@bananapus/suckers-v6 0.0.28 → 0.0.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.28",
+  "version": "0.0.30",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -19,8 +19,8 @@
   },
   "dependencies": {
     "@arbitrum/nitro-contracts": "^1.2.1",
-    "@bananapus/core-v6": "^0.0.34",
-    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@bananapus/core-v6": "^0.0.36",
+    "@bananapus/permission-ids-v6": "^0.0.19",
     "@chainlink/contracts-ccip": "^1.6.0",
     "@chainlink/local": "github:smartcontractkit/chainlink-local#v0.2.7",
     "@openzeppelin/contracts": "^5.6.1",

package/src/JBSucker.sol

@@ -178,11 +178,10 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     /// @dev The `currency` and `decimals` fields describe the denomination; `value` is the balance amount.
     JBDenominatedAmount private _peerChainBalance;
 
-    /// @notice Outbound project-wide snapshot counter. Incremented each time `_sendRoot` is called.
-    uint64 private _snapshotNonce;
-
-    /// @notice The highest snapshot nonce received from the peer chain. Used to reject stale shared-state updates.
-    uint64 private _peerSnapshotNonce;
+    /// @notice The `block.timestamp` from the source chain when the most recent accepted peer snapshot was taken.
+    /// @dev Only snapshots with a strictly newer source timestamp are accepted, preventing stale rollbacks.
+    /// Returns 0 if no snapshot has been received yet.
+    uint256 public snapshotTimestamp;
 
     //*********************************************************************//
     // ---------------------------- constructor -------------------------- //
@@ -400,12 +399,12 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             emit StaleRootRejected({token: localToken, receivedNonce: root.remoteRoot.nonce, currentNonce: inbox.nonce});
         }
 
-        // --- Project-wide shared state update (gated by snapshot nonce) ---
-        // The snapshot nonce is a project-wide counter independent of per-token outbox nonces.
+        // --- Project-wide shared state update (gated by source timestamp) ---
+        // Only accept snapshots whose source timestamp is strictly newer than the last accepted one.
         // This prevents a staler per-token message from rolling back shared state (surplus, balance, supply)
         // that was already updated by a fresher message for a different token.
-        if (root.snapshotNonce > _peerSnapshotNonce) {
-            _peerSnapshotNonce = root.snapshotNonce;
+        if (root.sourceTimestamp > snapshotTimestamp) {
+            snapshotTimestamp = root.sourceTimestamp;
 
             // Update unconditionally — a legitimate zero supply must clear phantom cached supply.
             peerChainTotalSupply = root.sourceTotalSupply;
@@ -1489,7 +1488,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             nonce: nonce,
             root: root,
             messageVersion: MESSAGE_VERSION,
-            snapshotNonce: ++_snapshotNonce
+            sourceTimestamp: block.timestamp
         });
 
         // Send the root over the AMB (positional args — slither IR parser crashes on named args here).

package/src/JBSwapCCIPSucker.sol

@@ -405,10 +405,13 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
         PendingSwap memory pending = pendingSwapOf[localToken][nonce];
         if (pending.bridgeAmount == 0) revert JBSwapCCIPSucker_NoPendingSwap();
 
-        // slither-disable-next-line reentrancy-no-eth,reentrancy-benign,reentrancy-events
+        // slither-disable-next-line reentrancy-no-eth,reentrancy-benign,reentrancy-events,reentrancy-eth
         uint256 localAmount =
             _executeSwap({tokenIn: pending.bridgeToken, tokenOut: localToken, amount: pending.bridgeAmount});
 
+        // Revert on zero output — matches outbound guard at toRemote.
+        if (localAmount == 0) revert JBSwapCCIPSucker_SwapFailed();
+
         // Update the conversion rate so claims can proceed, then clear the pending swap.
         _conversionRateOf[localToken][nonce] = ConversionRate({leafTotal: pending.leafTotal, localTotal: localAmount});
         delete pendingSwapOf[localToken][nonce];
@@ -430,7 +433,10 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
         if (_retrySwapLocked) revert JBSwapCCIPSucker_SwapPending(0);
         // slither-disable-next-line events-maths
         _currentClaimLeafIndex = claimData.leaf.index + 1;
+        // slither-disable-next-line reentrancy-eth
         super.claim(claimData);
+        // Clear stale transient context to prevent leaking into same-tx emergency exits.
+        _currentClaimLeafIndex = 0;
     }
 
     //*********************************************************************//
@@ -453,14 +459,14 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
         if (_currentClaimLeafIndex != 0) {
             uint64 nonce = _findNonceForLeafIndex({token: token, leafIndex: _currentClaimLeafIndex - 1});
             if (nonce != 0) {
+                // Gate on pending swaps — if a swap failed and hasn't been retried yet,
+                // claims must wait. This check must come BEFORE the leafTotal gate so that
+                // failed swaps (where _conversionRateOf was never written) still block claims.
+                if (pendingSwapOf[token][nonce].bridgeAmount > 0) {
+                    revert JBSwapCCIPSucker_SwapPending(nonce);
+                }
                 ConversionRate storage rate = _conversionRateOf[token][nonce];
                 if (rate.leafTotal > 0) {
-                    // Gate on pending swaps — if a swap failed and hasn't been retried yet,
-                    // claims must wait. Check pendingSwapOf rather than localTotal == 0 to
-                    // distinguish a pending swap from a legitimately zero-output swap.
-                    if (pendingSwapOf[token][nonce].bridgeAmount > 0) {
-                        revert JBSwapCCIPSucker_SwapPending(nonce);
-                    }
                     amount = amount * rate.localTotal / rate.leafTotal;
                 }
             }

package/src/libraries/JBSuckerLib.sol

@@ -219,7 +219,7 @@ library JBSuckerLib {
     /// @param nonce The outbox nonce for this send.
     /// @param root The merkle root of the outbox tree.
     /// @param messageVersion The message format version.
-    /// @param snapshotNonce The snapshot nonce (caller should pre-increment).
+    /// @param sourceTimestamp The `block.timestamp` on the source chain when the snapshot is taken.
     /// @return message The constructed JBMessageRoot.
     function buildSnapshotMessage(
         IJBDirectory directory,
@@ -229,7 +229,7 @@ library JBSuckerLib {
         uint64 nonce,
         bytes32 root,
         uint8 messageVersion,
-        uint64 snapshotNonce
+        uint256 sourceTimestamp
     )
         external
         view
@@ -268,7 +268,7 @@ library JBSuckerLib {
             sourceDecimals: _ETH_DECIMALS,
             sourceSurplus: ethSurplus,
             sourceBalance: ethBalance,
-            snapshotNonce: snapshotNonce
+            sourceTimestamp: sourceTimestamp
         });
     }
 

package/src/libraries/JBSwapPoolLib.sol

@@ -167,6 +167,12 @@ library JBSwapPoolLib {
                 IWrappedNativeToken(config.weth).withdraw(amountOut);
             }
         }
+
+        // V4 outputs native ETH for WETH-paired pools. If the caller requested WETH (not NATIVE_TOKEN),
+        // wrap the received ETH so the caller gets the token they expect.
+        if (isV4 && tokenOut != JBConstants.NATIVE_TOKEN && normalizedOut == config.weth) {
+            IWrappedNativeToken(config.weth).deposit{value: amountOut}();
+        }
     }
 
     /// @notice Execute the body of a V4 unlock callback. Called via DELEGATECALL from the sucker's

package/src/structs/JBMessageRoot.sol

@@ -17,9 +17,8 @@ import {JBInboxTreeRoot} from "./JBInboxTreeRoot.sol";
 /// `sourceDecimals` precision.
 /// @custom:member sourceBalance The total recorded balance on the source chain, denominated in `sourceCurrency` at
 /// `sourceDecimals` precision.
-/// @custom:member snapshotNonce A project-wide counter that orders shared-state snapshots independently of per-token
-/// outbox nonces. Used by the receiving chain to reject stale surplus/balance/supply updates without blocking
-/// token-local inbox root updates.
+/// @custom:member sourceTimestamp The `block.timestamp` on the source chain when the snapshot was taken. Used by the
+/// receiving chain to reject stale surplus/balance/supply updates without blocking token-local inbox root updates.
 struct JBMessageRoot {
     uint8 version;
     bytes32 token;
@@ -30,5 +29,5 @@ struct JBMessageRoot {
     uint8 sourceDecimals;
     uint256 sourceSurplus;
     uint256 sourceBalance;
-    uint64 snapshotNonce;
+    uint256 sourceTimestamp;
 }

package/test/AdversarialSuckerFork.t.sol

@@ -0,0 +1,449 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.28;
+
+import {CCIPSuckerClaimForkTestBase, LeafData} from "./ForkClaimMainnet.t.sol";
+import {JBSucker} from "../src/JBSucker.sol";
+import {JBClaim} from "../src/structs/JBClaim.sol";
+import {JBLeaf} from "../src/structs/JBLeaf.sol";
+import {JBConstants} from "@bananapus/core-v6/src/libraries/JBConstants.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+// forge-lint: disable-next-line(unaliased-plain-import)
+import "forge-std/Test.sol";
+
+/// @notice Adversarial fork tests for the CCIP sucker: multi-root, stale-proof, and double-send scenarios.
+/// @dev Extends `CCIPSuckerClaimForkTestBase` (Ethereum -> Arbitrum) and exercises edge cases around
+/// the append-only outbox merkle tree, sequential root delivery, and inbox nonce gating.
+///
+/// The outbox merkle tree is **append-only**: `prepare()` inserts leaves and `toRemote()` reads the
+/// current cumulative root without clearing the tree. This means nonce=2's root is the root of the
+/// tree containing ALL leaves (including those from nonce=1). Proofs must always be computed against
+/// the LATEST delivered root on the inbox side.
+contract AdversarialSuckerForkTest is CCIPSuckerClaimForkTestBase {
+    // ── Chain-specific overrides (Ethereum -> Arbitrum, same as EthArbClaimForkTest)
+    // ──────────────────────────────────────────────────────────────────────────────
+
+    function _l1RpcUrl() internal pure override returns (string memory) {
+        return "ethereum";
+    }
+
+    function _l2RpcUrl() internal pure override returns (string memory) {
+        return "arbitrum";
+    }
+
+    function _l1ChainId() internal pure override returns (uint256) {
+        return 1;
+    }
+
+    function _l2ChainId() internal pure override returns (uint256) {
+        return 42_161;
+    }
+
+    function _l1ForkBlock() internal pure override returns (uint256) {
+        return 21_700_000;
+    }
+
+    function _l2ForkBlock() internal pure override returns (uint256) {
+        return 300_000_000;
+    }
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Test 1: Claim with stale root after newer root delivered
+    // ════════════════════════════════════════════════════════════════════════
+    //
+    // Scenario:
+    //   - User A prepares (leaf 0, tree count = 1)
+    //   - toRemote sends root with nonce=1 (root of 1-leaf tree)
+    //   - Deliver nonce=1 to L2 inbox
+    //   - User B prepares (leaf 1, tree count = 2)
+    //   - toRemote sends root with nonce=2 (root of 2-leaf tree)
+    //   - Deliver nonce=2 to L2 inbox (overwrites inbox root)
+    //   - Attempt to claim User A's leaf using the STALE proof from nonce=1's tree
+    //
+    // Expected: The stale proof FAILS because the inbox root is now nonce=2's root (2-leaf tree),
+    // and the zero proof (valid for a single-leaf tree) does not match. The outbox tree is
+    // append-only, so nonce=2's root is the cumulative root of both leaves -- a different value
+    // from nonce=1's root.
+    //
+    // After the stale proof fails, we verify User A CAN claim with a proof computed against
+    // the 2-leaf tree (using leafB.hashed as the sibling at proof[0]).
+    //
+    // ════════════════════════════════════════════════════════════════════════
+
+    function test_adversarial_claimAgainstStaleRootAfterNewerRoot() external {
+        address userA = makeAddr("userA");
+        address userB = makeAddr("userB");
+        uint256 amountToSend = 0.05 ether;
+
+        // ── L1: User A pays and prepares ──
+        vm.selectFork(l1Fork);
+        address token = _terminalToken();
+        _mapTerminalToken();
+
+        LeafData memory leafA = _mapPayAndPrepare(userA, amountToSend);
+        assertEq(leafA.index, 0, "User A should be at index 0");
+
+        // toRemote: sends nonce=1 root (1-leaf tree).
+        (bytes32 root1, uint64 nonce1) = _sendToRemote();
+        assertEq(nonce1, 1, "First toRemote should produce nonce 1");
+        assertEq(root1, leafA.root, "Root 1 should match leaf A's root from InsertToOutboxTree");
+
+        // ── Deliver nonce=1 to L2 ──
+        vm.selectFork(l2Fork);
+        token = _terminalToken();
+        _deliverToL2(root1, nonce1, leafA.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root1, "Inbox should hold root from nonce=1");
+
+        // ── L1: User B pays and prepares (tree now has 2 leaves) ──
+        vm.selectFork(l1Fork);
+        LeafData memory leafB = _mapPayAndPrepare(userB, amountToSend);
+        assertEq(leafB.index, 1, "User B should be at index 1");
+
+        // toRemote: sends nonce=2 root (2-leaf tree, cumulative).
+        (bytes32 root2, uint64 nonce2) = _sendToRemote();
+        assertEq(nonce2, 2, "Second toRemote should produce nonce 2");
+        assertTrue(root2 != root1, "Root 2 (2-leaf) should differ from root 1 (1-leaf)");
+
+        // ── Deliver nonce=2 to L2 (overwrites inbox root) ──
+        // IMPORTANT: _deliverToL2 uses vm.deal which SETS the balance (not adds).
+        // Since we need to claim BOTH leaves after nonce=2 delivery, we must provide
+        // the cumulative amount so the sucker can fund both claims.
+        vm.selectFork(l2Fork);
+        token = _terminalToken();
+        _deliverToL2(root2, nonce2, leafA.terminalTokenAmount + leafB.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root2, "Inbox should now hold root from nonce=2");
+
+        // ── Attempt to claim User A's leaf with STALE proof (from nonce=1's 1-leaf tree) ──
+        // The zero proof is correct for a 1-leaf tree but NOT for a 2-leaf tree.
+        vm.expectPartialRevert(JBSucker.JBSucker_InvalidProof.selector);
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: _zeroProof() // Stale proof: valid for root1 but NOT root2.
+            })
+        );
+
+        // ── User A CAN claim with the correct proof against the 2-leaf tree ──
+        // In a 2-leaf tree, the sibling of leaf A (index 0) is leaf B's hash at proof[0].
+        bytes32[32] memory correctProofA = _zeroProof();
+        correctProofA[0] = leafB.hashed;
+
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: correctProofA
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userA, 1),
+            leafA.projectTokenCount,
+            "User A should receive tokens after claiming with correct 2-leaf proof"
+        );
+
+        // ── User B claims normally against the 2-leaf tree ──
+        bytes32[32] memory correctProofB = _zeroProof();
+        correctProofB[0] = leafA.hashed;
+
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafB.index,
+                    beneficiary: leafB.beneficiary,
+                    projectTokenCount: leafB.projectTokenCount,
+                    terminalTokenAmount: leafB.terminalTokenAmount
+                }),
+                proof: correctProofB
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userB, 1),
+            leafB.projectTokenCount,
+            "User B should receive tokens after claiming with correct 2-leaf proof"
+        );
+    }
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Test 2: Multiple sequential roots before any claims
+    // ════════════════════════════════════════════════════════════════════════
+    //
+    // Scenario:
+    //   - User A prepares (leaf 0)
+    //   - toRemote (nonce=1, root of 1-leaf tree)
+    //   - User B prepares (leaf 1)
+    //   - toRemote (nonce=2, root of 2-leaf tree)
+    //   - Deliver nonce=1 to L2 (inbox root = root1)
+    //   - Deliver nonce=2 to L2 (inbox root = root2, overwrites root1)
+    //   - Attempt to claim User A with nonce=1 proof (zero proof) -> should FAIL
+    //   - Claim User A with nonce=2 proof (leafB sibling) -> should SUCCEED
+    //   - Claim User B with nonce=2 proof (leafA sibling) -> should SUCCEED
+    //
+    // Key insight: Even though nonce=1 was delivered first, nonce=2 overwrites the inbox root.
+    // All claims must use proofs against nonce=2's root. The append-only tree ensures leaf A
+    // is still in nonce=2's tree, just with a different proof path.
+    //
+    // ════════════════════════════════════════════════════════════════════════
+
+    function test_adversarial_multipleRootsBeforeClaims() external {
+        address userA = makeAddr("userA");
+        address userB = makeAddr("userB");
+        uint256 amountToSend = 0.05 ether;
+
+        // ── L1: User A prepares ──
+        vm.selectFork(l1Fork);
+        address token = _terminalToken();
+        _mapTerminalToken();
+
+        LeafData memory leafA = _mapPayAndPrepare(userA, amountToSend);
+
+        // toRemote nonce=1 (1-leaf tree).
+        (bytes32 root1, uint64 nonce1) = _sendToRemote();
+
+        // ── L1: User B prepares ──
+        LeafData memory leafB = _mapPayAndPrepare(userB, amountToSend);
+
+        // toRemote nonce=2 (2-leaf tree).
+        (bytes32 root2, uint64 nonce2) = _sendToRemote();
+
+        // ── Deliver both roots to L2 in order ──
+        vm.selectFork(l2Fork);
+        token = _terminalToken();
+
+        // Deliver nonce=1 first.
+        _deliverToL2(root1, nonce1, leafA.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root1, "Inbox should initially hold root1");
+
+        // Deliver nonce=2 (overwrites). Use cumulative amount since both claims happen after this.
+        _deliverToL2(root2, nonce2, leafA.terminalTokenAmount + leafB.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root2, "Inbox should now hold root2 after nonce=2 delivery");
+
+        // ── Attempt to claim User A with nonce=1's proof (zero proof) ──
+        // This MUST fail because inbox root is now root2 (2-leaf tree).
+        vm.expectPartialRevert(JBSucker.JBSucker_InvalidProof.selector);
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: _zeroProof()
+            })
+        );
+
+        // ── Claim User A with correct proof against the 2-leaf tree ──
+        bytes32[32] memory proofA = _zeroProof();
+        proofA[0] = leafB.hashed;
+
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: proofA
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userA, 1),
+            leafA.projectTokenCount,
+            "User A claim should succeed with nonce=2 proof"
+        );
+
+        // ── Claim User B (only exists in nonce=2's tree) ──
+        bytes32[32] memory proofB = _zeroProof();
+        proofB[0] = leafA.hashed;
+
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafB.index,
+                    beneficiary: leafB.beneficiary,
+                    projectTokenCount: leafB.projectTokenCount,
+                    terminalTokenAmount: leafB.terminalTokenAmount
+                }),
+                proof: proofB
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userB, 1),
+            leafB.projectTokenCount,
+            "User B claim should succeed with nonce=2 proof"
+        );
+    }
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Test 3: Double toRemote (empty outbox)
+    // ════════════════════════════════════════════════════════════════════════
+    //
+    // Scenario:
+    //   - User prepares
+    //   - toRemote succeeds (outbox cleared: balance=0, numberOfClaimsSent=tree.count)
+    //   - toRemote again immediately — outbox is empty
+    //   - Expected: reverts with JBSucker_NothingToSend
+    //
+    // The guard is: `outbox.balance == 0 && outbox.tree.count == outbox.numberOfClaimsSent`
+    // After the first toRemote, balance is cleared and numberOfClaimsSent is set to tree.count,
+    // so the second call hits this guard and reverts.
+    //
+    // ════════════════════════════════════════════════════════════════════════
+
+    function test_adversarial_doubleToRemote() external {
+        address user = makeAddr("user");
+
+        // ── L1: User pays and prepares ──
+        vm.selectFork(l1Fork);
+        _mapTerminalToken();
+        _mapPayAndPrepare(user, 0.05 ether);
+
+        // First toRemote: should succeed.
+        _sendToRemote();
+
+        // Second toRemote: outbox is empty, should revert.
+        address token = _terminalToken();
+        address rootSender = makeAddr("doubleRootSender");
+        uint256 ccipFeeAmount = 1 ether;
+        vm.deal(rootSender, ccipFeeAmount);
+
+        vm.expectRevert(abi.encodeWithSelector(JBSucker.JBSucker_NothingToSend.selector));
+        vm.prank(rootSender);
+        suckerL1.toRemote{value: ccipFeeAmount}(token);
+    }
+
+    // ════════════════════════════════════════════════════════════════════════
+    // Test 4: Prepare after toRemote starts new batch
+    // ════════════════════════════════════════════════════════════════════════
+    //
+    // Scenario:
+    //   - User A prepares (leaf 0)
+    //   - toRemote sends root (nonce=1, 1-leaf tree)
+    //   - User B prepares (leaf 1 in the SAME append-only tree -- new "batch")
+    //   - toRemote sends root (nonce=2, 2-leaf tree)
+    //   - Deliver nonce=1 to L2, then deliver nonce=2 to L2
+    //   - Claim User A's leaf from first batch -> verify success
+    //   - Claim User B's leaf from second batch -> verify success
+    //
+    // Key: Even though User B's leaf was in a "new batch" (prepared after User A's toRemote),
+    // the outbox tree is cumulative. Nonce=2's root contains BOTH leaves. After nonce=2 delivery
+    // overwrites the inbox root, claims for both User A and User B must use proofs against the
+    // 2-leaf tree root.
+    //
+    // BUT: if we want to claim User A from nonce=1's root, we must do it BEFORE nonce=2
+    // overwrites it. This test demonstrates both orderings:
+    //   (a) Deliver nonce=1, claim User A against root1 (1-leaf proof)
+    //   (b) Deliver nonce=2, claim User B against root2 (2-leaf proof)
+    //
+    // ════════════════════════════════════════════════════════════════════════
+
+    function test_adversarial_prepareAfterToRemote_newBatch() external {
+        address userA = makeAddr("userA");
+        address userB = makeAddr("userB");
+        uint256 amountToSend = 0.05 ether;
+
+        // ── L1: User A prepares ──
+        vm.selectFork(l1Fork);
+        address token = _terminalToken();
+        _mapTerminalToken();
+
+        LeafData memory leafA = _mapPayAndPrepare(userA, amountToSend);
+        assertEq(leafA.index, 0, "User A should be at index 0");
+
+        // toRemote nonce=1 (1-leaf tree root).
+        (bytes32 root1, uint64 nonce1) = _sendToRemote();
+
+        // ── L1: User B prepares after toRemote (new "batch", same tree) ──
+        LeafData memory leafB = _mapPayAndPrepare(userB, amountToSend);
+        assertEq(leafB.index, 1, "User B should be at index 1");
+
+        // toRemote nonce=2 (2-leaf tree root).
+        (bytes32 root2, uint64 nonce2) = _sendToRemote();
+
+        // ── Deliver nonce=1 to L2 and claim User A immediately ──
+        vm.selectFork(l2Fork);
+        token = _terminalToken();
+
+        _deliverToL2(root1, nonce1, leafA.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root1, "Inbox should hold root1");
+
+        // Claim User A against root1 (single-leaf tree, zero proof).
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: _zeroProof()
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userA, 1),
+            leafA.projectTokenCount,
+            "User A should receive tokens from nonce=1 claim"
+        );
+
+        // ── Deliver nonce=2 to L2 (overwrites inbox root) ──
+        _deliverToL2(root2, nonce2, leafB.terminalTokenAmount);
+        assertEq(suckerL1.inboxOf(token).root, root2, "Inbox should now hold root2");
+
+        // Claim User B against root2 (2-leaf tree, sibling = leafA.hashed).
+        bytes32[32] memory proofB = _zeroProof();
+        proofB[0] = leafA.hashed;
+
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafB.index,
+                    beneficiary: leafB.beneficiary,
+                    projectTokenCount: leafB.projectTokenCount,
+                    terminalTokenAmount: leafB.terminalTokenAmount
+                }),
+                proof: proofB
+            })
+        );
+        assertEq(
+            jbTokens().totalBalanceOf(userB, 1),
+            leafB.projectTokenCount,
+            "User B should receive tokens from nonce=2 claim"
+        );
+
+        // ── Verify double-claim for User A reverts (already claimed above) ──
+        bytes32[32] memory proofA2 = _zeroProof();
+        proofA2[0] = leafB.hashed;
+
+        vm.expectRevert(abi.encodeWithSelector(JBSucker.JBSucker_LeafAlreadyExecuted.selector, token, leafA.index));
+        suckerL1.claim(
+            JBClaim({
+                token: token,
+                leaf: JBLeaf({
+                    index: leafA.index,
+                    beneficiary: leafA.beneficiary,
+                    projectTokenCount: leafA.projectTokenCount,
+                    terminalTokenAmount: leafA.terminalTokenAmount
+                }),
+                proof: proofA2
+            })
+        );
+    }
+}

package/test/ForkArbitrum.t.sol

@@ -66,6 +66,7 @@ contract ForkArbitrumDeployerTest is TestBaseWorkflow, IERC721Receiver {
 
         // ── L1 (Ethereum mainnet)
         l1Fork = vm.createSelectFork("ethereum");
+        vm.rollFork(block.number - 5);
         super.setUp();
         vm.stopPrank();
 
@@ -97,6 +98,7 @@ contract ForkArbitrumDeployerTest is TestBaseWorkflow, IERC721Receiver {
 
         // ── L2 (Arbitrum mainnet)
         l2Fork = vm.createSelectFork("arbitrum");
+        vm.rollFork(block.number - 5);
         super.setUp();
         vm.stopPrank();
 
@@ -253,6 +255,7 @@ contract ForkArbitrumNativeTransferTest is TestBaseWorkflow {
 
         // ── L1 (Ethereum mainnet)
         l1Fork = vm.createSelectFork("ethereum");
+        vm.rollFork(block.number - 5);
         super.setUp();
         vm.stopPrank();
 

package/test/ForkCelo.t.sol

@@ -87,6 +87,7 @@ contract ForkCeloTest is TestBaseWorkflow {
         // ── L1 (Ethereum)
         // ────────────────────────────────────────────────────────────
         l1Fork = vm.createSelectFork("ethereum");
+        vm.rollFork(block.number - 5);
 
         // Deploy full JB infrastructure on L1.
         super.setUp();
@@ -131,6 +132,7 @@ contract ForkCeloTest is TestBaseWorkflow {
         // ── L2 (Celo)
         // ────────────────────────────────────────────────────────────
         l2Fork = vm.createSelectFork("celo");
+        vm.rollFork(block.number - 5);
 
         // Deploy full JB infrastructure on Celo.
         super.setUp();