@bananapus/core-v6 0.0.1

package/test/AuditExploits.t.sol

@@ -0,0 +1,2710 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
+import {JBCashOuts} from "../src/libraries/JBCashOuts.sol";
+
+/// @notice Exploit PoC tests for critical vulnerability scenarios in Juicebox V5.
+/// @dev These tests target specific edge cases and potential vulnerabilities identified during audit.
+contract AuditExploits_Local is TestBaseWorkflow {
+    //*********************************************************************//
+    // ----------------------------- storage ----------------------------- //
+    //*********************************************************************//
+
+    IJBController private _controller;
+    IJBMultiTerminal private _terminal;
+    JBTokens private _tokens;
+    MetadataResolverHelper private _metadataHelper;
+    uint112 private _weight;
+    uint256 private _projectId;
+    address private _projectOwner;
+    address private _beneficiary;
+
+    //*********************************************************************//
+    // ------------------------------ setup ------------------------------ //
+    //*********************************************************************//
+
+    function setUp() public override {
+        super.setUp();
+
+        _projectOwner = multisig();
+        _beneficiary = beneficiary();
+        _controller = jbController();
+        _terminal = jbMultiTerminal();
+        _tokens = jbTokens();
+        _metadataHelper = metadataHelper();
+        _weight = 1000 * 10 ** 18;
+    }
+
+    //*********************************************************************//
+    // ----------- helpers: project launch with various configs ---------- //
+    //*********************************************************************//
+
+    /// @notice Launches a project with a given cashOutTaxRate and reservedPercent, no payout limits.
+    function _launchProject(uint16 cashOutTaxRate, uint16 reservedPercent) internal returns (uint256 projectId) {
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: reservedPercent,
+            cashOutTaxRate: cashOutTaxRate,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        // Create project #1 to collect fees (if it does not exist yet).
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Create the actual test project.
+        projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+    }
+
+    /// @notice Launches a project with payout limits set.
+    function _launchProjectWithPayoutLimit(
+        uint16 cashOutTaxRate,
+        uint224 payoutLimit
+    )
+        internal
+        returns (uint256 projectId)
+    {
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: cashOutTaxRate,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory payoutLimits = new JBCurrencyAmount[](1);
+        payoutLimits[0] = JBCurrencyAmount({amount: payoutLimit, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimitGroup = new JBFundAccessLimitGroup[](1);
+        fundAccessLimitGroup[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: payoutLimits,
+            surplusAllowances: new JBCurrencyAmount[](0)
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = fundAccessLimitGroup;
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        // Create project #1 to collect fees (if it does not exist yet).
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Create the actual test project.
+        projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+    }
+
+    //*********************************************************************//
+    // -- Test 1: _sliceBytes Memory Corruption (JBMetadataResolver) ---- //
+    //*********************************************************************//
+
+    /// @notice Tests the _sliceBytes bug where `lt(i, end)` is used instead of `lt(i, length)`.
+    /// @dev When start > 0, the loop copies `end` bytes instead of `end - start` bytes (the actual
+    ///      length), writing past the allocated memory region. This test demonstrates that the
+    ///      returned data is still correct (Solidity's ABI decoder reads based on `length`, not
+    ///      allocation size), but the over-copy corrupts the free memory pointer region.
+    function test_sliceBytes_memorySafety() public view {
+        // Create metadata with 3 entries to force non-trivial offsets.
+        bytes4[] memory ids = new bytes4[](3);
+        bytes[] memory datas = new bytes[](3);
+
+        ids[0] = bytes4(0xAAAAAAAA);
+        ids[1] = bytes4(0xBBBBBBBB);
+        ids[2] = bytes4(0xCCCCCCCC);
+
+        // Each data entry is 32 bytes (one word).
+        datas[0] = abi.encode(uint256(111));
+        datas[1] = abi.encode(uint256(222));
+        datas[2] = abi.encode(uint256(333));
+
+        bytes memory metadata = _metadataHelper.createMetadata(ids, datas);
+
+        // Retrieve each entry and verify correctness. Even though _sliceBytes over-copies, the
+        // returned bytes have the correct `length` field, so abi.decode reads the right data.
+        (bool found1, bytes memory data1) = _metadataHelper.getDataFor(ids[0], metadata);
+        (bool found2, bytes memory data2) = _metadataHelper.getDataFor(ids[1], metadata);
+        (bool found3, bytes memory data3) = _metadataHelper.getDataFor(ids[2], metadata);
+
+        assertTrue(found1, "ID 0xAAAAAAAA not found");
+        assertTrue(found2, "ID 0xBBBBBBBB not found");
+        assertTrue(found3, "ID 0xCCCCCCCC not found");
+
+        assertEq(abi.decode(data1, (uint256)), 111, "data1 mismatch");
+        assertEq(abi.decode(data2, (uint256)), 222, "data2 mismatch");
+        assertEq(abi.decode(data3, (uint256)), 333, "data3 mismatch");
+    }
+
+    /// @notice Demonstrates the _sliceBytes over-copy with large offsets.
+    /// @dev When slicing from a non-zero start with end >> start, the loop iterates `end` times
+    ///      (not `end - start` times), copying extra bytes beyond the allocated output buffer.
+    ///      This test creates metadata where data for the last ID starts at a high offset,
+    ///      exercising the worst case of the over-copy.
+    function test_sliceBytes_overcopy_with_large_offset() public view {
+        // Create metadata with entries of increasing data sizes to push offsets higher.
+        bytes4[] memory ids = new bytes4[](3);
+        bytes[] memory datas = new bytes[](3);
+
+        ids[0] = bytes4(0x11111111);
+        ids[1] = bytes4(0x22222222);
+        ids[2] = bytes4(0x33333333);
+
+        // First data: 3 words (96 bytes)
+        datas[0] = abi.encode(uint256(1), uint256(2), uint256(3));
+        // Second data: 3 words (96 bytes)
+        datas[1] = abi.encode(uint256(4), uint256(5), uint256(6));
+        // Third data: 1 word (32 bytes) -- but starts at a high offset
+        datas[2] = abi.encode(uint256(7));
+
+        bytes memory metadata = _metadataHelper.createMetadata(ids, datas);
+
+        // The third entry starts at a high offset. When getDataFor calls _sliceBytes(metadata, offset*32, end),
+        // the loop runs for `end` iterations (not `end - offset*32`), over-copying.
+        (bool found, bytes memory data) = _metadataHelper.getDataFor(ids[2], metadata);
+        assertTrue(found, "ID 0x33333333 not found");
+        assertEq(abi.decode(data, (uint256)), 7, "data for id3 mismatch");
+
+        // Verify earlier entries are also correct.
+        (bool found0, bytes memory data0) = _metadataHelper.getDataFor(ids[0], metadata);
+        assertTrue(found0, "ID 0x11111111 not found");
+        (uint256 a, uint256 b, uint256 c) = abi.decode(data0, (uint256, uint256, uint256));
+        assertEq(a, 1);
+        assertEq(b, 2);
+        assertEq(c, 3);
+    }
+
+    /// @notice Test that _sliceBytes memory over-copy does not corrupt subsequent allocations
+    ///         when the returned data is used alongside new allocations.
+    /// @dev This is an indirect demonstration. After calling getDataFor (which internally calls
+    ///      _sliceBytes with the over-copy), we allocate new memory and verify it is not corrupted
+    ///      by the over-written bytes. Because the free memory pointer is advanced by `length`
+    ///      (the correct amount), the next allocation starts at the end of the intended region,
+    ///      which may have been overwritten by the over-copy.
+    function test_sliceBytes_no_corruption_of_subsequent_alloc() public view {
+        bytes4[] memory ids = new bytes4[](2);
+        bytes[] memory datas = new bytes[](2);
+
+        ids[0] = bytes4(0xDEADBEEF);
+        ids[1] = bytes4(0xCAFEBABE);
+
+        // 2-word data for each.
+        datas[0] = abi.encode(uint256(0xDEAD), uint256(0xBEEF));
+        datas[1] = abi.encode(uint256(0xCAFE), uint256(0xBABE));
+
+        bytes memory metadata = _metadataHelper.createMetadata(ids, datas);
+
+        // Retrieve second entry (which has start > 0, triggering the over-copy).
+        (bool found, bytes memory data) = _metadataHelper.getDataFor(ids[1], metadata);
+        assertTrue(found);
+
+        (uint256 val1, uint256 val2) = abi.decode(data, (uint256, uint256));
+        assertEq(val1, 0xCAFE, "val1 mismatch after getDataFor");
+        assertEq(val2, 0xBABE, "val2 mismatch after getDataFor");
+
+        // Now allocate new memory and check it is clean. In Solidity, new allocations should
+        // start with zeroed memory. If _sliceBytes over-wrote past the free pointer, this could
+        // contain stale data from the copy loop.
+        uint256[] memory freshAlloc = new uint256[](2);
+        assertEq(freshAlloc[0], 0, "fresh allocation[0] should be zero");
+        assertEq(freshAlloc[1], 0, "fresh allocation[1] should be zero");
+    }
+
+    //*********************************************************************//
+    // --- Test 2: REVDeployer beforePayRecordedWith OOB (C-2) ---------- //
+    //*********************************************************************//
+
+    /// @notice Demonstrates that REVDeployer.beforePayRecordedWith writes to index [1] of the
+    ///         hookSpecifications array even when the array has size 1 (no tiered721Hook, but
+    ///         buybackHook is present).
+    /// @dev We cannot directly test REVDeployer here (it's in a separate package), but we can
+    ///      demonstrate the array indexing pattern that causes the OOB revert.
+    ///      This test mirrors the exact logic from REVDeployer lines 248-258.
+    function test_revDeployer_hookSpecifications_oob_pattern() public {
+        // Simulate the condition: usesBuybackHook=true, usesTiered721Hook=false.
+        bool usesBuybackHook = true;
+        bool usesTiered721Hook = false;
+
+        // This is the exact allocation from REVDeployer line 249:
+        // hookSpecifications = new JBPayHookSpecification[]((usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0));
+        uint256 arraySize = (usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0);
+
+        // Array has size 1.
+        assertEq(arraySize, 1, "array should be size 1");
+
+        JBPayHookSpecification[] memory hookSpecifications = new JBPayHookSpecification[](arraySize);
+
+        // Line 253: if (usesTiered721Hook) hookSpecifications[0] = ... -- SKIPPED (false)
+
+        // Line 258: if (usesBuybackHook) hookSpecifications[1] = buybackHookSpecifications[0];
+        // This writes to index 1 of a size-1 array. In Solidity 0.8.x, this reverts with
+        // a panic (index out of bounds).
+        if (usesBuybackHook) {
+            // This WILL revert with an index out of bounds panic.
+            vm.expectRevert();
+            // We need to trigger the revert in a way forge can catch. Use a low-level call to
+            // ourselves with a helper function.
+            this.externalWriteToIndex1(hookSpecifications);
+        }
+    }
+
+    /// @notice External helper to trigger the array OOB write. Forge's vm.expectRevert()
+    ///         requires a call boundary to catch the panic.
+    function externalWriteToIndex1(JBPayHookSpecification[] memory specs) external pure {
+        // This will revert with Panic(0x32) -- array index out of bounds.
+        specs[1] = JBPayHookSpecification({hook: IJBPayHook(address(0)), amount: 0, metadata: ""});
+    }
+
+    /// @notice Verify that when BOTH hooks are present, the array size is 2 and no OOB occurs.
+    function test_revDeployer_hookSpecifications_no_oob_when_both_present() public pure {
+        bool usesBuybackHook = true;
+        bool usesTiered721Hook = true;
+
+        uint256 arraySize = (usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0);
+        assertEq(arraySize, 2, "array should be size 2 when both hooks present");
+
+        JBPayHookSpecification[] memory hookSpecifications = new JBPayHookSpecification[](arraySize);
+
+        // Both writes are valid.
+        hookSpecifications[0] = JBPayHookSpecification({hook: IJBPayHook(address(0)), amount: 0, metadata: ""});
+        hookSpecifications[1] = JBPayHookSpecification({hook: IJBPayHook(address(0)), amount: 0, metadata: ""});
+    }
+
+    /// @notice Verify that when neither hook is present, no write occurs.
+    function test_revDeployer_hookSpecifications_no_hooks() public pure {
+        bool usesBuybackHook = false;
+        bool usesTiered721Hook = false;
+
+        uint256 arraySize = (usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0);
+        assertEq(arraySize, 0, "array should be size 0 when no hooks");
+    }
+
+    //*********************************************************************//
+    // --------- Test 3: JBCashOuts bonding curve edge cases ------------ //
+    //*********************************************************************//
+
+    /// @notice When cashOutCount == totalSupply, the entire surplus should be returned regardless
+    ///         of the cashOutTaxRate.
+    function test_cashOuts_fullSupplyCashOut_returnsEntireSurplus() public pure {
+        uint256 surplus = 100 ether;
+        uint256 totalSupply = 1000e18;
+        uint256 cashOutCount = totalSupply; // Cashing out everything.
+
+        // Even with a high tax rate, cashing out the full supply returns the full surplus.
+        uint256 reclaimable = JBCashOuts.cashOutFrom({
+            surplus: surplus,
+            cashOutCount: cashOutCount,
+            totalSupply: totalSupply,
+            cashOutTaxRate: JBConstants.MAX_CASH_OUT_TAX_RATE / 2 // 50% tax
+        });
+
+        assertEq(reclaimable, surplus, "full supply cash out should return entire surplus");
+    }
+
+    /// @notice When cashOutTaxRate == MAX_CASH_OUT_TAX_RATE (10_000), the function should return 0.
+    function test_cashOuts_maxTaxRate_returnsZero() public pure {
+        uint256 surplus = 100 ether;
+        uint256 totalSupply = 1000e18;
+        uint256 cashOutCount = 500e18;
+
+        uint256 reclaimable = JBCashOuts.cashOutFrom({
+            surplus: surplus,
+            cashOutCount: cashOutCount,
+            totalSupply: totalSupply,
+            cashOutTaxRate: JBConstants.MAX_CASH_OUT_TAX_RATE // 100% tax
+        });
+
+        assertEq(reclaimable, 0, "max tax rate should return 0");
+    }
+
+    /// @notice When cashOutTaxRate == 0, the full linear proportion should be returned.
+    function test_cashOuts_zeroTaxRate_returnsLinear() public pure {
+        uint256 surplus = 100 ether;
+        uint256 totalSupply = 1000e18;
+        uint256 cashOutCount = 250e18; // 25% of supply.
+
+        uint256 reclaimable = JBCashOuts.cashOutFrom({
+            surplus: surplus, cashOutCount: cashOutCount, totalSupply: totalSupply, cashOutTaxRate: 0
+        });
+
+        // Linear: surplus * cashOutCount / totalSupply = 100 * 250 / 1000 = 25 ether.
+        assertEq(reclaimable, 25 ether, "zero tax should return linear proportion");
+    }
+
+    /// @notice Dust attack: very small cashOutCount that rounds to 0 reclaim.
+    function test_cashOuts_dustAttack_roundsToZero() public pure {
+        uint256 surplus = 1 ether; // 1e18
+        uint256 totalSupply = type(uint208).max; // Huge supply.
+        uint256 cashOutCount = 1; // Single token unit.
+
+        uint256 reclaimable = JBCashOuts.cashOutFrom({
+            surplus: surplus,
+            cashOutCount: cashOutCount,
+            totalSupply: totalSupply,
+            cashOutTaxRate: JBConstants.MAX_CASH_OUT_TAX_RATE / 2
+        });
+
+        // With huge totalSupply and tiny cashOutCount, the reclaim rounds to 0.
+        assertEq(reclaimable, 0, "dust amount should round to 0");
+    }
+
+    /// @notice Bonding curve invariant: sequential cash outs should never yield more total value
+    ///         than a single equivalent cash out, and vice versa (for the same total tokens).
+    /// @dev With a non-zero tax rate, the bonding curve penalizes early exiters relative to a
+    ///      single large exit. Verify that splitting a cash out into two parts returns <= the
+    ///      amount from a single combined cash out.
+    function test_cashOuts_sequentialVsSingle_invariant() public pure {
+        uint256 surplus = 100 ether;
+        uint256 totalSupply = 1000e18;
+        uint256 cashOutTaxRate = 5000; // 50%
+
+        // Single cash out of 500 tokens.
+        uint256 singleReclaim = JBCashOuts.cashOutFrom({
+            surplus: surplus, cashOutCount: 500e18, totalSupply: totalSupply, cashOutTaxRate: cashOutTaxRate
+        });
+
+        // Sequential: first cash out 250 tokens.
+        uint256 firstReclaim = JBCashOuts.cashOutFrom({
+            surplus: surplus, cashOutCount: 250e18, totalSupply: totalSupply, cashOutTaxRate: cashOutTaxRate
+        });
+
+        // After the first cash out, surplus and supply are reduced.
+        uint256 newSurplus = surplus - firstReclaim;
+        uint256 newTotalSupply = totalSupply - 250e18;
+
+        // Second cash out of remaining 250 tokens.
+        uint256 secondReclaim = JBCashOuts.cashOutFrom({
+            surplus: newSurplus, cashOutCount: 250e18, totalSupply: newTotalSupply, cashOutTaxRate: cashOutTaxRate
+        });
+
+        uint256 totalSequentialReclaim = firstReclaim + secondReclaim;
+
+        // The bonding curve with tax rate > 0 should give less to sequential cash outs than a
+        // single large one (or at most equal). This is because the first casher-out "leaves"
+        // some value in the pool for the remaining holders.
+        assertLe(
+            totalSequentialReclaim, singleReclaim, "sequential cash outs should not yield more than single equivalent"
+        );
+    }
+
+    /// @notice Fuzz the bonding curve: verify key properties across random inputs.
+    function testFuzz_cashOuts_properties(
+        uint256 surplus,
+        uint256 cashOutCount,
+        uint256 totalSupply,
+        uint16 cashOutTaxRate
+    )
+        public
+        pure
+    {
+        // Bound inputs to reasonable ranges.
+        surplus = bound(surplus, 1, 1e30);
+        totalSupply = bound(totalSupply, 1, type(uint208).max);
+        cashOutCount = bound(cashOutCount, 1, totalSupply);
+        cashOutTaxRate = uint16(bound(uint256(cashOutTaxRate), 0, JBConstants.MAX_CASH_OUT_TAX_RATE));
+
+        uint256 reclaimable = JBCashOuts.cashOutFrom({
+            surplus: surplus, cashOutCount: cashOutCount, totalSupply: totalSupply, cashOutTaxRate: cashOutTaxRate
+        });
+
+        // Property 1: reclaim should never exceed surplus.
+        assertLe(reclaimable, surplus, "reclaimable must not exceed surplus");
+
+        // Property 2: if cashOutCount == totalSupply and taxRate != MAX, reclaim == surplus.
+        if (cashOutCount == totalSupply && cashOutTaxRate != JBConstants.MAX_CASH_OUT_TAX_RATE) {
+            assertEq(reclaimable, surplus, "full redemption should return full surplus");
+        }
+
+        // Property 3: if cashOutTaxRate == MAX, reclaim == 0.
+        if (cashOutTaxRate == JBConstants.MAX_CASH_OUT_TAX_RATE) {
+            assertEq(reclaimable, 0, "max tax rate should always return 0");
+        }
+    }
+
+    //*********************************************************************//
+    // -------- Test 4: JBMultiTerminal balance invariants --------------- //
+    //*********************************************************************//
+
+    /// @notice After pay + cashOut, the terminal balance + amounts sent out should equal the
+    ///         original amount paid in (accounting for fees).
+    function test_terminal_balanceInvariant_payAndCashOut() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 5000, reservedPercent: 0});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        uint112 payAmount = 10 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        // Pay the project.
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "test",
+            metadata: new bytes(0)
+        });
+
+        // Verify terminal balance equals the payment amount.
+        uint256 terminalBalance = jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+        assertEq(terminalBalance, payAmount, "terminal balance should equal pay amount");
+
+        // Get beneficiary token balance.
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        assertGt(tokenBalance, 0, "beneficiary should have tokens");
+
+        // Record beneficiary ETH balance before cash out.
+        uint256 ethBefore = _beneficiary.balance;
+
+        // Cash out all tokens.
+        vm.prank(_beneficiary);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _beneficiary,
+            projectId: projectId,
+            cashOutCount: tokenBalance,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_beneficiary),
+            metadata: new bytes(0)
+        });
+
+        uint256 ethReceived = _beneficiary.balance - ethBefore;
+        assertEq(ethReceived, reclaimAmount, "ETH received should match reclaim amount");
+
+        // After cash out, the terminal balance should be reduced by the gross reclaim amount
+        // (which includes the fee portion that stays in the terminal for the fee project).
+        uint256 terminalBalanceAfter =
+            jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+
+        // Balance invariant: terminal balance after + gross reclaim == terminal balance before.
+        // The gross reclaim includes the fee, which goes to the fee project's balance in the same
+        // terminal. So we check: terminalBalanceAfter + reclaimAmount + fee == payAmount.
+        // Since fee = grossReclaim - netReclaim, and grossReclaim is deducted from balance:
+        // terminalBalanceAfter <= payAmount (always).
+        assertLe(terminalBalanceAfter, payAmount, "balance after should not exceed pay amount");
+
+        // When cashing out 100% of supply, the bonding curve returns the full surplus
+        // regardless of tax rate. The fee is taken from the reclaim, so the project's
+        // balance goes to 0, and the fee project receives the fee portion.
+        // terminalBalanceAfter == 0 for the project is expected when cashing out full supply.
+    }
+
+    /// @notice Verify that surplus calculation correctly excludes payout limits.
+    function test_terminal_surplusExcludesPayoutLimit() public {
+        uint224 payoutLimit = 5 ether;
+        uint256 projectId = _launchProjectWithPayoutLimit({cashOutTaxRate: 0, payoutLimit: payoutLimit});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        uint112 payAmount = 20 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        // Pay the project.
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "test",
+            metadata: new bytes(0)
+        });
+
+        // The surplus should be payAmount - payoutLimit = 15 ether.
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        uint256 surplus = jbTerminalStore()
+            .currentSurplusOf({
+                terminal: address(_terminal),
+                projectId: projectId,
+                accountingContexts: contexts,
+                decimals: 18,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+            });
+
+        assertEq(surplus, payAmount - payoutLimit, "surplus should be pay amount minus payout limit");
+    }
+
+    /// @notice Verify that hook specifications cannot exceed the payment amount.
+    /// @dev The terminal store checks that the sum of hook specification amounts does not exceed
+    ///      the payment value. We test this by verifying the error exists in the logic.
+    function test_terminal_hookSpecsCannotExceedPayment() public pure {
+        // This test verifies the check at JBTerminalStore line 679:
+        // `if (specifiedAmount > balanceDiff) revert JBTerminalStore_InvalidAmountToForwardHook(...)`
+        //
+        // The invariant is that the sum of all hook spec amounts cannot exceed the original payment.
+        // This is enforced by the terminal store, not by the terminal itself.
+        //
+        // We verify this property by checking the JBCashOuts library directly: the reclaimable
+        // amount is always bounded by the surplus.
+        uint256 surplus = 10 ether;
+        uint256 reclaimable =
+            JBCashOuts.cashOutFrom({surplus: surplus, cashOutCount: 500e18, totalSupply: 1000e18, cashOutTaxRate: 0});
+
+        // With 0 tax rate and 50% of supply, should get 50% of surplus.
+        assertEq(reclaimable, 5 ether, "should get 50% of surplus");
+        assertLe(reclaimable, surplus, "reclaimable should never exceed surplus");
+    }
+
+    /// @notice Full integration: pay, send payouts (up to limit), then cash out remaining surplus.
+    function test_terminal_payPayoutCashOut_fullCycle() public {
+        uint224 payoutLimit = 3 ether;
+        uint256 projectId = _launchProjectWithPayoutLimit({
+            cashOutTaxRate: 0, // No tax so we can verify exact amounts.
+            payoutLimit: payoutLimit
+        });
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        uint112 payAmount = 10 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        // Pay the project.
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "pay",
+            metadata: new bytes(0)
+        });
+
+        // Send payouts (up to the 3 ETH limit).
+        vm.prank(_projectOwner);
+        uint256 amountPaidOut = _terminal.sendPayoutsOf({
+            projectId: projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            minTokensPaidOut: 0
+        });
+
+        // Payouts should be approximately the payout limit (minus fees paid to the fee project).
+        assertGt(amountPaidOut, 0, "should have paid out something");
+
+        // Terminal balance should have decreased.
+        uint256 terminalBalanceAfterPayout =
+            jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+        assertLt(terminalBalanceAfterPayout, payAmount, "balance should decrease after payout");
+
+        // Cash out all remaining tokens.
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        vm.prank(_beneficiary);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _beneficiary,
+            projectId: projectId,
+            cashOutCount: tokenBalance,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_beneficiary),
+            metadata: new bytes(0)
+        });
+
+        // After full cash out (0 tax rate, cashing out 100% of supply), the entire remaining
+        // surplus should be returned.
+        uint256 terminalBalanceAfterCashOut =
+            jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+
+        // With 0 tax and full supply cash out, project balance should be 0 (all surplus returned).
+        assertEq(terminalBalanceAfterCashOut, 0, "project balance should be 0 after full cashout");
+    }
+
+    //*********************************************************************//
+    // -------------- Test 5: JBTokens supply invariant ----------------- //
+    //*********************************************************************//
+
+    /// @notice Verify that totalSupplyOf == totalCreditSupplyOf + token.totalSupply().
+    function test_tokens_supplyInvariant_afterPay() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        uint112 payAmount = 5 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "supply test",
+            metadata: new bytes(0)
+        });
+
+        // After payment, tokens are minted. If ERC20 is deployed, they are minted as ERC20 (not credits).
+        uint256 totalSupply = _tokens.totalSupplyOf(projectId);
+        uint256 totalCreditSupply = _tokens.totalCreditSupplyOf(projectId);
+        IJBToken token = _tokens.tokenOf(projectId);
+
+        uint256 erc20Supply = token != IJBToken(address(0)) ? token.totalSupply() : 0;
+
+        assertEq(
+            totalSupply,
+            totalCreditSupply + erc20Supply,
+            "totalSupplyOf must equal totalCreditSupplyOf + token.totalSupply()"
+        );
+
+        // Also verify beneficiary balance consistency.
+        uint256 beneficiaryTotal = _tokens.totalBalanceOf(_beneficiary, projectId);
+        uint256 beneficiaryCredits = _tokens.creditBalanceOf(_beneficiary, projectId);
+        uint256 beneficiaryErc20 = token != IJBToken(address(0)) ? token.balanceOf(_beneficiary) : 0;
+
+        assertEq(
+            beneficiaryTotal, beneficiaryCredits + beneficiaryErc20, "totalBalanceOf must equal credits + ERC20 balance"
+        );
+    }
+
+    /// @notice Verify supply invariant when paying BEFORE deploying ERC20 (credits only).
+    function test_tokens_supplyInvariant_creditsOnly() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        // Do NOT deploy ERC20 yet -- tokens will be minted as credits.
+
+        uint112 payAmount = 5 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "credits test",
+            metadata: new bytes(0)
+        });
+
+        // Since no ERC20 is deployed, all tokens should be credits.
+        uint256 totalSupply = _tokens.totalSupplyOf(projectId);
+        uint256 totalCreditSupply = _tokens.totalCreditSupplyOf(projectId);
+
+        assertEq(totalSupply, totalCreditSupply, "with no ERC20, total supply should equal credit supply");
+        assertEq(
+            _tokens.creditBalanceOf(_beneficiary, projectId), totalCreditSupply, "all credits belong to beneficiary"
+        );
+    }
+
+    /// @notice Verify that claimTokensFor does not create or destroy tokens: it converts credits
+    ///         to ERC20 tokens 1:1, maintaining the total supply invariant.
+    function test_tokens_claimTokens_preservesSupply() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        // Pay first (without ERC20 deployed, so credits are minted).
+        uint112 payAmount = 5 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "claim test",
+            metadata: new bytes(0)
+        });
+
+        uint256 totalSupplyBefore = _tokens.totalSupplyOf(projectId);
+        uint256 creditsBefore = _tokens.creditBalanceOf(_beneficiary, projectId);
+        assertGt(creditsBefore, 0, "beneficiary should have credits");
+
+        // Now deploy ERC20.
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        // Claim all credits as ERC20 tokens.
+        vm.prank(_beneficiary);
+        _controller.claimTokensFor({
+            holder: _beneficiary, projectId: projectId, tokenCount: creditsBefore, beneficiary: _beneficiary
+        });
+
+        // After claiming, credits should be 0 and ERC20 balance should equal former credits.
+        uint256 creditsAfter = _tokens.creditBalanceOf(_beneficiary, projectId);
+        assertEq(creditsAfter, 0, "credits should be 0 after claiming");
+
+        IJBToken token = _tokens.tokenOf(projectId);
+        uint256 erc20Balance = token.balanceOf(_beneficiary);
+        assertEq(erc20Balance, creditsBefore, "ERC20 balance should equal former credits");
+
+        // Total supply should be unchanged.
+        uint256 totalSupplyAfter = _tokens.totalSupplyOf(projectId);
+        assertEq(totalSupplyAfter, totalSupplyBefore, "total supply must not change after claiming");
+
+        // Credit supply should be 0.
+        uint256 creditSupplyAfter = _tokens.totalCreditSupplyOf(projectId);
+        assertEq(creditSupplyAfter, 0, "credit supply should be 0 after claiming all");
+
+        // Final invariant check.
+        assertEq(totalSupplyAfter, creditSupplyAfter + token.totalSupply(), "totalSupply == creditSupply + erc20Supply");
+    }
+
+    /// @notice Verify supply invariant with multiple holders.
+    function test_tokens_supplyInvariant_multipleHolders() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        address holder1 = address(0x1001);
+        address holder2 = address(0x1002);
+        address holder3 = address(0x1003);
+
+        vm.deal(holder1, 3 ether);
+        vm.deal(holder2, 5 ether);
+        vm.deal(holder3, 7 ether);
+
+        // Three payments from different holders.
+        vm.prank(holder1);
+        _terminal.pay{value: 3 ether}({
+            projectId: projectId,
+            amount: 3 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: holder1,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        vm.prank(holder2);
+        _terminal.pay{value: 5 ether}({
+            projectId: projectId,
+            amount: 5 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: holder2,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        vm.prank(holder3);
+        _terminal.pay{value: 7 ether}({
+            projectId: projectId,
+            amount: 7 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: holder3,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        // Verify that the sum of all individual balances equals the total supply.
+        uint256 bal1 = _tokens.totalBalanceOf(holder1, projectId);
+        uint256 bal2 = _tokens.totalBalanceOf(holder2, projectId);
+        uint256 bal3 = _tokens.totalBalanceOf(holder3, projectId);
+        uint256 totalSupply = _tokens.totalSupplyOf(projectId);
+
+        assertEq(bal1 + bal2 + bal3, totalSupply, "sum of balances must equal total supply");
+
+        // Verify the invariant.
+        uint256 creditSupply = _tokens.totalCreditSupplyOf(projectId);
+        IJBToken token = _tokens.tokenOf(projectId);
+        uint256 erc20Supply = token.totalSupply();
+
+        assertEq(totalSupply, creditSupply + erc20Supply, "totalSupply == creditSupply + erc20Supply");
+    }
+
+    /// @notice Burn tokens and verify supply invariant is maintained.
+    function test_tokens_supplyInvariant_afterBurn() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        uint112 payAmount = 10 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "burn test",
+            metadata: new bytes(0)
+        });
+
+        uint256 totalSupplyBefore = _tokens.totalSupplyOf(projectId);
+        uint256 burnAmount = totalSupplyBefore / 3;
+
+        // Burn some tokens.
+        vm.prank(_beneficiary);
+        _controller.burnTokensOf({holder: _beneficiary, projectId: projectId, tokenCount: burnAmount, memo: "burning"});
+
+        uint256 totalSupplyAfter = _tokens.totalSupplyOf(projectId);
+        assertEq(totalSupplyAfter, totalSupplyBefore - burnAmount, "supply should decrease by burn amount");
+
+        // Invariant still holds.
+        uint256 creditSupply = _tokens.totalCreditSupplyOf(projectId);
+        IJBToken token = _tokens.tokenOf(projectId);
+        uint256 erc20Supply = token.totalSupply();
+        assertEq(totalSupplyAfter, creditSupply + erc20Supply, "invariant: totalSupply == creditSupply + erc20Supply");
+    }
+
+    //*********************************************************************//
+    // ====== CRITICAL EXPLOIT PoC TESTS ================================ //
+    //*********************************************************************//
+
+    //*********************************************************************//
+    // --- [C-5] Zero-Supply Cash Out Drains Entire Surplus ------------- //
+    //*********************************************************************//
+
+    /// @notice PoC: When totalSupply == 0 and surplus > 0, calling cashOutTokensOf with
+    ///         cashOutCount = 0 returns the ENTIRE surplus without burning any tokens.
+    /// @dev Attack flow:
+    ///      1. Project is funded via addToBalanceOf (no tokens minted)
+    ///      2. Attacker calls cashOutTokensOf with cashOutCount=0
+    ///      3. JBCashOuts.cashOutFrom: 0 >= 0 → true → returns full surplus
+    ///      4. JBMultiTerminal: cashOutCount != 0 is false → no burn
+    ///      5. Attacker receives full surplus minus fee
+    function test_C5_zeroSupplyCashOut_drainsEntireSurplus() public {
+        // --- Setup: create a project with 0% cash out tax ---
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        // --- Fund the project via addToBalanceOf (this does NOT mint tokens) ---
+        uint256 fundAmount = 10 ether;
+        vm.deal(address(this), fundAmount);
+
+        _terminal.addToBalanceOf{value: fundAmount}({
+            projectId: projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: fundAmount,
+            shouldReturnHeldFees: false,
+            memo: "Funding treasury without minting tokens",
+            metadata: new bytes(0)
+        });
+
+        // --- Verify preconditions ---
+        // Terminal balance == fundAmount
+        uint256 terminalBalance = jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+        assertEq(terminalBalance, fundAmount, "terminal should hold the funded amount");
+
+        // Total supply == 0 (no tokens minted via addToBalanceOf)
+        uint256 totalSupply = _tokens.totalSupplyOf(projectId);
+        assertEq(totalSupply, 0, "total supply should be 0 - no tokens were minted");
+
+        // --- Verify the library-level fix ---
+        // After fix: cashOutCount == 0 → early return 0
+        uint256 reclaimFromLibrary =
+            JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
+        assertEq(reclaimFromLibrary, 0, "FIX CONFIRMED: cashOutFrom(surplus, 0, 0, rate) returns 0");
+
+        // --- Verify the exploit is now blocked ---
+        address attacker = makeAddr("attacker");
+
+        uint256 attackerEthBefore = attacker.balance;
+
+        // Attacker calls cashOutTokensOf with cashOutCount=0.
+        // After fix: they burn 0 tokens and receive nothing.
+        vm.prank(attacker);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: attacker,
+            projectId: projectId,
+            cashOutCount: 0,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(attacker),
+            metadata: new bytes(0)
+        });
+
+        uint256 attackerEthAfter = attacker.balance;
+        uint256 ethReceived = attackerEthAfter - attackerEthBefore;
+
+        // --- Verify the exploit is blocked ---
+        assertEq(reclaimAmount, 0, "FIX: attacker receives nothing when cashing out 0 tokens");
+        assertEq(ethReceived, 0, "FIX: no ETH transferred to attacker");
+
+        // Terminal balance should be unchanged — not drained.
+        uint256 terminalBalanceAfter =
+            jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+        assertEq(terminalBalanceAfter, fundAmount, "FIX: terminal balance preserved");
+
+        // Attacker never had any tokens.
+        uint256 attackerTokens = _tokens.totalBalanceOf(attacker, projectId);
+        assertEq(attackerTokens, 0, "attacker never held any tokens");
+    }
+
+    /// @notice PoC variant: Same attack but with a cash out tax rate.
+    ///         Even with a tax, the attacker drains surplus (fee goes to project #1).
+    function test_C5_zeroSupplyCashOut_withTaxRate() public {
+        // 50% cash out tax rate
+        uint256 projectId = _launchProject({cashOutTaxRate: 5000, reservedPercent: 0});
+
+        uint256 fundAmount = 10 ether;
+        vm.deal(address(this), fundAmount);
+
+        _terminal.addToBalanceOf{value: fundAmount}({
+            projectId: projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: fundAmount,
+            shouldReturnHeldFees: false,
+            memo: "Funding treasury",
+            metadata: new bytes(0)
+        });
+
+        // Verify: total supply is 0.
+        assertEq(_tokens.totalSupplyOf(projectId), 0, "total supply should be 0");
+
+        // After fix: cashOutCount == 0 → early return 0, regardless of tax rate.
+        uint256 reclaimFromLibrary =
+            JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 5000});
+        assertEq(reclaimFromLibrary, 0, "FIX: 0 returned even with 50% tax when cashOutCount=0");
+
+        // Verify exploit is blocked.
+        address attacker = makeAddr("attacker");
+        uint256 attackerEthBefore = attacker.balance;
+
+        vm.prank(attacker);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: attacker,
+            projectId: projectId,
+            cashOutCount: 0,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(attacker),
+            metadata: new bytes(0)
+        });
+
+        uint256 ethReceived = attacker.balance - attackerEthBefore;
+
+        // After fix: attacker gets nothing.
+        assertEq(ethReceived, 0, "FIX: attacker receives nothing with 0 tokens burned");
+        assertEq(reclaimAmount, 0, "FIX: reclaim is 0");
+    }
+
+    /// @notice PoC variant: Repeatable attack. After all tokens are burned, attacker drains surplus.
+    function test_C5_zeroSupplyCashOut_afterAllTokensBurned() public {
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        // Legitimate user pays 10 ETH, gets tokens.
+        uint112 payAmount = 10 ether;
+        vm.deal(_beneficiary, payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: payAmount}({
+            projectId: projectId,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "legitimate payment",
+            metadata: new bytes(0)
+        });
+
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        assertGt(tokenBalance, 0, "beneficiary should have tokens");
+
+        // Beneficiary burns ALL their tokens (not cashing out — just burning).
+        vm.prank(_beneficiary);
+        _controller.burnTokensOf({
+            holder: _beneficiary, projectId: projectId, tokenCount: tokenBalance, memo: "burning all"
+        });
+
+        // Now: totalSupply == 0, but terminal still has 10 ETH balance.
+        assertEq(_tokens.totalSupplyOf(projectId), 0, "total supply should be 0 after burn");
+
+        uint256 terminalBalance = jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
+        assertEq(terminalBalance, payAmount, "terminal should still hold 10 ETH");
+
+        // Attacker tries to exploit the zero-supply state.
+        address attacker = makeAddr("attacker");
+
+        vm.prank(attacker);
+        uint256 stolen = _terminal.cashOutTokensOf({
+            holder: attacker,
+            projectId: projectId,
+            cashOutCount: 0,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(attacker),
+            metadata: new bytes(0)
+        });
+
+        // After fix: cashing out 0 tokens returns 0, treasury is safe.
+        assertEq(stolen, 0, "FIX: attacker cannot steal funds after tokens were burned");
+        assertEq(attacker.balance, 0, "FIX: attacker receives no ETH");
+    }
+
+    //*********************************************************************//
+    // --- [C-2] REVDeployer.beforePayRecordedWith Array OOB (Enhanced)-- //
+    //*********************************************************************//
+
+    /// @notice PoC: Demonstrates the exact Solidity panic that occurs in REVDeployer when
+    ///         usesTiered721Hook=false and usesBuybackHook=true.
+    ///         This mirrors REVDeployer.sol lines 248-258 exactly.
+    function test_C2_beforePayRecordedWith_fullOOBPattern() public {
+        // Simulate all 4 combinations and verify only the problematic one reverts.
+        bool[4] memory tiered = [false, true, false, true];
+        bool[4] memory buyback = [false, false, true, true];
+        bool[4] memory shouldRevert = [false, false, true, false];
+
+        for (uint256 i; i < 4; i++) {
+            bool usesT = tiered[i];
+            bool usesB = buyback[i];
+
+            uint256 size = (usesT ? 1 : 0) + (usesB ? 1 : 0);
+            JBPayHookSpecification[] memory specs = new JBPayHookSpecification[](size);
+
+            // Replicate REVDeployer logic exactly:
+            // if (usesTiered721Hook) hookSpecifications[0] = ...
+            if (usesT) {
+                specs[0] = JBPayHookSpecification({hook: IJBPayHook(address(0xdead)), amount: 1 ether, metadata: ""});
+            }
+
+            // if (usesBuybackHook) hookSpecifications[1] = ... // ALWAYS index 1!
+            if (usesB) {
+                if (shouldRevert[i]) {
+                    // This case: usesT=false, usesB=true → size=1, writing to [1] → PANIC
+                    vm.expectRevert();
+                    this.externalWriteToIndex1(specs);
+                } else {
+                    // usesT=true, usesB=true → size=2, writing to [1] → OK
+                    specs[1] =
+                        JBPayHookSpecification({hook: IJBPayHook(address(0xbeef)), amount: 2 ether, metadata: ""});
+                }
+            }
+        }
+    }
+
+    //*********************************************************************//
+    // --- [C-4] REVDeployer.hasMintPermissionFor address(0) call ------- //
+    //*********************************************************************//
+
+    /// @notice PoC: Demonstrates that calling a function on address(0) reverts.
+    ///         This mirrors REVDeployer.sol line 353 where buybackHook.hasMintPermissionFor(...)
+    ///         is called when buybackHookOf[revnetId] == address(0).
+    function test_C4_hasMintPermissionFor_callOnAddressZero() public {
+        // The bug is in the short-circuit evaluation of:
+        //   addr == loansOf[revnetId]              // false (addr is some real address)
+        //   || addr == address(buybackHook)         // false (buybackHook is address(0), addr is not)
+        //   || buybackHook.hasMintPermissionFor(...) // REVERTS — calling on address(0)
+        //   || _isSuckerOf(...)                      // never reached
+
+        // Demonstrate that calling an interface method on address(0) reverts.
+        address zeroAddress = address(0);
+
+        // In Solidity, calling a function on address(0) makes a call to the zero address.
+        // Since there's no contract deployed there, the call returns empty data.
+        // For an external view call expecting a bool return, Solidity's ABI decoder reverts
+        // on empty return data.
+        vm.expectRevert();
+        this.externalCallHasMintPermissionOnZero(zeroAddress);
+    }
+
+    /// @notice External helper to trigger the address(0) call.
+    function externalCallHasMintPermissionOnZero(address target) external view {
+        // This simulates buybackHook.hasMintPermissionFor(revnetId, ruleset, addr)
+        // where buybackHook == address(0).
+
+        // Construct the call data for IJBRulesetDataHook.hasMintPermissionFor
+        JBRuleset memory dummyRuleset;
+        dummyRuleset.id = 1;
+
+        // Low-level call to address(0) — will return empty bytes, causing decode to fail.
+        (bool success, bytes memory data) = target.staticcall(
+            abi.encodeWithSelector(IJBRulesetDataHook.hasMintPermissionFor.selector, 1, dummyRuleset, address(0x1234))
+        );
+
+        // The call succeeds (returns false from empty contract) but has no return data.
+        // Solidity's interface-based call would revert because it expects abi-encoded bool.
+        if (success && data.length < 32) {
+            revert("C-4 confirmed: call to address(0) returns empty data, ABI decode reverts");
+        }
+        if (!success) {
+            revert("C-4 confirmed: call to address(0) reverted directly");
+        }
+    }
+
+    //*********************************************************************//
+    // --- [C-1] REVLoans uint112 Truncation Pattern -------------------- //
+    //*********************************************************************//
+
+    /// @notice PoC: Demonstrates silent uint112 truncation.
+    ///         This mirrors REVLoans.sol lines 922-923 where:
+    ///           loan.amount = uint112(newBorrowAmount);
+    ///           loan.collateral = uint112(newCollateralCount);
+    function test_C1_uint112SilentTruncation() public pure {
+        // Values that exceed uint112.max
+        uint256 hugeCollateral = uint256(type(uint112).max) + 1000 ether;
+        uint256 hugeBorrow = uint256(type(uint112).max) + 500 ether;
+
+        // Silent truncation — Solidity 0.8.x does NOT revert on explicit downcasts!
+        uint112 truncatedCollateral = uint112(hugeCollateral);
+        uint112 truncatedBorrow = uint112(hugeBorrow);
+
+        // The truncated values are dramatically smaller.
+        assertLt(uint256(truncatedCollateral), hugeCollateral, "collateral was silently truncated");
+        assertLt(uint256(truncatedBorrow), hugeBorrow, "borrow amount was silently truncated");
+
+        // Quantify the loss: the attacker deposited hugeCollateral but the loan only records
+        // the truncated amount. The difference is permanently lost from the attacker's perspective,
+        // but the attacker already received the full borrow amount.
+        uint256 collateralLoss = hugeCollateral - uint256(truncatedCollateral);
+        uint256 borrowProfit = hugeBorrow - uint256(truncatedBorrow);
+
+        // The attacker profits by (hugeBorrow - truncatedBorrow) in surplus extraction:
+        // They received `hugeBorrow` worth of tokens but only need to repay `truncatedBorrow`.
+        assertGt(borrowProfit, 0, "attacker profits from truncation");
+        assertGt(collateralLoss, 0, "collateral accounting is corrupted");
+
+        // Demonstrate the exploit math:
+        // If attacker repays truncatedBorrow (tiny), they get back truncatedCollateral (tiny).
+        // But they already received hugeBorrow worth of funds from the surplus.
+        // Net theft = hugeBorrow - truncatedBorrow
+        assertGt(borrowProfit, 999 ether, "EXPLOIT: attacker steals >999 ETH from truncation of 1000 ETH overflow");
+    }
+
+    //*********************************************************************//
+    // --- [C-3] REVLoans Reentrancy Pattern ----------------------------- //
+    //*********************************************************************//
+
+    /// @notice PoC: Demonstrates the CEI violation pattern in REVLoans._adjust.
+    ///         The contract makes external calls (useAllowanceOf, feeTerminal.pay, _transferFrom)
+    ///         BEFORE writing loan.amount and loan.collateral at lines 921-923.
+    ///
+    ///         This test demonstrates the reentrancy window using a mock contract.
+    ///
+    /// @dev The actual exploit requires a full REVLoans deployment which is in revnet-core-v5.
+    ///      This test demonstrates the PATTERN: external call before state write.
+    function test_C3_reentrancyPattern_externalCallBeforeStateWrite() public {
+        // Deploy a mock "victim" contract that follows the vulnerable pattern.
+        ReentrancyVictim victim = new ReentrancyVictim();
+
+        // Fund the victim.
+        vm.deal(address(victim), 20 ether);
+
+        // Deploy the attacker.
+        ReentrancyAttacker attacker = new ReentrancyAttacker(victim);
+
+        // The attacker borrows. The victim sends ETH before updating state.
+        // The attacker re-enters during the ETH transfer and borrows again
+        // against the stale state.
+        attacker.attack();
+
+        // The attacker extracted more than they should have.
+        assertGt(
+            address(attacker).balance,
+            10 ether,
+            "EXPLOIT: attacker extracted more than single borrow allows (re-entered)"
+        );
+
+        // The victim was drained below expected.
+        assertLt(address(victim).balance, 10 ether, "victim was over-drained");
+    }
+
+    //*********************************************************************//
+    // --- [M-1] Held Fee Reentrancy ----------------------------------- //
+    //*********************************************************************//
+
+    /// @notice PoC: Verifies that the M-1 held fee reentrancy fix works correctly.
+    ///         A reentrant fee terminal calls back into processHeldFeesOf during pay().
+    ///         Before the fix, the same fee would be processed twice. After the fix,
+    ///         the index is advanced before the external call (CEI pattern), so the
+    ///         reentrant call processes zero fees.
+    function test_M1_heldFeeReentrancy_blocked() public {
+        // --- Step 1: Launch fee project (project #1) with the standard terminal ---
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        JBRulesetConfig[] memory feeRulesetConfig = new JBRulesetConfig[](1);
+        feeRulesetConfig[0].mustStartAtOrAfter = 0;
+        feeRulesetConfig[0].duration = 0;
+        feeRulesetConfig[0].weight = _weight;
+        feeRulesetConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: true,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        feeRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        feeRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        address feeProjectOwner = makeAddr("feeProjectOwner");
+        uint256 feeProjectId = _controller.launchProjectFor({
+            owner: feeProjectOwner,
+            projectUri: "feeProject",
+            rulesetConfigurations: feeRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+        assertEq(feeProjectId, 1, "fee project should be #1");
+
+        // --- Step 2: Launch test project with holdFees=true and surplus allowance ---
+        JBRulesetMetadata memory testMetadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: true, // KEY: hold fees so we can process them later
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory surplusAllowances = new JBCurrencyAmount[](1);
+        surplusAllowances[0] = JBCurrencyAmount({amount: 10 ether, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimits = new JBFundAccessLimitGroup[](1);
+        fundAccessLimits[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: new JBCurrencyAmount[](0),
+            surplusAllowances: surplusAllowances
+        });
+
+        JBRulesetConfig[] memory testRulesetConfig = new JBRulesetConfig[](1);
+        testRulesetConfig[0].mustStartAtOrAfter = 0;
+        testRulesetConfig[0].duration = 0;
+        testRulesetConfig[0].weight = _weight;
+        testRulesetConfig[0].metadata = testMetadata;
+        testRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        testRulesetConfig[0].fundAccessLimitGroups = fundAccessLimits;
+
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: testRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // --- Step 3: Fund the project and use allowance twice to create 2 held fees ---
+        vm.deal(address(this), 10 ether);
+        _terminal.pay{value: 10 ether}({
+            projectId: projectId,
+            amount: 10 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "fund",
+            metadata: new bytes(0)
+        });
+
+        // Use allowance to create held fees (holdFees=true means fee is held, not processed immediately).
+        vm.startPrank(_projectOwner);
+        _terminal.useAllowanceOf({
+            projectId: projectId,
+            amount: 1 ether,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0,
+            beneficiary: payable(_projectOwner),
+            feeBeneficiary: payable(_projectOwner),
+            memo: "allowance1"
+        });
+        _terminal.useAllowanceOf({
+            projectId: projectId,
+            amount: 1 ether,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0,
+            beneficiary: payable(_projectOwner),
+            feeBeneficiary: payable(_projectOwner),
+            memo: "allowance2"
+        });
+        vm.stopPrank();
+
+        // Verify 2 held fees exist.
+        JBFee[] memory heldFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(heldFees.length, 2, "should have 2 held fees");
+
+        // --- Step 4: Deploy reentrant fee terminal and set it as primary for fee project ---
+        ReentrantFeeTerminal reentrantTerminal =
+            new ReentrantFeeTerminal(_terminal, projectId, JBConstants.NATIVE_TOKEN);
+
+        // Set the reentrant terminal as a terminal + primary terminal for fee project.
+        IJBTerminal[] memory newTerminals = new IJBTerminal[](2);
+        newTerminals[0] = _terminal; // Keep original
+        newTerminals[1] = IJBTerminal(address(reentrantTerminal));
+
+        vm.startPrank(feeProjectOwner);
+        jbDirectory().setTerminalsOf(feeProjectId, newTerminals);
+        jbDirectory()
+            .setPrimaryTerminalOf(feeProjectId, JBConstants.NATIVE_TOKEN, IJBTerminal(address(reentrantTerminal)));
+        vm.stopPrank();
+
+        // --- Step 5: Warp past fee holding period and process ---
+        vm.warp(block.timestamp + 2_419_200 + 1); // 28 days + 1 second
+
+        // Record terminal ETH before processing.
+        uint256 terminalBalanceBefore = address(_terminal).balance;
+
+        // Process both held fees.
+        _terminal.processHeldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+
+        // --- Step 6: Verify the fix ---
+        // The reentrant terminal's pay() was called for each fee.
+        // On the first call, it reentered processHeldFeesOf.
+        // With the fix (CEI): the reentrant call sees the index already advanced,
+        // so it only processes the remaining fees (not the same fee again).
+        // Total pay calls should be exactly 2 (one per held fee), not 3+ (which would indicate double-processing).
+        assertEq(
+            reentrantTerminal.payCallCount(), 2, "M-1 FIX: exactly 2 pay calls (no double-processing from reentrancy)"
+        );
+
+        // Held fees should all be consumed.
+        JBFee[] memory remainingFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(remainingFees.length, 0, "all held fees should be processed");
+    }
+
+    /// @notice Verify processHeldFeesOf correctly handles partial unlock (some locked, some unlocked).
+    function test_M1_partialLockedFees() public {
+        // Launch fee project.
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        JBRulesetConfig[] memory feeRulesetConfig = new JBRulesetConfig[](1);
+        feeRulesetConfig[0].mustStartAtOrAfter = 0;
+        feeRulesetConfig[0].duration = 0;
+        feeRulesetConfig[0].weight = _weight;
+        feeRulesetConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        feeRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        feeRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _controller.launchProjectFor({
+            owner: makeAddr("feeOwner"),
+            projectUri: "fee",
+            rulesetConfigurations: feeRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Launch test project with holdFees.
+        JBRulesetMetadata memory testMetadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: true,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory surplusAllowances = new JBCurrencyAmount[](1);
+        surplusAllowances[0] = JBCurrencyAmount({amount: 10 ether, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimits = new JBFundAccessLimitGroup[](1);
+        fundAccessLimits[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: new JBCurrencyAmount[](0),
+            surplusAllowances: surplusAllowances
+        });
+
+        JBRulesetConfig[] memory testRulesetConfig = new JBRulesetConfig[](1);
+        testRulesetConfig[0].mustStartAtOrAfter = 0;
+        testRulesetConfig[0].duration = 0;
+        testRulesetConfig[0].weight = _weight;
+        testRulesetConfig[0].metadata = testMetadata;
+        testRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        testRulesetConfig[0].fundAccessLimitGroups = fundAccessLimits;
+
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: testRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Fund and create first held fee.
+        vm.deal(address(this), 10 ether);
+        _terminal.pay{value: 10 ether}({
+            projectId: projectId,
+            amount: 10 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "fund",
+            metadata: new bytes(0)
+        });
+
+        vm.prank(_projectOwner);
+        _terminal.useAllowanceOf({
+            projectId: projectId,
+            amount: 1 ether,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0,
+            beneficiary: payable(_projectOwner),
+            feeBeneficiary: payable(_projectOwner),
+            memo: "allowance1"
+        });
+
+        // Warp 14 days (halfway through holding period).
+        vm.warp(block.timestamp + 14 days);
+
+        // Create second held fee (this one will be locked when we process at day 28).
+        vm.prank(_projectOwner);
+        _terminal.useAllowanceOf({
+            projectId: projectId,
+            amount: 1 ether,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0,
+            beneficiary: payable(_projectOwner),
+            feeBeneficiary: payable(_projectOwner),
+            memo: "allowance2"
+        });
+
+        // Verify 2 held fees.
+        JBFee[] memory heldFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(heldFees.length, 2, "should have 2 held fees");
+
+        // Warp to 28 days + 1 from the start (first fee unlocked, second still locked 14 more days).
+        vm.warp(block.timestamp + 14 days + 1);
+
+        // Process all — should only process the first (unlocked) fee and stop at the second (locked).
+        _terminal.processHeldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+
+        // Only 1 fee should remain (the locked one).
+        JBFee[] memory remainingFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(remainingFees.length, 1, "one fee should still be locked");
+
+        // Warp past second fee's unlock.
+        vm.warp(block.timestamp + 14 days + 1);
+
+        // Process the remaining fee.
+        _terminal.processHeldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+
+        // All fees processed.
+        JBFee[] memory finalFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(finalFees.length, 0, "all fees should be processed");
+    }
+
+    //*********************************************************************//
+    // --- [H-3] Approval Hook Revert DoS (NEW - no test existed) ------- //
+    //*********************************************************************//
+
+    /// @notice PoC: A malicious approval hook that reverts on approvalStatusOf() causes
+    ///         currentOf() to revert when the NEXT ruleset (queued or auto-cycled) needs
+    ///         approval from the hook. This permanently freezes the project.
+    ///         Affects JBRulesets (NOT fixed).
+    function test_H3_approvalHookRevertDoS() public {
+        // Deploy a malicious approval hook that always reverts
+        MaliciousApprovalHook maliciousHook = new MaliciousApprovalHook();
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        // Launch fee collector
+        JBRulesetConfig[] memory feeConfig = new JBRulesetConfig[](1);
+        feeConfig[0].mustStartAtOrAfter = 0;
+        feeConfig[0].duration = 0;
+        feeConfig[0].weight = 1000e18;
+        feeConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        feeConfig[0].splitGroups = new JBSplitGroup[](0);
+        feeConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: feeConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Launch project with FIRST ruleset that has the malicious hook (30-day duration).
+        // The hook is on the FIRST ruleset - it gates approval of any NEXT ruleset.
+        // When the first ruleset expires and auto-cycles, _approvalStatusOf is called
+        // on the auto-cycled ruleset, which queries the FIRST ruleset's approval hook.
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 30 days;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(maliciousHook));
+        rulesetConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "doSProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // During the first ruleset, currentOf works fine (basedOnId == 0 -> Empty status, no hook call)
+        JBRuleset memory initialRuleset = jbRulesets().currentOf(projectId);
+        assertGt(initialRuleset.id, 0, "project should have active ruleset initially");
+
+        // Queue a second ruleset (which will need approval from the first ruleset's hook)
+        JBRulesetConfig[] memory queuedConfig = new JBRulesetConfig[](1);
+        queuedConfig[0].mustStartAtOrAfter = 0;
+        queuedConfig[0].duration = 30 days;
+        queuedConfig[0].weight = _weight / 2;
+        queuedConfig[0].weightCutPercent = 0;
+        queuedConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        queuedConfig[0].metadata = rulesetConfig[0].metadata;
+        queuedConfig[0].splitGroups = new JBSplitGroup[](0);
+        queuedConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: projectId, rulesetConfigurations: queuedConfig, memo: ""});
+
+        // Warp past the first ruleset's duration + approval hook's DURATION
+        vm.warp(block.timestamp + 31 days + 1 days + 1);
+
+        // After fix: the malicious hook's revert is caught by try/catch.
+        // currentOf no longer reverts — it treats the approval as Failed and falls back
+        // to the most recent approved ruleset. The project is NOT frozen.
+        JBRuleset memory currentRuleset = jbRulesets().currentOf(projectId);
+        assertGt(currentRuleset.id, 0, "H-3 FIX: project is not frozen, currentOf succeeds");
+    }
+
+    //*********************************************************************//
+    // --- [C-5] V5.1 Regression: Verify Fix Works ---------------------- //
+    //*********************************************************************//
+
+    /// @notice Verify that the C-5 zero-supply cash-out exploit is still present in V5.0
+    ///         but the V5.1 rulesets should handle rulesets correctly (C-5 is a different
+    ///         bug from the rulesets fix - C-5 is in JBCashOuts library).
+    /// @dev Confirms the C-5 fix: cashing out 0 tokens returns 0, not the full surplus.
+    function test_C5_v51_zeroSupplyCashOut_fixedInLibrary() public pure {
+        // C-5 was in JBCashOuts.cashOutFrom: when cashOutCount=0 and totalSupply=0,
+        // the function returned the full surplus instead of 0.
+        // The fix adds an early return of 0 when cashOutCount == 0.
+        uint256 reclaimFromLibrary =
+            JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
+
+        // Cashing out 0 tokens should return 0, not the full surplus.
+        assertEq(reclaimFromLibrary, 0, "C-5 FIX: cashOutFrom(surplus, 0, 0, rate) should return 0");
+    }
+
+    /// @notice Verify C-5 does not manifest when totalSupply > 0 (normal operation).
+    function test_C5_v51_normalOperation_cashOut_safe() public pure {
+        // With non-zero supply and non-zero cashOutCount, the bonding curve works correctly
+        uint256 reclaimable =
+            JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 500e18, totalSupply: 1000e18, cashOutTaxRate: 0});
+
+        // With 0% tax rate and 50% of supply, should get 50% of surplus
+        assertEq(reclaimable, 5 ether, "normal cash out should work correctly");
+    }
+
+    //*********************************************************************//
+    // --- [L-5] Held Fees Storage Cleanup ------------------------------ //
+    //*********************************************************************//
+
+    /// @notice Verifies that processHeldFeesOf deletes processed entries and resets array+index when done.
+    function test_L5_heldFeesStorageCleanup() public {
+        // Launch fee project.
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        JBRulesetConfig[] memory feeRulesetConfig = new JBRulesetConfig[](1);
+        feeRulesetConfig[0].mustStartAtOrAfter = 0;
+        feeRulesetConfig[0].duration = 0;
+        feeRulesetConfig[0].weight = _weight;
+        feeRulesetConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        feeRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        feeRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _controller.launchProjectFor({
+            owner: makeAddr("feeOwner"),
+            projectUri: "fee",
+            rulesetConfigurations: feeRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Launch project with holdFees.
+        JBRulesetMetadata memory testMetadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: true,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory surplusAllowances = new JBCurrencyAmount[](1);
+        surplusAllowances[0] = JBCurrencyAmount({amount: 10 ether, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimits = new JBFundAccessLimitGroup[](1);
+        fundAccessLimits[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: new JBCurrencyAmount[](0),
+            surplusAllowances: surplusAllowances
+        });
+
+        JBRulesetConfig[] memory testRulesetConfig = new JBRulesetConfig[](1);
+        testRulesetConfig[0].mustStartAtOrAfter = 0;
+        testRulesetConfig[0].duration = 0;
+        testRulesetConfig[0].weight = _weight;
+        testRulesetConfig[0].metadata = testMetadata;
+        testRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        testRulesetConfig[0].fundAccessLimitGroups = fundAccessLimits;
+
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: testRulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Fund and create 3 held fees.
+        vm.deal(address(this), 10 ether);
+        _terminal.pay{value: 10 ether}({
+            projectId: projectId,
+            amount: 10 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "fund",
+            metadata: new bytes(0)
+        });
+
+        vm.startPrank(_projectOwner);
+        for (uint256 i; i < 3; i++) {
+            _terminal.useAllowanceOf({
+                projectId: projectId,
+                amount: 1 ether,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+                token: JBConstants.NATIVE_TOKEN,
+                minTokensPaidOut: 0,
+                beneficiary: payable(_projectOwner),
+                feeBeneficiary: payable(_projectOwner),
+                memo: "allowance"
+            });
+        }
+        vm.stopPrank();
+
+        // Verify 3 held fees.
+        JBFee[] memory fees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(fees.length, 3, "should have 3 held fees");
+
+        // Warp past unlock.
+        vm.warp(block.timestamp + 2_419_200 + 1);
+
+        // Process all 3.
+        _terminal.processHeldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+
+        // After processing all, the array should be fully reset (not just emptied).
+        JBFee[] memory remaining = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(remaining.length, 0, "L-5: all fees processed and array cleaned");
+
+        // Creating new fees after cleanup should work from index 0 (array was reset).
+        vm.deal(address(this), 2 ether);
+        _terminal.pay{value: 2 ether}({
+            projectId: projectId,
+            amount: 2 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "fund2",
+            metadata: new bytes(0)
+        });
+        vm.prank(_projectOwner);
+        _terminal.useAllowanceOf({
+            projectId: projectId,
+            amount: 1 ether,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0,
+            beneficiary: payable(_projectOwner),
+            feeBeneficiary: payable(_projectOwner),
+            memo: "allowance-after-cleanup"
+        });
+
+        // Should have 1 new fee (not 4 = 3 deleted + 1 new).
+        JBFee[] memory newFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
+        assertEq(newFees.length, 1, "L-5: new fee after array reset works correctly");
+    }
+
+    //*********************************************************************//
+    // --- [L-8] Ruleset Start Time After Base Ruleset ------------------ //
+    //*********************************************************************//
+
+    /// @notice Verifies that a queued ruleset's start time is bumped to at least
+    ///         the base ruleset's start time (L-8 fix).
+    function test_L8_rulesetStartsAfterBaseRuleset() public {
+        // Launch fee project.
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 30 days;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _controller.launchProjectFor({
+            owner: makeAddr("feeOwner"),
+            projectUri: "fee",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Launch project with 30-day duration ruleset.
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Get the first ruleset's start time.
+        JBRuleset memory firstRuleset = jbRulesets().currentOf(projectId);
+        uint256 firstStart = firstRuleset.start;
+        assertGt(firstStart, 0, "first ruleset should have a start time");
+
+        // Queue a second ruleset with mustStartAtOrAfter=0 (meaning "as soon as possible").
+        // Without the L-8 fix, this could theoretically derive a start before the base ruleset.
+        JBRulesetConfig[] memory secondConfig = new JBRulesetConfig[](1);
+        secondConfig[0].mustStartAtOrAfter = 0; // Key: asking for earliest possible
+        secondConfig[0].duration = 30 days;
+        secondConfig[0].weight = _weight / 2;
+        secondConfig[0].metadata = rulesetConfig[0].metadata;
+        secondConfig[0].splitGroups = new JBSplitGroup[](0);
+        secondConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: projectId, rulesetConfigurations: secondConfig, memo: ""});
+
+        // Get the queued ruleset.
+        (JBRuleset memory queued,) = jbRulesets().latestQueuedOf(projectId);
+
+        // L-8 fix: the queued ruleset must start at or after the base ruleset's start.
+        assertGe(queued.start, firstStart, "L-8: queued ruleset must start at or after base ruleset");
+
+        // It should start at the next cycle boundary (firstStart + duration).
+        assertEq(queued.start, firstStart + 30 days, "queued ruleset starts at next cycle boundary");
+    }
+
+    //*********************************************************************//
+    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    //*********************************************************************//
+
+    //*********************************************************************//
+    // ====== CROSS-CHAIN COMPATIBILITY (Celo/Tempo) =================== //
+    //*********************************************************************//
+
+    /// @notice Helper: launches a project with only MockERC20 (6 decimals, simulating USDC on Tempo).
+    ///         No NATIVE_TOKEN accounting context is registered.
+    function _launchProjectERC20(uint16 cashOutTaxRate, uint16 reservedPercent) internal returns (uint256 projectId) {
+        MockERC20 token = usdcToken();
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: reservedPercent,
+            cashOutTaxRate: cashOutTaxRate,
+            baseCurrency: uint32(uint160(address(token))),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] =
+            JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        // Create project #1 to collect fees (if it does not exist yet).
+        // Fee project also uses ERC-20 only (but a different terminal config for simplicity).
+        JBTerminalConfig[] memory feeTermConfigs = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory feeTokens = new JBAccountingContext[](1);
+        feeTokens[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        feeTermConfigs[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: feeTokens});
+
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: feeTermConfigs,
+            memo: ""
+        });
+
+        // Create the actual test project with ERC-20 only.
+        projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "erc20OnlyProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+    }
+
+    /// @notice Helper: launches an ERC-20-only project with payout limits.
+    function _launchProjectERC20WithPayoutLimit(
+        uint16 cashOutTaxRate,
+        uint224 payoutLimit
+    )
+        internal
+        returns (uint256 projectId)
+    {
+        MockERC20 token = usdcToken();
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: cashOutTaxRate,
+            baseCurrency: uint32(uint160(address(token))),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory payoutLimits = new JBCurrencyAmount[](1);
+        payoutLimits[0] = JBCurrencyAmount({amount: payoutLimit, currency: uint32(uint160(address(token)))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimitGroup = new JBFundAccessLimitGroup[](1);
+        fundAccessLimitGroup[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: address(token),
+            payoutLimits: payoutLimits,
+            surplusAllowances: new JBCurrencyAmount[](0)
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = fundAccessLimitGroup;
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
+        tokensToAccept[0] =
+            JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+        terminalConfigurations[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: tokensToAccept});
+
+        // Fee project.
+        JBTerminalConfig[] memory feeTermConfigs = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory feeTokens = new JBAccountingContext[](1);
+        feeTokens[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        feeTermConfigs[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: feeTokens});
+
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: feeTermConfigs,
+            memo: ""
+        });
+
+        projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "erc20OnlyProject",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+    }
+
+    //*********************************************************************//
+    // --- [COMPAT] ERC-20-Only Project Tests (Tempo Compatibility) ----- //
+    //*********************************************************************//
+
+    /// @notice Full lifecycle: pay with ERC-20, verify token minting, cash out, verify ERC-20 returned.
+    ///         Simulates a project on Tempo where only stablecoins are used.
+    function test_erc20OnlyProject_payAndCashOut() public {
+        uint256 projectId = _launchProjectERC20({cashOutTaxRate: 0, reservedPercent: 0});
+        MockERC20 token = usdcToken();
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        // Mint USDC to beneficiary and approve terminal.
+        uint256 payAmount = 1000e6; // 1000 USDC (6 decimals)
+        token.mint(_beneficiary, payAmount);
+        vm.prank(_beneficiary);
+        token.approve(address(_terminal), payAmount);
+
+        // Pay the project with ERC-20 (msg.value = 0).
+        vm.prank(_beneficiary);
+        _terminal.pay{value: 0}({
+            projectId: projectId,
+            amount: payAmount,
+            token: address(token),
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "erc20 pay",
+            metadata: new bytes(0)
+        });
+
+        // Verify terminal balance.
+        uint256 terminalBalance = jbTerminalStore().balanceOf(address(_terminal), projectId, address(token));
+        assertEq(terminalBalance, payAmount, "terminal should hold the ERC-20 payment");
+
+        // Verify tokens were minted.
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        assertGt(tokenBalance, 0, "beneficiary should have project tokens after ERC-20 pay");
+
+        // Cash out all tokens — should receive ERC-20 back.
+        uint256 usdcBefore = token.balanceOf(_beneficiary);
+
+        vm.prank(_beneficiary);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _beneficiary,
+            projectId: projectId,
+            cashOutCount: tokenBalance,
+            tokenToReclaim: address(token),
+            minTokensReclaimed: 0,
+            beneficiary: payable(_beneficiary),
+            metadata: new bytes(0)
+        });
+
+        uint256 usdcReceived = token.balanceOf(_beneficiary) - usdcBefore;
+        assertEq(usdcReceived, reclaimAmount, "USDC received should match reclaim amount");
+
+        // With 0% tax and full supply cash out, should get full amount back.
+        assertEq(reclaimAmount, payAmount, "full cash out should return full ERC-20 amount");
+    }
+
+    /// @notice Confirm msg.value=0 with ERC-20 doesn't trigger the NoMsgValueAllowed revert.
+    function test_erc20Payment_zeroMsgValue_succeeds() public {
+        uint256 projectId = _launchProjectERC20({cashOutTaxRate: 0, reservedPercent: 0});
+        MockERC20 token = usdcToken();
+
+        uint256 payAmount = 500e6;
+        token.mint(_beneficiary, payAmount);
+        vm.prank(_beneficiary);
+        token.approve(address(_terminal), payAmount);
+
+        // Pay with msg.value = 0 — should succeed.
+        vm.prank(_beneficiary);
+        _terminal.pay{value: 0}({
+            projectId: projectId,
+            amount: payAmount,
+            token: address(token),
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "zero msg.value",
+            metadata: new bytes(0)
+        });
+
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        assertGt(tokenBalance, 0, "payment with 0 msg.value should succeed for ERC-20");
+    }
+
+    /// @notice Confirm msg.value > 0 with ERC-20 correctly reverts with NoMsgValueAllowed.
+    function test_erc20Payment_nonZeroMsgValue_reverts() public {
+        uint256 projectId = _launchProjectERC20({cashOutTaxRate: 0, reservedPercent: 0});
+        MockERC20 token = usdcToken();
+
+        uint256 payAmount = 500e6;
+        token.mint(_beneficiary, payAmount);
+        vm.prank(_beneficiary);
+        token.approve(address(_terminal), payAmount);
+
+        // Pay with msg.value > 0 for an ERC-20 token — should revert.
+        vm.deal(_beneficiary, 1 ether);
+        vm.prank(_beneficiary);
+        vm.expectRevert(abi.encodeWithSelector(JBMultiTerminal.JBMultiTerminal_NoMsgValueAllowed.selector, 1 ether));
+        _terminal.pay{value: 1 ether}({
+            projectId: projectId,
+            amount: payAmount,
+            token: address(token),
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "should revert",
+            metadata: new bytes(0)
+        });
+    }
+
+    /// @notice Payouts distributed in ERC-20 to split beneficiaries.
+    function test_erc20OnlyProject_sendPayouts() public {
+        uint224 payoutLimit = 300e6; // 300 USDC
+        uint256 projectId = _launchProjectERC20WithPayoutLimit({cashOutTaxRate: 0, payoutLimit: payoutLimit});
+        MockERC20 token = usdcToken();
+
+        // Fund the project.
+        uint256 payAmount = 1000e6;
+        token.mint(_beneficiary, payAmount);
+        vm.prank(_beneficiary);
+        token.approve(address(_terminal), payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: 0}({
+            projectId: projectId,
+            amount: payAmount,
+            token: address(token),
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "fund for payouts",
+            metadata: new bytes(0)
+        });
+
+        // Verify terminal balance.
+        uint256 balanceBefore = jbTerminalStore().balanceOf(address(_terminal), projectId, address(token));
+        assertEq(balanceBefore, payAmount, "terminal should hold full payment");
+
+        // Send payouts. Since no splits are configured, payouts go to the project owner.
+        // The fee terminal for project #1 does NOT accept this ERC-20, so the fee
+        // processing will fail in try/catch and the fee stays with the project.
+        vm.prank(_projectOwner);
+        uint256 amountPaidOut = _terminal.sendPayoutsOf({
+            projectId: projectId,
+            token: address(token),
+            amount: payoutLimit,
+            currency: uint32(uint160(address(token))),
+            minTokensPaidOut: 0
+        });
+
+        assertGt(amountPaidOut, 0, "should have paid out ERC-20 tokens");
+
+        // Terminal balance should have decreased.
+        uint256 balanceAfter = jbTerminalStore().balanceOf(address(_terminal), projectId, address(token));
+        assertLt(balanceAfter, balanceBefore, "balance should decrease after payout");
+    }
+
+    /// @notice Confirm NATIVE_TOKEN with decimals != 18 is rejected by addAccountingContextsFor.
+    function test_nativeToken_wrongDecimals_reverts() public {
+        // Launch a minimal project first.
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: true,
+            allowSetCustomToken: true,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = _weight;
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        // Launch with NO accounting contexts initially.
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        terminalConfigurations[0] =
+            JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: new JBAccountingContext[](0)});
+
+        // Fee project.
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "feeCollector",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        uint256 projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "testDecimals",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: terminalConfigurations,
+            memo: ""
+        });
+
+        // Try to add NATIVE_TOKEN with decimals = 6 (wrong — native is 18).
+        JBAccountingContext[] memory wrongContexts = new JBAccountingContext[](1);
+        wrongContexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 6, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        vm.prank(_projectOwner);
+        vm.expectRevert(JBMultiTerminal.JBMultiTerminal_AccountingContextDecimalsMismatch.selector);
+        _terminal.addAccountingContextsFor(projectId, wrongContexts);
+    }
+
+    /// @notice Surplus calculation and fee processing with ERC-20.
+    ///         Fee bounces back via try/catch since fee project has no ERC-20 terminal.
+    function test_erc20OnlyProject_surplusAndFees() public {
+        uint256 projectId = _launchProjectERC20({cashOutTaxRate: 5000, reservedPercent: 0});
+        MockERC20 token = usdcToken();
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        // Pay 1000 USDC.
+        uint256 payAmount = 1000e6;
+        token.mint(_beneficiary, payAmount);
+        vm.prank(_beneficiary);
+        token.approve(address(_terminal), payAmount);
+
+        vm.prank(_beneficiary);
+        _terminal.pay{value: 0}({
+            projectId: projectId,
+            amount: payAmount,
+            token: address(token),
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "surplus test",
+            metadata: new bytes(0)
+        });
+
+        // Check surplus — should equal the full balance since no payout limits.
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] =
+            JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+
+        uint256 surplus = jbTerminalStore()
+            .currentSurplusOf({
+                terminal: address(_terminal),
+                projectId: projectId,
+                accountingContexts: contexts,
+                decimals: 6,
+                currency: uint32(uint160(address(token)))
+            });
+
+        assertEq(surplus, payAmount, "surplus should equal full payment (no payout limits)");
+
+        // Cash out with 50% tax — fee processing will attempt to pay the fee project.
+        // Fee project (#1) does NOT accept this ERC-20, so the fee payment reverts in try/catch.
+        // The fee amount stays as a held fee on this project.
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        uint256 usdcBefore = token.balanceOf(_beneficiary);
+
+        vm.prank(_beneficiary);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _beneficiary,
+            projectId: projectId,
+            cashOutCount: tokenBalance,
+            tokenToReclaim: address(token),
+            minTokensReclaimed: 0,
+            beneficiary: payable(_beneficiary),
+            metadata: new bytes(0)
+        });
+
+        uint256 usdcReceived = token.balanceOf(_beneficiary) - usdcBefore;
+
+        // Cashing out 100% of supply → full surplus regardless of tax rate.
+        // But a fee is taken from the gross reclaim, so net < gross.
+        assertGt(reclaimAmount, 0, "should receive ERC-20 from cash out");
+        assertEq(usdcReceived, reclaimAmount, "USDC received should match reclaim");
+
+        // Verify terminal balance is reduced. The fee bounced back (fee project has no ERC-20
+        // terminal), so the project retains the fee amount as held fees returned to balance.
+        uint256 balanceAfter = jbTerminalStore().balanceOf(address(_terminal), projectId, address(token));
+        uint256 feeAmount = JBFees.feeAmountFrom({amountBeforeFee: payAmount, feePercent: _terminal.FEE()});
+        assertEq(balanceAfter, feeAmount, "project balance should equal bounced-back fee amount");
+    }
+
+    //*********************************************************************//
+    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    //*********************************************************************//
+
+    /// @notice Property: cashOut reclaim with pending reserves <= cashOut reclaim after reserves distributed.
+    /// @dev When there are pending reserved tokens that haven't been distributed, they should
+    ///      not inflate the denominator used for cash-out calculations.
+    function test_H4_pendingReserves_cashOutProperty() public {
+        // Launch project with 50% reserved rate
+        uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 5000});
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectId, "TestToken", "TT", bytes32(0));
+
+        // Pay the project - this triggers reserved token accumulation
+        vm.deal(_beneficiary, 10 ether);
+        vm.prank(_beneficiary);
+        _terminal.pay{value: 10 ether}({
+            projectId: projectId,
+            amount: 10 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "H-4 test",
+            metadata: new bytes(0)
+        });
+
+        uint256 tokenBalance = _tokens.totalBalanceOf(_beneficiary, projectId);
+        assertGt(tokenBalance, 0, "beneficiary should have tokens");
+
+        // Check pending reserved tokens
+        uint256 pendingReserved = _controller.pendingReservedTokenBalanceOf(projectId);
+
+        // Record surplus before distributing reserves
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        uint256 supplyBefore = _tokens.totalSupplyOf(projectId);
+        uint256 surplusBefore = jbTerminalStore()
+            .currentSurplusOf({
+                terminal: address(_terminal),
+                projectId: projectId,
+                accountingContexts: contexts,
+                decimals: 18,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+            });
+
+        // Calculate reclaimable BEFORE distributing reserves
+        uint256 reclaimBefore = jbTerminalStore()
+            .currentReclaimableSurplusOf({
+                projectId: projectId, cashOutCount: tokenBalance, totalSupply: supplyBefore, surplus: surplusBefore
+            });
+
+        // Now distribute reserved tokens
+        if (pendingReserved > 0) {
+            _controller.sendReservedTokensToSplitsOf(projectId);
+        }
+
+        uint256 supplyAfter = _tokens.totalSupplyOf(projectId);
+        uint256 surplusAfter = jbTerminalStore()
+            .currentSurplusOf({
+                terminal: address(_terminal),
+                projectId: projectId,
+                accountingContexts: contexts,
+                decimals: 18,
+                currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+            });
+
+        // Calculate reclaimable AFTER distributing reserves
+        uint256 reclaimAfter = jbTerminalStore()
+            .currentReclaimableSurplusOf({
+                projectId: projectId, cashOutCount: tokenBalance, totalSupply: supplyAfter, surplus: surplusAfter
+            });
+
+        // Property: The surplus should be the same (distributing reserves doesn't change ETH balance)
+        assertEq(surplusAfter, surplusBefore, "surplus should not change after distributing reserves");
+
+        // Property: After distributing reserves, totalSupply increases but the beneficiary's
+        // share decreases, so reclaimable should decrease or stay the same.
+        // With 0% cashOutTaxRate and linear redemption: reclaimable = surplus * tokens / totalSupply
+        // After reserves: totalSupply is larger, so reclaimable is smaller.
+        assertLe(reclaimAfter, reclaimBefore, "H-4 property: reclaim after reserves distributed <= reclaim before");
+    }
+}
+
+/// @notice Mock contract demonstrating the REVLoans reentrancy pattern.
+///         Mimics the CEI violation: sends ETH before updating state.
+contract ReentrancyVictim {
+    uint256 public totalBorrowed;
+    uint256 public maxBorrowable = 10 ether;
+
+    function borrow(address payable beneficiary, uint256 amount) external {
+        // Check (stale if reentered)
+        require(totalBorrowed + amount <= maxBorrowable, "exceeds limit");
+
+        // External call BEFORE state update (mirrors REVLoans._addTo → _transferFrom)
+        (bool sent,) = beneficiary.call{value: amount}("");
+        require(sent, "transfer failed");
+
+        // State update AFTER external call (mirrors REVLoans._adjust lines 921-923)
+        totalBorrowed += amount;
+    }
+
+    receive() external payable {}
+}
+
+/// @notice Attacker contract that re-enters the victim during ETH receive.
+contract ReentrancyAttacker {
+    ReentrancyVictim public victim;
+    uint256 public attackCount;
+    uint256 public constant BORROW_AMOUNT = 5 ether;
+
+    constructor(ReentrancyVictim _victim) {
+        victim = _victim;
+    }
+
+    function attack() external {
+        attackCount = 0;
+        victim.borrow(payable(address(this)), BORROW_AMOUNT);
+    }
+
+    receive() external payable {
+        attackCount++;
+        // Re-enter on first callback. The victim's totalBorrowed hasn't been updated yet.
+        if (attackCount < 3 && address(victim).balance >= BORROW_AMOUNT) {
+            victim.borrow(payable(address(this)), BORROW_AMOUNT);
+        }
+    }
+}
+
+/// @notice Malicious fee terminal that reenters processHeldFeesOf during pay(), demonstrating M-1.
+contract ReentrantFeeTerminal is ERC165 {
+    IJBMultiTerminal public immutable victim;
+    uint256 public immutable targetProjectId;
+    address public immutable targetToken;
+    uint256 public payCallCount;
+
+    constructor(IJBMultiTerminal _victim, uint256 _targetProjectId, address _targetToken) {
+        victim = _victim;
+        targetProjectId = _targetProjectId;
+        targetToken = _targetToken;
+    }
+
+    /// @notice Called by the victim terminal to process a fee. Reenters processHeldFeesOf.
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        returns (uint256)
+    {
+        payCallCount++;
+        // Reenter: try to process more held fees from the same project.
+        if (payCallCount == 1) {
+            victim.processHeldFeesOf(targetProjectId, targetToken, 100);
+        }
+        return 0;
+    }
+
+    function accountingContextForTokenOf(uint256, address) external pure returns (JBAccountingContext memory) {
+        return JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+    }
+
+    function accountingContextsOf(uint256) external pure returns (JBAccountingContext[] memory) {
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        return contexts;
+    }
+
+    function supportsInterface(bytes4 interfaceId) public view override returns (bool) {
+        return interfaceId == type(IJBTerminal).interfaceId || super.supportsInterface(interfaceId);
+    }
+
+    receive() external payable {}
+}
+
+/// @notice Malicious approval hook that always reverts, demonstrating H-3 DoS.
+contract MaliciousApprovalHook is ERC165, IJBRulesetApprovalHook {
+    function DURATION() external pure override returns (uint256) {
+        return 1 days;
+    }
+
+    function approvalStatusOf(uint256, JBRuleset memory) external pure override returns (JBApprovalStatus) {
+        revert("MALICIOUS_HOOK_REVERT");
+    }
+
+    function supportsInterface(bytes4 interfaceId) public view override(ERC165, IERC165) returns (bool) {
+        return interfaceId == type(IJBRulesetApprovalHook).interfaceId || super.supportsInterface(interfaceId);
+    }
+}