@bananapus/suckers-v6 0.0.57 → 0.0.58

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.57",
+  "version": "0.0.58",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -26,7 +26,7 @@
   },
   "dependencies": {
     "@arbitrum/nitro-contracts": "3.2.0",
-    "@bananapus/core-v6": "^0.0.60",
+    "@bananapus/core-v6": "^0.0.66",
     "@bananapus/permission-ids-v6": "^0.0.27",
     "@chainlink/contracts-ccip": "1.6.4",
     "@chainlink/local": "0.2.7",

package/src/JBBaseSucker.sol

@@ -16,7 +16,7 @@ contract JBBaseSucker is JBOptimismSucker {
     // ---------------------------- constructor -------------------------- //
     //*********************************************************************//
 
-    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param deployer A contract that deploys clones of this contract.
     /// @param directory A contract storing directories of terminals and controllers for each project.
     /// @param permissions A contract storing permissions.
     /// @param prices The price oracle used to convert peer-chain balances and surplus.

package/src/JBCeloSucker.sol

@@ -35,7 +35,7 @@ contract JBCeloSucker is JBOptimismSucker {
     // ---------------------------- constructor -------------------------- //
     //*********************************************************************//
 
-    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param deployer A contract that deploys clones of this contract.
     /// @param directory A contract storing directories of terminals and controllers for each project.
     /// @param permissions A contract storing permissions.
     /// @param prices The price oracle used to convert peer-chain balances and surplus.
@@ -135,7 +135,7 @@ contract JBCeloSucker is JBOptimismSucker {
     {
         index; // Silence unused parameter warning (not needed for Celo bridge).
 
-        // Revert if there's a `msg.value`. The OP bridge does not expect to be paid.
+        // Revert if there's a `msg.value`. The Celo bridge does not expect to be paid.
         if (transportPayment != 0) {
             revert JBSucker_UnexpectedMsgValue({value: transportPayment});
         }

package/src/JBOptimismSucker.sol

@@ -36,7 +36,7 @@ contract JBOptimismSucker is JBSucker, IJBOptimismSucker {
     // ---------------------------- constructor -------------------------- //
     //*********************************************************************//
 
-    /// @param deployer A contract that deploys the clones for this contracts.
+    /// @param deployer A contract that deploys clones of this contract.
     /// @param directory A contract storing directories of terminals and controllers for each project.
     /// @param permissions A contract storing permissions.
     /// @param prices The price oracle used to convert peer-chain balances and surplus.

package/src/JBSucker.sol

@@ -95,12 +95,10 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     // ------------------------- public constants ------------------------ //
     //*********************************************************************//
 
-    /// @notice A reasonable minimum gas limit for a basic cross-chain call. The minimum amount of gas required to call
-    /// the `fromRemote` (successfully/safely) on the remote chain.
+    /// @notice A reasonable minimum gas limit for a basic cross-chain call to `fromRemote` on the remote chain.
     uint32 public constant override MESSENGER_BASE_GAS_LIMIT = 300_000;
 
-    /// @notice A reasonable minimum gas limit used when bridging ERC-20s. The minimum amount of gas required to
-    /// (successfully/safely) perform a transfer on the remote chain.
+    /// @notice A reasonable minimum gas limit for performing an ERC-20 transfer on the remote chain.
     uint32 public constant override MESSENGER_ERC20_MIN_GAS_LIMIT = 200_000;
 
     /// @notice The message format version. Used to reject incompatible messages from remote chains.
@@ -601,7 +599,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             account: _ownerOf(_projectId), projectId: _projectId, permissionId: JBPermissionIds.SET_SUCKER_DEPRECATION
         });
 
-        // This is the earliest time for when the sucker can be considered deprecated.
+        // This is the earliest time the sucker can be considered deprecated.
         // There is a mandatory delay to allow for remaining messages to be received.
         // This should be called on both sides of the suckers, preferably with a matching timestamp.
         uint256 nextEarliestDeprecationTime = block.timestamp + _maxMessagingDelay();
@@ -804,7 +802,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             return JBSuckerState.ENABLED;
         }
 
-        // The sucker will soon be considered deprecated, this functions only as a warning to users.
+        // The sucker is close to deprecation; this state only warns users.
         // Deprecation state is intentionally time-based.
         // forge-lint: disable-next-line(block-timestamp)
         if (block.timestamp < _deprecatedAfter - _maxMessagingDelay()) {
@@ -960,7 +958,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
         }
     }
 
-    /// @notice The action(s) to perform after a user has succesfully proven their claim.
+    /// @notice Actions to perform after a user has successfully proven their claim.
     /// @param terminalToken The terminal token to suck.
     /// @param terminalTokenAmount The amount of terminal tokens.
     /// @param projectTokenAmount The amount of project tokens.
@@ -1204,10 +1202,8 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     }
 
     /// @notice Send the outbox root for the specified token to the remote peer.
-    /// @dev The call may have a `transportPayment` for bridging native tokens. Require it to be `0` if it is not
-    /// needed. Make sure if a value being paid to the bridge is expected to revert if the given value is `0`.
-    /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message. (usually
-    /// derived from `msg.value`)
+    /// @dev Some bridges require a nonzero `transportPayment`; zero-cost bridges must reject nonzero values.
+    /// @param transportPayment The amount of `msg.value` paid to the transport for this message.
     /// @param token The terminal token to bridge the merkle tree of.
     /// @param remoteToken The remote token which the `token` is mapped to.
     function _sendRoot(uint256 transportPayment, address token, JBRemoteToken memory remoteToken) internal virtual {
@@ -1324,8 +1320,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
         // Register the leaf as executed to prevent double-spending.
         _executedFor[terminalToken].set(index);
 
-        // Calculate the root based on the leaf, the branch, and the index.
-        // Compare to the current root, Revert if they do not match.
+        // Calculate the root and compare it to the current inbox root.
         _validateBranchRoot({
             expectedRoot: _inboxOf[terminalToken].root,
             projectTokenCount: projectTokenCount,
@@ -1371,7 +1366,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             index: index
         });
 
-        // Compare to the current root, Revert if they do not match.
+        // Revert if the computed root does not match the expected inbox root.
         if (root != expectedRoot) {
             revert JBSucker_InvalidProof({root: root, inboxRoot: expectedRoot});
         }
@@ -1453,8 +1448,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
             _executedFor[emergencyExitAddress].set(index);
         }
 
-        // Calculate the root based on the leaf, the branch, and the index.
-        // Compare to the current root, Revert if they do not match.
+        // Calculate the root and compare it to the current outbox root.
         _validateBranchRoot({
             expectedRoot: _computeOutboxRoot(_outboxOf[terminalToken].tree),
             projectTokenCount: projectTokenCount,

package/src/JBSuckerRegistry.sol

@@ -35,6 +35,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
     error JBSuckerRegistry_InvalidDeployer(IJBSuckerDeployer deployer);
     error JBSuckerRegistry_SuckerDoesNotBelongToProject(uint256 projectId, address sucker);
     error JBSuckerRegistry_SuckerIsNotDeprecated(address sucker, JBSuckerState suckerState);
+    error JBSuckerRegistry_ZeroPeerChainId(address sucker);
 
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
@@ -142,8 +143,9 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             (, uint256 val) = _suckersOf[projectId].tryGet(allSuckers[i]);
             if (val == _SUCKER_EXISTS) {
                 IJBSucker sucker = IJBSucker(allSuckers[i]);
-                pairs[j] =
-                    JBSuckersPair({local: address(sucker), remote: sucker.peer(), remoteChainId: sucker.peerChainId()});
+                pairs[j] = JBSuckersPair({
+                    local: address(sucker), remote: sucker.peer(), remoteChainId: _peerChainIdOf(sucker)
+                });
                 unchecked {
                     ++j;
                 }
@@ -220,7 +222,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
                 try IJBSucker(allSuckers[i]).peerChainBalanceOf({decimals: decimals, currency: currency}) returns (
                     JBDenominatedAmount memory amt
                 ) {
-                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    uint256 chainId = _peerChainIdOf(IJBSucker(allSuckers[i]));
                     scratch.chainCount = _recordPeerValue({
                         scratch: scratch,
                         chainId: chainId,
@@ -276,7 +278,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
                 try IJBSucker(allSuckers[i]).peerChainSurplusOf({decimals: decimals, currency: currency}) returns (
                     JBDenominatedAmount memory amt
                 ) {
-                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    uint256 chainId = _peerChainIdOf(IJBSucker(allSuckers[i]));
                     scratch.chainCount = _recordPeerValue({
                         scratch: scratch,
                         chainId: chainId,
@@ -319,7 +321,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             // Include both active and deprecated suckers in aggregate economic views.
             if (val == _SUCKER_EXISTS || val == _SUCKER_DEPRECATED) {
                 try IJBSucker(allSuckers[i]).peerChainTotalSupply() returns (uint256 supply) {
-                    uint256 chainId = IJBSucker(allSuckers[i]).peerChainId();
+                    uint256 chainId = _peerChainIdOf(IJBSucker(allSuckers[i]));
                     scratch.chainCount = _recordPeerValue({
                         scratch: scratch,
                         chainId: chainId,
@@ -377,6 +379,14 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
         scratch.hasActiveValue = new bool[](len);
     }
 
+    /// @notice Reads a sucker's peer chain ID, reverting if the sucker cannot identify a real peer chain.
+    /// @param sucker The sucker to query.
+    /// @return chainId The non-zero peer chain ID.
+    function _peerChainIdOf(IJBSucker sucker) internal view returns (uint256 chainId) {
+        chainId = sucker.peerChainId();
+        if (chainId == 0) revert JBSuckerRegistry_ZeroPeerChainId({sucker: address(sucker)});
+    }
+
     /// @notice Records a project-scoped peer-chain aggregate value.
     /// @dev Callers pass scratch arrays sized from `_suckersOf[projectId].keys()`, so entries are already scoped to
     /// the project being aggregated. For each peer chain, active suckers replace deprecated suckers; deprecated
@@ -544,6 +554,7 @@ contract JBSuckerRegistry is ERC2771Context, Ownable, JBPermissioned, IJBSuckerR
             // Create the sucker.
             IJBSucker sucker = configuration.deployer
             .createForSender({localProjectId: projectId, salt: salt, peer: configuration.peer});
+            _peerChainIdOf(sucker);
             suckers[i] = address(sucker);
 
             // Store the sucker as being deployed for this project.

package/src/JBSwapCCIPSucker.sol

@@ -88,6 +88,7 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
 
     error JBSwapCCIPSucker_BatchNotReceived(uint64 nonce);
     error JBSwapCCIPSucker_CallerNotPoolManager(address caller);
+    error JBSwapCCIPSucker_DuplicateBatch(uint64 nonce);
     error JBSwapCCIPSucker_InvalidBridgeToken(address bridgeToken, address wrappedNativeToken);
     error JBSwapCCIPSucker_NoPendingSwap(address localToken, uint64 nonce, bool retrySwapLocked);
     error JBSwapCCIPSucker_OnlySelf(address caller, address expected);
@@ -336,6 +337,19 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
                 }
             }
 
+            // Detect an already-processed batch before the swap path. The inbox nonce alone cannot be used here:
+            // CCIP can deliver nonce 2 before nonce 1, and nonce 1 still needs its self-described batch metadata.
+            if (
+                _batchEndOf[localToken][nonce] != 0 || _conversionRateOf[localToken][nonce].leafTotal != 0
+                    || pendingSwapOf[localToken][nonce].bridgeAmount != 0
+            ) {
+                if (deliveredAmount != 0) {
+                    revert JBSwapCCIPSucker_DuplicateBatch({nonce: nonce});
+                }
+
+                return;
+            }
+
             // After the validation block above, `deliveredToken != address(0)` iff a delivery was present,
             // because the invariants ensure it equals `BRIDGE_TOKEN` (a non-zero ERC-20) whenever there is one.
             if (deliveredToken != address(0)) {
@@ -378,61 +392,54 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
             //
             // Detect "already seen" without extra storage: a nonce has been processed if it has
             // either a batch range (batchEnd > 0) or a conversion rate / pending swap recorded.
-            if (
-                _batchEndOf[localToken][nonce] == 0 && _conversionRateOf[localToken][nonce].leafTotal == 0
-                    && pendingSwapOf[localToken][nonce].leafTotal == 0
-            ) {
-                // Record the batch range so _findNonceForLeafIndex can resolve leaf ownership
-                // independently of nonce ordering. Each nonce is self-describing: [start, end).
-                if (batchEnd > 0) {
-                    // Record this batch's half-open leaf range `[batchStart, batchEnd)`. Self-
-                    // describing per-nonce — no implicit chain across nonces — so out-of-order
-                    // delivery can still resolve a leaf to its batch.
-                    _batchStartOf[localToken][nonce] = batchStart;
-                    _batchEndOf[localToken][nonce] = batchEnd;
-
-                    // Append `nonce` to the populated-nonce list for this token. The outer
-                    // `_batchEndOf == 0 && _conversionRateOf == 0 && pendingSwapOf == 0` guard
-                    // fires at most once per (token, nonce), so each populated nonce is appended
-                    // exactly once — the array stays duplicate-free without extra checks.
-                    //
-                    // Reading `_populatedNonceCount[localToken]` first into a local lets us write
-                    // the new slot and the new count in a single read-modify-write pair (one
-                    // SLOAD, two SSTOREs to distinct slots). The `unchecked` increment is safe:
-                    // `priorCount` is bounded by the total number of populated nonces, which is
-                    // upper-bounded by the CCIP nonce space (`uint64`) — overflow requires more
-                    // batches than `uint64.max`, which the inbox can never produce.
-                    uint64 priorCount = _populatedNonceCount[localToken];
-                    _populatedNonceByIndex[localToken][priorCount] = nonce;
-                    unchecked {
-                        _populatedNonceCount[localToken] = priorCount + 1;
-                    }
+            // Record the batch range so _findNonceForLeafIndex can resolve leaf ownership
+            // independently of nonce ordering. Each nonce is self-describing: [start, end).
+            if (batchEnd > 0) {
+                // Record this batch's half-open leaf range `[batchStart, batchEnd)`. Self-
+                // describing per-nonce — no implicit chain across nonces — so out-of-order
+                // delivery can still resolve a leaf to its batch.
+                _batchStartOf[localToken][nonce] = batchStart;
+                _batchEndOf[localToken][nonce] = batchEnd;
+
+                // Append `nonce` to the populated-nonce list for this token. The duplicate guard
+                // above fires at most once per (token, nonce), so each populated nonce is appended
+                // exactly once — the array stays duplicate-free without extra checks.
+                //
+                // Reading `_populatedNonceCount[localToken]` first into a local lets us write
+                // the new slot and the new count in a single read-modify-write pair (one
+                // SLOAD, two SSTOREs to distinct slots). The `unchecked` increment is safe:
+                // `priorCount` is bounded by the total number of populated nonces, which is
+                // upper-bounded by the CCIP nonce space (`uint64`) — overflow requires more
+                // batches than `uint64.max`, which the inbox can never produce.
+                uint64 priorCount = _populatedNonceCount[localToken];
+                _populatedNonceByIndex[localToken][priorCount] = nonce;
+                unchecked {
+                    _populatedNonceCount[localToken] = priorCount + 1;
                 }
+            }
+
+            // Store pendingSwapOf for failed swaps now that nonce is validated.
+            if (swapFailed) {
+                pendingSwapOf[localToken][nonce] =
+                    PendingSwap({bridgeToken: deliveredToken, bridgeAmount: deliveredAmount, leafTotal: leafTotal});
+            }
 
-                // Store pendingSwapOf for failed swaps now that nonce is validated.
-                if (swapFailed) {
+            // Zero-output swap guard: When a swap succeeds but returns zero local tokens, the
+            // batch must NOT be marked claimable. Without this guard, `_addToBalance` would see
+            // `pendingSwapOf.bridgeAmount == 0` (no pending swap stored) and allow claims to
+            // proceed — minting the full bridged project-token amount while adding zero terminal
+            // backing, breaking cross-chain solvency.
+            //
+            // Route zero-output swaps into `pendingSwapOf` so the swap can be retried via
+            // `retrySwap` once pool conditions improve. Only store the conversion rate when
+            // the swap produced a positive local amount.
+            if (leafTotal > 0 && !swapFailed) {
+                if (localAmount == 0 && deliveredAmount > 0) {
                     pendingSwapOf[localToken][nonce] =
                         PendingSwap({bridgeToken: deliveredToken, bridgeAmount: deliveredAmount, leafTotal: leafTotal});
-                }
-
-                // Zero-output swap guard: When a swap succeeds but returns zero local tokens, the
-                // batch must NOT be marked claimable. Without this guard, `_addToBalance` would see
-                // `pendingSwapOf.bridgeAmount == 0` (no pending swap stored) and allow claims to
-                // proceed — minting the full bridged project-token amount while adding zero terminal
-                // backing, breaking cross-chain solvency.
-                //
-                // Route zero-output swaps into `pendingSwapOf` so the swap can be retried via
-                // `retrySwap` once pool conditions improve. Only store the conversion rate when
-                // the swap produced a positive local amount.
-                if (leafTotal > 0 && !swapFailed) {
-                    if (localAmount == 0 && deliveredAmount > 0) {
-                        pendingSwapOf[localToken][nonce] = PendingSwap({
-                            bridgeToken: deliveredToken, bridgeAmount: deliveredAmount, leafTotal: leafTotal
-                        });
-                    } else {
-                        _conversionRateOf[localToken][nonce] =
-                            ConversionRate({leafTotal: leafTotal, localTotal: localAmount});
-                    }
+                } else {
+                    _conversionRateOf[localToken][nonce] =
+                        ConversionRate({leafTotal: leafTotal, localTotal: localAmount});
                 }
             }
         } else {