@rev-net/core-v6 0.0.36 → 0.0.37

package/test/audit/REVOwnerCurrencyMismatch.t.sol

@@ -0,0 +1,188 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import "forge-std/Test.sol";
+import "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+import {IJBBuybackHookRegistry} from "@bananapus/buyback-hook-v6/src/interfaces/IJBBuybackHookRegistry.sol";
+import {IJBRulesetDataHook} from "@bananapus/core-v6/src/interfaces/IJBRulesetDataHook.sol";
+import {JBBeforeCashOutRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforeCashOutRecordedContext.sol";
+import {JBBeforePayRecordedContext} from "@bananapus/core-v6/src/structs/JBBeforePayRecordedContext.sol";
+import {JBCashOutHookSpecification} from "@bananapus/core-v6/src/structs/JBCashOutHookSpecification.sol";
+import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
+import {JBTokenAmount} from "@bananapus/core-v6/src/structs/JBTokenAmount.sol";
+import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {IJBSuckerRegistry} from "@bananapus/suckers-v6/src/interfaces/IJBSuckerRegistry.sol";
+import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";
+import {PoolKey} from "@uniswap/v4-core/src/types/PoolKey.sol";
+
+import {REVOwner} from "../../src/REVOwner.sol";
+
+/// @notice Mock sucker registry that returns configurable remote values.
+/// @dev All functions are view/pure to avoid StateChangeDuringStaticCall when called from
+/// REVOwner.beforeCashOutRecordedWith (which is a view function).
+contract MockSuckerRegistry {
+    uint256 public remoteSurplusToReturn;
+    uint256 public remoteSupplyToReturn;
+
+    function setRemoteValues(uint256 supply, uint256 surplus) external {
+        remoteSupplyToReturn = supply;
+        remoteSurplusToReturn = surplus;
+    }
+
+    function isSuckerOf(uint256, address) external pure returns (bool) {
+        return false;
+    }
+
+    function remoteTotalSupplyOf(uint256) external view returns (uint256) {
+        return remoteSupplyToReturn;
+    }
+
+    function remoteSurplusOf(uint256, uint256, uint256) external view returns (uint256) {
+        return remoteSurplusToReturn;
+    }
+}
+
+/// @notice Minimal echo buyback registry that passes through cash out context unchanged.
+contract EchoBuybackRegistry is IJBRulesetDataHook {
+    function beforeCashOutRecordedWith(JBBeforeCashOutRecordedContext calldata context)
+        external
+        pure
+        returns (
+            uint256 cashOutTaxRate,
+            uint256 cashOutCount,
+            uint256 totalSupply,
+            uint256 effectiveSurplusValue,
+            JBCashOutHookSpecification[] memory hookSpecifications
+        )
+    {
+        cashOutTaxRate = context.cashOutTaxRate;
+        cashOutCount = context.cashOutCount;
+        totalSupply = context.totalSupply;
+        effectiveSurplusValue = context.surplus.value;
+        hookSpecifications = new JBCashOutHookSpecification[](0);
+    }
+
+    function beforePayRecordedWith(JBBeforePayRecordedContext calldata context)
+        external
+        pure
+        returns (uint256 weight, JBPayHookSpecification[] memory hookSpecifications)
+    {
+        weight = context.weight;
+        hookSpecifications = new JBPayHookSpecification[](0);
+    }
+
+    function hasMintPermissionFor(uint256, JBRuleset calldata, address) external pure returns (bool) {
+        return false;
+    }
+
+    function setPoolFor(uint256, PoolKey calldata, uint256, address) external pure {}
+    function setPoolFor(uint256, uint24, int24, uint256, address) external pure {}
+    function initializePoolFor(uint256, uint24, int24, uint256, address, uint160) external pure {}
+
+    function supportsInterface(bytes4 interfaceId) external pure returns (bool) {
+        return interfaceId == type(IJBRulesetDataHook).interfaceId || interfaceId == type(IERC165).interfaceId;
+    }
+}
+
+/// @notice REVOwner.beforeCashOutRecordedWith should pass the surplus currency (not the token address) to
+/// remoteSurplusOf. @dev `currency: uint256(context.surplus.currency)` passes the correct currency value,
+/// not `uint256(uint160(context.surplus.token))` which would pass the token address (e.g. 61166 for NATIVE_TOKEN).
+contract REVOwnerCurrencyMismatchTest is TestBaseWorkflow {
+    REVOwner internal ownerHook;
+    MockSuckerRegistry internal suckerRegistry;
+    EchoBuybackRegistry internal buybackRegistry;
+
+    function setUp() public override {
+        super.setUp();
+
+        suckerRegistry = new MockSuckerRegistry();
+        buybackRegistry = new EchoBuybackRegistry();
+
+        ownerHook = new REVOwner(
+            IJBBuybackHookRegistry(address(buybackRegistry)),
+            jbDirectory(),
+            999_999, // fee revnet ID (won't be used in this test path)
+            IJBSuckerRegistry(address(suckerRegistry)),
+            address(0), // loans
+            address(0) // hidden tokens
+        );
+    }
+
+    /// @notice Verify that remoteSurplusOf is called with the context's currency, not the token address.
+    /// @dev NATIVE_TOKEN = 0x000000000000000000000000000000000000EEEe
+    ///      uint160(NATIVE_TOKEN) = 61166
+    ///      The correct currency for ETH is 1 (baseCurrency).
+    ///      Before the fix, 61166 was passed. After the fix, 1 is passed.
+    function test_remoteSurplusOf_receives_currency_not_token_address() public {
+        // Set up remote values so the registry returns something.
+        suckerRegistry.setRemoteValues(500 ether, 900 ether);
+
+        uint32 ethCurrency = 1; // ETH baseCurrency identifier
+
+        // Build a context where surplus.token = NATIVE_TOKEN and surplus.currency = 1 (ETH).
+        // These are intentionally different values to detect the bug.
+        JBBeforeCashOutRecordedContext memory context = JBBeforeCashOutRecordedContext({
+            terminal: address(jbMultiTerminal()),
+            holder: address(0xCAFE),
+            projectId: 1,
+            rulesetId: 0,
+            cashOutCount: 100 ether,
+            totalSupply: 1000 ether,
+            surplus: JBTokenAmount({
+                token: JBConstants.NATIVE_TOKEN, // 0xEEEe
+                value: 100 ether,
+                decimals: 18,
+                currency: ethCurrency // 1
+            }),
+            useTotalSurplus: true,
+            cashOutTaxRate: 0, // zero tax = feeless path (simpler, avoids needing fee terminal)
+            beneficiaryIsFeeless: false,
+            metadata: ""
+        });
+
+        // Use vm.expectCall to verify the exact parameters passed to remoteSurplusOf.
+        // After fix: currency should be 1 (ethCurrency), NOT 61166 (uint160(NATIVE_TOKEN)).
+        // This assertion will fail if the buggy code passes uint256(uint160(NATIVE_TOKEN)) = 61166.
+        vm.expectCall(
+            address(suckerRegistry), abi.encodeCall(suckerRegistry.remoteSurplusOf, (1, 18, uint256(ethCurrency)))
+        );
+
+        ownerHook.beforeCashOutRecordedWith(context);
+    }
+
+    /// @notice Verify that the remote surplus is actually included in the returned effectiveSurplusValue.
+    /// @dev This is a regression test: if the wrong currency is passed, the registry might return 0
+    ///      and the remote surplus would be silently dropped.
+    function test_remoteSurplus_included_in_effectiveSurplus() public {
+        suckerRegistry.setRemoteValues(500 ether, 900 ether);
+
+        uint32 ethCurrency = 1;
+
+        JBBeforeCashOutRecordedContext memory context = JBBeforeCashOutRecordedContext({
+            terminal: address(jbMultiTerminal()),
+            holder: address(0xCAFE),
+            projectId: 1,
+            rulesetId: 0,
+            cashOutCount: 100 ether,
+            totalSupply: 1000 ether,
+            surplus: JBTokenAmount({
+                token: JBConstants.NATIVE_TOKEN, value: 100 ether, decimals: 18, currency: ethCurrency
+            }),
+            useTotalSurplus: true,
+            cashOutTaxRate: 0,
+            beneficiaryIsFeeless: false,
+            metadata: ""
+        });
+
+        (,, uint256 returnedSupply, uint256 returnedSurplus,) = ownerHook.beforeCashOutRecordedWith(context);
+
+        // Remote supply should be added.
+        assertEq(returnedSupply, 1500 ether, "totalSupply should include remote supply");
+
+        // Remote surplus should be added (100 local + 900 remote = 1000).
+        assertEq(
+            returnedSurplus, 1000 ether, "effectiveSurplusValue should include remote surplus (100 local + 900 remote)"
+        );
+    }
+}

package/test/audit/{CodexREVOwnerRemoteSurplusCurrencyMismatch.t.sol → REVOwnerRemoteSurplusCurrencyMismatch.t.sol}

@@ -83,7 +83,7 @@ contract EchoBuybackRegistry is IJBRulesetDataHook {
     }
 }
 
-contract CodexREVOwnerRemoteSurplusCurrencyMismatchTest is TestBaseWorkflow {
+contract REVOwnerRemoteSurplusCurrencyMismatchTest is TestBaseWorkflow {
     REVOwner internal ownerHook;
     CurrencyAwareSuckerRegistry internal suckerRegistry;
     EchoBuybackRegistry internal buybackRegistry;
@@ -128,11 +128,9 @@ contract CodexREVOwnerRemoteSurplusCurrencyMismatchTest is TestBaseWorkflow {
         (,, uint256 returnedSupply, uint256 returnedSurplus,) = ownerHook.beforeCashOutRecordedWith(context);
 
         assertEq(returnedSupply, 1500 ether, "remote supply should still be included");
-        assertEq(
-            returnedSurplus,
-            100 ether,
-            "remote surplus is incorrectly dropped because REVOwner keys by token address instead of currency"
-        );
+        // Remote surplus is correctly included (100 local + 900 remote = 1000) because the currency is passed to
+        // remoteSurplusOf.
+        assertEq(returnedSurplus, 1000 ether, "remote surplus should be included now that currency is passed correctly");
         assertEq(
             suckerRegistry.remoteSurplusOf(1, 18, ETH_CURRENCY),
             900 ether,

package/test/audit/ReallocatePermission.t.sol

@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import /* {*} from */ "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import /* {*} from */ "../../src/REVDeployer.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@croptop/core-v6/src/CTPublisher.sol";
+import {MockBuybackDataHook} from "../mock/MockBuybackDataHook.sol";
+import {REVEmpty721Config} from "../helpers/REVEmpty721Config.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@croptop/core-v6/script/helpers/CroptopDeploymentLib.sol";
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "@bananapus/router-terminal-v6/script/helpers/RouterTerminalDeploymentLib.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
+import {JBPermissioned} from "@bananapus/core-v6/src/abstract/JBPermissioned.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {REVLoans} from "../../src/REVLoans.sol";
+import {REVLoan} from "../../src/structs/REVLoan.sol";
+import {REVStageConfig, REVAutoIssuance} from "../../src/structs/REVStageConfig.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVDescription} from "../../src/structs/REVDescription.sol";
+import {IREVLoans} from "../../src/interfaces/IREVLoans.sol";
+import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
+import {JBSuckerRegistry} from "@bananapus/suckers-v6/src/JBSuckerRegistry.sol";
+import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
+import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
+import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
+import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
+import {IJB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721CheckpointsDeployer.sol";
+import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
+import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/IJBAddressRegistry.sol";
+import {REVOwner} from "../../src/REVOwner.sol";
+import {IREVDeployer} from "../../src/interfaces/IREVDeployer.sol";
+import {MockSuckerRegistry} from "../mock/MockSuckerRegistry.sol";
+
+/// @notice Verify that reallocateCollateralFromLoan works with only REALLOCATE_LOAN permission,
+/// without requiring OPEN_LOAN. Also verify that borrowFrom still requires OPEN_LOAN (regression).
+contract ReallocatePermissionTest is TestBaseWorkflow {
+    // forge-lint: disable-next-line(mixed-case-variable)
+    bytes32 REV_DEPLOYER_SALT = "REVDeployer";
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    REVDeployer REV_DEPLOYER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    REVOwner REV_OWNER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    JB721TiersHook EXAMPLE_HOOK;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJB721TiersHookDeployer HOOK_DEPLOYER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJB721TiersHookStore HOOK_STORE;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJBAddressRegistry ADDRESS_REGISTRY;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IREVLoans LOANS_CONTRACT;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    IJBSuckerRegistry SUCKER_REGISTRY;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    CTPublisher PUBLISHER;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    MockBuybackDataHook MOCK_BUYBACK;
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    uint256 FEE_PROJECT_ID;
+    // forge-lint: disable-next-line(mixed-case-variable)
+    uint256 REVNET_ID;
+
+    // forge-lint: disable-next-line(mixed-case-variable)
+    address HOLDER = makeAddr("holder");
+    // forge-lint: disable-next-line(mixed-case-variable)
+    address OPERATOR = makeAddr("operator");
+
+    address private constant TRUSTED_FORWARDER = 0xB2b5841DBeF766d4b521221732F9B618fCf34A87;
+
+    function setUp() public override {
+        super.setUp();
+
+        FEE_PROJECT_ID = jbProjects().createFor(multisig());
+        SUCKER_REGISTRY = new JBSuckerRegistry(jbDirectory(), jbPermissions(), multisig(), address(0));
+        HOOK_STORE = new JB721TiersHookStore();
+        EXAMPLE_HOOK = new JB721TiersHook(
+            jbDirectory(),
+            jbPermissions(),
+            jbPrices(),
+            jbRulesets(),
+            HOOK_STORE,
+            jbSplits(),
+            IJB721CheckpointsDeployer(address(new JB721CheckpointsDeployer())),
+            multisig()
+        );
+        ADDRESS_REGISTRY = new JBAddressRegistry();
+        HOOK_DEPLOYER = new JB721TiersHookDeployer(EXAMPLE_HOOK, HOOK_STORE, ADDRESS_REGISTRY, multisig());
+        PUBLISHER = new CTPublisher(jbDirectory(), jbPermissions(), FEE_PROJECT_ID, multisig());
+        MOCK_BUYBACK = new MockBuybackDataHook();
+
+        LOANS_CONTRACT = new REVLoans({
+            controller: jbController(),
+            suckerRegistry: IJBSuckerRegistry(address(new MockSuckerRegistry())),
+            revId: FEE_PROJECT_ID,
+            owner: address(this),
+            permit2: permit2(),
+            trustedForwarder: TRUSTED_FORWARDER
+        });
+
+        REV_OWNER = new REVOwner(
+            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
+            jbDirectory(),
+            FEE_PROJECT_ID,
+            SUCKER_REGISTRY,
+            address(LOANS_CONTRACT),
+            address(0)
+        );
+
+        REV_DEPLOYER = new REVDeployer{salt: REV_DEPLOYER_SALT}(
+            jbController(),
+            SUCKER_REGISTRY,
+            FEE_PROJECT_ID,
+            HOOK_DEPLOYER,
+            PUBLISHER,
+            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
+            address(LOANS_CONTRACT),
+            TRUSTED_FORWARDER,
+            address(REV_OWNER)
+        );
+
+        REV_OWNER.setDeployer(REV_DEPLOYER);
+
+        vm.prank(multisig());
+        jbProjects().approve(address(REV_DEPLOYER), FEE_PROJECT_ID);
+
+        _deployFeeProject();
+        _deployRevnet();
+
+        vm.deal(HOLDER, 1000 ether);
+        vm.deal(OPERATOR, 100 ether);
+    }
+
+    function _deployFeeProject() internal {
+        JBAccountingContext[] memory acc = new JBAccountingContext[](1);
+        acc[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
+        tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: acc});
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory ai = new REVAutoIssuance[](1);
+        ai[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
+
+        REVStageConfig[] memory stages = new REVStageConfig[](1);
+        stages[0] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp),
+            autoIssuances: ai,
+            splitPercent: 2000,
+            splits: splits,
+            initialIssuance: uint112(1000e18),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        REVConfig memory cfg = REVConfig({
+            description: REVDescription("Revnet", "$REV", "ipfs://test", "REV_TOKEN"),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stages
+        });
+
+        vm.prank(multisig());
+        REV_DEPLOYER.deployFor({
+            revnetId: FEE_PROJECT_ID,
+            configuration: cfg,
+            terminalConfigurations: tc,
+            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
+                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("FEE")
+            }),
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+
+    function _deployRevnet() internal {
+        JBAccountingContext[] memory acc = new JBAccountingContext[](1);
+        acc[0] = JBAccountingContext({
+            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
+        });
+        JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
+        tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: acc});
+
+        JBSplit[] memory splits = new JBSplit[](1);
+        splits[0].beneficiary = payable(multisig());
+        splits[0].percent = 10_000;
+
+        REVAutoIssuance[] memory ai = new REVAutoIssuance[](1);
+        ai[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
+
+        REVStageConfig[] memory stages = new REVStageConfig[](1);
+        stages[0] = REVStageConfig({
+            startsAtOrAfter: uint40(block.timestamp),
+            autoIssuances: ai,
+            splitPercent: 2000,
+            splits: splits,
+            initialIssuance: uint112(1000e18),
+            issuanceCutFrequency: 90 days,
+            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
+            cashOutTaxRate: 6000,
+            extraMetadata: 0
+        });
+
+        REVConfig memory cfg = REVConfig({
+            description: REVDescription("NANA", "$NANA", "ipfs://test2", "NANA_TOKEN"),
+            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
+            splitOperator: multisig(),
+            stageConfigurations: stages
+        });
+
+        (REVNET_ID,) = REV_DEPLOYER.deployFor({
+            revnetId: 0,
+            configuration: cfg,
+            terminalConfigurations: tc,
+            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
+                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("NANA")
+            }),
+            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
+            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
+        });
+    }
+
+    /// @notice Helper: Grant a specific permission to an operator for HOLDER on REVNET_ID using real JBPermissions.
+    function _grantPermission(address operator, uint256 permissionId) internal {
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = uint8(permissionId);
+        vm.prank(HOLDER);
+        jbPermissions()
+            .setPermissionsFor({
+            account: HOLDER,
+            permissionsData: JBPermissionsData({
+            operator: operator, projectId: uint64(REVNET_ID), permissionIds: permissionIds
+        })
+        });
+    }
+
+    /// @notice Helper: create an initial loan for the HOLDER.
+    function _createInitialLoan() internal returns (uint256 loanId, uint256 tokenCount) {
+        // HOLDER pays into the revnet to get tokens.
+        vm.prank(HOLDER);
+        tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        // Grant LOANS_CONTRACT the BURN_TOKENS permission so it can burn HOLDER's tokens as collateral.
+        _grantPermission(address(LOANS_CONTRACT), JBPermissionIds.BURN_TOKENS);
+
+        // HOLDER calls borrowFrom directly (sender == holder, so OPEN_LOAN check is short-circuited).
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(HOLDER);
+        (loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+    }
+
+    /// @notice After fix: an operator with only REALLOCATE_LOAN permission can reallocate.
+    /// @dev Before the fix, this would revert because the inner borrowFrom call required OPEN_LOAN.
+    function test_reallocate_succeeds_with_only_REALLOCATE_LOAN_permission() public {
+        (uint256 loanId,) = _createInitialLoan();
+        require(loanId != 0, "Loan setup failed");
+
+        // Donate to inflate surplus so collateral reallocation is meaningful.
+        address donor = makeAddr("donor");
+        vm.deal(donor, 500 ether);
+        vm.prank(donor);
+        jbMultiTerminal().addToBalanceOf{value: 500 ether}(
+            REVNET_ID, JBConstants.NATIVE_TOKEN, 500 ether, false, "", ""
+        );
+
+        // HOLDER pays more to get extra tokens for the new loan's additional collateral.
+        vm.prank(HOLDER);
+        uint256 extraTokens =
+            jbMultiTerminal().pay{value: 50 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 50 ether, HOLDER, 0, "", "");
+
+        // Get the loan's collateral count.
+        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
+        uint256 collateralToTransfer = loan.collateral / 10;
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // Grant OPERATOR only REALLOCATE_LOAN permission (NOT OPEN_LOAN).
+        _grantPermission(OPERATOR, JBPermissionIds.REALLOCATE_LOAN);
+
+        // This should succeed: OPERATOR has REALLOCATE_LOAN, and _borrowFrom skips OPEN_LOAN check.
+        vm.prank(OPERATOR);
+        (uint256 reallocatedLoanId, uint256 newLoanId,,) = LOANS_CONTRACT.reallocateCollateralFromLoan(
+            loanId,
+            collateralToTransfer,
+            source,
+            0, // minBorrowAmount
+            extraTokens,
+            payable(HOLDER),
+            25 // prepaidFeePercent
+        );
+
+        // Verify both loans were created.
+        assertTrue(reallocatedLoanId != 0, "Reallocated loan should exist");
+        assertTrue(newLoanId != 0, "New loan should exist");
+    }
+
+    /// @notice Regression: borrowFrom still requires OPEN_LOAN permission.
+    /// @dev An operator with only REALLOCATE_LOAN should NOT be able to call borrowFrom directly.
+    function test_borrowFrom_still_requires_OPEN_LOAN() public {
+        // HOLDER pays into the revnet.
+        vm.prank(HOLDER);
+        uint256 tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // OPERATOR does NOT have OPEN_LOAN permission (no permission granted at all).
+        vm.prank(OPERATOR);
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                JBPermissioned.JBPermissioned_Unauthorized.selector,
+                HOLDER, // account
+                OPERATOR, // sender
+                REVNET_ID, // projectId
+                JBPermissionIds.OPEN_LOAN // permissionId
+            )
+        );
+        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+    }
+
+    /// @notice Verify that borrowFrom succeeds when the caller has OPEN_LOAN permission.
+    function test_borrowFrom_succeeds_with_OPEN_LOAN() public {
+        // HOLDER pays into the revnet.
+        vm.prank(HOLDER);
+        uint256 tokenCount =
+            jbMultiTerminal().pay{value: 10 ether}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10 ether, HOLDER, 0, "", "");
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        // Grant OPERATOR the OPEN_LOAN permission.
+        _grantPermission(OPERATOR, JBPermissionIds.OPEN_LOAN);
+        // Grant LOANS_CONTRACT the BURN_TOKENS permission so it can burn tokens for collateral.
+        _grantPermission(address(LOANS_CONTRACT), JBPermissionIds.BURN_TOKENS);
+
+        vm.prank(OPERATOR);
+        (uint256 loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(HOLDER), 25, HOLDER);
+        assertTrue(loanId != 0, "Loan should be created successfully");
+    }
+}

package/test/audit/RemoteLoanAccountingGap.t.sol

@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {TestAuditFixVerification} from "../TestAuditFixVerification.t.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {JBCashOuts} from "@bananapus/core-v6/src/libraries/JBCashOuts.sol";
+import {JBPermissionIds} from "@bananapus/permission-ids-v6/src/JBPermissionIds.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+import {REVLoanSource} from "../../src/structs/REVLoanSource.sol";
+import {REVLoan} from "../../src/structs/REVLoan.sol";
+
+contract CodexRemoteLoanAccountingGap is TestAuditFixVerification {
+    function test_remoteLoanStateInflatesLocalBorrowability() public {
+        uint256 payAmount = 100 ether;
+
+        vm.prank(USER);
+        uint256 tokens =
+            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
+
+        // Simulate a peer chain that started from 100 ETH / 100k tokens, then originated a loan against
+        // 50k burned-collateral tokens. The registry only exports the raw post-loan values, not the
+        // remote loan's economic adjustments.
+        uint256 remoteRawSupply = 50_000e18;
+        uint256 remoteRawSurplus = 62.5e18;
+        uint256 remoteLoanCollateral = 50_000e18;
+        uint256 remoteLoanDebt = 37.5e18;
+        MOCK_SUCKER_REGISTRY.setRemoteValues(remoteRawSupply, remoteRawSurplus);
+
+        uint256 collateral = tokens / 10;
+        uint256 actualBorrowable =
+            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, collateral, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
+
+        uint256 localSupply = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
+        uint256 localSurplus = jbMultiTerminal()
+            .currentSurplusOf(REVNET_ID, new address[](0), 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
+
+        uint256 correctedBorrowable = JBCashOuts.cashOutFrom({
+            surplus: localSurplus + remoteRawSurplus + remoteLoanDebt,
+            cashOutCount: collateral,
+            totalSupply: localSupply + remoteRawSupply + remoteLoanCollateral,
+            cashOutTaxRate: 5000
+        });
+
+        if (correctedBorrowable > localSurplus) correctedBorrowable = localSurplus;
+
+        assertGt(actualBorrowable, correctedBorrowable, "raw remote values should overstate borrowability");
+
+        _grantLoansBurnPermission(USER, REVNET_ID);
+
+        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
+
+        vm.prank(USER);
+        (, REVLoan memory loan) =
+            LOANS_CONTRACT.borrowFrom(REVNET_ID, source, actualBorrowable, collateral, payable(USER), 25, USER);
+
+        assertEq(loan.amount, actualBorrowable, "loan should be opened at the inflated amount");
+        assertGt(loan.amount, correctedBorrowable, "loan exceeds the corrected omnichain value");
+    }
+
+    function _grantLoansBurnPermission(address account, uint256 revnetId) internal {
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = JBPermissionIds.BURN_TOKENS;
+
+        JBPermissionsData memory permissionsData = JBPermissionsData({
+            operator: address(LOANS_CONTRACT),
+            // forge-lint: disable-next-line(unsafe-typecast)
+            projectId: uint56(revnetId),
+            permissionIds: permissionIds
+        });
+
+        vm.prank(account);
+        jbPermissions().setPermissionsFor(account, permissionsData);
+    }
+}