@bananapus/core-v6 0.0.6 → 0.0.8

package/README.md

@@ -1,4 +1,4 @@
-# nana-core-v6
+# Juicebox Core
 
 The core protocol contracts for Juicebox V6 on EVM. A flexible toolkit for launching and managing a treasury-backed token on Ethereum and L2s.
 

package/SKILLS.md

@@ -1,4 +1,4 @@
-# nana-core-v6
+# Juicebox Core
 
 ## Purpose
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBRulesets.sol

@@ -840,50 +840,53 @@ contract JBRulesets is JBControlled, IJBRulesets {
         return _getStructFor({projectId: projectId, rulesetId: rulesetId});
     }
 
-    /// @notice Cache the value of the ruleset weight.
+    /// @notice Cache the value of the ruleset weight for a specific ruleset.
+    /// @dev The caller should pass the ruleset ID that `currentOf()` actually uses. When a queued ruleset is rejected
+    /// by an approval hook, `currentOf()` falls back to the base ruleset — callers should pass that base ruleset's
+    /// ID,
+    /// not the rejected latest.
     /// @param projectId The ID of the project having its ruleset weight cached.
-    function updateRulesetWeightCache(uint256 projectId) external override {
-        // Keep a reference to the struct for the latest queued ruleset.
-        // The cached value will be based on this struct.
-        JBRuleset memory latestQueuedRuleset =
-            _getStructFor({projectId: projectId, rulesetId: latestRulesetIdOf[projectId]});
+    /// @param rulesetId The ID of the ruleset to update the cache for.
+    function updateRulesetWeightCache(uint256 projectId, uint256 rulesetId) external override {
+        // Get the target ruleset.
+        JBRuleset memory targetRuleset = _getStructFor({projectId: projectId, rulesetId: rulesetId});
 
-        // Nothing to cache if the latest ruleset doesn't have a duration or a weight cut percent.
+        // Nothing to cache if the target ruleset doesn't have a duration or a weight cut percent.
         // slither-disable-next-line incorrect-equality
-        if (latestQueuedRuleset.duration == 0 || latestQueuedRuleset.weightCutPercent == 0) return;
+        if (targetRuleset.duration == 0 || targetRuleset.weightCutPercent == 0) return;
 
         // Get a reference to the current cache.
-        JBRulesetWeightCache storage cache = _weightCacheOf[projectId][latestQueuedRuleset.id];
+        JBRulesetWeightCache storage cache = _weightCacheOf[projectId][targetRuleset.id];
 
         // Determine the largest start timestamp the cache can be filled to.
         // Cap the advance to the cache lookup threshold per call to stay within the iteration limit in
         // deriveWeightFrom.
         // Multiple calls are needed to advance the cache for large cycle gaps.
-        uint256 maxStart = latestQueuedRuleset.start
-            + (cache.weightCutMultiple + _WEIGHT_CUT_MULTIPLE_CACHE_LOOKUP_THRESHOLD) * latestQueuedRuleset.duration;
+        uint256 maxStart = targetRuleset.start + (cache.weightCutMultiple + _WEIGHT_CUT_MULTIPLE_CACHE_LOOKUP_THRESHOLD)
+            * targetRuleset.duration;
 
         // Determine the start timestamp to derive a weight from for the cache.
         uint256 start = block.timestamp < maxStart ? block.timestamp : maxStart;
 
         // The difference between the start of the latest queued ruleset and the start of the ruleset we're caching the
         // weight of.
-        uint256 startDistance = start - latestQueuedRuleset.start;
+        uint256 startDistance = start - targetRuleset.start;
 
         // Calculate the weight cut multiple.
         uint168 weightCutMultiple;
         unchecked {
-            weightCutMultiple = uint168(startDistance / latestQueuedRuleset.duration);
+            weightCutMultiple = uint168(startDistance / targetRuleset.duration);
         }
 
         // Store the new values.
         cache.weight = uint112(
             deriveWeightFrom({
                 projectId: projectId,
-                baseRulesetStart: latestQueuedRuleset.start,
-                baseRulesetDuration: latestQueuedRuleset.duration,
-                baseRulesetWeight: latestQueuedRuleset.weight,
-                baseRulesetWeightCutPercent: latestQueuedRuleset.weightCutPercent,
-                baseRulesetCacheId: latestQueuedRuleset.id,
+                baseRulesetStart: targetRuleset.start,
+                baseRulesetDuration: targetRuleset.duration,
+                baseRulesetWeight: targetRuleset.weight,
+                baseRulesetWeightCutPercent: targetRuleset.weightCutPercent,
+                baseRulesetCacheId: targetRuleset.id,
                 start: start
             })
         );

package/src/interfaces/IJBRulesets.sol

@@ -145,7 +145,9 @@ interface IJBRulesets {
         external
         returns (JBRuleset memory ruleset);
 
-    /// @notice Updates the weight cache for a project to allow efficient weight derivation over many cycles.
+    /// @notice Updates the weight cache for a specific ruleset to allow efficient weight derivation over many cycles.
     /// @param projectId The ID of the project to update the weight cache for.
-    function updateRulesetWeightCache(uint256 projectId) external;
+    /// @param rulesetId The ID of the ruleset to update the cache for. This should be the ruleset that currentOf()
+    /// actually uses, which may differ from latestRulesetIdOf if the latest was rejected by an approval hook.
+    function updateRulesetWeightCache(uint256 projectId, uint256 rulesetId) external;
 }

package/src/libraries/JBMetadataResolver.sol

@@ -115,7 +115,7 @@ library JBMetadataResolver {
 
         // Add the new entry after the last entry of the table, the new offset is the last offset + the number of words
         // taken by the last data
-        // M-21: Compute in uint256 first — casting directly to uint8 silently wraps offsets > 255.
+        // Compute in uint256 first — casting directly to uint8 silently wraps offsets > 255.
         uint256 newOffset = lastOffset + numberOfWordslastData;
         if (newOffset > 255) revert JBMetadataResolver_MetadataTooLong();
         newMetadata = abi.encodePacked(newMetadata, idToAdd, bytes1(uint8(newOffset)));
@@ -282,7 +282,7 @@ library JBMetadataResolver {
         assembly ("memory-safe") {
             let length := sub(end, start)
 
-            // M-20: Allocate memory at freemem — round up to 32-byte boundary so subsequent
+            // Allocate memory at freemem — round up to 32-byte boundary so subsequent
             // allocations do not overlap the tail of this buffer.
             slicedBytes := mload(0x40)
             mstore(0x40, and(add(add(add(slicedBytes, length), 0x20), 0x1f), not(0x1f)))
@@ -296,7 +296,7 @@ library JBMetadataResolver {
             // same for the out array
             let sliceBytesStartOfData := add(slicedBytes, 0x20)
 
-            // M-20: Copy data — bound is `length` not `end`. Using `end` (an absolute source offset)
+            // Copy data — bound is `length` not `end`. Using `end` (an absolute source offset)
             // would over-copy by `start` bytes past the allocated buffer.
             for { let i := 0 } lt(i, length) { i := add(i, 0x20) } {
                 mstore(add(sliceBytesStartOfData, i), mload(add(startBytes, i)))

package/test/AuditExploits.t.sol

@@ -4,9 +4,9 @@ pragma solidity ^0.8.6;
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 import {JBCashOuts} from "../src/libraries/JBCashOuts.sol";
 
-/// @notice Exploit PoC tests for critical vulnerability scenarios in Juicebox V5.
-/// @dev These tests target specific edge cases and potential vulnerabilities identified during audit.
-contract AuditExploits_Local is TestBaseWorkflow {
+/// @notice Tests for edge case scenarios in Juicebox V5.
+/// @dev These tests target specific edge cases and potential vulnerabilities.
+contract EdgeCases_Local is TestBaseWorkflow {
     //*********************************************************************//
     // ----------------------------- storage ----------------------------- //
     //*********************************************************************//
@@ -292,7 +292,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- Test 2: REVDeployer beforePayRecordedWith OOB (C-2) ---------- //
+    // --- Test 2: REVDeployer beforePayRecordedWith OOB ---------------- //
     //*********************************************************************//
 
     /// @notice Demonstrates that REVDeployer.beforePayRecordedWith writes to index [1] of the
@@ -937,14 +937,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // ====== CRITICAL EXPLOIT PoC TESTS ================================ //
+    // ====== EDGE CASE TESTS ============================================ //
     //*********************************************************************//
 
     //*********************************************************************//
-    // --- [C-5] Zero-Supply Cash Out Drains Entire Surplus ------------- //
+    // --- Zero-Supply Cash Out Drains Entire Surplus ------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: When totalSupply == 0 and surplus > 0, calling cashOutTokensOf with
+    /// @notice When totalSupply == 0 and surplus > 0, calling cashOutTokensOf with
     ///         cashOutCount = 0 returns the ENTIRE surplus without burning any tokens.
     /// @dev Attack flow:
     ///      1. Project is funded via addToBalanceOf (no tokens minted)
@@ -952,7 +952,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     ///      3. JBCashOuts.cashOutFrom: 0 >= 0 → true → returns full surplus
     ///      4. JBMultiTerminal: cashOutCount != 0 is false → no burn
     ///      5. Attacker receives full surplus minus fee
-    function test_C5_zeroSupplyCashOut_drainsEntireSurplus() public {
+    function test_zeroSupplyCashOut_drainsEntireSurplus() public {
         // --- Setup: create a project with 0% cash out tax ---
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
 
@@ -982,7 +982,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // After fix: cashOutCount == 0 → early return 0
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
-        assertEq(reclaimFromLibrary, 0, "FIX CONFIRMED: cashOutFrom(surplus, 0, 0, rate) returns 0");
+        assertEq(reclaimFromLibrary, 0, "cashOutFrom(surplus, 0, 0, rate) returns 0");
 
         // --- Verify the exploit is now blocked ---
         address attacker = makeAddr("attacker");
@@ -1006,22 +1006,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         uint256 ethReceived = attackerEthAfter - attackerEthBefore;
 
         // --- Verify the exploit is blocked ---
-        assertEq(reclaimAmount, 0, "FIX: attacker receives nothing when cashing out 0 tokens");
-        assertEq(ethReceived, 0, "FIX: no ETH transferred to attacker");
+        assertEq(reclaimAmount, 0, "attacker receives nothing when cashing out 0 tokens");
+        assertEq(ethReceived, 0, "no ETH transferred to attacker");
 
         // Terminal balance should be unchanged — not drained.
         uint256 terminalBalanceAfter =
             jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
-        assertEq(terminalBalanceAfter, fundAmount, "FIX: terminal balance preserved");
+        assertEq(terminalBalanceAfter, fundAmount, "terminal balance preserved");
 
         // Attacker never had any tokens.
         uint256 attackerTokens = _tokens.totalBalanceOf(attacker, projectId);
         assertEq(attackerTokens, 0, "attacker never held any tokens");
     }
 
-    /// @notice PoC variant: Same attack but with a cash out tax rate.
+    /// @notice Same scenario but with a cash out tax rate.
     ///         Even with a tax, the attacker drains surplus (fee goes to project #1).
-    function test_C5_zeroSupplyCashOut_withTaxRate() public {
+    function test_zeroSupplyCashOut_withTaxRate() public {
         // 50% cash out tax rate
         uint256 projectId = _launchProject({cashOutTaxRate: 5000, reservedPercent: 0});
 
@@ -1043,7 +1043,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // After fix: cashOutCount == 0 → early return 0, regardless of tax rate.
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 5000});
-        assertEq(reclaimFromLibrary, 0, "FIX: 0 returned even with 50% tax when cashOutCount=0");
+        assertEq(reclaimFromLibrary, 0, "0 returned even with 50% tax when cashOutCount=0");
 
         // Verify exploit is blocked.
         address attacker = makeAddr("attacker");
@@ -1063,12 +1063,12 @@ contract AuditExploits_Local is TestBaseWorkflow {
         uint256 ethReceived = attacker.balance - attackerEthBefore;
 
         // After fix: attacker gets nothing.
-        assertEq(ethReceived, 0, "FIX: attacker receives nothing with 0 tokens burned");
-        assertEq(reclaimAmount, 0, "FIX: reclaim is 0");
+        assertEq(ethReceived, 0, "attacker receives nothing with 0 tokens burned");
+        assertEq(reclaimAmount, 0, "reclaim is 0");
     }
 
-    /// @notice PoC variant: Repeatable attack. After all tokens are burned, attacker drains surplus.
-    function test_C5_zeroSupplyCashOut_afterAllTokensBurned() public {
+    /// @notice After all tokens are burned, calling cashOut with 0 returns nothing.
+    function test_zeroSupplyCashOut_afterAllTokensBurned() public {
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
 
         vm.prank(_projectOwner);
@@ -1119,18 +1119,18 @@ contract AuditExploits_Local is TestBaseWorkflow {
         });
 
         // After fix: cashing out 0 tokens returns 0, treasury is safe.
-        assertEq(stolen, 0, "FIX: attacker cannot steal funds after tokens were burned");
-        assertEq(attacker.balance, 0, "FIX: attacker receives no ETH");
+        assertEq(stolen, 0, "cannot extract funds after tokens were burned");
+        assertEq(attacker.balance, 0, "no ETH received");
     }
 
     //*********************************************************************//
-    // --- [C-2] REVDeployer.beforePayRecordedWith Array OOB (Enhanced)-- //
+    // --- REVDeployer.beforePayRecordedWith Array OOB (Enhanced)-------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates the exact Solidity panic that occurs in REVDeployer when
+    /// @notice Demonstrates the exact Solidity panic that occurs in REVDeployer when
     ///         usesTiered721Hook=false and usesBuybackHook=true.
     ///         This mirrors REVDeployer.sol lines 248-258 exactly.
-    function test_C2_beforePayRecordedWith_fullOOBPattern() public {
+    function test_beforePayRecordedWith_fullOOBPattern() public {
         // Simulate all 4 combinations and verify only the problematic one reverts.
         bool[4] memory tiered = [false, true, false, true];
         bool[4] memory buyback = [false, false, true, true];
@@ -1165,13 +1165,13 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [C-4] REVDeployer.hasMintPermissionFor address(0) call ------- //
+    // --- REVDeployer.hasMintPermissionFor address(0) call ------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates that calling a function on address(0) reverts.
+    /// @notice Demonstrates that calling a function on address(0) reverts.
     ///         This mirrors REVDeployer.sol line 353 where buybackHook.hasMintPermissionFor(...)
     ///         is called when buybackHookOf[revnetId] == address(0).
-    function test_C4_hasMintPermissionFor_callOnAddressZero() public {
+    function test_hasMintPermissionFor_callOnAddressZero() public {
         // The bug is in the short-circuit evaluation of:
         //   addr == loansOf[revnetId]              // false (addr is some real address)
         //   || addr == address(buybackHook)         // false (buybackHook is address(0), addr is not)
@@ -1206,22 +1206,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // The call succeeds (returns false from empty contract) but has no return data.
         // Solidity's interface-based call would revert because it expects abi-encoded bool.
         if (success && data.length < 32) {
-            revert("C-4 confirmed: call to address(0) returns empty data, ABI decode reverts");
+            revert("confirmed: call to address(0) returns empty data, ABI decode reverts");
         }
         if (!success) {
-            revert("C-4 confirmed: call to address(0) reverted directly");
+            revert("confirmed: call to address(0) reverted directly");
         }
     }
 
     //*********************************************************************//
-    // --- [C-1] REVLoans uint112 Truncation Pattern -------------------- //
+    // --- REVLoans uint112 Truncation Pattern --------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates silent uint112 truncation.
+    /// @notice Demonstrates silent uint112 truncation.
     ///         This mirrors REVLoans.sol lines 922-923 where:
     ///           loan.amount = uint112(newBorrowAmount);
     ///           loan.collateral = uint112(newCollateralCount);
-    function test_C1_uint112SilentTruncation() public pure {
+    function test_uint112SilentTruncation() public pure {
         // Values that exceed uint112.max
         uint256 hugeCollateral = uint256(type(uint112).max) + 1000 ether;
         uint256 hugeBorrow = uint256(type(uint112).max) + 500 ether;
@@ -1249,14 +1249,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // If attacker repays truncatedBorrow (tiny), they get back truncatedCollateral (tiny).
         // But they already received hugeBorrow worth of funds from the surplus.
         // Net theft = hugeBorrow - truncatedBorrow
-        assertGt(borrowProfit, 999 ether, "EXPLOIT: attacker steals >999 ETH from truncation of 1000 ETH overflow");
+        assertGt(borrowProfit, 999 ether, "attacker extracts >999 ETH from truncation of 1000 ETH overflow");
     }
 
     //*********************************************************************//
-    // --- [C-3] REVLoans Reentrancy Pattern ----------------------------- //
+    // --- REVLoans Reentrancy Pattern ----------------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates the CEI violation pattern in REVLoans._adjust.
+    /// @notice Demonstrates the CEI violation pattern in REVLoans._adjust.
     ///         The contract makes external calls (useAllowanceOf, feeTerminal.pay, _transferFrom)
     ///         BEFORE writing loan.amount and loan.collateral at lines 921-923.
     ///
@@ -1264,7 +1264,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     ///
     /// @dev The actual exploit requires a full REVLoans deployment which is in revnet-core-v5.
     ///      This test demonstrates the PATTERN: external call before state write.
-    function test_C3_reentrancyPattern_externalCallBeforeStateWrite() public {
+    function test_reentrancyPattern_externalCallBeforeStateWrite() public {
         // Deploy a mock "victim" contract that follows the vulnerable pattern.
         ReentrancyVictim victim = new ReentrancyVictim();
 
@@ -1280,26 +1280,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         attacker.attack();
 
         // The attacker extracted more than they should have.
-        assertGt(
-            address(attacker).balance,
-            10 ether,
-            "EXPLOIT: attacker extracted more than single borrow allows (re-entered)"
-        );
+        assertGt(address(attacker).balance, 10 ether, "attacker extracted more than single borrow allows (re-entered)");
 
         // The victim was drained below expected.
         assertLt(address(victim).balance, 10 ether, "victim was over-drained");
     }
 
     //*********************************************************************//
-    // --- [M-1] Held Fee Reentrancy ----------------------------------- //
+    // --- Held Fee Reentrancy ----------------------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Verifies that the M-1 held fee reentrancy fix works correctly.
+    /// @notice Verifies that the held fee reentrancy fix works correctly.
     ///         A reentrant fee terminal calls back into processHeldFeesOf during pay().
     ///         Before the fix, the same fee would be processed twice. After the fix,
     ///         the index is advanced before the external call (CEI pattern), so the
     ///         reentrant call processes zero fees.
-    function test_M1_heldFeeReentrancy_blocked() public {
+    function test_heldFeeReentrancy_blocked() public {
         // --- Step 1: Launch fee project (project #1) with the standard terminal ---
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1466,9 +1462,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // With the fix (CEI): the reentrant call sees the index already advanced,
         // so it only processes the remaining fees (not the same fee again).
         // Total pay calls should be exactly 2 (one per held fee), not 3+ (which would indicate double-processing).
-        assertEq(
-            reentrantTerminal.payCallCount(), 2, "M-1 FIX: exactly 2 pay calls (no double-processing from reentrancy)"
-        );
+        assertEq(reentrantTerminal.payCallCount(), 2, "exactly 2 pay calls (no double-processing from reentrancy)");
 
         // Held fees should all be consumed.
         JBFee[] memory remainingFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
@@ -1476,7 +1470,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     /// @notice Verify processHeldFeesOf correctly handles partial unlock (some locked, some unlocked).
-    function test_M1_partialLockedFees() public {
+    function test_partialLockedFees() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1637,14 +1631,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [H-3] Approval Hook Revert DoS (NEW - no test existed) ------- //
+    // --- Approval Hook Revert DoS ------------------------------------ //
     //*********************************************************************//
 
-    /// @notice PoC: A malicious approval hook that reverts on approvalStatusOf() causes
+    /// @notice A malicious approval hook that reverts on approvalStatusOf() causes
     ///         currentOf() to revert when the NEXT ruleset (queued or auto-cycled) needs
     ///         approval from the hook. This permanently freezes the project.
     ///         Affects JBRulesets (NOT fixed).
-    function test_H3_approvalHookRevertDoS() public {
+    function test_approvalHookRevertDoS() public {
         // Deploy a malicious approval hook that always reverts
         MaliciousApprovalHook maliciousHook = new MaliciousApprovalHook();
 
@@ -1759,30 +1753,30 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // currentOf no longer reverts — it treats the approval as Failed and falls back
         // to the most recent approved ruleset. The project is NOT frozen.
         JBRuleset memory currentRuleset = jbRulesets().currentOf(projectId);
-        assertGt(currentRuleset.id, 0, "H-3 FIX: project is not frozen, currentOf succeeds");
+        assertGt(currentRuleset.id, 0, "project is not frozen, currentOf succeeds");
     }
 
     //*********************************************************************//
-    // --- [C-5] V5.1 Regression: Verify Fix Works ---------------------- //
+    // --- V5.1 Regression: Verify Fix Works ----------------------------- //
     //*********************************************************************//
 
-    /// @notice Verify that the C-5 zero-supply cash-out exploit is still present in V5.0
-    ///         but the V5.1 rulesets should handle rulesets correctly (C-5 is a different
-    ///         bug from the rulesets fix - C-5 is in JBCashOuts library).
-    /// @dev Confirms the C-5 fix: cashing out 0 tokens returns 0, not the full surplus.
-    function test_C5_v51_zeroSupplyCashOut_fixedInLibrary() public pure {
-        // C-5 was in JBCashOuts.cashOutFrom: when cashOutCount=0 and totalSupply=0,
+    /// @notice Verify that the zero-supply cash-out exploit is still present in V5.0
+    ///         but the V5.1 rulesets should handle rulesets correctly (the zero-supply bug
+    ///         is a different bug from the rulesets fix - it is in JBCashOuts library).
+    /// @dev Confirms the fix: cashing out 0 tokens returns 0, not the full surplus.
+    function test_v51_zeroSupplyCashOut_fixedInLibrary() public pure {
+        // The bug was in JBCashOuts.cashOutFrom: when cashOutCount=0 and totalSupply=0,
         // the function returned the full surplus instead of 0.
         // The fix adds an early return of 0 when cashOutCount == 0.
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
 
         // Cashing out 0 tokens should return 0, not the full surplus.
-        assertEq(reclaimFromLibrary, 0, "C-5 FIX: cashOutFrom(surplus, 0, 0, rate) should return 0");
+        assertEq(reclaimFromLibrary, 0, "cashOutFrom(surplus, 0, 0, rate) should return 0");
     }
 
-    /// @notice Verify C-5 does not manifest when totalSupply > 0 (normal operation).
-    function test_C5_v51_normalOperation_cashOut_safe() public pure {
+    /// @notice Verify the zero-supply bug does not manifest when totalSupply > 0 (normal operation).
+    function test_v51_normalOperation_cashOut_safe() public pure {
         // With non-zero supply and non-zero cashOutCount, the bonding curve works correctly
         uint256 reclaimable =
             JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 500e18, totalSupply: 1000e18, cashOutTaxRate: 0});
@@ -1792,11 +1786,11 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [L-5] Held Fees Storage Cleanup ------------------------------ //
+    // --- Held Fees Storage Cleanup ------------------------------------ //
     //*********************************************************************//
 
     /// @notice Verifies that processHeldFeesOf deletes processed entries and resets array+index when done.
-    function test_L5_heldFeesStorageCleanup() public {
+    function test_heldFeesStorageCleanup() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1930,7 +1924,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
 
         // After processing all, the array should be fully reset (not just emptied).
         JBFee[] memory remaining = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(remaining.length, 0, "L-5: all fees processed and array cleaned");
+        assertEq(remaining.length, 0, "all fees processed and array cleaned");
 
         // Creating new fees after cleanup should work from index 0 (array was reset).
         vm.deal(address(this), 2 ether);
@@ -1957,16 +1951,16 @@ contract AuditExploits_Local is TestBaseWorkflow {
 
         // Should have 1 new fee (not 4 = 3 deleted + 1 new).
         JBFee[] memory newFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(newFees.length, 1, "L-5: new fee after array reset works correctly");
+        assertEq(newFees.length, 1, "new fee after array reset works correctly");
     }
 
     //*********************************************************************//
-    // --- [L-8] Ruleset Start Time After Base Ruleset ------------------ //
+    // --- Ruleset Start Time After Base Ruleset ------------------------ //
     //*********************************************************************//
 
     /// @notice Verifies that a queued ruleset's start time is bumped to at least
-    ///         the base ruleset's start time (L-8 fix).
-    function test_L8_rulesetStartsAfterBaseRuleset() public {
+    ///         the base ruleset's start time.
+    function test_rulesetStartsAfterBaseRuleset() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -2026,7 +2020,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         assertGt(firstStart, 0, "first ruleset should have a start time");
 
         // Queue a second ruleset with mustStartAtOrAfter=0 (meaning "as soon as possible").
-        // Without the L-8 fix, this could theoretically derive a start before the base ruleset.
+        // Without the fix, this could theoretically derive a start before the base ruleset.
         JBRulesetConfig[] memory secondConfig = new JBRulesetConfig[](1);
         secondConfig[0].mustStartAtOrAfter = 0; // Key: asking for earliest possible
         secondConfig[0].duration = 30 days;
@@ -2041,15 +2035,15 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // Get the queued ruleset.
         (JBRuleset memory queued,) = jbRulesets().latestQueuedOf(projectId);
 
-        // L-8 fix: the queued ruleset must start at or after the base ruleset's start.
-        assertGe(queued.start, firstStart, "L-8: queued ruleset must start at or after base ruleset");
+        // Fix: the queued ruleset must start at or after the base ruleset's start.
+        assertGe(queued.start, firstStart, "queued ruleset must start at or after base ruleset");
 
         // It should start at the next cycle boundary (firstStart + duration).
         assertEq(queued.start, firstStart + 30 days, "queued ruleset starts at next cycle boundary");
     }
 
     //*********************************************************************//
-    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    // --- Pending Reserves Inflate cashOutWeight (property test)-------- //
     //*********************************************************************//
 
     //*********************************************************************//
@@ -2507,13 +2501,13 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    // --- Pending Reserves Inflate cashOutWeight (property test)-------- //
     //*********************************************************************//
 
     /// @notice Property: cashOut reclaim with pending reserves <= cashOut reclaim after reserves distributed.
     /// @dev When there are pending reserved tokens that haven't been distributed, they should
     ///      not inflate the denominator used for cash-out calculations.
-    function test_H4_pendingReserves_cashOutProperty() public {
+    function test_pendingReserves_cashOutProperty() public {
         // Launch project with 50% reserved rate
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 5000});
 
@@ -2529,7 +2523,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
             token: JBConstants.NATIVE_TOKEN,
             beneficiary: _beneficiary,
             minReturnedTokens: 0,
-            memo: "H-4 test",
+            memo: "test",
             metadata: new bytes(0)
         });
 
@@ -2589,7 +2583,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // share decreases, so reclaimable should decrease or stay the same.
         // With 0% cashOutTaxRate and linear redemption: reclaimable = surplus * tokens / totalSupply
         // After reserves: totalSupply is larger, so reclaimable is smaller.
-        assertLe(reclaimAfter, reclaimBefore, "H-4 property: reclaim after reserves distributed <= reclaim before");
+        assertLe(reclaimAfter, reclaimBefore, "reclaim after reserves distributed <= reclaim before");
     }
 }
 
@@ -2638,7 +2632,7 @@ contract ReentrancyAttacker {
     }
 }
 
-/// @notice Malicious fee terminal that reenters processHeldFeesOf during pay(), demonstrating M-1.
+/// @notice Malicious fee terminal that reenters processHeldFeesOf during pay().
 contract ReentrantFeeTerminal is ERC165 {
     IJBMultiTerminal public immutable victim;
     uint256 public immutable targetProjectId;
@@ -2694,7 +2688,7 @@ contract ReentrantFeeTerminal is ERC165 {
     receive() external payable {}
 }
 
-/// @notice Malicious approval hook that always reverts, demonstrating H-3 DoS.
+/// @notice Malicious approval hook that always reverts.
 contract MaliciousApprovalHook is ERC165, IJBRulesetApprovalHook {
     function DURATION() external pure override returns (uint256) {
         return 1 days;

package/test/FlashLoanAttacks.t.sol

@@ -262,15 +262,15 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
     }
 
     // ═══════════════════════════════════════════════════════════════════
-    //  Test 5: C-5 regression — cashOut(0) with totalSupply==0 must return 0
+    //  Test 5: Regression — cashOut(0) with totalSupply==0 must return 0
     // ═══════════════════════════════════════════════════════════════════
 
-    /// @notice C-5 was a V5 audit finding where cashOut(0) with totalSupply==0 returned the entire surplus.
+    /// @notice Regression test: cashOut(0) with totalSupply==0 previously returned the entire surplus.
     /// @dev In V5, `cashOutCount >= totalSupply` (0 >= 0) was true and returned the full surplus before
     /// checking for zero cashOutCount. Fixed since V5.1: `JBCashOuts.cashOutFrom` returns 0 when
     /// cashOutCount==0 (line 31) before reaching the `cashOutCount >= totalSupply` check (line 37).
     /// This test verifies the fix holds.
-    function test_C5_variant_addToBalance_zeroCashOut() public {
+    function test_variant_addToBalance_zeroCashOut() public {
         // Add to balance when no tokens exist
         vm.deal(address(0xD000), 5 ether);
         vm.prank(address(0xD000));
@@ -297,7 +297,7 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
                 metadata: new bytes(0)
             });
 
-        assertEq(reclaimAmount, 0, "C-5 regression: cashOut(0) must return 0");
+        assertEq(reclaimAmount, 0, "Regression: cashOut(0) must return 0");
     }
 
     // ═══════════════════════════════════════════════════════════════════
@@ -350,11 +350,11 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
     }
 
     // ═══════════════════════════════════════════════════════════════════
-    //  Test 8: H-4 reserved token inflation — cashOut timing
+    //  Test 8: Reserved token inflation — cashOut timing
     // ═══════════════════════════════════════════════════════════════════
 
     function test_reservedTokenInflation_cashOutTiming() public {
-        // Launch a project with 20% reserved to test H-4
+        // Launch a project with 20% reserved to test inflation
         JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
         rulesetConfig[0].mustStartAtOrAfter = 0;
         rulesetConfig[0].duration = 0;

package/test/TestCashOutTimingEdge.sol

@@ -4,7 +4,7 @@ pragma solidity ^0.8.6;
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 import {JBCashOuts} from "../src/libraries/JBCashOuts.sol";
 
-/// @notice Edge case tests for cross-ruleset cash outs and pending reserves inflation (H-4).
+/// @notice Edge case tests for cross-ruleset cash outs and pending reserves inflation.
 /// Demonstrates that pending reserved tokens inflate totalSupply in cash-out calculations,
 /// systematically undervaluing cash-outs until reserves are distributed.
 contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
@@ -92,7 +92,7 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
         _controller.deployERC20For(_projectId, "Test", "TST", bytes32(0));
     }
 
-    /// @notice H-4 CONFIRMATION: Pending reserves inflate totalSupply, reducing cash-out value.
+    /// @notice Pending reserves inflate totalSupply, reducing cash-out value.
     /// When reserves exist but haven't been distributed, totalTokenSupplyWithReservedTokensOf
     /// includes them in the denominator, making each token worth less.
     function test_pendingReserves_inflateSupply_reduceCashOut() external {
@@ -134,8 +134,8 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
             surplus: surplus, cashOutCount: payerTokens, totalSupply: circulatingSupply, cashOutTaxRate: 5000
         });
 
-        // H-4 CONFIRMED: Cash-out with pending reserves is LESS than without.
-        assertLt(reclaimWithInflation, reclaimWithoutInflation, "H-4: Pending reserves reduce cash-out value");
+        // Cash-out with pending reserves is LESS than without.
+        assertLt(reclaimWithInflation, reclaimWithoutInflation, "Pending reserves reduce cash-out value");
 
         // Quantify the impact.
         uint256 lostValue = reclaimWithoutInflation - reclaimWithInflation;
@@ -177,7 +177,7 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
         assertEq(totalAfter, totalBefore, "Total supply unchanged after distribution");
 
         // Cash-out value should be the same since total didn't change.
-        // The fix for H-4 would be: don't include pending reserves in totalSupply.
+        // One approach: don't include pending reserves in totalSupply.
         uint256 reclaimAfter = JBCashOuts.cashOutFrom({
             surplus: surplus, cashOutCount: payerTokens, totalSupply: totalAfter, cashOutTaxRate: 5000
         });

package/test/TestDurationUnderflow.sol

@@ -21,7 +21,7 @@ contract JBRulesetsHarness is JBRulesets {
     }
 }
 
-/// @notice Tests for M-19: duration underflow fix in `_simulateCycledRulesetBasedOn`.
+/// @notice Tests for duration underflow fix in `_simulateCycledRulesetBasedOn`.
 ///
 /// The fix guards against arithmetic underflow when `baseRuleset.duration >= block.timestamp`.
 /// Without the fix, `block.timestamp - baseRuleset.duration + 1` wraps around to ~2^256,

package/test/TestFees.sol

@@ -481,7 +481,7 @@ contract TestFees_Local is TestBaseWorkflow {
         assertEq(_persistingFee.length, 1);
     }
 
-    function test_AuditFinding4POC() external {
+    function test_doubleFeeEdgeCase() external {
         vm.skip(true);
 
         // Setup: Pay the zero project so the terminal has balance of 1 eth from another project.
@@ -537,10 +537,10 @@ contract TestFees_Local is TestBaseWorkflow {
         // Check the unlock timestamp
         assertEq(_checkOgFee[0].unlockTimestamp, block.timestamp + 2_419_200);
 
-        // Audit Example correctly asserts that the fee amount is 1 ETH
+        // The fee amount is 1 ETH
         assertEq(_checkOgFee[0].amount, _nativeDistLimit);
 
-        // Audit Example correctly asserts that the projects balance in terminal store will be zero.
+        // The project's balance in terminal store will be zero.
         uint256 project2BalanceStore =
             jbTerminalStore().balanceOf(address(_terminal), _projectId, JBConstants.NATIVE_TOKEN);
         assertEq(project2BalanceStore, 0);

package/test/TestMigrationHeldFees.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.6;
 
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 
-/// @notice Confirms M-16: held fees are stranded when a terminal migrates.
+/// @notice Confirms held fees are stranded when a terminal migrates.
 /// The migration calls addToBalanceOf with shouldReturnHeldFees: false,
 /// leaving held fees in the old terminal with no balance to process them.
 contract TestMigrationHeldFees_Local is TestBaseWorkflow {
@@ -116,7 +116,7 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
         });
     }
 
-    /// @notice M-16 CONFIRMED: Pay → distribute payouts (holds fees) → migrate → fees stranded.
+    /// @notice Pay → distribute payouts (holds fees) → migrate → fees stranded.
     function test_migration_heldFeesStranded() external {
         // Step 1: Pay the project.
         _terminal.pay{value: PAY_AMOUNT}({
@@ -156,7 +156,7 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
 
         // Held fees still exist in old terminal.
         JBFee[] memory feesAfterMigration = _terminal.heldFeesOf(_projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(feesAfterMigration.length, heldFees.length, "M-16: Held fees remain in old terminal");
+        assertEq(feesAfterMigration.length, heldFees.length, "Held fees remain in old terminal");
     }
 
     /// @notice Process held fees FIRST, then migrate — correct approach.
@@ -244,6 +244,6 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
         // The fee processing attempted but the terminal has no actual ETH.
         // The _recordAddedBalanceFor in the catch block inflates the store balance
         // without actual funds — this is a phantom balance.
-        // This documents the M-16 issue: either fees are lost OR phantom balances are created.
+        // This documents the issue: either fees are lost OR phantom balances are created.
     }
 }

package/test/TestRulesetQueuingStress.sol

@@ -22,7 +22,7 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
     }
 }
 
-    /// @notice Mock approval hook that always reverts (for DoS testing — H-3 confirmation).
+    /// @notice Mock approval hook that always reverts (for DoS testing).
     contract RevertingApprovalHook is IJBRulesetApprovalHook {
         uint256 public constant override DURATION = 3 days;
 
@@ -296,10 +296,10 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
             assertGt(current.cycleNumber, 1, "Should have rolled over multiple cycles");
         }
 
-        /// @notice H-3 FIX VERIFICATION: Reverting approval hook no longer causes DoS.
+        /// @notice Reverting approval hook no longer causes DoS.
         /// The try/catch in _approvalStatusOf catches the revert and returns Failed status,
         /// so currentOf succeeds and falls back to the previous ruleset.
-        function test_approvalHook_revert_causesDoS_H3() external {
+        function test_approvalHook_revert_causesDoS() external {
             RevertingApprovalHook revertHook = new RevertingApprovalHook();
 
             uint256 pid = _launchProject(FOURTEEN_DAYS, INITIAL_WEIGHT, 0, IJBRulesetApprovalHook(address(revertHook)));
@@ -310,7 +310,7 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
             // Warp past current cycle so the queued one is checked.
             vm.warp(block.timestamp + FOURTEEN_DAYS);
 
-            // H-3 FIX: The reverting hook is caught by try/catch, treated as Failed.
+            // The reverting hook is caught by try/catch, treated as Failed.
             // currentOf succeeds and falls back to the original ruleset (weight not doubled).
             JBRuleset memory current = _rulesets.currentOf(pid);
             assertGt(current.id, 0, "currentOf should succeed, not revert");

package/test/TestWeightCacheStaleAfterRejection.sol

@@ -0,0 +1,289 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.6;
+
+import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
+
+/// @notice Mock approval hook that ALWAYS rejects queued rulesets.
+contract AlwaysRejectApprovalHook is IJBRulesetApprovalHook {
+    function DURATION() external pure override returns (uint256) {
+        return 0;
+    }
+
+    function approvalStatusOf(uint256, JBRuleset memory) external pure override returns (JBApprovalStatus) {
+        return JBApprovalStatus.Failed;
+    }
+
+    function supportsInterface(bytes4 interfaceId) external pure override returns (bool) {
+        return interfaceId == type(IJBRulesetApprovalHook).interfaceId || interfaceId == type(IERC165).interfaceId;
+    }
+}
+
+/// @notice Regression tests for the weight cache stale-after-rejection fix.
+///
+/// Before the fix, updateRulesetWeightCache() only updated the cache for latestRulesetIdOf.
+/// When a queued ruleset was rejected by an approval hook, currentOf() would fall back to
+/// the base ruleset, but that base ruleset's cache could never be updated — causing
+/// deriveWeightFrom() to revert with WeightCacheRequired after >20,000 cycles.
+///
+/// The fix adds a rulesetId parameter to updateRulesetWeightCache() so callers can
+/// specify exactly which ruleset's cache to update — typically the one currentOf() uses.
+contract TestWeightCacheStaleAfterRejection is TestBaseWorkflow {
+    IJBController private _controller;
+    IJBRulesets private _rulesets;
+    address private _projectOwner;
+    AlwaysRejectApprovalHook private _rejectHook;
+
+    uint256 private _projectId;
+
+    function setUp() public override {
+        super.setUp();
+        _controller = jbController();
+        _rulesets = jbRulesets();
+        _projectOwner = multisig();
+        _rejectHook = new AlwaysRejectApprovalHook();
+    }
+
+    /// @notice Launch a project with a 1-second duration ruleset, weight decay, and an always-reject approval hook.
+    function _launchProject() internal returns (uint256 projectId) {
+        JBRulesetConfig[] memory rulesetConfigurations = new JBRulesetConfig[](1);
+
+        JBRulesetMetadata memory metadata = JBRulesetMetadata({
+            reservedPercent: 0,
+            cashOutTaxRate: 0,
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            pausePay: false,
+            pauseCreditTransfers: false,
+            allowOwnerMinting: false,
+            allowSetCustomToken: false,
+            allowTerminalMigration: false,
+            allowSetTerminals: false,
+            ownerMustSendPayouts: false,
+            allowSetController: false,
+            allowAddAccountingContext: true,
+            allowAddPriceFeed: false,
+            holdFees: false,
+            useTotalSurplusForCashOuts: true,
+            useDataHookForPay: false,
+            useDataHookForCashOut: false,
+            dataHook: address(0),
+            metadata: 0
+        });
+
+        rulesetConfigurations[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 1, // 1 second — cycles very fast
+            weight: 1000e18,
+            weightCutPercent: 1, // Non-zero so weight decays each cycle
+            approvalHook: _rejectHook, // Will reject all subsequent rulesets
+            metadata: metadata,
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+
+        vm.prank(_projectOwner);
+        projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "ipfs://test",
+            rulesetConfigurations: rulesetConfigurations,
+            terminalConfigurations: new JBTerminalConfig[](0),
+            memo: ""
+        });
+    }
+
+    /// @notice Helper to build a new ruleset config for queuing (will be rejected).
+    function _buildRejectedConfig() internal pure returns (JBRulesetConfig[] memory newConfigs) {
+        newConfigs = new JBRulesetConfig[](1);
+        newConfigs[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 1,
+            weight: 500e18, // Specific weight, not 1 (inherit), to avoid deriveWeightFrom during queuing
+            weightCutPercent: 1,
+            approvalHook: IJBRulesetApprovalHook(address(0)),
+            metadata: JBRulesetMetadata({
+                reservedPercent: 0,
+                cashOutTaxRate: 0,
+                baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+                pausePay: false,
+                pauseCreditTransfers: false,
+                allowOwnerMinting: false,
+                allowSetCustomToken: false,
+                allowTerminalMigration: false,
+                allowSetTerminals: false,
+                ownerMustSendPayouts: false,
+                allowSetController: false,
+                allowAddAccountingContext: true,
+                allowAddPriceFeed: false,
+                holdFees: false,
+                useTotalSurplusForCashOuts: true,
+                useDataHookForPay: false,
+                useDataHookForCashOut: false,
+                dataHook: address(0),
+                metadata: 0
+            }),
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+    }
+
+    /// @notice REGRESSION: After queuing a rejected ruleset and warping >20k cycles,
+    /// updateRulesetWeightCache() should update the active base ruleset's cache (not just the
+    /// rejected latest), allowing currentOf() to succeed.
+    function test_weightCache_fixedAfterApprovalRejection() public {
+        _projectId = _launchProject();
+
+        // Verify the project works initially.
+        JBRuleset memory initial = _rulesets.currentOf(_projectId);
+        assertGt(initial.weight, 0, "Initial weight should be set");
+
+        // Queue a new ruleset (B). It will be rejected by A's approval hook.
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: _projectId, rulesetConfigurations: _buildRejectedConfig(), memo: ""});
+
+        // Verify B is now the latest but A is still the current (B is rejected).
+        uint256 latestId = _rulesets.latestRulesetIdOf(_projectId);
+        assertGt(latestId, initial.id, "Latest should be B");
+        JBRuleset memory afterQueue = _rulesets.currentOf(_projectId);
+        assertEq(afterQueue.id, initial.id, "Current should still be A (B is rejected)");
+
+        // Warp beyond the 20,000-cycle cache threshold.
+        vm.warp(block.timestamp + 20_001);
+
+        // Before the fix, updateRulesetWeightCache only accepted projectId and always updated
+        // latestRulesetIdOf — which is the rejected B. A's cache could never be updated.
+        // After the fix, the caller passes the rulesetId of the active base ruleset (A).
+        _rulesets.updateRulesetWeightCache(_projectId, initial.id);
+
+        // Now currentOf() should succeed because A's cache is populated.
+        JBRuleset memory afterFix = _rulesets.currentOf(_projectId);
+        assertEq(afterFix.id, initial.id, "Should still use ruleset A");
+        // Weight should be less than initial (decayed over 20k+ cycles).
+        assertLt(afterFix.weight, initial.weight, "Weight should have decayed");
+    }
+
+    /// @notice Multiple cache updates work correctly when the latest is rejected.
+    /// Verifies that progressive caching (multiple updateRulesetWeightCache calls) also
+    /// works for the base ruleset, not just the latest.
+    function test_weightCache_progressiveCachingForRejectedLatest() public {
+        _projectId = _launchProject();
+
+        // Capture the base ruleset (A) ID before warping — after the warp, currentOf() would revert.
+        uint256 baseRulesetId = _rulesets.currentOf(_projectId).id;
+
+        // Queue a rejected ruleset.
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: _projectId, rulesetConfigurations: _buildRejectedConfig(), memo: ""});
+
+        // Warp far into the future (50k cycles — needs 3 cache update calls).
+        vm.warp(block.timestamp + 50_001);
+
+        // First cache update covers up to 20k cycles.
+        _rulesets.updateRulesetWeightCache(_projectId, baseRulesetId);
+        // Second covers up to 40k.
+        _rulesets.updateRulesetWeightCache(_projectId, baseRulesetId);
+        // Third covers up to 50k.
+        _rulesets.updateRulesetWeightCache(_projectId, baseRulesetId);
+
+        // currentOf() should now work.
+        JBRuleset memory current = _rulesets.currentOf(_projectId);
+        assertGt(current.cycleNumber, 50_000, "Should be past 50k cycles");
+    }
+
+    /// @notice With the fix applied, payments and cashouts continue to work even after
+    /// a rejected ruleset + large cycle gap.
+    function test_weightCache_terminalOperationsWorkAfterFix() public {
+        // Set up terminal for the project.
+        JBAccountingContext[] memory accountingContexts = new JBAccountingContext[](1);
+        accountingContexts[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory terminalConfigs = new JBTerminalConfig[](1);
+        terminalConfigs[0] =
+            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContexts});
+
+        // Launch with terminals.
+        JBRulesetConfig[] memory rulesetConfigurations = new JBRulesetConfig[](1);
+        rulesetConfigurations[0] = JBRulesetConfig({
+            mustStartAtOrAfter: 0,
+            duration: 1,
+            weight: 1000e18,
+            weightCutPercent: 1,
+            approvalHook: _rejectHook,
+            metadata: JBRulesetMetadata({
+                reservedPercent: 0,
+                cashOutTaxRate: 0,
+                baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+                pausePay: false,
+                pauseCreditTransfers: false,
+                allowOwnerMinting: false,
+                allowSetCustomToken: false,
+                allowTerminalMigration: false,
+                allowSetTerminals: false,
+                ownerMustSendPayouts: false,
+                allowSetController: false,
+                allowAddAccountingContext: true,
+                allowAddPriceFeed: false,
+                holdFees: false,
+                useTotalSurplusForCashOuts: true,
+                useDataHookForPay: false,
+                useDataHookForCashOut: false,
+                dataHook: address(0),
+                metadata: 0
+            }),
+            splitGroups: new JBSplitGroup[](0),
+            fundAccessLimitGroups: new JBFundAccessLimitGroup[](0)
+        });
+
+        vm.prank(_projectOwner);
+        _projectId = _controller.launchProjectFor({
+            owner: _projectOwner,
+            projectUri: "ipfs://test",
+            rulesetConfigurations: rulesetConfigurations,
+            terminalConfigurations: terminalConfigs,
+            memo: ""
+        });
+
+        // Make a payment so there are funds in the terminal.
+        address payer = makeAddr("payer");
+        vm.deal(payer, 10 ether);
+        vm.prank(payer);
+        jbMultiTerminal().pay{value: 5 ether}({
+            projectId: _projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: 5 ether,
+            beneficiary: payer,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: ""
+        });
+
+        // Capture the base ruleset (A) ID before queuing a rejected one.
+        uint256 baseRulesetId = _rulesets.currentOf(_projectId).id;
+
+        // Queue a rejected ruleset.
+        vm.prank(_projectOwner);
+        _controller.queueRulesetsOf({projectId: _projectId, rulesetConfigurations: _buildRejectedConfig(), memo: ""});
+
+        // Warp beyond 20k cycles.
+        vm.warp(block.timestamp + 20_001);
+
+        // Update the cache for the active base ruleset (A), not the rejected latest (B).
+        _rulesets.updateRulesetWeightCache(_projectId, baseRulesetId);
+
+        // Payments should succeed after cache update.
+        vm.deal(payer, 1 ether);
+        vm.prank(payer);
+        jbMultiTerminal().pay{value: 1 ether}({
+            projectId: _projectId,
+            token: JBConstants.NATIVE_TOKEN,
+            amount: 1 ether,
+            beneficiary: payer,
+            minReturnedTokens: 0,
+            memo: "",
+            metadata: ""
+        });
+
+        uint256 tokenBalance = jbTokens().totalBalanceOf(payer, _projectId);
+        assertGt(tokenBalance, 0, "Payer should have tokens after fix");
+    }
+}

package/test/formal/BondingCurveProperties.t.sol

@@ -192,7 +192,7 @@ contract BondingCurveProperties is Test {
         uint256 secondResult = JBCashOuts.cashOutFrom(remainingSurplus, b, remainingSupply, cashOutTaxRate);
 
         // NOTE: Strict subadditivity (firstResult + secondResult <= singleResult) was proven to be
-        // violated due to mulDiv rounding accumulation (FV-1 in AUDIT_FINDINGS.md).
+        // violated due to mulDiv rounding accumulation.
         // The violation is bounded by rounding precision and is economically insignificant (~0.00001%).
         // We verify the weaker property: the excess is bounded by rounding tolerance.
         if (firstResult + secondResult > singleResult) {
@@ -228,7 +228,7 @@ contract BondingCurveProperties is Test {
 
         uint256 secondResult = JBCashOuts.cashOutFrom(remainingSurplus, b, remainingSupply, cashOutTaxRate);
 
-        // NOTE: Strict subadditivity violated due to mulDiv rounding (FV-1 in AUDIT_FINDINGS.md).
+        // NOTE: Strict subadditivity violated due to mulDiv rounding.
         // Verify the weaker property: excess bounded by rounding tolerance (< 0.01%).
         if (firstResult + secondResult > singleResult) {
             uint256 excess = (firstResult + secondResult) - singleResult;

package/test/invariants/handlers/RulesetsHandler.sol

@@ -106,6 +106,6 @@ contract RulesetsHandler is Test {
 
     /// @notice Update the weight cache for the project.
     function updateWeightCache() public {
-        try rulesets.updateRulesetWeightCache(projectId) {} catch {}
+        try rulesets.updateRulesetWeightCache(projectId, rulesets.latestRulesetIdOf(projectId)) {} catch {}
     }
 }

package/test/units/static/JBFundAccessLimits/TestFundAccessLimitsEdge.sol

@@ -52,7 +52,7 @@ contract TestFundAccessLimitsEdge_Local is JBTest {
         // Query all limits — should have 2 entries now (both with currency=1, amount=1000).
         JBCurrencyAmount[] memory allLimits = limits.payoutLimitsOf(PROJECT_ID, RULESET_ID, TERMINAL, TOKEN);
 
-        // BUG CONFIRMED: Two entries instead of one.
+        // Two entries instead of one.
         assertEq(allLimits.length, 2, "BUG: Limits accumulated instead of being replaced");
         assertEq(allLimits[0].amount, 1000, "First accumulated limit");
         assertEq(allLimits[1].amount, 1000, "Second accumulated limit");

package/test/units/static/JBMetadataResolver/TestMetadataResolverM20M21.sol

@@ -62,7 +62,7 @@ contract M20M21Harness {
     }
 }
 
-/// @notice Tests for M-20 (_sliceBytes over-copy) and M-21 (addToMetadata offset overflow).
+/// @notice Tests for _sliceBytes over-copy and addToMetadata offset overflow.
 contract TestMetadataResolverM20M21 is JBTest {
     M20M21Harness harness;
 
@@ -71,13 +71,13 @@ contract TestMetadataResolverM20M21 is JBTest {
     }
 
     //*********************************************************************//
-    // --- M-20: _sliceBytes memory over-copy --------------------------- //
+    // --- _sliceBytes memory over-copy --------------------------------- //
     //*********************************************************************//
 
     /// @notice Verifies that addToMetadata preserves all entries when adding to metadata with
     /// multiple existing entries. The _sliceBytes call at line 129 uses start > 0, which on
     /// the buggy code would over-copy and corrupt subsequent memory operations.
-    function test_M20_addToMetadataPreservesAllEntries() external view {
+    function test_addToMetadataPreservesAllEntries() external view {
         bytes4 id1 = bytes4(0x11111111);
         bytes4 id2 = bytes4(0x22222222);
         bytes4 id3 = bytes4(0x33333333);
@@ -116,7 +116,7 @@ contract TestMetadataResolverM20M21 is JBTest {
 
     /// @notice Test with 4 sequential addToMetadata calls, each exercising _sliceBytes.
     /// More entries = more start > 0 cases = more chances for memory corruption.
-    function test_M20_multipleSequentialAdds() external view {
+    function test_multipleSequentialAdds() external view {
         bytes4[5] memory ids =
             [bytes4(0x11111111), bytes4(0x22222222), bytes4(0x33333333), bytes4(0x44444444), bytes4(0x55555555)];
         uint256[5] memory vals = [uint256(100), uint256(200), uint256(300), uint256(400), uint256(500)];
@@ -144,7 +144,7 @@ contract TestMetadataResolverM20M21 is JBTest {
     /// @notice Verify that getDataFor returns the exact expected length for non-first entries.
     /// On buggy code, _sliceBytes copies more than needed, but the returned length should still
     /// be correct. This test verifies both length and content.
-    function test_M20_getDataForReturnsCorrectLength() external view {
+    function test_getDataForReturnsCorrectLength() external view {
         bytes4 id1 = bytes4(0xAAAAAAAA);
         bytes4 id2 = bytes4(0xBBBBBBBB);
 
@@ -172,14 +172,14 @@ contract TestMetadataResolverM20M21 is JBTest {
     }
 
     //*********************************************************************//
-    // --- M-21: addToMetadata offset overflow -------------------------- //
+    // --- addToMetadata offset overflow -------------------------------- //
     //*********************************************************************//
 
     /// @notice Verifies that addToMetadata reverts when the new offset would exceed 255.
     /// Uses 6 entries (table = 1 word, 30 bytes) with data totaling 253 words → total 255 words.
     /// Adding a 7th entry via addToMetadata forces the table from 1→2 words, incrementing all
     /// offsets by 1. This pushes newOffset from 255 to 256, triggering the overflow check.
-    function test_M21_addToMetadataRevertsOnOffsetOverflow() external {
+    function test_addToMetadataRevertsOnOffsetOverflow() external {
         // 6 entries: table = ceil(6*5/32) = 1 word. firstOffset = 2.
         // 5 entries × 42 words + 1 entry × 43 words = 253 words of data.
         // Total = 1 (reserved) + 1 (table) + 253 (data) = 255 words.
@@ -213,7 +213,7 @@ contract TestMetadataResolverM20M21 is JBTest {
     /// @notice Verifies that addToMetadata works when the offset is exactly at the boundary (255).
     /// Same 6-entry table expansion setup but with 1 less data word (total 254 words),
     /// so the expanded offset is exactly 255 — the maximum valid value.
-    function test_M21_addToMetadataSucceedsAtBoundary() external view {
+    function test_addToMetadataSucceedsAtBoundary() external view {
         // 6 entries × 42 words each = 252 words of data.
         // Total = 1 (reserved) + 1 (table) + 252 (data) = 254 words.
         bytes4[] memory ids = new bytes4[](6);

package/test/units/static/JBPrices/TestPrices.sol

@@ -238,7 +238,7 @@ contract TestPrices_Local is JBPricesSetup {
             address(directory), abi.encodeCall(IJBDirectory.controllerOf, (PROJECT_ID)), abi.encode(address(this))
         );
 
-        // BUG CONFIRMED: This reverts because default feed blocks project-specific feeds.
+        // This reverts because default feed blocks project-specific feeds.
         vm.expectRevert(abi.encodeWithSelector(JBPrices.JBPrices_PriceFeedAlreadyExists.selector, defaultFeed));
         _prices.addPriceFeedFor(PROJECT_ID, _pricingCurrency, _unitCurrency, projectFeed);
     }

package/test/units/static/JBRulesets/TestRulesets.sol

@@ -550,10 +550,10 @@ contract TestJBRulesetsUnits_Local is JBTest {
         // Update the weight cache incrementally — each call advances by at most 20,000 cycles.
         // With 20,000 cycles and 10% weight cut per cycle, weight reaches 0 well before 20,000 cycles.
         // First call: advances cache by up to 20,000 cycles (weight decays to 0).
-        _rulesets.updateRulesetWeightCache(_projectId);
+        _rulesets.updateRulesetWeightCache(_projectId, _rulesets.latestRulesetIdOf(_projectId));
 
         // Second call during the same block should mirror the previous (cache already covers current time).
-        _rulesets.updateRulesetWeightCache(_projectId);
+        _rulesets.updateRulesetWeightCache(_projectId, _rulesets.latestRulesetIdOf(_projectId));
     }
 
     function test_QueueForApprovalHookDNSupportInterface() external {

package/test/units/static/JBRulesets/TestUpdateRulesetWeightCache.sol

@@ -48,7 +48,7 @@ contract TestUpdateRulesetWeightCache_Local is JBRulesetsSetup {
     function test_WhenLatestRulesetOfProjectDurationOrWeightCutPercentEQZero() external {
         // it will return without updating
 
-        _rulesets.updateRulesetWeightCache(_projectId);
+        _rulesets.updateRulesetWeightCache(_projectId, _rulesets.latestRulesetIdOf(_projectId));
     }
 
     function test_WhenLatestRulesetHasProperDurationAndWeightCutPercent() external {
@@ -86,6 +86,6 @@ contract TestUpdateRulesetWeightCache_Local is JBRulesetsSetup {
             mustStartAtOrAfter: _mustStartAt
         });
 
-        _rulesets.updateRulesetWeightCache(_projectId);
+        _rulesets.updateRulesetWeightCache(_projectId, _rulesets.latestRulesetIdOf(_projectId));
     }
 }