@rev-net/core-v6 0.0.35 → 0.0.37

package/test/audit/ReallocatePermission.t.sol

@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import /* {*} from */ "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import /* {*} from */ "../../src/REVDeployer.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@croptop/core-v6/src/CTPublisher.sol";
+import {MockBuybackDataHook} from "../mock/MockBuybackDataHook.sol";
+import {REVEmpty721Config} from "../helpers/REVEmpty721Config.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@croptop/core-v6/script/helpers/CroptopDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/router-terminal-v6/script/helpers/RouterTerminalDeploymentLib.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {REVLoans} from "../../src/REVLoans.sol";
+import {REVLoan} from "../../src/structs/REVLoan.sol";
+import {REVStageConfig, REVAutoIssuance} from "../../src/structs/REVStageConfig.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVDescription} from "../../src/structs/REVDescription.sol";
+import {IREVLoans} from "../../src/interfaces/IREVLoans.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+import {JBSuckerRegistry} from "@bananapus/suckers-v6/src/JBSuckerRegistry.sol";
+import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
+import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
+import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
+import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
+import {IJB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721CheckpointsDeployer.sol";
+import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
+import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/IJBAddressRegistry.sol";
+import {REVOwner} from "../../src/REVOwner.sol";
+import {IREVDeployer} from "../../src/interfaces/IREVDeployer.sol";
+import {MockSuckerRegistry} from "../mock/MockSuckerRegistry.sol";
+
+/// @notice Verify that reallocateCollateralFromLoan works with only REALLOCATE_LOAN permission,
+/// without requiring OPEN_LOAN. Also verify that borrowFrom still requires OPEN_LOAN (regression).
+contract ReallocatePermissionTest is TestBaseWorkflow {
+    // forge-lint: disable-next-line(mixed-case-variable)
+    bytes32 REV_DEPLOYER_SALT = "REVDeployer";
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    REVDeployer REV_DEPLOYER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    REVOwner REV_OWNER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    JB721TiersHook EXAMPLE_HOOK;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJB721TiersHookDeployer HOOK_DEPLOYER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJB721TiersHookStore HOOK_STORE;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJBAddressRegistry ADDRESS_REGISTRY;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IREVLoans LOANS_CONTRACT;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJBSuckerRegistry SUCKER_REGISTRY;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    CTPublisher PUBLISHER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    MockBuybackDataHook MOCK_BUYBACK;
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    uint256 FEE_PROJECT_ID;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    uint256 REVNET_ID;
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    address HOLDER = makeAddr("holder");
+    // forge-lint: disable-next-line(mixed-case-variable)
+    address OPERATOR = makeAddr("operator");
+
+    address private constant TRUSTED_FORWARDER = 0xB2b5841DBeF766d4b521221732F9B618fCf34A87;
+
+    function setUp() public override {
+        super.setUp();
+
+        FEE_PROJECT_ID = jbProjects().createFor(multisig());
+        SUCKER_REGISTRY = new JBSuckerRegistry(jbDirectory(), jbPermissions(), multisig(), address(0));
+        HOOK_STORE = new JB721TiersHookStore();
+        EXAMPLE_HOOK = new JB721TiersHook(
+            jbDirectory(),
+            jbPermissions(),
+            jbPrices(),
+            jbRulesets(),
+            HOOK_STORE,
+            jbSplits(),
+            IJB721CheckpointsDeployer(address(new JB721CheckpointsDeployer())),
+            multisig()
+        );
+        ADDRESS_REGISTRY = new JBAddressRegistry();
+        HOOK_DEPLOYER = new JB721TiersHookDeployer(EXAMPLE_HOOK, HOOK_STORE, ADDRESS_REGISTRY, multisig());
+        PUBLISHER = new CTPublisher(jbDirectory(), jbPermissions(), FEE_PROJECT_ID, multisig());
+        MOCK_BUYBACK = new MockBuybackDataHook();
+
+        LOANS_CONTRACT = new REVLoans({
+            controller: jbController(),
+            suckerRegistry: IJBSuckerRegistry(address(new MockSuckerRegistry())),
+            revId: FEE_PROJECT_ID,
+            owner: address(this),
+            permit2: permit2(),
+            trustedForwarder: TRUSTED_FORWARDER
+        });
+
+        REV_OWNER = new REVOwner(
+            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
+            jbDirectory(),
+            FEE_PROJECT_ID,
+            SUCKER_REGISTRY,
+            address(LOANS_CONTRACT),
+            address(0)
+        );
+
+        REV_DEPLOYER = new REVDeployer{salt: REV_DEPLOYER_SALT}(
+            jbController(),
+            SUCKER_REGISTRY,
+            FEE_PROJECT_ID,
+            HOOK_DEPLOYER,
+            PUBLISHER,
+            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
+            address(LOANS_CONTRACT),
+            TRUSTED_FORWARDER,
+            address(REV_OWNER)
+        );
+
+        REV_OWNER.setDeployer(REV_DEPLOYER);
+
+        vm.prank(multisig());
+        jbProjects().approve(address(REV_DEPLOYER), FEE_PROJECT_ID);
+
+        _deployFeeProject();
+        _deployRevnet();
+
+        vm.deal(HOLDER, 1000 ether);
+        vm.deal(OPERATOR, 100 ether);
+    }
+
+    function _deployFeeProject() internal {
+        JBAccountingContext[] memory acc = new JBAccountingContext[](1);
+        acc[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
+        tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: acc});
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory ai = new REVAutoIssuance[](1);
+        ai[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
+
+        REVStageConfig[] memory stages = new REVStageConfig[](1);
+        stages[0] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp),
+            autoIssuances: ai,
+            splitPercent: 2000,
+            splits: splits,
+            initialIssuance: uint112(1000e18),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        REVConfig memory cfg = REVConfig({
+            description: REVDescription("Revnet", "$REV", "ipfs://test", "REV_TOKEN"),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stages
+        });
+
+        vm.prank(multisig());
+        REV_DEPLOYER.deployFor({
+            revnetId: FEE_PROJECT_ID,
+            configuration: cfg,
+            terminalConfigurations: tc,
+            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
+                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("FEE")
+            }),
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+
+    function _deployRevnet() internal {
+        JBAccountingContext[] memory acc = new JBAccountingContext[](1);
+        acc[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
+        tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: acc});
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory ai = new REVAutoIssuance[](1);
+        ai[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
+
+        REVStageConfig[] memory stages = new REVStageConfig[](1);
+        stages[0] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp),
+            autoIssuances: ai,
+            splitPercent: 2000,
+            splits: splits,
+            initialIssuance: uint112(1000e18),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        REVConfig memory cfg = REVConfig({
+            description: REVDescription("NANA", "$NANA", "ipfs://test2", "NANA_TOKEN"),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stages
+        });
+
+        (REVNET_ID,) = REV_DEPLOYER.deployFor({
+            revnetId: 0,
+            configuration: cfg,
+            terminalConfigurations: tc,
+            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
+                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("NANA")
+            }),
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+
+    /// @notice Helper: Grant a specific permission to an operator for HOLDER on REVNET_ID using real JBPermissions.
+    function _grantPermission(address operator, uint256 permissionId) internal {
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = uint8(permissionId);
+        vm.prank(HOLDER);
+        jbPermissions()
+            .setPermissionsFor({
+            account: HOLDER,
+            permissionsData: JBPermissionsData({
+            operator: operator, projectId: uint64(REVNET_ID), permissionIds: permissionIds
+        })
+        });
+    }
+
+    /// @notice Helper: create an initial loan for the HOLDER.
+    function _createInitialLoan() internal returns (uint256 loanId, uint256 tokenCount) {
+        // HOLDER pays into the revnet to get tokens.
+        vm.prank(HOLDER);
+        tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        // Grant LOANS_CONTRACT the BURN_TOKENS permission so it can burn HOLDER's tokens as collateral.
+        _grantPermission(address(LOANS_CONTRACT), JBPermissionIds.BURN_TOKENS);
+
+        // HOLDER calls borrowFrom directly (sender == holder, so OPEN_LOAN check is short-circuited).
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(HOLDER);
+        (loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+    }
+
+    /// @notice After fix: an operator with only REALLOCATE_LOAN permission can reallocate.
+    /// @dev Before the fix, this would revert because the inner borrowFrom call required OPEN_LOAN.
+    function test_reallocate_succeeds_with_only_REALLOCATE_LOAN_permission() public {
+        (uint256 loanId,) = _createInitialLoan();
+        require(loanId != 0, "Loan setup failed");
+
+        // Donate to inflate surplus so collateral reallocation is meaningful.
+        address donor = makeAddr("donor");
+        vm.deal(donor, 500 ether);
+        vm.prank(donor);
+        jbMultiTerminal().addToBalanceOf{value: 500 ether}(
+            REVNET_ID, JBConstants.NATIVE_TOKEN, 500 ether, false, "", ""
+        );
+
+        // HOLDER pays more to get extra tokens for the new loan's additional collateral.
+        vm.prank(HOLDER);
+        uint256 extraTokens =
+            jbMultiTerminal().pay{value: 50 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 50 ether, HOLDER, 0, "", "");
+
+        // Get the loan's collateral count.
+        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
+        uint256 collateralToTransfer = loan.collateral / 10;
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // Grant OPERATOR only REALLOCATE_LOAN permission (NOT OPEN_LOAN).
+        _grantPermission(OPERATOR, JBPermissionIds.REALLOCATE_LOAN);
+
+        // This should succeed: OPERATOR has REALLOCATE_LOAN, and _borrowFrom skips OPEN_LOAN check.
+        vm.prank(OPERATOR);
+        (uint256 reallocatedLoanId, uint256 newLoanId,,) = LOANS_CONTRACT.reallocateCollateralFromLoan(
+            loanId,
+            collateralToTransfer,
+            source,
+            0, // minBorrowAmount
+            extraTokens,
+            payable(HOLDER),
+            25 // prepaidFeePercent
+        );
+
+        // Verify both loans were created.
+        assertTrue(reallocatedLoanId != 0, "Reallocated loan should exist");
+        assertTrue(newLoanId != 0, "New loan should exist");
+    }
+
+    /// @notice Regression: borrowFrom still requires OPEN_LOAN permission.
+    /// @dev An operator with only REALLOCATE_LOAN should NOT be able to call borrowFrom directly.
+    function test_borrowFrom_still_requires_OPEN_LOAN() public {
+        // HOLDER pays into the revnet.
+        vm.prank(HOLDER);
+        uint256 tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // OPERATOR does NOT have OPEN_LOAN permission (no permission granted at all).
+        vm.prank(OPERATOR);
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector,
+                HOLDER, // account
+                OPERATOR, // sender
+                REVNET_ID, // projectId
+                JBPermissionIds.OPEN_LOAN // permissionId
+            )
+        );
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+    }
+
+    /// @notice Verify that borrowFrom succeeds when the caller has OPEN_LOAN permission.
+    function test_borrowFrom_succeeds_with_OPEN_LOAN() public {
+        // HOLDER pays into the revnet.
+        vm.prank(HOLDER);
+        uint256 tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // Grant OPERATOR the OPEN_LOAN permission.
+        _grantPermission(OPERATOR, JBPermissionIds.OPEN_LOAN);
+        // Grant LOANS_CONTRACT the BURN_TOKENS permission so it can burn tokens for collateral.
+        _grantPermission(address(LOANS_CONTRACT), JBPermissionIds.BURN_TOKENS);
+
+        vm.prank(OPERATOR);
+        (uint256 loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+        assertTrue(loanId != 0, "Loan should be created successfully");
+    }
+}

package/test/audit/RemoteLoanAccountingGap.t.sol

@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {TestAuditFixVerification} from "../TestAuditFixVerification.t.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBCashOuts} from "@bananapus/core-v6/src/libraries/JBCashOuts.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoan} from "../../src/structs/REVLoan.sol";
+
+contract CodexRemoteLoanAccountingGap is TestAuditFixVerification {
+    function test_remoteLoanStateInflatesLocalBorrowability() public {
+        uint256 payAmount = 100 ether;
+
+        vm.prank(USER);
+        uint256 tokens =
+            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
+
+        // Simulate a peer chain that started from 100 ETH / 100k tokens, then originated a loan against
+        // 50k burned-collateral tokens. The registry only exports the raw post-loan values, not the
+        // remote loan's economic adjustments.
+        uint256 remoteRawSupply = 50_000e18;
+        uint256 remoteRawSurplus = 62.5e18;
+        uint256 remoteLoanCollateral = 50_000e18;
+        uint256 remoteLoanDebt = 37.5e18;
+        MOCK_SUCKER_REGISTRY.setRemoteValues(remoteRawSupply, remoteRawSurplus);
+
+        uint256 collateral = tokens / 10;
+        uint256 actualBorrowable =
+            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, collateral, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
+
+        uint256 localSupply = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
+        uint256 localSurplus = jbMultiTerminal()
+            .currentSurplusOf(REVNET_ID, new address[](0), 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
+
+        uint256 correctedBorrowable = JBCashOuts.cashOutFrom({
+            surplus: localSurplus + remoteRawSurplus + remoteLoanDebt,
+            cashOutCount: collateral,
+            totalSupply: localSupply + remoteRawSupply + remoteLoanCollateral,
+            cashOutTaxRate: 5000
+        });
+
+        if (correctedBorrowable > localSurplus) correctedBorrowable = localSurplus;
+
+        assertGt(actualBorrowable, correctedBorrowable, "raw remote values should overstate borrowability");
+
+        _grantLoansBurnPermission(USER, REVNET_ID);
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        (, REVLoan memory loan) =
+            LOANS_CONTRACT.borrowFrom(REVNET_ID, source, actualBorrowable, collateral, payable(USER), 25, USER);
+
+        assertEq(loan.amount, actualBorrowable, "loan should be opened at the inflated amount");
+        assertGt(loan.amount, correctedBorrowable, "loan exceeds the corrected omnichain value");
+    }
+
+    function _grantLoansBurnPermission(address account, uint256 revnetId) internal {
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = JBPermissionIds.BURN_TOKENS;
+
+        JBPermissionsData memory permissionsData = JBPermissionsData({
+            operator: address(LOANS_CONTRACT),
+            // forge-lint: disable-next-line(unsafe-typecast)
+            projectId: uint56(revnetId),
+            permissionIds: permissionIds
+        });
+
+        vm.prank(account);
+        jbPermissions().setPermissionsFor(account, permissionsData);
+    }
+}

package/test/audit/SupportsInterfaceTest.t.sol

@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBCashOutHook} from "@bananapus/core-v6/src/interfaces/IJBCashOutHook.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+/// @notice Regression test for missing IERC165 support: REVOwner.supportsInterface omits IERC165.
+contract AuditFixL17Test is Test {
+    REVOwner revOwner;
+
+    function setUp() public {
+        revOwner = new REVOwner(
+            IJBBuybackHookRegistry(makeAddr("buybackHook")),
+            IJBDirectory(makeAddr("directory")),
+            1, // feeRevnetId
+            IJBSuckerRegistry(makeAddr("suckerRegistry")),
+            makeAddr("loans"),
+            makeAddr("hiddenTokens")
+        );
+    }
+
+    /// @notice supportsInterface returns true for IERC165 (0x01ffc9a7).
+    function test_supportsInterface_IERC165() public view {
+        assertTrue(revOwner.supportsInterface(type(IERC165).interfaceId), "should support IERC165");
+        assertEq(type(IERC165).interfaceId, bytes4(0x01ffc9a7), "IERC165 interface ID should be 0x01ffc9a7");
+    }
+
+    /// @notice supportsInterface returns true for IJBRulesetDataHook.
+    function test_supportsInterface_IJBRulesetDataHook() public view {
+        assertTrue(
+            revOwner.supportsInterface(type(IJBRulesetDataHook).interfaceId), "should support IJBRulesetDataHook"
+        );
+    }
+
+    /// @notice supportsInterface returns true for IJBCashOutHook.
+    function test_supportsInterface_IJBCashOutHook() public view {
+        assertTrue(revOwner.supportsInterface(type(IJBCashOutHook).interfaceId), "should support IJBCashOutHook");
+    }
+
+    /// @notice supportsInterface returns false for an unsupported interface.
+    function test_supportsInterface_unsupported() public view {
+        assertFalse(revOwner.supportsInterface(bytes4(0xdeadbeef)), "should not support random interface");
+    }
+}

package/test/audit/TestFeeAllowanceLeak.t.sol

@@ -0,0 +1,197 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBTerminal} from "@bananapus/core-v6/src/interfaces/IJBTerminal.sol";
+import {IJBPayoutTerminal} from "@bananapus/core-v6/src/interfaces/IJBPayoutTerminal.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoansFeeRecovery} from "../REVLoansFeeRecovery.t.sol";
+
+contract StickyAllowanceFeeTerminal is ERC165, IJBPayoutTerminal {
+    IERC20 public immutable token;
+    address public immutable loans;
+    address public thief;
+    uint256 public stealAmount;
+
+    constructor(IERC20 _token, address _loans) {
+        token = _token;
+        loans = _loans;
+    }
+
+    function configureSteal(address _thief, uint256 _stealAmount) external {
+        thief = _thief;
+        stealAmount = _stealAmount;
+    }
+
+    function pay(
+        uint256,
+        address,
+        uint256,
+        address,
+        uint256,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+        returns (uint256)
+    {
+        uint256 amount = stealAmount;
+        if (amount != 0) {
+            stealAmount = 0;
+            token.transferFrom(loans, thief, amount);
+        }
+        return 0;
+    }
+
+    function accountingContextForTokenOf(uint256, address) external view override returns (JBAccountingContext memory) {
+        return JBAccountingContext({token: address(token), decimals: 6, currency: uint32(uint160(address(token)))});
+    }
+
+    function accountingContextsOf(uint256) external pure override returns (JBAccountingContext[] memory) {
+        return new JBAccountingContext[](0);
+    }
+
+    function addAccountingContextsFor(uint256, JBAccountingContext[] calldata) external override {}
+
+    function addToBalanceOf(
+        uint256,
+        address,
+        uint256,
+        bool,
+        string calldata,
+        bytes calldata
+    )
+        external
+        payable
+        override
+    {}
+
+    function currentSurplusOf(uint256, address[] calldata, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function migrateBalanceOf(uint256, address, IJBTerminal) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function sendPayoutsOf(uint256, address, uint256, uint256, uint256) external pure override returns (uint256) {
+        return 0;
+    }
+
+    function useAllowanceOf(
+        uint256,
+        address,
+        uint256,
+        uint256,
+        uint256,
+        address payable,
+        address payable,
+        string calldata
+    )
+        external
+        pure
+        override
+        returns (uint256)
+    {
+        return 0;
+    }
+
+    function previewPayFor(
+        uint256,
+        address,
+        uint256,
+        address,
+        bytes calldata
+    )
+        external
+        pure
+        override
+        returns (JBRuleset memory, uint256, uint256, JBPayHookSpecification[] memory)
+    {
+        JBRuleset memory ruleset;
+        return (ruleset, 0, 0, new JBPayHookSpecification[](0));
+    }
+
+    function supportsInterface(bytes4 interfaceId) public view override(ERC165, IERC165) returns (bool) {
+        return interfaceId == type(IJBTerminal).interfaceId || interfaceId == type(IJBPayoutTerminal).interfaceId
+            || super.supportsInterface(interfaceId);
+    }
+}
+
+contract TestFeeAllowanceLeak is REVLoansFeeRecovery {
+    StickyAllowanceFeeTerminal internal stickyFeeTerminal;
+    address internal attacker = makeAddr("attacker");
+
+    function _stickyFeeTerminal() internal returns (StickyAllowanceFeeTerminal) {
+        if (address(stickyFeeTerminal) == address(0)) {
+            stickyFeeTerminal = new StickyAllowanceFeeTerminal(TOKEN, address(LOANS_CONTRACT));
+        }
+        return stickyFeeTerminal;
+    }
+
+    /// @notice Verifies that stale allowance is cleared — the original exploit no longer works.
+    /// @dev Previously, a sticky fee terminal could accumulate reusable allowance across borrows.
+    ///      After the fix (_afterTransferTo clears allowance on success), the allowance is zero.
+    function test_feeTerminalCannotHarvestStaleAllowanceAfterFix() public {
+        StickyAllowanceFeeTerminal terminal = _stickyFeeTerminal();
+
+        vm.mockCall(
+            address(jbDirectory()),
+            abi.encodeWithSelector(IJBDirectory.primaryTerminalOf.selector, FEE_PROJECT_ID, address(TOKEN)),
+            abi.encode(address(terminal))
+        );
+
+        REVLoanSource memory source = REVLoanSource({token: address(TOKEN), terminal: jbMultiTerminal()});
+        uint256 payAmount = 1_000_000;
+
+        deal(address(TOKEN), USER, payAmount * 2);
+
+        vm.startPrank(USER);
+        TOKEN.approve(address(jbMultiTerminal()), payAmount * 2);
+        uint256 firstTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+        vm.stopPrank();
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, firstTokenCount, payable(USER), 25, USER);
+
+        // Allowance is now cleared after successful fee payment.
+        uint256 allowanceAfterBorrow = TOKEN.allowance(address(LOANS_CONTRACT), address(stickyFeeTerminal));
+        assertEq(allowanceAfterBorrow, 0, "no stale allowance after successful borrow");
+
+        // The uncollected fee is still parked in REVLoans (terminal didn't pull it),
+        // but there's no allowance for the terminal to steal it later.
+        uint256 loansBalance = TOKEN.balanceOf(address(LOANS_CONTRACT));
+        assertGt(loansBalance, 0, "uncollected fee is parked in REVLoans");
+
+        // Second borrow — terminal tries to steal but can't because allowance is 0.
+        vm.prank(USER);
+        uint256 secondTokenCount = jbMultiTerminal().pay(REVNET_ID, address(TOKEN), payAmount, USER, 0, "", "");
+
+        terminal.configureSteal(attacker, loansBalance);
+
+        _mockLoanPermission(USER);
+        vm.prank(USER);
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, secondTokenCount, payable(USER), 25, USER);
+
+        // The attacker gets nothing — the steal attempt fails silently (transferFrom reverts,
+        // caught by _tryPayFee's try-catch).
+        assertEq(TOKEN.balanceOf(attacker), 0, "attacker cannot drain stale allowance");
+
+        // And the current borrow also leaves zero allowance.
+        assertEq(
+            TOKEN.allowance(address(LOANS_CONTRACT), address(terminal)),
+            0,
+            "no fresh stale allowance after second borrow"
+        );
+    }
+}