@bananapus/core-v6 0.0.15 → 0.0.17

package/test/TestFeeFreeCashOutBypass.sol

@@ -0,0 +1,617 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import {TestBaseWorkflow} from "./helpers/TestBaseWorkflow.sol";
+import {JBTokens} from "../src/JBTokens.sol";
+import {IJBController} from "../src/interfaces/IJBController.sol";
+import {IJBMultiTerminal} from "../src/interfaces/IJBMultiTerminal.sol";
+import {IJBSplitHook} from "../src/interfaces/IJBSplitHook.sol";
+import {JBConstants} from "../src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "../src/structs/JBAccountingContext.sol";
+import {JBCurrencyAmount} from "../src/structs/JBCurrencyAmount.sol";
+import {JBFundAccessLimitGroup} from "../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../src/structs/JBRulesetMetadata.sol";
+import {JBSplit} from "../src/structs/JBSplit.sol";
+import {JBSplitGroup} from "../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../src/structs/JBTerminalConfig.sol";
+import {mulDiv} from "@prb/math/src/Common.sol";
+
+/// @notice Tests that the fee-free cashout bypass via same-terminal round-trip is closed:
+/// fees apply on cashout up to the cumulative fee-free payout amount, then deplete.
+contract TestFeeFreeCashOutBypass is TestBaseWorkflow {
+    IJBController private _controller;
+    IJBMultiTerminal private _terminal;
+    JBTokens private _tokens;
+
+    address private _projectOwner;
+    address private _attacker;
+
+    // Project A: sends payouts to project B via same terminal.
+    uint256 private _projectIdA;
+    // Project B: pass-through project with cashOutTaxRate = 0.
+    uint256 private _projectIdB;
+
+    uint112 private _weight = 1000 * 10 ** 18;
+    uint224 private _payoutLimit = 10 ether;
+
+    function setUp() public override {
+        super.setUp();
+
+        _projectOwner = multisig();
+        _attacker = makeAddr("attacker");
+        _controller = jbController();
+        _terminal = jbMultiTerminal();
+        _tokens = jbTokens();
+
+        // Shared terminal config.
+        JBTerminalConfig[] memory _terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory _tokensToAccept = new JBAccountingContext[](1);
+        _tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        _terminalConfigurations[0] =
+            JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: _tokensToAccept});
+
+        // --- Fee-receiving project (project #1) ---
+        JBRulesetConfig[] memory _feeRulesetConfig = new JBRulesetConfig[](1);
+        _feeRulesetConfig[0].mustStartAtOrAfter = 0;
+        _feeRulesetConfig[0].duration = 0;
+        _feeRulesetConfig[0].weight = _weight;
+        _feeRulesetConfig[0].metadata = _zeroTaxMetadata();
+        _feeRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        _feeRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _controller.launchProjectFor({
+            owner: address(420),
+            projectUri: "fee-project",
+            rulesetConfigurations: _feeRulesetConfig,
+            terminalConfigurations: _terminalConfigurations,
+            memo: ""
+        });
+
+        // --- Project B: pass-through, cashOutTaxRate = 0 ---
+        JBRulesetConfig[] memory _bRulesetConfig = new JBRulesetConfig[](1);
+        _bRulesetConfig[0].mustStartAtOrAfter = 0;
+        _bRulesetConfig[0].duration = 0;
+        _bRulesetConfig[0].weight = _weight;
+        _bRulesetConfig[0].metadata = _zeroTaxMetadata();
+        _bRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        _bRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        _projectIdB = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "project-b",
+            rulesetConfigurations: _bRulesetConfig,
+            terminalConfigurations: _terminalConfigurations,
+            memo: ""
+        });
+
+        // --- Project A: routes 100% payouts to project B (same terminal) ---
+        JBSplit[] memory _splits = new JBSplit[](1);
+        _splits[0] = JBSplit({
+            preferAddToBalance: false,
+            percent: JBConstants.SPLITS_TOTAL_PERCENT,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            projectId: uint64(_projectIdB),
+            beneficiary: payable(_attacker),
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(0))
+        });
+
+        JBSplitGroup[] memory _splitGroups = new JBSplitGroup[](1);
+        _splitGroups[0] = JBSplitGroup({groupId: uint32(uint160(JBConstants.NATIVE_TOKEN)), splits: _splits});
+
+        JBFundAccessLimitGroup[] memory _fundAccessLimitGroup = new JBFundAccessLimitGroup[](1);
+        JBCurrencyAmount[] memory _payoutLimits = new JBCurrencyAmount[](1);
+        _payoutLimits[0] = JBCurrencyAmount({amount: _payoutLimit, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+        _fundAccessLimitGroup[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: _payoutLimits,
+            surplusAllowances: new JBCurrencyAmount[](0)
+        });
+
+        JBRulesetConfig[] memory _aRulesetConfig = new JBRulesetConfig[](1);
+        _aRulesetConfig[0].mustStartAtOrAfter = 0;
+        _aRulesetConfig[0].duration = 0;
+        _aRulesetConfig[0].weight = _weight;
+        _aRulesetConfig[0].metadata = _zeroTaxMetadata();
+        _aRulesetConfig[0].splitGroups = _splitGroups;
+        _aRulesetConfig[0].fundAccessLimitGroups = _fundAccessLimitGroup;
+
+        _projectIdA = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "project-a",
+            rulesetConfigurations: _aRulesetConfig,
+            terminalConfigurations: _terminalConfigurations,
+            memo: ""
+        });
+    }
+
+    /// @notice After an intra-terminal payout from A → B, cashing out from B charges a fee
+    /// even though B has cashOutTaxRate = 0.
+    function testCashOutChargesFeeAfterFeeFreePayout() external {
+        uint256 payAmount = 10 ether;
+        vm.deal(_attacker, payAmount);
+
+        // Deploy ERC-20 for project B so the attacker can cash out.
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // Step 1: Pay project A.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdA,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        // Step 2: Project A sends payouts → funds route to project B (same terminal, fee-free).
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: _payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // The attacker now has tokens in project B (from the pay-in routed by the split).
+        uint256 attackerTokenBalance = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        assertGt(attackerTokenBalance, 0, "attacker should have project B tokens");
+
+        // Step 3: Cash out from project B.
+        vm.prank(_attacker);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: attackerTokenBalance,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+
+        // With cashOutTaxRate = 0 the gross reclaim equals the full terminal balance (the payout amount).
+        // A 2.5% fee must have been charged, so net = gross * (1 - 2.5%).
+        uint256 expectedFee = mulDiv(_payoutLimit, 25, 1000); // 2.5% of 10 ETH
+        uint256 expectedNet = _payoutLimit - expectedFee;
+        assertApproxEqAbs(reclaimAmount, expectedNet, 2, "fee should be charged on cashout");
+        assertLt(reclaimAmount, _payoutLimit, "attacker should not get full amount (fee must apply)");
+    }
+
+    /// @notice Direct pay-in → cashout with cashOutTaxRate = 0 remains fee-free (no payout flag set).
+    function testCashOutRemainsFeeFreForDirectPayIn() external {
+        uint256 payAmount = 10 ether;
+        address user = makeAddr("user");
+        vm.deal(user, payAmount);
+
+        // Deploy ERC-20 for project B.
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // Pay directly into project B (no payout from another project).
+        vm.prank(user);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdB,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: user,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        uint256 userTokenBalance = _tokens.totalBalanceOf(user, _projectIdB);
+        assertGt(userTokenBalance, 0, "user should have project B tokens");
+
+        // Cash out — should be fee-free since no intra-terminal payout was received.
+        vm.prank(user);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: user,
+            projectId: _projectIdB,
+            cashOutCount: userTokenBalance,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(user),
+            metadata: new bytes(0)
+        });
+
+        // With cashOutTaxRate = 0, full cashout returns the entire surplus 1:1.
+        // No fee should be charged.
+        assertEq(reclaimAmount, payAmount, "direct pay-in cashout should be fee-free");
+    }
+
+    /// @notice After the fee-free surplus is fully consumed, subsequent direct pay-ins cash out fee-free.
+    function testSurplusDepletionRestoresFeeFreeCashOut() external {
+        uint256 payAmount = 10 ether;
+        vm.deal(_attacker, payAmount * 2);
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // Pay project A and trigger payout → accumulates fee-free surplus on project B.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdA,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: _payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // Cash out all tokens from project B — fee applied against fee-free surplus, which is now depleted.
+        uint256 tokensFromPayout = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        vm.prank(_attacker);
+        uint256 firstReclaim = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: tokensFromPayout,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+        // First cashout should have had a fee deducted.
+        assertLt(firstReclaim, _payoutLimit, "first cashout should have fee deducted");
+
+        // Now pay project B directly with fresh funds.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdB,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        uint256 newTokens = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        assertGt(newTokens, 0, "attacker should have new tokens");
+
+        // Cash out again — surplus is depleted, so this direct pay-in should be fee-free.
+        vm.prank(_attacker);
+        uint256 secondReclaim = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: newTokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+
+        // After surplus depletion, direct pay-in cashout should be fee-free.
+        assertEq(secondReclaim, payAmount, "direct pay-in cashout should be fee-free after surplus depleted");
+    }
+
+    /// @notice Fee-free surplus only covers the exact payout amount — partial cashout leaves remainder.
+    function testPartialCashOutConsumesPartialSurplus() external {
+        uint256 payAmount = 10 ether;
+        vm.deal(_attacker, payAmount);
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // Pay project A and trigger payout → 10 ETH fee-free surplus on project B.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdA,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: _payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // Cash out half the tokens — should consume roughly half the fee-free surplus.
+        uint256 totalTokens = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        uint256 halfTokens = totalTokens / 2;
+
+        vm.prank(_attacker);
+        uint256 firstReclaim = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: halfTokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+        // First half-cashout should have fee deducted (fee-free surplus partially consumed).
+        assertLt(firstReclaim, _payoutLimit / 2, "partial cashout should have fee deducted");
+
+        // Cash out the remaining tokens — should also have fee (remaining surplus covers it).
+        uint256 remainingTokens = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        vm.prank(_attacker);
+        uint256 secondReclaim = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: remainingTokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+        // Second cashout also has fee deducted from remaining surplus.
+        assertLt(secondReclaim, firstReclaim + 1 ether, "second partial cashout should also have fee");
+    }
+
+    /// @notice Griefing with a tiny payout only costs the victim fees on that tiny amount.
+    function testGriefingWithTinyPayoutIsScoped() external {
+        address victim = makeAddr("victim");
+        vm.deal(victim, 10 ether);
+        vm.deal(_attacker, 1); // 1 wei for the griefing payout
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // Victim pays directly into project B.
+        vm.prank(victim);
+        _terminal.pay{value: 10 ether}({
+            projectId: _projectIdB,
+            amount: 10 ether,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: victim,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        // Attacker triggers a 1 wei payout to project B via project A to set fee-free surplus.
+        // First fund project A with 1 wei.
+        vm.prank(_attacker);
+        _terminal.pay{value: 1}({
+            projectId: _projectIdA,
+            amount: 1,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: 1,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // Victim cashes out — fee should only apply to 1 wei of surplus, not their full 10 ETH.
+        uint256 victimTokens = _tokens.totalBalanceOf(victim, _projectIdB);
+        vm.prank(victim);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: victim,
+            projectId: _projectIdB,
+            cashOutCount: victimTokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(victim),
+            metadata: new bytes(0)
+        });
+
+        // Fee on 1 wei is 0 (rounds down). Victim should get essentially their full amount back.
+        // The key assertion: victim is NOT penalized with a fee on their full 10 ETH.
+        uint256 feeOn1Wei = mulDiv(1, 25, 1000); // 0 (rounds down)
+        assertGe(reclaimAmount, 10 ether - feeOn1Wei - 1, "griefing should cost at most fee on 1 wei");
+    }
+
+    /// @notice Non-zero cashOutTaxRate applies fees to the full reclaim, ignoring surplus.
+    function testNonZeroTaxRateIgnoresSurplus() external {
+        uint256 payAmount = 10 ether;
+        vm.deal(_attacker, payAmount);
+
+        // Launch project C with cashOutTaxRate = 5000 (50%).
+        JBTerminalConfig[] memory _terminalConfigurations = new JBTerminalConfig[](1);
+        JBAccountingContext[] memory _tokensToAccept = new JBAccountingContext[](1);
+        _tokensToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        _terminalConfigurations[0] =
+            JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: _tokensToAccept});
+
+        JBRulesetMetadata memory taxMeta = _zeroTaxMetadata();
+        taxMeta.cashOutTaxRate = 5000; // 50%
+
+        JBRulesetConfig[] memory _cRulesetConfig = new JBRulesetConfig[](1);
+        _cRulesetConfig[0].mustStartAtOrAfter = 0;
+        _cRulesetConfig[0].duration = 0;
+        _cRulesetConfig[0].weight = _weight;
+        _cRulesetConfig[0].metadata = taxMeta;
+        _cRulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        _cRulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        uint256 projectIdC = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "project-c",
+            rulesetConfigurations: _cRulesetConfig,
+            terminalConfigurations: _terminalConfigurations,
+            memo: ""
+        });
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(projectIdC, "ProjectC", "PC", bytes32(0));
+
+        // Pay and cash out — non-zero tax rate means full fee applies (surplus irrelevant).
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: projectIdC,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        uint256 tokens = _tokens.totalBalanceOf(_attacker, projectIdC);
+        vm.prank(_attacker);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: projectIdC,
+            cashOutCount: tokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+
+        // With non-zero tax, the 2.5% fee applies to the full bonding curve output.
+        // Full cashout (count == supply) returns the entire surplus regardless of tax rate,
+        // so gross = 10 ETH, fee = 2.5%, net = 9.75 ETH.
+        assertLt(reclaimAmount, payAmount, "non-zero tax should charge fee on full amount");
+        uint256 expectedFee = mulDiv(payAmount, 25, 1000);
+        uint256 expectedNet = payAmount - expectedFee;
+        assertApproxEqAbs(reclaimAmount, expectedNet, 2, "fee should apply to full bonding curve output");
+    }
+
+    /// @notice Multiple payouts accumulate fee-free surplus correctly.
+    function testMultiplePayoutsAccumulateSurplus() external {
+        uint256 payAmount = 10 ether;
+        // Need to fund project A twice, so give attacker enough.
+        vm.deal(_attacker, payAmount * 2);
+
+        vm.prank(_projectOwner);
+        _controller.deployERC20For(_projectIdB, "ProjectB", "PB", bytes32(0));
+
+        // First payout cycle: pay A, send payouts → 10 ETH fee-free surplus on B.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdA,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: _payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // Queue a new ruleset so the payout limit resets for the next cycle.
+        JBSplit[] memory _splits = new JBSplit[](1);
+        _splits[0] = JBSplit({
+            preferAddToBalance: false,
+            percent: JBConstants.SPLITS_TOTAL_PERCENT,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            projectId: uint64(_projectIdB),
+            beneficiary: payable(_attacker),
+            lockedUntil: 0,
+            hook: IJBSplitHook(address(0))
+        });
+        JBSplitGroup[] memory _splitGroups = new JBSplitGroup[](1);
+        _splitGroups[0] = JBSplitGroup({groupId: uint32(uint160(JBConstants.NATIVE_TOKEN)), splits: _splits});
+
+        JBCurrencyAmount[] memory _payoutLimits = new JBCurrencyAmount[](1);
+        _payoutLimits[0] = JBCurrencyAmount({amount: _payoutLimit, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+        JBFundAccessLimitGroup[] memory _fundAccessLimitGroup = new JBFundAccessLimitGroup[](1);
+        _fundAccessLimitGroup[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: _payoutLimits,
+            surplusAllowances: new JBCurrencyAmount[](0)
+        });
+
+        JBRulesetConfig[] memory _newRuleset = new JBRulesetConfig[](1);
+        _newRuleset[0].mustStartAtOrAfter = 0;
+        _newRuleset[0].duration = 0;
+        _newRuleset[0].weight = _weight;
+        _newRuleset[0].metadata = _zeroTaxMetadata();
+        _newRuleset[0].splitGroups = _splitGroups;
+        _newRuleset[0].fundAccessLimitGroups = _fundAccessLimitGroup;
+
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: _projectIdA, rulesetConfigurations: _newRuleset, memo: ""});
+
+        // Second payout cycle: pay A again, send payouts → another 10 ETH, total 20 ETH surplus.
+        vm.prank(_attacker);
+        _terminal.pay{value: payAmount}({
+            projectId: _projectIdA,
+            amount: payAmount,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _attacker,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+        _terminal.sendPayoutsOf({
+            projectId: _projectIdA,
+            amount: _payoutLimit,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            token: JBConstants.NATIVE_TOKEN,
+            minTokensPaidOut: 0
+        });
+
+        // Cash out all tokens from B — fee should apply to the full 20 ETH surplus.
+        uint256 allTokens = _tokens.totalBalanceOf(_attacker, _projectIdB);
+        vm.prank(_attacker);
+        uint256 reclaimAmount = _terminal.cashOutTokensOf({
+            holder: _attacker,
+            projectId: _projectIdB,
+            cashOutCount: allTokens,
+            tokenToReclaim: JBConstants.NATIVE_TOKEN,
+            minTokensReclaimed: 0,
+            beneficiary: payable(_attacker),
+            metadata: new bytes(0)
+        });
+
+        // The 2.5% fee should apply to the entire reclaim (covered by 20 ETH surplus).
+        // Gross reclaim ≈ 20 ETH (full balance of B), fee = 2.5% of that.
+        assertLt(reclaimAmount, 20 ether, "fee should be charged on accumulated surplus");
+        uint256 expectedFee = mulDiv(20 ether, 25, 1000);
+        uint256 expectedNet = 20 ether - expectedFee;
+        assertApproxEqAbs(reclaimAmount, expectedNet, 2, "fee should apply to full 20 ETH surplus");
+    }
+
+    function _zeroTaxMetadata() internal pure returns (JBRulesetMetadata memory) {
+        return JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+    }
+}

package/test/TestFeeProcessingFailure.sol

@@ -1,7 +1,22 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.6;
 
-import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
+import {TestBaseWorkflow} from "./helpers/TestBaseWorkflow.sol";
+import {JBMultiTerminal} from "../src/JBMultiTerminal.sol";
+import {JBTerminalStore} from "../src/JBTerminalStore.sol";
+import {JBTokens} from "../src/JBTokens.sol";
+import {IJBController} from "../src/interfaces/IJBController.sol";
+import {IJBRulesetApprovalHook} from "../src/interfaces/IJBRulesetApprovalHook.sol";
+import {IJBTerminal} from "../src/interfaces/IJBTerminal.sol";
+import {JBConstants} from "../src/libraries/JBConstants.sol";
+import {JBFees} from "../src/libraries/JBFees.sol";
+import {JBAccountingContext} from "../src/structs/JBAccountingContext.sol";
+import {JBCurrencyAmount} from "../src/structs/JBCurrencyAmount.sol";
+import {JBFundAccessLimitGroup} from "../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../src/structs/JBTerminalConfig.sol";
 
 /// @notice Tests for the fee processing try-catch path in JBMultiTerminal.
 /// Proves that when fee payment reverts, the fee amount is credited back to

package/test/TestFees.sol

@@ -1,7 +1,20 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.6;
 
-import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
+import {TestBaseWorkflow} from "./helpers/TestBaseWorkflow.sol";
+import {IJBController} from "../src/interfaces/IJBController.sol";
+import {IJBMultiTerminal} from "../src/interfaces/IJBMultiTerminal.sol";
+import {IJBRulesetApprovalHook} from "../src/interfaces/IJBRulesetApprovalHook.sol";
+import {IJBRulesets} from "../src/interfaces/IJBRulesets.sol";
+import {JBConstants} from "../src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "../src/structs/JBAccountingContext.sol";
+import {JBCurrencyAmount} from "../src/structs/JBCurrencyAmount.sol";
+import {JBFee} from "../src/structs/JBFee.sol";
+import {JBFundAccessLimitGroup} from "../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../src/structs/JBTerminalConfig.sol";
 
 // Projects can be launched.
 contract TestFees_Local is TestBaseWorkflow {