@bananapus/core-v6 0.0.42 → 0.0.44

package/CHANGELOG.md

@@ -19,7 +19,7 @@ This file describes the verified change from `nana-core-v5` to the current `nana
 - Token metadata is more editable than in v5. The controller now exposes a dedicated token-metadata update path.
 - Approval-hook handling is safer. The v6 codebase and tests are built around preventing a bad approval hook from freezing project behavior.
 - Fee accounting is tighter than in v5, especially around fee-free surplus behavior and cross-flow bookkeeping.
-- The repo carries much broader test coverage than the v5 tree, including dedicated audit, invariant, fork, and formal-style suites.
+- The repo carries much broader test coverage than the v5 tree, including dedicated review, invariant, fork, and formal-style suites.
 - The implementation baseline moved from the v5 `0.8.23` world to `0.8.28`.
 
 ## Verified deltas

package/README.md

@@ -89,7 +89,7 @@ When a flow is unclear, read the contract that owns the state before the contrac
 2. `test/TestTerminalPreviewParity.sol`
 3. `test/invariants/TerminalStoreInvariant.t.sol`
 4. `test/invariants/RulesetsInvariant.t.sol`
-5. `test/audit/CrossTerminalSurplusSpoof.t.sol`
+5. `test/regression/CrossTerminalSurplusSpoof.t.sol`
 
 ## Install
 
@@ -123,7 +123,7 @@ This repo contains the main core deployments and periphery deployment helpers. M
 src/
   core contracts, periphery helpers, interfaces, libraries, enums, structs, and abstract bases
 test/
-  unit, integration, fork, invariant, audit, formal, and regression coverage
+  unit, integration, fork, invariant, review, formal, and regression coverage
 script/
   Deploy.s.sol
   DeployPeriphery.s.sol
@@ -135,7 +135,7 @@ script/
 - Hooks can materially change payment and cash-out behavior.
 - Permissions are flexible, which makes broad or wildcard grants risky.
 - Multi-terminal and multi-token accounting is powerful, but it is easy to misuse if an integration assumes a single-terminal model.
-- Fee, surplus, and reclaim logic stay high-priority audit areas.
+- Fee, surplus, and reclaim logic stay high-priority review areas.
 
 The easiest way to misread V6 is to treat core like a simple crowdfunding terminal. It is closer to a configurable accounting and settlement layer.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.42",
+  "version": "0.0.44",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -38,7 +38,7 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-core-v6'"
   },
   "dependencies": {
-    "@bananapus/permission-ids-v6": "0.0.22",
+    "@bananapus/permission-ids-v6": "^0.0.22",
     "@chainlink/contracts": "1.5.0",
     "@openzeppelin/contracts": "5.6.1",
     "@prb/math": "4.1.1",

package/references/entrypoints.md

@@ -155,6 +155,8 @@ The core Juicebox V6 protocol on EVM: a modular system for launching treasury-ba
 
 | Function | What it does |
 |----------|--------------|
-| `setFeelessAddress(address addr, bool flag)` | Adds or removes an address from the fee exemption list. Owner-only. (`JBFeelessAddresses`) |
+| `setFeelessAddress(address addr, bool flag)` | Adds or removes an address from the global (all-project) fee exemption list. Owner-only. (`JBFeelessAddresses`) |
+| `setFeelessAddressFor(uint256 projectId, address addr, bool flag)` | Adds or removes an address from a project's fee exemption list. `projectId = 0` = global wildcard. Owner-only. (`JBFeelessAddresses`) |
+| `isFeelessFor(address addr, uint256 projectId)` | Returns whether an address is feeless for a project (checks both wildcard and project-specific). (`JBFeelessAddresses`) |
 | `setControllerAllowed(uint256 projectId)` | Returns whether a project's controller can currently be set. (`IJBDirectoryAccessControl`) |
 | `setTerminalsAllowed(uint256 projectId)` | Returns whether a project's terminals can currently be set. (`IJBDirectoryAccessControl`) |

package/references/types-errors-events.md

@@ -8,7 +8,7 @@ Use this file when you need deeper protocol reference material after the repo-lo
 |-------------|------------|---------|
 | `JBRuleset` | `cycleNumber (uint48)`, `id (uint48)`, `basedOnId (uint48)`, `start (uint48)`, `duration (uint32)`, `weight (uint112)`, `weightCutPercent (uint32)`, `approvalHook`, `metadata (uint256)` | `currentOf()`, `recordPaymentFrom()`, `recordCashOutFor()` return values |
 | `JBRulesetConfig` | `mustStartAtOrAfter (uint48)`, `duration (uint32)`, `weight (uint112)`, `weightCutPercent (uint32)`, `approvalHook`, `metadata (JBRulesetMetadata)`, `splitGroups[]`, `fundAccessLimitGroups[]` | `launchProjectFor()`, `queueRulesetsOf()` input |
-| `JBRulesetMetadata` | `reservedPercent (uint16)`, `cashOutTaxRate (uint16)`, `baseCurrency (uint32)`, `pausePay`, `pauseCreditTransfers`, `allowOwnerMinting`, `allowSetCustomToken`, `allowTerminalMigration`, `allowSetTerminals`, `allowSetController`, `allowAddAccountingContext`, `allowAddPriceFeed`, `ownerMustSendPayouts`, `holdFees`, `useTotalSurplusForCashOuts`, `useDataHookForPay`, `useDataHookForCashOut`, `dataHook (address)`, `metadata (uint16)` | Packed into `JBRuleset.metadata` |
+| `JBRulesetMetadata` | `reservedPercent (uint16)`, `cashOutTaxRate (uint16)`, `baseCurrency (uint32)`, `pausePay`, `pauseCreditTransfers`, `allowOwnerMinting`, `allowSetCustomToken`, `allowTerminalMigration`, `allowSetTerminals`, `allowSetController`, `allowAddAccountingContext`, `allowAddPriceFeed`, `ownerMustSendPayouts`, `holdFees`, `scopeCashOutsToLocalBalances`, `useDataHookForPay`, `useDataHookForCashOut`, `dataHook (address)`, `metadata (uint16)` | Packed into `JBRuleset.metadata` |
 | `JBSplit` | `percent (uint32)`, `projectId (uint64)`, `beneficiary (address payable)`, `preferAddToBalance`, `lockedUntil (uint48)`, `hook (IJBSplitHook)` | `splitsOf()`, `setSplitGroupsOf()` |
 | `JBSplitGroup` | `groupId (uint256)`, `splits (JBSplit[])` | `JBRulesetConfig.splitGroups`, `setSplitGroupsOf()` |
 | `JBAccountingContext` | `token (address)`, `decimals (uint8)`, `currency (uint32)` | Terminal token accounting, surplus/reclaim calculations |
@@ -28,7 +28,7 @@ Use this file when you need deeper protocol reference material after the repo-lo
 | Struct | Key Fields | Used In |
 |--------|------------|---------|
 | `JBBeforePayRecordedContext` | `terminal`, `payer`, `amount (JBTokenAmount)`, `projectId`, `rulesetId`, `beneficiary`, `weight`, `reservedPercent`, `metadata` | `IJBRulesetDataHook.beforePayRecordedWith()` input |
-| `JBBeforeCashOutRecordedContext` | `terminal`, `holder`, `projectId`, `rulesetId`, `cashOutCount`, `totalSupply`, `surplus (JBTokenAmount)`, `useTotalSurplus`, `cashOutTaxRate`, `beneficiaryIsFeeless`, `metadata` | `IJBRulesetDataHook.beforeCashOutRecordedWith()` input |
+| `JBBeforeCashOutRecordedContext` | `terminal`, `holder`, `projectId`, `rulesetId`, `cashOutCount`, `totalSupply`, `surplus (JBTokenAmount)`, `scopeCashOutsToLocalBalances`, `cashOutTaxRate`, `beneficiaryIsFeeless`, `metadata` | `IJBRulesetDataHook.beforeCashOutRecordedWith()` input |
 | `JBAfterPayRecordedContext` | `payer`, `projectId`, `rulesetId`, `amount (JBTokenAmount)`, `forwardedAmount (JBTokenAmount)`, `weight`, `newlyIssuedTokenCount`, `beneficiary`, `hookMetadata`, `payerMetadata` | `IJBPayHook.afterPayRecordedWith()` input |
 | `JBAfterCashOutRecordedContext` | `holder`, `projectId`, `rulesetId`, `cashOutCount`, `reclaimedAmount (JBTokenAmount)`, `forwardedAmount (JBTokenAmount)`, `cashOutTaxRate`, `beneficiary`, `hookMetadata`, `cashOutMetadata` | `IJBCashOutHook.afterCashOutRecordedWith()` input |
 | `JBPayHookSpecification` | `hook (IJBPayHook)`, `noop (bool)`, `amount`, `metadata` | Returned by data hook; specifies which pay hooks to call and how much to forward. `noop = true` means informational-only (callback skipped, amount must be 0). |
@@ -182,7 +182,6 @@ Errors an agent is most likely to encounter. All are custom errors (revert with
 | `JBSplits_TotalPercentExceeds100` | `JBSplits` | Split percentages sum exceeds `SPLITS_TOTAL_PERCENT`. |
 | `JBPrices_PriceFeedAlreadyExists` | `JBPrices` | Feed already set for that currency pair (immutable). |
 | `JBPrices_PriceFeedNotFound` | `JBPrices` | No feed found for the requested currency pair. |
-| `JBPermissions_CantSetRootPermissionForWildcardProject` | `JBPermissions` | Tried to grant ROOT with `projectId = 0` (wildcard). |
 | `JBRulesets_InvalidWeight` | `JBRulesets` | Weight exceeds `uint112.max`. |
 | `JBRulesets_InvalidWeightCutPercent` | `JBRulesets` | `weightCutPercent` exceeds `MAX_WEIGHT_CUT_PERCENT`. |
 | `JBFundAccessLimits_InvalidPayoutLimitCurrencyOrdering` | `JBFundAccessLimits` | Payout limit currencies not in strictly increasing order. |

package/src/JBChainlinkV3PriceFeed.sol

@@ -17,7 +17,7 @@ contract JBChainlinkV3PriceFeed is IJBPriceFeed {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
-    error JBChainlinkV3PriceFeed_IncompleteRound();
+    error JBChainlinkV3PriceFeed_IncompleteRound(uint80 roundId, uint80 answeredInRound, uint256 updatedAt);
     error JBChainlinkV3PriceFeed_NegativePrice(int256 price);
     error JBChainlinkV3PriceFeed_StalePrice(uint256 timestamp, uint256 threshold, uint256 updatedAt);
 
@@ -51,20 +51,28 @@ contract JBChainlinkV3PriceFeed is IJBPriceFeed {
     /// @return The current unit price from the feed, as a fixed point number with the specified number of decimals.
     function currentUnitPrice(uint256 decimals) public view virtual override returns (uint256) {
         // Get the latest round information from the feed.
-        // slither-disable-next-line unused-return
         (uint80 roundId, int256 price,, uint256 updatedAt, uint80 answeredInRound) = FEED.latestRoundData();
 
         // Make sure the round is finished (check before stale price to avoid false stale on incomplete rounds).
-        // slither-disable-next-line incorrect-equality
-        if (updatedAt == 0) revert JBChainlinkV3PriceFeed_IncompleteRound();
+        if (updatedAt == 0) {
+            revert JBChainlinkV3PriceFeed_IncompleteRound({
+                roundId: roundId, answeredInRound: answeredInRound, updatedAt: updatedAt
+            });
+        }
 
         // Make sure the answer was provided in the current round.
-        if (answeredInRound < roundId) revert JBChainlinkV3PriceFeed_IncompleteRound();
+        if (answeredInRound < roundId) {
+            revert JBChainlinkV3PriceFeed_IncompleteRound({
+                roundId: roundId, answeredInRound: answeredInRound, updatedAt: updatedAt
+            });
+        }
 
         // Make sure the price's update threshold is met.
         // forge-lint: disable-next-line(block-timestamp)
         if (block.timestamp > THRESHOLD + updatedAt) {
-            revert JBChainlinkV3PriceFeed_StalePrice(block.timestamp, THRESHOLD, updatedAt);
+            revert JBChainlinkV3PriceFeed_StalePrice({
+                timestamp: block.timestamp, threshold: THRESHOLD, updatedAt: updatedAt
+            });
         }
 
         // Make sure the price is positive.

package/src/JBChainlinkV3SequencerPriceFeed.sol

@@ -14,7 +14,7 @@ contract JBChainlinkV3SequencerPriceFeed is JBChainlinkV3PriceFeed {
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
-    error JBChainlinkV3SequencerPriceFeed_InvalidRound();
+    error JBChainlinkV3SequencerPriceFeed_InvalidRound(uint256 startedAt);
     error JBChainlinkV3SequencerPriceFeed_SequencerDownOrRestarting(
         uint256 timestamp, uint256 gracePeriodTime, uint256 startedAt
     );
@@ -58,18 +58,17 @@ contract JBChainlinkV3SequencerPriceFeed is JBChainlinkV3PriceFeed {
     /// @return The current unit price from the feed, as a fixed point number with the specified number of decimals.
     function currentUnitPrice(uint256 decimals) public view override returns (uint256) {
         // Fetch sequencer status.
-        // slither-disable-next-line unused-return
         (, int256 answer, uint256 startedAt,,) = SEQUENCER_FEED.latestRoundData();
 
         // Check if round is valid to prevent an edge-case where Arbitrum uptime contract is not init.
-        if (startedAt == 0) revert JBChainlinkV3SequencerPriceFeed_InvalidRound();
+        if (startedAt == 0) revert JBChainlinkV3SequencerPriceFeed_InvalidRound({startedAt: startedAt});
 
         // Revert if sequencer has too recently restarted or is currently down.
         // forge-lint: disable-next-line(block-timestamp)
         if (block.timestamp <= GRACE_PERIOD_TIME + startedAt || answer != 0) {
-            revert JBChainlinkV3SequencerPriceFeed_SequencerDownOrRestarting(
-                block.timestamp, GRACE_PERIOD_TIME, startedAt
-            );
+            revert JBChainlinkV3SequencerPriceFeed_SequencerDownOrRestarting({
+                timestamp: block.timestamp, gracePeriodTime: GRACE_PERIOD_TIME, startedAt: startedAt
+            });
         }
 
         return super.currentUnitPrice(decimals);

package/src/JBController.sol

@@ -60,19 +60,19 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     //*********************************************************************//
 
     error JBController_AddingPriceFeedNotAllowed(uint256 projectId);
-    error JBController_CreditTransfersPaused();
+    error JBController_CreditTransfersPaused(uint256 projectId, uint256 rulesetId);
     error JBController_InvalidCashOutTaxRate(uint256 rate, uint256 limit);
     error JBController_InvalidReservedPercent(uint256 percent, uint256 limit);
     error JBController_MintNotAllowedAndNotTerminalOrHook(address caller);
-    error JBController_NoReservedTokens();
+    error JBController_NoReservedTokens(uint256 projectId);
     error JBController_OnlyDirectory(address sender, IJBDirectory directory);
     error JBController_PendingReservedTokens(uint256 pendingReservedTokenBalance);
     error JBController_RulesetsAlreadyLaunched(uint256 projectId);
-    error JBController_RulesetsArrayEmpty();
+    error JBController_RulesetsArrayEmpty(uint256 projectId, uint256 rulesetConfigurationCount);
     error JBController_RulesetSetTokenNotAllowed(uint256 projectId);
-    error JBController_TerminalTokensNotTransferred();
-    error JBController_ZeroTokensToBurn();
-    error JBController_ZeroTokensToMint();
+    error JBController_TerminalTokensNotTransferred(address terminal, address token, uint256 allowance);
+    error JBController_ZeroTokensToBurn(uint256 projectId, address holder);
+    error JBController_ZeroTokensToMint(uint256 projectId, address beneficiary);
 
     //*********************************************************************//
     // --------------- public immutable stored properties ---------------- //
@@ -163,7 +163,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         RULESETS = rulesets;
         SPLITS = splits;
         TOKENS = tokens;
-        // slither-disable-next-line missing-zero-check
         OMNICHAIN_RULESET_OPERATOR = omnichainRulesetOperator;
     }
 
@@ -189,7 +188,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.ADD_PRICE_FEED
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.ADD_PRICE_FEED
         });
 
         JBRuleset memory ruleset = _currentRulesetOf(projectId);
@@ -235,7 +234,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             from.supportsInterface(type(IJBController).interfaceId)
                 && IJBController(address(from)).pendingReservedTokenBalanceOf(projectId) > 0
         ) {
-            // slither-disable-next-line unused-return
             IJBController(address(from)).sendReservedTokensToSplitsOf(projectId);
         }
     }
@@ -261,11 +259,11 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             account: holder,
             projectId: projectId,
             permissionId: JBPermissionIds.BURN_TOKENS,
-            alsoGrantAccessIf: _isTerminalOf(projectId, _msgSender())
+            alsoGrantAccessIf: _isTerminalOf({projectId: projectId, terminal: _msgSender()})
         });
 
         // There must be tokens to burn.
-        if (tokenCount == 0) revert JBController_ZeroTokensToBurn();
+        if (tokenCount == 0) revert JBController_ZeroTokensToBurn({projectId: projectId, holder: holder});
 
         emit BurnTokens({
             holder: holder, projectId: projectId, tokenCount: tokenCount, memo: memo, caller: _msgSender()
@@ -319,7 +317,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.DEPLOY_ERC20
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.DEPLOY_ERC20
         });
 
         // If a salt is provided, use it.
@@ -359,7 +357,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         // Approve the tokens being paid.
         IERC20(address(token)).forceApprove({spender: address(terminal), value: splitTokenCount});
 
-        // slither-disable-next-line unused-return
         terminal.pay({
             projectId: projectId,
             token: address(token),
@@ -371,8 +368,11 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         });
 
         // Make sure that the terminal received the tokens.
-        if (IERC20(address(token)).allowance({owner: address(this), spender: address(terminal)}) != 0) {
-            revert JBController_TerminalTokensNotTransferred();
+        uint256 allowance = IERC20(address(token)).allowance({owner: address(this), spender: address(terminal)});
+        if (allowance != 0) {
+            revert JBController_TerminalTokensNotTransferred({
+                terminal: address(terminal), token: address(token), allowance: allowance
+            });
         }
     }
 
@@ -400,7 +400,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         returns (uint256 projectId)
     {
         // Mint the project ERC-721 into the owner's wallet.
-        // slither-disable-next-line reentrancy-benign
         projectId = PROJECTS.createFor(owner);
 
         // If provided, set the project's metadata URI.
@@ -415,7 +414,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         _configureTerminals({projectId: projectId, terminalConfigurations: terminalConfigurations});
 
         // Queue the rulesets.
-        // slither-disable-next-line reentrancy-events
         uint256 rulesetId = _queueRulesets({projectId: projectId, rulesetConfigurations: rulesetConfigurations});
 
         emit LaunchProject({
@@ -445,39 +443,41 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         returns (uint256 rulesetId)
     {
         // Make sure there are rulesets being queued.
-        if (rulesetConfigurations.length == 0) revert JBController_RulesetsArrayEmpty();
+        if (rulesetConfigurations.length == 0) {
+            revert JBController_RulesetsArrayEmpty({
+                projectId: projectId, rulesetConfigurationCount: rulesetConfigurations.length
+            });
+        }
 
         // Keep a reference to the sender.
         address sender = _msgSender();
 
         // Enforce permissions.
+        bool isOmnichainOperator = sender == OMNICHAIN_RULESET_OPERATOR;
         _requirePermissionAllowingOverrideFrom({
-            account: PROJECTS.ownerOf(projectId),
+            account: _ownerOf(projectId),
             projectId: projectId,
             permissionId: JBPermissionIds.LAUNCH_RULESETS,
-            alsoGrantAccessIf: sender == OMNICHAIN_RULESET_OPERATOR
+            alsoGrantAccessIf: isOmnichainOperator
         });
-
-        // Enforce permissions.
         _requirePermissionAllowingOverrideFrom({
-            account: PROJECTS.ownerOf(projectId),
+            account: _ownerOf(projectId),
             projectId: projectId,
             permissionId: JBPermissionIds.SET_TERMINALS,
-            alsoGrantAccessIf: sender == OMNICHAIN_RULESET_OPERATOR
+            alsoGrantAccessIf: isOmnichainOperator
         });
-
         if (bytes(projectUri).length > 0) {
             _requirePermissionAllowingOverrideFrom({
-                account: PROJECTS.ownerOf(projectId),
+                account: _ownerOf(projectId),
                 projectId: projectId,
                 permissionId: JBPermissionIds.SET_PROJECT_URI,
-                alsoGrantAccessIf: sender == OMNICHAIN_RULESET_OPERATOR
+                alsoGrantAccessIf: isOmnichainOperator
             });
         }
 
         // If the project has already had rulesets, use `queueRulesetsOf(...)` instead.
         if (RULESETS.latestRulesetIdOf(projectId) > 0) {
-            revert JBController_RulesetsAlreadyLaunched(projectId);
+            revert JBController_RulesetsAlreadyLaunched({projectId: projectId});
         }
 
         // If provided, set the project's metadata URI.
@@ -492,7 +492,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         _configureTerminals({projectId: projectId, terminalConfigurations: terminalConfigurations});
 
         // Queue the first ruleset.
-        // slither-disable-next-line reentrancy-events
         rulesetId = _queueRulesets({projectId: projectId, rulesetConfigurations: rulesetConfigurations});
 
         emit LaunchRulesets({
@@ -539,7 +538,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         returns (uint256 beneficiaryTokenCount)
     {
         // There should be tokens to mint.
-        if (tokenCount == 0) revert JBController_ZeroTokensToMint();
+        if (tokenCount == 0) revert JBController_ZeroTokensToMint({projectId: projectId, beneficiary: beneficiary});
 
         // Keep a reference to the reserved percent.
         uint256 reservedPercent;
@@ -549,16 +548,16 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
 
         // Cache common values used in both permission checks.
         address sender = _msgSender();
-        bool senderIsTerminal = _isTerminalOf(projectId, sender);
+        bool senderIsTerminal = _isTerminalOf({projectId: projectId, terminal: sender});
         bool senderIsTerminalOrDataHook = senderIsTerminal || sender == ruleset.dataHook();
         // Only query the data hook if the sender isn't already a terminal or the data hook itself.
-        bool senderHasDataHookMintPermission =
-            !senderIsTerminalOrDataHook && _hasDataHookMintPermissionFor(projectId, ruleset, sender);
+        bool senderHasDataHookMintPermission = !senderIsTerminalOrDataHook
+            && _hasDataHookMintPermissionFor({projectId: projectId, ruleset: ruleset, addr: sender});
 
         // Minting is restricted to: the project's owner, addresses with permission to `MINT_TOKENS`, the project's
         // terminals, and the project's data hook.
         _requirePermissionAllowingOverrideFrom({
-            account: PROJECTS.ownerOf(projectId),
+            account: _ownerOf(projectId),
             projectId: projectId,
             permissionId: JBPermissionIds.MINT_TOKENS,
             alsoGrantAccessIf: senderIsTerminalOrDataHook || senderHasDataHookMintPermission
@@ -570,7 +569,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             ruleset.id != 0 && !ruleset.allowOwnerMinting() && !senderIsTerminalOrDataHook
                 && !senderHasDataHookMintPermission
         ) {
-            revert JBController_MintNotAllowedAndNotTerminalOrHook(sender);
+            revert JBController_MintNotAllowedAndNotTerminalOrHook({caller: sender});
         }
 
         // Determine the reserved percent to use.
@@ -581,7 +580,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
 
         if (beneficiaryTokenCount != 0) {
             // Mint the tokens.
-            // slither-disable-next-line reentrancy-benign,reentrancy-events,unused-return
             TOKENS.mintFor({holder: beneficiary, projectId: projectId, count: beneficiaryTokenCount});
         }
 
@@ -618,18 +616,21 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         returns (uint256 rulesetId)
     {
         // Make sure there are rulesets being queued.
-        if (rulesetConfigurations.length == 0) revert JBController_RulesetsArrayEmpty();
+        if (rulesetConfigurations.length == 0) {
+            revert JBController_RulesetsArrayEmpty({
+                projectId: projectId, rulesetConfigurationCount: rulesetConfigurations.length
+            });
+        }
 
         // Enforce permissions.
         _requirePermissionAllowingOverrideFrom({
-            account: PROJECTS.ownerOf(projectId),
+            account: _ownerOf(projectId),
             projectId: projectId,
             permissionId: JBPermissionIds.QUEUE_RULESETS,
             alsoGrantAccessIf: _msgSender() == OMNICHAIN_RULESET_OPERATOR
         });
 
         // Queue the rulesets.
-        // slither-disable-next-line reentrancy-events
         rulesetId = _queueRulesets({projectId: projectId, rulesetConfigurations: rulesetConfigurations});
 
         emit QueueRulesets({rulesetId: rulesetId, projectId: projectId, memo: memo, caller: _msgSender()});
@@ -662,7 +663,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_SPLIT_GROUPS
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_SPLIT_GROUPS
         });
 
         // Set the split groups.
@@ -676,7 +677,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     function setTokenFor(uint256 projectId, IJBToken token) external override {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_TOKEN
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_TOKEN
         });
 
         // Get a reference to the current ruleset.
@@ -700,7 +701,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     function setTokenMetadataOf(uint256 projectId, string calldata name, string calldata symbol) external override {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_TOKEN_METADATA
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_TOKEN_METADATA
         });
 
         TOKENS.setTokenMetadataFor({projectId: projectId, name: name, symbol: symbol});
@@ -715,7 +716,7 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
     function setUriOf(uint256 projectId, string calldata uri) external override {
         // Enforce permissions.
         _requirePermissionFrom({
-            account: PROJECTS.ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_PROJECT_URI
+            account: _ownerOf(projectId), projectId: projectId, permissionId: JBPermissionIds.SET_PROJECT_URI
         });
 
         // Set the project's metadata URI.
@@ -748,7 +749,9 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         JBRuleset memory ruleset = _currentRulesetOf(projectId);
 
         // Credit transfers must not be paused.
-        if (ruleset.pauseCreditTransfers()) revert JBController_CreditTransfersPaused();
+        if (ruleset.pauseCreditTransfers()) {
+            revert JBController_CreditTransfersPaused({projectId: projectId, rulesetId: ruleset.id});
+        }
 
         TOKENS.transferCreditsFrom({holder: holder, projectId: projectId, recipient: recipient, count: creditCount});
     }
@@ -939,7 +942,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             JBTerminalConfig memory terminalConfig = terminalConfigurations[i];
 
             // Add the accounting contexts for the specified tokens.
-            // slither-disable-next-line calls-loop
             terminalConfig.terminal
                 .addAccountingContextsFor({
                     projectId: projectId, accountingContexts: terminalConfig.accountingContextsToAccept
@@ -975,20 +977,19 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
 
             // Make sure its reserved percent is valid.
             if (rulesetConfig.metadata.reservedPercent > JBConstants.MAX_RESERVED_PERCENT) {
-                revert JBController_InvalidReservedPercent(
-                    rulesetConfig.metadata.reservedPercent, JBConstants.MAX_RESERVED_PERCENT
-                );
+                revert JBController_InvalidReservedPercent({
+                    percent: rulesetConfig.metadata.reservedPercent, limit: JBConstants.MAX_RESERVED_PERCENT
+                });
             }
 
             // Make sure its cash out tax rate is valid.
             if (rulesetConfig.metadata.cashOutTaxRate > JBConstants.MAX_CASH_OUT_TAX_RATE) {
-                revert JBController_InvalidCashOutTaxRate(
-                    rulesetConfig.metadata.cashOutTaxRate, JBConstants.MAX_CASH_OUT_TAX_RATE
-                );
+                revert JBController_InvalidCashOutTaxRate({
+                    rate: rulesetConfig.metadata.cashOutTaxRate, limit: JBConstants.MAX_CASH_OUT_TAX_RATE
+                });
             }
 
             // Queue its ruleset.
-            // slither-disable-next-line calls-loop
             JBRuleset memory ruleset = RULESETS.queueFor({
                 projectId: projectId,
                 duration: rulesetConfig.duration,
@@ -1000,13 +1001,11 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
             });
 
             // Set its split groups.
-            // slither-disable-next-line calls-loop
             SPLITS.setSplitGroupsOf({
                 projectId: projectId, rulesetId: ruleset.id, splitGroups: rulesetConfig.splitGroups
             });
 
             // Set its fund access limits.
-            // slither-disable-next-line calls-loop
             FUND_ACCESS_LIMITS.setFundAccessLimitsFor({
                 projectId: projectId, rulesetId: ruleset.id, fundAccessLimitGroups: rulesetConfig.fundAccessLimitGroups
             });
@@ -1069,13 +1068,19 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
 
                 // If the split has a hook, call its `processSplitWith` function.
                 if (split.hook != IJBSplitHook(address(0))) {
-                    // Send the tokens to the split hook.
-                    // slither-disable-next-line reentrancy-events
-                    _sendTokens({
-                        projectId: projectId, tokenCount: splitTokenCount, recipient: address(split.hook), token: token
-                    });
+                    if (token != IJBToken(address(0))) {
+                        // ERC-20: grant the hook an allowance and let it pull tokens via transferFrom.
+                        IERC20(address(token)).forceApprove({spender: address(split.hook), value: splitTokenCount});
+                    } else {
+                        // Credits: send directly — there is no allowance mechanism for credits.
+                        TOKENS.transferCreditsFrom({
+                            holder: address(this),
+                            projectId: projectId,
+                            recipient: address(split.hook),
+                            count: splitTokenCount
+                        });
+                    }
 
-                    // slither-disable-next-line calls-loop,reentrancy-events
                     try split.hook
                         .processSplitWith(
                             JBSplitHookContext({
@@ -1088,9 +1093,18 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
                             })
                         ) {}
                     catch (bytes memory reason) {
-                        // If the hook reverts, the tokens already transferred to it stay with the hook.
                         emit SplitHookReverted({projectId: projectId, hook: address(split.hook), reason: reason});
                     }
+
+                    // For ERC-20 tokens, burn any tokens the hook did not consume.
+                    if (token != IJBToken(address(0))) {
+                        uint256 remaining =
+                            IERC20(address(token)).allowance({owner: address(this), spender: address(split.hook)});
+                        if (remaining > 0) {
+                            IERC20(address(token)).forceApprove({spender: address(split.hook), value: 0});
+                            TOKENS.burnFrom({holder: address(this), projectId: projectId, count: remaining});
+                        }
+                    }
                     // If the split has a project ID, try to pay the project. If that fails, pay the beneficiary.
                 } else {
                     // Pay the project using the split's beneficiary if one was provided. Otherwise, use the message
@@ -1099,7 +1113,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
 
                     if (split.projectId != 0) {
                         // Get a reference to the receiving project's primary payment terminal for the token.
-                        // slither-disable-next-line calls-loop
                         IJBTerminal terminal = token == IJBToken(address(0))
                             ? IJBTerminal(address(0))
                             : DIRECTORY.primaryTerminalOf({projectId: split.projectId, token: address(token)});
@@ -1108,17 +1121,14 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
                         // which accepts the token, send the tokens to the beneficiary.
                         if (address(token) == address(0) || address(terminal) == address(0)) {
                             // Mint the tokens to the beneficiary.
-                            // slither-disable-next-line reentrancy-events
                             _sendTokens({
                                 projectId: projectId, tokenCount: splitTokenCount, recipient: beneficiary, token: token
                             });
                         } else {
                             // Use the `projectId` in the pay metadata.
-                            // slither-disable-next-line reentrancy-events
                             bytes memory metadata = bytes(abi.encodePacked(projectId));
 
                             // Try to fulfill the payment.
-                            // slither-disable-next-line calls-loop
                             try this.executePayReservedTokenToTerminal({
                                 projectId: split.projectId,
                                 terminal: terminal,
@@ -1142,7 +1152,6 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
                         }
                     } else if (beneficiary == address(0xdead)) {
                         // If the split has no project ID, and the beneficiary is 0xdead, burn.
-                        // slither-disable-next-line calls-loop
                         TOKENS.burnFrom({holder: address(this), projectId: projectId, count: splitTokenCount});
                     } else {
                         // If the split has no project Id, send to beneficiary.
@@ -1180,13 +1189,13 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         tokenCount = pendingReservedTokenBalanceOf[projectId];
 
         // Revert if there are no pending reserved tokens
-        if (tokenCount == 0) revert JBController_NoReservedTokens();
+        if (tokenCount == 0) revert JBController_NoReservedTokens({projectId: projectId});
 
         // Get the ruleset to read the reserved percent from.
         JBRuleset memory ruleset = _currentRulesetOf(projectId);
 
         // Get a reference to the project's owner.
-        address owner = PROJECTS.ownerOf(projectId);
+        address owner = _ownerOf(projectId);
 
         // Reset the pending reserved token balance.
         pendingReservedTokenBalanceOf[projectId] = 0;
@@ -1313,6 +1322,13 @@ contract JBController is JBPermissioned, ERC2771Context, IJBController, IJBMigra
         return ERC2771Context._msgSender();
     }
 
+    /// @notice The owner of a project.
+    /// @param projectId The ID of the project to get the owner of.
+    /// @return The owner of the project.
+    function _ownerOf(uint256 projectId) internal view returns (address) {
+        return PROJECTS.ownerOf(projectId);
+    }
+
     /// @notice The project's upcoming ruleset.
     /// @param projectId The ID of the project to check.
     /// @return The project's upcoming ruleset.