Support fee delegation

[koo-virtuals]

Note

Medium Risk
Medium risk because it adds new on-chain state/entrypoint in BondingV5 and broadens Multicall3 withdrawal permissions from owner-only to owner-or-admin, which affects fund custody controls.

Overview
Launchpad V5 tokens can now be marked as fee-delegated at prelaunch time. BondingV5 adds preLaunchV2 and stores a new isFeeDelegation[token] flag, and AgentTaxV2 treats this flag as an additional “special launch type” eligible for recipient updates.

Admin custody surface is expanded in multicall3. Token/ETH withdrawal helpers are changed from onlyOwner to onlyOwnerOrAdmin.

Dev tooling/config is updated: Hardhat adds a dedicated compile config for BondingV5 and enables allowUnlimitedContractSize in local hardhat, Uniswap V3 packages are added, and new scripts deploy a minimal Uniswap V3 stack + liquidity on testnet and mint mock USDC; the PR also adds forge-std as a git submodule and a new BSC testnet OpenZeppelin upgrades manifest.

^{Reviewed by Cursor Bugbot for commit 58b49b6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Missing privileged launcher check for fee delegation tokens
  • Added isFeeDelegation(tokenAddress_) to the privileged-launcher gate in BondingV5.launch() so fee delegation launches now enforce backend-ordered tax recipient updates before trading.

Or push these changes by commenting:

@cursor push db7d86cada

Preview (db7d86cada)

diff --git a/contracts/launchpadv2/BondingV5.sol b/contracts/launchpadv2/BondingV5.sol
--- a/contracts/launchpadv2/BondingV5.sol
+++ b/contracts/launchpadv2/BondingV5.sol
@@ -519,9 +519,14 @@
             revert InvalidInput();
         }
 
-        // X_LAUNCH, ACP_SKILL, and Project60days: taxRecipient (AgentTax) must be updated by the backend
+        // X_LAUNCH, ACP_SKILL, Project60days, and fee delegation: taxRecipient (AgentTax) must be updated by the backend
         // before trading starts; only privileged backend wallets may call launch() so that ordering is enforced.
-        if (isProject60days(tokenAddress_) || isProjectXLaunch(tokenAddress_) || isAcpSkillLaunch(tokenAddress_)) {
+        if (
+            isProject60days(tokenAddress_) ||
+            isProjectXLaunch(tokenAddress_) ||
+            isAcpSkillLaunch(tokenAddress_) ||
+            isFeeDelegation(tokenAddress_)
+        ) {
             if (!bondingConfig.isPrivilegedLauncher(msg.sender)) {
                 revert UnauthorizedLauncher();
             }

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 58b49b6. Configure here.}

[cursor]

Missing privileged launcher check for fee delegation tokens

Medium Severity

In AgentTaxV2.updateCreatorForSpecialLaunchAgents, isFeeDelegation is added to the isSpecialLaunch check alongside isProject60days, isProjectXLaunch, and isAcpSkillLaunch. However, the launch() function in BondingV5 only enforces the privileged launcher check for the original three types — isFeeDelegation tokens are omitted. The comment at launch() explicitly states that the backend must update the tax recipient before trading starts, enforced via the privileged check. Fee delegation tokens bypass this ordering guarantee, creating a race condition where anyone can call launch() before the backend updates the tax recipient.

Additional Locations (1)

• contracts/tax/AgentTaxV2.sol#L249-L255

 

^{Reviewed by Cursor Bugbot for commit 58b49b6. Configure here.}