@bananapus/suckers-v6 0.0.42 → 0.0.44

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.42",
+  "version": "0.0.44",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBSwapCCIPSucker.sol

@@ -179,6 +179,19 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     /// @custom:param token The local token address.
     mapping(address token => uint64) internal _highestReceivedNonce;
 
+    /// @notice Count of populated batch nonces per token. Appended exactly once per batch in
+    /// `ccipReceive`, so it equals the number of received batches independent of CCIP ordering.
+    /// @custom:param token The local token address.
+    mapping(address token => uint64) internal _populatedNonceCount;
+
+    /// @notice Populated batch nonces per token, indexed by insertion order. Enables the
+    /// empty-midpoint fallback in `_findNonceForLeafIndex` to walk only the K populated nonces
+    /// (O(K) worst case) instead of the full [lo, hi] nonce span (O(N) worst case under sparse
+    /// adversarial patterns).
+    /// @custom:param token The local token address.
+    /// @custom:param index The insertion index in [0, _populatedNonceCount[token]).
+    mapping(address token => mapping(uint64 index => uint64 nonce)) internal _populatedNonceByIndex;
+
     /// @notice Cumulative leaf count at the last `_sendRootOverAMB` call, per token.
     /// @dev Used on the sender side to derive the batch start index for the next send.
     /// @custom:param token The local token address.
@@ -366,8 +379,33 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 // Record the batch range so _findNonceForLeafIndex can resolve leaf ownership
                 // independently of nonce ordering. Each nonce is self-describing: [start, end).
                 if (batchEnd > 0) {
+                    // Record this batch's half-open leaf range `[batchStart, batchEnd)`. Self-
+                    // describing per-nonce — no implicit chain across nonces — so out-of-order
+                    // delivery can still resolve a leaf to its batch.
                     _batchStartOf[localToken][nonce] = batchStart;
                     _batchEndOf[localToken][nonce] = batchEnd;
+
+                    // Append `nonce` to the populated-nonce list for this token. The outer
+                    // `_batchEndOf == 0 && _conversionRateOf == 0 && pendingSwapOf == 0` guard
+                    // fires at most once per (token, nonce), so each populated nonce is appended
+                    // exactly once — the array stays duplicate-free without extra checks.
+                    //
+                    // Reading `_populatedNonceCount[localToken]` first into a local lets us write
+                    // the new slot and the new count in a single read-modify-write pair (one
+                    // SLOAD, two SSTOREs to distinct slots). The `unchecked` increment is safe:
+                    // `priorCount` is bounded by the total number of populated nonces, which is
+                    // upper-bounded by the CCIP nonce space (`uint64`) — overflow requires more
+                    // batches than `uint64.max`, which the inbox can never produce.
+                    uint64 priorCount = _populatedNonceCount[localToken];
+                    _populatedNonceByIndex[localToken][priorCount] = nonce;
+                    unchecked {
+                        _populatedNonceCount[localToken] = priorCount + 1;
+                    }
+
+                    // Track the highest nonce ever observed for this token. Read by
+                    // `_findNonceForLeafIndex` as the binary-search upper bound. Out-of-order
+                    // delivery keeps this monotonic — we only advance it when the new nonce is
+                    // strictly higher than the prior maximum.
                     if (nonce > _highestReceivedNonce[localToken]) {
                         _highestReceivedNonce[localToken] = nonce;
                     }
@@ -666,29 +704,93 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     //*********************************************************************//
 
     /// @notice Find the nonce whose batch contains the given leaf index.
-    /// @dev Scans from the newest nonce backwards so recent batches resolve first without storing extra cache state.
+    /// @dev Binary search by nonce. Source-side `prepare()` appends batches in nonce order with each
+    /// new batch's `batchStart` equal to the previous batch's `batchEnd`, so across populated
+    /// destination slots `_batchStartOf` is strictly increasing in nonce — the populated subset is
+    /// monotonic even when CCIP delivery is out of order and leaves intermediate slots empty.
+    /// Binary search exploits that monotonicity for O(log N) lookup.
+    /// @dev Gap handling: when the midpoint slot is empty (CCIP out-of-order delivery or sparse
+    /// attacker writes), the fallback walks `_populatedNonceByIndex` — the list of every nonce
+    /// actually populated. That bounds the worst case at `O(K)` SLOADs, where `K` is the number
+    /// of received batches, regardless of how sparse the populated set is inside `[1, maxNonce]`.
+    /// The empty-slot scans that drove `O(N)` under the prior linear fallback are eliminated.
     /// @param token The local token address.
     /// @param leafIndex The leaf index from the claim.
-    /// @return The nonce of the batch containing this leaf, or 0 if no conversion rates exist.
+    /// @return The nonce of the batch containing this leaf, or 0 if no batches have been recorded.
     function _findNonceForLeafIndex(address token, uint256 leafIndex) internal view returns (uint64) {
+        // `_highestReceivedNonce` upper-bounds any populated slot for this token; zero means
+        // nothing has been received yet, so the leaf belongs to no batch.
         uint64 maxNonce = _highestReceivedNonce[token];
         if (maxNonce == 0) return 0;
 
-        // Scan from most recent nonce backwards so the normal just-bridged claim path exits quickly.
-        for (uint64 n = maxNonce; n >= 1; n--) {
-            if (_nonceContainsLeaf({token: token, nonce: n, leafIndex: leafIndex})) return n;
+        // Nonce 0 is reserved by inbox initialization and never holds a batch, so search [1, max].
+        uint64 lo = 1;
+        uint64 hi = maxNonce;
+
+        // Wrap arithmetic in `unchecked` — `lo` and `hi` are always in `[1, maxNonce]` and the
+        // edge-guards (`mid == lo` / `mid == hi` breaks) prevent the only ways `mid - 1` or
+        // `mid + 1` could over/underflow. Skipping the compiler checks shaves enough bytecode to
+        // stay under EIP-170 without changing semantics.
+        unchecked {
+            while (lo <= hi) {
+                uint64 mid = lo + (hi - lo) / 2;
+                // `batchEnd == 0` is the established sentinel for "no batch recorded" (see the
+                // write guard in `ccipReceive`); a real batch always has `batchEnd > batchStart`.
+                uint256 end = _batchEndOf[token][mid];
+
+                // Empty midpoint from out-of-order CCIP delivery (the sender minted a higher nonce
+                // than the inbox has yet received, leaving holes in `[1, maxNonce]`) or a sparse
+                // pattern an attacker assembled by inflating `_highestReceivedNonce` without
+                // populating intermediate slots. The earlier linear `[lo, hi]` scan walked every
+                // empty slot, so worst-case cost was `O(maxNonce)` SLOADs — that's the residual
+                // the audit flagged. Walk `_populatedNonceByIndex` instead: it's `K` entries (one
+                // per received batch) and contains exactly the slots a real batch can cover.
+                if (end == 0) {
+                    // Number of populated batch slots for this token — equal to the array length.
+                    // Maintained by `ccipReceive`'s append (one SSTORE per first-time receive).
+                    uint64 count = _populatedNonceCount[token];
+
+                    // Linear walk over the populated set. Bounded by `count`, not `maxNonce`, so
+                    // sparse adversarial patterns can't inflate this loop with empty slots.
+                    for (uint64 i; i < count; i++) {
+                        // Insertion-ordered nonce at index `i`. May be any value in `[1, maxNonce]`
+                        // because CCIP delivery is out-of-order; the array is not sorted by nonce.
+                        uint64 n = _populatedNonceByIndex[token][i];
+
+                        // Read end of this batch's leaf range. Always `> 0` here — we only push to
+                        // `_populatedNonceByIndex` after the corresponding `_batchEndOf` write.
+                        uint256 nEnd = _batchEndOf[token][n];
+
+                        // Coverage test: each batch's `[batchStart, batchEnd)` is non-overlapping
+                        // across populated nonces, so a hit is unique. The `[lo, hi]` window from
+                        // the binary search isn't applied — the binary-search invariant guarantees
+                        // the leaf can only live in a populated nonce, so an out-of-window match
+                        // would mean the binary search was already wrong; falling through to the
+                        // next iteration costs less than the extra two compares per iteration.
+                        if (leafIndex >= _batchStartOf[token][n] && leafIndex < nEnd) return n;
+                    }
+
+                    // No populated nonce contains `leafIndex` for this token. Break out of the
+                    // outer binary-search loop and fall through to the shared revert below.
+                    break;
+                }
+
+                // Each batch covers [batchStart, batchEnd). Across populated nonces these ranges
+                // are non-overlapping and strictly increasing, so the standard comparison applies.
+                uint256 start = _batchStartOf[token][mid];
+                if (leafIndex < start) {
+                    if (mid == lo) break; // Guard against `mid - 1` underflow at the lower edge.
+                    hi = mid - 1;
+                } else if (leafIndex >= end) {
+                    if (mid == hi) break; // Mirror guard at the upper edge.
+                    lo = mid + 1;
+                } else {
+                    return mid; // `start <= leafIndex < end`: leaf is inside this batch.
+                }
+            }
         }
 
+        // Window collapsed without a hit — surface the same error the legacy linear scan used.
         revert JBSwapCCIPSucker_BatchNotReceived({nonce: 0});
     }
-
-    /// @notice Check whether the given nonce's batch range contains the leaf index.
-    /// @param token The local token address.
-    /// @param nonce The nonce to check.
-    /// @param leafIndex The leaf index to look for.
-    /// @return True if the nonce's [start, end) range contains `leafIndex`.
-    function _nonceContainsLeaf(address token, uint64 nonce, uint256 leafIndex) internal view returns (bool) {
-        uint256 end = _batchEndOf[token][nonce];
-        return end != 0 && leafIndex >= _batchStartOf[token][nonce] && leafIndex < end;
-    }
 }