Verify a decision

{"actor":"system:backfill","investigation_id":"aa4a488c-c321-4985-82b4-91bf919259f1","kind":"publish","page_slug":"juicebox-v3","published_at":"2026-05-29T02:53:07.053Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Juicebox V3","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""},{"credibility":3,"name":"https://juicebox.money/","type":"other","url":""},{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://code4rena.com/reports/2022-10-juicebox","type":"other","url":""},{"credibility":3,"name":"https://code4rena.com/reports/2023-05-juicebox","type":"other","url":""},{"credibility":3,"name":"https://docs.juicebox.money/assets/files/certik-audit-report-12b48328d22ac38207dad74162cac1db.pdf/","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2022-10-juicebox-findings/issues/193","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2023-05-juicebox-findings/issues/236","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/main/security/postmortem/5.24.2022.md","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/assange-dao-crypto-activities-suspicious-caution","type":"other","url":""},{"credibility":3,"name":"https://watcher.guru/news/assangedao-to-rug-pull-community-reacts-to-unexplained-eth-transfers","type":"other","url":""},{"credibility":3,"name":"https://github.com/code-423n4/2022-07-juicebox-findings/issues/170","type":"other","url":""},{"credibility":3,"name":"https://medium.com/coinmonks/assangedao-accusations-highlight-danger-of-mixing-activism-investing-9e5e7e44b6c8","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dao/","type":"other","url":""},{"credibility":3,"name":"https://www.mexc.com/price/juicebox/tokenomics","type":"other","url":""},{"credibility":3,"name":"https://blog.juicebox.money/juicebox-protocol-tokenomics/","type":"other","url":""},{"credibility":3,"name":"https://www.coinbase.com/price/juicebox","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://defillama.com/protocol/juicebox-v3","type":"other","url":""},{"credibility":3,"name":"https://defillama.com/protocol/juicebox","type":"other","url":""},{"credibility":3,"name":"https://en.wikipedia.org/wiki/ZachXBT","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://docs.juicebox.money/dev/v3/resources/versioning/","type":"other","url":""},{"credibility":3,"name":"https://cryptoslate.com/has-decentralized-crowdfunding-for-daos-finally-arrived-with-juicebox/","type":"other","url":""},{"credibility":3,"name":"https://medium.com/coinmonks/assangedao-accusations-highlight-danger-of-mixing-activism-investing-9e5e7e44b6c8","type":"other","url":""}]}],"sources_used":[],"summary":"Juicebox is an Ethereum-based programmable treasury and crowdfunding protocol first launched in July 2021 by a pseudonymous developer known as Jango, enabling projects to raise ETH, issue contributor tokens, and manage on-chain treasuries without intermediaries. V3 is the third major iteration of the core contracts, deployed in September 2022, and subsequently patched through versions 3.1, 3.1.1, and 3.1.2 to address a series of high-severity and critical accounting vulnerabilities. A protocol logic exploit in April 2026 resulted in an alleged $52,000 loss via a borrowFrom spoof attack, and the platform's permissionless architecture has enabled misuse by bad actors operating fraudulent fundraising projects.","timeline":[{"date":"2021-07-01","event":"Juicebox protocol V1 launched on Ethereum mainnet by pseudonymous developer Jango.","source":""},{"date":"2021-08-18","event":"Low-severity bug discovered in V1 affecting reserved rate calculations for projects that received payments with a reserved rate of 0% before later reconfiguring to a non-zero reserved rate.","source":""},{"date":"2021-11-18","event":"ConstitutionDAO raises approximately $46 million in ETH through Juicebox to bid on a copy of the U.S. Constitution at Sotheby's; bid is unsuccessful.","source":""},{"date":"2022-02-01","event":"AssangeDAO raises approximately 17,423 ETH (then roughly $53 million) via Juicebox, becoming the largest DAO fundraiser on the platform at the time.","source":""},{"date":"2022-04-09","event":"AssangeDAO multi-signature wallet transfers 583.755 ETH without community approval, triggering fraud allegations and calls for legal action against the founding team.","source":""},{"date":"2022-03-29","event":"Certik publishes security assessment of Juicebox V2 contracts, flagging project owner's ability to send ETH to arbitrary addresses and recommending multi-sig and timelock controls.","source":""},{"date":"2022-05-24","event":"Medium-severity bug in JBFundingCycleStore triggered by successive reconfigurations in rolled-over funding cycles; contracts redeployed May 25 and project migration completed by May 28.","source":""},{"date":"2022-07-01","event":"Code4rena V2 audit identifies honeypot vulnerability allowing project owners to trap contributor funds.","source":""},{"date":"2022-09-20","event":"Juicebox V3 deployed to Ethereum mainnet following audits by PeckShield, Certik, and Code4rena.","source":""},{"date":"2022-10-23","event":"Code4rena competitive audit of Juicebox V3 closes; 13 unique vulnerabilities identified including 5 HIGH severity findings covering fund loss, reserve token underflow, honeypot exploitability, and NFT redemption weight miscalculation.","source":""},{"date":"2023-02-17","event":"JuiceboxDAO approves JBP-341 to address high-severity bug discovered during V3 JBX migration contract deployment.","source":""},{"date":"2023-02-21","event":"Juicebox V3.1 deployed to Ethereum mainnet with JBETHPaymentTerminal3_1 and JBController3_1 to address the high-severity migration bug and additional security risks.","source":""},{"date":"2023-05-22","event":"Code4rena audit of Juicebox Buyback Delegate closes; 3 medium-severity issues found including partial Uniswap V3 swap execution and slippage protection gaps.","source":""},{"date":"2023-06-30","event":"Juicebox V3.1.1 deployed, fixing low-severity payout revert bug and adding gas optimizations.","source":""},{"date":"2023-08-15","event":"Juicebox V3.1.2 deployed, fixing critical fee accounting error where protocol miscalculated expected deposit amounts after payout returns, leaving projects financially underfunded.","source":""},{"date":"2026-04-20","event":"Juicebox V3 suffers alleged $52,000 loss via a borrowFrom spoof attack on Ethereum, classified by DeFiLlama as a Protocol Logic exploit.","source":""}]},"v":1}