@bananapus/core-v6 0.0.30 → 0.0.32

package/src/JBTerminalStore.sol

@@ -110,6 +110,9 @@ contract JBTerminalStore is IJBTerminalStore {
     /// @dev Increases as projects use their allowance.
     /// @dev The used surplus allowance is represented as a fixed point number with the same amount of decimals as the
     /// terminal it applies to.
+    /// @dev Surplus allowance usage is keyed by `ruleset.id`, not cycle number. Implicit cycle progression
+    /// (duration-based auto-cycling) does not reset allowance — this is by design. Projects must queue a new ruleset
+    /// to get a fresh allowance.
     /// @custom:param terminal The terminal the surplus allowance applies to.
     /// @custom:param projectId The ID of the project to get the used surplus allowance of.
     /// @custom:param token The token the surplus allowance applies to in the terminal.
@@ -172,7 +175,7 @@ contract JBTerminalStore is IJBTerminalStore {
         }
 
         // Record each accounting context.
-        for (uint256 i; i < contexts.length; i++) {
+        for (uint256 i; i < contexts.length;) {
             JBAccountingContext calldata context = contexts[i];
 
             // Make sure the token accounting context isn't already set.
@@ -213,6 +216,9 @@ contract JBTerminalStore is IJBTerminalStore {
 
             // Add the context to the list.
             _accountingContextsOf[msg.sender][projectId].push(context);
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -228,12 +234,12 @@ contract JBTerminalStore is IJBTerminalStore {
 
     /// @notice Records a cash out from a project.
     /// @dev Cashs out the project's tokens according to values provided by the ruleset's data hook. If the ruleset has
-    /// no
-    /// data hook, cashs out tokens along a cash out bonding curve that is a function of the number of tokens being
+    /// no data hook, cashs out tokens along a cash out bonding curve that is a function of the number of tokens being
     /// burned.
     /// @param holder The account that is cashing out tokens.
     /// @param projectId The ID of the project being cashing out from.
-    /// @param cashOutCount The number of project tokens to cash out, as a fixed point number with 18 decimals.
+    /// @param cashOutCount The number of project tokens to cash out, as supplied by the caller and later burned by the
+    /// terminal, as a fixed point number with 18 decimals.
     /// @param tokenToReclaim The token being reclaimed by the cash out.
     /// @param beneficiaryIsFeeless Whether the cash out's beneficiary is a feeless address. Passed through to data
     /// hooks so they can skip their own fees when value stays in the protocol (e.g. project-to-project routing).
@@ -277,26 +283,29 @@ contract JBTerminalStore is IJBTerminalStore {
 
         if (hookSpecifications.length != 0) {
             uint256 numberOfSpecifications = hookSpecifications.length;
-            for (uint256 i; i < numberOfSpecifications; i++) {
+            for (uint256 i; i < numberOfSpecifications;) {
                 uint256 specificationAmount = hookSpecifications[i].amount;
                 if (specificationAmount != 0) {
                     balanceDiff += specificationAmount;
                 }
+                unchecked {
+                    ++i;
+                }
             }
         }
 
+        // Cache the balance slot to avoid redundant storage reads.
+        uint256 currentBalance = balanceOf[msg.sender][projectId][tokenToReclaim];
+
         // The amount being reclaimed must be within the project's balance.
-        if (balanceDiff > balanceOf[msg.sender][projectId][tokenToReclaim]) {
-            revert JBTerminalStore_InadequateTerminalStoreBalance(
-                balanceDiff, balanceOf[msg.sender][projectId][tokenToReclaim]
-            );
+        if (balanceDiff > currentBalance) {
+            revert JBTerminalStore_InadequateTerminalStoreBalance(balanceDiff, currentBalance);
         }
 
         // Remove the reclaimed funds from the project's balance.
         if (balanceDiff != 0) {
             unchecked {
-                balanceOf[msg.sender][projectId][tokenToReclaim] =
-                    balanceOf[msg.sender][projectId][tokenToReclaim] - balanceDiff;
+                balanceOf[msg.sender][projectId][tokenToReclaim] = currentBalance - balanceDiff;
             }
         }
     }
@@ -338,8 +347,9 @@ contract JBTerminalStore is IJBTerminalStore {
 
         // Add the correct balance difference to the token balance of the project.
         if (balanceDiff != 0) {
-            balanceOf[msg.sender][projectId][amount.token] =
-                balanceOf[msg.sender][projectId][amount.token] + balanceDiff;
+            // Cache the balance slot to avoid redundant storage reads.
+            uint256 currentBalance = balanceOf[msg.sender][projectId][amount.token];
+            balanceOf[msg.sender][projectId][amount.token] = currentBalance + balanceDiff;
         }
     }
 
@@ -385,26 +395,20 @@ contract JBTerminalStore is IJBTerminalStore {
                 })
             });
 
-        // The amount being paid out must be available.
-        if (amountPaidOut > balanceOf[msg.sender][projectId][token]) {
-            revert JBTerminalStore_InadequateTerminalStoreBalance(
-                amountPaidOut, balanceOf[msg.sender][projectId][token]
-            );
-        }
+        // Cache the balance slot to avoid redundant storage reads.
+        uint256 currentBalance = balanceOf[msg.sender][projectId][token];
 
-        // Removed the paid out funds from the project's token balance.
-        unchecked {
-            balanceOf[msg.sender][projectId][token] = balanceOf[msg.sender][projectId][token] - amountPaidOut;
+        // The amount being paid out must be available.
+        if (amountPaidOut > currentBalance) {
+            revert JBTerminalStore_InadequateTerminalStoreBalance(amountPaidOut, currentBalance);
         }
 
         // The new total amount which has been paid out during this ruleset.
         uint256 newUsedPayoutLimitOf =
             usedPayoutLimitOf[msg.sender][projectId][token][ruleset.cycleNumber][currency] + amount;
 
-        // Store the new amount.
-        usedPayoutLimitOf[msg.sender][projectId][token][ruleset.cycleNumber][currency] = newUsedPayoutLimitOf;
-
         // Amount must be within what is still available to pay out.
+        // Validate BEFORE writing to storage to avoid wasting gas on SSTORE when the tx will revert.
         uint256 payoutLimit = IJBController(address(DIRECTORY.controllerOf(projectId))).FUND_ACCESS_LIMITS()
             .payoutLimitOf({
                 projectId: projectId, rulesetId: ruleset.id, terminal: msg.sender, token: token, currency: currency
@@ -414,6 +418,14 @@ contract JBTerminalStore is IJBTerminalStore {
         if (newUsedPayoutLimitOf > payoutLimit || payoutLimit == 0) {
             revert JBTerminalStore_InadequateControllerPayoutLimit(newUsedPayoutLimitOf, payoutLimit);
         }
+
+        // Removed the paid out funds from the project's token balance.
+        unchecked {
+            balanceOf[msg.sender][projectId][token] = currentBalance - amountPaidOut;
+        }
+
+        // Store the new used payout limit.
+        usedPayoutLimitOf[msg.sender][projectId][token][ruleset.cycleNumber][currency] = newUsedPayoutLimitOf;
     }
 
     /// @notice Records the migration of funds from this store.
@@ -493,17 +505,12 @@ contract JBTerminalStore is IJBTerminalStore {
         // The amount being used must be available in the surplus.
         if (usedAmount > surplus) revert JBTerminalStore_InadequateTerminalStoreBalance(usedAmount, surplus);
 
-        // Update the project's balance.
-        balanceOf[msg.sender][projectId][token] = balanceOf[msg.sender][projectId][token] - usedAmount;
-
         // Get a reference to the new used surplus allowance for this ruleset ID.
         uint256 newUsedSurplusAllowanceOf =
             usedSurplusAllowanceOf[msg.sender][projectId][token][ruleset.id][currency] + amount;
 
-        // Store the incremented value.
-        usedSurplusAllowanceOf[msg.sender][projectId][token][ruleset.id][currency] = newUsedSurplusAllowanceOf;
-
         // There must be sufficient surplus allowance available.
+        // Validate BEFORE writing to storage to avoid wasting gas on SSTORE when the tx will revert.
         uint256 surplusAllowance = IJBController(address(DIRECTORY.controllerOf(projectId))).FUND_ACCESS_LIMITS()
             .surplusAllowanceOf({
                 projectId: projectId, rulesetId: ruleset.id, terminal: msg.sender, token: token, currency: currency
@@ -513,6 +520,15 @@ contract JBTerminalStore is IJBTerminalStore {
         if (newUsedSurplusAllowanceOf > surplusAllowance || surplusAllowance == 0) {
             revert JBTerminalStore_InadequateControllerAllowance(newUsedSurplusAllowanceOf, surplusAllowance);
         }
+
+        // Cache the balance slot to avoid redundant storage reads.
+        uint256 currentBalance = balanceOf[msg.sender][projectId][token];
+
+        // Update the project's balance.
+        balanceOf[msg.sender][projectId][token] = currentBalance - usedAmount;
+
+        // Store the incremented value.
+        usedSurplusAllowanceOf[msg.sender][projectId][token][ruleset.id][currency] = newUsedSurplusAllowanceOf;
     }
 
     //*********************************************************************//
@@ -774,9 +790,17 @@ contract JBTerminalStore is IJBTerminalStore {
         override
         returns (uint256)
     {
+        // Fetch the current ruleset once — used for both surplus calculation and cash out tax rate.
+        JBRuleset memory ruleset = RULESETS.currentOf(projectId);
+
         // Aggregate surplus across the terminals, optionally filtered by the specified tokens.
         uint256 currentSurplus = _currentSurplusOf({
-            projectId: projectId, terminals: terminals, tokens: tokens, decimals: decimals, currency: currency
+            projectId: projectId,
+            terminals: terminals,
+            tokens: tokens,
+            decimals: decimals,
+            currency: currency,
+            ruleset: ruleset
         });
 
         // If there's no surplus, nothing can be reclaimed.
@@ -789,15 +813,12 @@ contract JBTerminalStore is IJBTerminalStore {
         // Can't cash out more tokens than are in the total supply.
         if (cashOutCount > totalSupply) return 0;
 
-        // Get the cash out tax rate from the current ruleset.
-        uint256 cashOutTaxRate = RULESETS.currentOf(projectId).cashOutTaxRate();
-
         // Return the amount of surplus terminal tokens that would be reclaimed.
         return JBCashOuts.cashOutFrom({
             surplus: currentSurplus,
             cashOutCount: cashOutCount,
             totalSupply: totalSupply,
-            cashOutTaxRate: cashOutTaxRate
+            cashOutTaxRate: ruleset.cashOutTaxRate()
         });
     }
 
@@ -806,6 +827,9 @@ contract JBTerminalStore is IJBTerminalStore {
     //*********************************************************************//
 
     /// @notice Computes the surplus relevant for a cash out (total or local, depending on ruleset flag).
+    /// @dev When `useTotalSurplusForCashOuts` is enabled, surplus is aggregated from ALL registered terminals without
+    /// validation. Projects MUST only register trusted terminals — an untrusted terminal can over-report surplus and
+    /// cause the executing terminal to overpay cash-outs.
     /// @param terminal The terminal the cash out is being recorded from.
     /// @param projectId The ID of the project being cashed out from.
     /// @param tokenToReclaim The token being reclaimed.
@@ -895,18 +919,23 @@ contract JBTerminalStore is IJBTerminalStore {
         JBAccountingContext memory accountingContext = _accountingContextForTokenOf[terminal][projectId][tokenToReclaim];
 
         // Get the total number of outstanding project tokens.
-        uint256 totalSupply =
+        uint256 effectiveTotalSupply =
             IJBController(address(DIRECTORY.controllerOf(projectId))).totalTokenSupplyWithReservedTokensOf(projectId);
 
         // Can't cash out more tokens than are in the supply.
-        if (cashOutCount > totalSupply) revert JBTerminalStore_InsufficientTokens(cashOutCount, totalSupply);
+        if (cashOutCount > effectiveTotalSupply) {
+            revert JBTerminalStore_InsufficientTokens(cashOutCount, effectiveTotalSupply);
+        }
 
-        // SECURITY NOTE: The data hook has absolute control over cash-out economics.
-        // It can set totalSupply, cashOutCount, and cashOutTaxRate to arbitrary values,
+        // SECURITY NOTE: The data hook has absolute control over cash-out pricing.
+        // It can set effectiveTotalSupply, effectiveCashOutCount, and cashOutTaxRate to arbitrary values,
         // completely overriding the terminal's bonding curve math. For example, setting
-        // totalSupply = surplus makes reclaimAmount = cashOutCount, bypassing the curve.
+        // effectiveTotalSupply = surplus makes reclaimAmount = effectiveCashOutCount, bypassing the curve.
+        // The terminal still burns the caller-supplied cashOutCount after pricing completes.
         // Project owners MUST audit their data hooks with the same rigor as the terminal.
 
+        uint256 effectiveCashOutCount = cashOutCount;
+
         // If the ruleset has a data hook which is enabled for cash outs, use it to derive a claim amount and memo.
         if (ruleset.useDataHookForCashOut() && ruleset.dataHook() != address(0)) {
             // Build the cash out context field-by-field — the struct has 11 fields, too many for a literal.
@@ -916,7 +945,7 @@ contract JBTerminalStore is IJBTerminalStore {
             context.projectId = projectId;
             context.rulesetId = ruleset.id;
             context.cashOutCount = cashOutCount;
-            context.totalSupply = totalSupply;
+            context.totalSupply = effectiveTotalSupply;
             context.surplus = JBTokenAmount({
                 token: accountingContext.token,
                 value: surplus,
@@ -928,14 +957,17 @@ contract JBTerminalStore is IJBTerminalStore {
             context.beneficiaryIsFeeless = beneficiaryIsFeeless;
             context.metadata = metadata;
 
-            (cashOutTaxRate, cashOutCount, totalSupply, hookSpecifications) =
+            (cashOutTaxRate, effectiveCashOutCount, effectiveTotalSupply, hookSpecifications) =
                 IJBRulesetDataHook(ruleset.dataHook()).beforeCashOutRecordedWith(context);
 
             // Noop specifications are informational only, so they can't also request forwarded funds.
-            for (uint256 i; i < hookSpecifications.length; i++) {
+            for (uint256 i; i < hookSpecifications.length;) {
                 if (hookSpecifications[i].noop && hookSpecifications[i].amount != 0) {
                     revert JBTerminalStore_NoopHookSpecHasAmount(hookSpecifications[i].amount);
                 }
+                unchecked {
+                    ++i;
+                }
             }
         } else {
             cashOutTaxRate = ruleset.cashOutTaxRate();
@@ -944,7 +976,10 @@ contract JBTerminalStore is IJBTerminalStore {
         // Apply the bonding curve to calculate how much of the surplus is reclaimable.
         if (surplus != 0) {
             reclaimAmount = JBCashOuts.cashOutFrom({
-                surplus: surplus, cashOutCount: cashOutCount, totalSupply: totalSupply, cashOutTaxRate: cashOutTaxRate
+                surplus: surplus,
+                cashOutCount: effectiveCashOutCount,
+                totalSupply: effectiveTotalSupply,
+                cashOutTaxRate: cashOutTaxRate
             });
         }
     }
@@ -1020,7 +1055,7 @@ contract JBTerminalStore is IJBTerminalStore {
         balanceDiff = amount.value;
 
         // Ensure that the specifications have valid amounts.
-        for (uint256 i; i < hookSpecifications.length; i++) {
+        for (uint256 i; i < hookSpecifications.length;) {
             if (hookSpecifications[i].noop && hookSpecifications[i].amount != 0) {
                 revert JBTerminalStore_NoopHookSpecHasAmount(hookSpecifications[i].amount);
             }
@@ -1036,6 +1071,9 @@ contract JBTerminalStore is IJBTerminalStore {
                 // Decrement the total amount being added to the local balance.
                 balanceDiff -= specifiedAmount;
             }
+            unchecked {
+                ++i;
+            }
         }
 
         // If there's no amount being recorded, there's nothing left to do.
@@ -1078,15 +1116,46 @@ contract JBTerminalStore is IJBTerminalStore {
         internal
         view
         returns (uint256 surplus)
+    {
+        // Fetch the ruleset once and delegate to the overload that accepts it.
+        return _currentSurplusOf({
+            projectId: projectId,
+            terminals: terminals,
+            tokens: tokens,
+            decimals: decimals,
+            currency: currency,
+            ruleset: RULESETS.currentOf(projectId)
+        });
+    }
+
+    /// @notice Gets the current surplus amount for a project across specified terminals and tokens, using a
+    /// pre-fetched ruleset.
+    /// @dev Use this overload when the caller already has the current ruleset to avoid a redundant
+    /// `RULESETS.currentOf()` call.
+    /// @param projectId The ID of the project to get surplus for.
+    /// @param terminals The terminals to include. If empty, all project terminals are used.
+    /// @param tokens The tokens to include. If empty, all tokens per terminal are used.
+    /// @param decimals The number of decimals to expect in the resulting fixed point number.
+    /// @param currency The currency the resulting amount should be in terms of.
+    /// @param ruleset The project's current ruleset.
+    /// @return surplus The current surplus amount.
+    function _currentSurplusOf(
+        uint256 projectId,
+        IJBTerminal[] memory terminals,
+        address[] memory tokens,
+        uint256 decimals,
+        uint256 currency,
+        JBRuleset memory ruleset
+    )
+        internal
+        view
+        returns (uint256 surplus)
     {
         // If specific terminals were provided, use them. Otherwise, get all terminals from the directory.
         IJBTerminal[] memory resolvedTerminals = terminals.length != 0 ? terminals : DIRECTORY.terminalsOf(projectId);
 
-        // The ruleset determines payout limits, which affect surplus. Fetch it once for all terminals.
-        JBRuleset memory ruleset = RULESETS.currentOf(projectId);
-
         // Sum surplus across each terminal.
-        for (uint256 i; i < resolvedTerminals.length; i++) {
+        for (uint256 i; i < resolvedTerminals.length;) {
             address terminal = address(resolvedTerminals[i]);
 
             // Build the list of accounting contexts to include in this terminal's surplus calculation.
@@ -1094,8 +1163,11 @@ contract JBTerminalStore is IJBTerminalStore {
             if (tokens.length != 0) {
                 // Specific tokens requested: look up each token's accounting context at this terminal.
                 accountingContexts = new JBAccountingContext[](tokens.length);
-                for (uint256 j; j < tokens.length; j++) {
+                for (uint256 j; j < tokens.length;) {
                     accountingContexts[j] = _accountingContextForTokenOf[terminal][projectId][tokens[j]];
+                    unchecked {
+                        ++j;
+                    }
                 }
             } else {
                 // No token filter: use all accounting contexts registered at this terminal.
@@ -1111,6 +1183,9 @@ contract JBTerminalStore is IJBTerminalStore {
                 targetDecimals: decimals,
                 targetCurrency: currency
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -1143,7 +1218,7 @@ contract JBTerminalStore is IJBTerminalStore {
         uint256 numberOfTokenAccountingContexts = accountingContexts.length;
 
         // Add payout limits from each token.
-        for (uint256 i; i < numberOfTokenAccountingContexts; i++) {
+        for (uint256 i; i < numberOfTokenAccountingContexts;) {
             uint256 tokenSurplus = _tokenSurplusFrom({
                 terminal: terminal,
                 projectId: projectId,
@@ -1154,6 +1229,9 @@ contract JBTerminalStore is IJBTerminalStore {
             });
             // Increment the surplus with any remaining balance.
             if (tokenSurplus > 0) surplus += tokenSurplus;
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -1193,6 +1271,7 @@ contract JBTerminalStore is IJBTerminalStore {
             });
 
         // Add up all the balances.
+        // slither-disable-next-line calls-loop
         surplus = (surplus == 0 || accountingContext.currency == targetCurrency)
             ? surplus
             : mulDiv({
@@ -1208,6 +1287,7 @@ contract JBTerminalStore is IJBTerminalStore {
             });
 
         // Get a reference to the payout limit during the ruleset for the token.
+        // slither-disable-next-line calls-loop
         JBCurrencyAmount[] memory payoutLimits = IJBController(address(DIRECTORY.controllerOf(projectId)))
             .FUND_ACCESS_LIMITS()
             .payoutLimitsOf({
@@ -1218,7 +1298,7 @@ contract JBTerminalStore is IJBTerminalStore {
         uint256 numberOfPayoutLimits = payoutLimits.length;
 
         // Loop through each payout limit to determine the cumulative normalized payout limit remaining.
-        for (uint256 i; i < numberOfPayoutLimits; i++) {
+        for (uint256 i; i < numberOfPayoutLimits;) {
             JBCurrencyAmount memory payoutLimit = payoutLimits[i];
 
             // Set the payout limit value to the amount still available to pay out during the ruleset.
@@ -1247,6 +1327,7 @@ contract JBTerminalStore is IJBTerminalStore {
 
             // Convert the `payoutLimit`'s amount to be in terms of the provided currency.
             if (payoutLimit.amount != 0 && payoutLimit.currency != targetCurrency) {
+                // slither-disable-next-line calls-loop
                 uint256 converted = mulDiv({
                     x: payoutLimit.amount,
                     y: 10 ** _MAX_FIXED_POINT_FIDELITY, // Use `_MAX_FIXED_POINT_FIDELITY` to keep as much of the
@@ -1269,6 +1350,9 @@ contract JBTerminalStore is IJBTerminalStore {
             } else {
                 return 0;
             }
+            unchecked {
+                ++i;
+            }
         }
     }
 }

package/src/JBTokens.sol

@@ -253,9 +253,12 @@ contract JBTokens is JBControlled, IJBTokens {
         // Save a reference to whether there a token exists.
         bool tokensWereClaimed = token != IJBToken(address(0));
 
+        // Cache the total supply to avoid a redundant external call on revert.
+        uint256 supply = totalSupplyOf(projectId);
+
         // The total supply after minting can't exceed the maximum value storable in a uint208.
-        if (totalSupplyOf(projectId) + count > type(uint208).max) {
-            revert JBTokens_OverflowAlert(totalSupplyOf(projectId) + count, type(uint208).max);
+        if (supply + count > type(uint208).max) {
+            revert JBTokens_OverflowAlert(supply + count, type(uint208).max);
         }
 
         if (tokensWereClaimed) {

package/src/abstract/JBControlled.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.28;
 
 import {IJBControlled} from "./../interfaces/IJBControlled.sol";
 import {IJBDirectory} from "./../interfaces/IJBDirectory.sol";
@@ -39,10 +39,17 @@ abstract contract JBControlled is IJBControlled {
         DIRECTORY = directory;
     }
 
+    //*********************************************************************//
+    // -------------------------- internal views ------------------------- //
+    //*********************************************************************//
+
     /// @notice Only allows the controller of the specified project to proceed.
     function _onlyControllerOf(uint256 projectId) internal view {
-        if (address(DIRECTORY.controllerOf(projectId)) != msg.sender) {
-            revert JBControlled_ControllerUnauthorized(address(DIRECTORY.controllerOf(projectId)));
+        // Cache the controller address to avoid a redundant external call on revert.
+        // slither-disable-next-line calls-loop
+        address controller = address(DIRECTORY.controllerOf(projectId));
+        if (controller != msg.sender) {
+            revert JBControlled_ControllerUnauthorized(controller);
         }
     }
 }

package/src/abstract/JBPermissioned.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.28;
 
 import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 

package/src/interfaces/IJBRulesetDataHook.sol

@@ -17,8 +17,9 @@ interface IJBRulesetDataHook is IERC165 {
     /// @notice Calculates data before a cash out is recorded in the terminal store.
     /// @param context The context passed to this data hook by the `cashOutTokensOf(...)` function.
     /// @return cashOutTaxRate The rate determining the reclaimable amount for a given surplus and token supply.
-    /// @return cashOutCount The number of tokens to consider cashed out.
-    /// @return totalSupply The total number of tokens to consider existing.
+    /// @return effectiveCashOutCount The effective token count to use for pricing the cash out. The terminal still
+    /// burns the caller-supplied token count.
+    /// @return effectiveTotalSupply The effective total supply to use for pricing the cash out.
     /// @return hookSpecifications The amount and data to send to cash out hooks instead of returning to the
     /// beneficiary.
     function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
@@ -26,8 +27,8 @@ interface IJBRulesetDataHook is IERC165 {
         view
         returns (
             uint256 cashOutTaxRate,
-            uint256 cashOutCount,
-            uint256 totalSupply,
+            uint256 effectiveCashOutCount,
+            uint256 effectiveTotalSupply,
             JBCashOutHookSpecification[] memory hookSpecifications
         );
 

package/src/libraries/JBCashOuts.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.17;
+pragma solidity 0.8.28;
 
 import {mulDiv} from "@prb/math/src/Common.sol";
 

package/src/libraries/JBConstants.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.28;
 
 /// @notice Global constants used across Juicebox contracts.
 library JBConstants {

package/src/libraries/JBCurrencyIds.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.28;
 
 library JBCurrencyIds {
     uint32 public constant ETH = 1;

package/src/libraries/JBFees.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.17;
+pragma solidity 0.8.28;
 
 import {mulDiv} from "@prb/math/src/Common.sol";
 

package/src/libraries/JBFixedPointNumber.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.17;
+pragma solidity 0.8.28;
 
 library JBFixedPointNumber {
     function adjustDecimals(uint256 value, uint256 decimals, uint256 targetDecimals) internal pure returns (uint256) {

package/src/libraries/JBMetadataResolver.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.17;
+pragma solidity 0.8.28;
 
 /**
  * @notice Library to parse and create metadata to store {id: data} entries.
@@ -214,7 +214,7 @@ library JBMetadataResolver {
         uint256 numberOfDatas = datas.length;
 
         // Add each metadata to the array, each padded to 32 bytes
-        for (uint256 i; i < numberOfDatas; i++) {
+        for (uint256 i; i < numberOfDatas;) {
             metadata = abi.encodePacked(metadata, datas[i]);
             paddedLength = metadata.length % JBMetadataResolver.WORD_SIZE == 0
                 ? metadata.length
@@ -223,6 +223,9 @@ library JBMetadataResolver {
             assembly ("memory-safe") {
                 mstore(metadata, paddedLength)
             }
+            unchecked {
+                ++i;
+            }
         }
     }
 

package/src/libraries/JBPayoutSplitGroupLib.sol

@@ -69,7 +69,7 @@ library JBPayoutSplitGroupLib {
         leftoverAmount = amount;
 
         // Transfer between all splits.
-        for (uint256 i; i < payoutSplits.length; i++) {
+        for (uint256 i; i < payoutSplits.length;) {
             // Get a reference to the split being iterated on.
             JBSplit memory split = payoutSplits[i];
 
@@ -77,6 +77,7 @@ library JBPayoutSplitGroupLib {
             uint256 payoutAmount = mulDiv(leftoverAmount, split.percent, leftoverPercentage);
 
             // The final payout amount after taking out any fees.
+            // slither-disable-next-line calls-loop
             uint256 netPayoutAmount = _sendPayoutToSplit({
                 store: store, split: split, projectId: projectId, token: token, amount: payoutAmount, caller: caller
             });
@@ -107,6 +108,9 @@ library JBPayoutSplitGroupLib {
                 netAmount: netPayoutAmount,
                 caller: caller
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -133,7 +137,7 @@ library JBPayoutSplitGroupLib {
         // split from DoS-ing the entire payout. Failed splits' amounts are returned to the project balance via
         // `recordAddedBalanceFor`. Payout limit consumption is correct because the project authorized the
         // distribution.
-        // slither-disable-next-line reentrancy-events
+        // slither-disable-next-line reentrancy-events,calls-loop
         try IJBPayoutSplitGroupExecutor(address(this))
             .executePayout({
                 split: split, projectId: projectId, token: token, amount: amount, originalMessageSender: caller
@@ -147,6 +151,7 @@ library JBPayoutSplitGroupLib {
             });
 
             // Add balance back to the project.
+            // slither-disable-next-line calls-loop
             store.recordAddedBalanceFor({projectId: projectId, token: token, amount: amount});
 
             // Since the payout failed the netPayoutAmount is zero.

package/src/libraries/JBRulesetMetadataResolver.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.17;
+pragma solidity 0.8.28;
 
 import {JBRuleset} from "./../structs/JBRuleset.sol";
 import {JBRulesetMetadata} from "./../structs/JBRulesetMetadata.sol";

package/src/libraries/JBSplitGroupIds.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.0;
+pragma solidity 0.8.28;
 
 /// @notice Group IDs that categorize splits.
 library JBSplitGroupIds {