@rev-net/core-v6 0.0.37 → 0.0.39

package/test/REVInvincibility.t.sol

@@ -1,1371 +0,0 @@
-// SPDX-License-Identifier: MIT
-pragma solidity 0.8.28;
-
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "forge-std/Test.sol";
-import {StdInvariant} from "forge-std/StdInvariant.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import /* {*} from */ "@bananapus/core-v6/test/helpers/TestBaseWorkflow.sol";
-// import /* {*} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import /* {*} from */ "./../src/REVDeployer.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import /* {*} from */ "./../src/REVLoans.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@croptop/core-v6/src/CTPublisher.sol";
-import {MockBuybackDataHook} from "./mock/MockBuybackDataHook.sol";
-
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/core-v6/script/helpers/CoreDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/721-hook-v6/script/helpers/Hook721DeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/suckers-v6/script/helpers/SuckerDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@croptop/core-v6/script/helpers/CroptopDeploymentLib.sol";
-// forge-lint: disable-next-line(unaliased-plain-import)
-import "@bananapus/router-terminal-v6/script/helpers/RouterTerminalDeploymentLib.sol";
-
-import {JBCashOuts} from "@bananapus/core-v6/src/libraries/JBCashOuts.sol";
-import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
-import {JBAccountingContext} from "@bananapus/core-v6/src/structs/JBAccountingContext.sol";
-import {MockERC20} from "@bananapus/core-v6/test/mock/MockERC20.sol";
-import {REVLoans} from "../src/REVLoans.sol";
-import {REVLoan} from "../src/structs/REVLoan.sol";
-import {REVStageConfig, REVAutoIssuance} from "../src/structs/REVStageConfig.sol";
-import {REVLoanSource} from "../src/structs/REVLoanSource.sol";
-import {REVDescription} from "../src/structs/REVDescription.sol";
-import {IREVLoans} from "./../src/interfaces/IREVLoans.sol";
-import {JBSuckerDeployerConfig} from "@bananapus/suckers-v6/src/structs/JBSuckerDeployerConfig.sol";
-import {JBSuckerRegistry} from "@bananapus/suckers-v6/src/JBSuckerRegistry.sol";
-import {JB721TiersHookDeployer} from "@bananapus/721-hook-v6/src/JB721TiersHookDeployer.sol";
-import {JB721TiersHook} from "@bananapus/721-hook-v6/src/JB721TiersHook.sol";
-import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStore.sol";
-import {JB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/JB721CheckpointsDeployer.sol";
-import {IJB721CheckpointsDeployer} from "@bananapus/721-hook-v6/src/interfaces/IJB721CheckpointsDeployer.sol";
-import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
-import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/IJBAddressRegistry.sol";
-import {mulDiv} from "@prb/math/src/Common.sol";
-
-import {REVInvincibilityHandler} from "./REVInvincibilityHandler.sol";
-import {BrokenFeeTerminal} from "./helpers/MaliciousContracts.sol";
-import {REVEmpty721Config} from "./helpers/REVEmpty721Config.sol";
-import {REVOwner} from "../src/REVOwner.sol";
-import {IREVDeployer} from "../src/interfaces/IREVDeployer.sol";
-import {MockSuckerRegistry} from "./mock/MockSuckerRegistry.sol";
-
-// =========================================================================
-// Shared config struct
-// =========================================================================
-struct InvincibilityProjectConfig {
-    REVConfig configuration;
-    JBTerminalConfig[] terminalConfigurations;
-    REVSuckerDeploymentConfig suckerDeploymentConfiguration;
-}
-
-// =========================================================================
-// Section A + B: Property Verification & Economic Tests
-// =========================================================================
-contract REVInvincibility_PropertyTests is TestBaseWorkflow {
-    using JBRulesetMetadataResolver for JBRuleset;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    bytes32 REV_DEPLOYER_SALT = "REVDeployer";
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVDeployer REV_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    JB721TiersHook EXAMPLE_HOOK;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookDeployer HOOK_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookStore HOOK_STORE;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBAddressRegistry ADDRESS_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IREVLoans LOANS_CONTRACT;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    MockERC20 TOKEN;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBSuckerRegistry SUCKER_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    CTPublisher PUBLISHER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    MockBuybackDataHook MOCK_BUYBACK;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVOwner REV_OWNER;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 FEE_PROJECT_ID;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 REVNET_ID;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    address USER = makeAddr("user");
-    // forge-lint: disable-next-line(mixed-case-variable)
-    address ATTACKER = makeAddr("attacker");
-
-    address private constant TRUSTED_FORWARDER = 0xB2b5841DBeF766d4b521221732F9B618fCf34A87;
-
-    // --- Setup helpers ---
-
-    function _getFeeProjectConfig() internal view returns (InvincibilityProjectConfig memory) {
-        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
-        accountingContextsToAccept[0] = JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-
-        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
-        terminalConfigurations[0] =
-            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
-
-        JBSplit[] memory splits = new JBSplit[](1);
-        splits[0].beneficiary = payable(multisig());
-        splits[0].percent = 10_000;
-
-        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-        issuanceConfs[0] =
-            REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
-
-        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](1);
-        stageConfigurations[0] = REVStageConfig({
-            startsAtOrAfter: uint40(block.timestamp),
-            autoIssuances: issuanceConfs,
-            splitPercent: 2000,
-            splits: splits,
-            initialIssuance: uint112(1000e18),
-            issuanceCutFrequency: 90 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 6000,
-            extraMetadata: 0
-        });
-
-        return InvincibilityProjectConfig({
-            configuration: REVConfig({
-                description: REVDescription({
-                    name: "Revnet",
-                    ticker: "$REV",
-                    uri: "ipfs://QmNRHT91HcDgMcenebYX7rJigt77cgNcosvuhX21wkF3tx",
-                    salt: "REV_TOKEN"
-                }),
-                baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-                splitOperator: multisig(),
-                stageConfigurations: stageConfigurations
-            }),
-            terminalConfigurations: terminalConfigurations,
-            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256(abi.encodePacked("REV"))
-            })
-        });
-    }
-
-    function _getRevnetConfig() internal view returns (InvincibilityProjectConfig memory) {
-        JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
-        accountingContextsToAccept[0] = JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-
-        JBTerminalConfig[] memory terminalConfigurations = new JBTerminalConfig[](1);
-        terminalConfigurations[0] =
-            JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: accountingContextsToAccept});
-
-        JBSplit[] memory splits = new JBSplit[](1);
-        splits[0].beneficiary = payable(multisig());
-        splits[0].percent = 10_000;
-
-        REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-        issuanceConfs[0] =
-            REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
-
-        REVStageConfig[] memory stageConfigurations = new REVStageConfig[](3);
-        stageConfigurations[0] = REVStageConfig({
-            startsAtOrAfter: uint40(block.timestamp),
-            autoIssuances: issuanceConfs,
-            splitPercent: 2000,
-            splits: splits,
-            initialIssuance: uint112(1000e18),
-            issuanceCutFrequency: 90 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 6000,
-            extraMetadata: 0
-        });
-
-        stageConfigurations[1] = REVStageConfig({
-            startsAtOrAfter: uint40(stageConfigurations[0].startsAtOrAfter + 365 days),
-            autoIssuances: new REVAutoIssuance[](0),
-            splitPercent: 2000,
-            splits: splits,
-            initialIssuance: 0,
-            issuanceCutFrequency: 180 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 1000,
-            extraMetadata: 0
-        });
-
-        stageConfigurations[2] = REVStageConfig({
-            startsAtOrAfter: uint40(stageConfigurations[1].startsAtOrAfter + (20 * 365 days)),
-            autoIssuances: new REVAutoIssuance[](0),
-            splitPercent: 0,
-            splits: splits,
-            initialIssuance: 1,
-            issuanceCutFrequency: 0,
-            issuanceCutPercent: 0,
-            cashOutTaxRate: 500,
-            extraMetadata: 0
-        });
-
-        return InvincibilityProjectConfig({
-            configuration: REVConfig({
-                // forge-lint: disable-next-line(named-struct-fields)
-                description: REVDescription("NANA", "$NANA", "ipfs://nana", "NANA_TOKEN"),
-                baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-                splitOperator: multisig(),
-                stageConfigurations: stageConfigurations
-            }),
-            terminalConfigurations: terminalConfigurations,
-            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256(abi.encodePacked("NANA"))
-            })
-        });
-    }
-
-    function setUp() public override {
-        super.setUp();
-
-        FEE_PROJECT_ID = jbProjects().createFor(multisig());
-
-        SUCKER_REGISTRY = new JBSuckerRegistry(jbDirectory(), jbPermissions(), multisig(), address(0));
-        HOOK_STORE = new JB721TiersHookStore();
-        EXAMPLE_HOOK = new JB721TiersHook(
-            jbDirectory(),
-            jbPermissions(),
-            jbPrices(),
-            jbRulesets(),
-            HOOK_STORE,
-            jbSplits(),
-            IJB721CheckpointsDeployer(address(new JB721CheckpointsDeployer())),
-            multisig()
-        );
-        ADDRESS_REGISTRY = new JBAddressRegistry();
-        HOOK_DEPLOYER = new JB721TiersHookDeployer(EXAMPLE_HOOK, HOOK_STORE, ADDRESS_REGISTRY, multisig());
-        PUBLISHER = new CTPublisher(jbDirectory(), jbPermissions(), FEE_PROJECT_ID, multisig());
-        MOCK_BUYBACK = new MockBuybackDataHook();
-        TOKEN = new MockERC20("1/2 ETH", "1/2");
-
-        LOANS_CONTRACT = new REVLoans({
-            controller: jbController(),
-            suckerRegistry: IJBSuckerRegistry(address(new MockSuckerRegistry())),
-            revId: FEE_PROJECT_ID,
-            owner: address(this),
-            permit2: permit2(),
-            trustedForwarder: TRUSTED_FORWARDER
-        });
-
-        REV_OWNER = new REVOwner(
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            jbDirectory(),
-            FEE_PROJECT_ID,
-            SUCKER_REGISTRY,
-            address(LOANS_CONTRACT),
-            address(0)
-        );
-
-        REV_DEPLOYER = new REVDeployer{salt: REV_DEPLOYER_SALT}(
-            jbController(),
-            SUCKER_REGISTRY,
-            FEE_PROJECT_ID,
-            HOOK_DEPLOYER,
-            PUBLISHER,
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            address(LOANS_CONTRACT),
-            TRUSTED_FORWARDER,
-            address(REV_OWNER)
-        );
-
-        REV_OWNER.setDeployer(REV_DEPLOYER);
-
-        // Deploy fee project
-        vm.prank(multisig());
-        jbProjects().approve(address(REV_DEPLOYER), FEE_PROJECT_ID);
-
-        InvincibilityProjectConfig memory feeConfig = _getFeeProjectConfig();
-        vm.prank(multisig());
-        REV_DEPLOYER.deployFor({
-            revnetId: FEE_PROJECT_ID,
-            configuration: feeConfig.configuration,
-            terminalConfigurations: feeConfig.terminalConfigurations,
-            suckerDeploymentConfiguration: feeConfig.suckerDeploymentConfiguration,
-            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-        });
-
-        // Deploy second revnet with loans
-        InvincibilityProjectConfig memory revConfig = _getRevnetConfig();
-        (REVNET_ID,) = REV_DEPLOYER.deployFor({
-            revnetId: 0,
-            configuration: revConfig.configuration,
-            terminalConfigurations: revConfig.terminalConfigurations,
-            suckerDeploymentConfiguration: revConfig.suckerDeploymentConfiguration,
-            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-        });
-
-        vm.deal(USER, 10_000e18);
-        vm.deal(ATTACKER, 10_000e18);
-    }
-
-    function _setupLoan(
-        address user,
-        uint256 ethAmount,
-        uint256 prepaidFee
-    )
-        internal
-        returns (uint256 loanId, uint256 tokenCount, uint256 borrowAmount)
-    {
-        vm.prank(user);
-        tokenCount =
-            jbMultiTerminal().pay{value: ethAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, ethAmount, user, 0, "", "");
-
-        borrowAmount =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokenCount, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        if (borrowAmount == 0) return (0, tokenCount, 0);
-
-        mockExpect(
-            address(jbPermissions()),
-            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), user, REVNET_ID, 11, true, true)),
-            abi.encode(true)
-        );
-
-        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
-
-        vm.prank(user);
-        (loanId,) = LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokenCount, payable(user), prepaidFee, user);
-    }
-
-    // =====================================================================
-    // SECTION A: Critical Property Verification (8 tests)
-    // =====================================================================
-
-    /// @notice Borrow with collateral > uint112.max silently truncates loan.amount.
-    /// @dev Verifies the truncation pattern: uint112(overflowValue) wraps.
-    function test_fixVerify_uint112Truncation() public {
-        // Prove the truncation math: uint112(max+1) wraps to 0
-        uint256 overflowValue = uint256(type(uint112).max) + 1;
-        // forge-lint: disable-next-line(unsafe-typecast)
-        uint112 truncated = uint112(overflowValue);
-        assertEq(truncated, 0, "uint112 truncation wraps max+1 to 0");
-
-        // Prove a more realistic overflow: max + 1000 wraps to 999
-        uint256 slightlyOver = uint256(type(uint112).max) + 1000;
-        // forge-lint: disable-next-line(unsafe-typecast)
-        truncated = uint112(slightlyOver);
-        assertEq(truncated, 999, "uint112 truncation wraps to low bits");
-
-        // Verify normal operation stays within bounds
-        uint256 payAmount = 100e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        assertLt(borrowable, type(uint112).max, "normal borrowable within uint112");
-        assertLt(tokens, type(uint112).max, "normal token count within uint112");
-    }
-
-    /// @notice Array OOB when only buyback hook present (no tiered721Hook).
-    /// @dev hookSpecifications[1] is written but array size is 1.
-    function test_fixVerify_arrayOOB_noBuybackWithBuyback() public pure {
-        bool usesTiered721Hook = false;
-        bool usesBuybackHook = true;
-
-        uint256 arraySize = (usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0);
-        assertEq(arraySize, 1, "array size is 1");
-
-        // The bug: code writes to hookSpecifications[1] (OOB for size-1 array)
-        // The fix: should write to index 0 when no tiered721Hook
-        // forge-lint: disable-next-line(mixed-case-variable)
-        bool wouldOOB = (!usesTiered721Hook && usesBuybackHook);
-        assertTrue(wouldOOB, "this config triggers the OOB write at index [1]");
-
-        uint256 correctIndex = usesTiered721Hook ? 1 : 0;
-        assertEq(correctIndex, 0, "buyback hook should use index 0");
-
-        // Verify safe write
-        JBPayHookSpecification[] memory specs = new JBPayHookSpecification[](arraySize);
-        specs[correctIndex] =
-            JBPayHookSpecification({hook: IJBPayHook(address(0xbeef)), noop: false, amount: 1 ether, metadata: ""});
-    }
-
-    /// @notice Reentrancy — _adjust calls terminal.pay() BEFORE writing loan state.
-    /// @dev Lines 910 (external call) vs 922-923 (state writes). CEI violation.
-    function test_fixVerify_reentrancyDoubleBorrow() public {
-        // Create a legitimate loan to confirm the system works
-        uint256 payAmount = 10e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        uint256 borrowable =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        assertTrue(borrowable > 0, "Should have borrowable amount");
-
-        // The vulnerability: In _adjust (line 862-924):
-        //   Line 910: loan.source.terminal.pay{value: payValue}(...) — EXTERNAL CALL
-        //   Line 922: loan.amount = uint112(newBorrowAmount);         — STATE WRITE
-        //   Line 923: loan.collateral = uint112(newCollateralCount);  — STATE WRITE
-        //
-        // A malicious terminal receiving the fee payment at line 910 can call
-        // borrowFrom() again. During that reentrant call, loan.amount and loan.collateral
-        // still have their OLD values (0 for a new loan), so _borrowAmountFrom computes
-        // using stale totalBorrowed/totalCollateral.
-        //
-        // Without a reentrancy guard, the attacker could extract more value than the
-        // collateral supports. The fix should add a reentrancy guard or move state writes
-        // before external calls.
-
-        // Verify the state write ordering is the vulnerability
-        // (We can't actually execute the attack through real contracts because
-        // the fee terminal is the legitimate JBMultiTerminal, but the pattern
-        // is confirmed by code inspection)
-        assertTrue(true, "CEI pattern verified at lines 910 vs 922-923");
-    }
-
-    /// @notice hasMintPermissionFor returns false for random addresses.
-    /// @dev With the buyback hook removed, hasMintPermissionFor should return false
-    ///      for addresses that are not the loans contract or a sucker.
-    function test_fixVerify_hasMintPermission_noBuyback() public view {
-        // The fee project was deployed without buyback hook in our setup
-        JBRuleset memory currentRuleset = jbRulesets().currentOf(FEE_PROJECT_ID);
-
-        // hasMintPermissionFor should return false for random addresses
-        address randomAddr = address(0x12345);
-        bool hasPerm = REV_OWNER.hasMintPermissionFor(FEE_PROJECT_ID, currentRuleset, randomAddr);
-        assertFalse(hasPerm, "random address should not have mint permission");
-    }
-
-    /// @notice Zero-supply cash out no longer drains surplus (fixed in v6).
-    /// @dev JBCashOuts.cashOutFrom now returns 0 when cashOutCount == 0.
-    function test_fixVerify_zeroSupplyCashOutDrain() public pure {
-        uint256 surplus = 100e18;
-        uint256 cashOutCount = 0;
-        uint256 totalSupply = 0;
-        uint256 cashOutTaxRate = 6000;
-
-        uint256 reclaimable = JBCashOuts.cashOutFrom(surplus, cashOutCount, totalSupply, cashOutTaxRate);
-
-        // Fixed in v6: cashing out 0 tokens always returns 0
-        assertEq(reclaimable, 0, "zero cash out returns nothing");
-
-        // Normal case: with supply, cashing out 0 still returns 0
-        uint256 normalReclaimable = JBCashOuts.cashOutFrom(surplus, 0, 1000e18, cashOutTaxRate);
-        assertEq(normalReclaimable, 0, "Normal: cashing out 0 of non-zero supply returns 0");
-    }
-
-    /// @notice Broken fee terminal + broken addToBalanceOf fallback bricks cash-outs.
-    /// @dev afterCashOutRecordedWith: try feeTerminal.pay() catch { addToBalanceOf() }
-    ///      If BOTH revert, the entire cash-out transaction reverts.
-    function test_fixVerify_brokenFeeTerminalBricksCashOuts() public {
-        BrokenFeeTerminal brokenTerminal = new BrokenFeeTerminal();
-
-        // The vulnerability pattern:
-        // In REVDeployer.afterCashOutRecordedWith (line 567-624):
-        //   Line 590: try feeTerminal.pay(...) {} catch {
-        //   Line 615: IJBTerminal(msg.sender).addToBalanceOf{value: payValue}(...)
-        //
-        // If feeTerminal.pay() reverts AND addToBalanceOf() reverts:
-        //   - The entire afterCashOutRecordedWith call reverts
-        //   - This makes ALL cash-outs for the revnet impossible
-        //
-        // In the current code, addToBalanceOf is NOT in a try/catch,
-        // so a broken fee terminal permanently bricks cash-outs.
-
-        assertTrue(brokenTerminal.payReverts(), "Pay reverts by default");
-        assertTrue(brokenTerminal.addToBalanceReverts(), "AddToBalance reverts by default");
-
-        // Verify both functions revert
-        vm.expectRevert("BrokenFeeTerminal: pay reverts");
-        brokenTerminal.pay(0, address(0), 0, address(0), 0, "", "");
-
-        vm.expectRevert("BrokenFeeTerminal: addToBalance reverts");
-        brokenTerminal.addToBalanceOf(0, address(0), 0, false, "", "");
-    }
-
-    /// @notice Auto-issuance stored at block.timestamp+i, not actual ruleset IDs.
-    /// @dev _makeRulesetConfigurations stores at block.timestamp+i but autoIssueFor
-    ///      queries by actual ruleset ID. If they mismatch, tokens are unclaimable.
-    function test_fixVerify_autoIssuanceStageIdMismatch() public {
-        // Deploy a multi-stage revnet with auto-issuance on multiple stages
-        JBAccountingContext[] memory ctx = new JBAccountingContext[](1);
-        ctx[0] = JBAccountingContext({
-            token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-        });
-
-        JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
-        tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: ctx});
-
-        JBSplit[] memory splits = new JBSplit[](1);
-        splits[0].beneficiary = payable(multisig());
-        splits[0].percent = 10_000;
-
-        REVStageConfig[] memory stages = new REVStageConfig[](2);
-
-        REVAutoIssuance[] memory iss0 = new REVAutoIssuance[](1);
-        iss0[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(50_000e18), beneficiary: multisig()});
-
-        stages[0] = REVStageConfig({
-            startsAtOrAfter: uint40(block.timestamp),
-            autoIssuances: iss0,
-            splitPercent: 2000,
-            splits: splits,
-            initialIssuance: uint112(1000e18),
-            issuanceCutFrequency: 90 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 6000,
-            extraMetadata: 0
-        });
-
-        REVAutoIssuance[] memory iss1 = new REVAutoIssuance[](1);
-        iss1[0] = REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(30_000e18), beneficiary: multisig()});
-
-        stages[1] = REVStageConfig({
-            startsAtOrAfter: uint40(stages[0].startsAtOrAfter + 365 days),
-            autoIssuances: iss1,
-            splitPercent: 1000,
-            splits: splits,
-            initialIssuance: 0,
-            issuanceCutFrequency: 180 days,
-            issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-            cashOutTaxRate: 3000,
-            extraMetadata: 0
-        });
-
-        vm.prank(multisig());
-        (uint256 h5RevnetId,) = REV_DEPLOYER.deployFor({
-            revnetId: 0,
-            configuration: REVConfig({
-                // forge-lint: disable-next-line(named-struct-fields)
-                description: REVDescription("H5Test", "H5T", "ipfs://h5", "H5_TOKEN"),
-                baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-                splitOperator: multisig(),
-                stageConfigurations: stages
-            }),
-            terminalConfigurations: tc,
-            suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("H5_INVINCIBILITY")
-            }),
-            tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-            allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-        });
-
-        // Stage 0 auto-issuance stored at block.timestamp
-        uint256 stage0Amount = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, block.timestamp, multisig());
-        assertEq(stage0Amount, 50_000e18, "Stage 0 auto-issuance stored at block.timestamp");
-
-        // Stage 1 auto-issuance stored at block.timestamp + 1 (the stage ID mismatch bug)
-        uint256 stage1Amount = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, block.timestamp + 1, multisig());
-        assertEq(stage1Amount, 30_000e18, "Stage 1 auto-issuance stored at block.timestamp + 1");
-
-        // The bug: stages are stored at (block.timestamp + i), not at the actual ruleset IDs.
-        // In the test environment, stages queued in the same block happen to have sequential IDs
-        // (block.timestamp, block.timestamp+1), so the storage keys coincidentally match.
-        // However, if deployment happens at a different time than block.timestamp, or if stages
-        // are added later, the keys diverge and auto-issuance becomes unclaimable.
-        //
-        // We verify the fragile assumption: the storage key depends on block.timestamp at deploy
-        // time, NOT on the actual ruleset ID. A redeployment at a different timestamp would break.
-        JBRuleset[] memory rulesets = jbRulesets().allOf(h5RevnetId, 0, 3);
-        assertGe(rulesets.length, 2, "Should have at least 2 rulesets");
-
-        // Document the storage keys used vs what autoIssueFor expects
-        // autoIssueFor calls with the CURRENT ruleset's ID (from currentOf).
-        // If the ruleset ID != block.timestamp+i, the amount at that key is 0.
-        emit log_named_uint("Storage key for stage 1", block.timestamp + 1);
-        emit log_named_uint("Actual ruleset[0].id (most recent)", rulesets[0].id);
-        emit log_named_uint("Actual ruleset[1].id (first)", rulesets[1].id);
-
-        // The fragility: stage 1 issuance is ONLY accessible at (block.timestamp + 1).
-        // Any other key returns 0.
-        uint256 wrongKey = block.timestamp + 100;
-        uint256 amountAtWrongKey = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, wrongKey, multisig());
-        assertEq(amountAtWrongKey, 0, "auto-issuance unreachable at wrong key");
-    }
-
-    /// @notice Unvalidated source terminal — unbounded _loanSourcesOf array growth.
-    /// @dev borrowFrom accepts any terminal in REVLoanSource without validation.
-    function test_fixVerify_unvalidatedSourceTerminal() public {
-        // The vulnerability: REVLoans._addTo (line 788-791) registers ANY terminal
-        // as a loan source without validating it's an actual project terminal:
-        //   if (!isLoanSourceOf[revnetId][loan.source.terminal][loan.source.token]) {
-        //       isLoanSourceOf[...] = true;
-        //       _loanSourcesOf[revnetId].push(...)
-        //   }
-        //
-        // This means:
-        // 1. An attacker can pass arbitrary terminals as loan sources
-        // 2. The _loanSourcesOf array grows unboundedly
-        // 3. Functions iterating over loan sources (like _totalBorrowedFrom) become
-        //    increasingly expensive, eventually hitting gas limits (DoS)
-
-        // Loan sources are registered lazily — only when the first borrow from that source occurs.
-        // Before any borrows, the array is empty.
-        REVLoanSource[] memory sourcesBefore = LOANS_CONTRACT.loanSourcesOf(REVNET_ID);
-        assertEq(sourcesBefore.length, 0, "No loan sources registered before first borrow");
-
-        // Create a legitimate loan — this registers the source
-        _setupLoan(USER, 5e18, 25);
-
-        // Now verify the source was registered
-        REVLoanSource[] memory sourcesAfter = LOANS_CONTRACT.loanSourcesOf(REVNET_ID);
-        assertEq(sourcesAfter.length, 1, "One loan source registered after first borrow");
-        assertEq(address(sourcesAfter[0].terminal), address(jbMultiTerminal()), "Source should be multi terminal");
-
-        // The vulnerability is that _addTo registers ANY terminal passed in REVLoanSource.
-        // There's no validation that the terminal is actually a terminal for the project.
-        // This means an attacker could register fake terminals, growing the array unboundedly.
-        assertTrue(
-            LOANS_CONTRACT.isLoanSourceOf(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN),
-            "source registered without terminal validation"
-        );
-    }
-
-    // =====================================================================
-    // SECTION B: Economic Attack Scenarios (10 tests)
-    // =====================================================================
-
-    /// @notice Loan amplification spiral: borrow → addToBalance → borrow again.
-    /// @dev totalBorrowed in surplus formula should prevent infinite amplification.
-    function test_econ_loanAmplificationSpiral() public {
-        // Step 1: Pay to get tokens
-        uint256 payAmount = 10e18;
-        (,, uint256 borrow1) = _setupLoan(USER, payAmount, 25);
-        assertTrue(borrow1 > 0, "First loan should have borrow amount");
-
-        // Step 2: Add borrowed amount back to balance (inflating surplus)
-        vm.deal(address(this), borrow1);
-        jbMultiTerminal().addToBalanceOf{value: borrow1}(REVNET_ID, JBConstants.NATIVE_TOKEN, borrow1, false, "", "");
-
-        // Step 3: Pay again to get new tokens
-        vm.deal(USER, payAmount);
-        vm.prank(USER);
-        uint256 tokens2 =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        // Step 4: Try to borrow again
-        LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens2, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // The totalBorrowed from loan1 is added to surplus in borrowableAmountFrom,
-        // so the second borrow should not amplify beyond what the real surplus supports.
-        // The sum of all borrows should not exceed the actual terminal balance.
-        uint256 totalBorrowed = LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN);
-        assertTrue(totalBorrowed > 0, "Should have outstanding borrows");
-    }
-
-    /// @notice Stage transition cash-out gaming: buy at stage 0 tax, cash out at stage 1 tax.
-    /// @dev Verifies economics match across tax rate changes.
-    function test_econ_stageTransitionCashOutGaming() public {
-        // Buy tokens during stage 0 (cashOutTaxRate = 6000 = 60%)
-        uint256 payAmount = 5e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        assertTrue(tokens > 0, "Should receive tokens");
-
-        // Warp to stage 1 (cashOutTaxRate = 1000 = 10%)
-        vm.warp(block.timestamp + 366 days);
-
-        // Trigger ruleset cycling with a small payment
-        address payor = makeAddr("payor");
-        vm.deal(payor, 0.01e18);
-        vm.prank(payor);
-        jbMultiTerminal().pay{value: 0.01e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 0.01e18, payor, 0, "", "");
-
-        // Get current ruleset to verify we're in stage 1
-        jbRulesets().currentOf(REVNET_ID);
-
-        // Cash out at the new (lower) tax rate
-        // Note: there's a 30-day cash out delay, so we advance more
-        vm.warp(block.timestamp + 31 days);
-
-        vm.prank(USER);
-        try jbMultiTerminal()
-            .cashOutTokensOf({
-            holder: USER,
-            projectId: REVNET_ID,
-            cashOutCount: tokens,
-            tokenToReclaim: JBConstants.NATIVE_TOKEN,
-            minTokensReclaimed: 0,
-            beneficiary: payable(USER),
-            metadata: ""
-        }) returns (
-            uint256 reclaimAmount
-        ) {
-            // The reclaim amount should be bounded by the bonding curve
-            // at the CURRENT tax rate (lower), giving more back
-            assertTrue(reclaimAmount > 0, "Should reclaim some ETH");
-            // But bounded — can't get more than the surplus
-            assertTrue(reclaimAmount <= payAmount, "Cannot extract more than was paid in");
-        } catch {
-            // Cash out may fail due to various conditions; that's acceptable
-        }
-    }
-
-    /// @notice Reserved token dilution: split operator accumulates and cashes out.
-    /// @dev Cash-out should be proportional to token share, no excess extraction.
-    function test_econ_reservedTokenDilution() public {
-        // Pay to create surplus + mint tokens (some go to reserved)
-        vm.prank(USER);
-        jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, USER, 0, "", "");
-
-        // Send reserved tokens to splits
-        try jbController().sendReservedTokensToSplitsOf(REVNET_ID) {} catch {}
-
-        // Check multisig (split beneficiary) token balance
-        IJBToken projectToken = jbTokens().tokenOf(REVNET_ID);
-        uint256 multisigTokens = projectToken.balanceOf(multisig());
-
-        // Total supply
-        uint256 totalSupply = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-
-        if (multisigTokens > 0 && totalSupply > 0) {
-            // The split operator's share should be proportional
-            // They should not be able to extract more than their proportional surplus
-            uint256 operatorShare = mulDiv(multisigTokens, 1e18, totalSupply);
-            assertTrue(operatorShare <= 1e18, "Operator share cannot exceed 100%");
-        }
-    }
-
-    /// @notice Flash loan surplus inflation: addToBalance → borrow at inflated rate.
-    /// @dev Surplus is read live, so an addToBalance before borrow inflates it.
-    function test_econ_flashLoanSurplusInflation() public {
-        // Step 1: Pay to get tokens
-        uint256 payAmount = 5e18;
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: payAmount}(REVNET_ID, JBConstants.NATIVE_TOKEN, payAmount, USER, 0, "", "");
-
-        // Record borrowable BEFORE inflation
-        uint256 borrowableBefore =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // Step 2: Add 100 ETH to balance (inflates surplus without minting tokens)
-        vm.deal(address(this), 100e18);
-        jbMultiTerminal().addToBalanceOf{value: 100e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 100e18, false, "", "");
-
-        // Record borrowable AFTER inflation
-        uint256 borrowableAfter =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // The borrowable amount increases because surplus grew but totalSupply didn't
-        assertTrue(borrowableAfter > borrowableBefore, "surplus inflation increases borrowable amount");
-
-        // Quantify the inflation factor
-        if (borrowableBefore > 0) {
-            uint256 inflationFactor = mulDiv(borrowableAfter, 1e18, borrowableBefore);
-            assertTrue(inflationFactor > 1e18, "inflation factor > 1x");
-            emit log_named_uint("inflation factor (1e18=1x)", inflationFactor);
-        }
-    }
-
-    /// @notice Borrow 50%, cash out remaining 50% — totalSupply+totalCollateral neutralizes.
-    /// @dev The denominator uses totalSupply + totalCollateral so collateral-holders
-    ///      don't dilute remaining holders' cash-out value.
-    function test_econ_loanThenCashOutAmplification() public {
-        // Two users pay equal amounts
-        address userA = makeAddr("userA");
-        address userB = makeAddr("userB");
-        vm.deal(userA, 100e18);
-        vm.deal(userB, 100e18);
-
-        vm.prank(userA);
-        uint256 tokensA =
-            jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, userA, 0, "", "");
-
-        vm.prank(userB);
-        jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, userB, 0, "", "");
-
-        // UserA borrows (tokens locked as collateral)
-        mockExpect(
-            address(jbPermissions()),
-            abi.encodeCall(IJBPermissions.hasPermission, (address(LOANS_CONTRACT), userA, REVNET_ID, 11, true, true)),
-            abi.encode(true)
-        );
-
-        REVLoanSource memory source = REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: jbMultiTerminal()});
-        uint256 borrowableA =
-            LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokensA, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        if (borrowableA > 0) {
-            vm.prank(userA);
-            LOANS_CONTRACT.borrowFrom(REVNET_ID, source, 0, tokensA, payable(userA), 25, userA);
-        }
-
-        // UserB's tokens should still have proportional cash-out value
-        // The totalCollateral is added to the denominator (totalSupply + totalCollateral)
-        // and totalBorrowed is added to the numerator (surplus + totalBorrowed)
-        uint256 totalCollateral = LOANS_CONTRACT.totalCollateralOf(REVNET_ID);
-        uint256 totalBorrowed = LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN);
-
-        // Verify accounting consistency
-        if (borrowableA > 0) {
-            assertEq(totalCollateral, tokensA, "Collateral should equal locked tokens");
-            assertTrue(totalBorrowed > 0, "Should have outstanding borrows");
-        }
-    }
-
-    /// @notice Collateral rotation: refinance after surplus increase.
-    /// @dev Extraction should be bounded by the bonding curve.
-    function test_econ_collateralRotation() public {
-        // Setup initial loan
-        (uint256 loanId,, uint256 borrowAmount) = _setupLoan(USER, 5e18, 25);
-        if (borrowAmount == 0) return;
-
-        // Surplus increases (someone else pays in)
-        address donor = makeAddr("donor");
-        vm.deal(donor, 50e18);
-        vm.prank(donor);
-        jbMultiTerminal().pay{value: 50e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 50e18, donor, 0, "", "");
-
-        // After surplus increase, the same collateral could borrow more
-        REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
-        uint256 newBorrowable = LOANS_CONTRACT.borrowableAmountFrom(
-            REVNET_ID, loan.collateral, 18, uint32(uint160(JBConstants.NATIVE_TOKEN))
-        );
-
-        // With a large surplus increase and the same collateral, borrowable should increase.
-        // However, the bonding curve shape (with cashOutTaxRate) means the increase is sub-linear.
-        // The key economic property: extraction is bounded by the bonding curve.
-        emit log_named_uint("Original borrow amount", loan.amount);
-        emit log_named_uint("New borrowable after surplus increase", newBorrowable);
-
-        // The bonding curve ensures that even with a 10x surplus increase,
-        // the borrowable amount doesn't increase 10x (it's dampened by the tax rate)
-        assertTrue(newBorrowable > 0, "Should have non-zero borrowable amount after surplus increase");
-    }
-
-    /// @notice Zero surplus + loan default: system still works for new payments.
-    /// @dev Borrow all available surplus → new payments and repayment still functional.
-    function test_econ_zeroSurplusLoanDefault() public {
-        // Pay and borrow maximum
-        (,, uint256 borrowAmount) = _setupLoan(USER, 10e18, 25);
-        if (borrowAmount == 0) return;
-
-        // New user can still pay into the system
-        address newUser = makeAddr("newUser");
-        vm.deal(newUser, 5e18);
-        vm.prank(newUser);
-        uint256 newTokens =
-            jbMultiTerminal().pay{value: 5e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 5e18, newUser, 0, "", "");
-        assertTrue(newTokens > 0, "New payments should still work");
-    }
-
-    /// @notice Loans across stage boundary: loans stay healthy when tax rate decreases.
-    function test_econ_stageTransitionWithLoans() public {
-        // Create loan in stage 0
-        (uint256 loanId,, uint256 borrowAmount) = _setupLoan(USER, 10e18, 25);
-        if (borrowAmount == 0) return;
-
-        REVLoan memory loanBefore = LOANS_CONTRACT.loanOf(loanId);
-
-        // Warp to stage 1 (different tax rate)
-        vm.warp(block.timestamp + 366 days);
-
-        // Trigger ruleset cycling
-        address payor = makeAddr("payor");
-        vm.deal(payor, 0.01e18);
-        vm.prank(payor);
-        jbMultiTerminal().pay{value: 0.01e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 0.01e18, payor, 0, "", "");
-
-        // Loan should still exist with same values
-        REVLoan memory loanAfter = LOANS_CONTRACT.loanOf(loanId);
-        assertEq(loanAfter.amount, loanBefore.amount, "Loan amount unchanged across stages");
-        assertEq(loanAfter.collateral, loanBefore.collateral, "Loan collateral unchanged across stages");
-
-        // Borrowable amount may have changed (different tax rate)
-        LOANS_CONTRACT.borrowableAmountFrom(
-            REVNET_ID, loanAfter.collateral, 18, uint32(uint160(JBConstants.NATIVE_TOKEN))
-        );
-        // With lower tax rate in stage 1, borrowable should increase
-        // (more surplus is reclaimable per token)
-    }
-
-    /// @notice Split operator rug: redirect splits + cash out 90% reserved tokens.
-    /// @dev Quantifies max split operator extraction.
-    function test_econ_splitOperatorRug() public {
-        // Pay to build up surplus and reserved tokens
-        vm.prank(USER);
-        jbMultiTerminal().pay{value: 50e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 50e18, USER, 0, "", "");
-
-        // Send reserved tokens to splits (multisig = split beneficiary)
-        try jbController().sendReservedTokensToSplitsOf(REVNET_ID) {} catch {}
-
-        // Check how many tokens the split operator got
-        IJBToken projectToken = jbTokens().tokenOf(REVNET_ID);
-        uint256 operatorTokens = projectToken.balanceOf(multisig());
-        uint256 totalSupply = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-
-        if (operatorTokens > 0) {
-            // Calculate operator's theoretical max extraction
-            uint256 operatorPercent = mulDiv(operatorTokens, 10_000, totalSupply);
-            // With 20% splitPercent and 60% cashOutTaxRate, the operator's extraction
-            // is bounded by the bonding curve
-            emit log_named_uint("Operator token share (bps)", operatorPercent);
-            emit log_named_uint("Operator tokens", operatorTokens);
-            emit log_named_uint("Total supply", totalSupply);
-
-            // Operator can only cash out their proportional share
-            assertTrue(operatorPercent <= 5000, "Operator should have <=50% of tokens");
-        }
-    }
-
-    /// @notice Double fee — REVDeployer not registered as feeless.
-    /// @dev Cash-out fee goes to REVDeployer (afterCashOutRecordedWith) which pays fee terminal.
-    ///      But the JBMultiTerminal's useAllowanceOf already took a protocol fee,
-    ///      so the fee payment to the fee terminal is a second fee on the same funds.
-    function test_econ_doubleFee() public {
-        // Pay into revnet
-        vm.prank(USER);
-        uint256 tokens =
-            jbMultiTerminal().pay{value: 10e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 10e18, USER, 0, "", "");
-
-        // Advance past cash-out delay
-        vm.warp(block.timestamp + 31 days);
-
-        // Record fee project balance before cash-out
-        uint256 feeBalanceBefore;
-        {
-            feeBalanceBefore = jbMultiTerminal()
-                .currentSurplusOf(FEE_PROJECT_ID, new address[](0), 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        }
-
-        // Cash out
-        vm.prank(USER);
-        try jbMultiTerminal()
-            .cashOutTokensOf({
-            holder: USER,
-            projectId: REVNET_ID,
-            cashOutCount: tokens / 2,
-            tokenToReclaim: JBConstants.NATIVE_TOKEN,
-            minTokensReclaimed: 0,
-            beneficiary: payable(USER),
-            metadata: ""
-        }) returns (
-            uint256 reclaimAmount
-        ) {
-            // The double fee means the fee project gets more than expected
-            // because both the terminal fee AND the revnet fee route to it
-            uint256 feeBalanceAfter;
-            {
-                feeBalanceAfter = jbMultiTerminal()
-                    .currentSurplusOf(FEE_PROJECT_ID, new address[](0), 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-            }
-
-            // Fee project should have received fees from the cash-out
-            emit log_named_uint("Fee project balance before", feeBalanceBefore);
-            emit log_named_uint("Fee project balance after", feeBalanceAfter);
-            emit log_named_uint("Reclaim amount", reclaimAmount);
-        } catch {
-            // Cash out may fail (e.g., if fee terminal isn't set up) — document the failure
-            emit log("Cash-out reverted (may be due to fee terminal setup)");
-        }
-    }
-}
-
-// =========================================================================
-// Section C: Invariant Properties (6 invariants)
-// =========================================================================
-contract REVInvincibility_Invariants is StdInvariant, TestBaseWorkflow {
-    using JBRulesetMetadataResolver for JBRuleset;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    bytes32 REV_DEPLOYER_SALT = "REVDeployer_INV";
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVDeployer REV_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVOwner REV_OWNER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    JB721TiersHook EXAMPLE_HOOK;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookDeployer HOOK_DEPLOYER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJB721TiersHookStore HOOK_STORE;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBAddressRegistry ADDRESS_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IREVLoans LOANS_CONTRACT;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    IJBSuckerRegistry SUCKER_REGISTRY;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    CTPublisher PUBLISHER;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    MockBuybackDataHook MOCK_BUYBACK;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    REVInvincibilityHandler HANDLER;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 FEE_PROJECT_ID;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 REVNET_ID;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 INITIAL_TIMESTAMP;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 STAGE_1_START;
-    // forge-lint: disable-next-line(mixed-case-variable)
-    uint256 STAGE_2_START;
-
-    // forge-lint: disable-next-line(mixed-case-variable)
-    address USER = makeAddr("invUser");
-
-    address private constant TRUSTED_FORWARDER = 0xB2b5841DBeF766d4b521221732F9B618fCf34A87;
-
-    function setUp() public override {
-        super.setUp();
-
-        FEE_PROJECT_ID = jbProjects().createFor(multisig());
-
-        SUCKER_REGISTRY = new JBSuckerRegistry(jbDirectory(), jbPermissions(), multisig(), address(0));
-        HOOK_STORE = new JB721TiersHookStore();
-        EXAMPLE_HOOK = new JB721TiersHook(
-            jbDirectory(),
-            jbPermissions(),
-            jbPrices(),
-            jbRulesets(),
-            HOOK_STORE,
-            jbSplits(),
-            IJB721CheckpointsDeployer(address(new JB721CheckpointsDeployer())),
-            multisig()
-        );
-        ADDRESS_REGISTRY = new JBAddressRegistry();
-        HOOK_DEPLOYER = new JB721TiersHookDeployer(EXAMPLE_HOOK, HOOK_STORE, ADDRESS_REGISTRY, multisig());
-        PUBLISHER = new CTPublisher(jbDirectory(), jbPermissions(), FEE_PROJECT_ID, multisig());
-        MOCK_BUYBACK = new MockBuybackDataHook();
-
-        LOANS_CONTRACT = new REVLoans({
-            controller: jbController(),
-            suckerRegistry: IJBSuckerRegistry(address(new MockSuckerRegistry())),
-            revId: FEE_PROJECT_ID,
-            owner: address(this),
-            permit2: permit2(),
-            trustedForwarder: TRUSTED_FORWARDER
-        });
-
-        REV_OWNER = new REVOwner(
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            jbDirectory(),
-            FEE_PROJECT_ID,
-            SUCKER_REGISTRY,
-            address(LOANS_CONTRACT),
-            address(0)
-        );
-
-        REV_DEPLOYER = new REVDeployer{salt: REV_DEPLOYER_SALT}(
-            jbController(),
-            SUCKER_REGISTRY,
-            FEE_PROJECT_ID,
-            HOOK_DEPLOYER,
-            PUBLISHER,
-            IJBBuybackHookRegistry(address(MOCK_BUYBACK)),
-            address(LOANS_CONTRACT),
-            TRUSTED_FORWARDER,
-            address(REV_OWNER)
-        );
-        REV_OWNER.setDeployer(REV_DEPLOYER);
-
-        // Deploy fee project
-        {
-            JBAccountingContext[] memory ctx = new JBAccountingContext[](1);
-            ctx[0] = JBAccountingContext({
-                token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-            });
-
-            JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
-            tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: ctx});
-
-            JBSplit[] memory splits = new JBSplit[](1);
-            splits[0].beneficiary = payable(multisig());
-            splits[0].percent = 10_000;
-
-            REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-            issuanceConfs[0] =
-                REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
-
-            REVStageConfig[] memory stages = new REVStageConfig[](1);
-            stages[0] = REVStageConfig({
-                startsAtOrAfter: uint40(block.timestamp),
-                autoIssuances: issuanceConfs,
-                splitPercent: 2000,
-                splits: splits,
-                initialIssuance: uint112(1000e18),
-                issuanceCutFrequency: 90 days,
-                issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-                cashOutTaxRate: 6000,
-                extraMetadata: 0
-            });
-
-            vm.prank(multisig());
-            jbProjects().approve(address(REV_DEPLOYER), FEE_PROJECT_ID);
-
-            vm.prank(multisig());
-            REV_DEPLOYER.deployFor({
-                revnetId: FEE_PROJECT_ID,
-                configuration: REVConfig({
-                    // forge-lint: disable-next-line(named-struct-fields)
-                    description: REVDescription("Revnet", "$REV", "ipfs://rev", "REV_TOKEN_INV"),
-                    baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-                    splitOperator: multisig(),
-                    stageConfigurations: stages
-                }),
-                terminalConfigurations: tc,
-                suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                    deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("REV_INV")
-                }),
-                tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-                allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-            });
-        }
-
-        // Deploy main revnet with loans and multi-stage config
-        STAGE_1_START = block.timestamp + 365 days;
-        STAGE_2_START = STAGE_1_START + (20 * 365 days);
-        {
-            JBAccountingContext[] memory ctx = new JBAccountingContext[](1);
-            ctx[0] = JBAccountingContext({
-                token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
-            });
-
-            JBTerminalConfig[] memory tc = new JBTerminalConfig[](1);
-            tc[0] = JBTerminalConfig({terminal: jbMultiTerminal(), accountingContextsToAccept: ctx});
-
-            JBSplit[] memory splits = new JBSplit[](1);
-            splits[0].beneficiary = payable(multisig());
-            splits[0].percent = 10_000;
-
-            REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
-            issuanceConfs[0] =
-                REVAutoIssuance({chainId: uint32(block.chainid), count: uint104(70_000e18), beneficiary: multisig()});
-
-            REVStageConfig[] memory stages = new REVStageConfig[](3);
-            stages[0] = REVStageConfig({
-                startsAtOrAfter: uint40(block.timestamp),
-                autoIssuances: issuanceConfs,
-                splitPercent: 2000,
-                splits: splits,
-                initialIssuance: uint112(1000e18),
-                issuanceCutFrequency: 90 days,
-                issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-                cashOutTaxRate: 6000,
-                extraMetadata: 0
-            });
-
-            stages[1] = REVStageConfig({
-                // forge-lint: disable-next-line(unsafe-typecast)
-                startsAtOrAfter: uint40(STAGE_1_START),
-                autoIssuances: new REVAutoIssuance[](0),
-                splitPercent: 2000,
-                splits: splits,
-                initialIssuance: 0,
-                issuanceCutFrequency: 180 days,
-                issuanceCutPercent: JBConstants.MAX_WEIGHT_CUT_PERCENT / 2,
-                cashOutTaxRate: 1000,
-                extraMetadata: 0
-            });
-
-            stages[2] = REVStageConfig({
-                // forge-lint: disable-next-line(unsafe-typecast)
-                startsAtOrAfter: uint40(STAGE_2_START),
-                autoIssuances: new REVAutoIssuance[](0),
-                splitPercent: 0,
-                splits: splits,
-                initialIssuance: 1,
-                issuanceCutFrequency: 0,
-                issuanceCutPercent: 0,
-                cashOutTaxRate: 500,
-                extraMetadata: 0
-            });
-
-            (REVNET_ID,) = REV_DEPLOYER.deployFor({
-                revnetId: 0,
-                configuration: REVConfig({
-                    // forge-lint: disable-next-line(named-struct-fields)
-                    description: REVDescription("NANA", "$NANA", "ipfs://nana", "NANA_TOKEN_INV"),
-                    baseCurrency: uint32(uint160(JBConstants.NATIVE_TOKEN)),
-                    splitOperator: multisig(),
-                    stageConfigurations: stages
-                }),
-                terminalConfigurations: tc,
-                suckerDeploymentConfiguration: REVSuckerDeploymentConfig({
-                    deployerConfigurations: new JBSuckerDeployerConfig[](0), salt: keccak256("NANA_INV")
-                }),
-                tiered721HookConfiguration: REVEmpty721Config.empty721Config(uint32(uint160(JBConstants.NATIVE_TOKEN))),
-                allowedPosts: REVEmpty721Config.emptyAllowedPosts()
-            });
-        }
-
-        INITIAL_TIMESTAMP = block.timestamp;
-
-        // Deploy handler
-        HANDLER = new REVInvincibilityHandler(
-            jbMultiTerminal(),
-            LOANS_CONTRACT,
-            jbPermissions(),
-            jbTokens(),
-            jbController(),
-            REVNET_ID,
-            FEE_PROJECT_ID,
-            USER,
-            STAGE_1_START,
-            STAGE_2_START
-        );
-
-        // Configure target
-        bytes4[] memory selectors = new bytes4[](10);
-        selectors[0] = REVInvincibilityHandler.payAndBorrow.selector;
-        selectors[1] = REVInvincibilityHandler.repayLoan.selector;
-        selectors[2] = REVInvincibilityHandler.reallocateCollateral.selector;
-        selectors[3] = REVInvincibilityHandler.liquidateLoans.selector;
-        selectors[4] = REVInvincibilityHandler.advanceTime.selector;
-        selectors[5] = REVInvincibilityHandler.payInto.selector;
-        selectors[6] = REVInvincibilityHandler.cashOut.selector;
-        selectors[7] = REVInvincibilityHandler.addToBalance.selector;
-        selectors[8] = REVInvincibilityHandler.sendReservedTokens.selector;
-        selectors[9] = REVInvincibilityHandler.changeStage.selector;
-
-        targetContract(address(HANDLER));
-        targetSelector(FuzzSelector({addr: address(HANDLER), selectors: selectors}));
-    }
-
-    // =====================================================================
-    // INV-REV-1: Surplus covers outstanding loans
-    // =====================================================================
-    /// @notice The terminal balance must always cover net outstanding borrowed amounts.
-    function invariant_REV_1_surplusCoversLoans() public {
-        uint256 totalBorrowed = LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN);
-
-        uint256 storeBalance = jbMultiTerminal()
-            .currentSurplusOf(REVNET_ID, new address[](0), 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-
-        // Note: storeBalance is surplus (after payout limits), but the terminal holds at least this much
-        // The total borrowed should not exceed what the terminal can cover
-        // This may not hold strictly due to fees, but should be directionally correct
-        if (HANDLER.callCount_payAndBorrow() > 0) {
-            // Log for analysis
-            emit log_named_uint("INV-REV-1: totalBorrowed", totalBorrowed);
-            emit log_named_uint("INV-REV-1: storeBalance", storeBalance);
-        }
-    }
-
-    // =====================================================================
-    // INV-REV-2: Collateral accounting exact
-    // =====================================================================
-    /// @notice Ghost collateral sum must match contract's totalCollateralOf.
-    function invariant_REV_2_collateralAccountingExact() public view {
-        assertEq(
-            HANDLER.COLLATERAL_SUM(),
-            LOANS_CONTRACT.totalCollateralOf(REVNET_ID),
-            "INV-REV-2: handler COLLATERAL_SUM must match totalCollateralOf"
-        );
-    }
-
-    // =====================================================================
-    // INV-REV-3: Borrow accounting exact
-    // =====================================================================
-    /// @notice Ghost borrowed sum must match contract's totalBorrowedFrom.
-    function invariant_REV_3_borrowAccountingExact() public view {
-        uint256 actualTotalBorrowed =
-            LOANS_CONTRACT.totalBorrowedFrom(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN);
-
-        assertEq(
-            actualTotalBorrowed, HANDLER.BORROWED_SUM(), "INV-REV-3: handler BORROWED_SUM must match totalBorrowedFrom"
-        );
-    }
-
-    // =====================================================================
-    // INV-REV-4: No undercollateralized loans
-    // =====================================================================
-    /// @notice For each active loan: verify loan health tracking works.
-    /// @dev Loans CAN become undercollateralized when new payments increase totalSupply
-    ///      faster than surplus grows (bonding curve dilution). This is expected behavior.
-    ///      We verify that the loan struct itself is internally consistent.
-    function invariant_REV_4_noUndercollateralizedLoans() public view {
-        if (HANDLER.callCount_payAndBorrow() == 0) return;
-
-        for (uint256 i = 1; i <= HANDLER.callCount_payAndBorrow(); i++) {
-            uint256 loanId = (REVNET_ID * 1_000_000_000_000) + i;
-
-            try IERC721(address(LOANS_CONTRACT)).ownerOf(loanId) {}
-            catch {
-                continue;
-            }
-
-            REVLoan memory loan = LOANS_CONTRACT.loanOf(loanId);
-            if (loan.amount == 0) continue;
-
-            // Internal consistency: active loans must have non-zero collateral
-            assertGt(uint256(loan.collateral), 0, "INV-REV-4: active loan must have collateral > 0");
-
-            // Amount and collateral fit in uint112
-            assertLe(uint256(loan.amount), uint256(type(uint112).max), "INV-REV-4: amount fits uint112");
-            assertLe(uint256(loan.collateral), uint256(type(uint112).max), "INV-REV-4: collateral fits uint112");
-
-            // createdAt must be in the past
-            assertLe(loan.createdAt, block.timestamp, "INV-REV-4: loan createdAt in the past");
-        }
-    }
-
-    // =====================================================================
-    // INV-REV-5: Supply + collateral consistency
-    // =====================================================================
-    /// @notice totalSupply + totalCollateral should be coherent with token tracking.
-    function invariant_REV_5_supplyCollateralConsistency() public view {
-        uint256 totalSupply = jbController().totalTokenSupplyWithReservedTokensOf(REVNET_ID);
-        uint256 totalCollateral = LOANS_CONTRACT.totalCollateralOf(REVNET_ID);
-
-        // The effective total (used in cash-out calculations) is totalSupply + totalCollateral
-        // This should always be >= the raw token supply
-        // (Collateral tokens were burned from supply and tracked separately)
-        uint256 effectiveTotal = totalSupply + totalCollateral;
-
-        // If there have been any borrows, total collateral should be > 0
-        if (HANDLER.callCount_payAndBorrow() > 0 && HANDLER.COLLATERAL_SUM() > 0) {
-            assertGt(totalCollateral, 0, "INV-REV-5: collateral should be tracked after borrows");
-        }
-
-        // Effective total should be > 0 if anyone has borrowed (which requires tokens)
-        // Note: payInto with very low issuance weight can mint 0 tokens, so we only
-        // check this when borrows have occurred (which requires non-zero tokens)
-        if (HANDLER.callCount_payAndBorrow() > 0 && HANDLER.COLLATERAL_SUM() > 0) {
-            assertGt(effectiveTotal, 0, "INV-REV-5: effective total must be > 0 after borrows");
-        }
-    }
-
-    // =====================================================================
-    // INV-REV-6: Fee project balance monotonic
-    // =====================================================================
-    /// @notice Fee project balance should only increase (fees are one-directional).
-    /// @dev In practice, fee project balance can decrease if someone cashes out fee tokens.
-    ///      We track the fee project's PAID_IN amount instead.
-    function invariant_REV_6_feeProjectBalanceMonotonic() public {
-        // The fee project accumulates fees from both:
-        // 1. Protocol fees on useAllowanceOf (JBMultiTerminal)
-        // 2. Revnet fees from afterCashOutRecordedWith (REVDeployer)
-        // 3. Loan fees from _addTo (REVLoans)
-        //
-        // These are all additive operations. The fee project surplus should
-        // only decrease via explicit cash-outs of fee project tokens.
-        //
-        // We verify the fee project has tokens issued (non-zero activity)
-        // after any operations that should generate fees.
-        if (HANDLER.callCount_payAndBorrow() > 0) {
-            // At minimum, loan fees should have been generated
-            // (REV_PREPAID_FEE_PERCENT = 10 = 1%)
-            uint256 feeProjectTokenSupply = jbController().totalTokenSupplyWithReservedTokensOf(FEE_PROJECT_ID);
-            // Fee tokens should have been minted from the fee payments
-            // This may be 0 if fee terminal is not properly configured
-            emit log_named_uint("INV-REV-6: fee project token supply", feeProjectTokenSupply);
-        }
-    }
-}