@bananapus/suckers-v6 0.0.76 → 0.0.78

package/README.md

@@ -23,6 +23,7 @@ Suckers bridge a project by tracking claims in append-only Merkle trees:
 
 - users call `prepare` to burn tokens and create a bridge claim in the local outbox tree
 - anyone can relay the current root to the peer chain with `toRemote`
+- anyone can refresh or retry peer accounting with `syncAccountingData`
 - claimants prove inclusion against the peer inbox tree to mint on the destination chain
 
 The base implementation is extended for multiple bridge families so the same project model can work across different networks.
@@ -35,16 +36,17 @@ The main idea is not "bridge the token contract." The main idea is "bridge a Jui
 
 | Contract | Role |
 | --- | --- |
-| `JBSucker` | Base bridge logic for prepare, relay, claim, token mapping, and lifecycle controls. |
+| `JBSucker` | Base bridge logic for prepare, relay, accounting sync, claim, token mapping, and lifecycle controls. |
 | `JBSuckerRegistry` | Registry for per-project sucker deployments, deployer allowlists, and shared bridge fee settings. |
 | Chain-specific suckers | Transport-specific implementations for OP Stack, Arbitrum, CCIP, and related environments. |
 
 ## Mental model
 
-Each sucker pair has two jobs:
+Each sucker pair has three jobs:
 
 1. destroy or lock the local economic position into a claimable message
 2. recreate the remote position from a bridged Merkle root plus transported value
+3. keep the peer's aggregate accounting views fresh enough for cross-chain estimates
 
 That means every bridge path has two trust surfaces:
 
@@ -65,6 +67,7 @@ That means every bridge path has two trust surfaces:
 - root ordering and message delivery semantics matter as much as proof format
 - token mapping is part of the economic invariant
 - peer contexts are merged only when they share both currency and decimals; same-currency contexts with different decimals are kept separate and valued independently at read time, never summed across precisions
+- `syncAccountingData` pays no registry `toRemoteFee`, but bridge-specific transport costs still apply and duplicate snapshots can still consume bridge/indexer resources
 - emergency and deprecation paths are part of normal operational safety
 
 ## Where state lives
@@ -80,6 +83,7 @@ That means every bridge path has two trust surfaces:
 3. `test/ForkClaimMainnet.t.sol`
 4. `test/regression/PeerSnapshotDesync.t.sol`
 5. `test/regression/ToRemoteFeeIrrecoverable.t.sol`
+6. `test/regression/CCIPUntypedMessageRejected.t.sol`
 
 ## Install
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.76",
+  "version": "0.0.78",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -27,8 +27,8 @@
   },
   "dependencies": {
     "@arbitrum/nitro-contracts": "3.2.0",
-    "@bananapus/core-v6": "^0.0.86",
-    "@bananapus/permission-ids-v6": "^0.0.31",
+    "@bananapus/core-v6": "^0.0.87",
+    "@bananapus/permission-ids-v6": "^0.0.32",
     "@chainlink/contracts-ccip": "1.6.4",
     "@openzeppelin/contracts": "5.6.1",
     "@prb/math": "4.1.2",

package/references/entrypoints.md

@@ -49,6 +49,15 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 | `terminalTokenAmount` | `uint256` | The amount of terminal tokens to claim. |
 | `metadata` | `bytes32` | Opaque, caller-defined payload covered by the leaf hash. `bytes32(0)` when no extra context. |
 
+### `JBAccountingSnapshot` (argument to `fromRemoteAccounting`)
+
+| Field | Type | Meaning |
+|-------|------|---------|
+| `version` | `uint8` | Message format version. Must match `MESSAGE_VERSION`. |
+| `sourceTotalSupply` | `uint256` | Source-chain project-token supply, including reserved tokens. |
+| `sourceContexts` | `JBSourceContext[]` | Raw source-chain surplus and balance contexts, un-valued. |
+| `sourceTimestamp` | `uint256` | Monotonic freshness key used to reject stale accounting updates. |
+
 ## Key functions
 
 ### JBSucker — bridge flow (`IJBSucker`)
@@ -57,6 +66,8 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 |----------|--------------|
 | `prepare(uint256 projectTokenCount, bytes32 beneficiary, uint256 minTokensReclaimed, address token, bytes32 metadata)` | Cash out `projectTokenCount` project tokens into `token` and insert a leaf for `beneficiary` into the outbox tree for bridging. `minTokensReclaimed` bounds slippage; `metadata` is an opaque attribution payload carried in the leaf hash (`bytes32(0)` for a plain bridge). |
 | `toRemote(address token) payable` | Send the current outbox tree root and bridged assets for `token` to the remote peer through the chain-specific transport. `payable` to fund the transport message and the registry's `toRemoteFee`. |
+| `syncAccountingData() payable` | Send the latest total supply, surplus, and balance snapshot without sending an outbox root or paying the registry `toRemoteFee`. Can be retried with unchanged accounting data; `payable` only funds bridge transport. |
+| `fromRemoteAccounting(JBAccountingSnapshot calldata snapshot)` | Authenticated receive path for accounting-only snapshots. Updates peer accounting if the snapshot is fresher, without touching any token-local inbox root. |
 | `claim(JBClaim calldata claimData)` | Claim bridged project tokens for the leaf's beneficiary by proving inclusion against the inbox root. |
 | `claim(JBClaim[] calldata claims)` | Claim multiple leaves in one call. Each leaf is routed through an external `this.claim` sub-call, so one failing leaf emits `ClaimFailed` and is reverted in isolation while the rest of the batch proceeds; the failed leaf stays claimable later. |
 | `mapToken(JBTokenMapping calldata map) payable` | Map a single local token to a remote token for bridging. Mappings are immutable once the outbox tree has entries (can only be disabled, not remapped). Requires `MAP_SUCKER_TOKEN` permission (initial mappings are applied at deploy under `DEPLOY_SUCKERS`). |

package/references/operations.md

@@ -12,7 +12,7 @@
 - If you edit token mapping logic, re-check the registry and deployer assumptions that feed it.
 - If you edit token mapping semantics, verify that remapping is still impossible once outbox activity has made economic equivalence depend on permanence.
 - If you edit deprecation or emergency paths, verify the intended operator workflow still works end to end.
-- If you edit snapshot or claim-boundary logic, verify `numberOfClaimsSent`, peer snapshots, and emergency exit behavior together.
+- If you edit snapshot or claim-boundary logic, verify `numberOfClaimsSent`, peer snapshots, `syncAccountingData`, and emergency exit behavior together.
 - If you touch bridge-specific code, confirm whether the real bug is transport-side or shared accounting-side.
 
 ## Common failure modes

package/references/runtime.md

@@ -11,8 +11,9 @@
 
 1. Local state is prepared into a claimable Merkle leaf.
 2. A root is relayed to the peer chain through the bridge-specific transport.
-3. The remote side records the root in its inbox state.
-4. Claimants prove inclusion and recreate their position on the destination chain.
+3. The remote side records the root in its inbox state and stores the latest peer accounting snapshot.
+4. Accounting-only snapshots can also be relayed or retried with `syncAccountingData` without sending a new root.
+5. Claimants prove inclusion and recreate their position on the destination chain.
 
 ## High-risk areas
 
@@ -21,10 +22,11 @@
 - Emergency and deprecation paths: these are operational safety surfaces that must remain reliable.
 - Shared accounting vs transport logic: many incidents stem from confusing these layers.
 - Peer snapshots and `numberOfClaimsSent`: these guard against double-spend at the cost of conservative locking when timing goes wrong.
+- Accounting-only messages: these must never mutate token-local inbox roots or claimable value.
 
 ## Tests to trust first
 
 - [`test/ForkMainnet.t.sol`](../test/ForkMainnet.t.sol), [`test/ForkArbitrum.t.sol`](../test/ForkArbitrum.t.sol), [`test/ForkCelo.t.sol`](../test/ForkCelo.t.sol), and [`test/ForkOPStack.t.sol`](../test/ForkOPStack.t.sol) for real transport assumptions.
 - [`test/ForkSwap.t.sol`](../test/ForkSwap.t.sol), [`test/ForkClaimMainnet.t.sol`](../test/ForkClaimMainnet.t.sol), and [`test/SuckerRegressions.t.sol`](../test/SuckerRegressions.t.sol) for pinned cross-chain edge cases.
 - [`test/unit/invariants.t.sol`](../test/unit/invariants.t.sol), [`test/unit/peer_chain_state.t.sol`](../test/unit/peer_chain_state.t.sol), and [`test/unit/registry.t.sol`](../test/unit/registry.t.sol) for shared-accounting invariants.
-- [`test/SuckerAttacks.t.sol`](../test/SuckerAttacks.t.sol), [`test/SuckerDeepAttacks.t.sol`](../test/SuckerDeepAttacks.t.sol), [`test/regression/PeerSnapshotDesync.t.sol`](../test/regression/PeerSnapshotDesync.t.sol), and [`test/regression/PeerDeterminism.t.sol`](../test/regression/PeerDeterminism.t.sol) when the bug could involve base logic, registry behavior, or a specific bridge implementation.
+- [`test/SuckerAttacks.t.sol`](../test/SuckerAttacks.t.sol), [`test/SuckerDeepAttacks.t.sol`](../test/SuckerDeepAttacks.t.sol), [`test/regression/PeerSnapshotDesync.t.sol`](../test/regression/PeerSnapshotDesync.t.sol), [`test/regression/CCIPUntypedMessageRejected.t.sol`](../test/regression/CCIPUntypedMessageRejected.t.sol), and [`test/regression/PeerDeterminism.t.sol`](../test/regression/PeerDeterminism.t.sol) when the bug could involve base logic, registry behavior, or a specific bridge implementation.

package/src/JBArbitrumSucker.sol

@@ -23,6 +23,7 @@ import {IArbL2GatewayRouter} from "./interfaces/IArbL2GatewayRouter.sol";
 import {IL1ArbitrumGateway} from "./interfaces/IL1ArbitrumGateway.sol";
 import {IJBArbitrumSucker} from "./interfaces/IJBArbitrumSucker.sol";
 import {ARBChains} from "./libraries/ARBChains.sol";
+import {JBAccountingSnapshot} from "./structs/JBAccountingSnapshot.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 
@@ -75,7 +76,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     }
 
     //*********************************************************************//
-    // ------------------------ external views --------------------------- //
+    // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.
@@ -90,31 +91,26 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     }
 
     //*********************************************************************//
-    // ------------------------ internal views --------------------------- //
+    // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
 
-    /// @notice Checks if the `sender` (`_msgSender()`) is a valid representative of the remote peer.
-    /// @param sender The message's sender.
-    /// @return valid A flag if the sender is a valid representative of the remote peer.
-    function _isRemotePeer(address sender) internal view override returns (bool) {
-        // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
-        address peerAddress = _peerAddress();
-
-        // If we are the L1 peer,
-        if (LAYER == JBLayer.L1) {
-            IBridge bridge = ARBINBOX.bridge();
-            // Check that the sender is the bridge and that the outbox has our peer as the sender.
-            return sender == address(bridge) && peerAddress == IOutbox(bridge.activeOutbox()).l2ToL1Sender();
-        }
-
-        // If we are the L2 peer, check using the `AddressAliasHelper`.
-        return sender == AddressAliasHelper.applyL1ToL2Alias(peerAddress);
+    /// @notice Approves the Arbitrum gateway to spend `amount` of `approvalToken`.
+    /// @param approvalToken The ERC-20 token to approve.
+    /// @param gatewayLookupToken The token key used by the gateway router to resolve the spender.
+    /// @param amount The amount to approve.
+    /// @return gateway The gateway that was approved.
+    function _approveGateway(
+        address approvalToken,
+        address gatewayLookupToken,
+        uint256 amount
+    )
+        internal
+        returns (address gateway)
+    {
+        gateway = GATEWAYROUTER.getGateway(gatewayLookupToken);
+        SafeERC20.forceApprove({token: IERC20(approvalToken), spender: gateway, value: amount});
     }
 
-    //*********************************************************************//
-    // --------------------- internal transactions ----------------------- //
-    //*********************************************************************//
-
     /// @notice Helper to create the retryable ticket, avoiding stack-too-deep.
     function _createRetryableTicket(
         uint256 callTransportCost,
@@ -138,13 +134,37 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         });
     }
 
-    /// @notice Approves the Arbitrum gateway to spend `amount` of `token`.
-    /// @param token The ERC-20 token to approve.
-    /// @param amount The amount to approve.
-    /// @return gateway The gateway that was approved.
-    function _approveGateway(address token, uint256 amount) internal returns (address gateway) {
-        gateway = GATEWAYROUTER.getGateway(token);
-        SafeERC20.forceApprove({token: IERC20(token), spender: gateway, value: amount});
+    /// @notice Uses the L1/L2 message bridge to send accounting data over the bridge to the peer.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
+    /// @param snapshot The accounting snapshot to send to the remote peer.
+    // forge-lint: disable-next-line(mixed-case-function)
+    function _sendAccountingSnapshotOverAMB(
+        uint256 transportPayment,
+        JBAccountingSnapshot memory snapshot
+    )
+        internal
+        override
+    {
+        // Build the calldata that will be sent to the peer. This calls `JBSucker.fromRemoteAccounting` remotely.
+        bytes memory data = abi.encodeCall(JBSucker.fromRemoteAccounting, (snapshot));
+        JBRemoteToken memory remoteToken;
+
+        // Depending on which layer we are on, send the call to the other layer.
+        if (LAYER == JBLayer.L1) {
+            // L1→L2 requires transport payment for retryable tickets.
+            if (transportPayment == 0) revert JBSucker_ExpectedMsgValue({msgValue: transportPayment});
+            _toL2({
+                token: JBConstants.NATIVE_TOKEN,
+                transportPayment: transportPayment,
+                amount: 0,
+                data: data,
+                remoteToken: remoteToken
+            });
+        } else {
+            // L2→L1 via ArbSys is free — reject any transport payment.
+            if (transportPayment != 0) revert JBSucker_UnexpectedMsgValue(transportPayment);
+            _toL1({token: JBConstants.NATIVE_TOKEN, amount: 0, data: data, remoteToken: remoteToken});
+        }
     }
 
     /// @notice Uses the L1/L2 gateway to send the root and assets over the bridge to the peer.
@@ -202,7 +222,9 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         // If the token is an ERC-20, bridge it to the peer.
         // If the amount is `0` then we do not need to bridge any ERC20.
         if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
-            address gateway = _approveGateway({token: token, amount: amount});
+            address gateway = _approveGateway({
+                approvalToken: token, gatewayLookupToken: _toAddress(remoteToken.addr), amount: amount
+            });
 
             // Convert bytes32 types to address at the Arbitrum bridge API boundary.
             IArbL2GatewayRouter(address(GATEWAYROUTER))
@@ -291,7 +313,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             }
 
             // Approve the tokens to be bridged.
-            _approveGateway({token: token, amount: amount});
+            _approveGateway({approvalToken: token, gatewayLookupToken: token, amount: amount});
 
             // Perform the ERC-20 bridge transfer. Convert bytes32 peer to address at the Arbitrum bridge API boundary.
             IArbL1GatewayRouter(address(GATEWAYROUTER)).outboundTransferCustomRefund{value: tokenTransportCost}({
@@ -332,4 +354,26 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             data: data
         });
     }
+
+    //*********************************************************************//
+    // ------------------------ internal views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Checks if the `sender` (`_msgSender()`) is a valid representative of the remote peer.
+    /// @param sender The message's sender.
+    /// @return valid A flag if the sender is a valid representative of the remote peer.
+    function _isRemotePeer(address sender) internal view override returns (bool) {
+        // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
+        address peerAddress = _peerAddress();
+
+        // If we are the L1 peer,
+        if (LAYER == JBLayer.L1) {
+            IBridge bridge = ARBINBOX.bridge();
+            // Check that the sender is the bridge and that the outbox has our peer as the sender.
+            return sender == address(bridge) && peerAddress == IOutbox(bridge.activeOutbox()).l2ToL1Sender();
+        }
+
+        // If we are the L2 peer, check using the `AddressAliasHelper`.
+        return sender == AddressAliasHelper.applyL1ToL2Alias(peerAddress);
+    }
 }

package/src/JBBaseSucker.sol

@@ -32,7 +32,7 @@ contract JBBaseSucker is JBOptimismSucker {
     {}
 
     //*********************************************************************//
-    // ------------------------ external views --------------------------- //
+    // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.

package/src/JBCCIPSucker.sol

@@ -24,6 +24,7 @@ import {CCIPHelper} from "./libraries/CCIPHelper.sol";
 import {JBCCIPLib} from "./libraries/JBCCIPLib.sol";
 
 // Local: structs (alphabetized)
+import {JBAccountingSnapshot} from "./structs/JBAccountingSnapshot.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 import {JBTokenMapping} from "./structs/JBTokenMapping.sol";
@@ -70,9 +71,15 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     // ----------------------- internal constants ------------------------ //
     //*********************************************************************//
 
+    /// @notice Message type prefix for accounting-only messages (fromRemoteAccounting).
+    uint8 internal constant _CCIP_MSG_TYPE_ACCOUNTING = 1;
+
     /// @notice Message type prefix for root messages (fromRemote).
     uint8 internal constant _CCIP_MSG_TYPE_ROOT = 0;
 
+    /// @notice Extra destination gas budgeted for each source accounting context carried in a CCIP message.
+    uint256 internal constant _CCIP_SOURCE_CONTEXT_GAS_LIMIT = 75_000;
+
     //*********************************************************************//
     // --------------- public immutable stored properties ---------------- //
     //*********************************************************************//
@@ -121,39 +128,6 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         if (address(CCIP_ROUTER) == address(0)) revert JBCCIPSucker_InvalidRouter(address(CCIP_ROUTER));
     }
 
-    //*********************************************************************//
-    // ------------------------ external views --------------------------- //
-    //*********************************************************************//
-
-    /// @notice Returns the chain on which the peer is located.
-    /// @return chainId The chain ID of the peer.
-    function peerChainId() public view virtual override returns (uint256 chainId) {
-        return REMOTE_CHAIN_ID;
-    }
-
-    //*********************************************************************//
-    // ------------------------- public views ---------------------------- //
-    //*********************************************************************//
-
-    /// @notice Returns the address of the current CCIP router.
-    /// @return router The CCIP router address.
-    function getRouter() public view returns (address router) {
-        return address(CCIP_ROUTER);
-    }
-
-    /// @notice Checks whether this contract supports a given interface.
-    /// @param interfaceId The interface ID to check.
-    /// @return supported Whether the interface is supported.
-    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver.
-    /// This allows CCIP to check if ccipReceive is available before calling it.
-    /// If this returns false or reverts, only tokens are transferred to the receiver.
-    /// If this returns true, tokens are transferred and ccipReceive is called atomically.
-    /// Additionally, if the receiver address does not have code associated with
-    /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool supported) {
-        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
-    }
-
     //*********************************************************************//
     // --------------------- external transactions ----------------------- //
     //*********************************************************************//
@@ -180,7 +154,7 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         }
 
         // Discriminate message type: abi.encode(uint8 type, bytes payload).
-        (uint8 messageType, bytes memory payload) = JBCCIPLib.decodeTypedMessage(any2EvmMessage.data);
+        (uint8 messageType, bytes memory payload) = abi.decode(any2EvmMessage.data, (uint8, bytes));
 
         // Handle root messages (merkle tree updates with bridged assets).
         if (messageType == _CCIP_MSG_TYPE_ROOT) {
@@ -231,15 +205,119 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
 
             // Forward the root message to this contract's fromRemote handler.
             this.fromRemote(root);
+        } else if (messageType == _CCIP_MSG_TYPE_ACCOUNTING) {
+            // Accounting-only messages must not carry tokens; transported value belongs exclusively to root messages.
+            uint256 deliveryCount = any2EvmMessage.destTokenAmounts.length;
+            if (deliveryCount != 0) {
+                revert JBCCIPSucker_UnexpectedDeliveredTokens(deliveryCount);
+            }
+
+            JBAccountingSnapshot memory snapshot = abi.decode(payload, (JBAccountingSnapshot));
+
+            // Forward the accounting message to this contract's authenticated accounting handler.
+            this.fromRemoteAccounting(snapshot);
         } else {
             revert JBCCIPSucker_UnknownMessageType({messageType: messageType});
         }
     }
 
+    //*********************************************************************//
+    // ------------------------- public views ---------------------------- //
+    //*********************************************************************//
+
+    /// @notice Returns the address of the current CCIP router.
+    /// @return router The CCIP router address.
+    function getRouter() public view returns (address router) {
+        return address(CCIP_ROUTER);
+    }
+
+    /// @notice Returns the chain on which the peer is located.
+    /// @return chainId The chain ID of the peer.
+    function peerChainId() public view virtual override returns (uint256 chainId) {
+        return REMOTE_CHAIN_ID;
+    }
+
+    /// @notice Checks whether this contract supports a given interface.
+    /// @param interfaceId The interface ID to check.
+    /// @return supported Whether the interface is supported.
+    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver.
+    /// This allows CCIP to check if ccipReceive is available before calling it.
+    /// If this returns false or reverts, only tokens are transferred to the receiver.
+    /// If this returns true, tokens are transferred and ccipReceive is called atomically.
+    /// Additionally, if the receiver address does not have code associated with
+    /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool supported) {
+        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
+    }
+
     //*********************************************************************//
     // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
 
+    /// @notice Uses CCIP to send accounting data over the bridge to the peer.
+    /// @dev Supports the same native/LINK fee modes as root messages, but never transports token amounts.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
+    /// @param snapshot The accounting snapshot to send to the remote peer.
+    // forge-lint: disable-next-line(mixed-case-function)
+    function _sendAccountingSnapshotOverAMB(
+        uint256 transportPayment,
+        JBAccountingSnapshot memory snapshot
+    )
+        internal
+        virtual
+        override
+    {
+        _sendCcipMessage({
+            transportPayment: transportPayment,
+            gasLimit: _ccipGasLimitFor({sourceContextCount: snapshot.sourceContexts.length}),
+            encodedPayload: abi.encode(_CCIP_MSG_TYPE_ACCOUNTING, abi.encode(snapshot)),
+            tokenAmounts: new Client.EVMTokenAmount[](0)
+        });
+    }
+
+    /// @notice Sends a CCIP message and records failed native-fee refunds as caller credit.
+    /// @param transportPayment The amount of `msg.value` available to pay native CCIP fees.
+    /// @param gasLimit The destination gas limit to ask CCIP to provide.
+    /// @param encodedPayload The typed CCIP payload to send to the peer sucker.
+    /// @param tokenAmounts The token amounts to bridge with the message.
+    function _sendCcipMessage(
+        uint256 transportPayment,
+        uint256 gasLimit,
+        bytes memory encodedPayload,
+        Client.EVMTokenAmount[] memory tokenAmounts
+    )
+        internal
+    {
+        // Cache the caller so refund accounting and LINK fee pulls are charged to the same account.
+        address sender = _msgSender();
+
+        // Determine fee payment mode: native ETH or LINK token.
+        // When transportPayment == 0, we pay in LINK pulled from the caller via transferFrom.
+        // This enables chains with no meaningful native token (e.g. Tempo) while keeping
+        // toRemote permissionless — the caller provides LINK inline with their bridge intent.
+        address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
+
+        // Build and send the CCIP message with the provided typed payload.
+        (bool refundFailed, uint256 refundAmount) = JBCCIPLib.sendCCIPMessage({
+            ccipRouter: CCIP_ROUTER,
+            remoteChainSelector: REMOTE_CHAIN_SELECTOR,
+            peerAddress: _peerAddress(),
+            transportPayment: transportPayment,
+            feeToken: feeToken,
+            feeTokenPayer: feeToken != address(0) ? sender : address(0),
+            gasLimit: gasLimit,
+            encodedPayload: encodedPayload,
+            tokenAmounts: tokenAmounts,
+            refundRecipient: sender
+        });
+
+        // Retain failed refunds as caller credit instead of leaving them project-addable or stranded.
+        if (refundFailed) {
+            _retainTransportPaymentRefund({account: sender, amount: refundAmount});
+            emit TransportPaymentRefundFailed({recipient: sender, amount: refundAmount, caller: sender});
+        }
+    }
+
     /// @notice Uses CCIP to send the root and assets over the bridge to the peer.
     /// @dev Delegates CCIP message construction and sending to JBCCIPLib (via DELEGATECALL) to reduce bytecode.
     /// @dev Supports two fee modes:
@@ -264,8 +342,8 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         virtual
         override
     {
-        // Start with the base gas limit for cross-chain calls.
-        uint256 gasLimit = MESSENGER_BASE_GAS_LIMIT;
+        // Budget for the root receiver plus the accounting contexts carried in the root message.
+        uint256 gasLimit = _ccipGasLimitFor({sourceContextCount: suckerMessage.sourceContexts.length});
         Client.EVMTokenAmount[] memory tokenAmounts;
 
         if (amount != 0) {
@@ -279,38 +357,25 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
             tokenAmounts = new Client.EVMTokenAmount[](0);
         }
 
-        // Determine fee payment mode: native ETH or LINK token.
-        // When transportPayment == 0, we pay in LINK pulled from the caller via transferFrom.
-        // This enables chains with no meaningful native token (e.g. Tempo) while keeping
-        // toRemote permissionless — the caller provides LINK inline with their bridge intent.
-        address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
-
-        // Build and send the CCIP message with the root payload.
-        (bool refundFailed, uint256 refundAmount) = JBCCIPLib.sendCCIPMessage({
-            ccipRouter: CCIP_ROUTER,
-            remoteChainSelector: REMOTE_CHAIN_SELECTOR,
-            peerAddress: _peerAddress(),
+        _sendCcipMessage({
             transportPayment: transportPayment,
-            feeToken: feeToken,
-            feeTokenPayer: feeToken != address(0) ? _msgSender() : address(0),
             gasLimit: gasLimit,
             encodedPayload: abi.encode(_CCIP_MSG_TYPE_ROOT, abi.encode(suckerMessage)),
-            tokenAmounts: tokenAmounts,
-            refundRecipient: _msgSender()
+            tokenAmounts: tokenAmounts
         });
-
-        // Retain failed refunds as caller credit instead of leaving them project-addable or stranded.
-        if (refundFailed) {
-            // Refund accounting is isolated per caller; reentry cannot increase the retained credit.
-            _retainTransportPaymentRefund({account: _msgSender(), amount: refundAmount});
-            emit TransportPaymentRefundFailed({recipient: _msgSender(), amount: refundAmount, caller: _msgSender()});
-        }
     }
 
     //*********************************************************************//
     // ------------------------ internal views --------------------------- //
     //*********************************************************************//
 
+    /// @notice The CCIP destination gas limit for a message carrying `sourceContextCount` accounting contexts.
+    /// @param sourceContextCount The number of source accounting contexts in the message.
+    /// @return gasLimit The destination gas limit to ask CCIP to provide.
+    function _ccipGasLimitFor(uint256 sourceContextCount) internal pure returns (uint256 gasLimit) {
+        return MESSENGER_BASE_GAS_LIMIT + (sourceContextCount * _CCIP_SOURCE_CONTEXT_GAS_LIMIT);
+    }
+
     /// @notice Checks whether the given sender is a remote peer. Unused in this context.
     /// @param sender The address to check.
     /// @return _valid Whether the sender is a remote peer.

package/src/JBOptimismSucker.sol

@@ -14,6 +14,7 @@ import {IJBSuckerRegistry} from "./interfaces/IJBSuckerRegistry.sol";
 import {IJBOptimismSucker} from "./interfaces/IJBOptimismSucker.sol";
 import {IOPMessenger} from "./interfaces/IOPMessenger.sol";
 import {IOPStandardBridge} from "./interfaces/IOPStandardBridge.sol";
+import {JBAccountingSnapshot} from "./structs/JBAccountingSnapshot.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 
@@ -56,7 +57,7 @@ contract JBOptimismSucker is JBSucker, IJBOptimismSucker {
     }
 
     //*********************************************************************//
-    // ------------------------ external views --------------------------- //
+    // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.
@@ -81,6 +82,30 @@ contract JBOptimismSucker is JBSucker, IJBOptimismSucker {
         return sender == address(OPMESSENGER) && _toBytes32(OPMESSENGER.xDomainMessageSender()) == peer();
     }
 
+    /// @notice Uses the OP messenger to send accounting data over the bridge to the peer.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
+    /// @param snapshot The accounting snapshot to send to the remote peer.
+    // forge-lint: disable-next-line(mixed-case-function)
+    function _sendAccountingSnapshotOverAMB(
+        uint256 transportPayment,
+        JBAccountingSnapshot memory snapshot
+    )
+        internal
+        virtual
+        override
+    {
+        // The OP messenger does not expect native transport payment for accounting-only messages.
+        if (transportPayment != 0) {
+            revert JBSucker_UnexpectedMsgValue({value: transportPayment});
+        }
+
+        OPMESSENGER.sendMessage({
+            target: _toAddress(peer()),
+            message: abi.encodeCall(JBSucker.fromRemoteAccounting, (snapshot)),
+            gasLimit: MESSENGER_BASE_GAS_LIMIT
+        });
+    }
+
     /// @notice Use the `OPMESSENGER` to send the outbox tree for the `token` and the corresponding funds to the peer
     /// over the `OPBRIDGE`.
     /// @param transportPayment the amount of `msg.value` that is going to get paid for sending this message.