@bananapus/core-v6 0.0.33 → 0.0.34

package/ADMINISTRATION.md

@@ -78,10 +78,10 @@ Admin privileges and their scope in nana-core-v6.
 - **How assigned:** Set at JBFeelessAddresses deployment via the Ownable constructor. Transferable via `Ownable.transferOwnership()`.
 - **Scope:** Protocol-wide. Controls which addresses are exempt from protocol fees.
 
-### JBERC20 Owner
+### JBERC20 Access Control
 
-- **How assigned:** Set to the `JBTokens` contract address when a project's ERC-20 is deployed or initialized.
-- **Scope:** Single token contract. Only the owner (JBTokens) can mint and burn tokens.
+- **How assigned:** The `TOKENS` reference is set to the `JBTokens` contract address during `initialize()`. `PERMISSIONS` and `PROJECTS` are constructor immutables inherited from `JBPermissioned` and the implementation contract respectively.
+- **Scope:** Single token contract. Only the `JBTokens` contract (via the `onlyTokens` modifier) can mint, burn, and update token metadata. Project owners or operators with the `SIGN_FOR_ERC20` permission can authorize ERC-1271 signatures.
 
 ### Omnichain Ruleset Operator
 
@@ -211,10 +211,11 @@ Admin privileges and their scope in nana-core-v6.
 
 | Function | Required Role | Permission ID | Scope | What It Does |
 |----------|--------------|---------------|-------|-------------|
-| `mint` | Contract owner (JBTokens) | N/A (onlyOwner) | Per token | Mints new tokens to an address. |
-| `burn` | Contract owner (JBTokens) | N/A (onlyOwner) | Per token | Burns tokens from an address. |
-| `initialize` | Anyone (once) | N/A | Per token | Initializes the token name, symbol, and owner. Can only be called once. |
-| `setMetadata` | Contract owner (JBTokens) | N/A (onlyOwner) | Per token | Updates the token's name and symbol. |
+| `mint` | JBTokens contract | N/A (onlyTokens) | Per token | Mints new tokens to an address. |
+| `burn` | JBTokens contract | N/A (onlyTokens) | Per token | Burns tokens from an address. |
+| `initialize` | Anyone (once) | N/A | Per token | Initializes the token name, symbol, and JBTokens contract reference. Can only be called once. |
+| `setMetadata` | JBTokens contract | N/A (onlyTokens) | Per token | Updates the token's name and symbol. |
+| `isValidSignature` | Anyone (view) | `SIGN_FOR_ERC20` | Per token | Validates ERC-1271 signatures for project owner or permitted operators. |
 
 ### JBTerminalStore
 

package/RISKS.md

@@ -174,7 +174,44 @@ No `ReentrancyGuard` is used. The system relies on state ordering and the `Inade
 
 - `JBTerminalStore.recordAddedBalanceFor` has **no access control**. Any address can call it. The balance is keyed by `msg.sender` (the terminal address), so only a terminal can inflate its own recorded balance. This is safe as long as all terminals correctly track their actual holdings. A buggy or malicious terminal implementation could call `recordAddedBalanceFor` without actually receiving tokens, inflating the recorded balance above actual holdings.
 
-## 8. Invariants to Verify
+## 8. Accepted Behaviors
+
+### 8.1 Cross-terminal surplus is an explicit trust boundary
+
+When a project enables `useTotalSurplusForCashOuts`, core intentionally stops treating a single terminal's local
+balance as the full economic truth and instead trusts every registered terminal's reported surplus. This means a
+project can get richer cash-out pricing from value held elsewhere, but it also means a bad or economically
+incompatible terminal can distort the aggregate. This is accepted because cross-terminal projects explicitly opt into
+shared treasury semantics; the alternative is forcing every terminal to behave as an isolated silo. Projects should
+only enable this mode when all participating terminals are mutually trusted and economically compatible.
+
+### 8.2 Held-fee forgiveness on failed fee routing is fail-open by design
+
+Core intentionally prefers liveness over strict protocol fee collection. If project `#1` cannot accept a fee payment,
+`_processFee` returns the fee amount to the originating project's balance instead of locking funds. For held fees,
+`processHeldFeesOf` advances the queue before retrying the payment, so a failed held-fee processing attempt
+permanently forgives that fee. This is accepted because a broken fee route should not brick project treasury flows.
+The tradeoff is explicit revenue leakage for the fee beneficiary when the fee route is unavailable or incompletely
+wired.
+
+### 8.3 Surplus allowance is ruleset-scoped, not implicit-cycle-scoped
+
+`usedSurplusAllowanceOf` is keyed by terminal, project, token, ruleset, and currency rather than by an independently
+incrementing "cycle" counter. For projects whose rulesets roll forward implicitly without a new ruleset ID, allowance
+usage carries forward until a new ruleset actually takes effect. This is accepted because surplus allowance is meant
+to be tied to the active ruleset's economics, not to a synthetic cycle abstraction layered on top of an unchanged
+ruleset. Integrators that expect per-cycle resets should queue distinct rulesets instead of relying on implicit
+rollover.
+
+### 8.4 Core deployment alone leaves fee routing fail-open until periphery wiring completes
+
+Core contracts are intentionally deployable before project `#1` is fully operational. Until the fee project's
+controller, terminals, and accounting contexts are wired, fee-bearing flows remain fail-open: fees are forgiven back
+to the originating project rather than trapped. This is accepted because deployment sequencing across repos is staged,
+and the protocol prioritizes keeping project flows live during rollout over enforcing fee collection before the fee
+beneficiary is ready.
+
+## 9. Invariants to Verify
 
 These should hold at all times and are the most productive targets for formal verification or invariant testing:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.33",
+  "version": "0.0.34",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -26,7 +26,7 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-core-v6'"
   },
   "dependencies": {
-    "@bananapus/permission-ids-v6": "^0.0.15",
+    "@bananapus/permission-ids-v6": "^0.0.17",
     "@chainlink/contracts": "^1.5.0",
     "@openzeppelin/contracts": "^5.6.1",
     "@prb/math": "^4.1.1",

package/references/entrypoints.md

@@ -21,7 +21,7 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 | `JBSplits` | Split configurations per project/ruleset/group. Packed storage for gas efficiency. |
 | `JBFundAccessLimits` | Payout limits and surplus allowances per project/ruleset/terminal/token. |
 | `JBPrices` | Price feed registry with project-specific and protocol-wide default feeds. Immutable once set. |
-| `JBERC20` | Cloneable ERC-20 with Votes + Permit. Owned by `JBTokens`. Deployed via `Clones.clone()`. |
+| `JBERC20` | Cloneable ERC-20 with Votes + Permit + ERC-1271. Controlled by `JBTokens` via `onlyTokens`. Deployed via `Clones.clone()`. |
 | `JBFeelessAddresses` | Allowlist for fee-exempt addresses. |
 | `JBChainlinkV3PriceFeed` | Chainlink AggregatorV3 price feed with staleness threshold. Rejects negative/zero prices, incomplete rounds (`updatedAt == 0`), and stale answers carried from previous rounds (`answeredInRound < roundId`). |
 | `JBChainlinkV3SequencerPriceFeed` | L2 sequencer-aware Chainlink feed (Optimism/Arbitrum) with grace period after restart. Treats any non-zero sequencer answer as down (`answer != 0`). |

package/script/Deploy.s.sol

@@ -85,7 +85,8 @@ contract Deploy is Script, Sphinx {
             trustedForwarder: TRUSTED_FORWARDER
         });
         JBTokens tokens = new JBTokens{salt: keccak256(abi.encode(CORE_DEPLOYMENT_NONCE))}({
-            directory: directory, token: new JBERC20{salt: keccak256(abi.encode(CORE_DEPLOYMENT_NONCE))}()
+            directory: directory,
+            token: new JBERC20{salt: keccak256(abi.encode(CORE_DEPLOYMENT_NONCE))}(permissions, projects)
         });
 
         new JBFundAccessLimits{salt: keccak256(abi.encode(CORE_DEPLOYMENT_NONCE))}(directory);

package/src/JBERC20.sol

@@ -1,27 +1,50 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
-import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
 import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
 import {ERC20Permit, Nonces} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol";
 import {ERC20Votes} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Votes.sol";
+import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import {IERC1271} from "@openzeppelin/contracts/interfaces/IERC1271.sol";
 import {Nonces} from "@openzeppelin/contracts/utils/Nonces.sol";
 
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {JBPermissioned} from "./abstract/JBPermissioned.sol";
+import {IJBPermissions} from "./interfaces/IJBPermissions.sol";
+import {IJBProjects} from "./interfaces/IJBProjects.sol";
 import {IJBToken} from "./interfaces/IJBToken.sol";
+import {IJBTokens} from "./interfaces/IJBTokens.sol";
 
 /// @notice An ERC-20 token that can be used by a project in `JBTokens` and `JBController`.
 /// @dev By default, a project uses "credits" to track balances. Once a project sets their `IJBToken` using
 /// `JBController.deployERC20For(...)` or `JBController.setTokenFor(...)`, credits can be redeemed to claim tokens.
 /// @dev `JBController.deployERC20For(...)` deploys a `JBERC20` contract and sets it as the project's token.
-contract JBERC20 is ERC20Votes, ERC20Permit, Ownable, IJBToken {
+contract JBERC20 is ERC20Votes, ERC20Permit, JBPermissioned, IERC1271, IJBToken {
     //*********************************************************************//
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
     error JBERC20_AlreadyInitialized();
+    error JBERC20_Unauthorized();
 
     //*********************************************************************//
-    // --------------------- internal stored properties ------------------ //
+    // --------------- public immutable stored properties ---------------- //
+    //*********************************************************************//
+
+    /// @notice The projects contract used to resolve project ownership.
+    IJBProjects public immutable PROJECTS;
+
+    //*********************************************************************//
+    // --------------------- public stored properties -------------------- //
+    //*********************************************************************//
+
+    /// @notice The JBTokens contract that owns this token.
+    /// @dev Set via `initialize` because JBERC20 is deployed before JBTokens (circular dependency).
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJBTokens public TOKENS;
+
+    //*********************************************************************//
+    // -------------------- private stored properties -------------------- //
     //*********************************************************************//
 
     /// @notice The token's name.
@@ -38,8 +61,29 @@ contract JBERC20 is ERC20Votes, ERC20Permit, Ownable, IJBToken {
 
     /// @dev Set `_name` on the implementation contract to prevent it from being initialized directly.
     /// Clones start with empty `_name`, so `initialize(...)` works only on clones.
-    constructor() Ownable(address(this)) ERC20("invalid", "invalid") ERC20Permit("JBToken") {
+    /// @param permissions The permissions contract.
+    /// @param projects The projects contract.
+    constructor(
+        IJBPermissions permissions,
+        IJBProjects projects
+    )
+        ERC20("invalid", "invalid")
+        ERC20Permit("JBToken")
+        JBPermissioned(permissions)
+    {
         _name = "invalid";
+        PROJECTS = projects;
+    }
+
+    //*********************************************************************//
+    // --------------------------- modifiers ---------------------------- //
+    //*********************************************************************//
+
+    /// @notice Only the JBTokens contract can call this function.
+    // forge-lint: disable-next-line(unwrapped-modifier-logic)
+    modifier onlyTokens() {
+        if (msg.sender != address(TOKENS)) revert JBERC20_Unauthorized();
+        _;
     }
 
     //*********************************************************************//
@@ -47,51 +91,32 @@ contract JBERC20 is ERC20Votes, ERC20Permit, Ownable, IJBToken {
     //*********************************************************************//
 
     /// @notice Burn some outstanding tokens.
-    /// @dev Can only be called by this contract's owner.
+    /// @dev Can only be called by the JBTokens contract.
     /// @param account The address to burn tokens from.
     /// @param amount The amount of tokens to burn, as a fixed point number with 18 decimals.
-    function burn(address account, uint256 amount) external override onlyOwner {
+    function burn(address account, uint256 amount) external override onlyTokens {
         return _burn({account: account, value: amount});
     }
 
     /// @notice Mints more of this token.
-    /// @dev Can only be called by this contract's owner.
+    /// @dev Can only be called by the JBTokens contract.
     /// @param account The address to mint the new tokens to.
     /// @param amount The amount of tokens to mint, as a fixed point number with 18 decimals.
-    function mint(address account, uint256 amount) external override onlyOwner {
+    function mint(address account, uint256 amount) external override onlyTokens {
         return _mint({account: account, value: amount});
     }
 
     /// @notice Sets the token's name and symbol.
-    /// @dev Can only be called by this contract's owner.
+    /// @dev Can only be called by the JBTokens contract.
     /// @param name_ The new name.
     /// @param symbol_ The new symbol.
-    function setMetadata(string memory name_, string memory symbol_) external override onlyOwner {
-        _name = name_;
-        _symbol = symbol_;
-    }
-
-    //*********************************************************************//
-    // ----------------------- public transactions ----------------------- //
-    //*********************************************************************//
-
-    /// @notice Initializes the token.
-    /// @param name_ The token's name.
-    /// @param symbol_ The token's symbol.
-    /// @param owner The token contract's owner.
-    function initialize(string memory name_, string memory symbol_, address owner) public override {
-        // Prevent re-initialization by reverting if a name is already set or if the provided name is empty.
-        if (bytes(_name).length != 0 || bytes(name_).length == 0) revert JBERC20_AlreadyInitialized();
-
+    function setMetadata(string memory name_, string memory symbol_) external override onlyTokens {
         _name = name_;
         _symbol = symbol_;
-
-        // Transfer ownership to the owner.
-        _transferOwnership(owner);
     }
 
     //*********************************************************************//
-    // ------------------------- external views -------------------------- //
+    // ----------------------- external views ---------------------------- //
     //*********************************************************************//
 
     /// @notice This token can only be added to a project when its created by the `JBTokens` contract.
@@ -99,6 +124,35 @@ contract JBERC20 is ERC20Votes, ERC20Permit, Ownable, IJBToken {
         return false;
     }
 
+    /// @notice Validates a signature on behalf of this token contract (ERC-1271).
+    /// @dev Allows the project owner or an operator with `SIGN_FOR_ERC20` permission to sign messages on behalf of
+    /// this token. Useful for Etherscan contract verification and other off-chain signature flows.
+    /// @param hash The hash of the data being signed.
+    /// @param signature The signature to validate.
+    /// @return magicValue `0x1626ba7e` if the signature is valid, `0xffffffff` otherwise.
+    function isValidSignature(bytes32 hash, bytes memory signature) external view override returns (bytes4 magicValue) {
+        // Recover the signer from the signature. Return invalid if recovery fails.
+        // slither-disable-next-line unused-return
+        (address signer, ECDSA.RecoverError error,) = ECDSA.tryRecover(hash, signature);
+        if (error != ECDSA.RecoverError.NoError) return 0xffffffff;
+
+        // Get the project ID this token belongs to.
+        uint256 projectId = TOKENS.projectIdOf(IJBToken(address(this)));
+
+        // Get the project owner (the NFT holder).
+        address projectOwner = PROJECTS.ownerOf(projectId);
+
+        // Valid if the signer is the project owner or has the SIGN_FOR_ERC20 permission.
+        if (_hasPermissionFrom({
+                operator: signer,
+                account: projectOwner,
+                projectId: projectId,
+                permissionId: JBPermissionIds.SIGN_FOR_ERC20
+            })) return IERC1271.isValidSignature.selector;
+
+        return 0xffffffff;
+    }
+
     //*********************************************************************//
     // -------------------------- public views --------------------------- //
     //*********************************************************************//
@@ -137,6 +191,23 @@ contract JBERC20 is ERC20Votes, ERC20Permit, Ownable, IJBToken {
         return super.totalSupply();
     }
 
+    //*********************************************************************//
+    // ----------------------- public transactions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice Initializes the token.
+    /// @param name_ The token's name.
+    /// @param symbol_ The token's symbol.
+    /// @param tokens The JBTokens contract that manages this token.
+    function initialize(string memory name_, string memory symbol_, address tokens) public override {
+        // Prevent re-initialization by reverting if a name is already set or if the provided name is empty.
+        if (bytes(_name).length != 0 || bytes(name_).length == 0) revert JBERC20_AlreadyInitialized();
+
+        _name = name_;
+        _symbol = symbol_;
+        TOKENS = IJBTokens(tokens);
+    }
+
     //*********************************************************************//
     // ---------------------- internal transactions ---------------------- //
     //*********************************************************************//

package/src/JBTerminalStore.sol

@@ -599,6 +599,8 @@ contract JBTerminalStore is IJBTerminalStore {
         JBRuleset memory ruleset = RULESETS.currentOf(projectId);
 
         // Return the amount of surplus terminal tokens that would be reclaimed.
+        // NOTE: This view does not run the data hook, so it cannot reflect a cross-chain totalSupply override.
+        // For accurate omnichain estimates, use the data hook or simulate recordCashOutFor.
         return JBCashOuts.cashOutFrom({
             surplus: surplus,
             cashOutCount: cashOutCount,
@@ -814,6 +816,8 @@ contract JBTerminalStore is IJBTerminalStore {
         if (cashOutCount > totalSupply) return 0;
 
         // Return the amount of surplus terminal tokens that would be reclaimed.
+        // NOTE: This view does not run the data hook, so it cannot reflect a cross-chain totalSupply override.
+        // For accurate omnichain estimates, use the data hook or simulate recordCashOutFor.
         return JBCashOuts.cashOutFrom({
             surplus: currentSurplus,
             cashOutCount: cashOutCount,
@@ -877,6 +881,54 @@ contract JBTerminalStore is IJBTerminalStore {
         });
     }
 
+    /// @notice Calls the data hook, validates noop specifications, and computes the bonding curve reclaim amount.
+    /// @dev Extracted from `_computeCashOutFrom` to keep it under the EVM stack depth limit (16 slots).
+    /// @param ruleset The current ruleset (used to resolve the data hook address).
+    /// @param context The fully-populated cash out context to forward to the data hook.
+    /// @param surplus The locally available surplus (used as a cap — can't reclaim more than what's on-chain here).
+    /// @return reclaimAmount The amount of surplus tokens reclaimable after the bonding curve and cap.
+    /// @return cashOutTaxRate The cash out tax rate returned by the data hook.
+    /// @return hookSpecifications The hook specifications returned by the data hook.
+    function _cashOutWithDataHook(
+        JBRuleset memory ruleset,
+        JBBeforeCashOutRecordedContext memory context,
+        uint256 surplus
+    )
+        internal
+        view
+        returns (uint256 reclaimAmount, uint256 cashOutTaxRate, JBCashOutHookSpecification[] memory hookSpecifications)
+    {
+        // Ask the data hook for the effective bonding curve parameters and any hook specifications.
+        uint256 effectiveCashOutCount;
+        uint256 effectiveTotalSupply;
+        uint256 effectiveSurplusValue;
+        (cashOutTaxRate, effectiveCashOutCount, effectiveTotalSupply, effectiveSurplusValue, hookSpecifications) =
+            IJBRulesetDataHook(ruleset.dataHook()).beforeCashOutRecordedWith(context);
+
+        // Noop specifications are informational only, so they can't also request forwarded funds.
+        for (uint256 i; i < hookSpecifications.length;) {
+            if (hookSpecifications[i].noop && hookSpecifications[i].amount != 0) {
+                revert JBTerminalStore_NoopHookSpecHasAmount(hookSpecifications[i].amount);
+            }
+            unchecked {
+                ++i;
+            }
+        }
+
+        // Apply the bonding curve to calculate how much of the surplus is reclaimable.
+        if (surplus != 0) {
+            reclaimAmount = JBCashOuts.cashOutFrom({
+                surplus: effectiveSurplusValue,
+                cashOutCount: effectiveCashOutCount,
+                totalSupply: effectiveTotalSupply,
+                cashOutTaxRate: cashOutTaxRate
+            });
+
+            // Cap at local surplus — can't reclaim more than what's locally available.
+            if (reclaimAmount > surplus) reclaimAmount = surplus;
+        }
+    }
+
     /// @notice Computes cash out results without writing state.
     /// @param terminal The terminal recording the cash out.
     /// @param holder The account that is cashing out tokens.
@@ -934,8 +986,6 @@ contract JBTerminalStore is IJBTerminalStore {
         // The terminal still burns the caller-supplied cashOutCount after pricing completes.
         // Project owners MUST audit their data hooks with the same rigor as the terminal.
 
-        uint256 effectiveCashOutCount = cashOutCount;
-
         // If the ruleset has a data hook which is enabled for cash outs, use it to derive a claim amount and memo.
         if (ruleset.useDataHookForCashOut() && ruleset.dataHook() != address(0)) {
             // Build the cash out context field-by-field — the struct has 11 fields, too many for a literal.
@@ -957,30 +1007,21 @@ contract JBTerminalStore is IJBTerminalStore {
             context.beneficiaryIsFeeless = beneficiaryIsFeeless;
             context.metadata = metadata;
 
-            (cashOutTaxRate, effectiveCashOutCount, effectiveTotalSupply, hookSpecifications) =
-                IJBRulesetDataHook(ruleset.dataHook()).beforeCashOutRecordedWith(context);
-
-            // Noop specifications are informational only, so they can't also request forwarded funds.
-            for (uint256 i; i < hookSpecifications.length;) {
-                if (hookSpecifications[i].noop && hookSpecifications[i].amount != 0) {
-                    revert JBTerminalStore_NoopHookSpecHasAmount(hookSpecifications[i].amount);
-                }
-                unchecked {
-                    ++i;
-                }
-            }
+            // Hook call + bonding curve in a helper to stay under the stack depth limit.
+            (reclaimAmount, cashOutTaxRate, hookSpecifications) =
+                _cashOutWithDataHook({ruleset: ruleset, context: context, surplus: surplus});
         } else {
             cashOutTaxRate = ruleset.cashOutTaxRate();
-        }
 
-        // Apply the bonding curve to calculate how much of the surplus is reclaimable.
-        if (surplus != 0) {
-            reclaimAmount = JBCashOuts.cashOutFrom({
-                surplus: surplus,
-                cashOutCount: effectiveCashOutCount,
-                totalSupply: effectiveTotalSupply,
-                cashOutTaxRate: cashOutTaxRate
-            });
+            // Apply the bonding curve to calculate how much of the surplus is reclaimable.
+            if (surplus != 0) {
+                reclaimAmount = JBCashOuts.cashOutFrom({
+                    surplus: surplus,
+                    cashOutCount: cashOutCount,
+                    totalSupply: effectiveTotalSupply,
+                    cashOutTaxRate: cashOutTaxRate
+                });
+            }
         }
     }
 

package/src/JBTokens.sol

@@ -228,7 +228,7 @@ contract JBTokens is JBControlled, IJBTokens {
         });
 
         // Initialize the token.
-        token.initialize({name: name, symbol: symbol, owner: address(this)});
+        token.initialize({name: name, symbol: symbol, tokens: address(this)});
     }
 
     /// @notice Mint (create) new tokens or credits.

package/src/abstract/JBPermissioned.sol

@@ -34,6 +34,34 @@ abstract contract JBPermissioned is Context, IJBPermissioned {
     // -------------------------- internal views ------------------------- //
     //*********************************************************************//
 
+    /// @notice Check whether an operator is the account or has the relevant permission.
+    /// @param operator The address to check.
+    /// @param account The account to allow.
+    /// @param projectId The project ID to check the permission under.
+    /// @param permissionId The required permission ID. The operator must have this permission within the specified
+    /// project ID.
+    /// @return Whether the operator is the account or has the permission.
+    function _hasPermissionFrom(
+        address operator,
+        address account,
+        uint256 projectId,
+        uint256 permissionId
+    )
+        internal
+        view
+        returns (bool)
+    {
+        return operator == account
+            || PERMISSIONS.hasPermission({
+                operator: operator,
+                account: account,
+                projectId: projectId,
+                permissionId: permissionId,
+                includeRoot: true,
+                includeWildcardProjectId: true
+            });
+    }
+
     /// @notice Require the message sender to be the account or have the relevant permission.
     /// @param account The account to allow.
     /// @param projectId The project ID to check the permission under.

package/src/interfaces/IJBRulesetDataHook.sol

@@ -19,7 +19,11 @@ interface IJBRulesetDataHook is IERC165 {
     /// @return cashOutTaxRate The rate determining the reclaimable amount for a given surplus and token supply.
     /// @return effectiveCashOutCount The effective token count to use for pricing the cash out. The terminal still
     /// burns the caller-supplied token count.
-    /// @return effectiveTotalSupply The effective total supply to use for pricing the cash out.
+    /// @return effectiveTotalSupply The effective total supply to use for both the proportional reclaim and tax
+    /// calculations. For omnichain projects, this should include tokens on other chains so the tax cannot be bypassed.
+    /// @return effectiveSurplusValue The surplus value to use for the bonding curve calculation, denominated in the
+    /// same token, decimals, and currency as `context.surplus`. The terminal caps the reclaim at locally available
+    /// funds.
     /// @return hookSpecifications The amount and data to send to cash out hooks instead of returning to the
     /// beneficiary.
     function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
@@ -29,6 +33,7 @@ interface IJBRulesetDataHook is IERC165 {
             uint256 cashOutTaxRate,
             uint256 effectiveCashOutCount,
             uint256 effectiveTotalSupply,
+            uint256 effectiveSurplusValue,
             JBCashOutHookSpecification[] memory hookSpecifications
         );
 

package/src/interfaces/IJBToken.sol

@@ -26,11 +26,11 @@ interface IJBToken {
     /// @param amount The amount of tokens to burn.
     function burn(address account, uint256 amount) external;
 
-    /// @notice Initializes the token with a name, symbol, and owner.
+    /// @notice Initializes the token with a name, symbol, and the JBTokens contract.
     /// @param name The token's name.
     /// @param symbol The token's symbol.
-    /// @param owner The token contract's owner.
-    function initialize(string memory name, string memory symbol, address owner) external;
+    /// @param tokens The JBTokens contract that manages this token.
+    function initialize(string memory name, string memory symbol, address tokens) external;
 
     /// @notice Mints tokens to an account.
     /// @param account The address to mint tokens to.

package/test/TestCashOutHooks.sol

@@ -207,7 +207,11 @@ contract TestCashOutHooks_Local is TestBaseWorkflow {
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
             abi.encode(
-                _ruleset.cashOutTaxRate(), _beneficiaryTokenBalance / 2, _beneficiaryTokenBalance, _specifications
+                _ruleset.cashOutTaxRate(),
+                _beneficiaryTokenBalance / 2,
+                _beneficiaryTokenBalance,
+                _nativePayAmount,
+                _specifications
             )
         );
 
@@ -322,7 +326,13 @@ contract TestCashOutHooks_Local is TestBaseWorkflow {
         vm.mockCall(
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
-            abi.encode(_customCashOutTaxRate, _customCashOutCount, _customTotalSupply, _specifications)
+            abi.encode(
+                _customCashOutTaxRate,
+                _customCashOutCount,
+                _customTotalSupply,
+                _nativeTerminalBalance, // Same as _nativePayAmount (no payouts); avoids stack depth limit.
+                _specifications
+            )
         );
 
         _terminal.cashOutTokensOf({

package/test/TestDataHookFuzzing.sol

@@ -261,12 +261,12 @@ contract TestDataHookFuzzing_Local is TestBaseWorkflow {
         uint256 cashOutCount = tokenBalance / 2;
         _hookTotalSupply = bound(_hookTotalSupply, cashOutCount, tokenBalance * 10);
 
-        // Data hook returns: cashOutTaxRate=0, cashOutCount=half, custom totalSupply, no hook specs.
+        // Data hook returns: cashOutTaxRate=0, cashOutCount=half, custom totalSupply, local surplus, no hook specs.
         JBCashOutHookSpecification[] memory _emptyCashOutSpecs = new JBCashOutHookSpecification[](0);
         vm.mockCall(
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
-            abi.encode(uint256(0), cashOutCount, _hookTotalSupply, _emptyCashOutSpecs)
+            abi.encode(uint256(0), cashOutCount, _hookTotalSupply, _payAmount, _emptyCashOutSpecs)
         );
 
         uint256 balanceBefore = address(this).balance;
@@ -336,7 +336,7 @@ contract TestDataHookFuzzing_Local is TestBaseWorkflow {
         vm.mockCall(
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
-            abi.encode(uint256(0), cashOutCount, tokenBalance, _specs)
+            abi.encode(uint256(0), cashOutCount, tokenBalance, _payAmount, _specs)
         );
 
         // Mock the cash out hook call.
@@ -500,7 +500,7 @@ contract TestDataHookFuzzing_Local is TestBaseWorkflow {
         vm.mockCall(
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
-            abi.encode(uint256(0), tokenBalance, tokenBalance, _specs)
+            abi.encode(uint256(0), tokenBalance, tokenBalance, _payAmount, _specs)
         );
 
         vm.expectRevert(

package/test/TestForwardedTokenConsumption.sol

@@ -145,7 +145,13 @@ contract TestForwardedTokenConsumption_Local is TestBaseWorkflow {
         vm.mockCall(
             _DATA_HOOK,
             abi.encodeWithSelector(IJBRulesetDataHook.beforeCashOutRecordedWith.selector),
-            abi.encode(0, cashOutCount, _controller.totalTokenSupplyWithReservedTokensOf(_projectId), specifications)
+            abi.encode(
+                0,
+                cashOutCount,
+                _controller.totalTokenSupplyWithReservedTokensOf(_projectId),
+                _PAY_AMOUNT,
+                specifications
+            )
         );
 
         vm.prank(multisig());

package/test/TestJBERC20Inheritance.sol

@@ -3,6 +3,8 @@ pragma solidity 0.8.28;
 
 import {TestBaseWorkflow} from "./helpers/TestBaseWorkflow.sol";
 import {JBERC20} from "../src/JBERC20.sol";
+import {IJBPermissions} from "../src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "../src/interfaces/IJBProjects.sol";
 import {IJBRulesetApprovalHook} from "../src/interfaces/IJBRulesetApprovalHook.sol";
 import {IJBToken} from "../src/interfaces/IJBToken.sol";
 import {JBConstants} from "../src/libraries/JBConstants.sol";
@@ -15,7 +17,7 @@ import {JBTerminalConfig} from "../src/structs/JBTerminalConfig.sol";
 
 import {ERC20Votes} from "../src/JBERC20.sol";
 
-contract JBERC20Inheritance_Local is JBERC20, TestBaseWorkflow {
+contract JBERC20Inheritance_Local is JBERC20(IJBPermissions(address(1)), IJBProjects(address(2))), TestBaseWorkflow {
     /// This test is to verify that the inheritance order of JBERC20 is correct and that it calls the
     /// `ERC20Votes._update()`
     /// forge-config: default.allow_internal_expect_revert = true

package/test/TestTokenFlow.sol

@@ -99,8 +99,8 @@ contract TestTokenFlow_Local is TestBaseWorkflow {
             });
         } else {
             // Create a new `IJBToken` and change it's owner to the `JBTokens` contract.
-            IJBToken _newToken = IJBToken(Clones.clone(address(new JBERC20())));
-            _newToken.initialize({name: "NewTestName", symbol: "NewTestSymbol", owner: address(_tokens)});
+            IJBToken _newToken = IJBToken(Clones.clone(address(new JBERC20(jbPermissions(), jbProjects()))));
+            _newToken.initialize({name: "NewTestName", symbol: "NewTestSymbol", tokens: address(_tokens)});
 
             // Mock the token can be added to the project.
             vm.mockCall(

package/test/audit/CashOutReenterPay.t.sol

@@ -260,6 +260,7 @@ contract CashOutReenterPay is TestBaseWorkflow {
                 ruleset.cashOutTaxRate(), // Use the ruleset's 50% cash out tax rate.
                 cashOutCount, // Number of tokens being cashed out.
                 totalSupply, // Total supply for the bonding curve.
+                PAY_AMOUNT, // effectiveSurplusValue — full initial funding, no payouts yet.
                 specifications // Our malicious hook specification.
             )
         );
@@ -475,6 +476,9 @@ contract CashOutReenterPay is TestBaseWorkflow {
         // Read the current total supply for the bonding curve calculation.
         uint256 totalSupply = _tokens.totalSupplyOf(_projectId);
 
+        // Read the current surplus for the bonding curve.
+        uint256 surplus = jbTerminalStore().balanceOf(address(_terminal), _projectId, JBConstants.NATIVE_TOKEN);
+
         // Mock the data hook to return no hook specifications (simple cashout).
         vm.mockCall(
             DATA_HOOK,
@@ -483,6 +487,7 @@ contract CashOutReenterPay is TestBaseWorkflow {
                 ruleset.cashOutTaxRate(), // Pass through the ruleset's tax rate.
                 cashOutCount, // Number of tokens being cashed out.
                 totalSupply, // Current total supply.
+                surplus, // effectiveSurplusValue — current terminal balance.
                 new JBCashOutHookSpecification[](0) // No hooks for this cashout.
             )
         );

package/test/audit/CodexHeldFeeRounding.t.sol

@@ -0,0 +1,159 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import {TestBaseWorkflow} from "../helpers/TestBaseWorkflow.sol";
+import {IJBController} from "../../src/interfaces/IJBController.sol";
+import {IJBMultiTerminal} from "../../src/interfaces/IJBMultiTerminal.sol";
+import {IJBRulesetApprovalHook} from "../../src/interfaces/IJBRulesetApprovalHook.sol";
+import {JBConstants} from "../../src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "../../src/structs/JBAccountingContext.sol";
+import {JBCurrencyAmount} from "../../src/structs/JBCurrencyAmount.sol";
+import {JBFundAccessLimitGroup} from "../../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../../src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "../../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../../src/structs/JBTerminalConfig.sol";
+
+contract CodexHeldFeeRoundingTest is TestBaseWorkflow {
+    IJBController private _controller;
+    IJBMultiTerminal private _terminal;
+
+    uint256 private _projectId;
+    address private _projectOwner;
+    address private _beneficiary;
+
+    function setUp() public override {
+        super.setUp();
+
+        _projectOwner = multisig();
+        _beneficiary = beneficiary();
+        _terminal = jbMultiTerminal();
+        _controller = jbController();
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: true,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: true,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBCurrencyAmount[] memory payoutLimits = new JBCurrencyAmount[](1);
+        payoutLimits[0] = JBCurrencyAmount({amount: 100, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBCurrencyAmount[] memory surplusAllowances = new JBCurrencyAmount[](1);
+        surplusAllowances[0] = JBCurrencyAmount({amount: 0, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))});
+
+        JBFundAccessLimitGroup[] memory fundAccessLimits = new JBFundAccessLimitGroup[](1);
+        fundAccessLimits[0] = JBFundAccessLimitGroup({
+            terminal: address(_terminal),
+            token: JBConstants.NATIVE_TOKEN,
+            payoutLimits: payoutLimits,
+            surplusAllowances: surplusAllowances
+        });
+
+        JBRulesetConfig[] memory rulesetConfigs = new JBRulesetConfig[](1);
+        rulesetConfigs[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 0,
+            weight: 0,
+            weightCutPercent: 0,
+            approvalHook: IJBRulesetApprovalHook(address(0)),
+            metadata: metadata,
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: fundAccessLimits
+        });
+
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory terminalConfigs = new JBTerminalConfig[](1);
+        terminalConfigs[0] = JBTerminalConfig({terminal: _terminal, accountingContextsToAccept: contexts});
+
+        // Project 1 is the fee project.
+        _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "fee-project",
+            rulesetConfigurations: rulesetConfigs,
+            terminalConfigurations: terminalConfigs,
+            memo: ""
+        });
+
+        _projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "project",
+            rulesetConfigurations: rulesetConfigs,
+            terminalConfigurations: terminalConfigs,
+            memo: ""
+        });
+    }
+
+    function test_partialHeldFeeRepaymentCanEraseRemainingFee() external {
+        // Seed the project with enough balance to send a payout that holds fees.
+        _terminal.pay{value: 100}({
+            projectId: _projectId,
+            amount: 100,
+            token: JBConstants.NATIVE_TOKEN,
+            beneficiary: _beneficiary,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        _terminal.sendPayoutsOf({
+            projectId: _projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: 40,
+            currency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            minTokensPaidOut: 0
+        });
+
+        // 40 gross produces a 1 wei fee and 39 wei net payout.
+        assertEq(address(_projectOwner).balance, 39);
+
+        vm.prank(_projectOwner);
+        _terminal.addToBalanceOf{value: 1}({
+            projectId: _projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: 1,
+            shouldReturnHeldFees: true,
+            memo: "",
+            metadata: new bytes(0)
+        });
+
+        // After repaying only 1 wei of the 39 wei payout, the fee should still be owed in full.
+        uint256 feeProjectBalanceBefore = jbTerminalStore().balanceOf(address(_terminal), 1, JBConstants.NATIVE_TOKEN);
+        assertEq(feeProjectBalanceBefore, 0);
+
+        vm.warp(block.timestamp + 2_419_200);
+        _terminal.processHeldFeesOf(_projectId, JBConstants.NATIVE_TOKEN, 10);
+
+        uint256 feeProjectBalanceAfter = jbTerminalStore().balanceOf(address(_terminal), 1, JBConstants.NATIVE_TOKEN);
+        uint256 projectBalanceAfter =
+            jbTerminalStore().balanceOf(address(_terminal), _projectId, JBConstants.NATIVE_TOKEN);
+
+        // The fee project never receives the original 1 wei fee.
+        assertEq(feeProjectBalanceAfter, 0);
+        // The payer project only gets its explicit top-up recorded.
+        assertEq(projectBalanceAfter, 61);
+        // One wei remains stranded in the terminal: actual native balance exceeds tracked balances.
+        assertEq(address(_terminal).balance, 62);
+        assertEq(address(_terminal).balance - (feeProjectBalanceAfter + projectBalanceAfter), 1);
+    }
+}

package/test/helpers/TestBaseWorkflow.sol

@@ -293,7 +293,7 @@ contract TestBaseWorkflow is JBTest, DeployPermit2 {
         _jbPermissions = new JBPermissions(_trustedForwarder);
         _jbProjects = new JBProjects(_multisig, address(0), _trustedForwarder);
         _jbDirectory = new JBDirectory(_jbPermissions, _jbProjects, _multisig);
-        _jbErc20 = new JBERC20();
+        _jbErc20 = new JBERC20(_jbPermissions, _jbProjects);
         _jbTokens = new JBTokens(_jbDirectory, _jbErc20);
         _jbRulesets = new JBRulesets(_jbDirectory);
         _jbPrices = new JBPrices(_jbDirectory, _jbPermissions, _jbProjects, _multisig, _trustedForwarder);

package/test/units/static/JBERC20/JBERC20Setup.sol

@@ -3,6 +3,8 @@ pragma solidity 0.8.28;
 
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
 import {JBERC20} from "../../../../src/JBERC20.sol";
+import {IJBPermissions} from "../../../../src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "../../../../src/interfaces/IJBProjects.sol";
 import {IJBToken} from "../../../../src/interfaces/IJBToken.sol";
 import {JBTest} from "../../../helpers/JBTest.sol";
 
@@ -11,7 +13,10 @@ Contract that deploys a target contract with other mock contracts to satisfy the
 Tests relative to this contract will be dependent on mock calls/emits and stdStorage.
 */
 contract JBERC20Setup is JBTest {
-    address _owner = makeAddr("owner");
+    // Mocks
+    address _tokens = makeAddr("tokens");
+    IJBProjects _projects = IJBProjects(makeAddr("projects"));
+    IJBPermissions _permissions = IJBPermissions(makeAddr("permissions"));
 
     // Implementation (constructor sets _name = "invalid", cannot be initialized)
     IJBToken public _implementation;
@@ -20,8 +25,8 @@ contract JBERC20Setup is JBTest {
     IJBToken public _erc20;
 
     function erc20Setup() public virtual {
-        // Deploy the implementation
-        _implementation = new JBERC20();
+        // Deploy the implementation with immutable permissions and projects
+        _implementation = new JBERC20(_permissions, _projects);
 
         // Clone it — clones start with empty storage, so initialize() works
         _erc20 = IJBToken(Clones.clone(address(_implementation)));

package/test/units/static/JBERC20/TestInitialize.sol

@@ -4,7 +4,6 @@ pragma solidity 0.8.28;
 import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
 import {JBERC20} from "../../../../src/JBERC20.sol";
 import {JBERC20Setup} from "./JBERC20Setup.sol";
-import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
 
 contract TestInitialize_Local is JBERC20Setup {
     string _name = "Nana";
@@ -17,21 +16,21 @@ contract TestInitialize_Local is JBERC20Setup {
     function test_ImplementationCannotBeInitialized() external {
         // The implementation has _name = "invalid" set in constructor, so initialize() must revert.
         vm.expectRevert(JBERC20.JBERC20_AlreadyInitialized.selector);
-        _implementation.initialize(_name, _symbol, _owner);
+        _implementation.initialize(_name, _symbol, _tokens);
     }
 
     function test_WhenANameIsAlreadySet() external {
         // it will revert
 
-        _erc20.initialize(_name, _symbol, _owner);
+        _erc20.initialize(_name, _symbol, _tokens);
 
-        // ensure ownership transferred
-        address newOwner = Ownable(address(_erc20)).owner();
-        assertEq(newOwner, _owner);
+        // ensure TOKENS is set
+        address setTokens = address(JBERC20(address(_erc20)).TOKENS());
+        assertEq(setTokens, _tokens);
 
         // will fail as internal name is no longer zero length
         vm.expectRevert();
-        _erc20.initialize(_name, _symbol, _owner);
+        _erc20.initialize(_name, _symbol, _tokens);
     }
 
     function test_WhenName_EQNothing() external {
@@ -39,17 +38,17 @@ contract TestInitialize_Local is JBERC20Setup {
 
         // will fail as internal name is no longer than zero length
         vm.expectRevert();
-        _erc20.initialize("", _symbol, _owner);
+        _erc20.initialize("", _symbol, _tokens);
     }
 
     function test_WhenNameIsValidAndNotAlreadySet() external {
-        // it will set the name and symbol and transfer ownership
+        // it will set the name, symbol, and store references
 
-        _erc20.initialize(_name, _symbol, _owner);
+        _erc20.initialize(_name, _symbol, _tokens);
 
-        // ensure ownership transferred
-        address newOwner = Ownable(address(_erc20)).owner();
-        assertEq(newOwner, _owner);
+        // ensure TOKENS is set
+        address setTokens = address(JBERC20(address(_erc20)).TOKENS());
+        assertEq(setTokens, _tokens);
 
         // name is set
         string memory _setName = IERC20Metadata(address(_erc20)).name();

package/test/units/static/JBERC20/TestName.sol

@@ -15,7 +15,7 @@ contract TestName_Local is JBERC20Setup {
 
     function test_WhenANameIsSet() external {
         // it will return the name
-        _erc20.initialize("NANAPUS", "NANA", _owner);
+        _erc20.initialize("NANAPUS", "NANA", _tokens);
 
         string memory _setName = _token.name();
         assertEq(_setName, "NANAPUS");

package/test/units/static/JBERC20/TestNonces.sol

@@ -6,6 +6,7 @@ import {JBERC20Setup} from "./JBERC20Setup.sol";
 import {SigUtils} from "./SigUtils.sol";
 
 contract TestNonces_Local is JBERC20Setup {
+    address _user = makeAddr("user");
     IERC20Permit _token;
     SigUtils sigUtils;
 
@@ -30,7 +31,7 @@ contract TestNonces_Local is JBERC20Setup {
     function test_WhenAUserHasNotCalledPermit() external view {
         // it will return zero
 
-        uint256 _nonce = _token.nonces(_owner);
+        uint256 _nonce = _token.nonces(_user);
 
         assertEq(_nonce, 0);
     }

package/test/units/static/JBERC20/TestSymbol.sol

@@ -16,7 +16,7 @@ contract TestSymbol_Local is JBERC20Setup {
     function test_WhenASymbolIsSet() external {
         // it will return a non-empty string
 
-        _erc20.initialize("NANAPUS", "NANA", _owner);
+        _erc20.initialize("NANAPUS", "NANA", _tokens);
 
         string memory _setSymbol = _token.symbol();
         assertEq(_setSymbol, "NANA");

package/test/units/static/JBTerminalStore/TestPreviewCashOutFrom.sol

@@ -453,7 +453,7 @@ contract TestPreviewCashOutFor_Local is JBTerminalStoreSetup {
         mockExpect(
             address(_dataHook),
             abi.encodeCall(IJBRulesetDataHook.beforeCashOutRecordedWith, (_context)),
-            abi.encode(0, 10e18, _totalSupply, _spec)
+            abi.encode(0, 10e18, _totalSupply, 3e18, _spec)
         );
 
         (, uint256 reclaimAmount, uint256 cashOutTaxRate, JBCashOutHookSpecification[] memory hookSpecifications) = _store.previewCashOutFrom({

package/test/units/static/JBTerminalStore/TestRecordCashOutsFor.sol

@@ -417,7 +417,7 @@ contract TestRecordCashOutsFor_Local is JBTerminalStoreSetup {
         mockExpect(
             address(_dataHook),
             abi.encodeCall(IJBRulesetDataHook.beforeCashOutRecordedWith, (_context)),
-            abi.encode(0, 1e18, _totalSupply, _spec)
+            abi.encode(0, 1e18, _totalSupply, 3e18, _spec)
         );
 
         uint256 balanceBefore = _store.balanceOf(address(this), _projectId, _accountingContexts.token);
@@ -521,7 +521,7 @@ contract TestRecordCashOutsFor_Local is JBTerminalStoreSetup {
         mockExpect(
             address(_dataHook),
             abi.encodeCall(IJBRulesetDataHook.beforeCashOutRecordedWith, (_context)),
-            abi.encode(0, 1e18, _totalSupply, _spec)
+            abi.encode(0, 1e18, _totalSupply, 3e18, _spec)
         );
 
         (, uint256 reclaimed,,) = _store.recordCashOutFor({
@@ -576,7 +576,7 @@ contract TestRecordCashOutsFor_Local is JBTerminalStoreSetup {
         mockExpect(
             address(_dataHook),
             abi.encodeCall(IJBRulesetDataHook.beforeCashOutRecordedWith, (_context)),
-            abi.encode(0, 1e18, _totalSupply, _spec)
+            abi.encode(0, 1e18, _totalSupply, 3e18, _spec)
         );
 
         vm.expectRevert(abi.encodeWithSelector(JBTerminalStore.JBTerminalStore_NoopHookSpecHasAmount.selector, 1));
@@ -631,7 +631,7 @@ contract TestRecordCashOutsFor_Local is JBTerminalStoreSetup {
         mockExpect(
             address(_dataHook),
             abi.encodeCall(IJBRulesetDataHook.beforeCashOutRecordedWith, (_context)),
-            abi.encode(0, 1e18, _totalSupply, _spec)
+            abi.encode(0, 1e18, _totalSupply, 3e18, _spec)
         );
 
         vm.expectRevert(abi.encodeWithSelector(JBTerminalStore.JBTerminalStore_NoopHookSpecHasAmount.selector, 1));

package/test/units/static/JBTokens/JBTokensSetup.sol

@@ -4,6 +4,8 @@ pragma solidity 0.8.28;
 import {JBERC20} from "../../../../src/JBERC20.sol";
 import {JBTokens} from "../../../../src/JBTokens.sol";
 import {IJBDirectory} from "../../../../src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "../../../../src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "../../../../src/interfaces/IJBProjects.sol";
 import {IJBToken} from "../../../../src/interfaces/IJBToken.sol";
 import {IJBTokens} from "../../../../src/interfaces/IJBTokens.sol";
 import {JBTest} from "../../../helpers/JBTest.sol";
@@ -15,6 +17,8 @@ Tests relative to this contract will be dependent on mock calls/emits and stdSto
 contract JBTokensSetup is JBTest {
     // Mocks
     IJBDirectory public directory = IJBDirectory(makeAddr("directory"));
+    IJBPermissions public permissions = IJBPermissions(makeAddr("permissions"));
+    IJBProjects public projects = IJBProjects(makeAddr("projects"));
     IJBToken public jbToken;
 
     // Target Contract
@@ -22,7 +26,7 @@ contract JBTokensSetup is JBTest {
 
     function tokensSetup() public virtual {
         // Instantiate the contract being tested
-        jbToken = new JBERC20();
+        jbToken = new JBERC20(permissions, projects);
         _tokens = new JBTokens(directory, jbToken);
     }
 }