@bananapus/core-v6 0.0.30 → 0.0.32

package/src/JBMultiTerminal.sol

@@ -66,10 +66,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
     error JBMultiTerminal_RecipientProjectTerminalNotFound(uint256 projectId, address token);
     error JBMultiTerminal_SplitHookInvalid(IJBSplitHook hook);
     error JBMultiTerminal_TerminalTokensIncompatible(uint256 projectId, address token, IJBTerminal terminal);
+    error JBMultiTerminal_TemporaryAllowanceNotConsumed(address token, address spender, uint256 allowance);
     error JBMultiTerminal_TokenNotAccepted(address token);
-    error JBMultiTerminal_UnderMinReturnedTokens(uint256 count, uint256 min);
-    error JBMultiTerminal_UnderMinTokensPaidOut(uint256 amount, uint256 min);
-    error JBMultiTerminal_UnderMinTokensReclaimed(uint256 amount, uint256 min);
+    error JBMultiTerminal_UnderMin(uint256 value, uint256 min);
 
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
@@ -208,8 +207,12 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         STORE.recordAccountingContextOf({projectId: projectId, contexts: accountingContexts});
 
         // Emit an event for each accounting context.
-        for (uint256 i; i < accountingContexts.length; i++) {
+        for (uint256 i; i < accountingContexts.length;) {
+            // slither-disable-next-line reentrancy-events
             emit SetAccountingContext({projectId: projectId, context: accountingContexts[i], caller: _msgSender()});
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -251,7 +254,8 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
     /// those tokens.
     /// @param holder The account whose tokens are being cashed out.
     /// @param projectId The ID of the project the project tokens belong to.
-    /// @param cashOutCount The number of project tokens to cash out, as a fixed point number with 18 decimals.
+    /// @param cashOutCount The number of project tokens to cash out and burn, as a fixed point number with 18
+    /// decimals.
     /// @param tokenToReclaim The token being reclaimed.
     /// @param minTokensReclaimed The minimum number of terminal tokens expected in return, as a fixed point number with
     /// the same number of decimals as this terminal. If the amount of tokens minted for the beneficiary would be less
@@ -289,9 +293,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         });
 
         // The amount being reclaimed must be at least as much as was expected.
-        if (reclaimAmount < minTokensReclaimed) {
-            revert JBMultiTerminal_UnderMinTokensReclaimed(reclaimAmount, minTokensReclaimed);
-        }
+        _checkMin({value: reclaimAmount, min: minTokensReclaimed});
     }
 
     /// @notice Executes a payout to a split.
@@ -349,6 +351,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             // If this terminal's token is the native token, send it in `msg.value`.
             split.hook.processSplitWith{value: payValue}(context);
 
+            // Revoke the temporary pull allowance now that the hook call has finished.
+            _afterTransferTo({to: address(split.hook), token: token});
+
             // Otherwise, if a project is specified, make a payment to it.
         } else if (split.projectId != 0) {
             // Get a reference to the terminal being used.
@@ -542,20 +547,8 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             // Transfer the balance minus the fee to the new terminal.
             uint256 migrationAmount = balance - feeAmount;
 
-            // Trigger any inherited pre-transfer logic.
-            // If this terminal's token is the native token, send it in `msg.value`.
-            // slither-disable-next-line reentrancy-events
-            uint256 payValue = _beforeTransferTo({to: address(to), token: token, amount: migrationAmount});
-
-            // Withdraw the balance to transfer to the new terminal.
-            // slither-disable-next-line reentrancy-events
-            to.addToBalanceOf{value: payValue}({
-                projectId: projectId,
-                token: token,
-                amount: migrationAmount,
-                shouldReturnHeldFees: false,
-                memo: "",
-                metadata: bytes("")
+            _externalAddToBalance({
+                terminal: to, projectId: projectId, token: token, amount: migrationAmount, metadata: bytes("")
             });
         }
     }
@@ -592,11 +585,15 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         // Get a reference to the beneficiary's balance before the payment.
         uint256 beneficiaryBalanceBefore = TOKENS.totalBalanceOf({holder: beneficiary, projectId: projectId});
 
+        // Accept the funds.
+        uint256 acceptedAmount =
+            _acceptFundsFor({projectId: projectId, token: token, amount: amount, metadata: metadata});
+
         // Pay the project.
         _pay({
             projectId: projectId,
             token: token,
-            amount: _acceptFundsFor(projectId, token, amount, metadata),
+            amount: acceptedAmount,
             payer: _msgSender(),
             beneficiary: beneficiary,
             memo: memo,
@@ -612,9 +609,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         }
 
         // The token count for the beneficiary must be greater than or equal to the specified minimum.
-        if (beneficiaryTokenCount < minReturnedTokens) {
-            revert JBMultiTerminal_UnderMinReturnedTokens(beneficiaryTokenCount, minReturnedTokens);
-        }
+        _checkMin({value: beneficiaryTokenCount, min: minReturnedTokens});
     }
 
     /// @notice Process any fees that are being held for the project.
@@ -639,7 +634,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
 
         // Process each fee. Re-read the index and array length from storage each iteration to account for reentrant
         // calls that may have already advanced the index or cleaned up the array.
-        for (uint256 i; i < count; i++) {
+        for (uint256 i; i < count;) {
             // Read the current index from storage (not a cached value) to prevent reentrancy from
             // causing double-processing.
             uint256 currentIndex = _nextHeldFeeIndexOf[projectId][token];
@@ -654,10 +649,14 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             // if the current fee isn't yet unlocked.
             if (heldFee.unlockTimestamp > block.timestamp) break;
 
-            // Delete the entry to reclaim gas before the external call.
+            // Delete the entry and advance the index *before* the external call. This is intentional:
+            // 1. It prevents reentrancy from reprocessing the same fee.
+            // 2. If `_processFee` fails (try-catch), the fee amount is returned to the project's balance via
+            //    `_recordAddedBalanceFor` — the fee is forgiven rather than retried. This is a deliberate design
+            // choice: projects should not have funds permanently stuck because the fee route is misconfigured or
+            // reverting.
+            //    A `FeeReverted` event is emitted so the forgiveness is observable off-chain.
             delete _heldFeesOf[projectId][token][currentIndex];
-
-            // Update the index before the external call to prevent reentrancy from reprocessing the same fee.
             _nextHeldFeeIndexOf[projectId][token] = currentIndex + 1;
 
             // Process the fee.
@@ -670,6 +669,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                 feeTerminal: feeTerminal,
                 wasHeld: true
             });
+            unchecked {
+                ++i;
+            }
         }
 
         // If all held fees have been processed, reset the array and index entirely to bound storage growth.
@@ -715,9 +717,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         amountPaidOut = _sendPayoutsOf({projectId: projectId, token: token, amount: amount, currency: currency});
 
         // The amount being paid out must be at least as much as was expected.
-        if (amountPaidOut < minTokensPaidOut) {
-            revert JBMultiTerminal_UnderMinTokensPaidOut(amountPaidOut, minTokensPaidOut);
-        }
+        _checkMin({value: amountPaidOut, min: minTokensPaidOut});
     }
 
     /// @notice Allows a project to pay out funds from its surplus up to the current surplus allowance.
@@ -770,9 +770,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         });
 
         // The amount being withdrawn must be at least as much as was expected.
-        if (netAmountPaidOut < minTokensPaidOut) {
-            revert JBMultiTerminal_UnderMinTokensPaidOut(netAmountPaidOut, minTokensPaidOut);
-        }
+        _checkMin({value: netAmountPaidOut, min: minTokensPaidOut});
     }
 
     //*********************************************************************//
@@ -862,8 +860,11 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         heldFees = new JBFee[](count);
 
         // Copy the fees into the array.
-        for (uint256 i; i < count; i++) {
+        for (uint256 i; i < count;) {
             heldFees[i] = _heldFeesOf[projectId][token][startIndex + i];
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -1022,6 +1023,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             // Set the allowance to `spend` tokens for the user.
             try PERMIT2.permit({owner: _msgSender(), permitSingle: permitSingle, signature: allowance.signature}) {}
             catch (bytes memory reason) {
+                // slither-disable-next-line reentrancy-events
                 emit Permit2AllowanceFailed(token, _msgSender(), reason);
             }
         }
@@ -1087,6 +1089,29 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         return 0;
     }
 
+    /// @notice Cap fee-free surplus at the project's remaining balance after an outflow.
+    /// @dev Non-fee-free funds are considered to leave first. Fee-free surplus only decreases when the remaining
+    /// balance can no longer support it. This prevents attackers from using outflows to drain the fee-free counter
+    /// and then cashing out without incurring fees.
+    /// @param projectId The ID of the project.
+    /// @param token The token whose fee-free surplus to cap.
+    function _capFeeFreeSurplus(uint256 projectId, address token) internal {
+        // Get the current fee-free surplus for this project/token pair.
+        uint256 feeFreeSurplus = _feeFreeSurplusOf[projectId][token];
+
+        // Nothing to cap if there's no fee-free surplus tracked.
+        if (feeFreeSurplus == 0) return;
+
+        // Get the project's remaining balance (already decremented by the store's record call).
+        uint256 remainingBalance = STORE.balanceOf({terminal: address(this), projectId: projectId, token: token});
+
+        // Cap fee-free surplus at the remaining balance.
+        if (feeFreeSurplus > remainingBalance) {
+            // slither-disable-next-line reentrancy-no-eth,reentrancy-eth,reentrancy-benign
+            _feeFreeSurplusOf[projectId][token] = remainingBalance;
+        }
+    }
+
     /// @notice Holders can cash out their tokens to reclaim some of a project's surplus, or to trigger rules determined
     /// by
     /// the project's current ruleset's data hook.
@@ -1122,13 +1147,16 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         // Keep a reference to the cash out tax rate being used.
         uint256 cashOutTaxRate;
 
+        // Cache whether the beneficiary is feeless.
+        bool beneficiaryIsFeeless = _isFeeless(beneficiary);
+
         // Record the cash out.
         (ruleset, reclaimAmount, cashOutTaxRate, hookSpecifications) = STORE.recordCashOutFor({
             holder: holder,
             projectId: projectId,
             cashOutCount: cashOutCount,
             tokenToReclaim: tokenToReclaim,
-            beneficiaryIsFeeless: _isFeeless(beneficiary),
+            beneficiaryIsFeeless: beneficiaryIsFeeless,
             metadata: metadata
         });
 
@@ -1144,7 +1172,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         // Send the reclaimed funds to the beneficiary.
         if (reclaimAmount != 0) {
             // Determine if a fee should be taken. Fees are not taken if the beneficiary is feeless.
-            if (!_isFeeless(beneficiary)) {
+            if (!beneficiaryIsFeeless) {
                 if (cashOutTaxRate != 0) {
                     // Non-zero tax: fees apply to the full reclaim amount.
                     amountEligibleForFees += reclaimAmount;
@@ -1154,6 +1182,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                     uint256 feeFreeSurplus = _feeFreeSurplusOf[projectId][tokenToReclaim];
                     if (feeFreeSurplus != 0) {
                         uint256 feeableAmount = reclaimAmount < feeFreeSurplus ? reclaimAmount : feeFreeSurplus;
+                        // slither-disable-next-line reentrancy-no-eth,reentrancy-eth,reentrancy-benign
                         _feeFreeSurplusOf[projectId][tokenToReclaim] = feeFreeSurplus - feeableAmount;
                         amountEligibleForFees += feeableAmount;
                         reclaimAmount -= JBFees.feeAmountFrom({amountBeforeFee: feeableAmount, feePercent: FEE});
@@ -1220,6 +1249,13 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         });
     }
 
+    /// @notice Revert if a value is less than the specified minimum.
+    /// @param value The value to compare against the minimum.
+    /// @param min The minimum acceptable value.
+    function _checkMin(uint256 value, uint256 min) internal pure {
+        if (value < min) revert JBMultiTerminal_UnderMin(value, min);
+    }
+
     /// @notice Fund a project either by calling this terminal's internal `addToBalance` function or by calling the
     /// recipient terminal's `addToBalance` function.
     /// @param terminal The terminal on which the project is expecting to receive funds.
@@ -1237,7 +1273,8 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
     )
         internal
     {
-        // Call the internal method if this terminal is being used.
+        // Use the local internal path when staying on this terminal. Otherwise use the efficient external equivalent,
+        // which forwards value directly after granting a temporary pull allowance.
         if (terminal == IJBTerminal(address(this))) {
             _addToBalanceOf({
                 projectId: projectId,
@@ -1248,20 +1285,8 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                 metadata: metadata
             });
         } else {
-            // Trigger any inherited pre-transfer logic.
-            // Keep a reference to the amount that'll be paid as a `msg.value`.
-            // slither-disable-next-line reentrancy-events
-            uint256 payValue = _beforeTransferTo({to: address(terminal), token: token, amount: amount});
-
-            // Add to balance.
-            // If this terminal's token is the native token, send it in `msg.value`.
-            terminal.addToBalanceOf{value: payValue}({
-                projectId: projectId,
-                token: token,
-                amount: amount,
-                shouldReturnHeldFees: false,
-                memo: "",
-                metadata: metadata
+            _externalAddToBalance({
+                terminal: terminal, projectId: projectId, token: token, amount: amount, metadata: metadata
             });
         }
     }
@@ -1313,9 +1338,47 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                 memo: "",
                 metadata: metadata
             });
+
+            // Revoke the temporary pull allowance now that the recipient terminal call has finished.
+            _afterTransferTo({to: address(terminal), token: token});
         }
     }
 
+    /// @notice Fund a project on another terminal by granting a temporary pull allowance for this call only.
+    /// @param terminal The recipient terminal.
+    /// @param projectId The ID of the project being funded.
+    /// @param token The token being used.
+    /// @param amount The amount being funded.
+    /// @param metadata Additional metadata to include with the payment.
+    function _externalAddToBalance(
+        IJBTerminal terminal,
+        uint256 projectId,
+        address token,
+        uint256 amount,
+        bytes memory metadata
+    )
+        internal
+    {
+        // Trigger any inherited pre-transfer logic.
+        // Keep a reference to the amount that'll be paid as a `msg.value`.
+        // slither-disable-next-line reentrancy-events
+        uint256 payValue = _beforeTransferTo({to: address(terminal), token: token, amount: amount});
+
+        // Add to balance on the recipient terminal.
+        // If this terminal's token is the native token, send it in `msg.value`.
+        terminal.addToBalanceOf{value: payValue}({
+            projectId: projectId,
+            token: token,
+            amount: amount,
+            shouldReturnHeldFees: false,
+            memo: "",
+            metadata: metadata
+        });
+
+        // Revoke the temporary pull allowance now that the recipient terminal call has finished.
+        _afterTransferTo({to: address(terminal), token: token});
+    }
+
     /// @notice Fulfills a list of cash out hook specifications.
     /// @param projectId The ID of the project being cashed out from.
     /// @param beneficiaryReclaimAmount The number of tokens that are being cashed out from the project.
@@ -1356,12 +1419,18 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             cashOutMetadata: metadata
         });
 
-        for (uint256 i; i < specifications.length; i++) {
+        // slither-disable-next-line calls-loop
+        for (uint256 i; i < specifications.length;) {
             // Set the specification being iterated on.
             JBCashOutHookSpecification memory specification = specifications[i];
 
             // A noop specification is informational only and doesn't trigger the hook.
-            if (specification.noop) continue;
+            if (specification.noop) {
+                unchecked {
+                    ++i;
+                }
+                continue;
+            }
 
             // Get the fee for the specified amount.
             uint256 specificationAmountFee = _isFeeless(address(specification.hook))
@@ -1393,9 +1462,12 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             });
 
             // Fulfill the specification.
-            // slither-disable-next-line reentrancy-events
+            // slither-disable-next-line reentrancy-events,calls-loop
             specification.hook.afterCashOutRecordedWith{value: payValue}(context);
 
+            // Revoke the temporary pull allowance now that the hook call has finished.
+            _afterTransferTo({to: address(specification.hook), token: beneficiaryReclaimAmount.token});
+
             emit HookAfterRecordCashOut({
                 hook: specification.hook,
                 context: context,
@@ -1403,6 +1475,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                 fee: specificationAmountFee,
                 caller: _msgSender()
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -1442,12 +1517,18 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         });
 
         // Fulfill each specification through their pay hooks.
-        for (uint256 i; i < specifications.length; i++) {
+        // slither-disable-next-line calls-loop
+        for (uint256 i; i < specifications.length;) {
             // Set the specification being iterated on.
             JBPayHookSpecification memory specification = specifications[i];
 
             // A noop specification is informational only and doesn't trigger the hook.
-            if (specification.noop) continue;
+            if (specification.noop) {
+                unchecked {
+                    ++i;
+                }
+                continue;
+            }
 
             // Pass the correct token `forwardedAmount` to the hook.
             context.forwardedAmount = JBTokenAmount({
@@ -1468,15 +1549,21 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             });
 
             // Fulfill the specification.
-            // slither-disable-next-line reentrancy-events
+            // slither-disable-next-line reentrancy-events,calls-loop
             specification.hook.afterPayRecordedWith{value: payValue}(context);
 
+            // Revoke the temporary pull allowance now that the hook call has finished.
+            _afterTransferTo({to: address(specification.hook), token: tokenAmount.token});
+
             emit HookAfterRecordPay({
                 hook: specification.hook,
                 context: context,
                 specificationAmount: specification.amount,
                 caller: _msgSender()
             });
+            unchecked {
+                ++i;
+            }
         }
     }
 
@@ -1590,6 +1677,10 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                 caller: _msgSender()
             });
         } catch (bytes memory reason) {
+            // Fee processing failed — intentionally forgive the fee and return the amount to the project.
+            // The held-fee entry (if any) was already deleted by `processHeldFeesOf` before this call, so there is no
+            // retry path. This is by design: a broken or misconfigured fee route should not permanently lock project
+            // funds. The `FeeReverted` event makes this observable off-chain.
             emit FeeReverted({
                 projectId: projectId,
                 token: token,
@@ -1615,6 +1706,8 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
     }
 
     /// @notice Returns held fees to the project who paid them based on the specified amount.
+    /// @dev Fee rounding during partial replenishment can zero out dust-level fee entries (< 40 wei at 2.5% fee).
+    /// This is accepted behavior — dust fees are economically insignificant.
     /// @param projectId The project held fees are being returned to.
     /// @param token The token that the held fees are in.
     /// @param amount The amount to base the calculation on, as a fixed point number with the same number of decimals
@@ -1641,7 +1734,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         uint256 newStartIndex = startIndex;
 
         // Process each fee.
-        for (uint256 i; i < count; i++) {
+        for (uint256 i; i < count;) {
             // Save the fee being iterated on.
             JBFee memory heldFee = _heldFeesOf[projectId][token][startIndex + i];
 
@@ -1675,6 +1768,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                     leftoverAmount = 0;
                 }
             }
+            unchecked {
+                ++i;
+            }
         }
 
         // Update the next held fee index.
@@ -1707,6 +1803,9 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         internal
         returns (uint256 amountPaidOut)
     {
+        // Cache the message sender.
+        address sender = _msgSender();
+
         // Keep a reference to the ruleset.
         JBRuleset memory ruleset;
 
@@ -1715,6 +1814,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             STORE.recordPayoutFor({projectId: projectId, token: token, amount: amount, currency: currency});
 
         // Cap fee-free surplus at remaining balance. Non-fee-free funds leave first.
+        // slither-disable-next-line reentrancy-no-eth,reentrancy-eth,reentrancy-benign
         _capFeeFreeSurplus({projectId: projectId, token: token});
 
         // Get a reference to the project's owner.
@@ -1739,7 +1839,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             token: token,
             rulesetId: ruleset.id,
             amount: amountPaidOut,
-            caller: _msgSender()
+            caller: sender
         });
 
         // Send any leftover funds to the project owner and update the fee tracking accordingly.
@@ -1758,6 +1858,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                     leftoverPayoutAmount -= fee;
                 }
             } catch (bytes memory reason) {
+                // slither-disable-next-line reentrancy-events
                 emit PayoutTransferReverted({
                     projectId: projectId,
                     addr: projectOwner,
@@ -1765,7 +1866,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
                     amount: leftoverPayoutAmount - fee,
                     fee: fee,
                     reason: reason,
-                    caller: _msgSender()
+                    caller: sender
                 });
 
                 // Add balance back to the project.
@@ -1791,7 +1892,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             amountPaidOut: amountPaidOut,
             fee: feeTaken,
             netLeftoverPayoutAmount: leftoverPayoutAmount,
-            caller: _msgSender()
+            caller: sender
         });
     }
 
@@ -1916,6 +2017,7 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
             STORE.recordUsedAllowanceOf({projectId: projectId, token: token, amount: amount, currency: currency});
 
         // Cap fee-free surplus at remaining balance. Non-fee-free funds leave first.
+        // slither-disable-next-line reentrancy-no-eth,reentrancy-eth,reentrancy-benign
         _capFeeFreeSurplus({projectId: projectId, token: token});
 
         // Take a fee from the `amountPaidOut`, if needed.
@@ -1952,32 +2054,24 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         }
     }
 
-    /// @notice Cap fee-free surplus at the project's remaining balance after an outflow.
-    /// @dev Non-fee-free funds are considered to leave first. Fee-free surplus only decreases when the remaining
-    /// balance can no longer support it. This prevents attackers from using outflows to drain the fee-free counter
-    /// and then cashing out without incurring fees.
-    /// @param projectId The ID of the project.
-    /// @param token The token whose fee-free surplus to cap.
-    function _capFeeFreeSurplus(uint256 projectId, address token) internal {
-        // Get the current fee-free surplus for this project/token pair.
-        uint256 feeFreeSurplus = _feeFreeSurplusOf[projectId][token];
-
-        // Nothing to cap if there's no fee-free surplus tracked.
-        if (feeFreeSurplus == 0) return;
-
-        // Get the project's remaining balance (already decremented by the store's record call).
-        uint256 remainingBalance = STORE.balanceOf({terminal: address(this), projectId: projectId, token: token});
-
-        // Cap fee-free surplus at the remaining balance.
-        if (feeFreeSurplus > remainingBalance) {
-            _feeFreeSurplusOf[projectId][token] = remainingBalance;
-        }
-    }
-
     //*********************************************************************//
     // -------------------------- internal views ------------------------- //
     //*********************************************************************//
 
+    /// @notice Logic to be triggered after transferring tokens from this terminal.
+    /// @dev Clears any allowance granted by `_beforeTransferTo` so receivers cannot retain pull access after the call.
+    /// @param to The address whose temporary pull allowance should be cleared.
+    /// @param token The token whose temporary allowance should be cleared.
+    function _afterTransferTo(address to, address token) internal view {
+        // Native-token transfers use `msg.value`, so there is no ERC-20 approval to clear.
+        if (token == JBConstants.NATIVE_TOKEN) return;
+
+        // Revert if the callee returned without consuming the full forwarded ERC-20 amount.
+        // slither-disable-next-line calls-loop
+        uint256 allowance = IERC20(token).allowance({owner: address(this), spender: to});
+        if (allowance != 0) revert JBMultiTerminal_TemporaryAllowanceNotConsumed(token, to, allowance);
+    }
+
     /// @notice Returns a project's accounting context for a token, reverting if it is not accepted.
     /// @param projectId The ID of the project to get the accounting context for.
     /// @param token The token to get the accounting context for.

package/src/JBPermissions.sol

@@ -160,7 +160,7 @@ contract JBPermissions is ERC2771Context, IJBPermissions {
 
         // Returns true for empty permission arrays by design (vacuous truth). An empty set of
         // required permissions is trivially satisfied. Callers should validate non-empty permission arrays if needed.
-        for (uint256 i; i < permissionIds.length; i++) {
+        for (uint256 i; i < permissionIds.length;) {
             // Set the permission being iterated on.
             uint256 permissionId = permissionIds[i];
 
@@ -176,6 +176,9 @@ contract JBPermissions is ERC2771Context, IJBPermissions {
             ) {
                 return false;
             }
+            unchecked {
+                ++i;
+            }
         }
         return true;
     }
@@ -210,29 +213,23 @@ contract JBPermissions is ERC2771Context, IJBPermissions {
         // Indexes above 255 don't exist
         if (permissionId > 255) revert JBPermissions_PermissionIdOutOfBounds(permissionId);
 
+        // Cache both permission slots upfront to avoid redundant storage reads.
+        uint256 projectPermissions = permissionsOf[operator][account][projectId];
+        uint256 wildcardPermissions =
+            includeWildcardProjectId ? permissionsOf[operator][account][WILDCARD_PROJECT_ID] : 0;
+
         // If the ROOT permission is set and should be included, return true.
         if (
             includeRoot
-                && (_includesPermission({
-                        permissions: permissionsOf[operator][account][projectId], permissionId: JBPermissionIds.ROOT
-                    })
-                    || (includeWildcardProjectId
-                        && _includesPermission({
-                            permissions: permissionsOf[operator][account][WILDCARD_PROJECT_ID],
-                            permissionId: JBPermissionIds.ROOT
-                        })))
+                && (_includesPermission({permissions: projectPermissions, permissionId: JBPermissionIds.ROOT})
+                    || _includesPermission({permissions: wildcardPermissions, permissionId: JBPermissionIds.ROOT}))
         ) {
             return true;
         }
 
         // Otherwise return the t/f flag of the specified id.
-        return _includesPermission({
-                permissions: permissionsOf[operator][account][projectId], permissionId: permissionId
-            })
-            || (includeWildcardProjectId
-                && _includesPermission({
-                    permissions: permissionsOf[operator][account][WILDCARD_PROJECT_ID], permissionId: permissionId
-                }));
+        return _includesPermission({permissions: projectPermissions, permissionId: permissionId})
+            || _includesPermission({permissions: wildcardPermissions, permissionId: permissionId});
     }
 
     //*********************************************************************//
@@ -251,13 +248,16 @@ contract JBPermissions is ERC2771Context, IJBPermissions {
     /// @param permissionIds The IDs of the permissions to pack.
     /// @return packed The packed value.
     function _packedPermissions(uint8[] calldata permissionIds) internal pure returns (uint256 packed) {
-        for (uint256 i; i < permissionIds.length; i++) {
+        for (uint256 i; i < permissionIds.length;) {
             // Set the permission being iterated on.
             uint256 permissionId = permissionIds[i];
 
             // Turn on the bit at the ID.
             // forge-lint: disable-next-line(incorrect-shift)
             packed |= 1 << permissionId;
+            unchecked {
+                ++i;
+            }
         }
     }
 }