@bananapus/suckers-v6 0.0.18 → 0.0.20

package/CHANGE_LOG.md

@@ -166,6 +166,7 @@ In v5, `JBSucker.initialize()` used `msg.sender` to set the `deployer` field. In
 | `JBSucker` | `JBSucker_AmountExceedsUint128(uint256 amount)` | Thrown when `terminalTokenAmount` or `projectTokenCount` exceeds `uint128` in `_insertIntoTree`. Guards against overflow for SVM/Solana compatibility. |
 | `JBSucker` | `JBSucker_InvalidMessageVersion(uint8 received, uint8 expected)` | Thrown in `fromRemote` when the message version does not match `MESSAGE_VERSION`. Prevents processing incompatible messages. |
 | `JBSucker` | `JBSucker_NothingToSend()` | Thrown in `toRemote()` when the outbox has zero balance and no unsent claims. Prevents unnecessary bridge calls. |
+| `JBSucker` | `JBSucker_IndexOutOfRange(uint256 index)` | Thrown in `_validate()` and `_validateForEmergencyExit()` when the leaf index exceeds the tree depth (`>= 2^32`). Prevents wasted gas on impossible proofs. |
 | `CCIPHelper` | `CCIPHelper_UnsupportedChain(uint256 chainId)` | Replaces bare `revert("Unsupported chain")` strings with a typed error. |
 | `JBSuckerRegistry` | `JBSuckerRegistry_FeeExceedsMax(uint256 fee, uint256 max)` | Thrown when `setToRemoteFee` is called with a fee exceeding `MAX_TO_REMOTE_FEE`. |
 
@@ -463,3 +464,21 @@ The `Deploy.s.sol` script's `_optimismSucker()`, `_baseSucker()`, `_arbitrumSuck
 The `JBSucker.toRemote()` fee payment has a best-effort pattern: if the fee terminal is missing or the `pay()` call reverts, the transaction should proceed without the fee. Previously, the catch block and no-terminal branch reset `transportPayment = msg.value`, restoring the fee amount into the transport payment. This caused zero-cost bridges (OP, Base, Celo, Arbitrum L2->L1) to revert with `JBSucker_UnexpectedMsgValue` because they check `if (transportPayment != 0) revert`.
 
 **Fix**: On fee payment failure, `transportPayment` is no longer overwritten. It stays at `msg.value - _toRemoteFee` (which is 0 when the caller sends exactly the fee amount). The fee ETH is retained by the sucker contract rather than being added back to the transport payment. This preserves bridge compatibility for all zero-cost bridge implementations.
+
+### 9.3 Index Bounds Check in `_validate` and `_validateForEmergencyExit`
+
+`_validate()` and `_validateForEmergencyExit()` did not check whether the leaf `index` exceeded the tree depth (`2^32 - 1`). While the merkle proof verification would still fail for out-of-range indices (since no valid proof exists), the missing check allowed unnecessary gas consumption and unclear revert messages.
+
+**Fix**: Both functions now revert with `JBSucker_IndexOutOfRange(index)` if `index >= (1 << _TREE_DEPTH)`. This is a new custom error added to `JBSucker`.
+
+### 9.4 Missing `wethOfChain` Entries for OP Sepolia and Base Sepolia
+
+`CCIPHelper.wethOfChain()` did not have entries for `OP_SEP_ID` (Optimism Sepolia) or `BASE_SEP_ID` (Base Sepolia), causing CCIP sucker deployments on those testnets to revert with `CCIPHelper_UnsupportedChain`.
+
+**Fix**: Added `OP_SEP_WETH` and `BASE_SEP_WETH` constants (`0x4200000000000000000000000000000000000006`) and corresponding branches in `wethOfChain()`.
+
+### 9.5 NatSpec Fix for Salt Encoding
+
+The NatSpec comment on `JBSucker.peer()` incorrectly described the deployer's salt computation as `keccak256(abi.encode(_msgSender(), salt))`. The actual code in `JBSuckerDeployer.createForSender()` uses `keccak256(abi.encodePacked(_msgSender(), salt))`.
+
+**Fix**: Updated the NatSpec to say `abi.encodePacked` to match the implementation.

package/SKILLS.md

@@ -109,6 +109,7 @@ Cross-chain token and fund bridging for Juicebox V6 projects, using merkle trees
 | `JBSucker_Deprecated` | `JBSucker` | `prepare` or `toRemote` called when sucker is `SENDING_DISABLED` or `DEPRECATED` |
 | `JBSucker_DeprecationTimestampTooSoon` | `JBSucker` | `setDeprecation` timestamp is less than `_maxMessagingDelay()` in the future |
 | `JBSucker_ExpectedMsgValue` | `JBSucker` | `toRemote` called without required `msg.value` for transport payment |
+| `JBSucker_IndexOutOfRange` | `JBSucker` | Leaf index exceeds tree depth (`>= 2^32`) in `_validate` or `_validateForEmergencyExit` |
 | `JBSucker_InsufficientBalance` | `JBSucker` | Emergency hatch exit amount exceeds outbox balance |
 | `JBSucker_InsufficientMsgValue` | `JBSucker` | `msg.value` is less than the `toRemoteFee` |
 | `JBSucker_InvalidMessageVersion` | `JBSucker` | `fromRemote` receives a message with wrong `MESSAGE_VERSION` |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.18",
+  "version": "0.0.20",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -20,8 +20,8 @@
   "dependencies": {
     "@arbitrum/nitro-contracts": "^1.2.1",
     "@bananapus/address-registry-v6": "^0.0.16",
-    "@bananapus/core-v6": "^0.0.28",
-    "@bananapus/permission-ids-v6": "^0.0.14",
+    "@bananapus/core-v6": "^0.0.30",
+    "@bananapus/permission-ids-v6": "^0.0.15",
     "@chainlink/contracts-ccip": "^1.5.0",
     "@chainlink/local": "github:smartcontractkit/chainlink-local",
     "@openzeppelin/contracts": "^5.6.1",

package/src/JBSucker.sol

@@ -68,6 +68,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     error JBSucker_TokenAlreadyMapped(address localToken, bytes32 mappedTo);
     error JBSucker_TokenHasInvalidEmergencyHatchState(address token);
     error JBSucker_TokenNotMapped(address token);
+    error JBSucker_IndexOutOfRange(uint256 index);
     error JBSucker_UnexpectedMsgValue(uint256 value);
     error JBSucker_ZeroBeneficiary();
     error JBSucker_ZeroERC20Token();
@@ -227,7 +228,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
 
     /// @notice The peer sucker on the remote chain, as a bytes32 for cross-VM compatibility.
     /// @dev Defaults to `_toBytes32(address(this))`, assuming deterministic cross-chain deployment via CREATE2. The
-    /// deployer (`JBSuckerDeployer`) uses `salt = keccak256(abi.encode(_msgSender(), salt))` to ensure
+    /// deployer (`JBSuckerDeployer`) uses `salt = keccak256(abi.encodePacked(_msgSender(), salt))` to ensure
     /// sender-specific determinism. This assumption breaks if CREATE2 conditions differ across chains (e.g.,
     /// different factory nonces, different init code, or different deployer addresses). In such cases, subclasses
     /// must override this function to return the correct peer address (e.g., a Solana program/PDA address for
@@ -1115,6 +1116,9 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     )
         internal
     {
+        // Ensure the index is within tree bounds (max 2^TREE_DEPTH - 1).
+        if (index >= (1 << _TREE_DEPTH)) revert JBSucker_IndexOutOfRange(index);
+
         // Make sure the leaf has not already been executed.
         if (_executedFor[terminalToken].get(index)) {
             revert JBSucker_LeafAlreadyExecuted(terminalToken, index);
@@ -1201,6 +1205,9 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     )
         internal
     {
+        // Ensure the index is within tree bounds (max 2^TREE_DEPTH - 1).
+        if (index >= (1 << _TREE_DEPTH)) revert JBSucker_IndexOutOfRange(index);
+
         // Make sure that the emergencyHatch is enabled for the token.
         JBSuckerState deprecationState = state();
         if (

package/src/libraries/CCIPHelper.sol

@@ -53,6 +53,8 @@ library CCIPHelper {
     address public constant AVA_WETH = 0xB31f66AA3C1e785363F0875A1B74E27b85FD66c7;
     address public constant BNB_WETH = 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c;
     address public constant BASE_WETH = 0x4200000000000000000000000000000000000006;
+    address public constant OP_SEP_WETH = 0x4200000000000000000000000000000000000006;
+    address public constant BASE_SEP_WETH = 0x4200000000000000000000000000000000000006;
 
     function routerOfChain(uint256 _chainId) internal pure returns (address router) {
         if (_chainId == ETH_ID) {
@@ -129,6 +131,10 @@ library CCIPHelper {
             return ETH_SEP_WETH;
         } else if (_chainId == ARB_SEP_ID) {
             return ARB_SEP_WETH;
+        } else if (_chainId == OP_SEP_ID) {
+            return OP_SEP_WETH;
+        } else if (_chainId == BASE_SEP_ID) {
+            return BASE_SEP_WETH;
         } else {
             revert CCIPHelper_UnsupportedChain(_chainId);
         }

package/test/unit/emergency.t.sol

@@ -35,6 +35,9 @@ contract SuckerEmergencyTest is Test {
 
     /// @notice Ensures that if a sucker is deprecated and a claim is valid that a user can withdraw their deposit.
     function testEmergencyExitWhenDeprecated(bool setAsDeprecated, bool isValidClaim, JBClaim memory claim) external {
+        // Bound index to valid tree range (< 2^32).
+        claim.leaf.index = bound(claim.leaf.index, 0, type(uint32).max);
+
         uint256 projectId = 1;
         TestSucker sucker = _createTestSucker(projectId, "");
 
@@ -84,6 +87,9 @@ contract SuckerEmergencyTest is Test {
 
     /// @notice Ensures that if a sucker is send disabled and a claim is valid that a user can withdraw their deposit.
     function testEmergencyExitWhenSendingDisabled(bool sendDisabled, bool isValidClaim, JBClaim memory claim) external {
+        // Bound index to valid tree range (< 2^32).
+        claim.leaf.index = bound(claim.leaf.index, 0, type(uint32).max);
+
         uint256 projectId = 1;
         TestSucker sucker = _createTestSucker(projectId, "");
 
@@ -139,6 +145,9 @@ contract SuckerEmergencyTest is Test {
     )
         external
     {
+        // Bound index to valid tree range (< 2^32).
+        claim.leaf.index = bound(claim.leaf.index, 0, type(uint32).max);
+
         uint256 projectId = 1;
         TestSucker sucker = _createTestSucker(projectId, "");