@bananapus/suckers-v6 0.0.59 → 0.0.60

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.59",
+  "version": "0.0.60",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/JBCCIPSucker.sol

@@ -38,7 +38,11 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     //*********************************************************************//
 
     error JBCCIPSucker_InvalidRouter(address router);
+    error JBCCIPSucker_PositiveRootWithoutDelivery(uint256 rootAmount);
+    error JBCCIPSucker_UnderDeliveredAmount(uint256 delivered, uint256 rootAmount);
+    error JBCCIPSucker_UnexpectedDeliveredTokens(uint256 count);
     error JBCCIPSucker_UnknownMessageType(uint8 messageType);
+    error JBCCIPSucker_WrongDeliveredToken(address delivered, address expected);
 
     //*********************************************************************//
     // ------------------------------ events ----------------------------- //
@@ -175,6 +179,42 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
             // Decode the root message from the payload.
             JBMessageRoot memory root = abi.decode(payload, (JBMessageRoot));
 
+            // Cross-check the delivered tokens against the advertised root before recording anything.
+            //
+            // The send-side guarantees at most one entry in `destTokenAmounts`: length 0 for zero-value batches,
+            // length 1 for value-bearing batches. A compromised peer (or a malformed CCIP delivery) that violates
+            // these invariants would otherwise let `fromRemote` record a root advertising more value than was
+            // bridged, letting later claims mint project tokens against unrelated balance until the inbox runs dry.
+            // `JBSwapCCIPSucker.ccipReceive` already enforces equivalent reverts for the swap variant; mirror
+            // them here so both variants share a single defensive baseline.
+            uint256 deliveryCount = any2EvmMessage.destTokenAmounts.length;
+            if (deliveryCount > 1) {
+                revert JBCCIPSucker_UnexpectedDeliveredTokens(deliveryCount);
+            }
+            if (deliveryCount == 0) {
+                if (root.amount > 0) revert JBCCIPSucker_PositiveRootWithoutDelivery(root.amount);
+            } else {
+                Client.EVMTokenAmount calldata delivered = any2EvmMessage.destTokenAmounts[0];
+
+                // For NATIVE_TOKEN bridges the delivered ERC-20 is the wrapped native token (CCIP cannot transport
+                // raw native), so the token-identity check happens inside `unwrapReceivedTokens` against the
+                // router-reported wrapped native address. For everything else, the delivered token must equal the
+                // local mapped token the root advertises.
+                if (root.token != bytes32(uint256(uint160(JBConstants.NATIVE_TOKEN)))) {
+                    address expectedToken = _toAddress(root.token);
+                    if (delivered.token != expectedToken) {
+                        revert JBCCIPSucker_WrongDeliveredToken({delivered: delivered.token, expected: expectedToken});
+                    }
+                }
+
+                // The bridged amount must back at least the value the root advertises. A short delivery against a
+                // positive root is the structural twin of "no delivery + positive root" — both leave the inbox
+                // recording more claimable value than it actually holds.
+                if (delivered.amount < root.amount) {
+                    revert JBCCIPSucker_UnderDeliveredAmount({delivered: delivered.amount, rootAmount: root.amount});
+                }
+            }
+
             // Only unwrap wrapped native token when the root targets native token (not when claiming it as ERC-20).
             if (root.token == bytes32(uint256(uint160(JBConstants.NATIVE_TOKEN)))) {
                 JBCCIPLib.unwrapReceivedTokens({

package/src/JBSucker.sol

@@ -90,6 +90,7 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
     error JBSucker_UnexpectedMsgValue(uint256 value);
     error JBSucker_ZeroBeneficiary(bytes32 beneficiary);
     error JBSucker_ZeroERC20Token(uint256 projectId);
+    error JBSucker_ZeroProjectTokenCount();
 
     //*********************************************************************//
     // ------------------------- public constants ------------------------ //
@@ -553,6 +554,14 @@ abstract contract JBSucker is ERC2771Context, JBPermissioned, Initializable, ERC
         external
         override
     {
+        // Reject zero-token prepares. A zero-token prepare burns nothing and reclaims nothing, but it still inserts a
+        // leaf into the outbox tree and lets `toRemote` ship a zero-value bridge message — a permissionless way to
+        // inflate the per-token populated-nonce list on swap-CCIP suckers, taxing every legitimate claim with extra
+        // lookup work and eventually exceeding the block gas limit.
+        if (projectTokenCount == 0) {
+            revert JBSucker_ZeroProjectTokenCount();
+        }
+
         // Make sure the beneficiary is not the zero address, as this would revert when minting on the remote chain.
         if (beneficiary == bytes32(0)) {
             revert JBSucker_ZeroBeneficiary({beneficiary: beneficiary});

package/src/JBSwapCCIPSucker.sol

@@ -376,7 +376,15 @@ contract JBSwapCCIPSucker is JBCCIPSucker, IUnlockCallback, IUniswapV3SwapCallba
             // either a batch range (batchEnd > 0) or a conversion rate / pending swap recorded.
             // Record the batch range so _findNonceForLeafIndex can resolve leaf ownership
             // independently of nonce ordering. Each nonce is self-describing: [start, end).
-            if (batchEnd > 0) {
+            //
+            // Only record metadata for batches that carry value (`leafTotal > 0`). The base-sucker
+            // `prepare` revert on zero `projectTokenCount` blocks the legitimate spam entry point,
+            // but a compromised peer or a `projectTokenCount = 1`-style bypass could still ship a
+            // zero-leaf root over the bridge. Skipping the metadata write here ensures such roots
+            // cannot inflate `_populatedNonceByIndex` and tax future `_findNonceForLeafIndex`
+            // walks. Roots with `leafTotal == 0` carry no claimable leaves, so there is nothing
+            // for `_findNonceForLeafIndex` to resolve against them.
+            if (batchEnd > 0 && leafTotal > 0) {
                 // Record this batch's half-open leaf range `[batchStart, batchEnd)`. Self-
                 // describing per-nonce — no implicit chain across nonces — so out-of-order
                 // delivery can still resolve a leaf to its batch.

package/src/libraries/JBSwapPoolLib.sol

@@ -619,7 +619,14 @@ library JBSwapPoolLib {
         });
     }
 
-    /// @notice Get a V4 quote with dynamic slippage. Hooked pools must serve TWAP; hookless pools use spot fallback.
+    /// @notice Get a V4 quote with dynamic slippage. Hooked pools must serve TWAP for BOTH the price tick and the
+    /// liquidity input into sigmoid slippage; hookless pools fall back to spot for both.
+    /// @dev Matches the buyback hook's TWAP pattern (`JBSwapLib.getQuoteFromOracle`): for hooked routes we derive
+    /// `harmonicMeanLiquidity` from the oracle's `secondsPerLiquidityCumulativeX128s`, not from
+    /// `PoolManager.getLiquidity` (which returns current spot and is JIT-LP-manipulable across a single block).
+    /// Sigmoid slippage tolerance is driven by `amountIn / liquidity`; feeding spot liquidity into a TWAP-derived
+    /// tick lets an LP shrink the denominator in the same block as a CCIP delivery, ballooning the tolerance to
+    /// `MAX_SLIPPAGE` (88%) for a one-shot per-batch immutable conversion rate that all claimers then inherit.
     /// @param config The swap configuration (pool manager, wrapped native token addresses).
     /// @param key The V4 pool key to quote against.
     /// @param normalizedTokenIn The normalized input token address.
@@ -644,37 +651,54 @@ library JBSwapPoolLib {
         PoolId id = key.toId();
 
         {
-            // If the pool has a hook, require a TWAP from the geomean oracle.
+            // If the pool has a hook, require a TWAP from the geomean oracle for both price AND liquidity.
             if (address(key.hooks) != address(0)) {
                 // Build the observation window: [_V4_TWAP_WINDOW seconds ago, now].
                 uint32[] memory secondsAgos = new uint32[](2);
                 secondsAgos[0] = _V4_TWAP_WINDOW;
                 secondsAgos[1] = 0;
 
-                // Read the TWAP from the hook's geomean oracle. The seconds-per-liquidity array is not used for
-                // price checks.
-                (int56[] memory tickCumulatives,) =
+                // Read both the TWAP tick and the seconds-per-liquidity series so liquidity is also time-averaged.
+                (int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s) =
                     IGeomeanOracle(address(key.hooks)).observe({key: key, secondsAgos: secondsAgos});
-                if (tickCumulatives.length < 2) {
+                if (tickCumulatives.length < 2 || secondsPerLiquidityCumulativeX128s.length < 2) {
                     revert JBSwapPoolLib_InsufficientTwapHistory({
                         pool: address(key.hooks), availableWindow: tickCumulatives.length, requiredWindow: 2
                     });
                 }
 
-                // Compute the arithmetic mean tick from the cumulative tick difference.
-                // The geomean oracle returns the same int24 tick domain used by Uniswap pools.
+                // Compute the arithmetic mean tick from the cumulative tick difference, rounding negative values
+                // toward negative infinity to match Uniswap's oracle pattern and the buyback hook.
+                int56 tickCumulativesDelta = tickCumulatives[1] - tickCumulatives[0];
                 // forge-lint: disable-next-line(unsafe-typecast)
-                tick = int24((tickCumulatives[1] - tickCumulatives[0]) / int56(int32(_V4_TWAP_WINDOW)));
+                tick = int24(tickCumulativesDelta / int56(int32(_V4_TWAP_WINDOW)));
+                // forge-lint: disable-next-line(unsafe-typecast)
+                if (tickCumulativesDelta < 0 && tickCumulativesDelta % int56(int32(_V4_TWAP_WINDOW)) != 0) {
+                    tick--;
+                }
+
+                // Derive harmonic-mean liquidity from the seconds-per-liquidity delta. This is the same shape the
+                // buyback hook uses (`JBSwapLib.getQuoteFromOracle`) and resists JIT-LP liquidity removal in the
+                // delivery block — the manipulation has to persist across the full TWAP window to move the average.
+                uint160 secondsPerLiquidityDelta =
+                    secondsPerLiquidityCumulativeX128s[1] - secondsPerLiquidityCumulativeX128s[0];
+
+                if (secondsPerLiquidityDelta > 0) {
+                    // Safe: `(uint256(_V4_TWAP_WINDOW) << 128) / secondsPerLiquidityDelta` fits in uint128 because
+                    // _V4_TWAP_WINDOW is at most a uint32 (~4.3B) and the divisor is > 0 in this branch.
+                    // forge-lint: disable-next-line(unsafe-typecast)
+                    liquidity = uint128((uint256(_V4_TWAP_WINDOW) << 128) / uint256(secondsPerLiquidityDelta));
+                }
+                // If `secondsPerLiquidityDelta == 0`, liquidity stays 0 and the no-liquidity revert below fires —
+                // refuse to quote a hooked route whose averaged liquidity is degenerate.
             } else {
                 // Hookless V4 spot pools are only selected when no TWAP-capable route exists.
                 (, tick,,) = config.poolManager.getSlot0(id);
+                liquidity = config.poolManager.getLiquidity(id);
             }
-
-            // Query the pool's current in-range liquidity.
-            liquidity = config.poolManager.getLiquidity(id);
         }
 
-        // Revert if the pool has no in-range liquidity.
+        // Revert if the pool has no usable in-range liquidity (spot for hookless, TWAP-derived for hooked).
         if (liquidity == 0) revert JBSwapPoolLib_NoLiquidity({pool: address(0), poolId: id});
 
         // V4 uses address(0) for native ETH — compute quoting addresses inline to save stack slots.
@@ -864,8 +888,8 @@ library JBSwapPoolLib {
         return _observationIsOldEnough({observationTimestamp: observationTimestamp, window: _DEFAULT_TWAP_WINDOW});
     }
 
-    /// @notice Check whether a V4 hooked pool can return cumulative ticks for the required TWAP window.
-    /// @dev Hookless pools return false. Reverting hooks and hooks that return fewer than two cumulative tick values
+    /// @notice Check whether a V4 hooked pool can return TWAP price and liquidity for the required window.
+    /// @dev Hookless pools return false. Reverting hooks and hooks that return incomplete or degenerate oracle data
     /// are treated as unusable for TWAP routing.
     /// @param key The V4 pool key whose hook should be probed.
     /// @return True if the hook can serve both the historical and current cumulative tick observations.
@@ -876,12 +900,12 @@ library JBSwapPoolLib {
         secondsAgos[0] = _V4_TWAP_WINDOW;
         secondsAgos[1] = 0;
 
-        // Pool discovery intentionally probes candidate hooks in a bounded pool list. The seconds-per-liquidity array
-        // is not needed for the history check.
+        // Pool discovery intentionally probes candidate hooks in a bounded pool list.
         try IGeomeanOracle(address(key.hooks)).observe({key: key, secondsAgos: secondsAgos}) returns (
-            int56[] memory tickCumulatives, uint160[] memory
+            int56[] memory tickCumulatives, uint160[] memory secondsPerLiquidityCumulativeX128s
         ) {
-            return tickCumulatives.length >= 2;
+            if (tickCumulatives.length < 2 || secondsPerLiquidityCumulativeX128s.length < 2) return false;
+            return secondsPerLiquidityCumulativeX128s[1] > secondsPerLiquidityCumulativeX128s[0];
         } catch {
             return false;
         }