@rev-net/core-v6 0.0.36 → 0.0.39

package/test/REVLoansAttacks.t.sol

@@ -1,816 +0,0 @@
-// SPDX-License-Identifier: MIT
-pragma solidity 0.8.28;
-
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "forge-std/Test.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import /* {*} from */ "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
-// import /* {*} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import /* {*} from */ "./../src/REVDeployer.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@croptop/core-v6/src/CTPublisher.sol";
-import {MockBuybackDataHook} from "./mock/MockBuybackDataHook.sol";
-
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@croptop/core-v6/script/helpers/CroptopDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/router-terminal-v6/script/helpers/RouterTerminalDeploymentLib.sol";
-
-import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
-import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
-import {MockPriceFeed} from "@bananapus/core-v6/test/mock/MockPriceFeed.sol";
-import {MockERC20} from "@bananapus/core-v6/test/mock/MockERC20.sol";
-import {REVLoans} from "../src/REVLoans.sol";
-import {REVLoan} from "../src/structs/REVLoan.sol";
-import {REVStageConfig, REVAutoIssuance} from "../src/structs/REVStageConfig.sol";
-import {REVLoanSource} from "../src/structs/REVLoanSource.sol";
-import {REVDescription} from "../src/structs/REVDescription.sol";
-import {IREVLoans} from "./../src/interfaces/IREVLoans.sol";
-import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
-import {JBSuckerRegistry} from "@bananapus/suckers-v6/src/JBSuckerRegistry.sol";
-import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
-import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
-import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
-import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
-import {IJB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721CheckpointsDeployer.sol";
-import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
-import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/IJBAddressRegistry.sol";
-import {REVEmpty721Config} from "./helpers/REVEmpty721Config.sol";
-import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
-import {JBRuleset} from "@bananapus/core-v6/src/structs/JBRuleset.sol";
-import {JBPayHookSpecification} from "@bananapus/core-v6/src/structs/JBPayHookSpecification.sol";
-import {REVOwner} from "../src/REVOwner.sol";
-import {IREVDeployer} from "../src/interfaces/IREVDeployer.sol";
-import {MockSuckerRegistry} from "./mock/MockSuckerRegistry.sol";
-
-/// @notice A malicious terminal that re-enters REVLoans during fee payment in _adjust().
-/// @dev Reentrancy during pay() callback in _adjust.
-contract ReentrantTerminal is ERC165, IJBPayoutTerminal {
-    IREVLoans public loans;
-    uint256 public revnetId;
-    bool public shouldReenter;
-    bool public reentered;
-
-    // Parameters for re-entrant borrowFrom call
-    uint256 public reenterCollateral;
-    REVLoanSource public reenterSource;
-
-    function setReentrancy(
-        IREVLoans _loans,
-        uint256 _revnetId,
-        uint256 _collateral,
-        REVLoanSource memory _source
-    )
-        external
-    {
-        loans = _loans;
-        revnetId = _revnetId;
-        reenterCollateral = _collateral;
-        reenterSource = _source;
-        shouldReenter = true;
-    }
-
-    function pay(
-        uint256,
-        address,
-        uint256,
-        address,
-        uint256,
-        string calldata,
-        bytes calldata
-    )
-        external
-        payable
-        override
-        returns (uint256)
-    {
-        // On fee payment during _adjust, try to re-enter borrowFrom
-        if (shouldReenter && !reentered) {
-            reentered = true;
-            // Attempt reentrancy: borrow again during fee payment
-            try loans.borrowFrom(
-                revnetId,
-                reenterSource,
-                0, // minBorrowAmount
-                reenterCollateral,
-                payable(address(this)),
-                25, // MIN_PREPAID_FEE_PERCENT
-                address(this)
-            ) {}
-                catch {
-                // Expected to revert if reentrancy guard exists
-            }
-        }
-        return 0;
-    }
-
-    function accountingContextForTokenOf(uint256, address) external pure override returns (JBAccountingContext memory) {
-        return JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-    }
-
-    function accountingContextsOf(uint256) external pure override returns (JBAccountingContext[] memory) {
-        return new JBAccountingContext[](0);
-    }
-
-    function addAccountingContextsFor(uint256, JBAccountingContext[] calldata) external override {}
-
-    function addToBalanceOf(
-        uint256,
-        address,
-        uint256,
-        bool,
-        string calldata,
-        bytes calldata
-    )
-        external
-        payable
-        override
-    {}
-
-    function currentSurplusOf(uint256, address[] calldata, uint256, uint256) external pure override returns (uint256) {
-        return 0;
-    }
-
-    function migrateBalanceOf(uint256, address, IJBTerminal) external pure override returns (uint256) {
-        return 0;
-    }
-
-    function sendPayoutsOf(uint256, address, uint256, uint256, uint256) external pure override returns (uint256) {
-        return 0;
-    }
-
-    function useAllowanceOf(
-        uint256,
-        address,
-        uint256,
-        uint256,
-        uint256,
-        address payable,
-        address payable,
-        string calldata
-    )
-        external
-        pure
-        override
-        returns (uint256)
-    {
-        return 0;
-    }
-
-    function previewPayFor(
-        uint256,
-        address,
-        uint256,
-        address,
-        bytes calldata
-    )
-        external
-        pure
-        override
-        returns (JBRuleset memory, uint256, uint256, JBPayHookSpecification[] memory)
-    {
-        JBRuleset memory ruleset;
-        return (ruleset, 0, 0, new JBPayHookSpecification[](0));
-    }
-
-    function supportsInterface(bytes4 interfaceId) public view override(ERC165, IERC165) returns (bool) {
-        return interfaceId == type(IJBTerminal).interfaceId || interfaceId == type(IJBPayoutTerminal).interfaceId
-            || super.supportsInterface(interfaceId);
-    }
-
-    receive() external payable {}
-}
-
-struct AttackProjectConfig {
-    REVConfig configuration;
-    JBTerminalConfig[] terminalConfigurations;
-    REVSuckerDeploymentConfig suckerDeploymentConfiguration;
-}
-
-/// @title REVLoansAttacks
-/// @notice Attack tests for REVLoans covering uint112 truncation, reentrancy,
-///         collateral race conditions, liquidation edge cases, and fuzz testing.
-contract REVLoansAttacks is TestBaseWorkflow {
-    // forge-lint: disable-next-line(mixed-case-variable)
-    bytes32 REV_DEPLOYER_SALT = "REVDeployer";
-    // forge-lint: disable-next-line(mixed-case-variable)
-    bytes32 ERC20_SALT = "REV_TOKEN";
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVDeployer REV_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVOwner REV_OWNER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    JB721TiersHook EXAMPLE_HOOK;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookDeployer HOOK_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookStore HOOK_STORE;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBAddressRegistry ADDRESS_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IREVLoans LOANS_CONTRACT;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    MockERC20 TOKEN;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBSuckerRegistry SUCKER_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    CTPublisher PUBLISHER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    MockBuybackDataHook MOCK_BUYBACK;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 FEE_PROJECT_ID;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 REVNET_ID;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    address USER = makeAddr("user");
-    // forge-lint: disable-next-line(mixed-case-variable)
-    address ATTACKER = makeAddr("attacker");
-
-    address private constant TRUSTED_FORWARDER = 0xB2b5841DBeF766d4b521221732F9B618fCf34A87;
-
-    function _getFeeProjectConfig() internal view returns (AttackProjectConfig memory) {
-        string memory name = "Revnet";
-        string memory symbol = "$REV";
-        string memory projectUri = "ipfs://QmNRHT91HcDgMcenebYX7rJigt77cgNcosvuhX21wkF3tx";
-        uint8 decimals = 18;
-        uint256 decimalMultiplier = 10 ** decimals;
-
-        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](2);
-        accountingContextsToAccept[0] = JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-        accountingContextsToAccept[1] =
-            JBAccountingContext({token: address(TOKEN), decimals: 6, currency: uint32(uint160(address(TOKEN)))});
-
-        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
-        terminalConfigurations[0] =
-            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
-
-        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](1);
-        JBSplit[] memory splits = new JBSplit[](1);
-        splits[0].beneficiary = payable(multisig());
-        splits[0].percent = 10_000;
-
-        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-        issuanceConfs[0] = REVAutoIssuance({
-            // forge-lint: disable-next-line(unsafe-typecast)
-            chainId: uint32(block.chainid),
-            // forge-lint: disable-next-line(unsafe-typecast)
-            count: uint104(70_000 * decimalMultiplier),
-            beneficiary: multisig()
-        });
-
-        stageConfigurations[0] = REVStageConfig({
-            startsAtOrAfter: uint40(block.timestamp),
-            autoIssuances: issuanceConfs,
-            splitPercent: 2000,
-            splits: splits,
-            // forge-lint: disable-next-line(unsafe-typecast)
-            initialIssuance: uint112(1000 * decimalMultiplier),
-            issuanceCutFrequency: 90 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 6000,
-            extraMetadata: 0
-        });
-
-        REVConfig memory revnetConfiguration = REVConfig({
-            // forge-lint: disable-next-line(named-struct-fields)
-            description: REVDescription(name, symbol, projectUri, ERC20_SALT),
-            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-            splitOperator: multisig(),
-            stageConfigurations: stageConfigurations
-        });
-
-        return AttackProjectConfig({
-            configuration: revnetConfiguration,
-            terminalConfigurations: terminalConfigurations,
-            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256(abi.encodePacked("REV"))
-            })
-        });
-    }
-
-    function _getRevnetConfig() internal view returns (AttackProjectConfig memory) {
-        string memory name = "NANA";
-        string memory symbol = "$NANA";
-        string memory projectUri = "ipfs://QmNRHT91HcDgMcenebYX7rJigt77cgNxosvuhX21wkF3tx";
-        uint8 decimals = 18;
-        uint256 decimalMultiplier = 10 ** decimals;
-
-        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](2);
-        accountingContextsToAccept[0] = JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-        accountingContextsToAccept[1] =
-            JBAccountingContext({token: address(TOKEN), decimals: 6, currency: uint32(uint160(address(TOKEN)))});
-
-        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
-        terminalConfigurations[0] =
-            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
-
-        JBSplit[] memory splits = new JBSplit[](1);
-        splits[0].beneficiary = payable(multisig());
-        splits[0].percent = 10_000;
-
-        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](1);
-        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-        issuanceConfs[0] = REVAutoIssuance({
-            // forge-lint: disable-next-line(unsafe-typecast)
-            chainId: uint32(block.chainid),
-            // forge-lint: disable-next-line(unsafe-typecast)
-            count: uint104(70_000 * decimalMultiplier),
-            beneficiary: multisig()
-        });
-
-        stageConfigurations[0] = REVStageConfig({
-            startsAtOrAfter: uint40(block.timestamp),
-            autoIssuances: issuanceConfs,
-            splitPercent: 2000,
-            splits: splits,
-            // forge-lint: disable-next-line(unsafe-typecast)
-            initialIssuance: uint112(1000 * decimalMultiplier),
-            issuanceCutFrequency: 90 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 6000,
-            extraMetadata: 0
-        });
-
-        REVConfig memory revnetConfiguration = REVConfig({
-            // forge-lint: disable-next-line(named-struct-fields)
-            description: REVDescription(name, symbol, projectUri, "NANA_TOKEN"),
-            baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-            splitOperator: multisig(),
-            stageConfigurations: stageConfigurations
-        });
-
-        return AttackProjectConfig({
-            configuration: revnetConfiguration,
-            terminalConfigurations: terminalConfigurations,
-            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256(abi.encodePacked("NANA"))
-            })
-        });
-    }
-
-    function setUp() public override {
-        super.setUp();
-
-        FEE_PROJECT_ID = jbProjects().createFor(multisig());
-
-        SUCKER_REGISTRY = new JBSuckerRegistry(jbDirectory(), jbPermissions(), multisig(), address(0));
-        HOOK_STORE = new JB721TiersHookStore();
-        EXAMPLE_HOOK = new JB721TiersHook(
-            jbDirectory(),
-            jbPermissions(),
-            jbPrices(),
-            jbRulesets(),
-            HOOK_STORE,
-            jbSplits(),
-            IJB721CheckpointsDeployer(address(new JB721CheckpointsDeployer())),
-            multisig()
-        );
-        ADDRESS_REGISTRY = new JBAddressRegistry();
-        HOOK_DEPLOYER = new JB721TiersHookDeployer(EXAMPLE_HOOK, HOOK_STORE, ADDRESS_REGISTRY, multisig());
-        PUBLISHER = new CTPublisher(jbDirectory(), jbPermissions(), FEE_PROJECT_ID, multisig());
-        MOCK_BUYBACK = new MockBuybackDataHook();
-        TOKEN = new MockERC20("1/2 ETH", "1/2");
-
-        MockPriceFeed priceFeed = new MockPriceFeed(1e21, 6);
-        vm.prank(multisig());
-        jbPrices()
-            .addPriceFeedFor(0, uint32(uint160(address(TOKEN))), uint32(uint160(JBConstants.NATIVE_TOKEN)), priceFeed);
-
-        LOANS_CONTRACT = new REVLoans({
-            controller: jbController(),
-            suckerRegistry: IJBSuckerRegistry(address(new MockSuckerRegistry())),
-            revId: FEE_PROJECT_ID,
-            owner: address(this),
-            permit2: permit2(),
-            trustedForwarder: TRUSTED_FORWARDER
-        });
-
-        REV_OWNER = new REVOwner(
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            jbDirectory(),
-            FEE_PROJECT_ID,
-            SUCKER_REGISTRY,
-            address(LOANS_CONTRACT),
-            address(0)
-        );
-
-        REV_DEPLOYER = new REVDeployer{salt: REV_DEPLOYER_SALT}(
-            jbController(),
-            SUCKER_REGISTRY,
-            FEE_PROJECT_ID,
-            HOOK_DEPLOYER,
-            PUBLISHER,
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            address(LOANS_CONTRACT),
-            TRUSTED_FORWARDER,
-            address(REV_OWNER)
-        );
-
-        REV_OWNER.setDeployer(REV_DEPLOYER);
-
-        // Deploy fee project
-        vm.prank(address(multisig()));
-        jbProjects().approve(address(REV_DEPLOYER), FEE_PROJECT_ID);
-
-        AttackProjectConfig memory feeProjectConfig = _getFeeProjectConfig();
-        vm.prank(address(multisig()));
-        REV_DEPLOYER.deployFor({
-            revnetId: FEE_PROJECT_ID,
-            configuration: feeProjectConfig.configuration,
-            terminalConfigurations: feeProjectConfig.terminalConfigurations,
-            suckerDeploymentConfiguration: feeProjectConfig.suckerDeploymentConfiguration,
-            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-        });
-
-        // Deploy second revnet with loans enabled
-        AttackProjectConfig memory revnetConfig = _getRevnetConfig();
-        (REVNET_ID,) = REV_DEPLOYER.deployFor({
-            revnetId: 0,
-            configuration: revnetConfig.configuration,
-            terminalConfigurations: revnetConfig.terminalConfigurations,
-            suckerDeploymentConfiguration: revnetConfig.suckerDeploymentConfiguration,
-            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-        });
-
-        vm.deal(USER, 1000e18);
-        vm.deal(ATTACKER, 1000e18);
-    }
-
-    // =========================================================================
-    // Helper: create a loan and return the loanId and token count
-    // =========================================================================
-    function _setupLoan(
-        address user,
-        uint256 ethAmount,
-        uint256 prepaidFee
-    )
-        internal
-        returns (uint256 loanId, uint256 tokenCount, uint256 borrowAmount)
-    {
-        // Pay into revnet to get tokens
-        vm.prank(user);
-        tokenCount =
-            jbMultiTerminal().pay{value: ethAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, ethAmount, user, 0, "", "");
-
-        // Check borrowable amount
-        borrowAmount =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokenCount, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        if (borrowAmount == 0) return (0, tokenCount, 0);
-
-        // Mock permission for loans contract to burn tokens
-        mockExpect(
-            address(jbPermissions()),
-            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), user, REVNET_ID, 11, true, true)),
-            abi.encode(true)
-        );
-
-        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
-
-        vm.prank(user);
-        (loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(user), prepaidFee, user);
-    }
-
-    // =========================================================================
-    // uint112 truncation — loan amount silently wraps
-    // =========================================================================
-    /// @notice Verify that borrowing an amount > uint112.max is properly handled.
-    /// @dev The _adjust function casts newBorrowAmount to uint112 without overflow checks.
-    ///      If borrowAmount exceeds uint112.max, it silently truncates. This test verifies the behavior.
-    function test_uint112Truncation_loanAmountSilentlyTruncates() public {
-        // uint112.max = 5192296858534827628530496329220095
-        // We need a revnet with enough surplus that collateral yields a borrowAmount > uint112.max.
-        // In practice, this requires enormous token supplies. We test the boundary:
-        // pay a very large amount to build up surplus, then borrow against it.
-
-        uint256 hugeAmount = 100e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: hugeAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, hugeAmount, USER, 0, "", "");
-
-        // Check borrowable amount
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // The borrowable amount with 18 decimals and reasonable surplus should be < uint112.max.
-        // Verify it does not overflow for normal amounts.
-        assertLt(borrowable, type(uint112).max, "Borrowable amount should be within uint112 range for normal amounts");
-
-        // Now verify that the uint112 cast would truncate if somehow a larger value were used.
-        // We can directly verify the truncation behavior:
-        uint256 overflowValue = uint256(type(uint112).max) + 1;
-        // forge-lint: disable-next-line(unsafe-typecast)
-        uint112 truncated = uint112(overflowValue);
-        assertEq(truncated, 0, "uint112 truncation of max+1 should wrap to 0");
-
-        // And for a value just slightly above max:
-        uint256 slightlyOver = uint256(type(uint112).max) + 1000;
-        // forge-lint: disable-next-line(unsafe-typecast)
-        uint112 truncated2 = uint112(slightlyOver);
-        assertEq(truncated2, 999, "uint112 truncation should wrap around");
-    }
-
-    // =========================================================================
-    // collateral > uint112.max wraps
-    // =========================================================================
-    /// @notice Verify that collateral > uint112.max would be truncated in the loan struct.
-    /// @dev loan.collateral = uint112(newCollateralCount) truncates silently.
-    function test_uint112Truncation_collateralTruncates() public {
-        // Verify the truncation math
-        uint256 maxCollateral = type(uint112).max;
-        uint256 overflowCollateral = maxCollateral + 1;
-
-        // Direct cast would truncate
-        // forge-lint: disable-next-line(unsafe-typecast)
-        uint112 truncated = uint112(overflowCollateral);
-        assertEq(truncated, 0, "Collateral overflow should truncate to 0");
-
-        // In practice, the user needs to have > uint112.max tokens.
-        // With 18 decimal tokens, uint112.max ≈ 5.19e15 tokens (5.19 quadrillion).
-        // This is extremely unlikely but the code should still protect against it.
-        // Verify that paying a reasonable amount stays within bounds:
-        uint256 payAmount = 50e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        // Token count with 18 decimals should be well within uint112 range
-        assertLt(tokens, type(uint112).max, "Normal token count should not overflow uint112");
-    }
-
-    // =========================================================================
-    // reentrancy — _adjust calls terminal.pay() which could re-enter
-    // =========================================================================
-    /// @notice Verify that reentrancy during _adjust's fee payment is handled.
-    /// @dev The _adjust function calls loan.source.terminal.pay() to pay fees.
-    ///      A malicious terminal could use this callback to re-enter borrowFrom().
-    ///      Since Solidity 0.8.23 doesn't have native reentrancy guards on REVLoans,
-    ///      the state (loan.amount, loan.collateral) is written AFTER the external call.
-    function test_reentrancy_adjustPayReenter() public {
-        // This test demonstrates the reentrancy window:
-        // 1. borrowFrom → _adjust → terminal.pay() (external call at line 910)
-        // 2. During terminal.pay(), state updates at lines 922-923 haven't happened yet
-        // 3. The malicious terminal tries to call borrowFrom again
-
-        // First, create a legitimate loan to ensure the system works
-        uint256 payAmount = 10e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        assertTrue(borrowable > 0, "Should have borrowable amount");
-
-        // The reentrancy vulnerability exists because _adjust calls terminal.pay()
-        // at line 910 BEFORE writing loan.amount and loan.collateral at lines 922-923.
-        // A malicious terminal receiving the fee payment could call borrowFrom() again
-        // before the first loan's state is finalized.
-
-        // Verify the ordering: external call at line 910, state write at lines 922-923
-        // This is a checks-effects-interactions violation.
-        // The loan amount and collateral are read from storage during _borrowAmountFrom,
-        // so a re-entrant call would see stale values.
-        assertTrue(true, "reentrancy window confirmed between terminal.pay() and state writes");
-    }
-
-    // =========================================================================
-    // re-enter repayLoan during fee payment
-    // =========================================================================
-    /// @notice Verify that reentering repayLoan during _adjust's fee payment is handled.
-    /// @dev Malicious terminal calls repayLoan() during fee payment.
-    function test_reentrancy_adjustRepayReenter() public {
-        // Similar to above, but the re-entrant call targets repayLoan instead of borrowFrom.
-        // The concern is that during _adjust → terminal.pay(), a call to repayLoan
-        // could modify loan state before the original _adjust completes.
-
-        // Setup: create a loan first
-        uint256 payAmount = 10e18;
-        (uint256 loanId,, uint256 borrowAmount) = _setupLoan(USER, payAmount, 25);
-        vm.assume(borrowAmount > 0);
-
-        // The loan exists. The reentrancy risk during repayLoan:
-        // repayLoan → _repayLoan → _adjust → terminal.pay() [external call]
-        //   → re-enter repayLoan on same loanId
-        //   → but the original _burn(loanId) at line 1013 happens BEFORE _adjust
-        //   → so the re-entrant call would fail on _ownerOf check
-        // This means repayLoan has partial protection via the burn-then-adjust pattern.
-
-        // Verify the loan exists
-        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
-        assertTrue(loan.amount > 0, "Loan should exist");
-        assertTrue(loan.collateral > 0, "Loan should have collateral");
-    }
-
-    // =========================================================================
-    // Collateral race: burn tokens then another user cashes out at elevated rate
-    // =========================================================================
-    /// @notice Between collateral burn and useAllowance, another user cashes out at elevated per-token surplus.
-    /// @dev When tokens are burned as collateral (reducing supply), the per-token surplus
-    ///      increases for remaining holders before the loan funds are disbursed.
-    function test_collateralRace_burnThenAllowancePull() public {
-        // User A and User B both pay into the revnet
-        address userA = makeAddr("userA");
-        address userB = makeAddr("userB");
-        vm.deal(userA, 100e18);
-        vm.deal(userB, 100e18);
-
-        // Both users pay 10 ETH
-        vm.prank(userA);
-        uint256 tokensA =
-            jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, userA, 0, "", "");
-
-        vm.prank(userB);
-        jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, userB, 0, "", "");
-
-        // Record pre-borrow state
-        uint256 totalSupplyBefore = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-
-        // User A borrows — their tokens get burned as collateral
-        mockExpect(
-            address(jbPermissions()),
-            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), userA, REVNET_ID, 11, true, true)),
-            abi.encode(true)
-        );
-
-        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
-
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokensA, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        vm.assume(borrowable > 0);
-
-        vm.prank(userA);
-        LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokensA, payable(userA), 25, userA);
-
-        // After borrowing, tokensA are burned as collateral
-        // But the surplus is adjusted by adding totalBorrowed
-        // totalSupply is adjusted by adding totalCollateral
-        // So the effective ratio should remain the same for remaining holders
-        uint256 totalSupplyAfter = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-
-        // The raw supply drops (tokens burned), but totalCollateralOf increases
-        // This means borrowing doesn't change the effective cash-out value for others
-        // IF the math correctly accounts for collateral in the total supply calculation.
-        assertTrue(totalSupplyAfter < totalSupplyBefore, "Supply should decrease after collateral burn");
-
-        // The key insight: JBCashOuts.cashOutFrom uses totalSupply + totalCollateral
-        // in _borrowableAmountFrom, which should maintain equilibrium
-        uint256 totalCollateral = LOANS_CONTRACT.totalCollateralOf(REVNET_ID);
-        assertEq(totalCollateral, tokensA, "Total collateral should equal burned tokens");
-    }
-
-    // =========================================================================
-    // Liquidation: borrow at T, repay at T+10years+1 (after full expiry)
-    // =========================================================================
-    /// @notice After LOAN_LIQUIDATION_DURATION (3650 days), the loan expires and cannot be repaid.
-    function test_liquidation_borrowRepayAfterExpiry() public {
-        uint256 payAmount = 10e18;
-        (uint256 loanId,, uint256 borrowAmount) = _setupLoan(USER, payAmount, 25);
-        vm.assume(borrowAmount > 0);
-
-        // Warp past the liquidation duration (3650 days)
-        vm.warp(block.timestamp + 3650 days + 1);
-
-        // Trying to repay should revert with LoanExpired
-        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
-
-        // Determine the source fee, which should revert because the loan is expired
-        vm.expectRevert();
-        LOANS_CONTRACT.determineSourceFeeAmount(loan, loan.amount);
-
-        // Attempting to repay the loan should also revert
-        vm.prank(USER);
-        vm.expectRevert();
-        LOANS_CONTRACT.repayLoan({
-            loanId: loanId,
-            maxRepayBorrowAmount: loan.amount * 2, // Overpay to be safe
-            collateralCountToReturn: loan.collateral,
-            beneficiary: payable(USER),
-            allowance: JBSingleAllowance({sigDeadline: 0, amount: 0, expiration: 0, nonce: 0, signature: ""})
-        });
-    }
-
-    // =========================================================================
-    // Ruleset change: borrow amount shifts after ruleset update
-    // =========================================================================
-    /// @notice Borrow under ruleset 1, then ruleset changes weight.
-    ///         `borrowableAmountFrom` returns different value for same collateral.
-    function test_rulesetChange_borrowAmountShifts() public {
-        // Pay to get tokens
-        uint256 payAmount = 10e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        // Record borrowable amount before time advancement
-        uint256 borrowableBefore =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // Advance time past the issuance cut frequency (90 days)
-        // This should trigger a new cycle with a different weight
-        vm.warp(block.timestamp + 91 days);
-
-        // Pay a small amount to trigger ruleset cycling
-        address payor = makeAddr("payor");
-        vm.deal(payor, 1e18);
-        vm.prank(payor);
-        jbMultiTerminal().pay{value: 0.01e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 0.01e18, payor, 0, "", "");
-
-        // Record borrowable amount after ruleset change
-        uint256 borrowableAfter =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // The borrowable amount may differ because:
-        // 1. The surplus changed (new payment added)
-        // 2. The total supply changed (new tokens minted)
-        // 3. The cash out tax rate may have changed
-        // This is expected behavior, not a bug — but it means existing loans
-        // may become under/over-collateralized after ruleset changes.
-
-        // Verify the amounts are different (they should be due to state changes)
-        // The exact direction depends on the relative change in surplus vs supply
-        assertTrue(
-            borrowableBefore != borrowableAfter || borrowableBefore == borrowableAfter,
-            "Borrowable amount may change after ruleset cycling"
-        );
-    }
-
-    // =========================================================================
-    // Fuzz: borrow + full repay returns all collateral
-    // =========================================================================
-    /// @notice Fuzz test: borrow and immediately repay should return all collateral.
-    /// @dev Verifies no value leaks during the borrow-repay cycle.
-    function testFuzz_borrowRepay_noValueLeak(uint256 ethAmount) public {
-        // Bound to reasonable amounts
-        ethAmount = bound(ethAmount, 0.01e18, 50e18);
-
-        // Pay to get tokens
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: ethAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, ethAmount, USER, 0, "", "");
-
-        // Check borrowable
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        vm.assume(borrowable > 0);
-
-        // Mock permission
-        mockExpect(
-            address(jbPermissions()),
-            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), USER, REVNET_ID, 11, true, true)),
-            abi.encode(true)
-        );
-
-        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
-
-        // Borrow with max prepaid fee (so no additional fee on immediate repay)
-        vm.prank(USER);
-        (uint256 loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokens, payable(USER), 500, USER);
-
-        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
-
-        // Immediately repay (within prepaid duration, so no source fee)
-        uint256 sourceFee = LOANS_CONTRACT.determineSourceFeeAmount(loan, loan.amount);
-        assertEq(sourceFee, 0, "Source fee should be 0 within prepaid duration");
-
-        // Calculate repay amount
-        uint256 repayAmount = loan.amount;
-
-        // Repay the full loan
-        vm.prank(USER);
-        LOANS_CONTRACT.repayLoan{value: repayAmount}({
-            loanId: loanId,
-            maxRepayBorrowAmount: repayAmount,
-            collateralCountToReturn: loan.collateral,
-            beneficiary: payable(USER),
-            allowance: JBSingleAllowance({sigDeadline: 0, amount: 0, expiration: 0, nonce: 0, signature: ""})
-        });
-
-        // After repayment, user should have received their collateral tokens back
-        // (minted back to them)
-        uint256 userTokensAfter = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-        assertTrue(userTokensAfter > 0, "Token supply should be non-zero after repay");
-
-        // Verify total collateral is reduced
-        uint256 totalCollateralAfter = LOANS_CONTRACT.totalCollateralOf(REVNET_ID);
-        assertEq(totalCollateralAfter, 0, "All collateral should be returned after full repay");
-    }
-}