@bananapus/suckers-v6 0.0.48 → 0.0.49

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.48",
+  "version": "0.0.49",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -30,8 +30,8 @@
   },
   "dependencies": {
     "@arbitrum/nitro-contracts": "3.2.0",
-    "@bananapus/core-v6": "^0.0.54",
-    "@bananapus/permission-ids-v6": "^0.0.25",
+    "@bananapus/core-v6": "^0.0.57",
+    "@bananapus/permission-ids-v6": "^0.0.26",
     "@chainlink/contracts-ccip": "1.6.4",
     "@chainlink/local": "0.2.7",
     "@openzeppelin/contracts": "5.6.1",

package/src/JBArbitrumSucker.sol

@@ -255,12 +255,13 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         // If the token is an ERC-20, bridge it to the peer.
         // If the amount is `0` then we do not need to bridge any ERC20.
         if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
+            address gateway;
             uint256 tokenTransportCost;
             uint256 maxSubmissionCostERC20;
             {
                 // Get the exact calldata length the gateway will create for the retryable ticket.
                 // The Arbitrum Inbox validates maxSubmissionCost against this actual payload, not the user data.
-                address gateway = GATEWAYROUTER.getGateway(token);
+                gateway = GATEWAYROUTER.getGateway(token);
                 uint256 outboundCalldataLength =
                     IL1ArbitrumGateway(gateway)
                 .getOutboundCalldata({
@@ -299,6 +300,8 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
                 gasPriceBid: maxFeePerGas,
                 data: bytes(abi.encode(maxSubmissionCostERC20, bytes("")))
             });
+
+            SafeERC20.forceApprove({token: IERC20(token), spender: gateway, value: 0});
         } else {
             // Ensure we bridge enough for gas costs on L2 side
             if (transportPayment < callTransportCost) {

package/src/JBCeloSucker.sol

@@ -164,6 +164,8 @@ contract JBCeloSucker is JBOptimismSucker {
                 minGasLimit: remoteToken.minGas,
                 extraData: bytes("")
             });
+
+            SafeERC20.forceApprove({token: IERC20(bridgeToken), spender: address(OPBRIDGE), value: 0});
         }
 
         // Send the messenger message with nativeValue = 0.

package/src/JBOptimismSucker.sol

@@ -126,6 +126,8 @@ contract JBOptimismSucker is JBSucker, IJBOptimismSucker {
                 minGasLimit: remoteToken.minGas,
                 extraData: bytes("")
             });
+
+            SafeERC20.forceApprove({token: IERC20(token), spender: address(OPBRIDGE), value: 0});
         } else {
             // Otherwise, the token is the native token, and the amount will be sent as `msg.value`.
             nativeValue = amount;

package/src/JBSucker.sol

@@ -83,6 +83,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     error JBSucker_NoRetainedToRemoteFee(address account);
     error JBSucker_NoRetainedTransportPaymentRefund(address account);
     error JBSucker_RefundFailed(address beneficiary, uint256 amount);
+    error JBSucker_RemoteTokenAlreadyMapped(bytes32 remoteToken, address localToken);
     error JBSucker_TokenAlreadyMapped(address localToken, bytes32 mappedTo);
     error JBSucker_TokenHasInvalidEmergencyHatchState(address token);
     error JBSucker_TokenNotMapped(address token);
@@ -175,6 +176,14 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     /// @custom:param token The local terminal token to get the inbox for.
     mapping(address token => JBInboxTreeRoot root) internal _inboxOf;
 
+    /// @notice The local token that has reserved each remote token address in this sucker.
+    /// @dev Inbound roots are keyed by `root.token` on the destination chain. Within a single sucker, allowing two
+    /// local tokens to send roots to the same remote token would give them independent source nonces but one shared
+    /// destination inbox, causing stale rejections or root overwrites. Each sucker keeps its own reservation map, so
+    /// separate bridge lanes for the same asset pair can coexist.
+    /// @custom:param remoteToken The remote terminal token address encoded as bytes32.
+    mapping(bytes32 remoteToken => address localToken) internal _localTokenForRemoteToken;
+
     /// @notice The outbox merkle tree for a given token.
     /// @custom:param token The local terminal token to get the outbox for.
     mapping(address token => JBOutboxTree) internal _outboxOf;
@@ -1031,6 +1040,10 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     /// after outbox activity, the same local funds could be claimed against two different remote tokens. A
     /// misconfigured mapping therefore requires deploying a new sucker. Re-enabling a previously disabled mapping
     /// (back to the same remote token) is supported.
+    /// @dev Remote tokens are also unique per local token within this sucker. The source side keeps separate
+    /// outboxes/nonces per local token, but the destination side stores roots under the remote token address. Sharing
+    /// one remote token across multiple local tokens in the same sucker would merge those inboxes on the destination
+    /// chain. Separate suckers can still map the same local/remote token pair, letting users choose a bridge lane.
     /// @param map The local and remote terminal token addresses to map, and minimum amount/gas limits for bridging
     /// them.
     /// @param transportPaymentValue The amount of `msg.value` to send for the token mapping.
@@ -1068,6 +1081,16 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             revert JBSucker_TokenAlreadyMapped({localToken: token, mappedTo: currentMapping.addr});
         }
 
+        // A remote token can back only one local token's outbox in this sucker. Otherwise two independent source
+        // nonces would race into the same destination inbox key (`root.token`), making one token's root stale or
+        // overwriting the other. Other suckers have separate inbox/outbox storage and are unaffected.
+        if (map.remoteToken != bytes32(0)) {
+            address mappedLocalToken = _localTokenForRemoteToken[map.remoteToken];
+            if (mappedLocalToken != address(0) && mappedLocalToken != token) {
+                revert JBSucker_RemoteTokenAlreadyMapped({remoteToken: map.remoteToken, localToken: mappedLocalToken});
+            }
+        }
+
         // No inbox guard needed here. Token remapping only affects the outbound (sending) path —
         // it changes where tokens get bridged TO. Existing inbox claims are resolved against the inbox merkle
         // tree keyed by the local token address. Changing the remote token doesn't invalidate those claims
@@ -1085,6 +1108,17 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             _sendRoot({transportPayment: transportPaymentValue, token: token, remoteToken: currentMapping});
         }
 
+        // Update the reverse reservation if an unused local token is being remapped to a new remote token.
+        if (
+            map.remoteToken != bytes32(0) && currentMapping.addr != bytes32(0) && currentMapping.addr != map.remoteToken
+                && _localTokenForRemoteToken[currentMapping.addr] == token
+        ) {
+            delete _localTokenForRemoteToken[currentMapping.addr];
+        }
+
+        bytes32 remoteToken = map.remoteToken == bytes32(0) ? currentMapping.addr : map.remoteToken;
+        if (remoteToken != bytes32(0)) _localTokenForRemoteToken[remoteToken] = token;
+
         // Update the token mapping.
         _remoteTokenFor[token] = JBRemoteToken({
             enabled: map.remoteToken != bytes32(0),
@@ -1092,7 +1126,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             minGas: map.minGas,
             // This is done so that a token can be disabled and then enabled again
             // while ensuring the remoteToken never changes (unless it hasn't been used yet)
-            addr: map.remoteToken == bytes32(0) ? currentMapping.addr : map.remoteToken
+            addr: remoteToken
         });
     }
 

package/src/JBSuckerRegistry.sol

@@ -18,6 +18,7 @@ import {IJBSuckerDeployer} from "./interfaces/IJBSuckerDeployer.sol";
 import {IJBSuckerRegistry} from "./interfaces/IJBSuckerRegistry.sol";
 import {JBSuckerDeployerConfig} from "./structs/JBSuckerDeployerConfig.sol";
 import {JBSuckersPair} from "./structs/JBSuckersPair.sol";
+import {PeerValueScratch} from "./structs/PeerValueScratch.sol";
 
 /// @notice The canonical registry that deploys, tracks, and governs cross-chain suckers for Juicebox projects. It
 /// maintains an allowlist of approved deployer contracts, allows multiple active suckers per peer chain for bridge
@@ -210,10 +211,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
 
         // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
         // so a linear scan is cheaper than a mapping.
-        uint256[] memory chainIds = new uint256[](len);
-        uint256[] memory maxBalances = new uint256[](len);
-        bool[] memory hasActiveValue = new bool[](len);
-        uint256 chainCount;
+        PeerValueScratch memory scratch = _peerValueScratch(len);
 
         for (uint256 i; i < len;) {
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
@@ -223,13 +221,11 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
                     JBDenominatedAmount memory amt
                 ) {
                     uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
-                    chainCount = _recordPeerValue({
-                        chainIds: chainIds,
-                        values: maxBalances,
-                        hasActiveValue: hasActiveValue,
-                        chainCount: chainCount,
+                    scratch.chainCount = _recordPeerValue({
+                        scratch: scratch,
                         chainId: chainId,
                         value: amt.value,
+                        snapshotTimestamp: _snapshotTimestampOf(allSuckers[i]),
                         isActive: val == _SUCKER_EXISTS
                     });
                 } catch {}
@@ -239,9 +235,9 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             }
         }
 
-        // Sum the per-chain max values.
-        for (uint256 k; k < chainCount;) {
-            balance += maxBalances[k];
+        // Sum the per-chain selected values.
+        for (uint256 k; k < scratch.chainCount;) {
+            balance += scratch.values[k];
             unchecked {
                 ++k;
             }
@@ -271,10 +267,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
 
         // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
         // so a linear scan is cheaper than a mapping.
-        uint256[] memory chainIds = new uint256[](len);
-        uint256[] memory maxSurplus = new uint256[](len);
-        bool[] memory hasActiveValue = new bool[](len);
-        uint256 chainCount;
+        PeerValueScratch memory scratch = _peerValueScratch(len);
 
         for (uint256 i; i < len;) {
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
@@ -284,13 +277,11 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
                     JBDenominatedAmount memory amt
                 ) {
                     uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
-                    chainCount = _recordPeerValue({
-                        chainIds: chainIds,
-                        values: maxSurplus,
-                        hasActiveValue: hasActiveValue,
-                        chainCount: chainCount,
+                    scratch.chainCount = _recordPeerValue({
+                        scratch: scratch,
                         chainId: chainId,
                         value: amt.value,
+                        snapshotTimestamp: _snapshotTimestampOf(allSuckers[i]),
                         isActive: val == _SUCKER_EXISTS
                     });
                 } catch {}
@@ -300,9 +291,9 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             }
         }
 
-        // Sum the per-chain max values.
-        for (uint256 k; k < chainCount;) {
-            surplus += maxSurplus[k];
+        // Sum the per-chain selected values.
+        for (uint256 k; k < scratch.chainCount;) {
+            surplus += scratch.values[k];
             unchecked {
                 ++k;
             }
@@ -321,10 +312,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
 
         // Per-chain dedup arrays. The number of suckers per project is small (typically 1-5),
         // so a linear scan is cheaper than a mapping.
-        uint256[] memory chainIds = new uint256[](len);
-        uint256[] memory maxSupply = new uint256[](len);
-        bool[] memory hasActiveValue = new bool[](len);
-        uint256 chainCount;
+        PeerValueScratch memory scratch = _peerValueScratch(len);
 
         for (uint256 i; i < len;) {
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
@@ -332,13 +320,11 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             if (val == _SUCKER_EXISTS || val == _SUCKER_DEPRECATED) {
                 try IJBSucker(allSuckers[i]).peerChainTotalSupply() returns (uint256 supply) {
                     uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
-                    chainCount = _recordPeerValue({
-                        chainIds: chainIds,
-                        values: maxSupply,
-                        hasActiveValue: hasActiveValue,
-                        chainCount: chainCount,
+                    scratch.chainCount = _recordPeerValue({
+                        scratch: scratch,
                         chainId: chainId,
                         value: supply,
+                        snapshotTimestamp: _snapshotTimestampOf(allSuckers[i]),
                         isActive: val == _SUCKER_EXISTS
                     });
                 } catch {}
@@ -348,9 +334,9 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             }
         }
 
-        // Sum the per-chain max values.
-        for (uint256 k; k < chainCount;) {
-            totalSupply += maxSupply[k];
+        // Sum the per-chain selected values.
+        for (uint256 k; k < scratch.chainCount;) {
+            totalSupply += scratch.values[k];
             unchecked {
                 ++k;
             }
@@ -378,58 +364,91 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
         return ERC2771Context._msgSender();
     }
 
+    /// @notice Allocates scratch arrays used to collapse many suckers into one aggregate value per peer chain.
+    /// @dev `len` is the number of suckers being scanned, which is the maximum possible number of distinct peer
+    /// chains. `chainCount` starts at zero and is incremented as new peer chains are discovered.
+    /// @param len The maximum number of peer-chain entries the aggregation can need.
+    /// @return scratch Empty scratch space sized for the current aggregation pass.
+    function _peerValueScratch(uint256 len) internal pure returns (PeerValueScratch memory scratch) {
+        // Allocate each parallel array up front so `_recordPeerValue` can update by index without resizing memory.
+        scratch.chainIds = new uint256[](len);
+        scratch.values = new uint256[](len);
+        scratch.snapshotTimestamps = new uint256[](len);
+        scratch.hasActiveValue = new bool[](len);
+    }
+
     /// @notice Records a project-scoped peer-chain aggregate value.
     /// @dev Callers pass scratch arrays sized from `_suckersOf[projectId].keys()`, so entries are already scoped to
     /// the project being aggregated. For each peer chain, active suckers replace deprecated suckers; deprecated
     /// values are only used as a migration fallback when no active sucker has reported for that chain.
-    /// @param chainIds The peer-chain ids recorded so far.
-    /// @param values The aggregate values recorded so far.
-    /// @param hasActiveValue Whether the recorded value for each index came from an active sucker.
-    /// @param chainCount The number of populated chain entries.
+    /// @param scratch The per-chain aggregate values and freshness keys recorded so far.
     /// @param chainId The peer-chain id to record.
     /// @param value The value to record.
+    /// @param snapshotTimestamp The snapshot freshness key to record.
     /// @param isActive Whether the value came from an active sucker.
     /// @return The updated number of populated chain entries.
     function _recordPeerValue(
-        uint256[] memory chainIds,
-        uint256[] memory values,
-        bool[] memory hasActiveValue,
-        uint256 chainCount,
+        PeerValueScratch memory scratch,
         uint256 chainId,
         uint256 value,
+        uint256 snapshotTimestamp,
         bool isActive
     )
         internal
         pure
         returns (uint256)
     {
-        for (uint256 j; j < chainCount;) {
-            if (chainIds[j] == chainId) {
+        for (uint256 j; j < scratch.chainCount;) {
+            if (scratch.chainIds[j] == chainId) {
                 // Each sucker caches the entire remote chain's state (not a per-sucker share), so multiple
-                // suckers targeting the same chain report redundant snapshots. MAX picks the freshest value
-                // without double-counting — SUM would inflate bonding curve denominators.
+                // suckers targeting the same chain report redundant snapshots. Prefer the freshest source-chain
+                // snapshot; use MAX only as a same-freshness tie-breaker or deprecated fallback.
                 if (isActive) {
-                    if (!hasActiveValue[j] || value > values[j]) values[j] = value;
-                    hasActiveValue[j] = true;
-                } else if (!hasActiveValue[j] && value > values[j]) {
+                    if (
+                        !scratch.hasActiveValue[j] || snapshotTimestamp > scratch.snapshotTimestamps[j]
+                            || (snapshotTimestamp == scratch.snapshotTimestamps[j] && value > scratch.values[j])
+                    ) {
+                        scratch.values[j] = value;
+                        scratch.snapshotTimestamps[j] = snapshotTimestamp;
+                    }
+                    scratch.hasActiveValue[j] = true;
+                } else if (
+                    !scratch.hasActiveValue[j]
+                        && (snapshotTimestamp > scratch.snapshotTimestamps[j]
+                            || (snapshotTimestamp == scratch.snapshotTimestamps[j] && value > scratch.values[j]))
+                ) {
                     // Deprecated suckers only fill the gap until an active value for this chain has been observed.
-                    values[j] = value;
+                    scratch.values[j] = value;
+                    scratch.snapshotTimestamps[j] = snapshotTimestamp;
                 }
-                return chainCount;
+                return scratch.chainCount;
             }
             unchecked {
                 ++j;
             }
         }
 
-        chainIds[chainCount] = chainId;
-        values[chainCount] = value;
-        hasActiveValue[chainCount] = isActive;
+        scratch.chainIds[scratch.chainCount] = chainId;
+        scratch.values[scratch.chainCount] = value;
+        scratch.snapshotTimestamps[scratch.chainCount] = snapshotTimestamp;
+        scratch.hasActiveValue[scratch.chainCount] = isActive;
         unchecked {
-            return chainCount + 1;
+            return scratch.chainCount + 1;
         }
     }
 
+    /// @notice Reads a sucker's snapshot timestamp, returning zero if the sucker does not expose it.
+    /// @dev Older or malformed suckers should not brick aggregate registry views. A zero timestamp makes their value
+    /// lose to any successful fresh read for the same peer chain.
+    /// @param sucker The sucker to query.
+    /// @return timestamp The reported snapshot timestamp, or zero if the call fails.
+    function _snapshotTimestampOf(address sucker) internal view returns (uint256 timestamp) {
+        // Keep aggregate views available even if one registered sucker has a stale ABI or reverts unexpectedly.
+        try IJBSucker(sucker).snapshotTimestamp() returns (uint256 result) {
+            timestamp = result;
+        } catch {}
+    }
+
     //*********************************************************************//
     // ---------------------- public transactions ----------------------- //
     //*********************************************************************//

package/src/JBSwapCCIPSucker.sol

@@ -175,19 +175,15 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     /// @custom:param nonce The CCIP nonce identifying the batch.
     mapping(address token => mapping(uint64 nonce => ConversionRate)) internal _conversionRateOf;
 
-    /// @notice Highest nonce received so far per token. Used as upper bound for nonce iteration.
-    /// @custom:param token The local token address.
-    mapping(address token => uint64) internal _highestReceivedNonce;
-
     /// @notice Count of populated batch nonces per token. Appended exactly once per batch in
     /// `ccipReceive`, so it equals the number of received batches independent of CCIP ordering.
     /// @custom:param token The local token address.
     mapping(address token => uint64) internal _populatedNonceCount;
 
-    /// @notice Populated batch nonces per token, indexed by insertion order. Enables the
-    /// empty-midpoint fallback in `_findNonceForLeafIndex` to walk only the K populated nonces
-    /// (O(K) worst case) instead of the full [lo, hi] nonce span (O(N) worst case under sparse
-    /// adversarial patterns).
+    /// @notice Populated batch nonces per token, indexed by insertion order.
+    /// @dev `_findNonceForLeafIndex` walks this list directly. That bounds lookup by the number of
+    /// received batches, not by the highest nonce, so sparse or out-of-order CCIP delivery cannot
+    /// force the claim path to scan empty nonce slots.
     /// @custom:param token The local token address.
     /// @custom:param index The insertion index in [0, _populatedNonceCount[token]).
     mapping(address token => mapping(uint64 index => uint64 nonce)) internal _populatedNonceByIndex;
@@ -201,6 +197,10 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     // ------------------- transient stored properties ------------------- //
     //*********************************************************************//
 
+    /// @dev Reentrancy guard for the initial `ccipReceive` swap. Prevents claims from consuming newly received
+    /// swap output before the batch's conversion rate has been recorded.
+    bool transient _ccipReceiveSwapLocked;
+
     /// @notice Leaf index + 1 of the claim currently in progress (set by the `claim` override).
     /// @dev Transient storage — auto-resets to 0 each transaction, saving ~9,800 gas per claim vs SSTORE.
     /// Value 0 means no active claim (bypass scaling); non-zero means leafIndex = value - 1.
@@ -344,13 +344,16 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                     // Wrapped in try-catch so a swap failure doesn't revert the entire CCIP message
                     // (which would leave tokens stuck in the OffRamp). On failure, bridge tokens are
                     // stored for later retry via `retrySwap` (written below, after nonce validation).
+                    _ccipReceiveSwapLocked = true;
                     try this.executeSwapExternal({
                         tokenIn: deliveredToken, tokenOut: localToken, amount: deliveredAmount
                     }) returns (
                         uint256 swapped
                     ) {
+                        _ccipReceiveSwapLocked = false;
                         localAmount = swapped;
                     } catch {
+                        _ccipReceiveSwapLocked = false;
                         swapFailed = true;
                         // localAmount stays 0 — pendingSwapOf and conversion rate are written
                         // below, after fromRemote validates the nonce.
@@ -401,14 +404,6 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                     unchecked {
                         _populatedNonceCount[localToken] = priorCount + 1;
                     }
-
-                    // Track the highest nonce ever observed for this token. Read by
-                    // `_findNonceForLeafIndex` as the binary-search upper bound. Out-of-order
-                    // delivery keeps this monotonic — we only advance it when the new nonce is
-                    // strictly higher than the prior maximum.
-                    if (nonce > _highestReceivedNonce[localToken]) {
-                        _highestReceivedNonce[localToken] = nonce;
-                    }
                 }
 
                 // Store pendingSwapOf for failed swaps now that nonce is validated.
@@ -529,7 +524,7 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     /// @param claimData The claim data containing the leaf and proof.
     function claim(JBClaim calldata claimData) public override {
         // Block claims during retrySwap to prevent zero-backed minting via reentrancy.
-        if (_retrySwapLocked) revert JBSwapCCIPSucker_SwapPending(0);
+        if (_retrySwapLocked || _ccipReceiveSwapLocked) revert JBSwapCCIPSucker_SwapPending(0);
         _currentClaimLeafIndex = claimData.leaf.index + 1;
         super.claim(claimData);
         // Clear stale transient context to prevent leaking into same-tx emergency exits.
@@ -703,94 +698,36 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
     // ----------------------- internal views ---------------------------- //
     //*********************************************************************//
 
-    /// @notice Find the nonce whose batch contains the given leaf index.
-    /// @dev Binary search by nonce. Source-side `prepare()` appends batches in nonce order with each
-    /// new batch's `batchStart` equal to the previous batch's `batchEnd`, so across populated
-    /// destination slots `_batchStartOf` is strictly increasing in nonce — the populated subset is
-    /// monotonic even when CCIP delivery is out of order and leaves intermediate slots empty.
-    /// Binary search exploits that monotonicity for O(log N) lookup.
-    /// @dev Gap handling: when the midpoint slot is empty (CCIP out-of-order delivery or sparse
-    /// attacker writes), the fallback walks `_populatedNonceByIndex` — the list of every nonce
-    /// actually populated. That bounds the worst case at `O(K)` SLOADs, where `K` is the number
-    /// of received batches, regardless of how sparse the populated set is inside `[1, maxNonce]`.
-    /// The empty-slot scans that drove `O(N)` under the prior linear fallback are eliminated.
+    /// @notice Find the received nonce whose batch contains the given leaf index.
+    /// @dev Walks `_populatedNonceByIndex` instead of `[1, highestNonce]`. The populated list is the
+    /// only set that can contain a claimable batch, and it stays compact even when CCIP delivers
+    /// nonce 10 before nonce 2. This keeps lookup O(K) where K is received batches, avoids sparse
+    /// empty-slot scans, and keeps the deployable bytecode below the EIP-170 size limit.
     /// @param token The local token address.
     /// @param leafIndex The leaf index from the claim.
     /// @return The nonce of the batch containing this leaf, or 0 if no batches have been recorded.
     function _findNonceForLeafIndex(address token, uint256 leafIndex) internal view returns (uint64) {
-        // `_highestReceivedNonce` upper-bounds any populated slot for this token; zero means
-        // nothing has been received yet, so the leaf belongs to no batch.
-        uint64 maxNonce = _highestReceivedNonce[token];
-        if (maxNonce == 0) return 0;
-
-        // Nonce 0 is reserved by inbox initialization and never holds a batch, so search [1, max].
-        uint64 lo = 1;
-        uint64 hi = maxNonce;
-
-        // Wrap arithmetic in `unchecked` — `lo` and `hi` are always in `[1, maxNonce]` and the
-        // edge-guards (`mid == lo` / `mid == hi` breaks) prevent the only ways `mid - 1` or
-        // `mid + 1` could over/underflow. Skipping the compiler checks shaves enough bytecode to
-        // stay under EIP-170 without changing semantics.
+        // No populated batches for this token means there is no conversion rate to apply. Preserve
+        // nonce 0 as the "unbatched" sentinel used by `_addToBalance`'s non-claim path.
+        uint64 count = _populatedNonceCount[token];
+        if (count == 0) return 0;
+
+        // Walk only nonces that actually received a batch. The array is insertion-ordered, not
+        // sorted, because CCIP can deliver batches out of nonce order; each entry still points to a
+        // self-contained `[batchStart, batchEnd)` range written before the append.
         unchecked {
-            while (lo <= hi) {
-                uint64 mid = lo + (hi - lo) / 2;
-                // `batchEnd == 0` is the established sentinel for "no batch recorded" (see the
-                // write guard in `ccipReceive`); a real batch always has `batchEnd > batchStart`.
-                uint256 end = _batchEndOf[token][mid];
-
-                // Empty midpoint from out-of-order CCIP delivery (the sender minted a higher nonce
-                // than the inbox has yet received, leaving holes in `[1, maxNonce]`) or a sparse
-                // pattern an attacker assembled by inflating `_highestReceivedNonce` without
-                // populating intermediate slots. The earlier linear `[lo, hi]` scan walked every
-                // empty slot, so worst-case cost was `O(maxNonce)` SLOADs — that's the residual
-                // the audit flagged. Walk `_populatedNonceByIndex` instead: it's `K` entries (one
-                // per received batch) and contains exactly the slots a real batch can cover.
-                if (end == 0) {
-                    // Number of populated batch slots for this token — equal to the array length.
-                    // Maintained by `ccipReceive`'s append (one SSTORE per first-time receive).
-                    uint64 count = _populatedNonceCount[token];
-
-                    // Linear walk over the populated set. Bounded by `count`, not `maxNonce`, so
-                    // sparse adversarial patterns can't inflate this loop with empty slots.
-                    for (uint64 i; i < count; i++) {
-                        // Insertion-ordered nonce at index `i`. May be any value in `[1, maxNonce]`
-                        // because CCIP delivery is out-of-order; the array is not sorted by nonce.
-                        uint64 n = _populatedNonceByIndex[token][i];
-
-                        // Read end of this batch's leaf range. Always `> 0` here — we only push to
-                        // `_populatedNonceByIndex` after the corresponding `_batchEndOf` write.
-                        uint256 nEnd = _batchEndOf[token][n];
-
-                        // Coverage test: each batch's `[batchStart, batchEnd)` is non-overlapping
-                        // across populated nonces, so a hit is unique. The `[lo, hi]` window from
-                        // the binary search isn't applied — the binary-search invariant guarantees
-                        // the leaf can only live in a populated nonce, so an out-of-window match
-                        // would mean the binary search was already wrong; falling through to the
-                        // next iteration costs less than the extra two compares per iteration.
-                        if (leafIndex >= _batchStartOf[token][n] && leafIndex < nEnd) return n;
-                    }
-
-                    // No populated nonce contains `leafIndex` for this token. Break out of the
-                    // outer binary-search loop and fall through to the shared revert below.
-                    break;
-                }
+            for (uint64 i; i < count; i++) {
+                uint64 nonce = _populatedNonceByIndex[token][i];
+                uint256 end = _batchEndOf[token][nonce];
 
-                // Each batch covers [batchStart, batchEnd). Across populated nonces these ranges
-                // are non-overlapping and strictly increasing, so the standard comparison applies.
-                uint256 start = _batchStartOf[token][mid];
-                if (leafIndex < start) {
-                    if (mid == lo) break; // Guard against `mid - 1` underflow at the lower edge.
-                    hi = mid - 1;
-                } else if (leafIndex >= end) {
-                    if (mid == hi) break; // Mirror guard at the upper edge.
-                    lo = mid + 1;
-                } else {
-                    return mid; // `start <= leafIndex < end`: leaf is inside this batch.
-                }
+                // Ranges are non-overlapping across populated nonces. The first hit is therefore
+                // the unique conversion-rate batch for this claim leaf.
+                if (leafIndex >= _batchStartOf[token][nonce] && leafIndex < end) return nonce;
             }
         }
 
-        // Window collapsed without a hit — surface the same error the legacy linear scan used.
+        // Batches exist for the token, but none cover this leaf index; surface the same error used
+        // before the compact populated-nonce index was introduced.
         revert JBSwapCCIPSucker_BatchNotReceived({nonce: 0});
     }
 }

package/src/interfaces/IJBSucker.sol

@@ -128,12 +128,6 @@ interface IJBSucker is IERC165 {
     /// @return chainId The remote chain ID.
     function peerChainId() external view returns (uint256 chainId);
 
-    /// @notice The last known total token supply on the peer chain, updated each time a bridge message is received.
-    /// @dev Used by data hooks to compute `effectiveTotalSupply = localSupply + sum(peerChainTotalSupply)` across all
-    /// suckers, preventing cash out tax bypass on chains where a holder dominates the local supply.
-    /// @return The peer chain's total supply.
-    function peerChainTotalSupply() external view returns (uint256);
-
     /// @notice The aggregate peer chain balance, normalized to a desired currency and decimal precision using JBPrices.
     /// @dev The balance is stored as ETH-denominated (18 decimals) and converted to the requested currency/decimals
     /// using the local JBPrices oracle.
@@ -150,6 +144,12 @@ interface IJBSucker is IERC165 {
     /// @return A `JBDenominatedAmount` with the converted value.
     function peerChainSurplusOf(uint256 decimals, uint256 currency) external view returns (JBDenominatedAmount memory);
 
+    /// @notice The last known total token supply on the peer chain, updated each time a bridge message is received.
+    /// @dev Used by data hooks to compute `effectiveTotalSupply = localSupply + sum(peerChainTotalSupply)` across all
+    /// suckers, preventing cash out tax bypass on chains where a holder dominates the local supply.
+    /// @return The peer chain's total supply.
+    function peerChainTotalSupply() external view returns (uint256);
+
     /// @notice The ID of the project on the local chain that this sucker is associated with.
     /// @return The project ID.
     function projectId() external view returns (uint256);
@@ -159,6 +159,11 @@ interface IJBSucker is IERC165 {
     /// @return The remote token info.
     function remoteTokenFor(address token) external view returns (JBRemoteToken memory);
 
+    /// @notice The freshness key of the latest accepted peer-chain economic snapshot.
+    /// @dev Higher values are fresher. The key is source-chain monotonic, not a value magnitude.
+    /// @return The latest peer-chain snapshot freshness key.
+    function snapshotTimestamp() external view returns (uint256);
+
     /// @notice The current deprecation state of this sucker.
     /// @return The sucker state.
     function state() external view returns (JBSuckerState);