@rev-net/core-v6 0.0.35 → 0.0.36

package/RISKS.md

@@ -87,3 +87,11 @@ The model assumes that attempts to inflate surplus through donations are not pro
 ### 8.5 Omnichain terminal expansion inherits remote-chain trust
 
 A project that expands to a new chain can register additional terminals on that chain. Because borrowability calculations aggregate surplus from all registered terminals across all chains, a compromised or misconfigured terminal on a remote chain can corrupt the project's surplus accounting globally. This is mitigated by including terminal addresses in the `encodedConfigurationHash` — cross-chain expansions via suckers must use the exact same terminal address as the host chain. Terminal addresses are deterministic across chains (same CREATE2 deployment), so this prevents expansions from silently using a different terminal. Project operators should still treat each chain expansion as a trust-boundary decision since bridge integrity and network assumptions remain outside protocol control.
+
+### 8.6 Cross-chain surplus staleness
+
+`REVLoans._borrowableAmountFrom` and `REVOwner.beforeCashOutRecordedWith` add `remoteSurplusOf()` and `remoteTotalSupplyOf()` to local values. These remote values update only when `toRemote()` is called on the peer chain -- no heartbeat or staleness check. Stale data can inflate per-token borrowable amounts when remote supply has grown since the last bridge message. Primary safeguard: borrowable is capped at `localSurplus` (REVLoans line 386-387), preventing extraction beyond what the local terminal holds.
+
+### 8.7 REVLoans CEI violation in `_adjust`
+
+In `REVLoans._adjust`, `totalCollateralOf[revnetId]` is incremented after external calls (`useAllowanceOf`, fee payment). A reentrant `borrowFrom` would see a lower `totalCollateralOf`. This is documented inline (lines 1128-1132) and requires an adversarial pay hook on the revnet's own terminal -- a trust-level configuration that is not realistic in standard deployments.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rev-net/core-v6",
-  "version": "0.0.35",
+  "version": "0.0.36",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/REVDeployer.sol

@@ -798,7 +798,7 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IERC721Receiver {
         if (shouldDeployNewRevnet) {
             // If we're deploying a new revnet, launch a Juicebox project for it.
             // Sanity check that we deployed the `revnetId` that we expected to deploy.
-            // slither-disable-next-line reentrancy-benign,reentrancy-events
+            // slither-disable-next-line incorrect-equality,reentrancy-benign,reentrancy-events
             assert(
                 CONTROLLER.launchProjectFor({
                     owner: address(this),
@@ -970,6 +970,12 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IERC721Receiver {
         JBFundAccessLimitGroup[] memory fundAccessLimitGroups =
             _makeLoanFundAccessLimits({terminalConfigurations: terminalConfigurations});
 
+        // Track the previous stage's effective start time for ordering validation.
+        // When stage 0 uses `startsAtOrAfter == 0`, the effective value is `block.timestamp`.
+        // Subsequent stages must be validated against this normalized value, not the raw calldata,
+        // so that cross-chain deployments can reproduce the same encoded configuration hash.
+        uint256 previousStageStart;
+
         // Iterate through each stage to set up its ruleset.
         for (uint256 i; i < configuration.stageConfigurations.length;) {
             // Set the stage being iterated on.
@@ -981,12 +987,19 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IERC721Receiver {
                 revert REVDeployer_MustHaveSplits();
             }
 
+            // Compute the effective start time for this stage.
+            uint256 effectiveStart = (i == 0 && stageConfiguration.startsAtOrAfter == 0)
+                ? block.timestamp
+                : stageConfiguration.startsAtOrAfter;
+
             // If the stage's start time is not after the previous stage's start time, revert.
-            if (i > 0 && stageConfiguration.startsAtOrAfter <= configuration.stageConfigurations[i - 1].startsAtOrAfter)
-            {
+            if (i > 0 && effectiveStart <= previousStageStart) {
                 revert REVDeployer_StageTimesMustIncrease();
             }
 
+            // Store for the next iteration's ordering check.
+            previousStageStart = effectiveStart;
+
             // Make sure the revnet doesn't prevent cashouts all together.
             if (stageConfiguration.cashOutTaxRate >= JBConstants.MAX_CASH_OUT_TAX_RATE) {
                 revert REVDeployer_CashOutsCantBeTurnedOffCompletely(
@@ -1004,13 +1017,9 @@ contract REVDeployer is ERC2771Context, IREVDeployer, IERC721Receiver {
             // Add the stage's properties to the byte-encoded configuration.
             encodedConfiguration = abi.encode(
                 encodedConfiguration,
-                // If no start time is provided for the first stage, use the current block's timestamp.
-                // In the future, revnets deployed on other networks can match this revnet's encoded stage by specifying
-                // the
-                // same start time.
-                (i == 0 && stageConfiguration.startsAtOrAfter == 0)
-                    ? block.timestamp
-                    : stageConfiguration.startsAtOrAfter,
+                // Use the effective start time (normalized from 0 to block.timestamp for the first stage).
+                // Cross-chain deployments reproduce the hash by specifying the origin chain's timestamp.
+                effectiveStart,
                 stageConfiguration.splitPercent,
                 stageConfiguration.initialIssuance,
                 stageConfiguration.issuanceCutFrequency,

package/src/REVLoans.sol

@@ -543,17 +543,18 @@ contract REVLoans is ERC721, ERC2771Context, JBPermissioned, Ownable, IREVLoans
             // Get a reference to the token being iterated on.
             REVLoanSource storage source = sources[i];
 
-            // Get a reference to the accounting context for the source.
-            // slither-disable-next-line calls-loop
-            JBAccountingContext memory accountingContext =
-                source.terminal.accountingContextForTokenOf({projectId: revnetId, token: source.token});
-
             // Get a reference to the amount of tokens loaned out.
             uint256 tokensLoaned = totalBorrowedFrom[revnetId][source.terminal][source.token];
 
-            // Skip if no tokens are loaned from this source.
+            // Skip if no tokens are loaned from this source. Checked before the external call below to avoid
+            // reverting on stale sources whose terminals may no longer support this token.
             if (tokensLoaned == 0) continue;
 
+            // Get a reference to the accounting context for the source.
+            // slither-disable-next-line calls-loop
+            JBAccountingContext memory accountingContext =
+                source.terminal.accountingContextForTokenOf({projectId: revnetId, token: source.token});
+
             // Normalize the token amount from the source's decimals to the target decimals.
             uint256 normalizedTokens;
             if (accountingContext.decimals > decimals) {
@@ -1225,6 +1226,14 @@ contract REVLoans is ERC721, ERC2771Context, JBPermissioned, Ownable, IREVLoans
         return 0;
     }
 
+    /// @notice Clears any token allowance granted by `_beforeTransferTo`.
+    /// @param to The address that was granted the allowance.
+    /// @param token The token whose allowance should be cleared.
+    function _afterTransferTo(address to, address token) internal {
+        if (token == JBConstants.NATIVE_TOKEN) return;
+        IERC20(token).forceApprove({spender: to, value: 0});
+    }
+
     /// @notice Reallocates collateral from a loan by making a new loan based on the original, with reduced collateral.
     /// @param loanId The ID of the loan to reallocate collateral from.
     /// @param revnetId The ID of the revnet the loan is from.
@@ -1334,6 +1343,8 @@ contract REVLoans is ERC721, ERC2771Context, JBPermissioned, Ownable, IREVLoans
             memo: "",
             metadata: bytes(abi.encodePacked(REV_ID))
         });
+
+        _afterTransferTo({to: address(loan.source.terminal), token: loan.source.token});
     }
 
     /// @notice Pays down a loan.
@@ -1532,6 +1543,7 @@ contract REVLoans is ERC721, ERC2771Context, JBPermissioned, Ownable, IREVLoans
             metadata: bytes(abi.encodePacked(metadataProjectId))
         }) {
             success = true;
+            _afterTransferTo({to: address(terminal), token: token});
         } catch (bytes memory) {
             if (token != JBConstants.NATIVE_TOKEN) {
                 IERC20(token).safeDecreaseAllowance({spender: address(terminal), requestedDecrease: amount});

package/src/REVOwner.sol

@@ -16,6 +16,7 @@ import {JBCashOutHookSpecification} from "@bananapus/core-v6/src/structs/JBCashO
 import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
 import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
 import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import {mulDiv} from "@prb/math/src/Common.sol";
@@ -458,7 +459,8 @@ contract REVOwner is IJBRulesetDataHook, IJBCashOutHook {
     /// @dev See `IERC165.supportsInterface`.
     /// @return A flag indicating if the provided interface ID is supported.
     function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
-        return interfaceId == type(IJBRulesetDataHook).interfaceId || interfaceId == type(IJBCashOutHook).interfaceId;
+        return interfaceId == type(IERC165).interfaceId || interfaceId == type(IJBRulesetDataHook).interfaceId
+            || interfaceId == type(IJBCashOutHook).interfaceId;
     }
 
     //*********************************************************************//

package/test/audit/CodexREVOwnerRemoteSurplusCurrencyMismatch.t.sol

@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import "forge-std/Test.sol";
+import "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {JBBeforeCashOutRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforeCashOutRecordedContext.sol";
+import {JBBeforePayRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforePayRecordedContext.sol";
+import {JBCashOutHookSpecification} from "@bananapus/core-v6/src/structs/JBCashOutHookSpecification.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {JBTokenAmount} from "@bananapus/core-v6/src/structs/JBTokenAmount.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {PoolKey} from "@uniswap/v4-core/src/types/PoolKey.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+contract CurrencyAwareSuckerRegistry {
+    uint256 public expectedCurrency;
+    uint256 public remoteSupply;
+    uint256 public remoteSurplus;
+
+    function setRemoteValues(uint256 currency, uint256 supply, uint256 surplus) external {
+        expectedCurrency = currency;
+        remoteSupply = supply;
+        remoteSurplus = surplus;
+    }
+
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function remoteTotalSupplyOf(uint256) external view returns (uint256) {
+        return remoteSupply;
+    }
+
+    function remoteSurplusOf(uint256, uint256, uint256 currency) external view returns (uint256) {
+        return currency == expectedCurrency ? remoteSurplus : 0;
+    }
+}
+
+contract EchoBuybackRegistry is IJBRulesetDataHook {
+    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
+        external
+        pure
+        returns (
+            uint256 cashOutTaxRate,
+            uint256 cashOutCount,
+            uint256 totalSupply,
+            uint256 effectiveSurplusValue,
+            JBCashOutHookSpecification[] memory hookSpecifications
+        )
+    {
+        cashOutTaxRate = context.cashOutTaxRate;
+        cashOutCount = context.cashOutCount;
+        totalSupply = context.totalSupply;
+        effectiveSurplusValue = context.surplus.value;
+        hookSpecifications = new JBCashOutHookSpecification[](0);
+    }
+
+    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
+        external
+        pure
+        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
+    {
+        weight = context.weight;
+        hookSpecifications = new JBPayHookSpecification[](0);
+    }
+
+    function hasMintPermissionFor(uint256, JBRuleset calldata, address) external pure returns (bool) {
+        return false;
+    }
+
+    function setPoolFor(uint256, PoolKey calldata, uint256, address) external pure {}
+    function setPoolFor(uint256, uint24, int24, uint256, address) external pure {}
+    function initializePoolFor(uint256, uint24, int24, uint256, address, uint160) external pure {}
+
+    function supportsInterface(bytes4 interfaceId) external pure returns (bool) {
+        return interfaceId == type(IJBRulesetDataHook).interfaceId || interfaceId == type(IERC165).interfaceId;
+    }
+}
+
+contract CodexREVOwnerRemoteSurplusCurrencyMismatchTest is TestBaseWorkflow {
+    REVOwner internal ownerHook;
+    CurrencyAwareSuckerRegistry internal suckerRegistry;
+    EchoBuybackRegistry internal buybackRegistry;
+
+    uint32 internal constant ETH_CURRENCY = 1;
+
+    function setUp() public override {
+        super.setUp();
+
+        suckerRegistry = new CurrencyAwareSuckerRegistry();
+        buybackRegistry = new EchoBuybackRegistry();
+
+        ownerHook = new REVOwner(
+            IJBBuybackHookRegistry(address(buybackRegistry)),
+            jbDirectory(),
+            999_999,
+            IJBSuckerRegistry(address(suckerRegistry)),
+            address(0),
+            address(0)
+        );
+    }
+
+    function test_beforeCashOutRecordedWith_usesTokenAddressInsteadOfCurrencyForRemoteSurplus() public {
+        suckerRegistry.setRemoteValues(ETH_CURRENCY, 500 ether, 900 ether);
+
+        address usdToken = address(0xBEEF);
+
+        JBBeforeCashOutRecordedContext memory context = JBBeforeCashOutRecordedContext({
+            terminal: address(jbMultiTerminal()),
+            holder: address(0xCAFE),
+            projectId: 1,
+            rulesetId: 0,
+            cashOutCount: 100 ether,
+            totalSupply: 1000 ether,
+            surplus: JBTokenAmount({token: usdToken, value: 100 ether, decimals: 18, currency: ETH_CURRENCY}),
+            useTotalSurplus: true,
+            cashOutTaxRate: 0,
+            beneficiaryIsFeeless: false,
+            metadata: ""
+        });
+
+        (,, uint256 returnedSupply, uint256 returnedSurplus,) = ownerHook.beforeCashOutRecordedWith(context);
+
+        assertEq(returnedSupply, 1500 ether, "remote supply should still be included");
+        assertEq(
+            returnedSurplus,
+            100 ether,
+            "remote surplus is incorrectly dropped because REVOwner keys by token address instead of currency"
+        );
+        assertEq(
+            suckerRegistry.remoteSurplusOf(1, 18, ETH_CURRENCY),
+            900 ether,
+            "registry confirms surplus exists for the requested currency"
+        );
+    }
+}

package/test/audit/SupportsInterfaceTest.t.sol

@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+/// @notice Regression test for missing IERC165 support: REVOwner.supportsInterface omits IERC165.
+contract AuditFixL17Test is Test {
+    REVOwner revOwner;
+
+    function setUp() public {
+        revOwner = new REVOwner(
+            IJBBuybackHookRegistry(makeAddr("buybackHook")),
+            IJBDirectory(makeAddr("directory")),
+            1, // feeRevnetId
+            IJBSuckerRegistry(makeAddr("suckerRegistry")),
+            makeAddr("loans"),
+            makeAddr("hiddenTokens")
+        );
+    }
+
+    /// @notice supportsInterface returns true for IERC165 (0x01ffc9a7).
+    function test_supportsInterface_IERC165() public view {
+        assertTrue(revOwner.supportsInterface(type(IERC165).interfaceId), "should support IERC165");
+        assertEq(type(IERC165).interfaceId, bytes4(0x01ffc9a7), "IERC165 interface ID should be 0x01ffc9a7");
+    }
+
+    /// @notice supportsInterface returns true for IJBRulesetDataHook.
+    function test_supportsInterface_IJBRulesetDataHook() public view {
+        assertTrue(
+            revOwner.supportsInterface(type(IJBRulesetDataHook).interfaceId), "should support IJBRulesetDataHook"
+        );
+    }
+
+    /// @notice supportsInterface returns true for IJBCashOutHook.
+    function test_supportsInterface_IJBCashOutHook() public view {
+        assertTrue(revOwner.supportsInterface(type(IJBCashOutHook).interfaceId), "should support IJBCashOutHook");
+    }
+
+    /// @notice supportsInterface returns false for an unsupported interface.
+    function test_supportsInterface_unsupported() public view {
+        assertFalse(revOwner.supportsInterface(bytes4(0xdeadbeef)), "should not support random interface");
+    }
+}

package/test/audit/TestFeeAllowanceLeak.t.sol

@@ -0,0 +1,197 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBPayoutTerminal} from "@bananapus/core-v6/src/interfaces/IJBPayoutTerminal.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoansFeeRecovery} from "../REVLoansFeeRecovery.t.sol";
+
+contract StickyAllowanceFeeTerminal is ERC165, IJBPayoutTerminal {
+    IERC20 public immutable token;
+    address public immutable loans;
+    address public thief;
+    uint256 public stealAmount;
+
+    constructor(IERC20 _token, address _loans) {
+        token = _token;
+        loans = _loans;
+    }
+
+    function configureSteal(address _thief, uint256 _stealAmount) external {
+        thief = _thief;
+        stealAmount = _stealAmount;
+    }
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+        returns (uint256)
+    {
+        uint256 amount = stealAmount;
+        if (amount != 0) {
+            stealAmount = 0;
+            token.transferFrom(loans, thief, amount);
+        }
+        return 0;
+    }
+
+    function accountingContextForTokenOf(uint256, address) external view override returns (JBAccountingContext memory) {
+        return JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+    }
+
+    function accountingContextsOf(uint256) external pure override returns (JBAccountingContext[] memory) {
+        return new JBAccountingContext[](0);
+    }
+
+    function addAccountingContextsFor(uint256, JBAccountingContext[] calldata) external override {}
+
+    function addToBalanceOf(
+        uint256,
+        address,
+        uint256,
+        bool,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+    {}
+
+    function currentSurplusOf(uint256, address[] calldata, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function migrateBalanceOf(uint256, address, IJBTerminal) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function sendPayoutsOf(uint256, address, uint256, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function useAllowanceOf(
+        uint256,
+        address,
+        uint256,
+        uint256,
+        uint256,
+        address payable,
+        address payable,
+        string calldata
+    )
+        external
+        pure
+        override
+        returns (uint256)
+    {
+        return 0;
+    }
+
+    function previewPayFor(
+        uint256,
+        address,
+        uint256,
+        address,
+        bytes calldata
+    )
+        external
+        pure
+        override
+        returns (JBRuleset memory, uint256, uint256, JBPayHookSpecification[] memory)
+    {
+        JBRuleset memory ruleset;
+        return (ruleset, 0, 0, new JBPayHookSpecification[](0));
+    }
+
+    function supportsInterface(bytes4 interfaceId) public view override(ERC165, IERC165) returns (bool) {
+        return interfaceId == type(IJBTerminal).interfaceId || interfaceId == type(IJBPayoutTerminal).interfaceId
+            || super.supportsInterface(interfaceId);
+    }
+}
+
+contract TestFeeAllowanceLeak is REVLoansFeeRecovery {
+    StickyAllowanceFeeTerminal internal stickyFeeTerminal;
+    address internal attacker = makeAddr("attacker");
+
+    function _stickyFeeTerminal() internal returns (StickyAllowanceFeeTerminal) {
+        if (address(stickyFeeTerminal) == address(0)) {
+            stickyFeeTerminal = new StickyAllowanceFeeTerminal(TOKEN, address(LOANS_CONTRACT));
+        }
+        return stickyFeeTerminal;
+    }
+
+    /// @notice Verifies that stale allowance is cleared — the original exploit no longer works.
+    /// @dev Previously, a sticky fee terminal could accumulate reusable allowance across borrows.
+    ///      After the fix (_afterTransferTo clears allowance on success), the allowance is zero.
+    function test_feeTerminalCannotHarvestStaleAllowanceAfterFix() public {
+        StickyAllowanceFeeTerminal terminal = _stickyFeeTerminal();
+
+        vm.mockCall(
+            address(jbDirectory()),
+            abi.encodeWithSelector(IJBDirectory.primaryTerminalOf.selector, FEE_PROJECT_ID, address(TOKEN)),
+            abi.encode(address(terminal))
+        );
+
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+        uint256 payAmount = 1_000_000;
+
+        deal(address(TOKEN), USER, payAmount * 2);
+
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount * 2);
+        uint256 firstTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, firstTokenCount, payable(USER), 25, USER);
+
+        // Allowance is now cleared after successful fee payment.
+        uint256 allowanceAfterBorrow = TOKEN.allowance(address(LOANS_CONTRACT), address(stickyFeeTerminal));
+        assertEq(allowanceAfterBorrow, 0, "no stale allowance after successful borrow");
+
+        // The uncollected fee is still parked in REVLoans (terminal didn't pull it),
+        // but there's no allowance for the terminal to steal it later.
+        uint256 loansBalance = TOKEN.balanceOf(address(LOANS_CONTRACT));
+        assertGt(loansBalance, 0, "uncollected fee is parked in REVLoans");
+
+        // Second borrow — terminal tries to steal but can't because allowance is 0.
+        vm.prank(USER);
+        uint256 secondTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+
+        terminal.configureSteal(attacker, loansBalance);
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, secondTokenCount, payable(USER), 25, USER);
+
+        // The attacker gets nothing — the steal attempt fails silently (transferFrom reverts,
+        // caught by _tryPayFee's try-catch).
+        assertEq(TOKEN.balanceOf(attacker), 0, "attacker cannot drain stale allowance");
+
+        // And the current borrow also leaves zero allowance.
+        assertEq(
+            TOKEN.allowance(address(LOANS_CONTRACT), address(terminal)),
+            0,
+            "no fresh stale allowance after second borrow"
+        );
+    }
+}

package/test/audit/TestLoansAndDeployerFixes.t.sol

@@ -0,0 +1,576 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+/// @title TestLoansAndDeployerFixes
+/// @notice Regression tests for approval cleanup, stale source skip, and stage ordering.
+
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBPayoutTerminal} from "@bananapus/core-v6/src/interfaces/IJBPayoutTerminal.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBSingleAllowance} from "@bananapus/core-v6/src/structs/JBSingleAllowance.sol";
+import {JBSplit} from "@bananapus/core-v6/src/structs/JBSplit.sol";
+import {JBTerminalConfig} from "@bananapus/core-v6/src/structs/JBTerminalConfig.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoan} from "../../src/structs/REVLoan.sol";
+import {REVStageConfig, REVAutoIssuance} from "../../src/structs/REVStageConfig.sol";
+import {REVConfig} from "../../src/structs/REVConfig.sol";
+import {REVDescription} from "../../src/structs/REVDescription.sol";
+import {REVSuckerDeploymentConfig} from "../../src/structs/REVSuckerDeploymentConfig.sol";
+import {REVDeployer} from "../../src/REVDeployer.sol";
+import {REVLoans} from "../../src/REVLoans.sol";
+import {REVEmpty721Config} from "../helpers/REVEmpty721Config.sol";
+import {REVLoansFeeRecovery, FeeRecoveryProjectConfig} from "../REVLoansFeeRecovery.t.sol";
+
+// ============================================================================
+// Main test contract — extends REVLoansFeeRecovery to reuse full setup.
+// ============================================================================
+
+contract TestLoansAndDeployerFixes is REVLoansFeeRecovery {
+    // ========================================================================
+    // Helpers
+    // ========================================================================
+
+    /// @notice Mock the burn-tokens permission without requiring it to be called.
+    /// Use this instead of _mockLoanPermission when the borrow may revert before
+    /// the burn is reached, or in other cases where vm.expectCall would cause a
+    /// spurious failure.
+    function _mockLoanPermissionNoExpect(address user) internal {
+        vm.mockCall(
+            address(jbPermissions()),
+            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), user, REVNET_ID, 11, true, true)),
+            abi.encode(true)
+        );
+    }
+
+    /// @notice Mock the repay-loan permission without requiring it to be called.
+    /// repayLoan calls _requirePermissionFrom(loanOwner, ..., REPAY_LOAN), but when
+    /// sender == loanOwner the hasPermission call is skipped entirely. We still mock
+    /// the call in case the path changes, but do not set expectCall.
+    function _mockRepayPermissionNoExpect(address user) internal {
+        vm.mockCall(
+            address(jbPermissions()),
+            abi.encodeCall(IJBPermissions.hasPermission, (user, user, REVNET_ID, 12, true, true)),
+            abi.encode(true)
+        );
+    }
+
+    // ========================================================================
+    // Stale ERC20 Approval Cleanup
+    // ========================================================================
+    // After _tryPayFee (in _addTo) or _removeFrom, the ERC20 allowance from
+    // the LOANS_CONTRACT to the terminal must be zero. The _afterTransferTo
+    // call now force-approves to 0 after successful transfers, and the catch
+    // block in _tryPayFee uses safeDecreaseAllowance on failure.
+    // ========================================================================
+
+    /// @notice After an ERC20 borrow, the allowance from LOANS_CONTRACT to the terminal is 0.
+    function test_erc20BorrowLeavesZeroAllowanceToTerminal() public {
+        uint256 payAmount = 1_000_000; // 6 decimals for TOKEN
+        deal(address(TOKEN), USER, payAmount);
+
+        // Pay into revnet with ERC-20.
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount);
+        uint256 tokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(USER), 25, USER);
+
+        // Allowance to the terminal must be zero after successful borrow.
+        assertEq(
+            IERC20(address(TOKEN)).allowance(address(LOANS_CONTRACT), address(jbMultiTerminal())),
+            0,
+            "Stale allowance to terminal after ERC20 borrow"
+        );
+    }
+
+    /// @notice After a native ETH borrow, verify no stale state (native token has no allowance concept, but
+    /// the loans contract balance must be zero).
+    function test_nativeBorrowLeavesNoFundsStuck() public {
+        (, uint256 balanceBefore, uint256 balanceAfter) = _borrowNative(USER, 10e18, 25);
+
+        uint256 received = balanceAfter - balanceBefore;
+        assertGt(received, 0, "Borrower should receive ETH");
+
+        // No ETH stuck in the loans contract.
+        assertEq(address(LOANS_CONTRACT).balance, 0, "No ETH stuck in loans contract after native borrow");
+    }
+
+    /// @notice After an ERC20 borrow where the fee terminal reverts, the allowance from
+    /// LOANS_CONTRACT to the fee terminal is also 0 (catch block cleans it up).
+    function test_erc20BorrowWithRevertingFeeTerminalCleansAllowance() public {
+        // Mock the fee terminal to revert for TOKEN.
+        _mockRevertingFeeTerminal(address(TOKEN));
+
+        uint256 payAmount = 1_000_000;
+        deal(address(TOKEN), USER, payAmount);
+
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount);
+        uint256 tokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(USER), 25, USER);
+
+        // Allowance to the REVERTING terminal must be 0 (catch block cleaned it up).
+        assertEq(
+            IERC20(address(TOKEN)).allowance(address(LOANS_CONTRACT), address(REVERTING_TERMINAL)),
+            0,
+            "Stale allowance to reverting fee terminal after borrow"
+        );
+
+        // Allowance to the regular terminal must also be 0.
+        assertEq(
+            IERC20(address(TOKEN)).allowance(address(LOANS_CONTRACT), address(jbMultiTerminal())),
+            0,
+            "Stale allowance to terminal after borrow with reverting fee terminal"
+        );
+
+        // No tokens stuck.
+        assertEq(IERC20(address(TOKEN)).balanceOf(address(LOANS_CONTRACT)), 0, "No ERC20 stuck in loans contract");
+    }
+
+    /// @notice After a full ERC20 loan repayment (_removeFrom path), the allowance to the terminal is 0.
+    function test_erc20RepaymentLeavesZeroAllowance() public {
+        uint256 payAmount = 1_000_000;
+        deal(address(TOKEN), USER, payAmount * 2); // Extra for repayment
+
+        // Pay into revnet.
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount);
+        uint256 tokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+
+        // Borrow.
+        vm.prank(USER);
+        (uint256 loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(USER), 25, USER);
+
+        // Read loan details to get repay amount.
+        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
+
+        // Mock repay permission (no expectCall — sender == loanOwner so hasPermission is skipped).
+        _mockRepayPermissionNoExpect(USER);
+
+        // Approve the loans contract to pull tokens for repayment via permit2 or direct transfer.
+        uint256 maxRepay = loan.amount * 2; // Generous max to cover fees.
+        deal(address(TOKEN), USER, maxRepay);
+        vm.startPrank(USER);
+        TOKEN.approve(address(LOANS_CONTRACT), maxRepay);
+        LOANS_CONTRACT.repayLoan({
+            loanId: loanId,
+            maxRepayBorrowAmount: maxRepay,
+            collateralCountToReturn: loan.collateral,
+            beneficiary: payable(USER),
+            allowance: JBSingleAllowance({sigDeadline: 0, amount: 0, expiration: 0, nonce: 0, signature: ""})
+        });
+        vm.stopPrank();
+
+        // After repayment (_removeFrom), allowance to terminal must be 0.
+        assertEq(
+            IERC20(address(TOKEN)).allowance(address(LOANS_CONTRACT), address(jbMultiTerminal())),
+            0,
+            "Stale allowance to terminal after ERC20 repayment"
+        );
+    }
+
+    // ========================================================================
+    // Stale Loan Source DoS Prevention
+    // ========================================================================
+    // _totalBorrowedFrom must skip sources with zero balance (totalBorrowedFrom == 0)
+    // BEFORE calling accountingContextForTokenOf on the terminal. This prevents DoS
+    // when a stale terminal starts reverting.
+    // ========================================================================
+
+    /// @notice After fully repaying a loan, if the source terminal starts reverting on
+    /// accountingContextForTokenOf, subsequent borrows from other sources still work.
+    function test_staleLoanSourceDoesNotBlockNewBorrows() public {
+        // Step 1: Borrow from native ETH source.
+        vm.prank(USER);
+        uint256 nativeTokens =
+            jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, USER, 0, "", "");
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory nativeSource =
+            REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        (uint256 loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, nativeSource, 0, nativeTokens, payable(USER), 25, USER);
+
+        // Step 2: Fully repay the native loan so totalBorrowedFrom goes to 0.
+        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
+
+        // Mock repay permission (no expectCall — sender == loanOwner so hasPermission is skipped).
+        _mockRepayPermissionNoExpect(USER);
+
+        uint256 maxRepay = loan.amount * 2;
+        vm.deal(USER, USER.balance + maxRepay);
+        vm.prank(USER);
+        LOANS_CONTRACT.repayLoan{value: maxRepay}({
+            loanId: loanId,
+            maxRepayBorrowAmount: maxRepay,
+            collateralCountToReturn: loan.collateral,
+            beneficiary: payable(USER),
+            allowance: JBSingleAllowance({sigDeadline: 0, amount: 0, expiration: 0, nonce: 0, signature: ""})
+        });
+
+        // Confirm the totalBorrowedFrom for native source is now 0.
+        assertEq(
+            LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN),
+            0,
+            "totalBorrowedFrom should be 0 after full repay"
+        );
+
+        // Step 3: Mock the terminal to revert on accountingContextForTokenOf for native token.
+        // This simulates a stale terminal that has been removed or broken.
+        vm.mockCallRevert(
+            address(jbMultiTerminal()),
+            abi.encodeWithSelector(
+                IJBTerminal.accountingContextForTokenOf.selector, REVNET_ID, JBConstants.NATIVE_TOKEN
+            ),
+            "terminal removed"
+        );
+
+        // Step 4: Pay into revnet with ERC20 and borrow from ERC20 source.
+        // The _totalBorrowedFrom loop should skip the native source (balance is 0)
+        // without calling accountingContextForTokenOf on it.
+        uint256 payAmount = 1_000_000;
+        deal(address(TOKEN), USER, payAmount);
+
+        // We need to clear the mock for ERC20-related calls on the terminal.
+        // The mock only targets native token, so ERC20 calls should still work.
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount);
+        uint256 erc20Tokens = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory erc20Source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+
+        // This should NOT revert despite the native source terminal reverting on accountingContextForTokenOf.
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, erc20Source, 0, erc20Tokens, payable(USER), 25, USER);
+
+        // If we got here, the zero-balance source was successfully skipped.
+        assertGt(
+            LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), address(TOKEN)),
+            0,
+            "ERC20 borrow should succeed despite stale native source"
+        );
+    }
+
+    /// @notice Verify that _totalBorrowedFrom correctly counts non-zero sources.
+    function test_nonZeroSourcesStillCounted() public {
+        // Borrow from native source (leave it outstanding).
+        vm.prank(USER);
+        uint256 nativeTokens =
+            jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, USER, 0, "", "");
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory nativeSource =
+            REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, nativeSource, 0, nativeTokens, payable(USER), 25, USER);
+
+        // Confirm totalBorrowedFrom is non-zero.
+        assertGt(
+            LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN),
+            0,
+            "totalBorrowedFrom should be non-zero for outstanding loan"
+        );
+
+        // Now borrow from ERC20 source as well — _totalBorrowedFrom should read both.
+        uint256 payAmount = 1_000_000;
+        deal(address(TOKEN), USER, payAmount);
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount);
+        uint256 erc20Tokens = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        REVLoanSource memory erc20Source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+
+        // This call internally invokes _totalBorrowedFrom which reads both sources.
+        // If it incorrectly skips non-zero sources, the borrowable amount calculation would be wrong.
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, erc20Source, 0, erc20Tokens, payable(USER), 25, USER);
+
+        assertGt(
+            LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), address(TOKEN)),
+            0,
+            "ERC20 borrow should record totalBorrowedFrom"
+        );
+    }
+
+    // ========================================================================
+    // Cross-Chain startsAtOrAfter Normalization
+    // ========================================================================
+    // When stage 0 has startsAtOrAfter=0, it is normalized to block.timestamp.
+    // Stage 1 must have startsAtOrAfter > block.timestamp (the normalized value),
+    // otherwise REVDeployer_StageTimesMustIncrease is reverted.
+    // ========================================================================
+
+    /// @notice Deploying a revnet where stage 0 startsAtOrAfter=0 and stage 1 startsAtOrAfter=1
+    /// (less than block.timestamp) must revert with REVDeployer_StageTimesMustIncrease.
+    function test_stageTimesRevertWhenStage1BeforeBlockTimestamp() public {
+        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](2);
+        uint256 decimalMultiplier = 10 ** 18;
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
+        issuanceConfs[0] = REVAutoIssuance({
+            // forge-lint: disable-next-line(unsafe-typecast)
+            chainId: uint32(block.chainid),
+            // forge-lint: disable-next-line(unsafe-typecast)
+            count: uint104(70_000 * decimalMultiplier),
+            beneficiary: multisig()
+        });
+
+        // Stage 0: startsAtOrAfter = 0 (normalized to block.timestamp).
+        stageConfigurations[0] = REVStageConfig({
+            startsAtOrAfter: 0, // Normalized to block.timestamp
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(1000 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        // Stage 1: startsAtOrAfter = 1 (definitely < block.timestamp).
+        stageConfigurations[1] = REVStageConfig({
+            startsAtOrAfter: 1, // 1 < block.timestamp, should fail
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(500 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
+        accountingContextsToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        terminalConfigurations[0] =
+            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
+
+        REVConfig memory config = REVConfig({
+            description: REVDescription({
+                name: "StageOrderTest", ticker: "$SOT", uri: "ipfs://test", salt: "STAGE_ORDER_SALT_REVERT"
+            }),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stageConfigurations
+        });
+
+        REVSuckerDeploymentConfig memory suckerConfig = REVSuckerDeploymentConfig({
+            deployerConfigurations: new JBSuckerDeployerConfig[](0),
+            salt: keccak256(abi.encodePacked("STAGE_ORDER_REVERT"))
+        });
+
+        // This should revert because stage 1 start (1) < block.timestamp (the normalized stage 0 start).
+        vm.expectRevert(abi.encodeWithSelector(REVDeployer.REVDeployer_StageTimesMustIncrease.selector));
+        REV_DEPLOYER.deployFor({
+            revnetId: 0,
+            configuration: config,
+            terminalConfigurations: terminalConfigurations,
+            suckerDeploymentConfiguration: suckerConfig,
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+
+    /// @notice Deploying with stage 0 startsAtOrAfter=0 and stage 1 startsAtOrAfter > block.timestamp
+    /// should succeed.
+    function test_stageTimesSucceedWhenStage1AfterBlockTimestamp() public {
+        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](2);
+        uint256 decimalMultiplier = 10 ** 18;
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
+        issuanceConfs[0] = REVAutoIssuance({
+            // forge-lint: disable-next-line(unsafe-typecast)
+            chainId: uint32(block.chainid),
+            // forge-lint: disable-next-line(unsafe-typecast)
+            count: uint104(70_000 * decimalMultiplier),
+            beneficiary: multisig()
+        });
+
+        // Stage 0: startsAtOrAfter = 0 (normalized to block.timestamp).
+        stageConfigurations[0] = REVStageConfig({
+            startsAtOrAfter: 0,
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(1000 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        // Stage 1: startsAtOrAfter = block.timestamp + 100 (after normalized stage 0 start).
+        stageConfigurations[1] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp + 100),
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(500 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
+        accountingContextsToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        terminalConfigurations[0] =
+            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
+
+        REVConfig memory config = REVConfig({
+            description: REVDescription({
+                name: "StageOrderTestOK", ticker: "$SOTOK", uri: "ipfs://test", salt: "STAGE_ORDER_SALT_SUCCESS"
+            }),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stageConfigurations
+        });
+
+        REVSuckerDeploymentConfig memory suckerConfig = REVSuckerDeploymentConfig({
+            deployerConfigurations: new JBSuckerDeployerConfig[](0),
+            salt: keccak256(abi.encodePacked("STAGE_ORDER_SUCCESS"))
+        });
+
+        // This should succeed because stage 1 start > block.timestamp (the normalized stage 0 start).
+        (uint256 newRevnetId,) = REV_DEPLOYER.deployFor({
+            revnetId: 0,
+            configuration: config,
+            terminalConfigurations: terminalConfigurations,
+            suckerDeploymentConfiguration: suckerConfig,
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+
+        assertGt(newRevnetId, 0, "Deployment should succeed and return a valid revnet ID");
+    }
+
+    /// @notice Stage 1 startsAtOrAfter == block.timestamp (equal to normalized stage 0) must also revert
+    /// because the check is strictly greater-than.
+    function test_stageTimesRevertWhenStage1EqualsBlockTimestamp() public {
+        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](2);
+        uint256 decimalMultiplier = 10 ** 18;
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
+        issuanceConfs[0] = REVAutoIssuance({
+            // forge-lint: disable-next-line(unsafe-typecast)
+            chainId: uint32(block.chainid),
+            // forge-lint: disable-next-line(unsafe-typecast)
+            count: uint104(70_000 * decimalMultiplier),
+            beneficiary: multisig()
+        });
+
+        // Stage 0: startsAtOrAfter = 0 (normalized to block.timestamp).
+        stageConfigurations[0] = REVStageConfig({
+            startsAtOrAfter: 0,
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(1000 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        // Stage 1: startsAtOrAfter = block.timestamp (same as normalized stage 0, must fail).
+        stageConfigurations[1] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp),
+            autoIssuances: issuanceConfs,
+            splitPercent: 2000,
+            splits: splits,
+            // forge-lint: disable-next-line(unsafe-typecast)
+            initialIssuance: uint112(500 * decimalMultiplier),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
+        accountingContextsToAccept[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+
+        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
+        terminalConfigurations[0] =
+            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
+
+        REVConfig memory config = REVConfig({
+            description: REVDescription({
+                name: "StageOrderEqual", ticker: "$SOTEQ", uri: "ipfs://test", salt: "STAGE_ORDER_SALT_EQUAL"
+            }),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stageConfigurations
+        });
+
+        REVSuckerDeploymentConfig memory suckerConfig = REVSuckerDeploymentConfig({
+            deployerConfigurations: new JBSuckerDeployerConfig[](0),
+            salt: keccak256(abi.encodePacked("STAGE_ORDER_EQUAL"))
+        });
+
+        // This should revert because stage 1 start == block.timestamp == normalized stage 0 start.
+        // The check is `effectiveStart <= previousStageStart`, so equality triggers revert.
+        vm.expectRevert(abi.encodeWithSelector(REVDeployer.REVDeployer_StageTimesMustIncrease.selector));
+        REV_DEPLOYER.deployFor({
+            revnetId: 0,
+            configuration: config,
+            terminalConfigurations: terminalConfigurations,
+            suckerDeploymentConfiguration: suckerConfig,
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+}