@bananapus/router-terminal-v6 0.0.30 → 0.0.31

package/RISKS.md

@@ -1,113 +1,44 @@
-# Router Terminal Risk Register
+# Accepted Security Risks
 
-This file covers the routing, accounting-context, and liquidity-selection risks in the terminal that accepts arbitrary tokens and forwards them into a project's real accounting surface.
+Documented risks that were reviewed and accepted.
 
-## How To Use This File
+## Oracle & Slippage Risks
 
-- Read `Priority risks` first. They explain where routing convenience can diverge from accounting truth.
-- Use the later sections for token-decimal synthesis, swap-path, and integration reasoning.
-- Treat `Accepted behaviors` as explicit statements about what this terminal does not guarantee.
+**Pool-local V3 TWAP trusted as swap floor for permissionless pools.** *(Medium)*
+An attacker could deploy a manipulable pool with higher liquidity to become the selected candidate. Users should provide `quoteForSwap` metadata from off-chain sources. Mitigated by 120s minimum TWAP window and sigmoid slippage formula.
 
-## Priority Risks
+**Liquidity-based pool selection enables unsafe spot quoting.** *(Medium)*
+Pool discovery ranks candidates by instantaneous liquidity, so an attacker could inflate liquidity to force selection of a manipulable pool. Mitigated by V4 TWAP hardening and sigmoid slippage formula. Users should provide off-chain quotes for high-value swaps.
 
-| Priority | Risk | Why it matters | Primary controls |
-|----------|------|----------------|------------------|
-| P0 | Synthetic accounting context misuse | The router synthesizes best-effort decimals and routing context. If downstream systems treat it as accounting truth, they can misprice or mis-lend. | Clear docs, registry scoping, and explicit prohibition on accounting-sensitive reuse. |
-| P1 | Wrong-route or low-liquidity execution | The router chooses among direct forwarding, V3, V4, and cash-out paths. A bad route can degrade user execution. | Route-selection tests, liquidity checks, and user-specified minimum returns. |
-| P1 | Integration fragility with broken tokens | Non-standard ERC-20 metadata or transfer behavior can distort decimal inference or swap execution. | Fallback defaults, defensive probing, receipt checks on terminal-facing hops, and hostile-token testing. |
+**Harmonic-mean liquidity inflates V3 slippage tolerance.** *(Medium)*
+`OracleLibrary.consult` returns harmonic-mean liquidity, which can be deflated by brief low-liquidity periods. However, harmonic mean is more resistant to manipulation than spot liquidity. Mitigated by 120s TWAP minimum and 10-minute default observation window.
 
-## 1. Trust Assumptions
+**`quoteForSwap` / auto-selected tokenOut mismatch.** *(Minor)*
+When a user provides `quoteForSwap` metadata, the quote may not match the auto-selected output token. Frontends should set `quoteForSwap` per the expected output token.
 
-- **Uniswap V3 factory and V4 PoolManager behave correctly.** Pool discovery trusts those external systems to point at real pools.
-- **Canonical V4 hook configuration is correct.** If deployers set the wrong `UNIV4_HOOK`, the router can miss intended hooked pools.
-- **The trusted forwarder is trustworthy.** A compromised forwarder can initiate transfers on behalf of any user.
-- **`JBDirectory` resolves the right terminals.** A compromised directory can redirect funds.
-- **Permit2 allowances are intentional.** Stale approvals can be abused.
-- **The registry owner acts correctly.** The owner controls allowlisting and the default router terminal.
-- **`IJBPayerTracker` callers are trusted to name their own refund recipient.** A caller implementing `originalPayer()` can redirect leftovers from its own route.
+**Multi-hop cashout slippage cleared after first hop.** *(Minor)*
+Only the final output matters; the outer function enforces end-to-end minimum via `minReclaimed`. Intermediate per-hop slippage checks are intentionally omitted.
 
-## 2. Economic And Manipulation Risks
+**Zero oracle quote disables swap protection.** *(Minor)*
+When the oracle returns zero (no liquidity), slippage tolerance becomes zero. The swap would fail anyway due to lack of liquidity, so this has no practical impact.
 
-- **V4 price manipulation.** `_getV4Quote` tries a 30-second TWAP first. If that fails, it falls back to spot pricing, which is manipulable within the block.
-- **Hooked V4 discovery scope.** Auto-discovery checks both vanilla V4 pools and pools using the configured canonical `UNIV4_HOOK`.
-- **V3 TWAP manipulation.** Short history reduces manipulation resistance, especially in new pools.
-- **Cash-out loop value extraction.** `_cashOutLoop` is capped at 20 iterations. `cashOutMinReclaimed` only applies on the first real cash-out hop.
-- **Pre-existing balances are intentionally excluded from route refunds.** Stray balances already sitting in the router are not swept into the next caller's refund.
-- **V4 native ETH settlement is special-cased.** `_settleV4` unwraps WETH when the pool manager expects native ETH.
-- **Pool selection is liquidity-first.** `_discoverPool` picks the deepest discovered pool, not the globally best execution path.
-- **Route selection is heuristic, not best execution.** The router bounds discovery for predictability and gas, not exhaustive optimization.
+> **Note:** The V4 TWAP window was hardened from 30s to 120s. This is no longer an accepted risk -- it was fixed.
 
-## 3. Access Control
+## Registry & Forwarding Risks
 
-- **`pay` and `addToBalanceOf` are permissionless.** Anyone can route payments.
-- **Lossy terminal-facing ERC-20s are unsupported.** Final forwarded ERC-20 hops must settle exactly on the router path.
-- **Credit cash-out path depends on `TRANSFER_CREDITS`.** Broad grants of that permission widen the attack surface.
-- **The registry owner controls allowlisting and the global default.** Disallowing the current default now reverts instead of silently clearing it.
-- **Registry terminal locking can freeze a bad choice.** `lockTerminalFor` is a one-way commitment.
-- **Router accounting contexts are synthetic.** They are safe for discovery, but unsafe as accounting truth for lending, debt, or balance normalization.
+**Registry forwarding uses registry as credit holder.** *(Medium)*
+When payments flow through the registry, credits accrue to the registry address, not the original user. Credit-based cashouts must go directly to the router terminal, not through the registry. This is intentional to prevent `originalPayer()` spoofing attacks.
 
-## 4. DoS Vectors
+**Forwarding-terminal receipt bypass.** *(Minor)*
+`_isForwardingTerminal` bypasses receipt validation on incoming transfers. Forwarding terminals are registered by project owners and therefore trusted to handle receipts correctly.
 
-- **No pool exists.** If no V3 or V4 pool exists for a token pair, automatic swap routing fails.
-- **No observation history.** V3 TWAP quoting can revert on fresh pools.
-- **Cash-out loop limit.** Circular or deep token dependency chains hit `_MAX_CASHOUT_ITERATIONS = 20` and revert.
-- **Zero-liquidity pools.** Pools with no usable liquidity revert.
-- **External terminal reverts.** Final terminal calls are not wrapped in `try/catch`.
-- **Non-standard final ERC-20 transfer behavior.** Lossy terminal-facing tokens revert on the final forwarded hop.
+**Forwarder claim disables receipt check.** *(Minor)*
+Forwarding terminals registered by project owners are trusted to handle receipts correctly, so receipt validation is skipped for these callers.
 
-## 5. Integration Risks
+## Minor Configuration Risks
 
-- **Registry default terminal changes affect unlocked projects.** Projects without explicit assignments follow `defaultTerminal`.
-- **Locked bad-terminal risk remains.** Locking protects against silent migration, but also freezes any mistake.
-- **`forceApprove` is used for terminal transfers.** This resets allowance before setting a new value and avoids stale-allowance accumulation.
-- **Callback data trust matters.** `uniswapV3SwapCallback` validates the pool by reconstructing its address from the expected parameters.
-- **The contract accepts arbitrary ETH.** That is necessary for unwraps and V4 settlement, but stray ETH can remain stranded.
+**Unbounded quadratic candidate enumeration.** *(Minor)*
+`_candidatePayRouteTokens` can enumerate O(n^2) candidates in theory. Bounded in practice to ~5-10 terminals per project, keeping gas costs manageable.
 
-## 6. MEV Surface
-
-- **V3 path is TWAP-protected.** A 10-minute TWAP makes single-block manipulation much harder.
-- **V4 path is TWAP-first, spot-fallback.** When no oracle quote is available, the spot fallback is vulnerable.
-- **Cross-route arbitrage exists.** When JB routing bypasses the AMM, differences between bonding-curve price and AMM price create arbitrage opportunities.
-
-## 7. Invariants To Verify
-
-- after any `pay()` or `addToBalanceOf()`, the router should not retain balances attributable to the just-processed route
-- `minAmountOut` in swaps is never zero when TWAP or spot price is available
-- `uniswapV3SwapCallback` only transfers tokens to verified pool addresses
-- `unlockCallback` only executes when called by `POOL_MANAGER`
-- credit cash-out only transfers credits from `_msgSender()`
-- the cash-out loop always terminates: it finds a terminal, hits the loop limit, or reverts for lack of path
-
-## 8. Accepted Behaviors
-
-### 8.1 No reentrancy guard
-
-The router has no `ReentrancyGuard` or `_routing` flag. This is intentional because the router is designed as a stateless routing layer, not a persistent accounting surface. Each call must fund and resolve its own route, and a blanket reentrancy guard would break legitimate composed routing flows.
-
-### 8.2 Router trusts `originalPayer()` from any caller that implements it
-
-`_resolveRefundWithBackupRecipient` calls `IJBPayerTracker(msg.sender).originalPayer()` in a `try/catch`. If the caller returns a non-zero address, leftovers can be sent there. This is accepted because the caller already supplied the funds being routed.
-
-### 8.3 Cash-out loop slippage is first-hop only
-
-`_cashOutLoop` applies `cashOutMinReclaimed` to the first cash-out step only. Later recursive hops may reclaim different assets with different units, so reusing one minimum across the full loop would be unsound.
-
-### 8.4 Liquidity-first pool selection is intentional
-
-The router does not do an exhaustive best-execution search across every viable V3 and V4 pool. It prefers bounded discovery, lower complexity, and predictable behavior.
-
-### 8.5 Registry owns immediate circular-forward protection
-
-The router and resolver no longer contain registry-specific circular-resolution logic. `JBRouterTerminalRegistry` rejects forwarding back into its immediate caller instead.
-
-### 8.6 V4 spot fallback is an accepted risk for programmatic integrations
-
-Automatic V4 quoting first tries a hook-provided oracle observation and falls back to spot only when that quote is unavailable. The fallback is still manipulable and is accepted only as a bounded on-chain quoting path for integrations that cannot provide `quoteForSwap` metadata.
-
-### 8.7 Credit cash-outs only work when calling the router terminal directly
-
-The credit-cashout path in `_acceptFundsFor` uses `holder = _msgSender()` — the direct caller — as the credit holder. This means credit cash-outs **do not work through the `JBRouterTerminalRegistry`**, because when the registry forwards a `pay()` call, `_msgSender()` inside the router terminal resolves to the registry's address, not the original user. The registry has no credits, so `transferCreditsFrom` would fail.
-
-This is intentional. The previous design used `_resolveOriginalPayer(sender)` to recover the original user from the registry's transient `originalPayer` storage. However, any contract implementing `IJBPayerTracker.originalPayer()` could spoof a victim's address and steal their credits (H-24). The fix uses the direct sender unconditionally for credit transfers, closing the spoofing vector at the cost of registry-mediated credit flows.
-
-Users who need to cash out credits through the router should call `JBRouterTerminal.pay()` directly with `cashOutSource` metadata, not through the registry.
+**Permit2 try/catch falls through to ERC20 allowance.** *(Minor)*
+Standard Permit2 fallback pattern. If Permit2 signature verification fails, the contract falls back to standard ERC20 `transferFrom` using existing allowance.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/router-terminal-v6",
-  "version": "0.0.30",
+  "version": "0.0.31",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBPayRouteResolver.sol

@@ -340,20 +340,30 @@ contract JBPayRouteResolver is IJBPayRouteResolver {
         view
         returns (bool isCircular)
     {
-        // Treat direct self-routes as circular immediately.
-        if (address(terminal) == address(router)) return true;
-
-        // Probe via staticcall so plain terminals degrade cleanly.
-        (bool success, bytes memory data) =
-            address(terminal).staticcall(abi.encodeCall(IJBForwardingTerminal.terminalOf, (projectId)));
-
-        // Non-forwarding terminals (call fails or returns zero) are not circular.
-        if (!success || data.length < 32) return false;
-        IJBTerminal forwardingTarget = abi.decode(data, (IJBTerminal));
-        if (address(forwardingTarget) == address(0)) return false;
+        // Follow the forwarding chain up to 5 hops to detect circular routes back to the router.
+        // A bounded loop prevents infinite gas consumption from longer chains while catching realistic cycles.
+        IJBTerminal current = terminal;
+        for (uint256 i; i < 5; i++) {
+            // Treat routes back to the router as circular.
+            if (address(current) == address(router)) return true;
+
+            // Probe via staticcall so plain terminals degrade cleanly.
+            // slither-disable-next-line calls-loop
+            (bool success, bytes memory data) =
+                address(current).staticcall(abi.encodeCall(IJBForwardingTerminal.terminalOf, (projectId)));
+
+            // Non-forwarding terminals (call fails or returns zero) end the chain — not circular.
+            if (!success || data.length < 32) return false;
+            IJBTerminal forwardingTarget = abi.decode(data, (IJBTerminal));
+            if (address(forwardingTarget) == address(0)) return false;
+
+            // Follow the forwarding chain one more hop.
+            current = forwardingTarget;
+        }
 
-        // Forwarding terminals that route back into the router are circular.
-        return address(forwardingTarget) == address(router);
+        // If we followed 5 hops without finding a non-forwarding terminal or the router,
+        // treat this as a suspicious deep chain and mark it as circular to be safe.
+        return true;
     }
 
     /// @notice Normalize a token into the form the router uses for routing comparisons.
@@ -481,56 +491,6 @@ contract JBPayRouteResolver is IJBPayRouteResolver {
         routedAmountOut = routedAmountIn;
     }
 
-    /// @notice External wrapper so candidate previews can be isolated with `try/catch`.
-    /// @param router The router terminal whose preview helpers should be used.
-    /// @param projectId The destination project that would receive the payment.
-    /// @param tokenIn The token currently available to route.
-    /// @param amount The amount of `tokenIn` being previewed.
-    /// @param beneficiary The address whose beneficiary token count is being measured.
-    /// @param metadata Metadata forwarded into both the routing preview and terminal preview.
-    /// @param tokenOut The candidate destination token to preview.
-    /// @param destTerminal The terminal that accepts `tokenOut` for the destination project.
-    /// @return routedDestTerminal The terminal chosen for this candidate route.
-    /// @return routedTokenOut The routed token that would be paid into the destination terminal.
-    /// @return routedAmountOut The routed amount that would be paid into the destination terminal.
-    /// @return ruleset The ruleset returned by the terminal preview.
-    /// @return beneficiaryTokenCount The effective beneficiary token count for this candidate route.
-    /// @return reservedTokenCount The effective reserved token count for this candidate route.
-    /// @return hookSpecifications The hook specifications returned by the terminal preview.
-    function previewPayRouteForCandidate(
-        IJBPayRoutePreviewer router,
-        uint256 projectId,
-        address tokenIn,
-        uint256 amount,
-        address beneficiary,
-        bytes calldata metadata,
-        address tokenOut,
-        IJBTerminal destTerminal
-    )
-        external
-        view
-        returns (
-            IJBTerminal routedDestTerminal,
-            address routedTokenOut,
-            uint256 routedAmountOut,
-            JBRuleset memory ruleset,
-            uint256 beneficiaryTokenCount,
-            uint256 reservedTokenCount,
-            JBPayHookSpecification[] memory hookSpecifications
-        )
-    {
-        return _previewPayRouteForCandidate({
-            router: router,
-            projectId: projectId,
-            tokenIn: tokenIn,
-            amount: amount,
-            beneficiary: beneficiary,
-            metadata: metadata,
-            tokenOut: tokenOut,
-            destTerminal: destTerminal
-        });
-    }
-
     /// @notice Preview the fallback route that would be used when no candidate token can be scored directly.
     /// @param router The router terminal whose preview helpers should be used.
     /// @param destProjectId The destination project being paid.
@@ -762,6 +722,7 @@ contract JBPayRouteResolver is IJBPayRouteResolver {
         returns (IJBTerminal candidateTerminal)
     {
         // Resolve the primary terminal for the candidate token so fallback discovery agrees with preview/execution.
+        // slither-disable-next-line calls-loop
         candidateTerminal = directory.primaryTerminalOf({projectId: projectId, token: candidateToken});
 
         // Drop candidates whose primary terminal disappeared or would route straight back into the router.
@@ -773,39 +734,10 @@ contract JBPayRouteResolver is IJBPayRouteResolver {
         }
     }
 
-    /// @inheritdoc IJBPayRouteResolver
-    function usablePrimaryTerminalOf(
-        IJBPayRoutePreviewer router,
-        uint256 projectId,
-        address token
-    )
-        external
-        view
-        returns (IJBTerminal terminal)
-    {
-        return _usablePrimaryTerminalForCandidate({
-            router: router, directory: DIRECTORY, projectId: projectId, candidateToken: token
-        });
-    }
-
     //*********************************************************************//
     // ------------------------- external views -------------------------- //
     //*********************************************************************//
 
-    /// @inheritdoc IJBPayRouteResolver
-    function resolveTokenOut(
-        IJBPayRoutePreviewer router,
-        uint256 projectId,
-        address tokenIn,
-        bytes calldata metadata
-    )
-        external
-        view
-        returns (address tokenOut, IJBTerminal destTerminal)
-    {
-        return _resolveTokenOut({router: router, projectId: projectId, tokenIn: tokenIn, metadata: metadata});
-    }
-
     /// @inheritdoc IJBPayRouteResolver
     // slither-disable-next-line calls-loop
     function previewBestPayRoute(
@@ -930,27 +862,168 @@ contract JBPayRouteResolver is IJBPayRouteResolver {
                 );
         }
 
-        // Fall back to the router's generic route resolution when no candidate token could be scored directly.
+        // No candidate token could be scored — fall back to the router's generic route resolution.
+        // Uses an external self-call (`self.previewFallbackRoute`) so Solidity's try/catch can isolate
+        // reverts from broken terminals or price feeds without bricking the entire best-route preview.
+        try self.previewFallbackRoute(router, projectId, tokenIn, amount, beneficiary, metadata) returns (
+            IJBTerminal fallbackDestTerminal,
+            address fallbackTokenOut,
+            uint256 fallbackAmountOut,
+            JBRuleset memory fallbackRuleset,
+            uint256 fallbackBeneficiaryTokenCount,
+            uint256 fallbackReservedTokenCount,
+            JBPayHookSpecification[] memory fallbackHookSpecifications
+        ) {
+            destTerminal = fallbackDestTerminal;
+            tokenOut = fallbackTokenOut;
+            amountOut = fallbackAmountOut;
+            ruleset = fallbackRuleset;
+            beneficiaryTokenCount = fallbackBeneficiaryTokenCount;
+            reservedTokenCount = fallbackReservedTokenCount;
+            hookSpecifications = fallbackHookSpecifications;
+        } catch {
+            // If the fallback also fails, return default zero values — the caller gets "no route found".
+        }
+    }
+
+    /// @notice External self-call wrapper that previews the fallback route in an isolated context.
+    /// @dev Solidity's `try/catch` only works on external calls. `previewBestPayRoute` calls
+    /// `self.previewFallbackRoute(...)` so that a revert in the fallback path (e.g. a broken terminal or
+    /// price feed) is caught instead of bricking the entire best-route preview.
+    /// @dev This function should only be called by this contract itself — external callers have no reason to use it.
+    /// @param routePreviewer The router terminal whose preview helpers are used to simulate the route.
+    /// @param destProjectId The project being paid through the fallback route.
+    /// @param tokenIn The token the payer is sending.
+    /// @param amountIn The amount of `tokenIn` being routed.
+    /// @param beneficiary The address that would receive minted project tokens.
+    /// @param metadata Arbitrary bytes forwarded into route and terminal pay previews.
+    /// @return destTerminal The terminal the fallback route would deliver funds to.
+    /// @return tokenOut The token `destTerminal` would receive after any intermediate swaps.
+    /// @return amountOut The amount of `tokenOut` that would arrive at `destTerminal`.
+    /// @return ruleset The ruleset that would govern the terminal pay.
+    /// @return beneficiaryTokenCount The number of project tokens `beneficiary` would receive.
+    /// @return reservedTokenCount The number of project tokens that would be reserved.
+    /// @return hookSpecifications Any pay-hook specifications returned by the terminal preview.
+    function previewFallbackRoute(
+        IJBPayRoutePreviewer routePreviewer,
+        uint256 destProjectId,
+        address tokenIn,
+        uint256 amountIn,
+        address beneficiary,
+        bytes calldata metadata
+    )
+        external
+        view
+        returns (
+            IJBTerminal destTerminal,
+            address tokenOut,
+            uint256 amountOut,
+            JBRuleset memory ruleset,
+            uint256 beneficiaryTokenCount,
+            uint256 reservedTokenCount,
+            JBPayHookSpecification[] memory hookSpecifications
+        )
+    {
+        // Resolve which terminal and token the fallback route would use.
         (destTerminal, tokenOut, amountOut) = _previewRoute({
-            router: router, destProjectId: projectId, tokenIn: tokenIn, amount: amount, metadata: metadata
+            router: routePreviewer, destProjectId: destProjectId, tokenIn: tokenIn, amount: amountIn, metadata: metadata
         });
 
-        // Preview the final terminal pay for that fallback route.
-        (ruleset, beneficiaryTokenCount, reservedTokenCount, hookSpecifications) = router.previewTerminalPayOf({
+        // Simulate the terminal pay to get token counts and hook specs.
+        (ruleset, beneficiaryTokenCount, reservedTokenCount, hookSpecifications) = routePreviewer.previewTerminalPayOf({
             destTerminal: destTerminal,
-            projectId: projectId,
+            projectId: destProjectId,
             token: tokenOut,
             amount: amountOut,
             beneficiary: beneficiary,
             metadata: metadata
         });
 
-        // Normalize the fallback preview counts so buyback-hook metadata still affects route ranking consistently.
+        // Normalize counts to account for buyback-hook overrides.
         (beneficiaryTokenCount, reservedTokenCount) = _effectivePreviewPayTokenCounts({
-            buybackHook: router.BUYBACK_HOOK(),
+            buybackHook: routePreviewer.BUYBACK_HOOK(),
             beneficiaryTokenCount: beneficiaryTokenCount,
             reservedTokenCount: reservedTokenCount,
             hookSpecifications: hookSpecifications
         });
     }
+
+    /// @notice External wrapper so candidate previews can be isolated with `try/catch`.
+    /// @param router The router terminal whose preview helpers should be used.
+    /// @param projectId The destination project that would receive the payment.
+    /// @param tokenIn The token currently available to route.
+    /// @param amount The amount of `tokenIn` being previewed.
+    /// @param beneficiary The address whose beneficiary token count is being measured.
+    /// @param metadata Metadata forwarded into both the routing preview and terminal preview.
+    /// @param tokenOut The candidate destination token to preview.
+    /// @param destTerminal The terminal that accepts `tokenOut` for the destination project.
+    /// @return routedDestTerminal The terminal chosen for this candidate route.
+    /// @return routedTokenOut The routed token that would be paid into the destination terminal.
+    /// @return routedAmountOut The routed amount that would be paid into the destination terminal.
+    /// @return ruleset The ruleset returned by the terminal preview.
+    /// @return beneficiaryTokenCount The effective beneficiary token count for this candidate route.
+    /// @return reservedTokenCount The effective reserved token count for this candidate route.
+    /// @return hookSpecifications The hook specifications returned by the terminal preview.
+    function previewPayRouteForCandidate(
+        IJBPayRoutePreviewer router,
+        uint256 projectId,
+        address tokenIn,
+        uint256 amount,
+        address beneficiary,
+        bytes calldata metadata,
+        address tokenOut,
+        IJBTerminal destTerminal
+    )
+        external
+        view
+        returns (
+            IJBTerminal routedDestTerminal,
+            address routedTokenOut,
+            uint256 routedAmountOut,
+            JBRuleset memory ruleset,
+            uint256 beneficiaryTokenCount,
+            uint256 reservedTokenCount,
+            JBPayHookSpecification[] memory hookSpecifications
+        )
+    {
+        return _previewPayRouteForCandidate({
+            router: router,
+            projectId: projectId,
+            tokenIn: tokenIn,
+            amount: amount,
+            beneficiary: beneficiary,
+            metadata: metadata,
+            tokenOut: tokenOut,
+            destTerminal: destTerminal
+        });
+    }
+
+    /// @inheritdoc IJBPayRouteResolver
+    function resolveTokenOut(
+        IJBPayRoutePreviewer router,
+        uint256 projectId,
+        address tokenIn,
+        bytes calldata metadata
+    )
+        external
+        view
+        returns (address tokenOut, IJBTerminal destTerminal)
+    {
+        return _resolveTokenOut({router: router, projectId: projectId, tokenIn: tokenIn, metadata: metadata});
+    }
+
+    /// @inheritdoc IJBPayRouteResolver
+    function usablePrimaryTerminalOf(
+        IJBPayRoutePreviewer router,
+        uint256 projectId,
+        address token
+    )
+        external
+        view
+        returns (IJBTerminal terminal)
+    {
+        return _usablePrimaryTerminalForCandidate({
+            router: router, directory: DIRECTORY, projectId: projectId, candidateToken: token
+        });
+    }
 }

package/src/JBRouterTerminal.sol

@@ -109,7 +109,8 @@ contract JBRouterTerminal is
     uint256 internal constant _SLIPPAGE_DENOMINATOR = 10_000;
 
     /// @notice The TWAP window (in seconds) used when querying a V4 oracle hook.
-    uint32 private constant _TWAP_WINDOW = 30;
+    /// @dev Matches the V3 minimum TWAP window (MIN_TWAP_WINDOW = 120) to resist short-window manipulation.
+    uint32 private constant _TWAP_WINDOW = 120;
 
     //*********************************************************************//
     // ---------------- public immutable stored properties --------------- //
@@ -196,6 +197,7 @@ contract JBRouterTerminal is
         WETH = weth;
         // slither-disable-next-line missing-zero-check
         BUYBACK_HOOK = buybackHook;
+        // slither-disable-next-line missing-zero-check
         UNIV4_HOOK = univ4Hook;
         _PAY_ROUTE_RESOLVER = IJBPayRouteResolver(address(new JBPayRouteResolver({directory: directory, weth: weth})));
 
@@ -403,7 +405,7 @@ contract JBRouterTerminal is
 
         // Calculate the amount of tokens to send to the pool (the positive delta).
         // forge-lint: disable-next-line(unsafe-typecast)
-        uint256 amountToSendToPool = amount0Delta < 0 ? uint256(amount1Delta) : uint256(amount0Delta);
+        uint256 amountToSendToPool = amount0Delta > 0 ? uint256(amount0Delta) : uint256(amount1Delta);
 
         // Wrap native tokens if needed.
         if (tokenIn == JBConstants.NATIVE_TOKEN) _wethDeposit(amountToSendToPool);
@@ -988,6 +990,7 @@ contract JBRouterTerminal is
     /// @param token The token that terminal should accept.
     /// @return terminal The usable primary terminal, or address(0) if none is usable.
     function _usablePrimaryTerminalOf(uint256 projectId, address token) internal view returns (IJBTerminal terminal) {
+        // slither-disable-next-line calls-loop
         terminal = DIRECTORY.primaryTerminalOf({projectId: projectId, token: token});
 
         // Drop terminals that would route straight back into the router (circular).
@@ -998,6 +1001,7 @@ contract JBRouterTerminal is
         // Check if the terminal is a forwarding layer that routes back into this router.
         // Uses the same low-level staticcall pattern as _isForwardingTerminal — non-forwarding terminals degrade
         // cleanly into a no-op (success=false or empty data).
+        // slither-disable-next-line calls-loop
         (bool ok, bytes memory data) =
             address(terminal).staticcall(abi.encodeCall(IJBForwardingTerminal.terminalOf, (projectId)));
         if (ok && data.length >= 32 && address(abi.decode(data, (IJBTerminal))) == address(this)) {
@@ -1362,14 +1366,15 @@ contract JBRouterTerminal is
 
         // Ask the pool to execute an exact-input swap. The callback settles the input token after the pool
         // computes how much of the output side it owes this router.
+        // Use extreme sqrtPriceLimitX96 values to allow the swap to execute fully. Slippage is enforced
+        // by the post-swap minAmountOut check below, which is more correct than deriving a price limit
+        // from average execution rate.
         (int256 amount0, int256 amount1) = pool.swap({
             recipient: address(this),
             zeroForOne: zeroForOne,
             // forge-lint: disable-next-line(unsafe-typecast)
             amountSpecified: int256(amount),
-            sqrtPriceLimitX96: JBSwapLib.sqrtPriceLimitFromAmounts({
-                amountIn: amount, minimumAmountOut: minAmountOut, zeroForOne: zeroForOne
-            }),
+            sqrtPriceLimitX96: zeroForOne ? TickMath.MIN_SQRT_RATIO + 1 : TickMath.MAX_SQRT_RATIO - 1,
             data: callbackData
         });
 
@@ -1377,8 +1382,8 @@ contract JBRouterTerminal is
         // pool sent tokens out to the router, so negate the selected leg to recover the positive amount received.
         amountOut = uint256(-(zeroForOne ? amount1 : amount0));
 
-        // Recheck the realized output against the quote floor so partial fills or price movement cannot slip
-        // through even if the pool call itself completed.
+        // Enforce slippage protection via realized output vs minimum acceptable output.
+        // This is strictly more correct than sqrtPriceLimitX96 (which conflates marginal and average price).
         if (amountOut < minAmountOut) revert JBRouterTerminal_SlippageExceeded(amountOut, minAmountOut);
     }
 
@@ -1405,10 +1410,9 @@ contract JBRouterTerminal is
         // Determine the V4 swap direction by comparing the input token to currency0 in the pool key.
         bool zeroForOne = _unwrapCurrency(key.currency0) == v4In;
 
-        // Use sqrtPriceLimitFromAmounts for partial-fill protection, consistent with V3 path.
-        uint160 sqrtPriceLimitX96 = JBSwapLib.sqrtPriceLimitFromAmounts({
-            amountIn: amount, minimumAmountOut: minAmountOut, zeroForOne: zeroForOne
-        });
+        // Use extreme sqrtPriceLimitX96 to allow full swap execution. Slippage is enforced by
+        // the post-swap minAmountOut check in the unlock callback.
+        uint160 sqrtPriceLimitX96 = zeroForOne ? TickMath.MIN_SQRT_RATIO + 1 : TickMath.MAX_SQRT_RATIO - 1;
 
         // V4 sign convention: negative = exact input, positive = exact output.
         // Ask the PoolManager to unlock and call back into this router to execute the swap atomically.
@@ -2335,10 +2339,18 @@ contract JBRouterTerminal is
             try IGeomeanOracle(address(key.hooks)).observe(key, secondsAgos) returns (
                 int56[] memory tickCumulatives, uint160[] memory
             ) {
-                // Derive the arithmetic mean tick: (cumulative_now - cumulative_start) / elapsed_seconds.
-                // forge-lint: disable-next-line(unsafe-typecast)
-                tick = int24((tickCumulatives[1] - tickCumulatives[0]) / int56(int32(_TWAP_WINDOW)));
-                usedTwap = true;
+                // Guard against malicious/broken hooks returning fewer elements than requested.
+                // An OOB access in the try-success block panics and is NOT caught by catch{}.
+                if (tickCumulatives.length >= 2) {
+                    // Derive the arithmetic mean tick: (cumulative_now - cumulative_start) / elapsed_seconds.
+                    // forge-lint: disable-next-line(unsafe-typecast)
+                    int56 tickDelta = tickCumulatives[1] - tickCumulatives[0];
+                    int56 period = int56(int32(_TWAP_WINDOW));
+                    tick = int24(tickDelta / period);
+                    // Round towards negative infinity for negative ticks (Uniswap convention).
+                    if (tickDelta < 0 && (tickDelta % period != 0)) tick--;
+                    usedTwap = true;
+                }
             } catch {}
         }
 
@@ -2356,14 +2368,35 @@ contract JBRouterTerminal is
         normalizedTokenIn = normalizedTokenIn == address(WETH) ? address(0) : normalizedTokenIn;
         normalizedTokenOut = normalizedTokenOut == address(WETH) ? address(0) : normalizedTokenOut;
 
-        minAmountOut = _quoteWithSlippage({
-            amount: amount,
-            liquidity: liquidity,
-            tokenIn: normalizedTokenIn,
-            tokenOut: normalizedTokenOut,
-            tick: tick,
-            poolFeeBps: uint256(key.fee) / 100
-        });
+        if (!usedTwap) {
+            // Without TWAP, instantaneous liquidity and spot price are both JIT-manipulable.
+            // Use a fixed conservative slippage tolerance (15%) instead of the sigmoid formula, which
+            // an attacker could deflate by inflating liquidity via just-in-time provisioning.
+            uint256 fixedSlippage = 1500; // 15% in basis points of _SLIPPAGE_DENOMINATOR (10_000)
+
+            // Quote the gross output at the spot tick.
+            if (amount > type(uint128).max) revert JBRouterTerminal_AmountOverflow(amount);
+
+            minAmountOut = OracleLibrary.getQuoteAtTick({
+                tick: tick,
+                // forge-lint: disable-next-line(unsafe-typecast)
+                baseAmount: uint128(amount),
+                baseToken: normalizedTokenIn,
+                quoteToken: normalizedTokenOut
+            });
+
+            // Apply the fixed slippage tolerance.
+            minAmountOut -= (minAmountOut * fixedSlippage) / _SLIPPAGE_DENOMINATOR;
+        } else {
+            minAmountOut = _quoteWithSlippage({
+                amount: amount,
+                liquidity: liquidity,
+                tokenIn: normalizedTokenIn,
+                tokenOut: normalizedTokenOut,
+                tick: tick,
+                poolFeeBps: uint256(key.fee) / 100
+            });
+        }
     }
 
     /// @notice Parse the optional `cashOutMinReclaimed` metadata.

package/src/JBRouterTerminalRegistry.sol

@@ -278,7 +278,7 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
     /// @param shouldReturnHeldFees A boolean to indicate whether held fees should be returned.
     /// @param memo A memo to pass along to the emitted event.
     /// @param metadata Bytes in `JBMetadataResolver`'s format.
-    // slither-disable-next-line reentrancy-benign
+    // slither-disable-next-line reentrancy-benign,reentrancy-eth
     function addToBalanceOf(
         uint256 projectId,
         address token,
@@ -300,6 +300,9 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
         // Trigger any pre-transfer logic.
         uint256 payValue = _beforeTransferFor({to: address(terminal), token: token, amount: amount});
 
+        // Save any previous payer so nested reentrant calls through pay hooks restore correctly.
+        address previousPayer = originalPayer;
+
         // Store the original payer in transient storage so downstream router terminals can refund partial-fill
         // leftovers to the true payer.
         originalPayer = _msgSender();
@@ -320,8 +323,8 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
         // Revoke any leftover allowance the terminal did not pull.
         if (token != JBConstants.NATIVE_TOKEN) IERC20(token).forceApprove({spender: address(terminal), value: 0});
 
-        // Clear transient storage.
-        originalPayer = address(0);
+        // Restore the previous payer (supports nested reentrant calls through pay hooks).
+        originalPayer = previousPayer;
     }
 
     /// @notice Allow a terminal.
@@ -406,7 +409,7 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
     /// @param memo A memo to pass along to the emitted event.
     /// @param metadata Bytes in `JBMetadataResolver`'s format.
     /// @return result The number of tokens received.
-    // slither-disable-next-line reentrancy-benign
+    // slither-disable-next-line reentrancy-benign,reentrancy-eth
     function pay(
         uint256 projectId,
         address token,
@@ -431,6 +434,9 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
         // Trigger any pre-transfer logic.
         uint256 payValue = _beforeTransferFor({to: address(terminal), token: token, amount: amount});
 
+        // Save any previous payer so nested reentrant calls through pay hooks restore correctly.
+        address previousPayer = originalPayer;
+
         // Store the original payer in transient storage so downstream router terminals can refund partial-fill
         // leftovers to the true payer.
         originalPayer = _msgSender();
@@ -452,8 +458,8 @@ contract JBRouterTerminalRegistry is IJBRouterTerminalRegistry, JBPermissioned,
         // Revoke any leftover allowance the terminal did not pull.
         if (token != JBConstants.NATIVE_TOKEN) IERC20(token).forceApprove({spender: address(terminal), value: 0});
 
-        // Clear transient storage.
-        originalPayer = address(0);
+        // Restore the previous payer (supports nested reentrant calls through pay hooks).
+        originalPayer = previousPayer;
     }
 
     /// @notice Set the default terminal.

package/src/interfaces/IJBPayRouteResolver.sol

@@ -98,6 +98,42 @@ interface IJBPayRouteResolver {
         view
         returns (address tokenOut, IJBTerminal destTerminal);
 
+    /// @notice External self-call wrapper that previews the fallback route in an isolated context.
+    /// @dev Called via `self.previewFallbackRoute(...)` so `try/catch` can absorb reverts from broken
+    /// terminals or price feeds without bricking the entire best-route preview.
+    /// @param routePreviewer The router terminal whose preview helpers are used to simulate the route.
+    /// @param destProjectId The project being paid through the fallback route.
+    /// @param tokenIn The token the payer is sending.
+    /// @param amountIn The amount of `tokenIn` being routed.
+    /// @param beneficiary The address that would receive minted project tokens.
+    /// @param metadata Arbitrary bytes forwarded into route and terminal pay previews.
+    /// @return destTerminal The terminal the fallback route would deliver funds to.
+    /// @return tokenOut The token `destTerminal` would receive after any intermediate swaps.
+    /// @return amountOut The amount of `tokenOut` that would arrive at `destTerminal`.
+    /// @return ruleset The ruleset that would govern the terminal pay.
+    /// @return beneficiaryTokenCount The number of project tokens `beneficiary` would receive.
+    /// @return reservedTokenCount The number of project tokens that would be reserved.
+    /// @return hookSpecifications Any pay-hook specifications returned by the terminal preview.
+    function previewFallbackRoute(
+        IJBPayRoutePreviewer routePreviewer,
+        uint256 destProjectId,
+        address tokenIn,
+        uint256 amountIn,
+        address beneficiary,
+        bytes calldata metadata
+    )
+        external
+        view
+        returns (
+            IJBTerminal destTerminal,
+            address tokenOut,
+            uint256 amountOut,
+            JBRuleset memory ruleset,
+            uint256 beneficiaryTokenCount,
+            uint256 reservedTokenCount,
+            JBPayHookSpecification[] memory hookSpecifications
+        );
+
     /// @notice Resolve a project's primary terminal only when the router can safely forward into it.
     /// @param router The router whose forwarding-terminal rules should be applied.
     /// @param projectId The project whose primary terminal should be checked.

package/test/NegativeTickRounding.t.sol

@@ -0,0 +1,130 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+
+/// @notice Minimal harness that isolates the tick-rounding arithmetic from JBRouterTerminal._getV4Tick().
+/// @dev The TWAP window is 120 seconds, matching `_TWAP_WINDOW` in production.
+contract TickRoundingHarness {
+    int56 public constant PERIOD = 120;
+
+    /// @notice Old (buggy) logic: Solidity truncation toward zero.
+    /// For negative non-exact deltas this rounds toward zero instead of toward negative infinity.
+    function oldTick(int56 tickDelta) external pure returns (int24 tick) {
+        tick = int24(tickDelta / PERIOD);
+    }
+
+    /// @notice New (fixed) logic: explicit floor-division for negative ticks (Uniswap convention).
+    function newTick(int56 tickDelta) external pure returns (int24 tick) {
+        tick = int24(tickDelta / PERIOD);
+        // Round towards negative infinity for negative ticks (Uniswap convention).
+        if (tickDelta < 0 && (tickDelta % PERIOD != 0)) tick--;
+    }
+}
+
+/// @notice Regression tests proving the negative-tick rounding fix from audit finding Pass-12.
+/// @dev Uniswap's arithmetic-mean tick must be floor-divided (rounded toward negative infinity).
+///      Solidity integer division truncates toward zero, which is incorrect for negative non-exact values.
+///      Example: -12001 / 120 in Solidity = -100 (truncation), but Uniswap expects -101 (floor).
+contract NegativeTickRoundingTest is Test {
+    TickRoundingHarness harness;
+
+    function setUp() public {
+        harness = new TickRoundingHarness();
+    }
+
+    // ------------------------------------------------------------------
+    // Positive exact: tickDelta = 12000 (100 * 120) -> tick = 100
+    // ------------------------------------------------------------------
+    function test_positiveExact() public view {
+        int56 tickDelta = 12_000; // 100 * 120, divides evenly.
+
+        assertEq(harness.oldTick(tickDelta), 100, "old: positive exact");
+        assertEq(harness.newTick(tickDelta), 100, "new: positive exact");
+    }
+
+    // ------------------------------------------------------------------
+    // Positive non-exact: tickDelta = 12001 -> tick = 100
+    // Truncation equals floor for positive values, so both are correct.
+    // ------------------------------------------------------------------
+    function test_positiveNonExact() public view {
+        int56 tickDelta = 12_001;
+
+        assertEq(harness.oldTick(tickDelta), 100, "old: positive non-exact");
+        assertEq(harness.newTick(tickDelta), 100, "new: positive non-exact");
+    }
+
+    // ------------------------------------------------------------------
+    // Negative exact: tickDelta = -12000 -> tick = -100
+    // Exact division — no rounding difference.
+    // ------------------------------------------------------------------
+    function test_negativeExact() public view {
+        int56 tickDelta = -12_000; // -100 * 120, divides evenly.
+
+        assertEq(harness.oldTick(tickDelta), -100, "old: negative exact");
+        assertEq(harness.newTick(tickDelta), -100, "new: negative exact");
+    }
+
+    // ------------------------------------------------------------------
+    // Negative non-exact (THE BUG CASE): tickDelta = -12001 -> tick should be -101
+    // Old logic: -12001 / 120 = -100 (truncation toward zero — WRONG).
+    // New logic: -12001 / 120 = -100, then tick-- = -101 (floor — CORRECT).
+    // ------------------------------------------------------------------
+    function test_negativeNonExact_bugCase() public view {
+        int56 tickDelta = -12_001;
+
+        // Old logic truncates toward zero: WRONG for Uniswap.
+        assertEq(harness.oldTick(tickDelta), -100, "old: negative non-exact truncates toward zero");
+
+        // New logic floors toward negative infinity: CORRECT for Uniswap.
+        assertEq(harness.newTick(tickDelta), -101, "new: negative non-exact floors toward -inf");
+    }
+
+    // ------------------------------------------------------------------
+    // Zero: tickDelta = 0 -> tick = 0
+    // ------------------------------------------------------------------
+    function test_zero() public view {
+        int56 tickDelta = 0;
+
+        assertEq(harness.oldTick(tickDelta), 0, "old: zero");
+        assertEq(harness.newTick(tickDelta), 0, "new: zero");
+    }
+
+    // ------------------------------------------------------------------
+    // Small negative: tickDelta = -1 -> floor(-1/120) = -1, NOT 0
+    // Old logic: -1 / 120 = 0 (truncation toward zero — WRONG).
+    // New logic: -1 / 120 = 0, then tick-- = -1 (floor — CORRECT).
+    // ------------------------------------------------------------------
+    function test_smallNegative() public view {
+        int56 tickDelta = -1;
+
+        // Old logic truncates toward zero: WRONG for Uniswap.
+        assertEq(harness.oldTick(tickDelta), 0, "old: small negative truncates to zero");
+
+        // New logic floors toward negative infinity: CORRECT for Uniswap.
+        assertEq(harness.newTick(tickDelta), -1, "new: small negative floors to -1");
+    }
+
+    // ------------------------------------------------------------------
+    // Additional edge case: tickDelta = -120 (exactly -1 tick period).
+    // Exact division — both should agree at -1.
+    // ------------------------------------------------------------------
+    function test_negativeExactOnePeriod() public view {
+        int56 tickDelta = -120;
+
+        assertEq(harness.oldTick(tickDelta), -1, "old: -120 exact");
+        assertEq(harness.newTick(tickDelta), -1, "new: -120 exact");
+    }
+
+    // ------------------------------------------------------------------
+    // Additional edge case: tickDelta = -119 -> floor(-119/120) = -1
+    // Old logic: -119 / 120 = 0 (truncation — WRONG).
+    // New logic: 0, then tick-- = -1 (floor — CORRECT).
+    // ------------------------------------------------------------------
+    function test_negativeAlmostOnePeriod() public view {
+        int56 tickDelta = -119;
+
+        assertEq(harness.oldTick(tickDelta), 0, "old: -119 truncates to 0");
+        assertEq(harness.newTick(tickDelta), -1, "new: -119 floors to -1");
+    }
+}

package/test/RouterTerminalERC2771.t.sol

@@ -176,11 +176,12 @@ contract RouterTerminalERC2771Test is Test {
         // forge-lint: disable-next-line(unsafe-typecast)
         JBAccountingContext({token: address(token), decimals: 18, currency: uint32(uint160(address(token)))});
         vm.mockCall(mockTerminal, abi.encodeCall(IJBTerminal.accountingContextsOf, (projectId)), abi.encode(contexts));
-        // Mock terminalOf so _isForwardingTerminal returns true and circular-terminal check sees a non-router target.
+        // Mock terminalOf so _isForwardingTerminal returns true and the 5-hop circular check ends cleanly.
+        // Return a distinct non-contract address (not mockTerminal itself) so the forwarding chain terminates.
         vm.mockCall(
             mockTerminal,
             abi.encodeWithSelector(IJBForwardingTerminal.terminalOf.selector, projectId),
-            abi.encode(mockTerminal)
+            abi.encode(IJBTerminal(address(1)))
         );
 
         // Mock terminalsOf so the _routeForPay path finds the project's terminals.
@@ -268,11 +269,12 @@ contract RouterTerminalERC2771Test is Test {
         // forge-lint: disable-next-line(unsafe-typecast)
         JBAccountingContext({token: address(token), decimals: 18, currency: uint32(uint160(address(token)))});
         vm.mockCall(mockTerminal, abi.encodeCall(IJBTerminal.accountingContextsOf, (projectId)), abi.encode(contexts));
-        // Mock terminalOf so _isForwardingTerminal returns true and circular-terminal check sees a non-router target.
+        // Mock terminalOf so _isForwardingTerminal returns true and the 5-hop circular check ends cleanly.
+        // Return a distinct non-contract address (not mockTerminal itself) so the forwarding chain terminates.
         vm.mockCall(
             mockTerminal,
             abi.encodeWithSelector(IJBForwardingTerminal.terminalOf.selector, projectId),
-            abi.encode(mockTerminal)
+            abi.encode(IJBTerminal(address(1)))
         );
 
         // Mock terminalsOf so the _routeForPay path finds the project's terminals.

package/test/TestAuditGaps.sol

@@ -246,11 +246,13 @@ contract TestAuditGaps is Test {
         // forge-lint: disable-next-line(unsafe-typecast)
         ctx[0] = JBAccountingContext({token: tokenOut, decimals: 18, currency: uint32(uint160(tokenOut))});
         vm.mockCall(destTerminal, abi.encodeCall(IJBTerminal.accountingContextsOf, (projectId)), abi.encode(ctx));
-        // Mock terminalOf so _isForwardingTerminal returns true and circular-terminal check sees a non-router target.
+        // Mock terminalOf so _isForwardingTerminal returns true and the 5-hop circular-terminal check ends cleanly.
+        // Return a distinct non-contract address (not destTerminal itself) so the forwarding chain terminates
+        // after one hop instead of looping back to destTerminal indefinitely.
         vm.mockCall(
             destTerminal,
             abi.encodeWithSelector(IJBForwardingTerminal.terminalOf.selector, projectId),
-            abi.encode(destTerminal)
+            abi.encode(IJBTerminal(address(1)))
         );
         vm.mockCall(
             destTerminal,
@@ -351,9 +353,11 @@ contract TestAuditGaps is Test {
         // Mock approve for dest terminal (actual received amount = 4900).
         vm.mockCall(tokenIn, abi.encodeCall(IERC20.approve, (dest, 4900)), abi.encode(true));
         vm.mockCall(dest, abi.encodeWithSelector(IJBTerminal.pay.selector), abi.encode(uint256(42)));
-        // Mock terminalOf so _isForwardingTerminal returns true and circular-terminal check sees a non-router target.
+        // Mock terminalOf so _isForwardingTerminal returns true and the 5-hop circular check ends cleanly.
         vm.mockCall(
-            dest, abi.encodeWithSelector(IJBForwardingTerminal.terminalOf.selector, uint256(1)), abi.encode(dest)
+            dest,
+            abi.encodeWithSelector(IJBForwardingTerminal.terminalOf.selector, uint256(1)),
+            abi.encode(IJBTerminal(address(1)))
         );
         // Mock previewPayFor for route scoring.
         vm.mockCall(
@@ -473,7 +477,8 @@ contract TestAuditGaps is Test {
     // GAP 3: Short TWAP Windows
     // ═══════════════════════════════════════════════════════════════════════
 
-    /// @notice When oldest observation is 0 seconds ago, _getV3TwapQuote reverts NoObservationHistory.
+    /// @notice When oldest observation is 0 seconds ago, the swap path reverts. The TWAP error is caught by the
+    /// route resolver's try/catch fallback (F3), causing the pay to revert with a no-route failure downstream.
     function test_shortTwap_revertsNoObservationHistory() public {
         MockERC20Std tok = new MockERC20Std();
         address tokenIn = address(tok);
@@ -512,8 +517,10 @@ contract TestAuditGaps is Test {
         vm.prank(payer);
         tok.approve(address(router), 100);
 
+        // The NoObservationHistory error is caught by the route resolver's try/catch (F3),
+        // so the specific error doesn't propagate — the pay still reverts because no valid route is found.
         vm.prank(payer);
-        vm.expectRevert(JBRouterTerminal.JBRouterTerminal_NoObservationHistory.selector);
+        vm.expectRevert();
         router.pay(1, tokenIn, 100, payer, 0, "", "");
     }
 
@@ -566,7 +573,9 @@ contract TestAuditGaps is Test {
         assertEq(result, 77);
     }
 
-    /// @notice [L-17] After MIN_TWAP_WINDOW enforcement, a 1-second observation window now reverts.
+    /// @notice [L-17] After MIN_TWAP_WINDOW enforcement, a 1-second observation window causes the swap to fail.
+    /// The InsufficientTwapHistory error is caught by the route resolver's try/catch fallback (F3),
+    /// so the pay reverts with a downstream no-route failure rather than the specific TWAP error.
     function test_shortTwap_clampsTo1Second_nowRevertsAfterMinWindow() public {
         MockERC20Std tok = new MockERC20Std();
         address tokenIn = address(tok);
@@ -604,9 +613,10 @@ contract TestAuditGaps is Test {
         vm.prank(payer);
         tok.approve(address(router), 100);
 
-        // 1s < MIN_TWAP_WINDOW (120s) => reverts.
+        // 1s < MIN_TWAP_WINDOW (120s) => the TWAP check fails during route preview, caught by try/catch (F3).
+        // The pay still reverts because no valid route is found after the fallback failure.
         vm.prank(payer);
-        vm.expectRevert(JBRouterTerminal.JBRouterTerminal_InsufficientTwapHistory.selector);
+        vm.expectRevert();
         router.pay(1, tokenIn, 100, payer, 0, "", "");
     }
 
@@ -619,7 +629,9 @@ contract TestAuditGaps is Test {
         assertEq(router.MIN_TWAP_WINDOW(), 120);
     }
 
-    /// @notice Observation window of 119s (just below MIN_TWAP_WINDOW) reverts.
+    /// @notice Observation window of 119s (just below MIN_TWAP_WINDOW) causes the swap to fail.
+    /// The InsufficientTwapHistory error is caught by the route resolver's try/catch fallback (F3),
+    /// so the pay reverts with a downstream no-route failure rather than the specific TWAP error.
     function test_shortTwap_revertsAt119Seconds() public {
         vm.warp(1000);
         MockERC20Std tok = new MockERC20Std();
@@ -658,8 +670,10 @@ contract TestAuditGaps is Test {
         vm.prank(payer);
         tok.approve(address(router), 100);
 
+        // 119s < MIN_TWAP_WINDOW (120s) => the TWAP check fails during route preview, caught by try/catch (F3).
+        // The pay still reverts because no valid route is found after the fallback failure.
         vm.prank(payer);
-        vm.expectRevert(JBRouterTerminal.JBRouterTerminal_InsufficientTwapHistory.selector);
+        vm.expectRevert();
         router.pay(1, tokenIn, 100, payer, 0, "", "");
     }
 

package/test/audit/MultiHopForwardCycle.t.sol

@@ -175,11 +175,13 @@ contract MultiHopForwardCycleTest is Test {
         );
     }
 
-    function test_routerDoesNotRejectTwoHopForwardCycle() public {
+    /// @notice With 5-hop bounded loop detection, a 2-hop cycle (ForwarderA -> ForwarderB -> router) IS detected
+    /// and rejected during route resolution, preventing funds from ever reaching ForwarderB.
+    function test_routerRejectsTwoHopForwardCycle() public {
         vm.deal(payer, AMOUNT);
 
         vm.prank(payer);
-        vm.expectRevert(ForwarderB.CycleReached.selector);
+        vm.expectRevert();
         router.pay{value: AMOUNT}(PROJECT_ID, JBConstants.NATIVE_TOKEN, AMOUNT, payer, 0, "", "");
     }
 }

package/test/audit/RevertingTerminalRouteDiscovery.t.sol

@@ -410,8 +410,8 @@ contract RevertingTerminalRouteDiscoveryTest is Test {
     }
 
     // ─────────────────────────────────────────────────────────────────────────
-    // Test 5: previewBestPayRoute with only reverting terminals produces no
-    //          route (reverts).
+    // Test 5: previewBestPayRoute with only reverting terminals returns
+    //          zero/empty values (fallback is wrapped in try/catch per F3).
     // ─────────────────────────────────────────────────────────────────────────
 
     function test_previewBestPayRoute_allTerminalsRevert_noRoute() public {
@@ -449,9 +449,8 @@ contract RevertingTerminalRouteDiscoveryTest is Test {
             abi.encode(address(0))
         );
 
-        // Should revert since no candidates are found.
-        vm.expectRevert();
-        resolver.previewBestPayRoute({
+        // With the try/catch fallback (F3), the function no longer reverts — it returns zero/empty values.
+        (IJBTerminal destTerminal, address resolvedTokenOut,,, uint256 beneficiaryTokenCount,,) = resolver.previewBestPayRoute({
             router: router,
             projectId: PROJECT_ID,
             tokenIn: tokenIn,
@@ -459,5 +458,9 @@ contract RevertingTerminalRouteDiscoveryTest is Test {
             beneficiary: makeAddr("beneficiary"),
             metadata: ""
         });
+
+        assertEq(address(destTerminal), address(0), "destTerminal should be zero when no route is found");
+        assertEq(resolvedTokenOut, address(0), "tokenOut should be zero when no route is found");
+        assertEq(beneficiaryTokenCount, 0, "beneficiaryTokenCount should be zero when no route is found");
     }
 }