@bananapus/suckers-v6 0.0.1

package/src/JBArbitrumSucker.sol

@@ -0,0 +1,311 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.23;
+
+import {IBridge} from "@arbitrum/nitro-contracts/src/bridge/IBridge.sol";
+import {IInbox} from "@arbitrum/nitro-contracts/src/bridge/IInbox.sol";
+import {IOutbox} from "@arbitrum/nitro-contracts/src/bridge/IOutbox.sol";
+import {AddressAliasHelper} from "@arbitrum/nitro-contracts/src/libraries/AddressAliasHelper.sol";
+import {ArbSys} from "@arbitrum/nitro-contracts/src/precompiles/ArbSys.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBTokens} from "@bananapus/core-v6/src/interfaces/IJBTokens.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import {BitMaps} from "@openzeppelin/contracts/utils/structs/BitMaps.sol";
+
+import {JBSucker} from "./JBSucker.sol";
+import {JBArbitrumSuckerDeployer} from "./deployers/JBArbitrumSuckerDeployer.sol";
+import {JBAddToBalanceMode} from "./enums/JBAddToBalanceMode.sol";
+import {JBLayer} from "./enums/JBLayer.sol";
+import {IArbGatewayRouter} from "./interfaces/IArbGatewayRouter.sol";
+import {IArbL1GatewayRouter} from "./interfaces/IArbL1GatewayRouter.sol";
+import {IArbL2GatewayRouter} from "./interfaces/IArbL2GatewayRouter.sol";
+import {IJBArbitrumSucker} from "./interfaces/IJBArbitrumSucker.sol";
+import {IJBSuckerDeployer} from "./interfaces/IJBSuckerDeployer.sol";
+import {ARBAddresses} from "./libraries/ARBAddresses.sol";
+import {ARBChains} from "./libraries/ARBChains.sol";
+import {JBInboxTreeRoot} from "./structs/JBInboxTreeRoot.sol";
+import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
+import {JBOutboxTree} from "./structs/JBOutboxTree.sol";
+import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
+import {MerkleLib} from "./utils/MerkleLib.sol";
+
+/// @notice A `JBSucker` implementation to suck tokens between two chains connected by an Arbitrum bridge.
+contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
+    using BitMaps for BitMaps.BitMap;
+    using MerkleLib for MerkleLib.Tree;
+
+    //*********************************************************************//
+    // --------------------------- custom errors ------------------------- //
+    //*********************************************************************//
+
+    error JBArbitrumSucker_NotEnoughGas(uint256 payment, uint256 cost);
+
+    //*********************************************************************//
+    // --------------- public immutable stored properties ---------------- //
+    //*********************************************************************//
+
+    /// @notice The inbox used to send messages between the local and remote sucker.
+    IInbox public immutable override ARBINBOX;
+
+    /// @notice The gateway router for the specific chain
+    IArbGatewayRouter public immutable override GATEWAYROUTER;
+
+    /// @notice The layer that this contract is on.
+    JBLayer public immutable override LAYER;
+
+    //*********************************************************************//
+    // ---------------------------- constructor -------------------------- //
+    //*********************************************************************//
+
+    /// @param directory A contract storing directories of terminals and controllers for each project.
+    /// @param permissions A contract storing permissions.
+    /// @param tokens A contract that manages token minting and burning.
+    /// @param addToBalanceMode The mode of adding tokens to balance.
+    constructor(
+        JBArbitrumSuckerDeployer deployer,
+        IJBDirectory directory,
+        IJBPermissions permissions,
+        IJBTokens tokens,
+        JBAddToBalanceMode addToBalanceMode,
+        address trustedForwarder
+    )
+        JBSucker(directory, permissions, tokens, addToBalanceMode, trustedForwarder)
+    {
+        GATEWAYROUTER = JBArbitrumSuckerDeployer(deployer).arbGatewayRouter();
+        ARBINBOX = JBArbitrumSuckerDeployer(deployer).arbInbox();
+        LAYER = JBArbitrumSuckerDeployer(deployer).arbLayer();
+    }
+
+    //*********************************************************************//
+    // ------------------------ external views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Returns the chain on which the peer is located.
+    /// @return chainId of the peer.
+    function peerChainId() external view virtual override returns (uint256) {
+        uint256 chainId = block.chainid;
+        if (chainId == ARBChains.ETH_CHAINID) return ARBChains.ARB_CHAINID;
+        if (chainId == ARBChains.ARB_CHAINID) return ARBChains.ETH_CHAINID;
+        if (chainId == ARBChains.ETH_SEP_CHAINID) return ARBChains.ARB_SEP_CHAINID;
+        if (chainId == ARBChains.ARB_SEP_CHAINID) return ARBChains.ETH_SEP_CHAINID;
+        return 0;
+    }
+
+    //*********************************************************************//
+    // ------------------------ internal views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Checks if the `sender` (`_msgSender()`) is a valid representative of the remote peer.
+    /// @param sender The message's sender.
+    /// @return valid A flag if the sender is a valid representative of the remote peer.
+    function _isRemotePeer(address sender) internal view override returns (bool) {
+        // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
+        address peerAddress = _toAddress(peer());
+
+        // If we are the L1 peer,
+        if (LAYER == JBLayer.L1) {
+            IBridge bridge = ARBINBOX.bridge();
+            // Check that the sender is the bridge and that the outbox has our peer as the sender.
+            return sender == address(bridge) && peerAddress == IOutbox(bridge.activeOutbox()).l2ToL1Sender();
+        }
+
+        // If we are the L2 peer, check using the `AddressAliasHelper`.
+        return sender == AddressAliasHelper.applyL1ToL2Alias(peerAddress);
+    }
+
+    //*********************************************************************//
+    // --------------------- internal transactions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice Uses the L1/L2 gateway to send the root and assets over the bridge to the peer.
+    /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message.
+    /// @param token The token to bridge the outbox tree for.
+    /// @param remoteToken Information about the remote token being bridged to.
+    function _sendRootOverAMB(
+        uint256 transportPayment,
+        uint256,
+        address token,
+        uint256 amount,
+        JBRemoteToken memory remoteToken,
+        JBMessageRoot memory message
+    )
+        internal
+        override
+    {
+        // Bridge expects to be paid
+        if (transportPayment == 0 && LAYER == JBLayer.L1) revert JBSucker_ExpectedMsgValue();
+
+        // Build the calldata that will be send to the peer. This will call `JBSucker.fromRemote` on the remote peer.
+        bytes memory data = abi.encodeCall(JBSucker.fromRemote, (message));
+
+        // Depending on which layer we are on, send the call to the other layer.
+        // slither-disable-start out-of-order-retryable
+        if (LAYER == JBLayer.L1) {
+            _toL2({
+                token: token, transportPayment: transportPayment, amount: amount, data: data, remoteToken: remoteToken
+            });
+        } else {
+            _toL1({token: token, amount: amount, data: data, remoteToken: remoteToken});
+        }
+        // slither-disable-end out-of-order-retryable
+    }
+
+    /// @notice Bridge the `token` and data to the remote L1 chain.
+    /// @param token The token to bridge.
+    /// @param amount The amount of tokens to bridge.
+    /// @param data The calldata to send to the remote chain. This calls `JBSucker.fromRemote` on the remote peer.
+    /// @param remoteToken Information about the remote token to bridged to.
+    function _toL1(address token, uint256 amount, bytes memory data, JBRemoteToken memory remoteToken) internal {
+        uint256 nativeValue;
+
+        // Revert if there's a `msg.value`. Sending a message to L1 does not require any payment.
+        if (msg.value != 0) {
+            // slither-disable-next-line msg-value-loop
+            revert JBSucker_UnexpectedMsgValue(msg.value);
+        }
+
+        // If the token is an ERC-20, bridge it to the peer.
+        // If the amount is `0` then we do not need to bridge any ERC20.
+        if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
+            // slither-disable-next-line calls-loop
+            SafeERC20.forceApprove({token: IERC20(token), spender: GATEWAYROUTER.getGateway(token), value: amount});
+
+            // Convert bytes32 types to address at the Arbitrum bridge API boundary.
+            // slither-disable-next-line calls-loop,unused-return
+            IArbL2GatewayRouter(address(GATEWAYROUTER))
+                .outboundTransfer({
+                    l1Token: _toAddress(remoteToken.addr), to: _toAddress(peer()), amount: amount, data: bytes("")
+                });
+        } else {
+            // Otherwise, the token is the native token, and the amount will be sent as `msg.value`.
+            nativeValue = amount;
+        }
+
+        // Send the message to the peer with the reclaimed ETH.
+        // Address `100` is the ArbSys precompile address.
+        // Convert bytes32 peer to address at the Arbitrum API boundary.
+        // slither-disable-next-line calls-loop,unused-return
+        ArbSys(address(100)).sendTxToL1{value: nativeValue}({destination: _toAddress(peer()), data: data});
+    }
+
+    /// @notice Bridge the `token` and data to the remote L2 chain.
+    /// @param token The token to bridge.
+    /// @param amount The amount of tokens to bridge.
+    /// @param data The calldata to send to the remote chain. This calls `JBSucker.fromRemote` on the remote peer.
+    function _toL2(
+        address token,
+        uint256 transportPayment,
+        uint256 amount,
+        bytes memory data,
+        JBRemoteToken memory remoteToken
+    )
+        internal
+    {
+        uint256 nativeValue;
+        uint256 maxFeePerGas = block.basefee;
+        uint256 callTransportCost;
+        uint256 maxSubmissionCost;
+
+        {
+            // slither-disable-next-line calls-loop
+            maxSubmissionCost =
+                ARBINBOX.calculateRetryableSubmissionFee({dataLength: data.length, baseFee: maxFeePerGas});
+
+            // Tracks the cost for the call to the remote peer.
+            callTransportCost = maxSubmissionCost + (MESSENGER_BASE_GAS_LIMIT * maxFeePerGas);
+        }
+
+        // If the token is an ERC-20, bridge it to the peer.
+        // If the amount is `0` then we do not need to bridge any ERC20.
+        if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
+            // Calculate the cost of the ERC-20 transfer. (96 is the length of the abi encoded `data`)
+            // slither-disable-next-line calls-loop
+            uint256 maxSubmissionCostERC20 =
+                ARBINBOX.calculateRetryableSubmissionFee({dataLength: 96, baseFee: maxFeePerGas});
+
+            uint256 tokenTransportCost = maxSubmissionCostERC20 + (remoteToken.minGas * maxFeePerGas);
+
+            // Ensure we bridge enough for gas costs on L2 side
+            if (transportPayment < callTransportCost + tokenTransportCost) {
+                revert JBArbitrumSucker_NotEnoughGas(transportPayment, callTransportCost + tokenTransportCost);
+            }
+
+            {
+                // The amount of left over transportPayment will be split over the two calls.
+                uint256 transportPaymentRemainder = (transportPayment - callTransportCost - tokenTransportCost) / 2;
+                tokenTransportCost += transportPaymentRemainder;
+                callTransportCost += transportPaymentRemainder;
+            }
+
+            // Approve the tokens to be bridged.
+            // slither-disable-next-line calls-loop
+            SafeERC20.forceApprove({token: IERC20(token), spender: GATEWAYROUTER.getGateway(token), value: amount});
+
+            // Perform the ERC-20 bridge transfer. Convert bytes32 peer to address at the Arbitrum bridge API boundary.
+            // slither-disable-start out-of-order-retryable
+            // slither-disable-next-line calls-loop,unused-return
+            IArbL1GatewayRouter(address(GATEWAYROUTER)).outboundTransferCustomRefund{value: tokenTransportCost}({
+                token: token,
+                refundTo: _msgSender(),
+                to: _toAddress(peer()),
+                amount: amount,
+                maxGas: remoteToken.minGas,
+                gasPriceBid: maxFeePerGas,
+                data: bytes(abi.encode(maxSubmissionCostERC20, bytes("")))
+            });
+        } else {
+            // Ensure we bridge enough for gas costs on L2 side
+            if (transportPayment < callTransportCost) {
+                revert JBArbitrumSucker_NotEnoughGas(transportPayment, callTransportCost);
+            }
+
+            // If the token is the native token then we only need to do a single call.
+            // So it should use all of the transportPayment.
+            callTransportCost = transportPayment;
+
+            // Otherwise, the token is the native token, and the amount will be sent as `msg.value`.
+            nativeValue = amount;
+        }
+
+        // Create the retryable ticket containing the merkleRoot.
+        // We call unsafe as we do not want the refund address to be aliased to L2.
+        // The above check is the same check that makes it `safeCreateRetryableTicket`.
+
+        // Convert bytes32 peer to address at the Arbitrum inbox API boundary.
+        // slither-disable-next-line calls-loop,unused-return
+        _createRetryableTicket({
+            callTransportCost: callTransportCost,
+            nativeValue: nativeValue,
+            maxSubmissionCost: maxSubmissionCost,
+            maxFeePerGas: maxFeePerGas,
+            data: data
+        });
+        // slither-disable-end out-of-order-retryable
+    }
+
+    /// @notice Helper to create the retryable ticket, avoiding stack-too-deep.
+    function _createRetryableTicket(
+        uint256 callTransportCost,
+        uint256 nativeValue,
+        uint256 maxSubmissionCost,
+        uint256 maxFeePerGas,
+        bytes memory data
+    )
+        internal
+    {
+        address peerAddress = _toAddress(peer());
+        // slither-disable-next-line unused-return,calls-loop
+        ARBINBOX.unsafeCreateRetryableTicket{value: callTransportCost + nativeValue}({
+            to: peerAddress,
+            l2CallValue: nativeValue,
+            maxSubmissionCost: maxSubmissionCost,
+            excessFeeRefundAddress: _msgSender(),
+            callValueRefundAddress: peerAddress,
+            gasLimit: MESSENGER_BASE_GAS_LIMIT,
+            maxFeePerGas: maxFeePerGas,
+            data: data
+        });
+    }
+}

package/src/JBBaseSucker.sol

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.23;
+
+import "./JBOptimismSucker.sol";
+
+contract JBBaseSucker is JBOptimismSucker {
+    //*********************************************************************//
+    // ---------------------------- constructor -------------------------- //
+    //*********************************************************************//
+
+    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param directory A contract storing directories of terminals and controllers for each project.
+    /// @param permissions A contract storing permissions.
+    /// @param tokens A contract that manages token minting and burning.
+    /// @param addToBalanceMode The mode of adding tokens to balance.
+    constructor(
+        JBOptimismSuckerDeployer deployer,
+        IJBDirectory directory,
+        IJBPermissions permissions,
+        IJBTokens tokens,
+        JBAddToBalanceMode addToBalanceMode,
+        address trustedForwarder
+    )
+        JBOptimismSucker(deployer, directory, permissions, tokens, addToBalanceMode, trustedForwarder)
+    {}
+
+    //*********************************************************************//
+    // ------------------------ external views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Returns the chain on which the peer is located.
+    /// @return chainId of the peer.
+    function peerChainId() external view virtual override returns (uint256) {
+        uint256 chainId = block.chainid;
+        if (chainId == 1) return 8453;
+        if (chainId == 8453) return 1;
+        if (chainId == 11_155_111) return 84_532;
+        if (chainId == 84_532) return 11_155_111;
+        return 0;
+    }
+}

package/src/JBCCIPSucker.sol

@@ -0,0 +1,303 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.23;
+
+import {IAny2EVMMessageReceiver} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IAny2EVMMessageReceiver.sol";
+import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
+import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBPrices} from "@bananapus/core-v6/src/interfaces/IJBPrices.sol";
+import {IJBRulesets} from "@bananapus/core-v6/src/interfaces/IJBRulesets.sol";
+import {IJBTokens} from "@bananapus/core-v6/src/interfaces/IJBTokens.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+import {BitMaps} from "@openzeppelin/contracts/utils/structs/BitMaps.sol";
+
+import {JBSucker} from "./JBSucker.sol";
+import {JBCCIPSuckerDeployer} from "./deployers/JBCCIPSuckerDeployer.sol";
+import {JBAddToBalanceMode} from "./enums/JBAddToBalanceMode.sol";
+import {ICCIPRouter, IWrappedNativeToken} from "./interfaces/ICCIPRouter.sol";
+import {IJBCCIPSuckerDeployer} from "./interfaces/IJBCCIPSuckerDeployer.sol";
+import {CCIPHelper} from "./libraries/CCIPHelper.sol";
+import {JBInboxTreeRoot} from "./structs/JBInboxTreeRoot.sol";
+import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
+import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
+import {JBTokenMapping} from "./structs/JBTokenMapping.sol";
+import {MerkleLib} from "./utils/MerkleLib.sol";
+
+/// @notice A `JBSucker` implementation to suck tokens between chains with Chainlink CCIP
+contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
+    using MerkleLib for MerkleLib.Tree;
+    using BitMaps for BitMaps.BitMap;
+
+    //*********************************************************************//
+    // --------------------------- custom errors ------------------------- //
+    //*********************************************************************//
+
+    error JBCCIPSucker_InvalidRouter(address router);
+
+    //*********************************************************************//
+    // ------------------------------ events ----------------------------- //
+    //*********************************************************************//
+
+    /// @notice Emitted when a transport payment refund fails after a successful CCIP send.
+    /// @dev The refunded ETH is permanently stuck in this contract — there is no recovery function.
+    /// This is an accepted tradeoff to avoid reverting after CCIP has committed the bridge message.
+    /// @param recipient The address that was supposed to receive the refund.
+    /// @param amount The amount of the failed refund (permanently stuck in this contract).
+    event TransportPaymentRefundFailed(address indexed recipient, uint256 amount);
+
+    //*********************************************************************//
+    // --------------- public immutable stored properties ---------------- //
+    //*********************************************************************//
+
+    /// @notice The CCIP router used to bridge tokens between the local and remote chain.
+    ICCIPRouter public immutable CCIP_ROUTER;
+
+    /// @notice The chain id of the remote chain.
+    uint256 public immutable REMOTE_CHAIN_ID;
+
+    /// @notice The CCIP chain selector of the remote chain.
+    uint64 public immutable REMOTE_CHAIN_SELECTOR;
+
+    //*********************************************************************//
+    // ---------------------------- constructor -------------------------- //
+    //*********************************************************************//
+
+    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param directory A contract storing directories of terminals and controllers for each project.
+    /// @param tokens A contract that manages token minting and burning.
+    /// @param permissions A contract storing permissions.
+    /// @param addToBalanceMode The mode of adding tokens to balance.
+    constructor(
+        JBCCIPSuckerDeployer deployer,
+        IJBDirectory directory,
+        IJBTokens tokens,
+        IJBPermissions permissions,
+        JBAddToBalanceMode addToBalanceMode,
+        address trustedForwarder
+    )
+        JBSucker(directory, permissions, tokens, addToBalanceMode, trustedForwarder)
+    {
+        REMOTE_CHAIN_ID = IJBCCIPSuckerDeployer(deployer).ccipRemoteChainId();
+        REMOTE_CHAIN_SELECTOR = IJBCCIPSuckerDeployer(deployer).ccipRemoteChainSelector();
+        CCIP_ROUTER = IJBCCIPSuckerDeployer(deployer).ccipRouter();
+
+        if (address(CCIP_ROUTER) == address(0)) revert JBCCIPSucker_InvalidRouter(address(CCIP_ROUTER));
+    }
+
+    //*********************************************************************//
+    // ------------------------ external views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Returns the chain on which the peer is located.
+    /// @return chainId of the peer.
+    function peerChainId() external view virtual override returns (uint256 chainId) {
+        // Return the remote chain id
+        return REMOTE_CHAIN_ID;
+    }
+
+    //*********************************************************************//
+    // ------------------------- public views ---------------------------- //
+    //*********************************************************************//
+
+    /// @notice Return the current router
+    /// @return CCIP router address
+    function getRouter() public view returns (address) {
+        return address(CCIP_ROUTER);
+    }
+
+    /// @notice IERC165 supports an interfaceId
+    /// @param interfaceId The interfaceId to check
+    /// @return true if the interfaceId is supported
+    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver
+    /// e.g. return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || interfaceId == type(IERC165).interfaceId
+    /// This allows CCIP to check if ccipReceive is available before calling it.
+    /// If this returns false or reverts, only tokens are transferred to the receiver.
+    /// If this returns true, tokens are transferred and ccipReceive is called atomically.
+    /// Additionally, if the receiver address does not have code associated with
+    /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
+    }
+
+    //*********************************************************************//
+    // --------------------- external transactions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice The entrypoint for the CCIP router to call. This function should
+    /// never revert, all errors should be handled internally in this contract.
+    /// @param any2EvmMessage The message to process.
+    /// @dev Extremely important to ensure only router calls this.
+    function ccipReceive(Client.Any2EVMMessage calldata any2EvmMessage) external override {
+        // only calls from the set router are accepted.
+        if (_msgSender() != address(CCIP_ROUTER)) revert JBSucker_NotPeer(_toBytes32(_msgSender()));
+
+        // Decode the message root from the peer
+        JBMessageRoot memory root = abi.decode(any2EvmMessage.data, (JBMessageRoot));
+        address origin = abi.decode(any2EvmMessage.sender, (address));
+
+        // Make sure that the message came from our peer.
+        if (origin != _toAddress(peer()) || any2EvmMessage.sourceChainSelector != REMOTE_CHAIN_SELECTOR) {
+            revert JBSucker_NotPeer(_toBytes32(origin));
+        }
+
+        // Note (M-28): We intentionally do NOT validate root.amount against destTokenAmounts[0].amount here.
+        // CCIP fees are paid separately (via feeToken), so delivered amounts should always match what was sent.
+        // If we reverted on a mismatch, the tokens already transferred by CCIP would be locked in the router
+        // with no recovery path — a concrete fund-loss risk that outweighs the theoretical defense-in-depth
+        // benefit against a CCIP-level failure or peer compromise. See AUDIT_FINDINGS.md M-28.
+
+        // We either send no tokens or a single token.
+        if (any2EvmMessage.destTokenAmounts.length == 1) {
+            // The sucker only handles ERC-20s or native. CCIP delivers wrapped native (WETH).
+            Client.EVMTokenAmount memory tokenAmount = any2EvmMessage.destTokenAmounts[0];
+            // Unwrap WETH -> ETH only when the root says the token is NATIVE_TOKEN.
+            // When root.token is an ERC-20 address (e.g., bridging to a chain where ETH is an ERC-20), no unwrap.
+            if (root.token == _toBytes32(JBConstants.NATIVE_TOKEN)) {
+                // We can (safely) assume that the token that is set in the `destTokenAmounts` is a valid wrapped
+                // native.
+                // If this ends up not being the case then our sanity check to see if we unwrapped the native asset will
+                // fail.
+                IWrappedNativeToken wrapped_native = IWrappedNativeToken(tokenAmount.token);
+                uint256 balanceBefore = _balanceOf({token: JBConstants.NATIVE_TOKEN, addr: address(this)});
+
+                // Withdraw the wrapped native asset.
+                wrapped_native.withdraw(tokenAmount.amount);
+
+                // Sanity check the unwrapping of the native asset.
+                // slither-disable-next-line incorrect-equality
+                assert(
+                    balanceBefore + tokenAmount.amount
+                        == _balanceOf({token: JBConstants.NATIVE_TOKEN, addr: address(this)})
+                );
+            }
+        }
+
+        // Call ourselves to process the root.
+        this.fromRemote(root);
+    }
+
+    //*********************************************************************//
+    // --------------------- internal transactions ----------------------- //
+    //*********************************************************************//
+
+    /// @notice Unused in this context.
+    function _isRemotePeer(address sender) internal view override returns (bool _valid) {
+        // NOTICE: We do not check if its the `peer` here, as this contract is supposed to be the caller *NOT* the peer.
+        return sender == address(this);
+    }
+
+    /// @notice Uses CCIP to send the root and assets over the bridge to the peer.
+    /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message.
+    /// @param token The token to bridge the outbox tree for.
+    /// @param remoteToken Information about the remote token being bridged to.
+    function _sendRootOverAMB(
+        uint256 transportPayment,
+        uint256,
+        address token,
+        uint256 amount,
+        JBRemoteToken memory remoteToken,
+        JBMessageRoot memory sucker_message
+    )
+        internal
+        override
+    {
+        // Make sure we are attempting to pay the bridge
+        if (transportPayment == 0) revert JBSucker_ExpectedMsgValue();
+
+        uint256 gasLimit = MESSENGER_BASE_GAS_LIMIT;
+        Client.EVMTokenAmount[] memory tokenAmounts;
+        if (amount != 0) {
+            // If we also do an asset transfer then we increase the min required gas amount.
+            gasLimit += remoteToken.minGas;
+
+            // Wrap native ETH -> WETH for CCIP bridging. CCIP only transports ERC-20s.
+            // This is why `_validateTokenMapping` enforces minGas for native tokens too.
+            if (token == JBConstants.NATIVE_TOKEN) {
+                // Get the wrapped native token.
+                // slither-disable-next-line calls-loop
+                IWrappedNativeToken wrapped_native = CCIP_ROUTER.getWrappedNative();
+                // Deposit the wrapped native asset.
+                // slither-disable-next-line calls-loop,arbitrary-send-eth
+                wrapped_native.deposit{value: amount}();
+                // Update the token to be the wrapped native asset.
+                token = address(wrapped_native);
+            }
+
+            // Set the token amounts
+            tokenAmounts = new Client.EVMTokenAmount[](1);
+            tokenAmounts[0] = Client.EVMTokenAmount({token: token, amount: amount});
+
+            // approve the Router to spend tokens on contract's behalf. It will spend the amount of the given token
+            SafeERC20.forceApprove(IERC20(token), address(CCIP_ROUTER), amount);
+        }
+
+        // Create an EVM2AnyMessage struct in memory with necessary information for sending a cross-chain message
+        // CCIP requires EVM addresses, so convert the bytes32 peer to an address for the receiver field.
+        Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
+            receiver: abi.encode(_toAddress(peer())),
+            data: abi.encode(sucker_message),
+            tokenAmounts: tokenAmounts,
+            extraArgs: Client._argsToBytes(
+                // Additional arguments, setting gas limit
+                Client.EVMExtraArgsV1({gasLimit: gasLimit})
+            ),
+            // Set the feeToken to a feeTokenAddress, indicating specific asset will be used for fees,
+            // We pay in the native asset.
+            feeToken: address(0)
+        });
+
+        // Get the fee required to send the CCIP message
+        // slither-disable-next-line calls-loop
+        uint256 fees = CCIP_ROUTER.getFee({destinationChainSelector: REMOTE_CHAIN_SELECTOR, message: message});
+
+        if (fees > transportPayment) {
+            revert JBSucker_InsufficientMsgValue(transportPayment, fees);
+        }
+
+        // slither-disable-next-line calls-loop,unused-return
+        CCIP_ROUTER.ccipSend{value: fees}({destinationChainSelector: REMOTE_CHAIN_SELECTOR, message: message});
+
+        // Refund remaining balance. We use a low-level call that does not revert on failure because
+        // `ccipSend` above has already committed the bridge message and transferred the tokens. If we
+        // reverted here (e.g. because the caller is a non-payable contract), the entire transaction
+        // would roll back — but the CCIP message is already in-flight. The tokens would be gone, the
+        // merkle root never gets processed, and the outbox state is inconsistent.
+        //
+        // If the refund fails, the ETH (transportPayment - fees) will be permanently stuck in this
+        // contract. There is no sweep or recovery function — `addOutstandingAmountToBalance` only
+        // moves funds tracked via `fromRemote`, not arbitrary ETH. This is an accepted tradeoff:
+        // stuck dust from a fee overpayment is far less harmful than bricking the entire bridge
+        // operation. The event provides observability so it doesn't go unnoticed.
+        //
+        // See AUDIT_FINDINGS.md M-2 for the full analysis.
+        uint256 refundAmount = transportPayment - fees;
+        if (refundAmount != 0) {
+            // slither-disable-next-line calls-loop,msg-value-loop,reentrancy-events
+            (bool sent,) = _msgSender().call{value: refundAmount}("");
+            if (!sent) emit TransportPaymentRefundFailed(_msgSender(), refundAmount);
+        }
+    }
+
+    /// @notice Allow sucker implementations to add/override mapping rules to suite their specific needs.
+    /// @dev Unlike OP/Arbitrum suckers (which share ETH as native on both chains), this CCIP sucker can connect
+    /// chains with different native tokens. This means `NATIVE_TOKEN` may map to an ERC-20 on the remote chain.
+    ///
+    /// Example: ETH mainnet (native = ETH) <-> Celo (native = CELO, ETH is an ERC-20).
+    ///   - On mainnet: `mapToken({localToken: NATIVE_TOKEN, remoteToken: celoETH_address})`
+    ///   - Sending: `_sendRootOverAMB` wraps native ETH -> WETH, bridges WETH via CCIP.
+    ///   - Receiving: `ccipReceive` checks `root.token == NATIVE_TOKEN` to decide whether to unwrap WETH -> ETH.
+    ///     If `root.token` is an ERC-20 address (like celoETH), no unwrap occurs — tokens stay as ERC-20.
+    ///
+    /// The base class restriction (`NATIVE_TOKEN` can only map to `NATIVE_TOKEN` or `address(0)`) is intentionally
+    /// removed here. The base class retains that restriction for OP/Arbitrum where both chains share ETH as native.
+    function _validateTokenMapping(JBTokenMapping calldata map) internal pure virtual override {
+        // Enforce a reasonable minimum gas limit for bridging. A minimum which is too low could lead to the loss of
+        // funds. CCIP wraps native tokens to WETH before bridging (see `_sendRootOverAMB`), so ALL tokens —
+        // including native — need sufficient gas for an ERC-20 transfer on the remote chain.
+        if (map.minGas < MESSENGER_ERC20_MIN_GAS_LIMIT) {
+            revert JBSucker_BelowMinGas(map.minGas, MESSENGER_ERC20_MIN_GAS_LIMIT);
+        }
+    }
+}