@bananapus/suckers-v6 0.0.27 → 0.0.28

package/RISKS.md

@@ -24,6 +24,7 @@ This file focuses on the bridge-like risks in the sucker system: merkle-root pro
 - **CCIP:** trusts `CCIP_ROUTER` identity plus `any2EvmMessage.sender` and `sourceChainSelector`. The router address is immutable at deploy time -- if Chainlink rotates routers, the sucker is bricked (no upgrade path).
 - **CREATE2 peer assumption.** `peer()` defaults to `address(this)`, assuming deterministic cross-chain deployment. Breaks if deployer address, init code, or factory nonce differs across chains. Incorrect peer = permanent fund loss (messages accepted from nobody, or routed to wrong address).
 - **Controller/terminal must exist on destination chain.** `_handleClaim` calls `controllerOf(projectId).mintTokensOf()`. If the project does not exist or has no controller on the remote chain, all claims permanently revert -- funds are stuck.
+- **Registry allowlisting does not verify deployer singleton provenance.** `JBSuckerRegistry.deploySuckersFor()` only checks the deployer allowlist, not the singleton implementation behind the deployer. `configureSingleton()` can point an approved deployer at any JBSucker singleton. This is a privileged-only concern (both deployer configuration and registry allowlisting require governance). Defense: validate deployer configuration during registry allowlist reviews.
 - **No reentrancy guard.** The contract relies on state ordering (mark-executed-before-external-call) rather than explicit ReentrancyGuard. Correct today, but fragile to future refactors.
 
 ## 2. Merkle Tree Risks
@@ -41,6 +42,7 @@ This file focuses on the bridge-like risks in the sucker system: merkle-root pro
 - **CCIP: no guaranteed delivery order.** CCIP does not guarantee in-order delivery. The contract handles this by accepting any nonce > current, but concurrent `toRemote` calls for the same token could result in a later root arriving first, skipping an intermediate root.
 - **OP Stack: generally ordered** but the L1-to-L2 message must be relayed by an off-chain actor. A delayed or dropped relay permanently blocks claims until someone retries the relay.
 - **Message loss.** If an AMB silently fails (accepts the message on L1 but never delivers to L2), `numberOfClaimsSent` is incremented but the remote peer never receives the root. Those leaves are blocked from both remote claim and local emergency exit (conservative: locked, not double-spent). Recovery requires enabling the emergency hatch.
+- **Aggregate balance accounting.** `amountToAddToBalanceOf(token)` computes `balanceOf(this) - outbox.balance`, making all contract-held tokens fungible claim backing. This is intentional: all funds serve the same project, so refunded ETH (from failed Arbitrum retryable tickets) and stale native deliveries correctly become project-claimable. The tradeoff is that later roots can consume liquidity from earlier failed batches, but the project is the ultimate beneficiary in all cases.
 - **`fromRemote` does not revert on stale nonce.** By design, stale/duplicate messages are silently ignored (emitting `StaleRootRejected`). This prevents fund loss on native token transfers where reverting would lose the ETH, but means monitoring must watch for this event to detect bridge issues.
 
 ## 4. Token Mapping Risks
@@ -62,7 +64,7 @@ This file focuses on the bridge-like risks in the sucker system: merkle-root pro
 - **Renounced registry ownership risk.** If the registry owner calls `renounceOwnership()`, `setToRemoteFee()` becomes permanently uncallable and the fee is frozen at its current value across all suckers. This is a deliberate trade-off: it allows the registry owner to credibly commit to a fee level, but eliminates the ability to respond to future ETH price changes. The fee is still capped at `MAX_TO_REMOTE_FEE`, so the maximum downside is bounded.
 - **Immutable fee project.** `FEE_PROJECT_ID` is set at construction and cannot be changed. If the fee project is abandoned or its terminal removed, there is no way to redirect fees without deploying new suckers.
 - **Cross-reference: sucker registration path.** Suckers are deployed via `JBSuckerRegistry.deploySuckersFor`, which requires `DEPLOY_SUCKERS` permission from the project owner. The registry's `deploy` function uses `CREATE2` with a deployer-specific salt. The sucker's `peer()` address is deterministic — a misconfigured peer means the sucker accepts messages from the wrong remote address. See [nana-omnichain-deployers-v6 RISKS.md](../nana-omnichain-deployers-v6/RISKS.md) for deployer-level risks.
-- **Registry aggregate views fail open.** `JBSuckerRegistry.remoteBalanceOf`, `remoteSurplusOf`, and `remoteTotalSupplyOf` sum values across active suckers but silently skip any sucker that reverts. This preserves liveness for dashboards and cross-chain estimates, but it means the returned aggregate can understate remote state whenever one peer is broken, censored, deprecated incorrectly, or simply expensive to query.
+- **Registry aggregate views fail open.** `JBSuckerRegistry.remoteBalanceOf`, `remoteSurplusOf`, and `remoteTotalSupplyOf` include both active and deprecated suckers with per-chain deduplication (max per chain, not sum). When multiple suckers target the same peer chain (e.g., during migration), the highest reported value is used. The views silently skip any sucker that reverts. This preserves liveness for dashboards and cross-chain estimates, but it means the returned aggregate can understate remote state whenever one peer is broken, censored, or simply expensive to query.
 
 ## 6. Deprecation Lifecycle
 
@@ -83,6 +85,8 @@ This file focuses on the bridge-like risks in the sucker system: merkle-root pro
 - **Claim vs emergency exit use separate bitmap slots.** Emergency exit uses `_executedFor[keccak256(abi.encode(terminalToken))]` while regular claims use `_executedFor[terminalToken]`. This means a leaf that was emergency-exited locally could theoretically also be claimed remotely if the root was already sent -- double-spend is prevented only by the `numberOfClaimsSent` check.
 - **`numberOfClaimsSent` is the critical guard.** Emergency exit reverts if `outbox.numberOfClaimsSent != 0 && outbox.numberOfClaimsSent - 1 >= index`. The `numberOfClaimsSent != 0` precondition prevents underflow when no root has ever been sent — in that case, all leaves are available for emergency exit. This means leaves at indices below `numberOfClaimsSent` cannot be emergency-exited (they may have been sent to the remote peer). If `_sendRootOverAMB` silently fails, these leaves are permanently locked.
 - **Emergency exit decrements `outbox.balance`.** If emergency exits drain the outbox balance below the amount that was already sent to the bridge, the accounting becomes inconsistent. The contract guards against this by only allowing exit for unsent leaves.
+- **Emergency exit recipient is the leaf beneficiary.** `exitThroughEmergencyHatch()` refunds to `claimData.leaf.beneficiary`, not the original `prepare()` caller. The depositor chose this beneficiary when preparing the bridge; the leaf structure does not store the depositor address. If Alice prepares for Bob and the bridge fails, Bob gets the emergency refund, not Alice. This is the intended behavior: the depositor delegated their claim to the beneficiary.
+- **`numberOfClaimsSent` advancement timing.** `_sendRoot()` sets `numberOfClaimsSent` before `_sendRootOverAMB()` completes. If the L1 transaction succeeds but L2 delivery fails, those leaves are blocked from emergency exit. Mitigations: Arbitrum retryable tickets can be manually re-executed on L2; Optimism messages can be re-relayed by anyone. If delivery permanently fails, `enableEmergencyHatchFor()` combined with project owner intervention can recover. Adding a rollback mechanism would introduce double-spend risk (leaf claimable on both chains). Current design is conservative: locked funds are preferable to double-spent funds.
 - **Emergency hatch + minting.** Emergency exit calls `_handleClaim`, which mints project tokens via the controller. If the controller or token contract is broken/missing, emergency exits also revert -- there is no "raw withdrawal" of terminal tokens without minting.
 
 ## 8. DoS Vectors
@@ -130,7 +134,11 @@ The fee is paid to `FEE_PROJECT_ID` (the protocol project), not to the sucker's
 
 ### 10.5 Registry aggregate views prioritize liveness over completeness
 
-`JBSuckerRegistry.remoteBalanceOf`, `remoteSurplusOf`, and `remoteTotalSupplyOf` intentionally use `try/catch` around each sucker and silently ignore peers that revert. This is accepted because a single bad peer should not brick every cross-chain dashboard or estimator. The trade-off is that these read surfaces are best-effort only: consumers must treat them as lower bounds, not exact reconciled totals, unless they independently verify that every active sucker responded successfully.
+`JBSuckerRegistry.remoteBalanceOf`, `remoteSurplusOf`, and `remoteTotalSupplyOf` intentionally use `try/catch` around each sucker and silently ignore peers that revert. Both active and deprecated suckers are included, with per-chain deduplication: when multiple suckers target the same peer chain (e.g., during a migration window), the highest reported value is used to avoid double-counting. This is accepted because a single bad peer should not brick every cross-chain dashboard or estimator. The trade-off is that these read surfaces are best-effort only: consumers must treat them as lower bounds, not exact reconciled totals, unless they independently verify that every active sucker responded successfully.
+
+### 10.8 Zero-output swap batches route to pendingSwapOf
+
+When `JBSwapCCIPSucker.ccipReceive` receives bridge tokens and the swap succeeds but returns zero local tokens (e.g., due to extreme price impact or dust amounts), the batch is routed to `pendingSwapOf` for later retry via `retrySwap`. Without this, claims would proceed with zero terminal backing, minting unbacked project tokens. The trade-off is that these batches require a manual `retrySwap` call once pool conditions improve. Anyone can call `retrySwap` — it is permissionless.
 
 ### 10.6 Hookless V4 spot pricing is sandwich-vulnerable by design
 
@@ -139,3 +147,7 @@ When the only available Uniswap pool for a cross-denomination swap is a hookless
 ### 10.7 `mapTokens` refunds ETH on enable-only batches
 
 `mapTokens()` only uses `msg.value` when one or more mappings are being disabled and need transport payment for the final root flush. If every mapping in the batch is enable-only (`numberToDisable == 0`), the full `msg.value` is refunded to `_msgSender()`. If the refund transfer fails (e.g., the caller is a non-payable contract), the call reverts with `JBSucker_RefundFailed`. When disables are present, any dust remainder from integer division (`msg.value % numberToDisable`) is also refunded on a best-effort basis.
+
+### 10.9 Zero-value `prepare()` is allowed
+
+`prepare()` does not reject `projectTokenCount == 0`. A zero-value check would be trivially bypassed by passing `1` instead, so it provides no real protection against remap-window consumption. The cost to create a leaf with `projectTokenCount = 1` is negligible (1 wei of project tokens). The one-time remap window is protected by the token mapping's `enabled` flag and the outbox tree count, not by minimum deposit requirements.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.27",
+  "version": "0.0.28",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBArbitrumSucker.sol

@@ -20,6 +20,7 @@ import {JBLayer} from "./enums/JBLayer.sol";
 import {IArbGatewayRouter} from "./interfaces/IArbGatewayRouter.sol";
 import {IArbL1GatewayRouter} from "./interfaces/IArbL1GatewayRouter.sol";
 import {IArbL2GatewayRouter} from "./interfaces/IArbL2GatewayRouter.sol";
+import {IL1ArbitrumGateway} from "./interfaces/IL1ArbitrumGateway.sol";
 import {IJBArbitrumSucker} from "./interfaces/IJBArbitrumSucker.sol";
 import {ARBChains} from "./libraries/ARBChains.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
@@ -256,12 +257,26 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         // If the token is an ERC-20, bridge it to the peer.
         // If the amount is `0` then we do not need to bridge any ERC20.
         if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
-            // Calculate the cost of the ERC-20 transfer. (96 is the length of the abi encoded `data`)
-            // slither-disable-next-line calls-loop
-            uint256 maxSubmissionCostERC20 =
-                ARBINBOX.calculateRetryableSubmissionFee({dataLength: 96, baseFee: maxFeePerGas});
-
-            uint256 tokenTransportCost = maxSubmissionCostERC20 + (remoteToken.minGas * maxFeePerGas);
+            uint256 tokenTransportCost;
+            uint256 maxSubmissionCostERC20;
+            {
+                // Get the exact calldata length the gateway will create for the retryable ticket.
+                // The Arbitrum Inbox validates maxSubmissionCost against this actual payload, not the user data.
+                // slither-disable-next-line calls-loop
+                address gateway = GATEWAYROUTER.getGateway(token);
+                // slither-disable-next-line calls-loop
+                uint256 outboundCalldataLength =
+                    IL1ArbitrumGateway(gateway)
+                .getOutboundCalldata({
+                    _token: token, _from: address(this), _to: _peerAddress(), _amount: amount, _data: bytes("")
+                })
+                .length;
+                // slither-disable-next-line calls-loop
+                maxSubmissionCostERC20 = ARBINBOX.calculateRetryableSubmissionFee({
+                    dataLength: outboundCalldataLength, baseFee: maxFeePerGas
+                });
+                tokenTransportCost = maxSubmissionCostERC20 + (remoteToken.minGas * maxFeePerGas);
+            }
 
             // Ensure we bridge enough for gas costs on L2 side
             if (transportPayment < callTransportCost + tokenTransportCost) {

package/src/JBCCIPSucker.sol

@@ -228,8 +228,9 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         }
 
         // Determine fee payment mode: native ETH or LINK token.
-        // When transportPayment == 0, we pay in LINK from the sucker's pre-funded balance.
-        // This enables chains with no meaningful native token (e.g. Tempo).
+        // When transportPayment == 0, we pay in LINK pulled from the caller via transferFrom.
+        // This enables chains with no meaningful native token (e.g. Tempo) while keeping
+        // toRemote permissionless — the caller provides LINK inline with their bridge intent.
         address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
 
         // Build and send the CCIP message with the root payload.
@@ -240,6 +241,7 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
             peerAddress: _peerAddress(),
             transportPayment: transportPayment,
             feeToken: feeToken,
+            feeTokenPayer: feeToken != address(0) ? _msgSender() : address(0),
             gasLimit: gasLimit,
             encodedPayload: abi.encode(_CCIP_MSG_TYPE_ROOT, abi.encode(sucker_message)),
             tokenAmounts: tokenAmounts,

package/src/JBSucker.sol

@@ -561,7 +561,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
         uint256 nextEarliestDeprecationTime = block.timestamp + _maxMessagingDelay();
 
         // The deprecation can be entirely disabled *or* it has to be later than the earliest possible time.
-        if (timestamp != 0 && timestamp < nextEarliestDeprecationTime) {
+        if (timestamp != 0 && timestamp <= nextEarliestDeprecationTime) {
             revert JBSucker_DeprecationTimestampTooSoon({
                 givenTime: timestamp, minimumTime: nextEarliestDeprecationTime
             });
@@ -982,6 +982,9 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
         // (e.g., the bridge is non-functional), the project owner can call `enableEmergencyHatchFor` to allow
         // local withdrawals via `exitThroughEmergencyHatch`.
         if (map.remoteToken == bytes32(0) && _outboxOf[token].numberOfClaimsSent != _outboxOf[token].tree.count) {
+            // Disable before external call to prevent reentrancy via prepare().
+            // _sendRoot uses the `currentMapping` parameter, not storage, so this is safe.
+            _remoteTokenFor[token].enabled = false;
             _sendRoot({transportPayment: transportPaymentValue, token: token, remoteToken: currentMapping});
         }
 

package/src/JBSuckerRegistry.sol

@@ -191,7 +191,9 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
     }
 
     /// @notice The cumulative balance across all remote peer chains for a project, denominated in a given currency.
-    /// @dev Sums `peerChainBalanceOf` from each active sucker. Silently skips suckers that revert.
+    /// @dev Includes both active and deprecated suckers to prevent undercounting during migration windows.
+    /// Uses per-chain deduplication (max per chain, not sum) to prevent double-counting when both a deprecated and
+    /// active sucker exist for the same chain. Silently skips suckers that revert.
     /// @param projectId The ID of the project.
     /// @param decimals The decimal precision for the returned value.
     /// @param currency The currency to normalize to.
@@ -207,25 +209,65 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
         returns (uint256 balance)
     {
         address[] memory allSuckers = _suckersOf[projectId].keys();
-        for (uint256 i; i < allSuckers.length;) {
+        uint256 len = allSuckers.length;
+
+        // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
+        // so a linear scan is cheaper than a mapping.
+        uint256[] memory chainIds = new uint256[](len);
+        uint256[] memory maxBalances = new uint256[](len);
+        uint256 chainCount;
+
+        for (uint256 i; i < len;) {
             // slither-disable-next-line unused-return
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
-            if (val == _SUCKER_EXISTS) {
+            // Include both active and deprecated suckers in aggregate economic views.
+            if (val == _SUCKER_EXISTS || val == _SUCKER_DEPRECATED) {
                 // slither-disable-next-line calls-loop
                 try IJBSucker(allSuckers[i]).peerChainBalanceOf(decimals, currency) returns (
                     JBDenominatedAmount memory amt
                 ) {
-                    balance += amt.value;
+                    // slither-disable-next-line calls-loop
+                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    // Per-chain max: if multiple suckers target the same chain (deprecated + active
+                    // during migration), take the highest value to avoid double-counting.
+                    bool found;
+                    for (uint256 j; j < chainCount;) {
+                        if (chainIds[j] == chainId) {
+                            if (amt.value > maxBalances[j]) maxBalances[j] = amt.value;
+                            found = true;
+                            break;
+                        }
+                        unchecked {
+                            ++j;
+                        }
+                    }
+                    if (!found) {
+                        chainIds[chainCount] = chainId;
+                        maxBalances[chainCount] = amt.value;
+                        unchecked {
+                            ++chainCount;
+                        }
+                    }
                 } catch {}
             }
             unchecked {
                 ++i;
             }
         }
+
+        // Sum the per-chain max values.
+        for (uint256 k; k < chainCount;) {
+            balance += maxBalances[k];
+            unchecked {
+                ++k;
+            }
+        }
     }
 
     /// @notice The cumulative surplus across all remote peer chains for a project, denominated in a given currency.
-    /// @dev Sums `peerChainSurplusOf` from each active sucker. Silently skips suckers that revert.
+    /// @dev Includes both active and deprecated suckers to prevent undercounting during migration windows.
+    /// Uses per-chain deduplication (max per chain, not sum) to prevent double-counting when both a deprecated and
+    /// active sucker exist for the same chain. Silently skips suckers that revert.
     /// @param projectId The ID of the project.
     /// @param decimals The decimal precision for the returned value.
     /// @param currency The currency to normalize to.
@@ -241,42 +283,120 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
         returns (uint256 surplus)
     {
         address[] memory allSuckers = _suckersOf[projectId].keys();
-        for (uint256 i; i < allSuckers.length;) {
+        uint256 len = allSuckers.length;
+
+        // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
+        // so a linear scan is cheaper than a mapping.
+        uint256[] memory chainIds = new uint256[](len);
+        uint256[] memory maxSurplus = new uint256[](len);
+        uint256 chainCount;
+
+        for (uint256 i; i < len;) {
             // slither-disable-next-line unused-return
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
-            if (val == _SUCKER_EXISTS) {
+            // Include both active and deprecated suckers in aggregate economic views.
+            if (val == _SUCKER_EXISTS || val == _SUCKER_DEPRECATED) {
                 // slither-disable-next-line calls-loop
                 try IJBSucker(allSuckers[i]).peerChainSurplusOf(decimals, currency) returns (
                     JBDenominatedAmount memory amt
                 ) {
-                    surplus += amt.value;
+                    // slither-disable-next-line calls-loop
+                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    // Per-chain max: if multiple suckers target the same chain (deprecated + active
+                    // during migration), take the highest value to avoid double-counting.
+                    bool found;
+                    for (uint256 j; j < chainCount;) {
+                        if (chainIds[j] == chainId) {
+                            if (amt.value > maxSurplus[j]) maxSurplus[j] = amt.value;
+                            found = true;
+                            break;
+                        }
+                        unchecked {
+                            ++j;
+                        }
+                    }
+                    if (!found) {
+                        chainIds[chainCount] = chainId;
+                        maxSurplus[chainCount] = amt.value;
+                        unchecked {
+                            ++chainCount;
+                        }
+                    }
                 } catch {}
             }
             unchecked {
                 ++i;
             }
         }
+
+        // Sum the per-chain max values.
+        for (uint256 k; k < chainCount;) {
+            surplus += maxSurplus[k];
+            unchecked {
+                ++k;
+            }
+        }
     }
 
     /// @notice The cumulative total supply across all remote peer chains for a project.
-    /// @dev Sums `peerChainTotalSupply` from each active sucker. Silently skips suckers that revert.
+    /// @dev Includes both active and deprecated suckers to prevent undercounting during migration windows.
+    /// Uses per-chain deduplication (max per chain, not sum) to prevent double-counting when both a deprecated and
+    /// active sucker exist for the same chain. Silently skips suckers that revert.
     /// @param projectId The ID of the project.
     /// @return totalSupply The combined peer chain total supply.
     function remoteTotalSupplyOf(uint256 projectId) external view override returns (uint256 totalSupply) {
         address[] memory allSuckers = _suckersOf[projectId].keys();
-        for (uint256 i; i < allSuckers.length;) {
+        uint256 len = allSuckers.length;
+
+        // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
+        // so a linear scan is cheaper than a mapping.
+        uint256[] memory chainIds = new uint256[](len);
+        uint256[] memory maxSupply = new uint256[](len);
+        uint256 chainCount;
+
+        for (uint256 i; i < len;) {
             // slither-disable-next-line unused-return
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
-            if (val == _SUCKER_EXISTS) {
+            // Include both active and deprecated suckers in aggregate economic views.
+            if (val == _SUCKER_EXISTS || val == _SUCKER_DEPRECATED) {
                 // slither-disable-next-line calls-loop
                 try IJBSucker(allSuckers[i]).peerChainTotalSupply() returns (uint256 supply) {
-                    totalSupply += supply;
+                    // slither-disable-next-line calls-loop
+                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    // Per-chain max: if multiple suckers target the same chain (deprecated + active
+                    // during migration), take the highest value to avoid double-counting.
+                    bool found;
+                    for (uint256 j; j < chainCount;) {
+                        if (chainIds[j] == chainId) {
+                            if (supply > maxSupply[j]) maxSupply[j] = supply;
+                            found = true;
+                            break;
+                        }
+                        unchecked {
+                            ++j;
+                        }
+                    }
+                    if (!found) {
+                        chainIds[chainCount] = chainId;
+                        maxSupply[chainCount] = supply;
+                        unchecked {
+                            ++chainCount;
+                        }
+                    }
                 } catch {}
             }
             unchecked {
                 ++i;
             }
         }
+
+        // Sum the per-chain max values.
+        for (uint256 k; k < chainCount;) {
+            totalSupply += maxSupply[k];
+            unchecked {
+                ++k;
+            }
+        }
     }
 
     //*********************************************************************//

package/src/JBSwapCCIPSucker.sol

@@ -313,12 +313,35 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 }
             }
 
-            // Store conversion rate whenever the batch has leaf-denomination tokens, even if
-            // localAmount == 0 (swap rounded to zero). Without this, claims for this nonce would
-            // skip scaling and use the raw leaf amount, draining backing from other batches.
+            // Zero-output swap guard: When a swap succeeds but returns zero local tokens, the
+            // batch must NOT be marked claimable. Without this guard, `_addToBalance` would see
+            // `pendingSwapOf.bridgeAmount == 0` (no pending swap stored) and allow claims to
+            // proceed — minting the full bridged project-token amount while adding zero terminal
+            // backing, breaking cross-chain solvency.
+            //
+            // Route zero-output swaps into `pendingSwapOf` so the swap can be retried via
+            // `retrySwap` once pool conditions improve. Only store the conversion rate when
+            // the swap produced a positive local amount.
             if (root.amount > 0) {
-                _conversionRateOf[localToken][root.remoteRoot.nonce] =
-                    ConversionRate({leafTotal: root.amount, localTotal: localAmount});
+                if (localAmount == 0 && any2EvmMessage.destTokenAmounts.length == 1) {
+                    Client.EVMTokenAmount memory zeroSwapTokenAmount = any2EvmMessage.destTokenAmounts[0];
+                    // Only route to pending if there were actual bridge tokens delivered.
+                    // If bridgeAmount is also 0 (zero-value batch), store the conversion rate
+                    // normally — there is nothing to retry.
+                    if (zeroSwapTokenAmount.amount > 0) {
+                        pendingSwapOf[localToken][root.remoteRoot.nonce] = PendingSwap({
+                            bridgeToken: zeroSwapTokenAmount.token,
+                            bridgeAmount: zeroSwapTokenAmount.amount,
+                            leafTotal: root.amount
+                        });
+                    } else {
+                        _conversionRateOf[localToken][root.remoteRoot.nonce] =
+                            ConversionRate({leafTotal: root.amount, localTotal: 0});
+                    }
+                } else {
+                    _conversionRateOf[localToken][root.remoteRoot.nonce] =
+                        ConversionRate({leafTotal: root.amount, localTotal: localAmount});
+                }
             }
 
             // Store the inbox merkle root for later claims.
@@ -563,6 +586,7 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 peerAddress: _toAddress(peer()),
                 transportPayment: transportPayment,
                 feeToken: feeToken,
+                feeTokenPayer: feeToken != address(0) ? _msgSender() : address(0),
                 gasLimit: MESSENGER_BASE_GAS_LIMIT + remoteToken.minGas,
                 encodedPayload: encodedPayload,
                 tokenAmounts: tokenAmounts,

package/src/interfaces/IL1ArbitrumGateway.sol

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+/// @notice Interface for Arbitrum L1 gateways to query the exact calldata they construct for retryable tickets.
+interface IL1ArbitrumGateway {
+    /// @notice Returns the calldata that the gateway will submit as a retryable ticket to the Inbox.
+    /// @param _token The L1 token address.
+    /// @param _from The sender on L1.
+    /// @param _to The recipient on L2.
+    /// @param _amount The amount of tokens being bridged.
+    /// @param _data Additional data (forwarded to the L2 gateway).
+    /// @return The ABI-encoded calldata for `finalizeInboundTransfer` on the L2 gateway.
+    function getOutboundCalldata(
+        address _token,
+        address _from,
+        address _to,
+        uint256 _amount,
+        bytes calldata _data
+    )
+        external
+        view
+        returns (bytes memory);
+}

package/src/libraries/JBCCIPLib.sol

@@ -68,13 +68,14 @@ library JBCCIPLib {
     /// @dev Runs via DELEGATECALL. Handles EVM2AnyMessage construction, getFee, ccipSend, and refund.
     /// @dev Supports two fee modes:
     ///   - `transportPayment > 0`: pay CCIP fees in native ETH (existing behavior).
-    ///   - `transportPayment == 0`: pay CCIP fees in LINK from the sucker's pre-funded balance.
+    ///   - `transportPayment == 0`: pay CCIP fees in LINK pulled from the caller via transferFrom.
     ///     This enables chains with no meaningful native token (e.g. Tempo) to use CCIP.
     /// @param ccipRouter The CCIP router.
     /// @param remoteChainSelector The CCIP chain selector for the remote chain.
     /// @param peerAddress The peer sucker address on the remote chain.
     /// @param transportPayment The ETH transport payment available (0 for LINK fee mode).
     /// @param feeToken The fee token address: address(0) for native ETH, LINK address for LINK fee mode.
+    /// @param feeTokenPayer The address to pull LINK fees from via transferFrom (0 to use sucker's own balance).
     /// @param gasLimit The gas limit for the CCIP message.
     /// @param encodedPayload The ABI-encoded payload (e.g., abi.encode(type, data)).
     /// @param tokenAmounts The token amounts to bridge (from prepareTokenAmounts).
@@ -87,6 +88,7 @@ library JBCCIPLib {
         address peerAddress,
         uint256 transportPayment,
         address feeToken,
+        address feeTokenPayer,
         uint256 gasLimit,
         bytes memory encodedPayload,
         Client.EVMTokenAmount[] memory tokenAmounts,
@@ -95,6 +97,10 @@ library JBCCIPLib {
         external
         returns (bool refundFailed, uint256 refundAmount)
     {
+        // Cache to reduce stack pressure.
+        address router = address(ccipRouter);
+        uint64 chainSel = remoteChainSelector;
+
         // Build the CCIP message.
         Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
             receiver: abi.encode(peerAddress),
@@ -106,10 +112,17 @@ library JBCCIPLib {
 
         // Get the CCIP fee for sending the message.
         // slither-disable-next-line calls-loop
-        uint256 fees = ccipRouter.getFee({destinationChainSelector: remoteChainSelector, message: message});
+        uint256 fees = ICCIPRouter(router).getFee({destinationChainSelector: chainSel, message: message});
 
         if (feeToken != address(0)) {
-            // LINK fee path: approve the router to spend LINK from the sucker's balance.
+            // LINK fee path: pull the fee from the caller so toRemote stays permissionless.
+            // The caller must approve LINK to the sucker before calling toRemote.
+            if (feeTokenPayer != address(0)) {
+                // slither-disable-next-line arbitrary-send-erc20
+                IERC20(feeToken).safeTransferFrom({from: feeTokenPayer, to: address(this), value: fees});
+            }
+
+            // Approve the router to spend LINK (fee + any bridged LINK amount).
             // When the fee token is also a bridged token (e.g. LINK on Tempo), the approval
             // must cover both the bridged amount and the fee. prepareTokenAmounts() already
             // approved the bridged amount, but forceApprove replaces (not adds), so we must
@@ -121,14 +134,14 @@ library JBCCIPLib {
                     break;
                 }
             }
-            SafeERC20.forceApprove({token: IERC20(feeToken), spender: address(ccipRouter), value: totalApproval});
+            SafeERC20.forceApprove({token: IERC20(feeToken), spender: router, value: totalApproval});
 
             // slither-disable-next-line calls-loop,unused-return
-            ccipRouter.ccipSend({destinationChainSelector: remoteChainSelector, message: message});
+            ICCIPRouter(router).ccipSend({destinationChainSelector: chainSel, message: message});
         } else {
             // Native ETH fee path.
             // slither-disable-next-line calls-loop,unused-return,arbitrary-send-eth
-            ccipRouter.ccipSend{value: fees}({destinationChainSelector: remoteChainSelector, message: message});
+            ICCIPRouter(router).ccipSend{value: fees}({destinationChainSelector: chainSel, message: message});
 
             // Calculate the excess transport payment to refund.
             refundAmount = transportPayment - fees;

package/test/ForkClaimMainnet.t.sol

@@ -417,9 +417,12 @@ abstract contract CCIPSuckerClaimForkTestBase is TestBaseWorkflow {
             vm.prank(rootSender);
             suckerL1.toRemote{value: ccipFeeAmount}(token);
         } else {
-            // LINK fee path: pre-fund sucker with LINK, call toRemote with msg.value = 0.
+            // LINK fee path: caller provides LINK inline — approve + transferFrom.
             address linkToken = _linkTokenOf(block.chainid);
-            deal(linkToken, address(suckerL1), IERC20(linkToken).balanceOf(address(suckerL1)) + 100 ether);
+            uint256 linkForFees = 100 ether;
+            deal(linkToken, rootSender, linkForFees);
+            vm.prank(rootSender);
+            IERC20(linkToken).approve({spender: address(suckerL1), value: linkForFees});
             vm.prank(rootSender);
             suckerL1.toRemote(token);
         }

package/test/ForkMainnet.t.sol

@@ -344,21 +344,22 @@ abstract contract CCIPSuckerMainnetForkTestBase is TestBaseWorkflow {
             assertLt(rootSender.balance, ccipFeeAmount, "CCIP fees should have been deducted");
             assertGt(rootSender.balance, 0, "Excess native should be returned");
         } else {
-            // LINK fee path: pre-fund sucker with LINK, call toRemote with msg.value = 0.
+            // LINK fee path: caller provides LINK inline — approve + transferFrom.
             // On Tempo, CALLVALUE always returns 0, so transportPayment = 0, triggering LINK fee mode.
             address linkToken = _linkTokenOf(block.chainid);
             uint256 linkForFees = 100 ether;
-            deal(linkToken, address(suckerL1), IERC20(linkToken).balanceOf(address(suckerL1)) + linkForFees);
-            uint256 suckerLinkBefore = IERC20(linkToken).balanceOf(address(suckerL1));
-
+            deal(linkToken, rootSender, linkForFees);
+            uint256 senderLinkBefore = IERC20(linkToken).balanceOf(rootSender);
+            vm.prank(rootSender);
+            IERC20(linkToken).approve({spender: address(suckerL1), value: linkForFees});
             vm.prank(rootSender);
             suckerL1.toRemote(token);
 
-            // Verify LINK was consumed for CCIP fees.
+            // Verify LINK was consumed from the caller for CCIP fees.
             assertLt(
-                IERC20(linkToken).balanceOf(address(suckerL1)),
-                suckerLinkBefore,
-                "LINK should have been consumed for CCIP fees"
+                IERC20(linkToken).balanceOf(rootSender),
+                senderLinkBefore,
+                "LINK should have been consumed from caller for CCIP fees"
             );
         }
 

package/test/ForkSwapMainnet.t.sol

@@ -310,19 +310,21 @@ abstract contract SwapCCIPSuckerForkTestBase is TestBaseWorkflow {
             assertLt(rootSender.balance, ccipFeeAmount, "CCIP fees should have been deducted");
             assertGt(rootSender.balance, 0, "Excess native should be returned");
         } else {
-            // LINK fee path: pre-fund sucker with LINK, call toRemote with msg.value = 0.
+            // LINK fee path: caller provides LINK inline — approve + transferFrom.
             address linkToken = CCIPHelper.linkOfChain(block.chainid);
-            deal(linkToken, address(suckerL1), IERC20(linkToken).balanceOf(address(suckerL1)) + 100 ether);
-            uint256 suckerLinkBefore = IERC20(linkToken).balanceOf(address(suckerL1));
-
+            uint256 linkForFees = 100 ether;
+            deal(linkToken, rootSender, linkForFees);
+            uint256 senderLinkBefore = IERC20(linkToken).balanceOf(rootSender);
+            vm.prank(rootSender);
+            IERC20(linkToken).approve({spender: address(suckerL1), value: linkForFees});
             vm.prank(rootSender);
             suckerL1.toRemote(token);
 
-            // Verify LINK was consumed for CCIP fees.
+            // Verify LINK was consumed from the caller for CCIP fees.
             assertLt(
-                IERC20(linkToken).balanceOf(address(suckerL1)),
-                suckerLinkBefore,
-                "LINK should have been consumed for CCIP fees"
+                IERC20(linkToken).balanceOf(rootSender),
+                senderLinkBefore,
+                "LINK should have been consumed from caller for CCIP fees"
             );
         }
 

package/test/SuckerAttacks.t.sol

@@ -473,7 +473,7 @@ contract SuckerAttacks is Test {
         // The sucker uses outbox.balance for validation, so large claims should fail
 
         // Set up deprecated state for emergency exit
-        uint256 deprecationTimestamp = block.timestamp + 14 days;
+        uint256 deprecationTimestamp = block.timestamp + 14 days + 1;
         // forge-lint: disable-next-line(unsafe-typecast)
         sucker.setDeprecation(uint40(deprecationTimestamp));
         vm.warp(deprecationTimestamp);

package/test/SuckerRegressions.t.sol

@@ -243,7 +243,7 @@ contract SuckerRegressionsTest is Test {
         uint256 projectTokenCount = 5 ether;
 
         // Set up the sucker to be deprecated so emergency exit is allowed.
-        uint256 deprecationTimestamp = block.timestamp + 14 days;
+        uint256 deprecationTimestamp = block.timestamp + 14 days + 1;
         // forge-lint: disable-next-line(unsafe-typecast)
         sucker.setDeprecation(uint40(deprecationTimestamp));
         vm.warp(deprecationTimestamp);