@bananapus/core-v6 0.0.7 → 0.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/core-v6",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -26,7 +26,7 @@
     "artifacts": "source ./.env && npx sphinx artifacts --org-id 'ea165b21-7cdc-4d7b-be59-ecdd4c26bee4' --project-name 'nana-core-v6'"
   },
   "dependencies": {
-    "@bananapus/permission-ids-v6": "^0.0.2",
+    "@bananapus/permission-ids-v6": "^0.0.4",
     "@chainlink/contracts": "^1.3.0",
     "@openzeppelin/contracts": "^5.2.0",
     "@prb/math": "^4.1.0",

package/script/DeployPeriphery.s.sol

@@ -44,6 +44,14 @@ contract DeployPeriphery is Script, Sphinx {
     /// @notice The nonce that gets used across all chains to sync deployment addresses and allow for new deployments of
     /// the same bytecode.
     uint256 private CORE_DEPLOYMENT_NONCE = 6;
+
+    /// @notice The address of the omnichain ruleset operator contract (e.g. JBOmnichainDeployer).
+    /// @dev TRUST ASSUMPTION: This address is granted implicit permission to launch rulesets, set terminals, and queue
+    /// rulesets on any project via the JBController (bypassing normal JBPermissions checks). A compromised or
+    /// incorrect operator address could manipulate any project's rulesets across chains.
+    /// @dev This address should correspond to the deterministic CREATE2 deployment of the omnichain deployer contract
+    /// from the nana-omnichain-deployers-v6 repository. Verify it matches the deployed address on all target chains
+    /// before running this script.
     address private OMNICHAIN_RULESET_OPERATOR = address(0x8f5DED85c40b50d223269C1F922A056E72101590);
 
     function configureSphinx() public override {
@@ -66,6 +74,9 @@ contract DeployPeriphery is Script, Sphinx {
     }
 
     function deploy() public sphinx {
+        // Validate the omnichain ruleset operator is set. See TRUST ASSUMPTION above.
+        require(OMNICHAIN_RULESET_OPERATOR != address(0), "Omnichain ruleset operator not set");
+
         // Deploy the ETH/USD price feed.
         IJBPriceFeed feed;
 

package/src/libraries/JBMetadataResolver.sol

@@ -115,7 +115,7 @@ library JBMetadataResolver {
 
         // Add the new entry after the last entry of the table, the new offset is the last offset + the number of words
         // taken by the last data
-        // M-21: Compute in uint256 first — casting directly to uint8 silently wraps offsets > 255.
+        // Compute in uint256 first — casting directly to uint8 silently wraps offsets > 255.
         uint256 newOffset = lastOffset + numberOfWordslastData;
         if (newOffset > 255) revert JBMetadataResolver_MetadataTooLong();
         newMetadata = abi.encodePacked(newMetadata, idToAdd, bytes1(uint8(newOffset)));
@@ -282,7 +282,7 @@ library JBMetadataResolver {
         assembly ("memory-safe") {
             let length := sub(end, start)
 
-            // M-20: Allocate memory at freemem — round up to 32-byte boundary so subsequent
+            // Allocate memory at freemem — round up to 32-byte boundary so subsequent
             // allocations do not overlap the tail of this buffer.
             slicedBytes := mload(0x40)
             mstore(0x40, and(add(add(add(slicedBytes, length), 0x20), 0x1f), not(0x1f)))
@@ -296,7 +296,7 @@ library JBMetadataResolver {
             // same for the out array
             let sliceBytesStartOfData := add(slicedBytes, 0x20)
 
-            // M-20: Copy data — bound is `length` not `end`. Using `end` (an absolute source offset)
+            // Copy data — bound is `length` not `end`. Using `end` (an absolute source offset)
             // would over-copy by `start` bytes past the allocated buffer.
             for { let i := 0 } lt(i, length) { i := add(i, 0x20) } {
                 mstore(add(sliceBytesStartOfData, i), mload(add(startBytes, i)))

package/test/AuditExploits.t.sol

@@ -4,9 +4,9 @@ pragma solidity ^0.8.6;
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 import {JBCashOuts} from "../src/libraries/JBCashOuts.sol";
 
-/// @notice Exploit PoC tests for critical vulnerability scenarios in Juicebox V5.
-/// @dev These tests target specific edge cases and potential vulnerabilities identified during audit.
-contract AuditExploits_Local is TestBaseWorkflow {
+/// @notice Tests for edge case scenarios in Juicebox V5.
+/// @dev These tests target specific edge cases and potential vulnerabilities.
+contract EdgeCases_Local is TestBaseWorkflow {
     //*********************************************************************//
     // ----------------------------- storage ----------------------------- //
     //*********************************************************************//
@@ -292,7 +292,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- Test 2: REVDeployer beforePayRecordedWith OOB (C-2) ---------- //
+    // --- Test 2: REVDeployer beforePayRecordedWith OOB ---------------- //
     //*********************************************************************//
 
     /// @notice Demonstrates that REVDeployer.beforePayRecordedWith writes to index [1] of the
@@ -937,14 +937,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // ====== CRITICAL EXPLOIT PoC TESTS ================================ //
+    // ====== EDGE CASE TESTS ============================================ //
     //*********************************************************************//
 
     //*********************************************************************//
-    // --- [C-5] Zero-Supply Cash Out Drains Entire Surplus ------------- //
+    // --- Zero-Supply Cash Out Drains Entire Surplus ------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: When totalSupply == 0 and surplus > 0, calling cashOutTokensOf with
+    /// @notice When totalSupply == 0 and surplus > 0, calling cashOutTokensOf with
     ///         cashOutCount = 0 returns the ENTIRE surplus without burning any tokens.
     /// @dev Attack flow:
     ///      1. Project is funded via addToBalanceOf (no tokens minted)
@@ -952,7 +952,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     ///      3. JBCashOuts.cashOutFrom: 0 >= 0 → true → returns full surplus
     ///      4. JBMultiTerminal: cashOutCount != 0 is false → no burn
     ///      5. Attacker receives full surplus minus fee
-    function test_C5_zeroSupplyCashOut_drainsEntireSurplus() public {
+    function test_zeroSupplyCashOut_drainsEntireSurplus() public {
         // --- Setup: create a project with 0% cash out tax ---
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
 
@@ -982,7 +982,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // After fix: cashOutCount == 0 → early return 0
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
-        assertEq(reclaimFromLibrary, 0, "FIX CONFIRMED: cashOutFrom(surplus, 0, 0, rate) returns 0");
+        assertEq(reclaimFromLibrary, 0, "cashOutFrom(surplus, 0, 0, rate) returns 0");
 
         // --- Verify the exploit is now blocked ---
         address attacker = makeAddr("attacker");
@@ -1006,22 +1006,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         uint256 ethReceived = attackerEthAfter - attackerEthBefore;
 
         // --- Verify the exploit is blocked ---
-        assertEq(reclaimAmount, 0, "FIX: attacker receives nothing when cashing out 0 tokens");
-        assertEq(ethReceived, 0, "FIX: no ETH transferred to attacker");
+        assertEq(reclaimAmount, 0, "attacker receives nothing when cashing out 0 tokens");
+        assertEq(ethReceived, 0, "no ETH transferred to attacker");
 
         // Terminal balance should be unchanged — not drained.
         uint256 terminalBalanceAfter =
             jbTerminalStore().balanceOf(address(_terminal), projectId, JBConstants.NATIVE_TOKEN);
-        assertEq(terminalBalanceAfter, fundAmount, "FIX: terminal balance preserved");
+        assertEq(terminalBalanceAfter, fundAmount, "terminal balance preserved");
 
         // Attacker never had any tokens.
         uint256 attackerTokens = _tokens.totalBalanceOf(attacker, projectId);
         assertEq(attackerTokens, 0, "attacker never held any tokens");
     }
 
-    /// @notice PoC variant: Same attack but with a cash out tax rate.
+    /// @notice Same scenario but with a cash out tax rate.
     ///         Even with a tax, the attacker drains surplus (fee goes to project #1).
-    function test_C5_zeroSupplyCashOut_withTaxRate() public {
+    function test_zeroSupplyCashOut_withTaxRate() public {
         // 50% cash out tax rate
         uint256 projectId = _launchProject({cashOutTaxRate: 5000, reservedPercent: 0});
 
@@ -1043,7 +1043,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // After fix: cashOutCount == 0 → early return 0, regardless of tax rate.
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: fundAmount, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 5000});
-        assertEq(reclaimFromLibrary, 0, "FIX: 0 returned even with 50% tax when cashOutCount=0");
+        assertEq(reclaimFromLibrary, 0, "0 returned even with 50% tax when cashOutCount=0");
 
         // Verify exploit is blocked.
         address attacker = makeAddr("attacker");
@@ -1063,12 +1063,12 @@ contract AuditExploits_Local is TestBaseWorkflow {
         uint256 ethReceived = attacker.balance - attackerEthBefore;
 
         // After fix: attacker gets nothing.
-        assertEq(ethReceived, 0, "FIX: attacker receives nothing with 0 tokens burned");
-        assertEq(reclaimAmount, 0, "FIX: reclaim is 0");
+        assertEq(ethReceived, 0, "attacker receives nothing with 0 tokens burned");
+        assertEq(reclaimAmount, 0, "reclaim is 0");
     }
 
-    /// @notice PoC variant: Repeatable attack. After all tokens are burned, attacker drains surplus.
-    function test_C5_zeroSupplyCashOut_afterAllTokensBurned() public {
+    /// @notice After all tokens are burned, calling cashOut with 0 returns nothing.
+    function test_zeroSupplyCashOut_afterAllTokensBurned() public {
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 0});
 
         vm.prank(_projectOwner);
@@ -1119,18 +1119,18 @@ contract AuditExploits_Local is TestBaseWorkflow {
         });
 
         // After fix: cashing out 0 tokens returns 0, treasury is safe.
-        assertEq(stolen, 0, "FIX: attacker cannot steal funds after tokens were burned");
-        assertEq(attacker.balance, 0, "FIX: attacker receives no ETH");
+        assertEq(stolen, 0, "cannot extract funds after tokens were burned");
+        assertEq(attacker.balance, 0, "no ETH received");
     }
 
     //*********************************************************************//
-    // --- [C-2] REVDeployer.beforePayRecordedWith Array OOB (Enhanced)-- //
+    // --- REVDeployer.beforePayRecordedWith Array OOB (Enhanced)-------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates the exact Solidity panic that occurs in REVDeployer when
+    /// @notice Demonstrates the exact Solidity panic that occurs in REVDeployer when
     ///         usesTiered721Hook=false and usesBuybackHook=true.
     ///         This mirrors REVDeployer.sol lines 248-258 exactly.
-    function test_C2_beforePayRecordedWith_fullOOBPattern() public {
+    function test_beforePayRecordedWith_fullOOBPattern() public {
         // Simulate all 4 combinations and verify only the problematic one reverts.
         bool[4] memory tiered = [false, true, false, true];
         bool[4] memory buyback = [false, false, true, true];
@@ -1165,13 +1165,13 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [C-4] REVDeployer.hasMintPermissionFor address(0) call ------- //
+    // --- REVDeployer.hasMintPermissionFor address(0) call ------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates that calling a function on address(0) reverts.
+    /// @notice Demonstrates that calling a function on address(0) reverts.
     ///         This mirrors REVDeployer.sol line 353 where buybackHook.hasMintPermissionFor(...)
     ///         is called when buybackHookOf[revnetId] == address(0).
-    function test_C4_hasMintPermissionFor_callOnAddressZero() public {
+    function test_hasMintPermissionFor_callOnAddressZero() public {
         // The bug is in the short-circuit evaluation of:
         //   addr == loansOf[revnetId]              // false (addr is some real address)
         //   || addr == address(buybackHook)         // false (buybackHook is address(0), addr is not)
@@ -1206,22 +1206,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // The call succeeds (returns false from empty contract) but has no return data.
         // Solidity's interface-based call would revert because it expects abi-encoded bool.
         if (success && data.length < 32) {
-            revert("C-4 confirmed: call to address(0) returns empty data, ABI decode reverts");
+            revert("confirmed: call to address(0) returns empty data, ABI decode reverts");
         }
         if (!success) {
-            revert("C-4 confirmed: call to address(0) reverted directly");
+            revert("confirmed: call to address(0) reverted directly");
         }
     }
 
     //*********************************************************************//
-    // --- [C-1] REVLoans uint112 Truncation Pattern -------------------- //
+    // --- REVLoans uint112 Truncation Pattern --------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates silent uint112 truncation.
+    /// @notice Demonstrates silent uint112 truncation.
     ///         This mirrors REVLoans.sol lines 922-923 where:
     ///           loan.amount = uint112(newBorrowAmount);
     ///           loan.collateral = uint112(newCollateralCount);
-    function test_C1_uint112SilentTruncation() public pure {
+    function test_uint112SilentTruncation() public pure {
         // Values that exceed uint112.max
         uint256 hugeCollateral = uint256(type(uint112).max) + 1000 ether;
         uint256 hugeBorrow = uint256(type(uint112).max) + 500 ether;
@@ -1249,14 +1249,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // If attacker repays truncatedBorrow (tiny), they get back truncatedCollateral (tiny).
         // But they already received hugeBorrow worth of funds from the surplus.
         // Net theft = hugeBorrow - truncatedBorrow
-        assertGt(borrowProfit, 999 ether, "EXPLOIT: attacker steals >999 ETH from truncation of 1000 ETH overflow");
+        assertGt(borrowProfit, 999 ether, "attacker extracts >999 ETH from truncation of 1000 ETH overflow");
     }
 
     //*********************************************************************//
-    // --- [C-3] REVLoans Reentrancy Pattern ----------------------------- //
+    // --- REVLoans Reentrancy Pattern ----------------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Demonstrates the CEI violation pattern in REVLoans._adjust.
+    /// @notice Demonstrates the CEI violation pattern in REVLoans._adjust.
     ///         The contract makes external calls (useAllowanceOf, feeTerminal.pay, _transferFrom)
     ///         BEFORE writing loan.amount and loan.collateral at lines 921-923.
     ///
@@ -1264,7 +1264,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     ///
     /// @dev The actual exploit requires a full REVLoans deployment which is in revnet-core-v5.
     ///      This test demonstrates the PATTERN: external call before state write.
-    function test_C3_reentrancyPattern_externalCallBeforeStateWrite() public {
+    function test_reentrancyPattern_externalCallBeforeStateWrite() public {
         // Deploy a mock "victim" contract that follows the vulnerable pattern.
         ReentrancyVictim victim = new ReentrancyVictim();
 
@@ -1280,26 +1280,22 @@ contract AuditExploits_Local is TestBaseWorkflow {
         attacker.attack();
 
         // The attacker extracted more than they should have.
-        assertGt(
-            address(attacker).balance,
-            10 ether,
-            "EXPLOIT: attacker extracted more than single borrow allows (re-entered)"
-        );
+        assertGt(address(attacker).balance, 10 ether, "attacker extracted more than single borrow allows (re-entered)");
 
         // The victim was drained below expected.
         assertLt(address(victim).balance, 10 ether, "victim was over-drained");
     }
 
     //*********************************************************************//
-    // --- [M-1] Held Fee Reentrancy ----------------------------------- //
+    // --- Held Fee Reentrancy ----------------------------------------- //
     //*********************************************************************//
 
-    /// @notice PoC: Verifies that the M-1 held fee reentrancy fix works correctly.
+    /// @notice Verifies that the held fee reentrancy fix works correctly.
     ///         A reentrant fee terminal calls back into processHeldFeesOf during pay().
     ///         Before the fix, the same fee would be processed twice. After the fix,
     ///         the index is advanced before the external call (CEI pattern), so the
     ///         reentrant call processes zero fees.
-    function test_M1_heldFeeReentrancy_blocked() public {
+    function test_heldFeeReentrancy_blocked() public {
         // --- Step 1: Launch fee project (project #1) with the standard terminal ---
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1466,9 +1462,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // With the fix (CEI): the reentrant call sees the index already advanced,
         // so it only processes the remaining fees (not the same fee again).
         // Total pay calls should be exactly 2 (one per held fee), not 3+ (which would indicate double-processing).
-        assertEq(
-            reentrantTerminal.payCallCount(), 2, "M-1 FIX: exactly 2 pay calls (no double-processing from reentrancy)"
-        );
+        assertEq(reentrantTerminal.payCallCount(), 2, "exactly 2 pay calls (no double-processing from reentrancy)");
 
         // Held fees should all be consumed.
         JBFee[] memory remainingFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
@@ -1476,7 +1470,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     /// @notice Verify processHeldFeesOf correctly handles partial unlock (some locked, some unlocked).
-    function test_M1_partialLockedFees() public {
+    function test_partialLockedFees() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1637,14 +1631,14 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [H-3] Approval Hook Revert DoS (NEW - no test existed) ------- //
+    // --- Approval Hook Revert DoS ------------------------------------ //
     //*********************************************************************//
 
-    /// @notice PoC: A malicious approval hook that reverts on approvalStatusOf() causes
+    /// @notice A malicious approval hook that reverts on approvalStatusOf() causes
     ///         currentOf() to revert when the NEXT ruleset (queued or auto-cycled) needs
     ///         approval from the hook. This permanently freezes the project.
     ///         Affects JBRulesets (NOT fixed).
-    function test_H3_approvalHookRevertDoS() public {
+    function test_approvalHookRevertDoS() public {
         // Deploy a malicious approval hook that always reverts
         MaliciousApprovalHook maliciousHook = new MaliciousApprovalHook();
 
@@ -1759,30 +1753,30 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // currentOf no longer reverts — it treats the approval as Failed and falls back
         // to the most recent approved ruleset. The project is NOT frozen.
         JBRuleset memory currentRuleset = jbRulesets().currentOf(projectId);
-        assertGt(currentRuleset.id, 0, "H-3 FIX: project is not frozen, currentOf succeeds");
+        assertGt(currentRuleset.id, 0, "project is not frozen, currentOf succeeds");
     }
 
     //*********************************************************************//
-    // --- [C-5] V5.1 Regression: Verify Fix Works ---------------------- //
+    // --- V5.1 Regression: Verify Fix Works ----------------------------- //
     //*********************************************************************//
 
-    /// @notice Verify that the C-5 zero-supply cash-out exploit is still present in V5.0
-    ///         but the V5.1 rulesets should handle rulesets correctly (C-5 is a different
-    ///         bug from the rulesets fix - C-5 is in JBCashOuts library).
-    /// @dev Confirms the C-5 fix: cashing out 0 tokens returns 0, not the full surplus.
-    function test_C5_v51_zeroSupplyCashOut_fixedInLibrary() public pure {
-        // C-5 was in JBCashOuts.cashOutFrom: when cashOutCount=0 and totalSupply=0,
+    /// @notice Verify that the zero-supply cash-out exploit is still present in V5.0
+    ///         but the V5.1 rulesets should handle rulesets correctly (the zero-supply bug
+    ///         is a different bug from the rulesets fix - it is in JBCashOuts library).
+    /// @dev Confirms the fix: cashing out 0 tokens returns 0, not the full surplus.
+    function test_v51_zeroSupplyCashOut_fixedInLibrary() public pure {
+        // The bug was in JBCashOuts.cashOutFrom: when cashOutCount=0 and totalSupply=0,
         // the function returned the full surplus instead of 0.
         // The fix adds an early return of 0 when cashOutCount == 0.
         uint256 reclaimFromLibrary =
             JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 0, totalSupply: 0, cashOutTaxRate: 0});
 
         // Cashing out 0 tokens should return 0, not the full surplus.
-        assertEq(reclaimFromLibrary, 0, "C-5 FIX: cashOutFrom(surplus, 0, 0, rate) should return 0");
+        assertEq(reclaimFromLibrary, 0, "cashOutFrom(surplus, 0, 0, rate) should return 0");
     }
 
-    /// @notice Verify C-5 does not manifest when totalSupply > 0 (normal operation).
-    function test_C5_v51_normalOperation_cashOut_safe() public pure {
+    /// @notice Verify the zero-supply bug does not manifest when totalSupply > 0 (normal operation).
+    function test_v51_normalOperation_cashOut_safe() public pure {
         // With non-zero supply and non-zero cashOutCount, the bonding curve works correctly
         uint256 reclaimable =
             JBCashOuts.cashOutFrom({surplus: 10 ether, cashOutCount: 500e18, totalSupply: 1000e18, cashOutTaxRate: 0});
@@ -1792,11 +1786,11 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [L-5] Held Fees Storage Cleanup ------------------------------ //
+    // --- Held Fees Storage Cleanup ------------------------------------ //
     //*********************************************************************//
 
     /// @notice Verifies that processHeldFeesOf deletes processed entries and resets array+index when done.
-    function test_L5_heldFeesStorageCleanup() public {
+    function test_heldFeesStorageCleanup() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -1930,7 +1924,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
 
         // After processing all, the array should be fully reset (not just emptied).
         JBFee[] memory remaining = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(remaining.length, 0, "L-5: all fees processed and array cleaned");
+        assertEq(remaining.length, 0, "all fees processed and array cleaned");
 
         // Creating new fees after cleanup should work from index 0 (array was reset).
         vm.deal(address(this), 2 ether);
@@ -1957,16 +1951,16 @@ contract AuditExploits_Local is TestBaseWorkflow {
 
         // Should have 1 new fee (not 4 = 3 deleted + 1 new).
         JBFee[] memory newFees = _terminal.heldFeesOf(projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(newFees.length, 1, "L-5: new fee after array reset works correctly");
+        assertEq(newFees.length, 1, "new fee after array reset works correctly");
     }
 
     //*********************************************************************//
-    // --- [L-8] Ruleset Start Time After Base Ruleset ------------------ //
+    // --- Ruleset Start Time After Base Ruleset ------------------------ //
     //*********************************************************************//
 
     /// @notice Verifies that a queued ruleset's start time is bumped to at least
-    ///         the base ruleset's start time (L-8 fix).
-    function test_L8_rulesetStartsAfterBaseRuleset() public {
+    ///         the base ruleset's start time.
+    function test_rulesetStartsAfterBaseRuleset() public {
         // Launch fee project.
         JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
         JBAccountingContext[] memory tokensToAccept = new JBAccountingContext[](1);
@@ -2026,7 +2020,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         assertGt(firstStart, 0, "first ruleset should have a start time");
 
         // Queue a second ruleset with mustStartAtOrAfter=0 (meaning "as soon as possible").
-        // Without the L-8 fix, this could theoretically derive a start before the base ruleset.
+        // Without the fix, this could theoretically derive a start before the base ruleset.
         JBRulesetConfig[] memory secondConfig = new JBRulesetConfig[](1);
         secondConfig[0].mustStartAtOrAfter = 0; // Key: asking for earliest possible
         secondConfig[0].duration = 30 days;
@@ -2041,15 +2035,15 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // Get the queued ruleset.
         (JBRuleset memory queued,) = jbRulesets().latestQueuedOf(projectId);
 
-        // L-8 fix: the queued ruleset must start at or after the base ruleset's start.
-        assertGe(queued.start, firstStart, "L-8: queued ruleset must start at or after base ruleset");
+        // Fix: the queued ruleset must start at or after the base ruleset's start.
+        assertGe(queued.start, firstStart, "queued ruleset must start at or after base ruleset");
 
         // It should start at the next cycle boundary (firstStart + duration).
         assertEq(queued.start, firstStart + 30 days, "queued ruleset starts at next cycle boundary");
     }
 
     //*********************************************************************//
-    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    // --- Pending Reserves Inflate cashOutWeight (property test)-------- //
     //*********************************************************************//
 
     //*********************************************************************//
@@ -2507,13 +2501,13 @@ contract AuditExploits_Local is TestBaseWorkflow {
     }
 
     //*********************************************************************//
-    // --- [H-4] Pending Reserves Inflate cashOutWeight (property test)-- //
+    // --- Pending Reserves Inflate cashOutWeight (property test)-------- //
     //*********************************************************************//
 
     /// @notice Property: cashOut reclaim with pending reserves <= cashOut reclaim after reserves distributed.
     /// @dev When there are pending reserved tokens that haven't been distributed, they should
     ///      not inflate the denominator used for cash-out calculations.
-    function test_H4_pendingReserves_cashOutProperty() public {
+    function test_pendingReserves_cashOutProperty() public {
         // Launch project with 50% reserved rate
         uint256 projectId = _launchProject({cashOutTaxRate: 0, reservedPercent: 5000});
 
@@ -2529,7 +2523,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
             token: JBConstants.NATIVE_TOKEN,
             beneficiary: _beneficiary,
             minReturnedTokens: 0,
-            memo: "H-4 test",
+            memo: "test",
             metadata: new bytes(0)
         });
 
@@ -2589,7 +2583,7 @@ contract AuditExploits_Local is TestBaseWorkflow {
         // share decreases, so reclaimable should decrease or stay the same.
         // With 0% cashOutTaxRate and linear redemption: reclaimable = surplus * tokens / totalSupply
         // After reserves: totalSupply is larger, so reclaimable is smaller.
-        assertLe(reclaimAfter, reclaimBefore, "H-4 property: reclaim after reserves distributed <= reclaim before");
+        assertLe(reclaimAfter, reclaimBefore, "reclaim after reserves distributed <= reclaim before");
     }
 }
 
@@ -2638,7 +2632,7 @@ contract ReentrancyAttacker {
     }
 }
 
-/// @notice Malicious fee terminal that reenters processHeldFeesOf during pay(), demonstrating M-1.
+/// @notice Malicious fee terminal that reenters processHeldFeesOf during pay().
 contract ReentrantFeeTerminal is ERC165 {
     IJBMultiTerminal public immutable victim;
     uint256 public immutable targetProjectId;
@@ -2694,7 +2688,7 @@ contract ReentrantFeeTerminal is ERC165 {
     receive() external payable {}
 }
 
-/// @notice Malicious approval hook that always reverts, demonstrating H-3 DoS.
+/// @notice Malicious approval hook that always reverts.
 contract MaliciousApprovalHook is ERC165, IJBRulesetApprovalHook {
     function DURATION() external pure override returns (uint256) {
         return 1 days;

package/test/FlashLoanAttacks.t.sol

@@ -262,15 +262,15 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
     }
 
     // ═══════════════════════════════════════════════════════════════════
-    //  Test 5: C-5 regression — cashOut(0) with totalSupply==0 must return 0
+    //  Test 5: Regression — cashOut(0) with totalSupply==0 must return 0
     // ═══════════════════════════════════════════════════════════════════
 
-    /// @notice C-5 was a V5 audit finding where cashOut(0) with totalSupply==0 returned the entire surplus.
+    /// @notice Regression test: cashOut(0) with totalSupply==0 previously returned the entire surplus.
     /// @dev In V5, `cashOutCount >= totalSupply` (0 >= 0) was true and returned the full surplus before
     /// checking for zero cashOutCount. Fixed since V5.1: `JBCashOuts.cashOutFrom` returns 0 when
     /// cashOutCount==0 (line 31) before reaching the `cashOutCount >= totalSupply` check (line 37).
     /// This test verifies the fix holds.
-    function test_C5_variant_addToBalance_zeroCashOut() public {
+    function test_variant_addToBalance_zeroCashOut() public {
         // Add to balance when no tokens exist
         vm.deal(address(0xD000), 5 ether);
         vm.prank(address(0xD000));
@@ -297,7 +297,7 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
                 metadata: new bytes(0)
             });
 
-        assertEq(reclaimAmount, 0, "C-5 regression: cashOut(0) must return 0");
+        assertEq(reclaimAmount, 0, "Regression: cashOut(0) must return 0");
     }
 
     // ═══════════════════════════════════════════════════════════════════
@@ -350,11 +350,11 @@ contract FlashLoanAttacks_Local is TestBaseWorkflow {
     }
 
     // ═══════════════════════════════════════════════════════════════════
-    //  Test 8: H-4 reserved token inflation — cashOut timing
+    //  Test 8: Reserved token inflation — cashOut timing
     // ═══════════════════════════════════════════════════════════════════
 
     function test_reservedTokenInflation_cashOutTiming() public {
-        // Launch a project with 20% reserved to test H-4
+        // Launch a project with 20% reserved to test inflation
         JBRulesetConfig[] memory rulesetConfig = new JBRulesetConfig[](1);
         rulesetConfig[0].mustStartAtOrAfter = 0;
         rulesetConfig[0].duration = 0;

package/test/TestCashOutTimingEdge.sol

@@ -4,7 +4,7 @@ pragma solidity ^0.8.6;
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 import {JBCashOuts} from "../src/libraries/JBCashOuts.sol";
 
-/// @notice Edge case tests for cross-ruleset cash outs and pending reserves inflation (H-4).
+/// @notice Edge case tests for cross-ruleset cash outs and pending reserves inflation.
 /// Demonstrates that pending reserved tokens inflate totalSupply in cash-out calculations,
 /// systematically undervaluing cash-outs until reserves are distributed.
 contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
@@ -92,7 +92,7 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
         _controller.deployERC20For(_projectId, "Test", "TST", bytes32(0));
     }
 
-    /// @notice H-4 CONFIRMATION: Pending reserves inflate totalSupply, reducing cash-out value.
+    /// @notice Pending reserves inflate totalSupply, reducing cash-out value.
     /// When reserves exist but haven't been distributed, totalTokenSupplyWithReservedTokensOf
     /// includes them in the denominator, making each token worth less.
     function test_pendingReserves_inflateSupply_reduceCashOut() external {
@@ -134,8 +134,8 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
             surplus: surplus, cashOutCount: payerTokens, totalSupply: circulatingSupply, cashOutTaxRate: 5000
         });
 
-        // H-4 CONFIRMED: Cash-out with pending reserves is LESS than without.
-        assertLt(reclaimWithInflation, reclaimWithoutInflation, "H-4: Pending reserves reduce cash-out value");
+        // Cash-out with pending reserves is LESS than without.
+        assertLt(reclaimWithInflation, reclaimWithoutInflation, "Pending reserves reduce cash-out value");
 
         // Quantify the impact.
         uint256 lostValue = reclaimWithoutInflation - reclaimWithInflation;
@@ -177,7 +177,7 @@ contract TestCashOutTimingEdge_Local is TestBaseWorkflow {
         assertEq(totalAfter, totalBefore, "Total supply unchanged after distribution");
 
         // Cash-out value should be the same since total didn't change.
-        // The fix for H-4 would be: don't include pending reserves in totalSupply.
+        // One approach: don't include pending reserves in totalSupply.
         uint256 reclaimAfter = JBCashOuts.cashOutFrom({
             surplus: surplus, cashOutCount: payerTokens, totalSupply: totalAfter, cashOutTaxRate: 5000
         });

package/test/TestDurationUnderflow.sol

@@ -21,7 +21,7 @@ contract JBRulesetsHarness is JBRulesets {
     }
 }
 
-/// @notice Tests for M-19: duration underflow fix in `_simulateCycledRulesetBasedOn`.
+/// @notice Tests for duration underflow fix in `_simulateCycledRulesetBasedOn`.
 ///
 /// The fix guards against arithmetic underflow when `baseRuleset.duration >= block.timestamp`.
 /// Without the fix, `block.timestamp - baseRuleset.duration + 1` wraps around to ~2^256,

package/test/TestFees.sol

@@ -481,7 +481,7 @@ contract TestFees_Local is TestBaseWorkflow {
         assertEq(_persistingFee.length, 1);
     }
 
-    function test_AuditFinding4POC() external {
+    function test_doubleFeeEdgeCase() external {
         vm.skip(true);
 
         // Setup: Pay the zero project so the terminal has balance of 1 eth from another project.
@@ -537,10 +537,10 @@ contract TestFees_Local is TestBaseWorkflow {
         // Check the unlock timestamp
         assertEq(_checkOgFee[0].unlockTimestamp, block.timestamp + 2_419_200);
 
-        // Audit Example correctly asserts that the fee amount is 1 ETH
+        // The fee amount is 1 ETH
         assertEq(_checkOgFee[0].amount, _nativeDistLimit);
 
-        // Audit Example correctly asserts that the projects balance in terminal store will be zero.
+        // The project's balance in terminal store will be zero.
         uint256 project2BalanceStore =
             jbTerminalStore().balanceOf(address(_terminal), _projectId, JBConstants.NATIVE_TOKEN);
         assertEq(project2BalanceStore, 0);

package/test/TestMigrationHeldFees.sol

@@ -3,7 +3,7 @@ pragma solidity ^0.8.6;
 
 import /* {*} from */ "./helpers/TestBaseWorkflow.sol";
 
-/// @notice Confirms M-16: held fees are stranded when a terminal migrates.
+/// @notice Confirms held fees are stranded when a terminal migrates.
 /// The migration calls addToBalanceOf with shouldReturnHeldFees: false,
 /// leaving held fees in the old terminal with no balance to process them.
 contract TestMigrationHeldFees_Local is TestBaseWorkflow {
@@ -116,7 +116,7 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
         });
     }
 
-    /// @notice M-16 CONFIRMED: Pay → distribute payouts (holds fees) → migrate → fees stranded.
+    /// @notice Pay → distribute payouts (holds fees) → migrate → fees stranded.
     function test_migration_heldFeesStranded() external {
         // Step 1: Pay the project.
         _terminal.pay{value: PAY_AMOUNT}({
@@ -156,7 +156,7 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
 
         // Held fees still exist in old terminal.
         JBFee[] memory feesAfterMigration = _terminal.heldFeesOf(_projectId, JBConstants.NATIVE_TOKEN, 100);
-        assertEq(feesAfterMigration.length, heldFees.length, "M-16: Held fees remain in old terminal");
+        assertEq(feesAfterMigration.length, heldFees.length, "Held fees remain in old terminal");
     }
 
     /// @notice Process held fees FIRST, then migrate — correct approach.
@@ -244,6 +244,6 @@ contract TestMigrationHeldFees_Local is TestBaseWorkflow {
         // The fee processing attempted but the terminal has no actual ETH.
         // The _recordAddedBalanceFor in the catch block inflates the store balance
         // without actual funds — this is a phantom balance.
-        // This documents the M-16 issue: either fees are lost OR phantom balances are created.
+        // This documents the issue: either fees are lost OR phantom balances are created.
     }
 }

package/test/TestRulesetQueuingStress.sol

@@ -22,7 +22,7 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
     }
 }
 
-    /// @notice Mock approval hook that always reverts (for DoS testing — H-3 confirmation).
+    /// @notice Mock approval hook that always reverts (for DoS testing).
     contract RevertingApprovalHook is IJBRulesetApprovalHook {
         uint256 public constant override DURATION = 3 days;
 
@@ -296,10 +296,10 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
             assertGt(current.cycleNumber, 1, "Should have rolled over multiple cycles");
         }
 
-        /// @notice H-3 FIX VERIFICATION: Reverting approval hook no longer causes DoS.
+        /// @notice Reverting approval hook no longer causes DoS.
         /// The try/catch in _approvalStatusOf catches the revert and returns Failed status,
         /// so currentOf succeeds and falls back to the previous ruleset.
-        function test_approvalHook_revert_causesDoS_H3() external {
+        function test_approvalHook_revert_causesDoS() external {
             RevertingApprovalHook revertHook = new RevertingApprovalHook();
 
             uint256 pid = _launchProject(FOURTEEN_DAYS, INITIAL_WEIGHT, 0, IJBRulesetApprovalHook(address(revertHook)));
@@ -310,7 +310,7 @@ contract MockApprovalHookConfigurable is IJBRulesetApprovalHook {
             // Warp past current cycle so the queued one is checked.
             vm.warp(block.timestamp + FOURTEEN_DAYS);
 
-            // H-3 FIX: The reverting hook is caught by try/catch, treated as Failed.
+            // The reverting hook is caught by try/catch, treated as Failed.
             // currentOf succeeds and falls back to the original ruleset (weight not doubled).
             JBRuleset memory current = _rulesets.currentOf(pid);
             assertGt(current.id, 0, "currentOf should succeed, not revert");

package/test/formal/BondingCurveProperties.t.sol

@@ -192,7 +192,7 @@ contract BondingCurveProperties is Test {
         uint256 secondResult = JBCashOuts.cashOutFrom(remainingSurplus, b, remainingSupply, cashOutTaxRate);
 
         // NOTE: Strict subadditivity (firstResult + secondResult <= singleResult) was proven to be
-        // violated due to mulDiv rounding accumulation (FV-1 in AUDIT_FINDINGS.md).
+        // violated due to mulDiv rounding accumulation.
         // The violation is bounded by rounding precision and is economically insignificant (~0.00001%).
         // We verify the weaker property: the excess is bounded by rounding tolerance.
         if (firstResult + secondResult > singleResult) {
@@ -228,7 +228,7 @@ contract BondingCurveProperties is Test {
 
         uint256 secondResult = JBCashOuts.cashOutFrom(remainingSurplus, b, remainingSupply, cashOutTaxRate);
 
-        // NOTE: Strict subadditivity violated due to mulDiv rounding (FV-1 in AUDIT_FINDINGS.md).
+        // NOTE: Strict subadditivity violated due to mulDiv rounding.
         // Verify the weaker property: excess bounded by rounding tolerance (< 0.01%).
         if (firstResult + secondResult > singleResult) {
             uint256 excess = (firstResult + secondResult) - singleResult;

package/test/units/static/JBFundAccessLimits/TestFundAccessLimitsEdge.sol

@@ -52,7 +52,7 @@ contract TestFundAccessLimitsEdge_Local is JBTest {
         // Query all limits — should have 2 entries now (both with currency=1, amount=1000).
         JBCurrencyAmount[] memory allLimits = limits.payoutLimitsOf(PROJECT_ID, RULESET_ID, TERMINAL, TOKEN);
 
-        // BUG CONFIRMED: Two entries instead of one.
+        // Two entries instead of one.
         assertEq(allLimits.length, 2, "BUG: Limits accumulated instead of being replaced");
         assertEq(allLimits[0].amount, 1000, "First accumulated limit");
         assertEq(allLimits[1].amount, 1000, "Second accumulated limit");

package/test/units/static/JBMetadataResolver/TestMetadataResolverM20M21.sol

@@ -62,7 +62,7 @@ contract M20M21Harness {
     }
 }
 
-/// @notice Tests for M-20 (_sliceBytes over-copy) and M-21 (addToMetadata offset overflow).
+/// @notice Tests for _sliceBytes over-copy and addToMetadata offset overflow.
 contract TestMetadataResolverM20M21 is JBTest {
     M20M21Harness harness;
 
@@ -71,13 +71,13 @@ contract TestMetadataResolverM20M21 is JBTest {
     }
 
     //*********************************************************************//
-    // --- M-20: _sliceBytes memory over-copy --------------------------- //
+    // --- _sliceBytes memory over-copy --------------------------------- //
     //*********************************************************************//
 
     /// @notice Verifies that addToMetadata preserves all entries when adding to metadata with
     /// multiple existing entries. The _sliceBytes call at line 129 uses start > 0, which on
     /// the buggy code would over-copy and corrupt subsequent memory operations.
-    function test_M20_addToMetadataPreservesAllEntries() external view {
+    function test_addToMetadataPreservesAllEntries() external view {
         bytes4 id1 = bytes4(0x11111111);
         bytes4 id2 = bytes4(0x22222222);
         bytes4 id3 = bytes4(0x33333333);
@@ -116,7 +116,7 @@ contract TestMetadataResolverM20M21 is JBTest {
 
     /// @notice Test with 4 sequential addToMetadata calls, each exercising _sliceBytes.
     /// More entries = more start > 0 cases = more chances for memory corruption.
-    function test_M20_multipleSequentialAdds() external view {
+    function test_multipleSequentialAdds() external view {
         bytes4[5] memory ids =
             [bytes4(0x11111111), bytes4(0x22222222), bytes4(0x33333333), bytes4(0x44444444), bytes4(0x55555555)];
         uint256[5] memory vals = [uint256(100), uint256(200), uint256(300), uint256(400), uint256(500)];
@@ -144,7 +144,7 @@ contract TestMetadataResolverM20M21 is JBTest {
     /// @notice Verify that getDataFor returns the exact expected length for non-first entries.
     /// On buggy code, _sliceBytes copies more than needed, but the returned length should still
     /// be correct. This test verifies both length and content.
-    function test_M20_getDataForReturnsCorrectLength() external view {
+    function test_getDataForReturnsCorrectLength() external view {
         bytes4 id1 = bytes4(0xAAAAAAAA);
         bytes4 id2 = bytes4(0xBBBBBBBB);
 
@@ -172,14 +172,14 @@ contract TestMetadataResolverM20M21 is JBTest {
     }
 
     //*********************************************************************//
-    // --- M-21: addToMetadata offset overflow -------------------------- //
+    // --- addToMetadata offset overflow -------------------------------- //
     //*********************************************************************//
 
     /// @notice Verifies that addToMetadata reverts when the new offset would exceed 255.
     /// Uses 6 entries (table = 1 word, 30 bytes) with data totaling 253 words → total 255 words.
     /// Adding a 7th entry via addToMetadata forces the table from 1→2 words, incrementing all
     /// offsets by 1. This pushes newOffset from 255 to 256, triggering the overflow check.
-    function test_M21_addToMetadataRevertsOnOffsetOverflow() external {
+    function test_addToMetadataRevertsOnOffsetOverflow() external {
         // 6 entries: table = ceil(6*5/32) = 1 word. firstOffset = 2.
         // 5 entries × 42 words + 1 entry × 43 words = 253 words of data.
         // Total = 1 (reserved) + 1 (table) + 253 (data) = 255 words.
@@ -213,7 +213,7 @@ contract TestMetadataResolverM20M21 is JBTest {
     /// @notice Verifies that addToMetadata works when the offset is exactly at the boundary (255).
     /// Same 6-entry table expansion setup but with 1 less data word (total 254 words),
     /// so the expanded offset is exactly 255 — the maximum valid value.
-    function test_M21_addToMetadataSucceedsAtBoundary() external view {
+    function test_addToMetadataSucceedsAtBoundary() external view {
         // 6 entries × 42 words each = 252 words of data.
         // Total = 1 (reserved) + 1 (table) + 252 (data) = 254 words.
         bytes4[] memory ids = new bytes4[](6);

package/test/units/static/JBPrices/TestPrices.sol

@@ -238,7 +238,7 @@ contract TestPrices_Local is JBPricesSetup {
             address(directory), abi.encodeCall(IJBDirectory.controllerOf, (PROJECT_ID)), abi.encode(address(this))
         );
 
-        // BUG CONFIRMED: This reverts because default feed blocks project-specific feeds.
+        // This reverts because default feed blocks project-specific feeds.
         vm.expectRevert(abi.encodeWithSelector(JBPrices.JBPrices_PriceFeedAlreadyExists.selector, defaultFeed));
         _prices.addPriceFeedFor(PROJECT_ID, _pricingCurrency, _unitCurrency, projectFeed);
     }