@bananapus/core-v6 0.0.35 → 0.0.37

package/USER_JOURNEYS.md

@@ -2,32 +2,30 @@
 
 ## Repo Purpose
 
-This repo is the canonical Juicebox V6 runtime surface.
-It owns project identity, rulesets, terminal execution, treasury accounting, permissions, price feeds, and migration
-paths. Most other V6 repos wrap or extend this behavior rather than replacing it.
+This repo is the main runtime surface for Juicebox V6. It owns project identity, rulesets, terminal execution, treasury accounting, permissions, price feeds, and migration paths. Most other V6 repos build on this behavior instead of replacing it.
 
 ## Primary Actors
 
-- founders launching and evolving Juicebox projects
-- supporters paying projects in the asset a terminal accepts
+- founders launching and updating Juicebox projects
+- supporters paying projects in assets that a terminal accepts
 - token holders cashing out against project surplus
 - operators managing permissions, splits, fund access limits, and rulesets
-- integrators wiring hooks, terminals, price feeds, and migrations into the canonical protocol surface
+- integrators wiring hooks, terminals, price feeds, and migrations into core
 
 ## Key Surfaces
 
 - `JBController`: project launch, ruleset queueing, token setup, splits, and controller migration
-- `JBMultiTerminal`: pay, payout, allowance, preview, and cash-out entrypoint
+- `JBMultiTerminal`: pay, payout, allowance, preview, and cash-out entrypoints
 - `JBTerminalStore`: balance, surplus, fee, and reclaim accounting
 - `JBDirectory`: controller and terminal routing
 - `JBPermissions`: packed operator-permission registry
 - `JBProjects`, `JBRulesets`, `JBPrices`, `JBFundAccessLimits`, `JBSplits`, `JBTokens`: core state and helper surfaces
 
-## Journey 1: Launch A Project With The Right Initial Shape
+## Journey 1: Launch A Project With The Right Initial Setup
 
 **Actor:** founder, deployer, or protocol integrator.
 
-**Intent:** create a project with the right owner, terminal, ruleset, and hook assumptions from block zero.
+**Intent:** create a project with the right owner, terminal, ruleset, and hook assumptions from the start.
 
 **Preconditions**
 - the team knows who should own the project, which terminals it should use, and what the first ruleset should allow
@@ -35,20 +33,20 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 **Main Flow**
 1. Call `JBController.launchProjectFor(...)` with the owner, URI, ruleset config, terminal configs, and any split or hook metadata.
 2. `JBProjects` mints the project NFT, `JBDirectory` records controller and terminal routing, and `JBRulesets` stores the first ruleset.
-3. If the project wants ERC-20 tokens, reserved-rate behavior, or hook-driven behavior, that configuration is committed at launch instead of being inferred later.
+3. If the project wants ERC-20 tokens, reserved-rate behavior, or hook-driven behavior, that configuration is set at launch.
 4. The project can now accept payments and queue future rulesets without changing project identity.
 
 **Failure Modes**
 - accounting contexts do not match the intended terminal asset
 - hook metadata or split assumptions are invalid at launch
-- ownership or permission assumptions are wrong and expensive to repair later
+- ownership or permission assumptions are wrong and expensive to fix later
 
 **Postconditions**
-- the project NFT exists, the initial ruleset is active, accepted terminals are installed, and downstream hooks or splits can begin working immediately
+- the project NFT exists, the first ruleset is active, accepted terminals are installed, and hooks or splits can start immediately
 
 ## Journey 2: Accept A Payment And Issue The Right Token Exposure
 
-**Actor:** payer or integration paying on a user's behalf.
+**Actor:** payer or integration paying for a user.
 
 **Intent:** settle a payment through the canonical terminal path and issue the correct token exposure.
 
@@ -58,18 +56,18 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 **Main Flow**
 1. A payer calls `pay(...)` on `JBMultiTerminal`.
 2. The terminal validates the accounting context, records funds, and asks `JBTerminalStore` to derive issuance from the active ruleset.
-3. `JBController` and `JBTokens` decide whether the beneficiary gets project token credits, ERC-20s, or no issuance because weight is zero.
+3. `JBController` and `JBTokens` decide whether the beneficiary gets project credits, ERC-20s, or no issuance because weight is zero.
 4. Any configured pay hooks or data hooks run around the accounting path.
 
 **Failure Modes**
 - payments are paused or the token is unsupported for the target accounting context
 - fee-on-transfer behavior or price-feed assumptions break the intended issuance path
-- hooks add side effects the payer or integrator did not account for
+- hooks add side effects that the payer or integrator did not account for
 
 **Postconditions**
-- treasury balances increase, hooks run in the right order, and the beneficiary receives credits or ERC-20 tokens consistent with the ruleset
+- treasury balances increase, hooks run in the right order, and the beneficiary receives credits or ERC-20 tokens that match the ruleset
 
-## Journey 3: Turn Credits Into ERC-20 Tokens Once A Project Wants A Transferable Token
+## Journey 3: Turn Credits Into ERC-20 Tokens
 
 **Actor:** holder or operator acting for a holder.
 
@@ -82,30 +80,30 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 **Main Flow**
 1. Deploy or set the project's ERC-20 token through `JBController`.
 2. Holders or operators call `claimTokensFor(...)` to convert credits into ERC-20 balances for a beneficiary.
-3. Future issuance can continue using the same project identity while users now interact with a standard token surface.
+3. Future issuance can continue under the same project identity while users now interact with a standard token surface.
 
 **Failure Modes**
 - the wrong token is installed for the project
-- integrations assume credits are automatically ERC-20 balances after token installation
+- integrations assume credits automatically become ERC-20 balances after token installation
 
 **Postconditions**
-- the project deploys or installs its ERC-20 token and holders can claim credits into transferable balances
+- the project has an ERC-20 token and holders can claim credits into transferable balances
 
 ## Journey 4: Distribute Treasury Funds Through Governed Paths
 
 **Actor:** owner or authorized operator.
 
-**Intent:** move value out of the treasury through configured payouts or allowance surfaces.
+**Intent:** move value out of the treasury through configured payout or allowance paths.
 
 **Preconditions**
 - the project has terminal balances
 - the caller is allowed to use payout or allowance paths
 
 **Main Flow**
-1. Authorized actors call payout or allowance surfaces on the terminal.
+1. An authorized caller uses payout or allowance entrypoints on the terminal.
 2. `JBFundAccessLimits` bounds how much may leave for the current ruleset cycle.
-3. `JBSplits` fans value out to beneficiaries, projects, hooks, or fee recipients as configured.
-4. `JBTerminalStore` updates balances and fee accounting so later previews and cash outs remain consistent.
+3. `JBSplits` routes value to beneficiaries, projects, hooks, or fee recipients as configured.
+4. `JBTerminalStore` updates balances and fee accounting so later previews and cash outs stay consistent.
 
 **Failure Modes**
 - splits or access limits no longer match operator expectations
@@ -113,7 +111,7 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 - operators assume allowance withdrawals behave exactly like payouts when fee treatment differs
 
 **Postconditions**
-- treasury value leaves only through configured limits, recipients, and fee logic instead of arbitrary admin withdrawals
+- value leaves the treasury only through configured limits, recipients, and fee logic
 
 ## Journey 5: Let Holders Cash Out Against Surplus
 
@@ -127,42 +125,42 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 
 **Main Flow**
 1. The holder calls `cashOutTokensOf(...)` on the relevant terminal.
-2. `JBTerminalStore` calculates reclaim value using surplus, outstanding token supply, cash-out tax rate, and any pending reserved token effects.
-3. Cash-out hooks can modify behavior or side effects, but the core accounting remains anchored in the terminal store.
-4. Tokens burn and value exits the treasury through the terminal that actually held the asset.
+2. `JBTerminalStore` calculates reclaim value using surplus, total supply, cash-out tax rate, and any pending reserved-token effects.
+3. Cash-out hooks can change behavior or side effects, but core accounting still comes from the terminal store.
+4. Tokens burn and value exits the treasury through the terminal that held the asset.
 
 **Failure Modes**
 - fee-free or custom hook paths produce different outcomes than the holder expected
-- preview-versus-execution drift appears under volatile routing or multi-terminal liquidity
-- users misread multi-terminal surplus as one homogeneous pool
+- preview and execution drift under changing routing or multi-terminal liquidity
+- users treat multi-terminal surplus like one simple pool when it is not
 
 **Postconditions**
-- the holder burns the intended amount of token exposure and receives the correct reclaim amount under the current ruleset
+- the holder burns the intended token exposure and receives the reclaim amount allowed by the current ruleset
 
 ## Journey 6: Queue New Rulesets Without Migrating The Project
 
 **Actor:** owner or authorized operator.
 
-**Intent:** change future project economics without changing the project's identity or existing balances.
+**Intent:** change future project economics without changing identity or existing balances.
 
 **Preconditions**
 - the project is live and future economics need to change
 
 **Main Flow**
-1. The owner or an operator with the right permission queues one or more new rulesets through `JBController`.
-2. `JBRulesets` stores the proposed future configuration and any approval hook requirements.
-3. When the active duration elapses, the next approved ruleset becomes live and future pays, payouts, and cash outs follow the new terms.
-4. Existing balances and token history remain intact because only future behavior changed.
+1. The owner or an allowed operator queues one or more new rulesets through `JBController`.
+2. `JBRulesets` stores the future configuration and any approval-hook requirements.
+3. When the active duration ends, the next approved ruleset becomes live and later pays, payouts, and cash outs follow the new terms.
+4. Existing balances and token history stay intact because only future behavior changed.
 
 **Failure Modes**
 - approval-hook requirements are forgotten or misunderstood
 - queued metadata is incompatible with installed hooks
-- teams assume a ruleset change can retroactively fix prior accounting
+- teams assume a ruleset change can fix past accounting
 
 **Postconditions**
-- the next ruleset activates on schedule while the project keeps the same identity, treasury, and downstream integrations
+- the next ruleset activates on schedule while the project keeps the same identity, treasury, and integrations
 
-## Journey 7: Migrate A Project To New Terminal Or Controller Surfaces Deliberately
+## Journey 7: Migrate To New Terminal Or Controller Surfaces
 
 **Actor:** owner or migration operator.
 
@@ -173,13 +171,13 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 - the destination surface is understood and intended
 
 **Main Flow**
-1. Confirm the active ruleset permits migration and the destination surface is the intended successor.
+1. Confirm the active ruleset allows migration and the destination is the intended successor.
 2. Use `JBController.migrate(...)` and the terminal-store migration paths instead of manually repointing addresses.
-3. Recheck directory routing and accepted accounting contexts after migration completes.
+3. Recheck directory routing and accepted accounting contexts after migration.
 
 **Failure Modes**
-- migration targets are wrong or only partially configured
-- operators manually repoint routing without using the protocol's migration surfaces
+- migration targets are wrong or only partly configured
+- operators manually repoint routing without using protocol migration paths
 
 **Postconditions**
 - balances, permissions, and future routing stay coherent after migration
@@ -188,7 +186,7 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 
 **Actor:** project owner.
 
-**Intent:** delegate project operations narrowly instead of transferring blanket control.
+**Intent:** delegate narrow project operations instead of blanket control.
 
 **Preconditions**
 - the owner wants operators, delegates, or automation to manage only specific surfaces
@@ -196,10 +194,10 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 **Main Flow**
 1. The owner configures operator permissions in `JBPermissions`.
 2. Downstream calls check those packed permission bits instead of assuming project ownership.
-3. Integrations such as ownable wrappers, hook deployers, and router registries can now respect project-scoped delegation without custom ACL logic.
+3. Ownable wrappers, hook deployers, and router registries can respect project-scoped delegation without custom ACL logic.
 
 **Failure Modes**
-- operators receive permissions broader than they need
+- operators receive broader permissions than they need
 - auditors assume downstream access still depends only on project ownership
 
 **Postconditions**
@@ -207,11 +205,11 @@ paths. Most other V6 repos wrap or extend this behavior rather than replacing it
 
 ## Trust Boundaries
 
-- `JBTerminalStore` is the accounting truth for balances, surplus, fees, and reclaim behavior
-- hooks, approval hooks, pay hooks, and cash-out hooks are trusted extension surfaces, not cosmetic plugins
-- price feeds and directory routing are critical external-context surfaces inherited by many downstream repos
+- `JBTerminalStore` is the accounting source of truth for balances, surplus, fees, and reclaim behavior
+- hooks, approval hooks, pay hooks, and cash-out hooks are trusted extension surfaces
+- price feeds and directory routing are critical shared-context surfaces
 
 ## Hand-Offs
 
-- Use [nana-permission-ids-v6](../nana-permission-ids-v6/USER_JOURNEYS.md) for the shared permission vocabulary that downstream repos import.
-- Use [nana-721-hook-v6](../nana-721-hook-v6/USER_JOURNEYS.md), [nana-router-terminal-v6](../nana-router-terminal-v6/USER_JOURNEYS.md), and [nana-buyback-hook-v6](../nana-buyback-hook-v6/USER_JOURNEYS.md) for opinionated layers on top of the core terminal and ruleset surfaces.
+- Use [nana-permission-ids-v6](../nana-permission-ids-v6/USER_JOURNEYS.md) for the shared permission vocabulary used by downstream repos.
+- Use [nana-721-hook-v6](../nana-721-hook-v6/USER_JOURNEYS.md), [nana-router-terminal-v6](../nana-router-terminal-v6/USER_JOURNEYS.md), and [nana-buyback-hook-v6](../nana-buyback-hook-v6/USER_JOURNEYS.md) for opinionated layers built on the core terminal and ruleset surfaces.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.35",
+  "version": "0.0.37",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -26,7 +26,7 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-core-v6'"
   },
   "dependencies": {
-    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@bananapus/permission-ids-v6": "^0.0.19",
     "@chainlink/contracts": "^1.5.0",
     "@openzeppelin/contracts": "^5.6.1",
     "@prb/math": "^4.1.1",

package/src/JBController.sol

@@ -525,6 +525,10 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         // Cache common values used in both permission checks.
         address sender = _msgSender();
         bool senderIsTerminal = _isTerminalOf(projectId, sender);
+        bool senderIsTerminalOrDataHook = senderIsTerminal || sender == ruleset.dataHook();
+        // Only query the data hook if the sender isn't already a terminal or the data hook itself.
+        bool senderHasDataHookMintPermission =
+            !senderIsTerminalOrDataHook && _hasDataHookMintPermissionFor(projectId, ruleset, sender);
 
         // Minting is restricted to: the project's owner, addresses with permission to `MINT_TOKENS`, the project's
         // terminals, and the project's data hook.
@@ -532,15 +536,14 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             account: PROJECTS.ownerOf(projectId),
             projectId: projectId,
             permissionId: JBPermissionIds.MINT_TOKENS,
-            alsoGrantAccessIf: senderIsTerminal || sender == ruleset.dataHook()
-                || _hasDataHookMintPermissionFor(projectId, ruleset, sender)
+            alsoGrantAccessIf: senderIsTerminalOrDataHook || senderHasDataHookMintPermission
         });
 
         // If the message sender is not the project's terminal or data hook, the ruleset must have `allowOwnerMinting`
         // set to `true`.
         if (
-            ruleset.id != 0 && !ruleset.allowOwnerMinting() && !senderIsTerminal && sender != ruleset.dataHook()
-                && !_hasDataHookMintPermissionFor(projectId, ruleset, sender)
+            ruleset.id != 0 && !ruleset.allowOwnerMinting() && !senderIsTerminalOrDataHook
+                && !senderHasDataHookMintPermission
         ) {
             revert JBController_MintNotAllowedAndNotTerminalOrHook(sender);
         }

package/src/JBMultiTerminal.sol

@@ -1150,20 +1150,24 @@ contract JBMultiTerminal is JBPermissioned, ERC2771Context, IJBMultiTerminal {
         // Cache whether the beneficiary is feeless.
         bool beneficiaryIsFeeless = _isFeeless(beneficiary);
 
-        // Record the cash out.
-        (ruleset, reclaimAmount, cashOutTaxRate, hookSpecifications) = STORE.recordCashOutFor({
-            holder: holder,
-            projectId: projectId,
-            cashOutCount: cashOutCount,
-            tokenToReclaim: tokenToReclaim,
-            beneficiaryIsFeeless: beneficiaryIsFeeless,
-            metadata: metadata
-        });
+        {
+            // Cache the controller to avoid a redundant external call (also used inside STORE.recordCashOutFor).
+            IJBController controller = _controllerOf(projectId);
+
+            // Record the cash out.
+            (ruleset, reclaimAmount, cashOutTaxRate, hookSpecifications) = STORE.recordCashOutFor({
+                holder: holder,
+                projectId: projectId,
+                cashOutCount: cashOutCount,
+                tokenToReclaim: tokenToReclaim,
+                beneficiaryIsFeeless: beneficiaryIsFeeless,
+                metadata: metadata
+            });
 
-        // Burn the project tokens.
-        if (cashOutCount != 0) {
-            _controllerOf(projectId)
-                .burnTokensOf({holder: holder, projectId: projectId, tokenCount: cashOutCount, memo: ""});
+            // Burn the project tokens.
+            if (cashOutCount != 0) {
+                controller.burnTokensOf({holder: holder, projectId: projectId, tokenCount: cashOutCount, memo: ""});
+            }
         }
 
         // Keep a reference to the amount being reclaimed that is subject to fees.

package/test/TestAccessToFunds.sol

@@ -1146,6 +1146,20 @@ contract TestAccessToFunds_Local is TestBaseWorkflow {
                 : _nativePayAmount - _nativeCurrencyPayoutLimit > 1
         );
 
+        // Skip inputs where cross-currency payout limit rounding could flip the revert/succeed outcome.
+        // The test's `_toNative` helper may round differently than the contract's multi-step conversion
+        // (which uses 18-decimal intermediate fidelity). A 1 wei difference at the boundary is enough
+        // to cause the test to expect a revert that doesn't happen, or vice versa.
+        {
+            uint256 _nativePLTotal = uint256(_nativeCurrencyPayoutLimit) + _toNative(_usdCurrencyPayoutLimit);
+            uint256 _predicted = uint256(_nativeCurrencySurplusAllowance) + _nativePLTotal;
+            // If the predicted total is within 2 of the pay amount, rounding can go either way.
+            if (_predicted > _nativePayAmount ? _predicted - _nativePayAmount <= 2 : _nativePayAmount - _predicted <= 2)
+            {
+                vm.assume(false);
+            }
+        }
+
         {
             // Package up the limits for the given terminal.
             JBFundAccessLimitGroup[] memory _fundAccessLimitGroup = new JBFundAccessLimitGroup[](1);
@@ -1371,6 +1385,16 @@ contract TestAccessToFunds_Local is TestBaseWorkflow {
                 && _toNative(_usdCurrencySurplusAllowance + _usdCurrencyPayoutLimit) + _nativeCurrencyPayoutLimit
                         + _nativeCurrencySurplusAllowance > _nativePayAmount
         ) {
+            // Skip inputs near the rounding boundary for the second allowance call too.
+            {
+                uint256 _predicted2 = _toNative(_usdCurrencySurplusAllowance + _usdCurrencyPayoutLimit)
+                    + _nativeCurrencyPayoutLimit + _nativeCurrencySurplusAllowance;
+                if (_predicted2 > _nativePayAmount
+                        ? _predicted2 - _nativePayAmount <= 2
+                        : _nativePayAmount - _predicted2 <= 2) {
+                    return; // Too close to boundary — rounding may differ between test helper and contract.
+                }
+            }
             vm.expectRevert(
                 abi.encodeWithSelector(
                     JBTerminalStore.JBTerminalStore_InadequateTerminalStoreBalance.selector,

package/test/audit/CodexMigrationFeeFailure.t.sol

@@ -0,0 +1,163 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.6;
+
+import {TestBaseWorkflow} from "../helpers/TestBaseWorkflow.sol";
+import {JBMultiTerminal} from "../../src/JBMultiTerminal.sol";
+import {JBDirectory} from "../../src/JBDirectory.sol";
+import {JBTerminalStore} from "../../src/JBTerminalStore.sol";
+import {IJBController} from "../../src/interfaces/IJBController.sol";
+import {IJBTerminal} from "../../src/interfaces/IJBTerminal.sol";
+import {IJBRulesetApprovalHook} from "../../src/interfaces/IJBRulesetApprovalHook.sol";
+import {JBConstants} from "../../src/libraries/JBConstants.sol";
+import {JBFees} from "../../src/libraries/JBFees.sol";
+import {JBAccountingContext} from "../../src/structs/JBAccountingContext.sol";
+import {JBCurrencyAmount} from "../../src/structs/JBCurrencyAmount.sol";
+import {JBFundAccessLimitGroup} from "../../src/structs/JBFundAccessLimitGroup.sol";
+import {JBRulesetConfig} from "../../src/structs/JBRulesetConfig.sol";
+import {JBRulesetMetadata} from "../../src/structs/JBRulesetMetadata.sol";
+import {JBSplitGroup} from "../../src/structs/JBSplitGroup.sol";
+import {JBTerminalConfig} from "../../src/structs/JBTerminalConfig.sol";
+
+contract CodexMigrationFeeFailure is TestBaseWorkflow {
+    IJBController private _controller;
+    JBDirectory private _directory;
+    JBTerminalStore private _store;
+    JBMultiTerminal private _terminalA;
+    JBMultiTerminal private _terminalB;
+
+    address private _feeProjectOwner = address(420);
+    address private _projectOwner;
+    address private _payer;
+    uint256 private _projectId;
+
+    function setUp() public override {
+        super.setUp();
+
+        _controller = jbController();
+        _directory = jbDirectory();
+        _store = jbTerminalStore();
+        _terminalA = jbMultiTerminal();
+        _terminalB = jbMultiTerminal2();
+        _projectOwner = multisig();
+        _payer = beneficiary();
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: true,
+            allowSetTerminals: true,
+            allowSetController: false,
+            allowAddAccountingContext: false,
+            allowAddPriceFeed: false,
+            ownerMustSendPayouts: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: false,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
+        rulesetConfig[0].mustStartAtOrAfter = 0;
+        rulesetConfig[0].duration = 0;
+        rulesetConfig[0].weight = 1000 * 10 ** 18;
+        rulesetConfig[0].weightCutPercent = 0;
+        rulesetConfig[0].approvalHook = IJBRulesetApprovalHook(address(0));
+        rulesetConfig[0].metadata = metadata;
+        rulesetConfig[0].splitGroups = new JBSplitGroup[](0);
+        rulesetConfig[0].fundAccessLimitGroups = new JBFundAccessLimitGroup[](0);
+
+        JBAccountingContext[] memory contexts = new JBAccountingContext[](1);
+        contexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory feeTerminalConfigs = new JBTerminalConfig[](1);
+        feeTerminalConfigs[0] = JBTerminalConfig({terminal: _terminalA, accountingContextsToAccept: contexts});
+
+        JBTerminalConfig[] memory projectTerminalConfigs = new JBTerminalConfig[](2);
+        projectTerminalConfigs[0] = JBTerminalConfig({terminal: _terminalA, accountingContextsToAccept: contexts});
+        projectTerminalConfigs[1] = JBTerminalConfig({terminal: _terminalB, accountingContextsToAccept: contexts});
+
+        _controller.launchProjectFor({
+            owner: _feeProjectOwner,
+            projectUri: "fee-project",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: feeTerminalConfigs,
+            memo: ""
+        });
+
+        _projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "migrating-project",
+            rulesetConfigurations: rulesetConfig,
+            terminalConfigurations: projectTerminalConfigs,
+            memo: ""
+        });
+    }
+
+    function test_migrationFeeFailure_strandsForgivenFeeAndChargesItAgainOnCleanup() external {
+        uint256 payAmount = 10 ether;
+        uint256 expectedFee = JBFees.feeAmountFrom({amountBeforeFee: payAmount, feePercent: _terminalA.FEE()});
+
+        vm.deal(_payer, payAmount);
+        vm.prank(_payer);
+        _terminalA.pay{value: payAmount}(_projectId, JBConstants.NATIVE_TOKEN, payAmount, _payer, 0, "", "");
+
+        // Break fee routing by removing every terminal from fee project #1.
+        vm.prank(_feeProjectOwner);
+        _directory.setTerminalsOf(1, new IJBTerminal[](0));
+
+        vm.prank(_projectOwner);
+        _terminalA.migrateBalanceOf(_projectId, JBConstants.NATIVE_TOKEN, _terminalB);
+
+        // The failed fee is credited back on terminal A instead of migrating with the project.
+        assertEq(
+            _store.balanceOf(address(_terminalA), _projectId, JBConstants.NATIVE_TOKEN),
+            expectedFee,
+            "failed migration fee remains on the source terminal"
+        );
+        assertEq(
+            _store.balanceOf(address(_terminalB), _projectId, JBConstants.NATIVE_TOKEN),
+            payAmount - expectedFee,
+            "only the post-fee amount reaches the destination terminal"
+        );
+        assertEq(
+            _store.balanceOf(address(_terminalA), 1, JBConstants.NATIVE_TOKEN),
+            0,
+            "fee project did not receive the forgiven migration fee"
+        );
+
+        // Restore fee routing and sweep the residual balance.
+        IJBTerminal[] memory feeTerminals = new IJBTerminal[](1);
+        feeTerminals[0] = IJBTerminal(address(_terminalA));
+        vm.prank(_feeProjectOwner);
+        _directory.setTerminalsOf(1, feeTerminals);
+
+        vm.prank(_projectOwner);
+        _terminalA.migrateBalanceOf(_projectId, JBConstants.NATIVE_TOKEN, _terminalB);
+
+        uint256 secondFee = JBFees.feeAmountFrom({amountBeforeFee: expectedFee, feePercent: _terminalA.FEE()});
+        assertEq(
+            _store.balanceOf(address(_terminalA), _projectId, JBConstants.NATIVE_TOKEN),
+            0,
+            "cleanup migration clears the stranded source balance"
+        );
+        assertEq(
+            _store.balanceOf(address(_terminalB), _projectId, JBConstants.NATIVE_TOKEN),
+            payAmount - secondFee,
+            "the previously forgiven fee is charged again during cleanup"
+        );
+        assertEq(
+            _store.balanceOf(address(_terminalA), 1, JBConstants.NATIVE_TOKEN),
+            secondFee,
+            "fee project only receives the second migration fee"
+        );
+    }
+}