@bananapus/suckers-v6 0.0.23 → 0.0.25

package/RISKS.md

@@ -127,6 +127,10 @@ The registry owner can adjust `toRemoteFee` via `JBSuckerRegistry.setToRemoteFee
 
 The fee is paid to `FEE_PROJECT_ID` (the protocol project), not to the sucker's own `projectId()`. This centralizes fee collection, but it is still only best-effort: if the fee project's native terminal is missing or its `pay` call reverts, the fee ETH stays in the sucker contract and is later recoverable through the normal claim path. The sucker's project does not directly benefit from the anti-spam fee.
 
-### 10.5 `mapTokens` refunds ETH on enable-only batches
+### 10.5 Hookless V4 spot pricing is sandwich-vulnerable by design
+
+When the only available Uniswap pool for a cross-denomination swap is a hookless V4 pool (no V3 pool exists), `_getV4Quote` falls back to the instantaneous spot tick from `POOL_MANAGER.getSlot0()` instead of a TWAP oracle. This tick is manipulable via sandwich attacks, allowing an attacker to skew the `minAmountOut` and extract value from the swap. The sigmoid slippage model limits the damage but operates on a corrupted baseline. This is an accepted tradeoff: reverting when no TWAP is available would cause the CCIP message to fail, leaving bridged tokens stuck in the CCIP router until manual retry. Getting some value (even at a worse rate) is preferred over a stuck bridge message, especially since this path only triggers when no V3 pool with built-in TWAP exists at all. The hooked V4 path also falls back to spot if the hook's `observe()` reverts, with the same tradeoff.
+
+### 10.6 `mapTokens` refunds ETH on enable-only batches
 
 `mapTokens()` only uses `msg.value` when one or more mappings are being disabled and need transport payment for the final root flush. If every mapping in the batch is enable-only (`numberToDisable == 0`), the full `msg.value` is refunded to `_msgSender()`. If the refund transfer fails (e.g., the caller is a non-payable contract), the call reverts with `JBSucker_RefundFailed`. When disables are present, any dust remainder from integer division (`msg.value % numberToDisable`) is also refunded on a best-effort basis.

package/USER_JOURNEYS.md

@@ -66,6 +66,19 @@
 2. Use `exitThroughEmergencyHatch(...)` with the relevant claim data.
 3. Treat emergency execution slots as distinct state that still must not allow the same economic position to be claimed twice.
 
+## Journey 6: Create A Proxy Project And Route Payments Through It
+
+**Starting state:** a project exists on the home chain with an ERC-20 token deployed, and wants to let users on other chains acquire proxy tokens backed by real project tokens.
+
+**Success:** a proxy project is created once, and payments routed through it mint proxy tokens 1:1 with the real tokens deposited.
+
+**Flow**
+1. Call `JBSuckerTerminal.createProxy(realProjectId, name, symbol, salt)` to launch a locked proxy project with a permanent 1:1 ruleset, backed by the real project's ERC-20 token.
+2. Anyone can then call `JBSuckerTerminal.pay(proxyProjectId, token, amount, beneficiary, ...)` to pay the real project and automatically receive proxy tokens.
+3. Suckers registered for the proxy project get mint permission through `JBSuckerTerminal`'s data hook, enabling cross-chain bridging of proxy token positions.
+
+**Failure cases that matter:** calling `createProxy` on a project without an ERC-20 deployed, attempting to create a second proxy for the same project, and paying with a token that has no primary terminal on the real project.
+
 ## Hand-Offs
 
 - Use [nana-omnichain-deployers-v6](../nana-omnichain-deployers-v6/USER_JOURNEYS.md) when a project wants suckers packaged into its launch flow instead of deployed separately.

package/foundry.toml

@@ -29,3 +29,4 @@ arbitrum = "${RPC_ARBITRUM_MAINNET}"
 optimism = "${RPC_OPTIMISM_MAINNET}"
 base = "${RPC_BASE_MAINNET}"
 celo = "${RPC_CELO_MAINNET}"
+tempo = "${RPC_TEMPO_MAINNET}"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.23",
+  "version": "0.0.25",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -19,12 +19,15 @@
   },
   "dependencies": {
     "@arbitrum/nitro-contracts": "^1.2.1",
-    "@bananapus/core-v6": "^0.0.32",
-    "@bananapus/permission-ids-v6": "^0.0.15",
-    "@chainlink/contracts-ccip": "^1.5.0",
-    "@chainlink/local": "github:smartcontractkit/chainlink-local",
+    "@bananapus/core-v6": "^0.0.34",
+    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@chainlink/contracts-ccip": "^1.6.0",
+    "@chainlink/local": "github:smartcontractkit/chainlink-local#v0.2.7",
     "@openzeppelin/contracts": "^5.6.1",
     "@prb/math": "^4.1.0",
+    "@uniswap/v3-core": "github:Uniswap/v3-core#0.8",
+    "@uniswap/v3-periphery": "github:Uniswap/v3-periphery#0.8",
+    "@uniswap/v4-core": "^1.0.2",
     "solady": "^0.1.26"
   },
   "devDependencies": {

package/script/Deploy.s.sol

@@ -52,6 +52,8 @@ contract DeployScript is Script, Sphinx {
     bytes32 ARB_OP_SALT = "_SUCKER_ARB_OP_V6_";
     // forge-lint: disable-next-line(mixed-case-variable)
     bytes32 OP_BASE_SALT = "_SUCKER_OP_BASE_V6_";
+    // forge-lint: disable-next-line(mixed-case-variable)
+    bytes32 TEMPO_SALT = "_SUCKER_ETH_TEMPO_V6_";
 
     // forge-lint: disable-next-line(mixed-case-variable)
     IJBSuckerRegistry REGISTRY;
@@ -62,8 +64,9 @@ contract DeployScript is Script, Sphinx {
     function configureSphinx() public override {
         // TODO: Update to contain JB Emergency Developers
         sphinxConfig.projectName = "nana-suckers-v6";
-        sphinxConfig.mainnets = ["ethereum", "optimism", "base", "arbitrum"];
-        sphinxConfig.testnets = ["ethereum_sepolia", "optimism_sepolia", "base_sepolia", "arbitrum_sepolia"];
+        sphinxConfig.mainnets = ["ethereum", "optimism", "base", "arbitrum", "tempo"];
+        sphinxConfig.testnets =
+            ["ethereum_sepolia", "optimism_sepolia", "base_sepolia", "arbitrum_sepolia", "tempo_moderato"];
     }
 
     function run() public {
@@ -580,6 +583,16 @@ contract DeployScript is Script, Sphinx {
                     })
                 )
             );
+
+            // Tempo
+            PRE_APPROVED_DEPLOYERS.push(
+                address(
+                    _deployCCIPSuckerFor({
+                        salt: TEMPO_SALT,
+                        remoteChainId: block.chainid == 1 ? CCIPHelper.TEMPO_ID : CCIPHelper.TEMPO_MOD_ID
+                    })
+                )
+            );
         }
 
         // Check if we should do the L2 portion.
@@ -678,6 +691,19 @@ contract DeployScript is Script, Sphinx {
                 )
             );
         }
+
+        // Tempo / Tempo Moderato.
+        if (block.chainid == 4217 || block.chainid == 42_431) {
+            // Tempo -> ETH.
+            PRE_APPROVED_DEPLOYERS.push(
+                address(
+                    _deployCCIPSuckerFor({
+                        salt: TEMPO_SALT,
+                        remoteChainId: block.chainid == 4217 ? CCIPHelper.ETH_ID : CCIPHelper.ETH_SEP_ID
+                    })
+                )
+            );
+        }
     }
 
     // forge-lint: disable-next-line(mixed-case-function)

package/src/JBArbitrumSucker.sol

@@ -12,7 +12,6 @@ import {IJBTokens} from "@bananapus/core-v6/src/interfaces/IJBTokens.sol";
 import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-import {BitMaps} from "@openzeppelin/contracts/utils/structs/BitMaps.sol";
 
 import {JBSucker} from "./JBSucker.sol";
 import {JBArbitrumSuckerDeployer} from "./deployers/JBArbitrumSuckerDeployer.sol";
@@ -25,13 +24,9 @@ import {IJBArbitrumSucker} from "./interfaces/IJBArbitrumSucker.sol";
 import {ARBChains} from "./libraries/ARBChains.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
-import {MerkleLib} from "./utils/MerkleLib.sol";
 
 /// @notice A `JBSucker` implementation to suck tokens between two chains connected by an Arbitrum bridge.
 contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
-    using BitMaps for BitMaps.BitMap;
-    using MerkleLib for MerkleLib.Tree;
-
     //*********************************************************************//
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
@@ -98,7 +93,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     /// @return valid A flag if the sender is a valid representative of the remote peer.
     function _isRemotePeer(address sender) internal view override returns (bool) {
         // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
-        address peerAddress = _toAddress(peer());
+        address peerAddress = _peerAddress();
 
         // If we are the L1 peer,
         if (LAYER == JBLayer.L1) {
@@ -125,7 +120,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     )
         internal
     {
-        address peerAddress = _toAddress(peer());
+        address peerAddress = _peerAddress();
         // slither-disable-next-line unused-return,calls-loop
         ARBINBOX.unsafeCreateRetryableTicket{value: callTransportCost + nativeValue}({
             to: peerAddress,
@@ -139,6 +134,14 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         });
     }
 
+    /// @notice Approves the Arbitrum gateway to spend `amount` of `token`.
+    /// @param token The ERC-20 token to approve.
+    /// @param amount The amount to approve.
+    function _approveGateway(address token, uint256 amount) internal {
+        // slither-disable-next-line calls-loop
+        SafeERC20.forceApprove({token: IERC20(token), spender: GATEWAYROUTER.getGateway(token), value: amount});
+    }
+
     /// @notice Uses the L1/L2 gateway to send the root and assets over the bridge to the peer.
     /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message.
     /// @param token The token to bridge the outbox tree for.
@@ -191,13 +194,12 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         uint256 nativeValue;
 
         // Cache peer address to avoid redundant calls.
-        address peerAddress = _toAddress(peer());
+        address peerAddress = _peerAddress();
 
         // If the token is an ERC-20, bridge it to the peer.
         // If the amount is `0` then we do not need to bridge any ERC20.
         if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
-            // slither-disable-next-line calls-loop
-            SafeERC20.forceApprove({token: IERC20(token), spender: GATEWAYROUTER.getGateway(token), value: amount});
+            _approveGateway({token: token, amount: amount});
 
             // Convert bytes32 types to address at the Arbitrum bridge API boundary.
             // slither-disable-next-line calls-loop,unused-return
@@ -274,8 +276,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             }
 
             // Approve the tokens to be bridged.
-            // slither-disable-next-line calls-loop
-            SafeERC20.forceApprove({token: IERC20(token), spender: GATEWAYROUTER.getGateway(token), value: amount});
+            _approveGateway({token: token, amount: amount});
 
             // Perform the ERC-20 bridge transfer. Convert bytes32 peer to address at the Arbitrum bridge API boundary.
             // slither-disable-start out-of-order-retryable
@@ -283,7 +284,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             IArbL1GatewayRouter(address(GATEWAYROUTER)).outboundTransferCustomRefund{value: tokenTransportCost}({
                 token: token,
                 refundTo: _msgSender(),
-                to: _toAddress(peer()),
+                to: _peerAddress(),
                 amount: amount,
                 maxGas: remoteToken.minGas,
                 gasPriceBid: maxFeePerGas,

package/src/JBCCIPSucker.sol

@@ -1,36 +1,41 @@
 // SPDX-License-Identifier: MIT
 pragma solidity 0.8.28;
 
+// External packages (alphabetized)
 import {IJBDirectory} from "@bananapus/core-v6/src/interfaces/IJBDirectory.sol";
 import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
 import {IJBTokens} from "@bananapus/core-v6/src/interfaces/IJBTokens.sol";
 import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
-import {IAny2EVMMessageReceiver} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IAny2EVMMessageReceiver.sol";
-import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
-import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-import {BitMaps} from "@openzeppelin/contracts/utils/structs/BitMaps.sol";
-
+import {IAny2EVMMessageReceiver} from "@chainlink/contracts-ccip/contracts/interfaces/IAny2EVMMessageReceiver.sol";
+import {Client} from "@chainlink/contracts-ccip/contracts/libraries/Client.sol";
+// Local: base contracts
 import {JBSucker} from "./JBSucker.sol";
+
+// Local: deployers
 import {JBCCIPSuckerDeployer} from "./deployers/JBCCIPSuckerDeployer.sol";
-import {IJBSuckerRegistry} from "./interfaces/IJBSuckerRegistry.sol";
-import {ICCIPRouter, IWrappedNativeToken} from "./interfaces/ICCIPRouter.sol";
+
+// Local: interfaces (alphabetized)
+import {ICCIPRouter} from "./interfaces/ICCIPRouter.sol";
 import {IJBCCIPSuckerDeployer} from "./interfaces/IJBCCIPSuckerDeployer.sol";
+import {IJBSuckerRegistry} from "./interfaces/IJBSuckerRegistry.sol";
+
+// Local: libraries (alphabetized)
+import {CCIPHelper} from "./libraries/CCIPHelper.sol";
+import {JBCCIPLib} from "./libraries/JBCCIPLib.sol";
+
+// Local: structs (alphabetized)
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 import {JBTokenMapping} from "./structs/JBTokenMapping.sol";
-import {MerkleLib} from "./utils/MerkleLib.sol";
 
 /// @notice A `JBSucker` implementation to suck tokens between chains with Chainlink CCIP
 contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
-    using MerkleLib for MerkleLib.Tree;
-    using BitMaps for BitMaps.BitMap;
-
     //*********************************************************************//
     // --------------------------- custom errors ------------------------- //
     //*********************************************************************//
 
     error JBCCIPSucker_InvalidRouter(address router);
+    error JBCCIPSucker_UnknownMessageType(uint8 messageType);
 
     //*********************************************************************//
     // ------------------------------ events ----------------------------- //
@@ -43,6 +48,13 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     /// @param amount The amount of the failed refund (permanently stuck in this contract).
     event TransportPaymentRefundFailed(address indexed recipient, uint256 amount);
 
+    //*********************************************************************//
+    // ----------------------- internal constants ------------------------ //
+    //*********************************************************************//
+
+    /// @notice Message type prefix for root messages (fromRemote).
+    uint8 internal constant _CCIP_MSG_TYPE_ROOT = 0;
+
     //*********************************************************************//
     // --------------- public immutable stored properties ---------------- //
     //*********************************************************************//
@@ -60,10 +72,13 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     // ---------------------------- constructor -------------------------- //
     //*********************************************************************//
 
-    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param deployer A contract that deploys the clones for this contract.
     /// @param directory A contract storing directories of terminals and controllers for each project.
     /// @param tokens A contract that manages token minting and burning.
     /// @param permissions A contract storing permissions.
+    /// @param feeProjectId The ID of the project that receives fees.
+    /// @param registry The sucker registry that tracks deployed suckers.
+    /// @param trustedForwarder The trusted forwarder for ERC-2771 meta-transactions.
     constructor(
         JBCCIPSuckerDeployer deployer,
         IJBDirectory directory,
@@ -75,10 +90,16 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     )
         JBSucker(directory, permissions, tokens, feeProjectId, registry, trustedForwarder)
     {
+        // Read the remote chain ID from the deployer.
         REMOTE_CHAIN_ID = IJBCCIPSuckerDeployer(deployer).ccipRemoteChainId();
+
+        // Read the CCIP chain selector from the deployer.
         REMOTE_CHAIN_SELECTOR = IJBCCIPSuckerDeployer(deployer).ccipRemoteChainSelector();
+
+        // Read the CCIP router from the deployer.
         CCIP_ROUTER = IJBCCIPSuckerDeployer(deployer).ccipRouter();
 
+        // Ensure the CCIP router is not the zero address.
         if (address(CCIP_ROUTER) == address(0)) revert JBCCIPSucker_InvalidRouter(address(CCIP_ROUTER));
     }
 
@@ -87,9 +108,8 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.
-    /// @return chainId of the peer.
+    /// @return chainId The chain ID of the peer.
     function peerChainId() external view virtual override returns (uint256 chainId) {
-        // Return the remote chain id
         return REMOTE_CHAIN_ID;
     }
 
@@ -97,23 +117,22 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
-    /// @notice Return the current router
-    /// @return CCIP router address
-    function getRouter() public view returns (address) {
+    /// @notice Returns the address of the current CCIP router.
+    /// @return router The CCIP router address.
+    function getRouter() public view returns (address router) {
         return address(CCIP_ROUTER);
     }
 
-    /// @notice IERC165 supports an interfaceId
-    /// @param interfaceId The interfaceId to check
-    /// @return true if the interfaceId is supported
-    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver
-    /// e.g. return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || interfaceId == type(IERC165).interfaceId
+    /// @notice Checks whether this contract supports a given interface.
+    /// @param interfaceId The interface ID to check.
+    /// @return supported Whether the interface is supported.
+    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver.
     /// This allows CCIP to check if ccipReceive is available before calling it.
     /// If this returns false or reverts, only tokens are transferred to the receiver.
     /// If this returns true, tokens are transferred and ccipReceive is called atomically.
     /// Additionally, if the receiver address does not have code associated with
     /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool supported) {
         return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
     }
 
@@ -128,70 +147,40 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     /// reverting on invalid sender/peer data is correct here because accepting and silently discarding a
     /// malformed message would lose the bridged tokens with no recovery path. A revert keeps tokens in the
     /// CCIP router where they can be retried or recovered.
-    function ccipReceive(Client.Any2EVMMessage calldata any2EvmMessage) external override {
+    function ccipReceive(Client.Any2EVMMessage calldata any2EvmMessage) external virtual override {
         // Use msg.sender (not _msgSender()) because the CCIP router never uses ERC2771 meta-transactions.
         // Using _msgSender() would allow a trusted forwarder to spoof the router address via the
         // ERC-2771 calldata suffix.
         if (msg.sender != address(CCIP_ROUTER)) revert JBSucker_NotPeer(_toBytes32(msg.sender));
 
-        // Decode the message root from the peer
-        JBMessageRoot memory root = abi.decode(any2EvmMessage.data, (JBMessageRoot));
+        // Decode the sender address from the CCIP message.
         address origin = abi.decode(any2EvmMessage.sender, (address));
 
         // Make sure that the message came from our peer.
-        if (origin != _toAddress(peer()) || any2EvmMessage.sourceChainSelector != REMOTE_CHAIN_SELECTOR) {
+        if (origin != _peerAddress() || any2EvmMessage.sourceChainSelector != REMOTE_CHAIN_SELECTOR) {
             revert JBSucker_NotPeer(_toBytes32(origin));
         }
 
-        // By design, CCIP guarantees token delivery matches the sent amount. Validating the
-        // delivered amount against the message would add gas cost for a check that the bridge itself enforces.
-        // If CCIP's guarantee fails, the bridge itself is compromised.
-        //
-        // We intentionally do NOT validate root.amount against destTokenAmounts[0].amount here.
-        // CCIP fees are paid separately (via feeToken), so delivered amounts should always match what was sent.
-        // If we reverted on a mismatch, the tokens already transferred by CCIP would be locked in the router
-        // with no recovery path — a concrete fund-loss risk that outweighs the theoretical defense-in-depth
-        // benefit against a CCIP-level failure or peer compromise.
-
-        // We either send no tokens or a single token.
-        if (any2EvmMessage.destTokenAmounts.length == 1) {
-            // The sucker only handles ERC-20s or native. CCIP delivers wrapped native (WETH).
-            Client.EVMTokenAmount memory tokenAmount = any2EvmMessage.destTokenAmounts[0];
-            // Unwrap WETH -> ETH only when the root says the token is NATIVE_TOKEN.
-            // When root.token is an ERC-20 address (e.g., bridging to a chain where ETH is an ERC-20), no unwrap.
-            if (root.token == _toBytes32(JBConstants.NATIVE_TOKEN)) {
-                // We can (safely) assume that the token that is set in the `destTokenAmounts` is a valid wrapped
-                // native.
-                // If this ends up not being the case then our sanity check to see if we unwrapped the native asset will
-                // fail.
-                // forge-lint: disable-next-line(mixed-case-variable)
-                IWrappedNativeToken wrapped_native = IWrappedNativeToken(tokenAmount.token);
-                uint256 balanceBefore = _balanceOf({token: JBConstants.NATIVE_TOKEN, addr: address(this)});
-
-                // Withdraw the wrapped native asset.
-                wrapped_native.withdraw(tokenAmount.amount);
-
-                // Sanity check the unwrapping of the native asset.
-                // slither-disable-next-line incorrect-equality
-                assert(
-                    balanceBefore + tokenAmount.amount
-                        == _balanceOf({token: JBConstants.NATIVE_TOKEN, addr: address(this)})
-                );
-            }
-        }
+        // Discriminate message type: abi.encode(uint8 type, bytes payload).
+        (uint8 messageType, bytes memory payload) = JBCCIPLib.decodeTypedMessage(any2EvmMessage.data);
 
-        // Call ourselves to process the root.
-        this.fromRemote(root);
-    }
+        // Handle root messages (merkle tree updates with bridged assets).
+        if (messageType == _CCIP_MSG_TYPE_ROOT) {
+            // Decode the root message from the payload.
+            JBMessageRoot memory root = abi.decode(payload, (JBMessageRoot));
 
-    //*********************************************************************//
-    // ------------------------ internal views --------------------------- //
-    //*********************************************************************//
+            // Only unwrap WETH -> ETH when the root targets native token (not when claiming WETH as ERC-20).
+            if (root.token == bytes32(uint256(uint160(JBConstants.NATIVE_TOKEN)))) {
+                JBCCIPLib.unwrapReceivedTokens({
+                    ccipRouter: CCIP_ROUTER, destTokenAmounts: any2EvmMessage.destTokenAmounts
+                });
+            }
 
-    /// @notice Unused in this context.
-    function _isRemotePeer(address sender) internal view override returns (bool _valid) {
-        // NOTICE: We do not check if its the `peer` here, as this contract is supposed to be the caller *NOT* the peer.
-        return sender == address(this);
+            // Forward the root message to this contract's fromRemote handler.
+            this.fromRemote(root);
+        } else {
+            revert JBCCIPSucker_UnknownMessageType(messageType);
+        }
     }
 
     //*********************************************************************//
@@ -199,14 +188,16 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     //*********************************************************************//
 
     /// @notice Uses CCIP to send the root and assets over the bridge to the peer.
-    /// @dev CCIP transport payment refund failures emit a `TransportPaymentRefundFailed` event by design rather
-    /// than reverting. After `ccipSend` commits the bridge message and transfers tokens, reverting the transaction
-    /// would leave the CCIP message in-flight with no corresponding on-chain state update — the tokens would be
-    /// gone, the merkle root never processed, and the outbox inconsistent. Emitting an event preserves
-    /// observability while preventing a single failed refund from blocking the entire bridge operation.
-    /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message.
+    /// @dev Delegates CCIP message construction and sending to JBCCIPLib (via DELEGATECALL) to reduce bytecode.
+    /// @dev Supports two fee modes:
+    ///   - `transportPayment > 0`: pay CCIP fees in native ETH (existing behavior).
+    ///   - `transportPayment == 0`: pay CCIP fees in LINK from the sucker's pre-funded balance.
+    ///     This enables chains with no meaningful native token (e.g. Tempo) to use CCIP.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
     /// @param token The token to bridge the outbox tree for.
+    /// @param amount The amount of tokens to bridge.
     /// @param remoteToken Information about the remote token being bridged to.
+    /// @param sucker_message The message root to send to the remote peer.
     // forge-lint: disable-next-line(mixed-case-function)
     function _sendRootOverAMB(
         uint256 transportPayment,
@@ -218,88 +209,64 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         JBMessageRoot memory sucker_message
     )
         internal
+        virtual
         override
     {
-        // Make sure we are attempting to pay the bridge
-        if (transportPayment == 0) revert JBSucker_ExpectedMsgValue();
-
+        // Start with the base gas limit for cross-chain calls.
         uint256 gasLimit = MESSENGER_BASE_GAS_LIMIT;
         Client.EVMTokenAmount[] memory tokenAmounts;
+
         if (amount != 0) {
-            // If we also do an asset transfer then we increase the min required gas amount.
+            // Add extra gas for the ERC-20 token transfer on the remote chain.
             gasLimit += remoteToken.minGas;
 
-            // Wrap native ETH -> WETH for CCIP bridging. CCIP only transports ERC-20s.
-            // This is why `_validateTokenMapping` enforces minGas for native tokens too.
-            if (token == JBConstants.NATIVE_TOKEN) {
-                // Get the wrapped native token.
-                // slither-disable-next-line calls-loop
-                // forge-lint: disable-next-line(mixed-case-variable)
-                IWrappedNativeToken wrapped_native = CCIP_ROUTER.getWrappedNative();
-                // Deposit the wrapped native asset.
-                // slither-disable-next-line calls-loop,arbitrary-send-eth
-                wrapped_native.deposit{value: amount}();
-                // Update the token to be the wrapped native asset.
-                token = address(wrapped_native);
-            }
-
-            // Set the token amounts
-            tokenAmounts = new Client.EVMTokenAmount[](1);
-            tokenAmounts[0] = Client.EVMTokenAmount({token: token, amount: amount});
-
-            // approve the Router to spend tokens on contract's behalf. It will spend the amount of the given token
-            SafeERC20.forceApprove({token: IERC20(token), spender: address(CCIP_ROUTER), value: amount});
+            // Wrap native ETH -> WETH if needed, build the CCIP token amounts array, and approve the router.
+            // slither-disable-next-line unused-return
+            (tokenAmounts,) = JBCCIPLib.prepareTokenAmounts({ccipRouter: CCIP_ROUTER, token: token, amount: amount});
+        } else {
+            // No tokens to bridge — use an empty array.
+            tokenAmounts = new Client.EVMTokenAmount[](0);
         }
 
-        // Create an EVM2AnyMessage struct in memory with necessary information for sending a cross-chain message
-        // CCIP requires EVM addresses, so convert the bytes32 peer to an address for the receiver field.
-        Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
-            receiver: abi.encode(_toAddress(peer())),
-            data: abi.encode(sucker_message),
+        // Determine fee payment mode: native ETH or LINK token.
+        // When transportPayment == 0, we pay in LINK from the sucker's pre-funded balance.
+        // This enables chains with no meaningful native token (e.g. Tempo).
+        address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
+
+        // Build and send the CCIP message with the root payload.
+        // slither-disable-next-line reentrancy-events
+        (bool refundFailed, uint256 refundAmount) = JBCCIPLib.sendCCIPMessage({
+            ccipRouter: CCIP_ROUTER,
+            remoteChainSelector: REMOTE_CHAIN_SELECTOR,
+            peerAddress: _peerAddress(),
+            transportPayment: transportPayment,
+            feeToken: feeToken,
+            gasLimit: gasLimit,
+            encodedPayload: abi.encode(_CCIP_MSG_TYPE_ROOT, abi.encode(sucker_message)),
             tokenAmounts: tokenAmounts,
-            extraArgs: Client._argsToBytes(
-                // Additional arguments, setting gas limit
-                Client.EVMExtraArgsV1({gasLimit: gasLimit})
-            ),
-            // Set the feeToken to a feeTokenAddress, indicating specific asset will be used for fees,
-            // We pay in the native asset.
-            feeToken: address(0)
+            refundRecipient: _msgSender()
         });
 
-        // Get the fee required to send the CCIP message
-        // slither-disable-next-line calls-loop
-        uint256 fees = CCIP_ROUTER.getFee({destinationChainSelector: REMOTE_CHAIN_SELECTOR, message: message});
+        // Emit an event if the excess transport payment refund failed.
+        if (refundFailed) emit TransportPaymentRefundFailed(_msgSender(), refundAmount);
+    }
 
-        if (fees > transportPayment) {
-            revert JBSucker_InsufficientMsgValue(transportPayment, fees);
-        }
+    //*********************************************************************//
+    // ------------------------ internal views --------------------------- //
+    //*********************************************************************//
 
-        // slither-disable-next-line calls-loop,unused-return
-        CCIP_ROUTER.ccipSend{value: fees}({destinationChainSelector: REMOTE_CHAIN_SELECTOR, message: message});
-
-        // Refund remaining balance. We use a low-level call that does not revert on failure because
-        // `ccipSend` above has already committed the bridge message and transferred the tokens. If we
-        // reverted here (e.g. because the caller is a non-payable contract), the entire transaction
-        // would roll back — but the CCIP message is already in-flight. The tokens would be gone, the
-        // merkle root never gets processed, and the outbox state is inconsistent.
-        //
-        // If the refund fails, the ETH (transportPayment - fees) will be permanently stuck in this
-        // contract. There is no sweep or recovery function — `_addToBalance` only
-        // moves funds tracked via `fromRemote`, not arbitrary ETH. This is an accepted tradeoff:
-        // stuck dust from a fee overpayment is far less harmful than bricking the entire bridge
-        // operation. The event provides observability so it doesn't go unnoticed.
-        //
-        uint256 refundAmount = transportPayment - fees;
-        if (refundAmount != 0) {
-            // slither-disable-next-line calls-loop,msg-value-loop,reentrancy-events
-            (bool sent,) = _msgSender().call{value: refundAmount}("");
-            if (!sent) emit TransportPaymentRefundFailed(_msgSender(), refundAmount);
-        }
+    /// @notice Checks whether the given sender is a remote peer. Unused in this context.
+    /// @param sender The address to check.
+    /// @return _valid Whether the sender is a remote peer.
+    function _isRemotePeer(address sender) internal view override returns (bool _valid) {
+        // We do not check if it is the `peer` here, as this contract is supposed to be the caller *NOT* the peer.
+        return sender == address(this);
     }
 
-    /// @notice Allow sucker implementations to add/override mapping rules to suite their specific needs.
+    /// @notice Validates a token mapping. Allows CCIP-specific mapping rules.
     /// @dev Unlike OP/Arbitrum suckers (which share ETH as native on both chains), this CCIP sucker can connect
     /// chains with different native tokens. This means `NATIVE_TOKEN` may map to an ERC-20 on the remote chain.
+    /// @param map The token mapping to validate.
     ///
     /// Example: ETH mainnet (native = ETH) <-> Celo (native = CELO, ETH is an ERC-20).
     ///   - On mainnet: `mapToken({localToken: NATIVE_TOKEN, remoteToken: celoETH_address})`

package/src/JBOptimismSucker.sol

@@ -7,7 +7,6 @@ import {IJBTokens} from "@bananapus/core-v6/src/interfaces/IJBTokens.sol";
 import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
 import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
 import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
-import {BitMaps} from "@openzeppelin/contracts/utils/structs/BitMaps.sol";
 
 import {JBSucker} from "./JBSucker.sol";
 import {JBOptimismSuckerDeployer} from "./deployers/JBOptimismSuckerDeployer.sol";
@@ -17,13 +16,9 @@ import {IOPMessenger} from "./interfaces/IOPMessenger.sol";
 import {IOPStandardBridge} from "./interfaces/IOPStandardBridge.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
-import {MerkleLib} from "./utils/MerkleLib.sol";
 
 /// @notice A `JBSucker` implementation to suck tokens between two chains connected by an OP Bridge.
 contract JBOptimismSucker is JBSucker, IJBOptimismSucker {
-    using BitMaps for BitMaps.BitMap;
-    using MerkleLib for MerkleLib.Tree;
-
     //*********************************************************************//
     // --------------- public immutable stored properties ---------------- //
     //*********************************************************************//