@rev-net/core-v6 0.0.4 → 0.0.6

package/test/REVAutoIssuanceFuzz.t.sol

@@ -29,7 +29,7 @@ import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/
 
 /// @notice Fuzz tests for REVDeployer multi-stage auto-issuance.
 /// Tests stage ID computation consistency and multi-stage claiming behavior.
-/// Related to H-5: stage IDs use block.timestamp + i which may mismatch actual ruleset IDs.
+/// Stage IDs use block.timestamp + i which may mismatch actual ruleset IDs.
 contract REVAutoIssuanceFuzz_Local is TestBaseWorkflow, JBTest {
     bytes32 REV_DEPLOYER_SALT = "REVDeployer";
 
@@ -245,13 +245,13 @@ contract REVAutoIssuanceFuzz_Local is TestBaseWorkflow, JBTest {
         REV_DEPLOYER.autoIssueFor(revnetId, stageIds[1], multisig());
     }
 
-    // ───────────────── H-5: Stage ID vs Ruleset ID comparison
+    // ───────────────── Stage ID vs Ruleset ID comparison
     // ─────────────────────
 
-    /// @notice H-5 EXPLORATION: Compare stored stageIds with actual ruleset IDs.
+    /// @notice Compare stored stageIds with actual ruleset IDs.
     /// Stage IDs use block.timestamp + i during deployment.
     /// If actual ruleset IDs differ (e.g., on cross-chain deployment), auto-issuance breaks.
-    function test_H5_stageId_vs_rulesetId_comparison() external {
+    function test_stageId_vs_rulesetId_comparison() external {
         (uint256 revnetId, uint256[] memory stageIds) = _deployMultiStageRevnet(3);
 
         // Get the actual rulesets from the controller.
@@ -263,7 +263,7 @@ contract REVAutoIssuanceFuzz_Local is TestBaseWorkflow, JBTest {
         // For stage 1, the stored key is block.timestamp + 1.
         // The actual ruleset ID depends on when JBRulesets creates it.
         // If the ruleset hasn't started yet, getRulesetOf will use the queued ruleset.
-        // This is where H-5 manifests: the actual ID may differ from block.timestamp + 1.
+        // The actual ID may differ from block.timestamp + 1.
         uint256 stage1StoredKey = stageIds[1]; // block.timestamp + 1
         uint256 storedAmount = REV_DEPLOYER.amountToAutoIssue(revnetId, stage1StoredKey, multisig());
         assertGt(storedAmount, 0, "Auto-issuance stored at block.timestamp + 1");

package/test/REVDeployerAuditRegressions.t.sol

@@ -28,8 +28,8 @@ import {JB721TiersHookStore} from "@bananapus/721-hook-v6/src/JB721TiersHookStor
 import {JBAddressRegistry} from "@bananapus/address-registry-v6/src/JBAddressRegistry.sol";
 import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/IJBAddressRegistry.sol";
 
-/// @notice Audit regression tests for REVDeployer findings C-2, C-4, and H-5.
-contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
+/// @notice Regression tests for REVDeployer.
+contract REVDeployerRegressions_Local is TestBaseWorkflow, JBTest {
     using JBRulesetMetadataResolver for JBRuleset;
 
     bytes32 REV_DEPLOYER_SALT = "REVDeployer";
@@ -87,13 +87,13 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
     }
 
     //*********************************************************************//
-    // --- [C-2] REVDeployer.beforePayRecordedWith Array OOB Regression - //
+    // --- REVDeployer.beforePayRecordedWith Array OOB Regression ------- //
     //*********************************************************************//
 
-    /// @notice Tests that the C-2 array OOB pattern manifests when only buybackHook is present.
+    /// @notice Tests that the array OOB pattern manifests when only buybackHook is present.
     /// @dev REVDeployer line 258: hookSpecifications[1] = buybackHookSpecifications[0]
     ///      always writes to index [1], even when the array has size 1 (no tiered721Hook).
-    function test_C2_arrayOOB_onlyBuybackHook() public pure {
+    function test_arrayOOB_onlyBuybackHook() public pure {
         // Simulate: usesTiered721Hook=false, usesBuybackHook=true
         bool usesTiered721Hook = false;
         bool usesBuybackHook = true;
@@ -107,18 +107,18 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
         // Index [1] WOULD be written by the bug, but that's OOB
         // Verify the pattern: writing to index 1 of a size-1 array should revert
         bool wouldRevert = (!usesTiered721Hook && usesBuybackHook);
-        assertTrue(wouldRevert, "C-2: this combination triggers the OOB bug");
+        assertTrue(wouldRevert, "this combination triggers the OOB bug");
 
         // Verify the safe index: the buyback hook should go at index 0 when no tiered hook
         uint256 correctIndex = usesTiered721Hook ? 1 : 0;
-        assertEq(correctIndex, 0, "C-2 FIX: buyback hook should use index 0 when no tiered hook");
+        assertEq(correctIndex, 0, "buyback hook should use index 0 when no tiered hook");
 
         // Write to the correct index (no revert)
         specs[correctIndex] = JBPayHookSpecification({hook: IJBPayHook(address(0xbeef)), amount: 1 ether, metadata: ""});
     }
 
     /// @notice Verify both hooks present works fine (no OOB).
-    function test_C2_noOOB_bothHooksPresent() public pure {
+    function test_noOOB_bothHooksPresent() public pure {
         bool usesTiered721Hook = true;
         bool usesBuybackHook = true;
 
@@ -131,13 +131,13 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
     }
 
     //*********************************************************************//
-    // --- [C-4] hasMintPermissionFor returns false for random addresses - //
+    // --- hasMintPermissionFor returns false for random addresses ------- //
     //*********************************************************************//
 
     /// @notice Tests that calling hasMintPermissionFor returns false for random addresses.
     /// @dev With the buyback hook removed, hasMintPermissionFor should return false
     ///      for addresses that are not the loans contract or a sucker.
-    function test_C4_hasMintPermissionFor_noBuybackHook() public {
+    function test_hasMintPermissionFor_noBuybackHook() public {
         // Deploy a revnet WITHOUT a buyback hook
         JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
         accountingContextsToAccept[0] = JBAccountingContext({
@@ -191,17 +191,17 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
         // With buyback hook removed, hasMintPermissionFor should return false
         // for addresses that are not the loans contract or a sucker.
         bool hasPerm = REV_DEPLOYER.hasMintPermissionFor(revnetId, currentRuleset, someRandomAddr);
-        assertFalse(hasPerm, "C-4: random address should not have mint permission");
+        assertFalse(hasPerm, "random address should not have mint permission");
     }
 
     //*********************************************************************//
-    // --- [H-5] Auto-Issuance Stage ID Mismatch ----------------------- //
+    // --- Auto-Issuance Stage ID Mismatch ------------------------------ //
     //*********************************************************************//
 
     /// @notice Tests that auto-issuance stage IDs are computed correctly for multi-stage revnets.
-    /// @dev H-5: The stage ID is computed as `block.timestamp + i` which only works if stages
+    /// @dev The stage ID is computed as `block.timestamp + i` which only works if stages
     ///      are deployed in a specific order at a specific time.
-    function test_H5_autoIssuanceStageIdMismatch() public {
+    function test_autoIssuanceStageIdMismatch() public {
         JBAccountingContext[] memory accountingContextsToAccept = new JBAccountingContext[](1);
         accountingContextsToAccept[0] = JBAccountingContext({
             token: JBConstants.NATIVE_TOKEN, decimals: 18, currency: uint32(uint160(JBConstants.NATIVE_TOKEN))
@@ -241,7 +241,7 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
             });
         }
 
-        // Stage 1: also has auto-issuance — this is where H-5 manifests
+        // Stage 1: also has auto-issuance — this is where the mismatch manifests
         {
             REVAutoIssuance[] memory issuanceConfs = new REVAutoIssuance[](1);
             issuanceConfs[0] = REVAutoIssuance({
@@ -294,7 +294,7 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
         // Verify the revnet was deployed
         assertGt(revnetId, 0, "revnet should be deployed");
 
-        // The H-5 bug: auto-issuance for stage 1 is stored at key (block.timestamp + 1),
+        // The bug: auto-issuance for stage 1 is stored at key (block.timestamp + 1),
         // but the actual ruleset ID for stage 1 is the timestamp when that stage's ruleset
         // was queued. These may not match.
         // We verify the auto-issuance amounts are stored and can be queried.
@@ -303,12 +303,12 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
         // Stage 0 auto-issuance should be stored at block.timestamp
         assertEq(stage0Amount, 50_000 * decimalMultiplier, "Stage 0 auto-issuance should be stored at block.timestamp");
 
-        // Stage 1 auto-issuance is stored at (block.timestamp + 1) per H-5
+        // Stage 1 auto-issuance is stored at (block.timestamp + 1)
         uint256 stage1Amount = REV_DEPLOYER.amountToAutoIssue(revnetId, block.timestamp + 1, multisig());
         assertEq(
             stage1Amount,
             30_000 * decimalMultiplier,
-            "H-5: Stage 1 auto-issuance stored at block.timestamp + 1 (may not match ruleset ID)"
+            "Stage 1 auto-issuance stored at block.timestamp + 1 (may not match ruleset ID)"
         );
 
         // Now check the actual ruleset IDs to demonstrate the mismatch
@@ -316,12 +316,12 @@ contract REVDeployerAuditRegressions_Local is TestBaseWorkflow, JBTest {
         if (rulesets.length >= 2) {
             uint256 actualStage1RulesetId = rulesets[1].id;
 
-            // The H-5 mismatch: the storage key (block.timestamp + 1) likely != the actual ruleset ID
+            // The mismatch: the storage key (block.timestamp + 1) likely != the actual ruleset ID
             // If they don't match, auto-issuance tokens for stage 1 become unclaimable
             if (actualStage1RulesetId != block.timestamp + 1) {
                 // Verify the amount at the ACTUAL ruleset ID is 0 (the mismatch)
                 uint256 amountAtActualId = REV_DEPLOYER.amountToAutoIssue(revnetId, actualStage1RulesetId, multisig());
-                assertEq(amountAtActualId, 0, "H-5 CONFIRMED: auto-issuance at actual ruleset ID is 0 (mismatch)");
+                assertEq(amountAtActualId, 0, "auto-issuance at actual ruleset ID is 0 (mismatch)");
             }
         }
     }

package/test/REVInvincibility.t.sol

@@ -51,9 +51,9 @@ struct InvincibilityProjectConfig {
 }
 
 // =========================================================================
-// Section A + B: Fix Verification & Economic Attack Tests
+// Section A + B: Property Verification & Economic Tests
 // =========================================================================
-contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
+contract REVInvincibility_PropertyTests is TestBaseWorkflow, JBTest {
     using JBRulesetMetadataResolver for JBRuleset;
 
     bytes32 REV_DEPLOYER_SALT = "REVDeployer";
@@ -285,21 +285,21 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
     }
 
     // =====================================================================
-    // SECTION A: Critical Fix Verification (8 tests)
+    // SECTION A: Critical Property Verification (8 tests)
     // =====================================================================
 
-    /// @notice C-1: Borrow with collateral > uint112.max silently truncates loan.amount.
+    /// @notice Borrow with collateral > uint112.max silently truncates loan.amount.
     /// @dev Verifies the truncation pattern: uint112(overflowValue) wraps.
-    function test_fixVerify_C1_uint112Truncation() public {
+    function test_fixVerify_uint112Truncation() public {
         // Prove the truncation math: uint112(max+1) wraps to 0
         uint256 overflowValue = uint256(type(uint112).max) + 1;
         uint112 truncated = uint112(overflowValue);
-        assertEq(truncated, 0, "C-1: uint112 truncation wraps max+1 to 0");
+        assertEq(truncated, 0, "uint112 truncation wraps max+1 to 0");
 
         // Prove a more realistic overflow: max + 1000 wraps to 999
         uint256 slightlyOver = uint256(type(uint112).max) + 1000;
         truncated = uint112(slightlyOver);
-        assertEq(truncated, 999, "C-1: uint112 truncation wraps to low bits");
+        assertEq(truncated, 999, "uint112 truncation wraps to low bits");
 
         // Verify normal operation stays within bounds
         uint256 payAmount = 100e18;
@@ -309,35 +309,35 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
 
         uint256 borrowable =
             LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
-        assertLt(borrowable, type(uint112).max, "C-1: normal borrowable within uint112");
-        assertLt(tokens, type(uint112).max, "C-1: normal token count within uint112");
+        assertLt(borrowable, type(uint112).max, "normal borrowable within uint112");
+        assertLt(tokens, type(uint112).max, "normal token count within uint112");
     }
 
-    /// @notice C-2: Array OOB when only buyback hook present (no tiered721Hook).
+    /// @notice Array OOB when only buyback hook present (no tiered721Hook).
     /// @dev hookSpecifications[1] is written but array size is 1.
-    function test_fixVerify_C2_arrayOOB_noBuybackWithBuyback() public pure {
+    function test_fixVerify_arrayOOB_noBuybackWithBuyback() public pure {
         bool usesTiered721Hook = false;
         bool usesBuybackHook = true;
 
         uint256 arraySize = (usesTiered721Hook ? 1 : 0) + (usesBuybackHook ? 1 : 0);
-        assertEq(arraySize, 1, "C-2: array size is 1");
+        assertEq(arraySize, 1, "array size is 1");
 
         // The bug: code writes to hookSpecifications[1] (OOB for size-1 array)
         // The fix: should write to index 0 when no tiered721Hook
         bool wouldOOB = (!usesTiered721Hook && usesBuybackHook);
-        assertTrue(wouldOOB, "C-2: this config triggers the OOB write at index [1]");
+        assertTrue(wouldOOB, "this config triggers the OOB write at index [1]");
 
         uint256 correctIndex = usesTiered721Hook ? 1 : 0;
-        assertEq(correctIndex, 0, "C-2 FIX: buyback hook should use index 0");
+        assertEq(correctIndex, 0, "buyback hook should use index 0");
 
         // Verify safe write
         JBPayHookSpecification[] memory specs = new JBPayHookSpecification[](arraySize);
         specs[correctIndex] = JBPayHookSpecification({hook: IJBPayHook(address(0xbeef)), amount: 1 ether, metadata: ""});
     }
 
-    /// @notice C-3: Reentrancy — _adjust calls terminal.pay() BEFORE writing loan state.
+    /// @notice Reentrancy — _adjust calls terminal.pay() BEFORE writing loan state.
     /// @dev Lines 910 (external call) vs 922-923 (state writes). CEI violation.
-    function test_fixVerify_C3_reentrancyDoubleBorrow() public {
+    function test_fixVerify_reentrancyDoubleBorrow() public {
         // Create a legitimate loan to confirm the system works
         uint256 payAmount = 10e18;
         vm.prank(USER);
@@ -366,25 +366,25 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         // (We can't actually execute the attack through real contracts because
         // the fee terminal is the legitimate JBMultiTerminal, but the pattern
         // is confirmed by code inspection)
-        assertTrue(true, "C-3: CEI violation confirmed at lines 910 vs 922-923");
+        assertTrue(true, "CEI pattern verified at lines 910 vs 922-923");
     }
 
-    /// @notice C-4: hasMintPermissionFor returns false for random addresses.
+    /// @notice hasMintPermissionFor returns false for random addresses.
     /// @dev With the buyback hook removed, hasMintPermissionFor should return false
     ///      for addresses that are not the loans contract or a sucker.
-    function test_fixVerify_C4_hasMintPermission_noBuyback() public {
+    function test_fixVerify_hasMintPermission_noBuyback() public {
         // The fee project was deployed without buyback hook in our setup
         JBRuleset memory currentRuleset = jbRulesets().currentOf(FEE_PROJECT_ID);
 
         // hasMintPermissionFor should return false for random addresses
         address randomAddr = address(0x12345);
         bool hasPerm = REV_DEPLOYER.hasMintPermissionFor(FEE_PROJECT_ID, currentRuleset, randomAddr);
-        assertFalse(hasPerm, "C-4: random address should not have mint permission");
+        assertFalse(hasPerm, "random address should not have mint permission");
     }
 
-    /// @notice C-5: Zero-supply cash out no longer drains surplus (fixed in v6).
+    /// @notice Zero-supply cash out no longer drains surplus (fixed in v6).
     /// @dev JBCashOuts.cashOutFrom now returns 0 when cashOutCount == 0.
-    function test_fixVerify_C5_zeroSupplyCashOutDrain() public pure {
+    function test_fixVerify_zeroSupplyCashOutDrain() public pure {
         uint256 surplus = 100e18;
         uint256 cashOutCount = 0;
         uint256 totalSupply = 0;
@@ -393,17 +393,17 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         uint256 reclaimable = JBCashOuts.cashOutFrom(surplus, cashOutCount, totalSupply, cashOutTaxRate);
 
         // Fixed in v6: cashing out 0 tokens always returns 0
-        assertEq(reclaimable, 0, "C-5 fixed: zero cash out returns nothing");
+        assertEq(reclaimable, 0, "zero cash out returns nothing");
 
         // Normal case: with supply, cashing out 0 still returns 0
         uint256 normalReclaimable = JBCashOuts.cashOutFrom(surplus, 0, 1000e18, cashOutTaxRate);
         assertEq(normalReclaimable, 0, "Normal: cashing out 0 of non-zero supply returns 0");
     }
 
-    /// @notice H-2: Broken fee terminal + broken addToBalanceOf fallback bricks cash-outs.
+    /// @notice Broken fee terminal + broken addToBalanceOf fallback bricks cash-outs.
     /// @dev afterCashOutRecordedWith: try feeTerminal.pay() catch { addToBalanceOf() }
     ///      If BOTH revert, the entire cash-out transaction reverts.
-    function test_fixVerify_H2_brokenFeeTerminalBricksCashOuts() public {
+    function test_fixVerify_brokenFeeTerminalBricksCashOuts() public {
         BrokenFeeTerminal brokenTerminal = new BrokenFeeTerminal();
 
         // The vulnerability pattern:
@@ -429,10 +429,10 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         brokenTerminal.addToBalanceOf(0, address(0), 0, false, "", "");
     }
 
-    /// @notice H-5: Auto-issuance stored at block.timestamp+i, not actual ruleset IDs.
+    /// @notice Auto-issuance stored at block.timestamp+i, not actual ruleset IDs.
     /// @dev _makeRulesetConfigurations stores at block.timestamp+i but autoIssueFor
     ///      queries by actual ruleset ID. If they mismatch, tokens are unclaimable.
-    function test_fixVerify_H5_autoIssuanceStageIdMismatch() public {
+    function test_fixVerify_autoIssuanceStageIdMismatch() public {
         // Deploy a multi-stage revnet with auto-issuance on multiple stages
         JBAccountingContext[] memory ctx = new JBAccountingContext[](1);
         ctx[0] = JBAccountingContext({
@@ -495,13 +495,13 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
 
         // Stage 0 auto-issuance stored at block.timestamp
         uint256 stage0Amount = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, block.timestamp, multisig());
-        assertEq(stage0Amount, 50_000e18, "H-5: Stage 0 auto-issuance stored at block.timestamp");
+        assertEq(stage0Amount, 50_000e18, "Stage 0 auto-issuance stored at block.timestamp");
 
-        // Stage 1 auto-issuance stored at block.timestamp + 1 (the H-5 bug)
+        // Stage 1 auto-issuance stored at block.timestamp + 1 (the stage ID mismatch bug)
         uint256 stage1Amount = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, block.timestamp + 1, multisig());
-        assertEq(stage1Amount, 30_000e18, "H-5: Stage 1 auto-issuance stored at block.timestamp + 1");
+        assertEq(stage1Amount, 30_000e18, "Stage 1 auto-issuance stored at block.timestamp + 1");
 
-        // The H-5 bug: stages are stored at (block.timestamp + i), not at the actual ruleset IDs.
+        // The bug: stages are stored at (block.timestamp + i), not at the actual ruleset IDs.
         // In the test environment, stages queued in the same block happen to have sequential IDs
         // (block.timestamp, block.timestamp+1), so the storage keys coincidentally match.
         // However, if deployment happens at a different time than block.timestamp, or if stages
@@ -515,20 +515,20 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         // Document the storage keys used vs what autoIssueFor expects
         // autoIssueFor calls with the CURRENT ruleset's ID (from currentOf).
         // If the ruleset ID != block.timestamp+i, the amount at that key is 0.
-        emit log_named_uint("H-5: Storage key for stage 1", block.timestamp + 1);
-        emit log_named_uint("H-5: Actual ruleset[0].id (most recent)", rulesets[0].id);
-        emit log_named_uint("H-5: Actual ruleset[1].id (first)", rulesets[1].id);
+        emit log_named_uint("Storage key for stage 1", block.timestamp + 1);
+        emit log_named_uint("Actual ruleset[0].id (most recent)", rulesets[0].id);
+        emit log_named_uint("Actual ruleset[1].id (first)", rulesets[1].id);
 
         // The fragility: stage 1 issuance is ONLY accessible at (block.timestamp + 1).
         // Any other key returns 0.
         uint256 wrongKey = block.timestamp + 100;
         uint256 amountAtWrongKey = REV_DEPLOYER.amountToAutoIssue(h5RevnetId, wrongKey, multisig());
-        assertEq(amountAtWrongKey, 0, "H-5: auto-issuance unreachable at wrong key");
+        assertEq(amountAtWrongKey, 0, "auto-issuance unreachable at wrong key");
     }
 
-    /// @notice H-6: Unvalidated source terminal — unbounded _loanSourcesOf array growth.
+    /// @notice Unvalidated source terminal — unbounded _loanSourcesOf array growth.
     /// @dev borrowFrom accepts any terminal in REVLoanSource without validation.
-    function test_fixVerify_H6_unvalidatedSourceTerminal() public {
+    function test_fixVerify_unvalidatedSourceTerminal() public {
         // The vulnerability: REVLoans._addTo (line 788-791) registers ANY terminal
         // as a loan source without validating it's an actual project terminal:
         //   if (!isLoanSourceOf[revnetId][loan.source.terminal][loan.source.token]) {
@@ -555,12 +555,12 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         assertEq(sourcesAfter.length, 1, "One loan source registered after first borrow");
         assertEq(address(sourcesAfter[0].terminal), address(jbMultiTerminal()), "Source should be multi terminal");
 
-        // H-6: The vulnerability is that _addTo registers ANY terminal passed in REVLoanSource.
+        // The vulnerability is that _addTo registers ANY terminal passed in REVLoanSource.
         // There's no validation that the terminal is actually a terminal for the project.
         // This means an attacker could register fake terminals, growing the array unboundedly.
         assertTrue(
             LOANS_CONTRACT.isLoanSourceOf(REVNET_ID, jbMultiTerminal(), JBConstants.NATIVE_TOKEN),
-            "H-6: source registered without terminal validation"
+            "source registered without terminal validation"
         );
     }
 
@@ -674,7 +674,7 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
     }
 
     /// @notice Flash loan surplus inflation: addToBalance → borrow at inflated rate.
-    /// @dev M-11: surplus is read live, so an addToBalance before borrow inflates it.
+    /// @dev Surplus is read live, so an addToBalance before borrow inflates it.
     function test_econ_flashLoanSurplusInflation() public {
         // Step 1: Pay to get tokens
         uint256 payAmount = 5e18;
@@ -694,14 +694,14 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         uint256 borrowableAfter =
             LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
 
-        // M-11: The borrowable amount increases because surplus grew but totalSupply didn't
-        assertTrue(borrowableAfter > borrowableBefore, "M-11: surplus inflation increases borrowable amount");
+        // The borrowable amount increases because surplus grew but totalSupply didn't
+        assertTrue(borrowableAfter > borrowableBefore, "surplus inflation increases borrowable amount");
 
         // Quantify the inflation factor
         if (borrowableBefore > 0) {
             uint256 inflationFactor = mulDiv(borrowableAfter, 1e18, borrowableBefore);
-            assertTrue(inflationFactor > 1e18, "M-11: inflation factor > 1x");
-            emit log_named_uint("M-11 inflation factor (1e18=1x)", inflationFactor);
+            assertTrue(inflationFactor > 1e18, "inflation factor > 1x");
+            emit log_named_uint("inflation factor (1e18=1x)", inflationFactor);
         }
     }
 
@@ -858,11 +858,11 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
         }
     }
 
-    /// @notice H-1: Double fee — REVDeployer not registered as feeless.
+    /// @notice Double fee — REVDeployer not registered as feeless.
     /// @dev Cash-out fee goes to REVDeployer (afterCashOutRecordedWith) which pays fee terminal.
     ///      But the JBMultiTerminal's useAllowanceOf already took a protocol fee,
     ///      so the fee payment to the fee terminal is a second fee on the same funds.
-    function test_econ_doubleFeeH1() public {
+    function test_econ_doubleFee() public {
         // Pay into revnet
         vm.prank(USER);
         uint256 tokens =
@@ -896,7 +896,7 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
             }) returns (
             uint256 reclaimAmount
         ) {
-            // The H-1 double fee means the fee project gets more than expected
+            // The double fee means the fee project gets more than expected
             // because both the terminal fee AND the revnet fee route to it
             uint256 feeBalanceAfter;
             {
@@ -914,7 +914,7 @@ contract REVInvincibility_FixVerify is TestBaseWorkflow, JBTest {
             emit log_named_uint("Reclaim amount", reclaimAmount);
         } catch {
             // Cash out may fail (e.g., if fee terminal isn't set up) — document the failure
-            emit log("H-1: Cash-out reverted (may be due to fee terminal setup)");
+            emit log("Cash-out reverted (may be due to fee terminal setup)");
         }
     }
 }

package/test/REVLoans.invariants.t.sol

@@ -583,7 +583,7 @@ contract InvariantREVLoansTests is StdInvariant, TestBaseWorkflow, JBTest {
         return LOANS_CONTRACT.totalBorrowedFrom(_revnetId, jbMultiTerminal(), JBConstants.NATIVE_TOKEN);
     }
 
-    /// @notice INV-RL-3: loan.amount <= type(uint112).max for all active loans (C-1 regression).
+    /// @notice INV-RL-3: loan.amount <= type(uint112).max for all active loans.
     /// @dev Verifies that no loan amount exceeds the uint112 storage boundary.
     function invariant_C_LoanAmountFitsUint112() public view {
         if (PAY_HANDLER.RUNS() == 0) return;

package/test/REVLoansAttacks.t.sol

@@ -35,7 +35,7 @@ import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 
 /// @notice A malicious terminal that re-enters REVLoans during fee payment in _adjust().
-/// @dev Used to prove C-3: reentrancy during pay() callback in _adjust.
+/// @dev Reentrancy during pay() callback in _adjust.
 contract ReentrantTerminal is ERC165, IJBPayoutTerminal {
     IREVLoans public loans;
     uint256 public revnetId;
@@ -174,7 +174,7 @@ struct AttackProjectConfig {
 }
 
 /// @title REVLoansAttacks
-/// @notice Attack tests for REVLoans covering C-1 uint112 truncation, C-3 reentrancy,
+/// @notice Attack tests for REVLoans covering uint112 truncation, reentrancy,
 ///         collateral race conditions, liquidation edge cases, and fuzz testing.
 contract REVLoansAttacks is TestBaseWorkflow, JBTest {
     bytes32 REV_DEPLOYER_SALT = "REVDeployer";
@@ -412,10 +412,10 @@ contract REVLoansAttacks is TestBaseWorkflow, JBTest {
     }
 
     // =========================================================================
-    // C-1: uint112 truncation — loan amount silently wraps
+    // uint112 truncation — loan amount silently wraps
     // =========================================================================
     /// @notice Verify that borrowing an amount > uint112.max is properly handled.
-    /// @dev C-1: The _adjust function casts newBorrowAmount to uint112 without overflow checks.
+    /// @dev The _adjust function casts newBorrowAmount to uint112 without overflow checks.
     ///      If borrowAmount exceeds uint112.max, it silently truncates. This test verifies the behavior.
     function test_uint112Truncation_loanAmountSilentlyTruncates() public {
         // uint112.max = 5192296858534827628530496329220095
@@ -449,10 +449,10 @@ contract REVLoansAttacks is TestBaseWorkflow, JBTest {
     }
 
     // =========================================================================
-    // C-1 variant: collateral > uint112.max wraps
+    // collateral > uint112.max wraps
     // =========================================================================
     /// @notice Verify that collateral > uint112.max would be truncated in the loan struct.
-    /// @dev C-1 variant: loan.collateral = uint112(newCollateralCount) truncates silently.
+    /// @dev loan.collateral = uint112(newCollateralCount) truncates silently.
     function test_uint112Truncation_collateralTruncates() public {
         // Verify the truncation math
         uint256 maxCollateral = type(uint112).max;
@@ -476,10 +476,10 @@ contract REVLoansAttacks is TestBaseWorkflow, JBTest {
     }
 
     // =========================================================================
-    // C-3: reentrancy — _adjust calls terminal.pay() which could re-enter
+    // reentrancy — _adjust calls terminal.pay() which could re-enter
     // =========================================================================
     /// @notice Verify that reentrancy during _adjust's fee payment is handled.
-    /// @dev C-3: The _adjust function calls loan.source.terminal.pay() to pay fees.
+    /// @dev The _adjust function calls loan.source.terminal.pay() to pay fees.
     ///      A malicious terminal could use this callback to re-enter borrowFrom().
     ///      Since Solidity 0.8.23 doesn't have native reentrancy guards on REVLoans,
     ///      the state (loan.amount, loan.collateral) is written AFTER the external call.
@@ -508,14 +508,14 @@ contract REVLoansAttacks is TestBaseWorkflow, JBTest {
         // This is a checks-effects-interactions violation.
         // The loan amount and collateral are read from storage during _borrowAmountFrom,
         // so a re-entrant call would see stale values.
-        assertTrue(true, "C-3: reentrancy window confirmed between terminal.pay() and state writes");
+        assertTrue(true, "reentrancy window confirmed between terminal.pay() and state writes");
     }
 
     // =========================================================================
-    // C-3 variant: re-enter repayLoan during fee payment
+    // re-enter repayLoan during fee payment
     // =========================================================================
     /// @notice Verify that reentering repayLoan during _adjust's fee payment is handled.
-    /// @dev C-3 variant: malicious terminal calls repayLoan() during fee payment.
+    /// @dev Malicious terminal calls repayLoan() during fee payment.
     function test_reentrancy_adjustRepayReenter() public {
         // Similar to above, but the re-entrant call targets repayLoan instead of borrowFrom.
         // The concern is that during _adjust → terminal.pay(), a call to repayLoan

package/test/REVLoansAuditRegressions.t.sol

@@ -32,7 +32,7 @@ import {IJBAddressRegistry} from "@bananapus/address-registry-v6/src/interfaces/
 import {ERC165} from "@openzeppelin/contracts/utils/introspection/ERC165.sol";
 
 /// @notice A fake terminal that tracks whether useAllowanceOf was called.
-/// @dev Used to prove H-6: REVLoans.borrowFrom does not validate source terminal registration.
+/// @dev REVLoans.borrowFrom does not validate source terminal registration.
 contract FakeTerminal is ERC165, IJBPayoutTerminal {
     bool public useAllowanceCalled;
     uint256 public lastProjectId;
@@ -128,8 +128,8 @@ contract FakeTerminal is ERC165, IJBPayoutTerminal {
     }
 }
 
-/// @notice Audit regression tests for REVLoans finding H-6: Unvalidated Source Terminal.
-contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
+/// @notice Regression tests for REVLoans unvalidated source terminal.
+contract REVLoansRegressions_Local is TestBaseWorkflow, JBTest {
     bytes32 REV_DEPLOYER_SALT = "REVDeployer";
     bytes32 ERC20_SALT = "REV_TOKEN";
 
@@ -239,14 +239,14 @@ contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
     }
 
     //*********************************************************************//
-    // --- [H-6] Unvalidated Source Terminal in REVLoans ---------------- //
+    // --- Unvalidated Source Terminal in REVLoans ---------------------- //
     //*********************************************************************//
 
-    /// @notice Demonstrates H-6: borrowFrom accepts any terminal without validating
+    /// @notice Demonstrates that borrowFrom accepts any terminal without validating
     ///         it is registered in the JBDirectory for the project.
-    /// @dev The fake terminal's useAllowanceOf is called, proving no directory check occurs.
+    /// @dev The fake terminal's useAllowanceOf is called, showing no directory check occurs.
     ///      In production, a malicious terminal could return fake amounts or misroute funds.
-    function test_H6_unvalidatedSourceTerminal() public {
+    function test_unvalidatedSourceTerminal() public {
         // Step 1: User pays into the revnet to get tokens (collateral)
         vm.prank(USER);
         uint256 tokens = jbMultiTerminal().pay{value: 1e18}(REVNET_ID, JBConstants.NATIVE_TOKEN, 1e18, USER, 0, "", "");
@@ -266,7 +266,7 @@ contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
         assertFalse(found, "fake terminal should NOT be in the directory");
 
         // Step 3: Try to borrow using the fake terminal as the source
-        // H-6 vulnerability: REVLoans.borrowFrom does NOT check if the terminal
+        // Vulnerability: REVLoans.borrowFrom does NOT check if the terminal
         // is registered in the directory before calling useAllowanceOf on it.
         REVLoanSource memory fakeSource =
             REVLoanSource({token: JBConstants.NATIVE_TOKEN, terminal: IJBPayoutTerminal(address(fakeTerminal))});
@@ -275,7 +275,7 @@ contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
             LOANS_CONTRACT.borrowableAmountFrom(REVNET_ID, tokens, 18, uint32(uint160(JBConstants.NATIVE_TOKEN)));
         assertGt(borrowable, 0, "should have borrowable amount");
 
-        // H-6 PROOF: Use vm.expectCall to prove the fake terminal's useAllowanceOf
+        // Use vm.expectCall to verify the fake terminal's useAllowanceOf
         // is called. This works even if the outer call reverts, because expectCall
         // records the call was made regardless.
         // The code calls accountingContextForTokenOf first, then useAllowanceOf.
@@ -287,7 +287,7 @@ contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
         );
         vm.expectCall(address(fakeTerminal), abi.encodeWithSelector(IJBPayoutTerminal.useAllowanceOf.selector));
 
-        // The borrow will reach the fake terminal (proving no validation),
+        // The borrow will reach the fake terminal (showing no validation),
         // but will revert downstream when trying to transfer 0 - fees (underflow).
         vm.prank(USER);
         vm.expectRevert();
@@ -296,11 +296,11 @@ contract REVLoansAuditRegressions_Local is TestBaseWorkflow, JBTest {
         // If we reach here, both vm.expectCall checks passed:
         // 1. accountingContextForTokenOf was called on the fake terminal
         // 2. useAllowanceOf was called on the fake terminal
-        // This proves H-6: no directory validation before calling the source terminal
+        // This shows no directory validation before calling the source terminal
     }
 
     /// @notice Verify that the configured loan source (real terminal) is properly registered.
-    function test_H6_configuredSourceIsRegistered() public {
+    function test_configuredSourceIsRegistered() public {
         // The real terminal should be in the directory
         IJBTerminal[] memory terminals = jbDirectory().terminalsOf(REVNET_ID);
         bool found = false;

package/test/REVLoansSourced.t.sol

@@ -831,7 +831,7 @@ contract REVLoansSourcedTests is TestBaseWorkflow, JBTest {
 
         uint256 amountDiff = borrowableFromNewCollateral > loan.amount ? 0 : loan.amount - borrowableFromNewCollateral;
 
-        // Skip fuzz runs where both repay amount and collateral return are zero (M-27 fix rejects these).
+        // Skip fuzz runs where both repay amount and collateral return are zero.
         vm.assume(amountDiff > 0 || collateralReturned > 0);
 
         uint256 maxAmountPaidDown = loan.amount;