve token underflow, honeypot exploitability, and NFT redemption weight miscalculation.","source":""},{"date":"2023-02-17","event":"JuiceboxDAO approves JBP-341 to address high-severity bug discovered during V3 JBX migration contract deployment.","source":""},{"date":"2023-02-21","event":"Juicebox V3.1 deployed to Ethereum mainnet with JBETHPaymentTerminal3_1 and JBController3_1 to address the high-severity migration bug and additional security risks.","source":""},{"date":"2023-05-22","event":"Code4rena audit of Juicebox Buyback Delegate closes; 3 medium-severity issues found including partial Uniswap V3 
swap execution and slippage protection gaps.","source":""},{"date":"2023-06-30","event":"Juicebox V3.1.1 deployed, fixing low-severity payout revert bug and adding gas optimizations.","source":""},{"date":"2023-08-15","event":"Juicebox V3.1.2 deployed, fixing critical fee accounting error where protocol miscalculated expected deposit amounts after payout returns, leaving projects financially underfunded.","source":""},{"date":"2026-04-20","event":"Juicebox V3 suffers alleged $52,000 loss via a borrowFrom spoof attack on Ethereum, classified by DeFiLlama as a Protocol Logic exploit.","source":""}]},"v":1}
Verify offline (run on your own machine): python -m src.verify_decision 4cf78a42-bbcc-46fb-bf52-12f9e50da872
- #2 review by reviewer, 2026-06-03 14:21:07Z. Score: 48 → 48 (no score change)
The Juicebox V3 investigation page is largely accurate on verifiable historical facts: protocol launch dates, fundraiser amounts, audit findings counts and dates, and patching history are all well-sourced. The main accuracy issues are: (1) the V3.1.2 fee accounting bug is described as 'critical' but official Juicebox documentation classifies it as medium severity; (2) V3 is said to have been audited by PeckShield before deployment but no PeckShield V3 audit could be confirmed; (3) the April 2026 $52,000 exploit claim is unverifiable beyond DeFiLlama's hacks database and lacks any corroborating primary source. All seven section bodies are empty, meaning the investigation's structured content consists solely of summary and timeline.
- anchor: anchored
- chain: mainnet-beta, slot 424,043,680
- sig: 2jzaAVtqeLoz…u3fBfxC4
- hash: E6aZnQ8rzEcE…EhSAFGTi (sha256 → base58)
- canonical bytes (1087 B):
{"actor":"reviewer","decided_at":"2026-06-03T14:21:06.968Z","decision":"review","investigation_id":"aa4a488c-c321-4985-82b4-91bf919259f1","new_score":48,"page_slug":"juicebox-v3","prev_score":48,"reason":"The Juicebox V3 investigation page is largely accurate on verifiable historical facts: protocol launch dates, fundraiser amounts, audit findings counts and dates, and patching history are all well-sourced. The main accuracy issues are: (1) the V3.1.2 fee accounting bug is described as 'critical' but official Juicebox documentation classifies it as medium severity; (2) V3 is said to have been audited by PeckShield before deployment but no PeckShield V3 audit could be confirmed; (3) the April 2026 $52,000 exploit claim is unverifiable beyond DeFiLlama's hacks database and lacks any corroborating primary source. All seven section bodies are empty, meaning the investigation's structured content consists solely of summary and timeline.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine): python -m src.verify_decision 24d9571f-9820-431b-b804-10ec220fe1ab
- #3 review revise by judge, 2026-06-03 14:21:07Z. Score: 48 → 40 (-8)
The page's historical record is largely accurate — 13 of 20 claims are confirmed by Tier 1 and Tier 2 sources. However, claim_findings[2] and claim_findings[14] both overstate the severity of the V3.1.2 fee accounting bug as 'critical' when official Juicebox documentation (Tier 1) classifies it as medium severity with only ~0.006 ETH of actual financial impact. claim_findings[12] (V3 pre-deployment audit roster) is only partially supportable: the CertiK audit cited belongs to V2, the Code4rena audit ran after V3 deployed, and no PeckShield V3 audit was found. The two unverifiable claims (claim_findings[3] and claim_findings[15]) both concern the April 2026 $52,000 exploit, which lacks any corroborating source beyond an inaccessible DeFiLlama entry — this is the most recent and risk-relevant event on the page. Additionally, all seven structured section bodies are empty, meaning the investigation's substantive content is confined to the summary and timeline; this structural gap prevents a full factual review and should be resolved.
- anchor: anchored
- chain: mainnet-beta, slot 424,043,684
- sig: 8mksASHdi44P…T7TJVBVX
- hash: J7PhxdWvDpyJ…i1jA1KqK (sha256 → base58)
- canonical bytes (1397 B):
{"actor":"judge","decided_at":"2026-06-03T14:21:06.968Z","decision":"review_revise","investigation_id":"aa4a488c-c321-4985-82b4-91bf919259f1","new_score":40,"page_slug":"juicebox-v3","prev_score":48,"reason":"The page's historical record is largely accurate — 13 of 20 claims are confirmed by Tier 1 and Tier 2 sources. However, claim_findings[2] and claim_findings[14] both overstate the severity of the V3.1.2 fee accounting bug as 'critical' when official Juicebox documentation (Tier 1) classifies it as medium severity with only ~0.006 ETH of actual financial impact. claim_findings[12] (V3 pre-deployment audit roster) is only partially supportable: the CertiK audit cited belongs to V2, the Code4rena audit ran after V3 deployed, and no PeckShield V3 audit was found. The two unverifiable claims (claim_findings[3] and claim_findings[15]) both concern the April 2026 $52,000 exploit, which lacks any corroborating source beyond an inaccessible DeFiLlama entry — this is the most recent and risk-relevant event on the page. Additionally, all seven structured section bodies are empty, meaning the investigation's substantive content is confined to the summary and timeline; this structural gap prevents a full factual review and should be resolved.","score_delta":-8,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine): python -m src.verify_decision c90838dc-9f65-4bf9-b173-847689141518
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
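The row check described above, written out as an added example (this is not avoid.net's `src.verify_decision` code): it recomputes SHA-256 over the canonical bytes, base58-encodes the digest, and compares it with the stored hash and with the memo text. The canonical form (sorted keys, no whitespace, unescaped UTF-8) is an assumption inferred from the JSON shown on this page, and the sample event and memo are constructed.

```python
import hashlib
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 as used for Solana keys/signatures: big-endian integer,
    each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def canonical_bytes(event: dict) -> bytes:
    # Assumed canonical form: sorted keys, compact separators, raw UTF-8.
    # ensure_ascii=False matters: escaping non-ASCII text changes the hash.
    text = json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")

def row_hash(raw: bytes) -> str:
    """sha256 -> base58, the form shown in each row's 'hash' field."""
    return b58encode(hashlib.sha256(raw).digest())

def verify_row(raw: bytes, stored_hash: str, memo_text: str) -> tuple:
    """Return (row_ok, memo_ok). Both must hold for a row to be trusted:
    the bytes hash to the stored value, and that value is in the memo."""
    computed = row_hash(raw)
    return computed == stored_hash, computed in memo_text

# Constructed sample, shaped like the decision rows on this page.
SAMPLE_EVENT = {
    "v": 1, "sequence_num": 2, "actor": "reviewer", "decision": "review",
    "page_slug": "example-page", "prev_score": 48, "new_score": 48,
    "reason": "Score unchanged (48 → 48); one severity label is overstated.",
}

if __name__ == "__main__":
    raw = canonical_bytes(SAMPLE_EVENT)
    stored = row_hash(raw)            # what the site would publish
    memo = "constructed-memo:" + stored
    print("intact  :", verify_row(raw, stored, memo))
    tampered = raw.replace(b'"new_score":48', b'"new_score":84')
    print("tampered:", verify_row(tampered, stored, memo))
```

Run the comparison against bytes you fetched yourself and a memo read from an RPC node you chose; a hash recomputed from data served by the same party that stores the hash only proves internal consistency.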