@rev-net/core-v6 0.0.12 → 0.0.13

package/script/helpers/RevnetCoreDeploymentLib.sol

@@ -9,6 +9,7 @@ import {IREVDeployer} from "./../../src/interfaces/IREVDeployer.sol";
 import {IREVLoans} from "./../../src/interfaces/IREVLoans.sol";
 
 struct RevnetCoreDeployment {
+    // forge-lint: disable-next-line(mixed-case-variable)
     IREVDeployer basic_deployer;
     IREVLoans loans;
 }
@@ -16,6 +17,7 @@ struct RevnetCoreDeployment {
 library RevnetCoreDeploymentLib {
     // Cheat code address, 0x7109709ECfa91a80626fF3989D68f67F5b1DD12D.
     address internal constant VM_ADDRESS = address(uint160(uint256(keccak256("hevm cheat code"))));
+    // forge-lint: disable-next-line(screaming-snake-case-const)
     Vm internal constant vm = Vm(VM_ADDRESS);
 
     function getDeployment(string memory path) internal returns (RevnetCoreDeployment memory deployment) {
@@ -38,6 +40,7 @@ library RevnetCoreDeploymentLib {
 
     function getDeployment(
         string memory path,
+        // forge-lint: disable-next-line(mixed-case-variable)
         string memory network_name
     )
         internal
@@ -64,7 +67,9 @@ library RevnetCoreDeploymentLib {
     /// @return The address of the contract.
     function _getDeploymentAddress(
         string memory path,
+        // forge-lint: disable-next-line(mixed-case-variable)
         string memory project_name,
+        // forge-lint: disable-next-line(mixed-case-variable)
         string memory network_name,
         string memory contractName
     )
@@ -73,7 +78,8 @@ library RevnetCoreDeploymentLib {
         returns (address)
     {
         string memory deploymentJson =
-            vm.readFile(string.concat(path, project_name, "/", network_name, "/", contractName, ".json"));
+        // forge-lint: disable-next-line(unsafe-cheatcode)
+        vm.readFile(string.concat(path, project_name, "/", network_name, "/", contractName, ".json"));
         return stdJson.readAddress({json: deploymentJson, key: ".address"});
     }
 }

package/src/REVDeployer.sol

@@ -1,12 +1,6 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.26;
 
-import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
-import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
-import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
-import {mulDiv} from "@prb/math/src/Common.sol";
 import {IJB721TiersHook} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHook.sol";
 import {IJB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721TiersHookDeployer.sol";
 import {JB721TiersHookFlags} from "@bananapus/721-hook-v6/src/structs/JB721TiersHookFlags.sol";
@@ -15,13 +9,11 @@ import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/
 import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
 import {IJBController} from "@bananapus/core-v6/src/interfaces/IJBController.sol";
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
-import {IJBPayHook} from "@bananapus/core-v6/src/interfaces/IJBPayHook.sol";
 import {IJBPermissioned} from "@bananapus/core-v6/src/interfaces/IJBPermissioned.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBRulesetApprovalHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetApprovalHook.sol";
 import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
-import {IJBSplitHook} from "@bananapus/core-v6/src/interfaces/IJBSplitHook.sol";
 import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
 import {JBCashOuts} from "@bananapus/core-v6/src/libraries/JBCashOuts.sol";
 import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
@@ -38,14 +30,18 @@ import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsDat
 import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
 import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
 import {JBRulesetMetadata} from "@bananapus/core-v6/src/structs/JBRulesetMetadata.sol";
-import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
-import {JBTokenAmount} from "@bananapus/core-v6/src/structs/JBTokenAmount.sol";
 import {JBSplitGroup} from "@bananapus/core-v6/src/structs/JBSplitGroup.sol";
 import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
 import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
 import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
 import {CTPublisher} from "@croptop/core-v6/src/CTPublisher.sol";
 import {CTAllowedPost} from "@croptop/core-v6/src/structs/CTAllowedPost.sol";
+import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
+import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
+import {mulDiv} from "@prb/math/src/Common.sol";
 
 import {IREVDeployer} from "./interfaces/IREVDeployer.sol";
 import {REVAutoIssuance} from "./structs/REVAutoIssuance.sol";
@@ -224,6 +220,8 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         });
 
         // Give the loan contract permission to use the surplus allowance of all revnets.
+        // Uses wildcard revnetId=0 intentionally — the loan contract is a singleton shared by all revnets,
+        // and each revnet's surplus allowance limits already constrain how much can be drawn.
         _setPermission({operator: LOANS, revnetId: 0, permissionId: JBPermissionIds.USE_ALLOWANCE});
 
         // Give the buyback hook (registry) permission to configure pools on all revnets.
@@ -255,6 +253,8 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         )
     {
         // If the cash out is from a sucker, return the full cash out amount without taxes or fees.
+        // This relies on the sucker registry to only contain trusted sucker contracts deployed via
+        // the registry's own deploySuckersFor flow — external addresses cannot register as suckers.
         if (_isSuckerOf({revnetId: context.projectId, addr: context.holder})) {
             return (0, context.cashOutCount, context.totalSupply, hookSpecifications);
         }
@@ -270,12 +270,15 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         // Get the terminal that will receive the cash out fee.
         IJBTerminal feeTerminal = DIRECTORY.primaryTerminalOf({projectId: FEE_REVNET_ID, token: context.surplus.token});
 
-        // If there's no cash out tax (100% cash out tax rate), or if there's no fee terminal, do not charge a fee.
-        if (context.cashOutTaxRate == 0 || address(feeTerminal) == address(0)) {
+        // If there's no cash out tax (100% cash out tax rate), if there's no fee terminal, or if the beneficiary is
+        // feeless (e.g. the router terminal routing value between projects), do not charge a fee.
+        if (context.cashOutTaxRate == 0 || address(feeTerminal) == address(0) || context.beneficiaryIsFeeless) {
             return (context.cashOutTaxRate, context.cashOutCount, context.totalSupply, hookSpecifications);
         }
 
         // Get a reference to the number of tokens being used to pay the fee (out of the total being cashed out).
+        // Micro cash outs (< 40 wei at 2.5% fee) round feeCashOutCount to zero, bypassing the fee.
+        // Economically insignificant: the gas cost of the transaction far exceeds the bypassed fee. No fix needed.
         uint256 feeCashOutCount = mulDiv({x: context.cashOutCount, y: FEE, denominator: JBConstants.MAX_FEE});
         uint256 nonFeeCashOutCount = context.cashOutCount - feeCashOutCount;
 
@@ -483,26 +486,6 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         }
     }
 
-    /// @notice Try to initialize a Uniswap V4 buyback pool for a terminal token at a generic 1:1 price.
-    /// @dev Called after the ERC-20 token is deployed so the pool can be initialized in the PoolManager.
-    /// Silently catches failures (e.g., if the pool is already initialized).
-    /// @param revnetId The ID of the revnet.
-    /// @param terminalToken The terminal token to initialize a buyback pool for.
-    function _tryInitializeBuybackPoolFor(uint256 revnetId, address terminalToken) internal {
-        // Try to initialize the pool at a generic 1:1 sqrtPriceX96 and configure the buyback hook.
-        // The buyback hook constructs the PoolKey internally from the project token, terminal token, and pool params.
-        // slither-disable-next-line calls-loop
-        try BUYBACK_HOOK.initializePoolFor({
-            projectId: revnetId,
-            fee: DEFAULT_BUYBACK_POOL_FEE,
-            tickSpacing: DEFAULT_BUYBACK_TICK_SPACING,
-            twapWindow: DEFAULT_BUYBACK_TWAP_WINDOW,
-            terminalToken: terminalToken,
-            sqrtPriceX96: uint160(1 << 96)
-        }) {}
-            catch {} // Pool may already be initialized — that's OK.
-    }
-
     /// @notice Make a ruleset configuration for a revnet's stage.
     /// @param baseCurrency The base currency of the revnet.
     /// @param stageConfiguration The stage configuration to make a ruleset for.
@@ -582,6 +565,26 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         }
     }
 
+    /// @notice Try to initialize a Uniswap V4 buyback pool for a terminal token at a generic 1:1 price.
+    /// @dev Called after the ERC-20 token is deployed so the pool can be initialized in the PoolManager.
+    /// Silently catches failures (e.g., if the pool is already initialized).
+    /// @param revnetId The ID of the revnet.
+    /// @param terminalToken The terminal token to initialize a buyback pool for.
+    function _tryInitializeBuybackPoolFor(uint256 revnetId, address terminalToken) internal {
+        // Try to initialize the pool at a generic 1:1 sqrtPriceX96 and configure the buyback hook.
+        // The buyback hook constructs the PoolKey internally from the project token, terminal token, and pool params.
+        // slither-disable-next-line calls-loop
+        try BUYBACK_HOOK.initializePoolFor({
+            projectId: revnetId,
+            fee: DEFAULT_BUYBACK_POOL_FEE,
+            tickSpacing: DEFAULT_BUYBACK_TICK_SPACING,
+            twapWindow: DEFAULT_BUYBACK_TWAP_WINDOW,
+            terminalToken: terminalToken,
+            sqrtPriceX96: uint160(1 << 96)
+        }) {}
+            catch {} // Pool may already be initialized — that's OK.
+    }
+
     //*********************************************************************//
     // --------------------- external transactions ----------------------- //
     //*********************************************************************//
@@ -649,7 +652,13 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
     /// @param stageId The ID of the stage auto-mint tokens are available from.
     /// @param beneficiary The address to auto-mint tokens to.
     function autoIssueFor(uint256 revnetId, uint256 stageId, address beneficiary) external override {
-        // Get a reference to the ruleset for the stage.
+        // Get the ruleset for the stage to check if it has started.
+        // Stage IDs are `block.timestamp + i` where `i` is the stage index. These match real JB ruleset IDs
+        // because JBRulesets assigns IDs the same way: `latestId >= block.timestamp ? latestId + 1 : block.timestamp`
+        // (see JBRulesets.sol L172). When all stages are queued in a single deployFor() call, the sequential
+        // IDs `block.timestamp`, `block.timestamp + 1`, ... exactly correspond to the JB-assigned ruleset IDs.
+        // The returned `ruleset.start` contains the derived start time (from `deriveStartFrom` using the stage's
+        // `mustStartAtOrAfter`), NOT the queue timestamp — so the timing guard correctly blocks early claims.
         // slither-disable-next-line unused-return
         (JBRuleset memory ruleset,) = CONTROLLER.getRulesetOf({projectId: revnetId, rulesetId: stageId});
 
@@ -678,6 +687,17 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         });
     }
 
+    /// @notice Burn any of a revnet's tokens held by this contract.
+    /// @dev Project tokens can end up here from reserved token distribution when splits don't sum to 100%.
+    /// @param revnetId The ID of the revnet whose tokens should be burned.
+    function burnHeldTokensOf(uint256 revnetId) external override {
+        uint256 balance = CONTROLLER.TOKENS().totalBalanceOf({holder: address(this), projectId: revnetId});
+        if (balance == 0) revert REVDeployer_NothingToBurn();
+        CONTROLLER.burnTokensOf({holder: address(this), projectId: revnetId, tokenCount: balance, memo: ""});
+        // slither-disable-next-line reentrancy-events
+        emit BurnHeldTokens(revnetId, balance, _msgSender());
+    }
+
     /// @notice Launch a revnet, or initialize an existing Juicebox project as a revnet.
     /// @dev When initializing an existing project (revnetId != 0):
     /// - The project must not yet have a controller or rulesets. `JBController.launchRulesetsFor` enforces this —
@@ -780,17 +800,6 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
         return (revnetId, hook);
     }
 
-    /// @notice Burn any of a revnet's tokens held by this contract.
-    /// @dev Project tokens can end up here from reserved token distribution when splits don't sum to 100%.
-    /// @param revnetId The ID of the revnet whose tokens should be burned.
-    function burnHeldTokensOf(uint256 revnetId) external override {
-        uint256 balance = CONTROLLER.TOKENS().totalBalanceOf({holder: address(this), projectId: revnetId});
-        if (balance == 0) revert REVDeployer_NothingToBurn();
-        CONTROLLER.burnTokensOf({holder: address(this), projectId: revnetId, tokenCount: balance, memo: ""});
-        // slither-disable-next-line reentrancy-events
-        emit BurnHeldTokens(revnetId, balance, _msgSender());
-    }
-
     /// @notice Deploy new suckers for an existing revnet.
     /// @dev Only the revnet's split operator can deploy new suckers.
     /// @param revnetId The ID of the revnet to deploy suckers for.
@@ -1122,6 +1131,9 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
     /// of collateral) or lower issuance weight (reducing the surplus-per-token ratio). Borrowers should monitor
     /// upcoming stage transitions and adjust their positions accordingly, as loans that fall below their required
     /// collateralization may become eligible for liquidation.
+    /// @dev `cashOutTaxRate` changes at stage boundaries may allow users to cash out just before a rate increase.
+    /// This is accepted behavior — the arbitrage window is bounded by the ruleset design, and all stages are
+    /// configured immutably at deployment time.
     /// @param revnetId The ID of the revnet to make rulesets for.
     /// @param configuration The configuration containing the revnet's stages.
     /// @param terminalConfigurations The terminals to set up for the revnet. Used for payments and cash outs.
@@ -1229,8 +1241,11 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
                 });
 
                 // Store the amount of tokens that can be auto-minted on this chain during this stage.
-                // The first stage ID is stored at this block's timestamp,
-                // and further stage IDs have incrementally increasing IDs
+                // The stage ID is `block.timestamp + i`. This matches the ruleset ID that JBRulesets assigns
+                // because JBRulesets uses `latestId >= block.timestamp ? latestId + 1 : block.timestamp`
+                // (JBRulesets.sol L172), producing the same sequential IDs when all stages are queued in one tx.
+                // `autoIssueFor` later calls `getRulesetOf(revnetId, stageId)` — the returned `ruleset.start`
+                // is the derived start time (not the queue time), so the timing guard works correctly.
                 // slither-disable-next-line reentrancy-benign
                 amountToAutoIssue[revnetId][block.timestamp + i][autoIssuance.beneficiary] += autoIssuance.count;
             }
@@ -1288,7 +1303,8 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IJBRulesetDataHook, IJBCas
     {
         // Set up the permission data.
         JBPermissionsData memory permissionData =
-            JBPermissionsData({operator: operator, projectId: uint64(revnetId), permissionIds: permissionIds});
+        // forge-lint: disable-next-line(unsafe-typecast)
+        JBPermissionsData({operator: operator, projectId: uint64(revnetId), permissionIds: permissionIds});
 
         // Set the permissions.
         PERMISSIONS.setPermissionsFor({account: account, permissionsData: permissionData});

package/src/REVLoans.sol

@@ -59,6 +59,7 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     error REVLoans_InvalidPrepaidFeePercent(uint256 prepaidFeePercent, uint256 min, uint256 max);
     error REVLoans_InvalidTerminal(address terminal, uint256 revnetId);
     error REVLoans_LoanExpired(uint256 timeSinceLoanCreated, uint256 loanLiquidationDuration);
+    error REVLoans_LoanIdOverflow();
     error REVLoans_NewBorrowAmountGreaterThanLoanAmount(uint256 newBorrowAmount, uint256 loanAmount);
     error REVLoans_NoMsgValueAllowed();
     error REVLoans_NotEnoughCollateral();
@@ -70,6 +71,7 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     error REVLoans_SourceMismatch();
     error REVLoans_Unauthorized(address caller, address owner);
     error REVLoans_UnderMinBorrowAmount(uint256 minBorrowAmount, uint256 borrowAmount);
+    error REVLoans_ZeroBorrowAmount();
     error REVLoans_ZeroCollateralLoanIsInvalid();
 
     //*********************************************************************//
@@ -93,7 +95,7 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     uint256 public constant override MIN_PREPAID_FEE_PERCENT = 25; // 2.5%
 
     //*********************************************************************//
-    // -------------------- private constant properties ------------------ //
+    // ------------------------ private constants ------------------------ //
     //*********************************************************************//
 
     /// @notice Just a kind reminder to our readers.
@@ -416,8 +418,10 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         // If the loan period has passed the prepaid time frame, take a fee.
         if (timeSinceLoanCreated <= loan.prepaidDuration) return 0;
 
-        // If the loan period has reached or passed the liquidation time frame, do not allow loan management.
-        if (timeSinceLoanCreated >= LOAN_LIQUIDATION_DURATION) {
+        // If the loan period has passed the liquidation time frame, do not allow loan management.
+        // Uses `>` (not `>=`) so the exact boundary second is still repayable — the liquidation path
+        // uses `<=`, and matching `>=` here would create a 1-second window where neither path is available.
+        if (timeSinceLoanCreated > LOAN_LIQUIDATION_DURATION) {
             revert REVLoans_LoanExpired(timeSinceLoanCreated, LOAN_LIQUIDATION_DURATION);
         }
 
@@ -461,9 +465,8 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     /// @dev Each source's `totalBorrowedFrom` is stored in the source token's native decimals (e.g. 6 for USDC,
     /// 18 for ETH). Before aggregation, each amount is normalized to the target `decimals` to prevent mixed-decimal
     /// arithmetic errors. For cross-currency sources, the normalized amount is then converted via the price feed.
-    /// @dev Callers should ensure the price feed has sufficient precision for the target `decimals`. Inverse price
-    /// feeds may truncate to zero at low decimal counts (e.g. a feed returning 1e21 at 6 decimals inverts to
-    /// mulDiv(1e6, 1e6, 1e21) = 0), which would cause a division-by-zero in the price conversion.
+    /// @dev Inverse price feeds may truncate to zero at low decimal counts (e.g. a feed returning 1e21 at 6 decimals
+    /// inverts to mulDiv(1e6, 1e6, 1e21) = 0). Sources with a zero price are skipped to prevent division-by-zero.
     /// @param revnetId The ID of the revnet to check for borrowed assets from.
     /// @param decimals The decimals the resulting fixed point value will include.
     /// @param currency The currency the resulting value will be in terms of.
@@ -519,6 +522,11 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
                     decimals: decimals
                 });
 
+                // If the price feed returns zero, skip this source to avoid a division-by-zero panic
+                // that would DoS all loan operations. This intentionally understates total debt for
+                // the affected source — an acceptable tradeoff vs. blocking every borrow/repay.
+                if (pricePerUnit == 0) continue;
+
                 borrowedAmount += mulDiv({x: normalizedTokens, y: 10 ** decimals, denominator: pricePerUnit});
             }
         }
@@ -529,6 +537,8 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     //*********************************************************************//
 
     /// @notice Open a loan by borrowing from a revnet.
+    /// @dev The caller must first grant BURN_TOKENS permission to this contract via JBPermissions.setPermissionsFor().
+    /// This is required because collateral posting burns the caller's tokens through the controller.
     /// @dev Collateral tokens are permanently burned when the loan is created. They are re-minted to the borrower
     /// only upon repayment. If the loan expires (after LOAN_LIQUIDATION_DURATION), the collateral is permanently
     /// lost and cannot be recovered.
@@ -579,7 +589,8 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
 
         // Set the loan's values.
         loan.source = source;
-        loan.createdAt = uint40(block.timestamp);
+        loan.createdAt = uint48(block.timestamp);
+        // forge-lint: disable-next-line(unsafe-typecast)
         loan.prepaidFeePercent = uint16(prepaidFeePercent);
         loan.prepaidDuration =
             uint32(mulDiv({x: prepaidFeePercent, y: LOAN_LIQUIDATION_DURATION, denominator: MAX_PREPAID_FEE_PERCENT}));
@@ -587,10 +598,14 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         // Get the amount of the loan.
         uint256 borrowAmount = _borrowAmountFrom({loan: loan, revnetId: revnetId, collateralCount: collateralCount});
 
+        // Revert if the bonding curve returns zero to prevent creating zero-amount loans.
+        if (borrowAmount == 0) revert REVLoans_ZeroBorrowAmount();
+
         // Make sure the minimum borrow amount is met.
         if (borrowAmount < minBorrowAmount) revert REVLoans_UnderMinBorrowAmount(minBorrowAmount, borrowAmount);
 
         // Get the amount of additional fee to take for the revnet issuing the loan.
+        // Fee rounding may leave a few wei of dust — economically insignificant relative to gas costs.
         uint256 sourceFeeAmount = JBFees.feeAmountFrom({amountBeforeFee: borrowAmount, feePercent: prepaidFeePercent});
 
         // Borrow the amount.
@@ -635,6 +650,9 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
     /// @param startingLoanId The ID of the loan to start iterating from.
     /// @param count The amount of loans iterate over since the last liquidated loan.
     function liquidateExpiredLoansFrom(uint256 revnetId, uint256 startingLoanId, uint256 count) external override {
+        // Prevent cross-revnet accounting corruption: loan numbers must stay within the revnet's ID namespace.
+        if (startingLoanId + count > _ONE_TRILLION) revert REVLoans_LoanIdOverflow();
+
         // Iterate over the desired number of loans to check for liquidation.
         for (uint256 i; i < count; i++) {
             // Get a reference to the next loan ID.
@@ -928,8 +946,8 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         internal
     {
         // Register the source if this is the first time its being used for this revnet.
-        // Note: Sources are only appended, never removed. This is acceptable because the number of distinct
-        // (terminal, token) pairs per revnet is practically bounded.
+        // Note: Sources are only appended, never removed. Gas accumulation from iteration is bounded
+        // because the number of distinct (terminal, token) pairs per revnet is practically small (~5-20).
         if (!isLoanSourceOf[revnetId][loan.source.terminal][loan.source.token]) {
             isLoanSourceOf[revnetId][loan.source.terminal][loan.source.token] = true;
             _loanSourcesOf[revnetId].push(REVLoanSource({token: loan.source.token, terminal: loan.source.terminal}));
@@ -995,6 +1013,9 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         }
 
         // Transfer the remaining balance to the borrower.
+        // Note: In extreme fee configurations the subtraction could theoretically underflow, but the
+        // protocol fee (2.5%) and source fee (capped at prepaidFeePercent) are both small fractions of
+        // the borrowed amount, so `netAmountPaidOut` will always exceed their sum in practice.
         _transferFrom({
             from: address(this),
             to: beneficiary,
@@ -1035,7 +1056,9 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         if (newCollateralCount > type(uint112).max) {
             revert REVLoans_OverflowAlert(newCollateralCount, type(uint112).max);
         }
+        // forge-lint: disable-next-line(unsafe-typecast)
         loan.amount = uint112(newBorrowAmount);
+        // forge-lint: disable-next-line(unsafe-typecast)
         loan.collateral = uint112(newCollateralCount);
 
         // INTERACTIONS: Execute external calls with pre-computed deltas.
@@ -1064,16 +1087,17 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
             });
         }
 
-        // If there is a source fee, pay it.
+        // If there is a source fee, pay it. Wrapped in try-catch so a reverting source terminal
+        // cannot block all loan operations (matching the REV fee pattern above).
         if (sourceFeeAmount > 0) {
-            // Increase the allowance for the beneficiary.
+            // Increase the allowance for the source terminal.
             uint256 payValue = _beforeTransferTo({
                 to: address(loan.source.terminal), token: loan.source.token, amount: sourceFeeAmount
             });
 
-            // Pay the fee.
-            // slither-disable-next-line unused-return
-            loan.source.terminal.pay{value: payValue}({
+            // Pay the fee. If it fails, reclaim the allowance and give the amount back to the borrower.
+            // slither-disable-next-line unused-return,arbitrary-send-eth
+            try loan.source.terminal.pay{value: payValue}({
                 projectId: revnetId,
                 token: loan.source.token,
                 amount: sourceFeeAmount,
@@ -1081,7 +1105,18 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
                 minReturnedTokens: 0,
                 memo: "Fee from loan",
                 metadata: bytes(abi.encodePacked(REV_ID))
-            });
+            }) {}
+            catch (bytes memory) {
+                // If the fee can't be processed, decrease the ERC-20 allowance and return the amount
+                // to the beneficiary instead.
+                if (loan.source.token != JBConstants.NATIVE_TOKEN) {
+                    IERC20(loan.source.token)
+                        .safeDecreaseAllowance({
+                            spender: address(loan.source.terminal), requestedDecrease: sourceFeeAmount
+                        });
+                }
+                _transferFrom({from: address(this), to: beneficiary, token: loan.source.token, amount: sourceFeeAmount});
+            }
         }
     }
 
@@ -1351,6 +1386,7 @@ contract REVLoans is ERC721, ERC2771Context, Ownable, IREVLoans {
         if (amount > type(uint160).max) revert REVLoans_OverflowAlert(amount, type(uint160).max);
 
         // Otherwise, attempt to use the `permit2` method.
+        // forge-lint: disable-next-line(unsafe-typecast)
         PERMIT2.transferFrom({from: from, to: to, amount: uint160(amount), token: token});
     }
 

package/src/interfaces/IREVDeployer.sol

@@ -8,7 +8,6 @@ import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
 import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
-import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
 import {JBRulesetConfig} from "@bananapus/core-v6/src/structs/JBRulesetConfig.sol";
 import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
 import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";

package/src/structs/REV721TiersHookFlags.sol

@@ -6,6 +6,7 @@ pragma solidity ^0.8.0;
 /// @custom:member noNewTiersWithOwnerMinting A flag indicating if new tiers with owner minting are forbidden.
 /// @custom:member preventOverspending A flag indicating if payments exceeding the price of minted NFTs should be
 /// prevented.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REV721TiersHookFlags {
     bool noNewTiersWithReserves;
     bool noNewTiersWithVotes;

package/src/structs/REVAutoIssuance.sol

@@ -4,6 +4,7 @@ pragma solidity ^0.8.0;
 /// @custom:member chainId The ID of the chain on which the mint should be honored.
 /// @custom:member count The number of tokens that should be minted.
 /// @custom:member beneficiary The address that will receive the minted tokens.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVAutoIssuance {
     uint32 chainId;
     uint104 count;

package/src/structs/REVBaseline721HookConfig.sol

@@ -15,6 +15,7 @@ import {REV721TiersHookFlags} from "./REV721TiersHookFlags.sol";
 /// @custom:member reserveBeneficiary The default reserve beneficiary for the NFT collection.
 /// @custom:member flags A set of flags that configure the 721 hook. Omits `issueTokensForSplits` since revnets
 /// always force it to `false`.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVBaseline721HookConfig {
     string name;
     string symbol;

package/src/structs/REVConfig.sol

@@ -9,6 +9,7 @@ import {REVStageConfig} from "./REVStageConfig.sol";
 /// @custom:member splitOperator The address that will receive the token premint and initial production split,
 /// and who is allowed to change who the operator is. Only the operator can replace itself after deployment.
 /// @custom:member stageConfigurations The periods of changing constraints.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVConfig {
     REVDescription description;
     uint32 baseCurrency;

package/src/structs/REVCroptopAllowedPost.sol

@@ -10,6 +10,7 @@ pragma solidity ^0.8.0;
 /// @custom:member maximumSplitPercent The maximum split percent (out of JBConstants.SPLITS_TOTAL_PERCENT) that a
 /// poster can set. 0 means splits are not allowed.
 /// @custom:member allowedAddresses A list of addresses that are allowed to post on the category through Croptop.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVCroptopAllowedPost {
     uint24 category;
     uint104 minimumPrice;

package/src/structs/REVDeploy721TiersHookConfig.sol

@@ -13,6 +13,7 @@ import {REVBaseline721HookConfig} from "./REVBaseline721HookConfig.sol";
 /// minting 721's from tiers that allow it.
 /// @custom:member preventSplitOperatorIncreasingDiscountPercent A flag indicating if the revnet's split operator should
 /// be prevented from increasing the discount of a tier.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVDeploy721TiersHookConfig {
     REVBaseline721HookConfig baseline721HookConfiguration;
     bytes32 salt;

package/src/structs/REVDescription.sol

@@ -6,6 +6,7 @@ pragma solidity ^0.8.0;
 /// @custom:member uri The metadata URI containing revnet's info.
 /// @custom:member salt Revnets deployed across chains by the same address with the same salt will have the same
 /// address.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVDescription {
     string name;
     string ticker;

package/src/structs/REVLoan.sol

@@ -9,6 +9,7 @@ import {REVLoanSource} from "./REVLoanSource.sol";
 /// @custom:member prepaidFeePercent The percentage of the loan's fees that were prepaid.
 /// @custom:member prepaidDuration The duration that the loan was prepaid for.
 /// @custom:member source The source of the loan.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVLoan {
     uint112 amount;
     uint112 collateral;

package/src/structs/REVLoanSource.sol

@@ -5,6 +5,7 @@ import {IJBPayoutTerminal} from "@bananapus/core-v6/src/interfaces/IJBPayoutTerm
 
 /// @custom:member token The token that is being loaned.
 /// @custom:member terminal The terminal that the loan is being made from.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVLoanSource {
     address token;
     IJBPayoutTerminal terminal;

package/src/structs/REVStageConfig.sol

@@ -21,6 +21,7 @@ import {REVAutoIssuance} from "./REVAutoIssuance.sol";
 /// cashed out. This rate is out of 10_000 (JBConstants.MAX_CASH_OUT_TAX_RATE). 0% corresponds to no tax when cashing
 /// out.
 /// @custom:member extraMetadata Extra info to attach set into this stage that may affect hooks.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVStageConfig {
     uint48 startsAtOrAfter;
     REVAutoIssuance[] autoIssuances;

package/src/structs/REVSuckerDeploymentConfig.sol

@@ -5,6 +5,7 @@ import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSucker
 
 /// @custom:member deployerConfigurations The information for how to suck tokens to other chains.
 /// @custom:member salt The salt to use for creating suckers so that they use the same address across chains.
+// forge-lint: disable-next-line(pascal-case-struct)
 struct REVSuckerDeploymentConfig {
     JBSuckerDeployerConfig[] deployerConfigurations;
     bytes32 salt;