@bananapus/suckers-v6 0.0.38 → 0.0.40

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.38",
+  "version": "0.0.40",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -31,7 +31,7 @@
   "dependencies": {
     "@arbitrum/nitro-contracts": "3.2.0",
     "@bananapus/core-v6": "^0.0.44",
-    "@bananapus/permission-ids-v6": "^0.0.23",
+    "@bananapus/permission-ids-v6": "^0.0.25",
     "@chainlink/contracts-ccip": "1.6.4",
     "@chainlink/local": "0.2.7",
     "@openzeppelin/contracts": "5.6.1",

package/src/JBSuckerRegistry.sol

@@ -497,6 +497,13 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
         // default peer symmetry assumption will not hold.
         salt = keccak256(abi.encode(sender, salt));
 
+        // Cache the project owner so the explicit-peer gate can check against the original authority, not a
+        // delegated operator. The default same-address peering invariant (peer == 0 or peer == address(this))
+        // does not need this stronger gate, but a non-symmetric explicit peer authorizes that arbitrary address
+        // to deliver outbox roots and mint project tokens — so it must require a permission strictly broader
+        // than ops automation's `DEPLOY_SUCKERS`.
+        address projectOwner = PROJECTS.ownerOf(projectId);
+
         // Iterate through the configurations and deploy the suckers.
         for (uint256 i; i < configurations.length;) {
             // Get the configuration being iterated over.
@@ -507,6 +514,18 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
                 revert JBSuckerRegistry_InvalidDeployer({deployer: configuration.deployer});
             }
 
+            // If the configuration specifies a non-symmetric explicit peer, require the additional
+            // `SET_SUCKER_PEER` permission. Default peering (peer == 0 or peer == bytes32 of address(this)) is
+            // unaffected. Without this gate, a delegated operator with only `DEPLOY_SUCKERS` could register an
+            // attacker peer and use the resulting sucker's mint authority to deliver fabricated outbox roots.
+            // forge-lint: disable-next-line(unsafe-typecast)
+            bytes32 selfPeer = bytes32(uint256(uint160(address(this))));
+            if (configuration.peer != bytes32(0) && configuration.peer != selfPeer) {
+                _requirePermissionFrom({
+                    account: projectOwner, projectId: projectId, permissionId: JBPermissionIds.SET_SUCKER_PEER
+                });
+            }
+
             // Create the sucker.
             IJBSucker sucker = configuration.deployer
             .createForSender({localProjectId: projectId, salt: salt, peer: configuration.peer});

package/src/JBSwapCCIPSucker.sol

@@ -224,7 +224,7 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
         POOL_MANAGER = swapDeployer.poolManager();
         V3_FACTORY = swapDeployer.v3Factory();
         UNIV4_HOOK = swapDeployer.univ4Hook();
-        WRAPPED_NATIVE_TOKEN = IWrappedNativeToken(swapDeployer.weth());
+        WRAPPED_NATIVE_TOKEN = IWrappedNativeToken(swapDeployer.wrappedNativeToken());
 
         if (address(BRIDGE_TOKEN) == address(0)) {
             revert JBSwapCCIPSucker_InvalidBridgeToken({
@@ -306,20 +306,25 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 }
             }
 
-            // Capture the inbox nonce before fromRemote to detect whether the root was accepted.
-            uint64 inboxNonceBefore = _inboxOf[localToken].nonce;
-
             // Store the inbox merkle root for later claims.
             // Must be called BEFORE writing batch metadata and conversion rates so that stale
             // (duplicate/replayed) roots that fromRemote silently rejects do not overwrite
             // metadata from the original accepted delivery.
             this.fromRemote(root);
 
-            // Only write batch metadata and conversion rates if fromRemote accepted this root.
-            // fromRemote updates _inboxOf[localToken].nonce when the root's nonce is strictly
-            // greater than the current inbox nonce; stale roots are silently rejected.
-            // We detect acceptance by checking if the nonce actually changed.
-            if (_inboxOf[localToken].nonce > inboxNonceBefore) {
+            // Write batch metadata if this nonce hasn't been seen before.
+            // Decoupled from nonce advancement to support out-of-order CCIP delivery:
+            // if nonce 2 arrives before nonce 1, fromRemote only advances the inbox for nonce 2,
+            // but we still need to record nonce 1's batch metadata when it arrives later.
+            // The Merkle tree is append-only, so nonce 1's leaves are provable against nonce 2's root.
+            //
+            // Detect "already seen" without extra storage: a nonce has been processed if it has
+            // either a batch range (batchEnd > 0) or a conversion rate / pending swap recorded.
+            if (
+                _batchEndOf[localToken][root.remoteRoot.nonce] == 0
+                    && _conversionRateOf[localToken][root.remoteRoot.nonce].leafTotal == 0
+                    && pendingSwapOf[localToken][root.remoteRoot.nonce].leafTotal == 0
+            ) {
                 // Record the batch range so _findNonceForLeafIndex can resolve leaf ownership
                 // independently of nonce ordering. Each nonce is self-describing: [start, end).
                 if (batchEnd > 0) {
@@ -605,7 +610,7 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 v3Factory: V3_FACTORY,
                 poolManager: POOL_MANAGER,
                 univ4Hook: UNIV4_HOOK,
-                weth: address(WRAPPED_NATIVE_TOKEN)
+                wrappedNativeToken: address(WRAPPED_NATIVE_TOKEN)
             }),
             tokenIn: tokenIn,
             tokenOut: tokenOut,

package/src/deployers/JBSwapCCIPSuckerDeployer.sol

@@ -42,7 +42,7 @@ contract JBSwapCCIPSuckerDeployer is JBCCIPSuckerDeployer, IJBSwapCCIPSuckerDepl
     address public univ4Hook;
 
     /// @notice The ERC-20 wrapper address for the chain's native token (e.g. WETH on Ethereum).
-    address public weth;
+    address public wrappedNativeToken;
 
     //*********************************************************************//
     // ---------------------------- constructor -------------------------- //
@@ -72,13 +72,13 @@ contract JBSwapCCIPSuckerDeployer is JBCCIPSuckerDeployer, IJBSwapCCIPSuckerDepl
     /// @param _poolManager The Uniswap V4 PoolManager (can be address(0) if V4 unavailable).
     /// @param _v3Factory The Uniswap V3 factory (can be address(0) if V3 unavailable).
     /// @param _univ4Hook The V4 hook for pool discovery (optional, address(0) if none).
-    /// @param _weth The ERC-20 wrapper address for the chain's native token (e.g. WETH on Ethereum).
+    /// @param _wrappedNativeToken The ERC-20 wrapper address for the chain's native token (e.g. WETH on Ethereum).
     function setSwapConstants(
         IERC20 _bridgeToken,
         IPoolManager _poolManager,
         IUniswapV3Factory _v3Factory,
         address _univ4Hook,
-        address _weth
+        address _wrappedNativeToken
     )
         external
     {
@@ -110,6 +110,6 @@ contract JBSwapCCIPSuckerDeployer is JBCCIPSuckerDeployer, IJBSwapCCIPSuckerDepl
         univ4Hook = _univ4Hook;
 
         // Store the wrapped native token address.
-        weth = _weth;
+        wrappedNativeToken = _wrappedNativeToken;
     }
 }

package/src/interfaces/IJBSwapCCIPSuckerDeployer.sol

@@ -24,5 +24,5 @@ interface IJBSwapCCIPSuckerDeployer is IJBCCIPSuckerDeployer {
 
     /// @notice The ERC-20 wrapper address for the chain's native token (e.g. WETH on Ethereum). Used for V3 native
     /// swaps.
-    function weth() external view returns (address);
+    function wrappedNativeToken() external view returns (address);
 }

package/src/libraries/JBSuckerLib.sol

@@ -130,11 +130,11 @@ library JBSuckerLib {
                                     projectId: projectId,
                                     pricingCurrency: tokenCurrency,
                                     unitCurrency: JBCurrencyIds.ETH,
-                                    decimals: _ETH_DECIMALS
+                                    decimals: dec
                                 }) returns (
                                     uint256 price
                                 ) {
-                                    ethBalance += mulDiv({x: bal, y: price, denominator: 10 ** dec});
+                                    ethBalance += mulDiv({x: bal, y: 10 ** _ETH_DECIMALS, denominator: price});
                                 } catch {}
                             }
                         }

package/src/libraries/JBSwapPoolLib.sol

@@ -77,12 +77,13 @@ library JBSwapPoolLib {
     /// @custom:member v3Factory The Uniswap V3 factory used for pool discovery.
     /// @custom:member poolManager The Uniswap V4 pool manager used for V4 pool queries and swaps.
     /// @custom:member univ4Hook The address of the Uniswap V4 hook contract to search for hooked pools.
-    /// @custom:member weth The address of the ERC-20 wrapper for the chain's native token (e.g. WETH on Ethereum).
+    /// @custom:member wrappedNativeToken The address of the ERC-20 wrapper for the chain's native token (e.g. WETH on
+    /// Ethereum).
     struct SwapConfig {
         IUniswapV3Factory v3Factory;
         IPoolManager poolManager;
         address univ4Hook;
-        address weth;
+        address wrappedNativeToken;
     }
 
     //*********************************************************************//
@@ -109,8 +110,8 @@ library JBSwapPoolLib {
         returns (uint256 amountOut)
     {
         // Normalize NATIVE_TOKEN sentinel to the wrapped native token for pool lookups.
-        address normalizedIn = _normalize({token: tokenIn, weth: config.weth});
-        address normalizedOut = _normalize({token: tokenOut, weth: config.weth});
+        address normalizedIn = _normalize({token: tokenIn, wrappedNativeToken: config.wrappedNativeToken});
+        address normalizedOut = _normalize({token: tokenOut, wrappedNativeToken: config.wrappedNativeToken});
 
         // No swap needed if tokens are the same after normalization (e.g., NATIVE_TOKEN and wrapped native token).
         if (normalizedIn == normalizedOut) return amount;
@@ -167,15 +168,15 @@ library JBSwapPoolLib {
             }
             // V3 outputs wrapped native token for native pairs — unwrap to raw native token.
             if (tokenOut == JBConstants.NATIVE_TOKEN) {
-                IWrappedNativeToken(config.weth).withdraw(amountOut);
+                IWrappedNativeToken(config.wrappedNativeToken).withdraw(amountOut);
             }
         }
 
         // V4 outputs native tokens for wrapped-native-paired pools. If the caller requested the wrapped form
         // (not NATIVE_TOKEN), wrap the received native tokens so the caller gets the token they expect.
-        if (isV4 && tokenOut != JBConstants.NATIVE_TOKEN && normalizedOut == config.weth) {
+        if (isV4 && tokenOut != JBConstants.NATIVE_TOKEN && normalizedOut == config.wrappedNativeToken) {
             // Wrap through the configured wrapped native token contract.
-            IWrappedNativeToken(config.weth).deposit{value: amountOut}();
+            IWrappedNativeToken(config.wrappedNativeToken).deposit{value: amountOut}();
         }
     }
 
@@ -193,7 +194,7 @@ library JBSwapPoolLib {
             int256 amountSpecified,
             uint160 sqrtPriceLimitX96,
             uint256 minAmountOut,
-            address weth
+            address wrappedNativeToken
         ) = abi.decode(data, (PoolKey, bool, int256, uint160, uint256, address));
 
         uint256 amountIn;
@@ -237,8 +238,14 @@ library JBSwapPoolLib {
         // Settle input (pay what we owe to the PoolManager).
         Currency inputCurrency = zeroForOne ? key.currency0 : key.currency1;
         if (Currency.unwrap(inputCurrency) == address(0)) {
-            // Native token: unwrap if needed, then settle by sending native value directly.
-            if (weth != address(0)) IWrappedNativeToken(weth).withdraw(amountIn);
+            // Native token: unwrap wrapped native token if the caller holds it, then settle directly.
+            // The buyback hook holds wrapped native tokens (needs unwrap), while suckers hold raw ETH (skip unwrap).
+            if (wrappedNativeToken != address(0)) {
+                uint256 wrappedBalance = IERC20(wrappedNativeToken).balanceOf(address(this));
+                if (wrappedBalance >= amountIn) {
+                    IWrappedNativeToken(wrappedNativeToken).withdraw(amountIn);
+                }
+            }
             poolManager.settle{value: amountIn}();
         } else {
             // ERC-20: sync the currency balance, transfer tokens, then settle.
@@ -440,8 +447,8 @@ library JBSwapPoolLib {
         address sorted0;
         address sorted1;
         {
-            address v4In = normalizedTokenIn == config.weth ? address(0) : normalizedTokenIn;
-            address v4Out = normalizedTokenOut == config.weth ? address(0) : normalizedTokenOut;
+            address v4In = normalizedTokenIn == config.wrappedNativeToken ? address(0) : normalizedTokenIn;
+            address v4Out = normalizedTokenOut == config.wrappedNativeToken ? address(0) : normalizedTokenOut;
 
             // Sort tokens to match the V4 currency ordering convention.
             (sorted0, sorted1) = v4In < v4Out ? (v4In, v4Out) : (v4Out, v4In);
@@ -668,8 +675,8 @@ library JBSwapPoolLib {
         minAmountOut = _quoteWithSlippage({
             amount: amount,
             liquidity: liquidity,
-            tokenIn: normalizedTokenIn == config.weth ? address(0) : normalizedTokenIn,
-            tokenOut: normalizedTokenOut == config.weth ? address(0) : normalizedTokenOut,
+            tokenIn: normalizedTokenIn == config.wrappedNativeToken ? address(0) : normalizedTokenIn,
+            tokenOut: normalizedTokenOut == config.wrappedNativeToken ? address(0) : normalizedTokenOut,
             tick: tick,
             poolFeeBps: feeBps
         });
@@ -1001,7 +1008,7 @@ library JBSwapPoolLib {
         returns (uint256 amountOut)
     {
         // Convert wrapped native token to address(0) for V4's native token convention.
-        address v4In = normalizedTokenIn == config.weth ? address(0) : normalizedTokenIn;
+        address v4In = normalizedTokenIn == config.wrappedNativeToken ? address(0) : normalizedTokenIn;
 
         // Determine swap direction based on currency ordering in the pool key.
         bool zeroForOne = Currency.unwrap(key.currency0) == v4In;
@@ -1019,7 +1026,9 @@ library JBSwapPoolLib {
             // forge-lint: disable-next-line(unsafe-typecast)
             int256 exactInputAmount = -int256(amount);
 
-            unlockData = abi.encode(key, zeroForOne, exactInputAmount, sqrtPriceLimitX96, minAmountOut, config.weth);
+            unlockData = abi.encode(
+                key, zeroForOne, exactInputAmount, sqrtPriceLimitX96, minAmountOut, config.wrappedNativeToken
+            );
         }
 
         // Unlock the PoolManager and encode the swap parameters for the callback.
@@ -1031,10 +1040,10 @@ library JBSwapPoolLib {
 
     /// @notice Normalize a token address, converting the NATIVE_TOKEN sentinel to the wrapped native token.
     /// @param token The token address to normalize.
-    /// @param weth The wrapped native token address on this chain.
+    /// @param wrappedNativeToken The wrapped native token address on this chain.
     /// @return The normalized token address.
-    function _normalize(address token, address weth) internal pure returns (address) {
-        return token == JBConstants.NATIVE_TOKEN ? weth : token;
+    function _normalize(address token, address wrappedNativeToken) internal pure returns (address) {
+        return token == JBConstants.NATIVE_TOKEN ? wrappedNativeToken : token;
     }
 
     /// @notice Get the Uniswap V3 fee tier for a given index.