@bananapus/suckers-v6 0.0.77 → 0.0.79

package/README.md

@@ -22,7 +22,8 @@ The codebase includes multiple bridge variants, but the canonical deployment and
 Suckers bridge a project by tracking claims in append-only Merkle trees:
 
 - users call `prepare` to burn tokens and create a bridge claim in the local outbox tree
-- anyone can relay the current root to the peer chain with `toRemote`
+- anyone can relay the current root to the peer chain with `toRemote`, which also gossips the project's per-source-chain accounting bundle
+- anyone can refresh or retry the accounting gossip bundle with `syncAccountingData`
 - claimants prove inclusion against the peer inbox tree to mint on the destination chain
 
 The base implementation is extended for multiple bridge families so the same project model can work across different networks.
@@ -35,16 +36,17 @@ The main idea is not "bridge the token contract." The main idea is "bridge a Jui
 
 | Contract | Role |
 | --- | --- |
-| `JBSucker` | Base bridge logic for prepare, relay, claim, token mapping, and lifecycle controls. |
+| `JBSucker` | Base bridge logic for prepare, relay, accounting sync, claim, token mapping, and lifecycle controls. |
 | `JBSuckerRegistry` | Registry for per-project sucker deployments, deployer allowlists, and shared bridge fee settings. |
 | Chain-specific suckers | Transport-specific implementations for OP Stack, Arbitrum, CCIP, and related environments. |
 
 ## Mental model
 
-Each sucker pair has two jobs:
+Each sucker pair has three jobs:
 
 1. destroy or lock the local economic position into a claimable message
 2. recreate the remote position from a bridged Merkle root plus transported value
+3. keep a per-source-chain accounting store fresh enough for cross-chain estimates, gossiping every chain's record across the sucker mesh
 
 That means every bridge path has two trust surfaces:
 
@@ -64,7 +66,9 @@ That means every bridge path has two trust surfaces:
 - do not reason about suckers as if they were generic ERC-20 bridges
 - root ordering and message delivery semantics matter as much as proof format
 - token mapping is part of the economic invariant
-- peer contexts are merged only when they share both currency and decimals; same-currency contexts with different decimals are kept separate and valued independently at read time, never summed across precisions
+- peer contexts are merged only when they share both currency and decimals; same-currency contexts with different decimals are kept separate and valued independently at read time, never summed across precisions — and this merge applies per source chain, since each chain's record is stored and folded on its own
+- accounting propagates as a gossip bundle: a sucker sends its own chain's record plus every peer-chain record the project knows (gathered through the registry), so one sync round from a hub propagates every chain's data to every spoke without a direct sucker between each pair
+- `syncAccountingData` pays no registry `toRemoteFee`, but bridge-specific transport costs still apply and duplicate bundles can still consume bridge/indexer resources
 - emergency and deprecation paths are part of normal operational safety
 
 ## Where state lives
@@ -80,6 +84,7 @@ That means every bridge path has two trust surfaces:
 3. `test/ForkClaimMainnet.t.sol`
 4. `test/regression/PeerSnapshotDesync.t.sol`
 5. `test/regression/ToRemoteFeeIrrecoverable.t.sol`
+6. `test/regression/CCIPUntypedMessageRejected.t.sol`
 
 ## Install
 

package/foundry.toml

@@ -3,6 +3,8 @@ solc = '0.8.28'
 bytecode_hash = "none"
 evm_version = 'cancun'
 optimizer_runs = 200
+# The IR pipeline keeps the per-chain accounting suckers (Arbitrum, CCIP) under the EIP-170 runtime size limit.
+via_ir = true
 libs = ["node_modules", "lib"]
 fs_permissions = [{ access = "read-write", path = "./"}]
 # Archived, unused contracts (e.g. JBSwapCCIPSucker) and their tests live under `archive/` folders and are

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/suckers-v6",
-  "version": "0.0.77",
+  "version": "0.0.79",
   "license": "MIT",
   "repository": {
     "type": "git",

package/references/entrypoints.md

@@ -49,6 +49,26 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 | `terminalTokenAmount` | `uint256` | The amount of terminal tokens to claim. |
 | `metadata` | `bytes32` | Opaque, caller-defined payload covered by the leaf hash. `bytes32(0)` when no extra context. |
 
+### `JBAccountingSnapshot` (argument to `fromRemoteAccounting`)
+
+A cross-chain accounting gossip bundle: the sending chain's own record plus every peer-chain record it currently holds.
+
+| Field | Type | Meaning |
+|-------|------|---------|
+| `version` | `uint8` | Message format version. Must match `MESSAGE_VERSION`. |
+| `accounts` | `JBChainAccounting[]` | One accounting record per source chain known to the sender (its own chain plus forwarded peers), each carrying its origin chain id and freshness key. The receiver stores the freshest record per source chain. |
+
+The same `JBChainAccounting[] accounts` bundle is also carried by the root message `JBMessageRoot` (alongside `token`, `amount`, and `remoteRoot`), so a `toRemote` send propagates accounting too.
+
+### `JBChainAccounting` (one source chain's record in a bundle)
+
+| Field | Type | Meaning |
+|-------|------|---------|
+| `chainId` | `uint256` | The source chain this record describes. A receiver ignores a record for its own chain or chain 0. |
+| `totalSupply` | `uint256` | Source-chain project-token supply, including reserved tokens. |
+| `contexts` | `JBSourceContext[]` | Raw source-chain surplus and balance contexts, un-valued (in the source chain's own token addresses and decimals). |
+| `timestamp` | `uint256` | Monotonic source-chain freshness key, gated independently per source chain. |
+
 ## Key functions
 
 ### JBSucker — bridge flow (`IJBSucker`)
@@ -57,6 +77,8 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 |----------|--------------|
 | `prepare(uint256 projectTokenCount, bytes32 beneficiary, uint256 minTokensReclaimed, address token, bytes32 metadata)` | Cash out `projectTokenCount` project tokens into `token` and insert a leaf for `beneficiary` into the outbox tree for bridging. `minTokensReclaimed` bounds slippage; `metadata` is an opaque attribution payload carried in the leaf hash (`bytes32(0)` for a plain bridge). |
 | `toRemote(address token) payable` | Send the current outbox tree root and bridged assets for `token` to the remote peer through the chain-specific transport. `payable` to fund the transport message and the registry's `toRemoteFee`. |
+| `syncAccountingData() payable` | Send the cross-chain accounting gossip bundle — this chain's own record plus every peer-chain record it holds (gathered across the project's suckers via the registry, minus the destination) — without sending an outbox root or paying the registry `toRemoteFee`. Can be retried with unchanged data; `payable` only funds bridge transport. |
+| `fromRemoteAccounting(JBAccountingSnapshot calldata snapshot)` | Authenticated receive path for an accounting-only gossip bundle. Stores the freshest record per source chain, without touching any token-local inbox root. |
 | `claim(JBClaim calldata claimData)` | Claim bridged project tokens for the leaf's beneficiary by proving inclusion against the inbox root. |
 | `claim(JBClaim[] calldata claims)` | Claim multiple leaves in one call. Each leaf is routed through an external `this.claim` sub-call, so one failing leaf emits `ClaimFailed` and is reverted in isolation while the rest of the batch proceeds; the failed leaf stays claimable later. |
 | `mapToken(JBTokenMapping calldata map) payable` | Map a single local token to a remote token for bridging. Mappings are immutable once the outbox tree has entries (can only be disabled, not remapped). Requires `MAP_SUCKER_TOKEN` permission (initial mappings are applied at deploy under `DEPLOY_SUCKERS`). |
@@ -86,8 +108,12 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 | `outboxOf(address token)` | The outbox merkle tree (`JBOutboxTree`) for a token. |
 | `amountToAddToBalanceOf(address token)` | Tokens received from bridging that are waiting to be added to the project's terminal balance. |
 | `executedLeafHashOf(address token, uint256 index)` | The committed leaf hash at `(token, index)`, or `bytes32(0)` if unexecuted. Beneficiary contracts re-derive this to authenticate a settlement that a front-runner's direct `claim` already executed. |
-| `peerChainTotalSupply()` | The last-known peer-chain total token supply (used by data hooks to compute effective cross-chain supply). |
-| `peerChainContextsOf()` | Per-context raw surplus and balance from the latest peer snapshot, with chain ID and freshness key. Un-valued (each context in its own currency/decimals). |
+| `peerChainIds(bool includeVirtual)` | The peer chains this sucker reports accounting for: its directly-connected peer, plus — when `includeVirtual` is true — every chain learned about through gossip. The registry aggregates the `includeVirtual: true` set. |
+| `peerChainAccountsOf()` | The raw, un-valued `JBChainAccounting[]` record this sucker holds for every known peer chain. The registry reads this to gather a project's cross-chain knowledge and re-gossip it. |
+| `peerChainContextsOf(uint256 chainId)` | Per-context surplus and balance for one peer chain, resolved to local currencies and folded at read time. Un-valued; returned with the chain's freshness key. |
+| `peerChainTotalSupplyOf(uint256 chainId)` | The last-known total token supply on one peer chain (the registry sums these to compute effective cross-chain supply). |
+| `peerChainTotalSupplyValue(uint256 chainId)` | One peer chain's total supply bundled with its chain id and freshness key (`JBPeerChainValue`). |
+| `snapshotTimestampOf(uint256 chainId)` | The freshness key of the latest accepted record for one peer chain. |
 | `retainedToRemoteFeeOf(address account)` | ETH owed to `account` from a failed `toRemote` fee payment. |
 | `retainedTransportPaymentRefundOf(address account)` | ETH owed to `account` from a failed transport-payment refund. |
 
@@ -105,7 +131,8 @@ A sucker bridges a Juicebox project's token economy between two chains. Cashed-o
 | `suckerPairsOf(uint256 projectId)` | The local/remote sucker pairs (`JBSuckersPair[]`) for a project. |
 | `isSuckerOf(uint256 projectId, address addr)` | Whether `addr` is a registry-deployed sucker for the project. |
 | `suckerDeployerIsAllowed(address deployer)` | Whether a deployer is on the allowlist. |
-| `remoteTotalSupplyOf(uint256 projectId)` | Combined peer-chain total supply across all remote chains (dedups same-peer suckers by freshest snapshot). |
-| `totalRemoteSurplusOf(uint256 projectId, uint256 currency, uint256 decimals)` | Combined peer-chain surplus valued into `currency`. Matching-currency contexts taken at par; missing cross-currency feed skips that sucker (conservative). |
+| `peerChainAccountsOf(uint256 projectId, uint256 exceptChainId)` | The freshest accounting record per source chain across all of a project's suckers, deduped and minus `exceptChainId` — the peer set a sucker forwards when re-gossiping. |
+| `remoteTotalSupplyOf(uint256 projectId)` | Combined peer-chain total supply across all remote chains (aggregates every (sucker, chain) pair, deduped per source chain by freshest record). |
+| `totalRemoteSurplusOf(uint256 projectId, uint256 currency, uint256 decimals)` | Combined peer-chain surplus valued into `currency`. Matching-currency contexts taken at par; a missing cross-currency feed skips that (sucker, chain) (conservative). |
 | `totalRemoteBalanceOf(uint256 projectId, uint256 currency, uint256 decimals)` | Combined peer-chain balance valued into `currency`, same valuation rules as above. |
 | `toRemoteFee()` / `MAX_TO_REMOTE_FEE()` | The current `toRemote` fee and its hardcoded ceiling. |

package/references/operations.md

@@ -12,7 +12,7 @@
 - If you edit token mapping logic, re-check the registry and deployer assumptions that feed it.
 - If you edit token mapping semantics, verify that remapping is still impossible once outbox activity has made economic equivalence depend on permanence.
 - If you edit deprecation or emergency paths, verify the intended operator workflow still works end to end.
-- If you edit snapshot or claim-boundary logic, verify `numberOfClaimsSent`, peer snapshots, and emergency exit behavior together.
+- If you edit snapshot or claim-boundary logic, verify `numberOfClaimsSent`, peer snapshots, `syncAccountingData`, and emergency exit behavior together.
 - If you touch bridge-specific code, confirm whether the real bug is transport-side or shared accounting-side.
 
 ## Common failure modes

package/references/runtime.md

@@ -11,8 +11,9 @@
 
 1. Local state is prepared into a claimable Merkle leaf.
 2. A root is relayed to the peer chain through the bridge-specific transport.
-3. The remote side records the root in its inbox state.
-4. Claimants prove inclusion and recreate their position on the destination chain.
+3. The remote side records the root in its inbox state and stores the latest peer accounting snapshot.
+4. Accounting-only snapshots can also be relayed or retried with `syncAccountingData` without sending a new root.
+5. Claimants prove inclusion and recreate their position on the destination chain.
 
 ## High-risk areas
 
@@ -21,10 +22,11 @@
 - Emergency and deprecation paths: these are operational safety surfaces that must remain reliable.
 - Shared accounting vs transport logic: many incidents stem from confusing these layers.
 - Peer snapshots and `numberOfClaimsSent`: these guard against double-spend at the cost of conservative locking when timing goes wrong.
+- Accounting-only messages: these must never mutate token-local inbox roots or claimable value.
 
 ## Tests to trust first
 
 - [`test/ForkMainnet.t.sol`](../test/ForkMainnet.t.sol), [`test/ForkArbitrum.t.sol`](../test/ForkArbitrum.t.sol), [`test/ForkCelo.t.sol`](../test/ForkCelo.t.sol), and [`test/ForkOPStack.t.sol`](../test/ForkOPStack.t.sol) for real transport assumptions.
 - [`test/ForkSwap.t.sol`](../test/ForkSwap.t.sol), [`test/ForkClaimMainnet.t.sol`](../test/ForkClaimMainnet.t.sol), and [`test/SuckerRegressions.t.sol`](../test/SuckerRegressions.t.sol) for pinned cross-chain edge cases.
 - [`test/unit/invariants.t.sol`](../test/unit/invariants.t.sol), [`test/unit/peer_chain_state.t.sol`](../test/unit/peer_chain_state.t.sol), and [`test/unit/registry.t.sol`](../test/unit/registry.t.sol) for shared-accounting invariants.
-- [`test/SuckerAttacks.t.sol`](../test/SuckerAttacks.t.sol), [`test/SuckerDeepAttacks.t.sol`](../test/SuckerDeepAttacks.t.sol), [`test/regression/PeerSnapshotDesync.t.sol`](../test/regression/PeerSnapshotDesync.t.sol), and [`test/regression/PeerDeterminism.t.sol`](../test/regression/PeerDeterminism.t.sol) when the bug could involve base logic, registry behavior, or a specific bridge implementation.
+- [`test/SuckerAttacks.t.sol`](../test/SuckerAttacks.t.sol), [`test/SuckerDeepAttacks.t.sol`](../test/SuckerDeepAttacks.t.sol), [`test/regression/PeerSnapshotDesync.t.sol`](../test/regression/PeerSnapshotDesync.t.sol), [`test/regression/CCIPUntypedMessageRejected.t.sol`](../test/regression/CCIPUntypedMessageRejected.t.sol), and [`test/regression/PeerDeterminism.t.sol`](../test/regression/PeerDeterminism.t.sol) when the bug could involve base logic, registry behavior, or a specific bridge implementation.

package/src/JBArbitrumSucker.sol

@@ -23,6 +23,7 @@ import {IArbL2GatewayRouter} from "./interfaces/IArbL2GatewayRouter.sol";
 import {IL1ArbitrumGateway} from "./interfaces/IL1ArbitrumGateway.sol";
 import {IJBArbitrumSucker} from "./interfaces/IJBArbitrumSucker.sol";
 import {ARBChains} from "./libraries/ARBChains.sol";
+import {JBAccountingSnapshot} from "./structs/JBAccountingSnapshot.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 
@@ -75,7 +76,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     }
 
     //*********************************************************************//
-    // ------------------------ external views --------------------------- //
+    // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.
@@ -90,37 +91,34 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     }
 
     //*********************************************************************//
-    // ------------------------ internal views --------------------------- //
+    // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
 
-    /// @notice Checks if the `sender` (`_msgSender()`) is a valid representative of the remote peer.
-    /// @param sender The message's sender.
-    /// @return valid A flag if the sender is a valid representative of the remote peer.
-    function _isRemotePeer(address sender) internal view override returns (bool) {
-        // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
-        address peerAddress = _peerAddress();
-
-        // If we are the L1 peer,
-        if (LAYER == JBLayer.L1) {
-            IBridge bridge = ARBINBOX.bridge();
-            // Check that the sender is the bridge and that the outbox has our peer as the sender.
-            return sender == address(bridge) && peerAddress == IOutbox(bridge.activeOutbox()).l2ToL1Sender();
-        }
-
-        // If we are the L2 peer, check using the `AddressAliasHelper`.
-        return sender == AddressAliasHelper.applyL1ToL2Alias(peerAddress);
+    /// @notice Approves the Arbitrum gateway to spend `amount` of `approvalToken`.
+    /// @param approvalToken The ERC-20 token to approve.
+    /// @param gatewayLookupToken The token key used by the gateway router to resolve the spender.
+    /// @param amount The amount to approve.
+    /// @return gateway The gateway that was approved.
+    function _approveGateway(
+        address approvalToken,
+        address gatewayLookupToken,
+        uint256 amount
+    )
+        internal
+        returns (address gateway)
+    {
+        gateway = GATEWAYROUTER.getGateway(gatewayLookupToken);
+        SafeERC20.forceApprove({token: IERC20(approvalToken), spender: gateway, value: amount});
     }
 
-    //*********************************************************************//
-    // --------------------- internal transactions ----------------------- //
-    //*********************************************************************//
-
     /// @notice Helper to create the retryable ticket, avoiding stack-too-deep.
+    /// @param gasLimit The destination L2 gas to provision, scaled to the message's gossip bundle.
     function _createRetryableTicket(
         uint256 callTransportCost,
         uint256 nativeValue,
         uint256 maxSubmissionCost,
         uint256 maxFeePerGas,
+        uint256 gasLimit,
         bytes memory data
     )
         internal
@@ -132,19 +130,44 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             maxSubmissionCost: maxSubmissionCost,
             excessFeeRefundAddress: _msgSender(),
             callValueRefundAddress: peerAddress,
-            gasLimit: MESSENGER_BASE_GAS_LIMIT,
+            gasLimit: gasLimit,
             maxFeePerGas: maxFeePerGas,
             data: data
         });
     }
 
-    /// @notice Approves the Arbitrum gateway to spend `amount` of `token`.
-    /// @param token The ERC-20 token to approve.
-    /// @param amount The amount to approve.
-    /// @return gateway The gateway that was approved.
-    function _approveGateway(address token, uint256 amount) internal returns (address gateway) {
-        gateway = GATEWAYROUTER.getGateway(token);
-        SafeERC20.forceApprove({token: IERC20(token), spender: gateway, value: amount});
+    /// @notice Uses the L1/L2 message bridge to send accounting data over the bridge to the peer.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
+    /// @param snapshot The accounting snapshot to send to the remote peer.
+    // forge-lint: disable-next-line(mixed-case-function)
+    function _sendAccountingSnapshotOverAMB(
+        uint256 transportPayment,
+        JBAccountingSnapshot memory snapshot
+    )
+        internal
+        override
+    {
+        // Build the calldata that will be sent to the peer. This calls `JBSucker.fromRemoteAccounting` remotely.
+        bytes memory data = abi.encodeCall(JBSucker.fromRemoteAccounting, (snapshot));
+        JBRemoteToken memory remoteToken;
+
+        // Depending on which layer we are on, send the call to the other layer.
+        if (LAYER == JBLayer.L1) {
+            // L1→L2 requires transport payment for retryable tickets.
+            if (transportPayment == 0) revert JBSucker_ExpectedMsgValue({msgValue: transportPayment});
+            _toL2({
+                token: JBConstants.NATIVE_TOKEN,
+                transportPayment: transportPayment,
+                amount: 0,
+                data: data,
+                remoteToken: remoteToken,
+                gasLimit: _messagingGasLimit({accounts: snapshot.accounts})
+            });
+        } else {
+            // L2→L1 via ArbSys is free — reject any transport payment.
+            if (transportPayment != 0) revert JBSucker_UnexpectedMsgValue(transportPayment);
+            _toL1({token: JBConstants.NATIVE_TOKEN, amount: 0, data: data, remoteToken: remoteToken});
+        }
     }
 
     /// @notice Uses the L1/L2 gateway to send the root and assets over the bridge to the peer.
@@ -171,7 +194,12 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             // L1→L2 requires transport payment for retryable tickets.
             if (transportPayment == 0) revert JBSucker_ExpectedMsgValue({msgValue: transportPayment});
             _toL2({
-                token: token, transportPayment: transportPayment, amount: amount, data: data, remoteToken: remoteToken
+                token: token,
+                transportPayment: transportPayment,
+                amount: amount,
+                data: data,
+                remoteToken: remoteToken,
+                gasLimit: _messagingGasLimit({accounts: message.accounts})
             });
         } else {
             // L2→L1 via ArbSys is free — reject any transport payment.
@@ -202,7 +230,9 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
         // If the token is an ERC-20, bridge it to the peer.
         // If the amount is `0` then we do not need to bridge any ERC20.
         if (token != JBConstants.NATIVE_TOKEN && amount != 0) {
-            address gateway = _approveGateway({token: token, amount: amount});
+            address gateway = _approveGateway({
+                approvalToken: token, gatewayLookupToken: _toAddress(remoteToken.addr), amount: amount
+            });
 
             // Convert bytes32 types to address at the Arbitrum bridge API boundary.
             IArbL2GatewayRouter(address(GATEWAYROUTER))
@@ -233,12 +263,14 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
     /// @param token The token to bridge.
     /// @param amount The amount of tokens to bridge.
     /// @param data The calldata to send to the remote chain. This calls `JBSucker.fromRemote` on the remote peer.
+    /// @param gasLimit The destination L2 gas to provision, scaled to the message's gossip bundle.
     function _toL2(
         address token,
         uint256 transportPayment,
         uint256 amount,
         bytes memory data,
-        JBRemoteToken memory remoteToken
+        JBRemoteToken memory remoteToken,
+        uint256 gasLimit
     )
         internal
     {
@@ -251,8 +283,9 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             maxSubmissionCost =
                 ARBINBOX.calculateRetryableSubmissionFee({dataLength: data.length, baseFee: maxFeePerGas});
 
-            // Tracks the cost for the call to the remote peer.
-            callTransportCost = maxSubmissionCost + (MESSENGER_BASE_GAS_LIMIT * maxFeePerGas);
+            // Tracks the cost for the call to the remote peer. Scaled to the bundle so a larger mesh's accounting
+            // store does not run out of gas on the destination.
+            callTransportCost = maxSubmissionCost + (gasLimit * maxFeePerGas);
         }
 
         // If the token is an ERC-20, bridge it to the peer.
@@ -291,7 +324,7 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             }
 
             // Approve the tokens to be bridged.
-            _approveGateway({token: token, amount: amount});
+            _approveGateway({approvalToken: token, gatewayLookupToken: token, amount: amount});
 
             // Perform the ERC-20 bridge transfer. Convert bytes32 peer to address at the Arbitrum bridge API boundary.
             IArbL1GatewayRouter(address(GATEWAYROUTER)).outboundTransferCustomRefund{value: tokenTransportCost}({
@@ -329,7 +362,30 @@ contract JBArbitrumSucker is JBSucker, IJBArbitrumSucker {
             nativeValue: nativeValue,
             maxSubmissionCost: maxSubmissionCost,
             maxFeePerGas: maxFeePerGas,
+            gasLimit: gasLimit,
             data: data
         });
     }
+
+    //*********************************************************************//
+    // ------------------------ internal views --------------------------- //
+    //*********************************************************************//
+
+    /// @notice Checks if the `sender` (`_msgSender()`) is a valid representative of the remote peer.
+    /// @param sender The message's sender.
+    /// @return valid A flag if the sender is a valid representative of the remote peer.
+    function _isRemotePeer(address sender) internal view override returns (bool) {
+        // Convert the bytes32 peer to an address for comparison with EVM bridge contracts.
+        address peerAddress = _peerAddress();
+
+        // If we are the L1 peer,
+        if (LAYER == JBLayer.L1) {
+            IBridge bridge = ARBINBOX.bridge();
+            // Check that the sender is the bridge and that the outbox has our peer as the sender.
+            return sender == address(bridge) && peerAddress == IOutbox(bridge.activeOutbox()).l2ToL1Sender();
+        }
+
+        // If we are the L2 peer, check using the `AddressAliasHelper`.
+        return sender == AddressAliasHelper.applyL1ToL2Alias(peerAddress);
+    }
 }

package/src/JBBaseSucker.sol

@@ -32,7 +32,7 @@ contract JBBaseSucker is JBOptimismSucker {
     {}
 
     //*********************************************************************//
-    // ------------------------ external views --------------------------- //
+    // ------------------------- public views ---------------------------- //
     //*********************************************************************//
 
     /// @notice Returns the chain on which the peer is located.

package/src/JBCCIPSucker.sol

@@ -24,6 +24,8 @@ import {CCIPHelper} from "./libraries/CCIPHelper.sol";
 import {JBCCIPLib} from "./libraries/JBCCIPLib.sol";
 
 // Local: structs (alphabetized)
+import {JBAccountingSnapshot} from "./structs/JBAccountingSnapshot.sol";
+import {JBChainAccounting} from "./structs/JBChainAccounting.sol";
 import {JBMessageRoot} from "./structs/JBMessageRoot.sol";
 import {JBRemoteToken} from "./structs/JBRemoteToken.sol";
 import {JBTokenMapping} from "./structs/JBTokenMapping.sol";
@@ -70,6 +72,9 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
     // ----------------------- internal constants ------------------------ //
     //*********************************************************************//
 
+    /// @notice Message type prefix for accounting-only messages (fromRemoteAccounting).
+    uint8 internal constant _CCIP_MSG_TYPE_ACCOUNTING = 1;
+
     /// @notice Message type prefix for root messages (fromRemote).
     uint8 internal constant _CCIP_MSG_TYPE_ROOT = 0;
 
@@ -121,39 +126,6 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         if (address(CCIP_ROUTER) == address(0)) revert JBCCIPSucker_InvalidRouter(address(CCIP_ROUTER));
     }
 
-    //*********************************************************************//
-    // ------------------------ external views --------------------------- //
-    //*********************************************************************//
-
-    /// @notice Returns the chain on which the peer is located.
-    /// @return chainId The chain ID of the peer.
-    function peerChainId() public view virtual override returns (uint256 chainId) {
-        return REMOTE_CHAIN_ID;
-    }
-
-    //*********************************************************************//
-    // ------------------------- public views ---------------------------- //
-    //*********************************************************************//
-
-    /// @notice Returns the address of the current CCIP router.
-    /// @return router The CCIP router address.
-    function getRouter() public view returns (address router) {
-        return address(CCIP_ROUTER);
-    }
-
-    /// @notice Checks whether this contract supports a given interface.
-    /// @param interfaceId The interface ID to check.
-    /// @return supported Whether the interface is supported.
-    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver.
-    /// This allows CCIP to check if ccipReceive is available before calling it.
-    /// If this returns false or reverts, only tokens are transferred to the receiver.
-    /// If this returns true, tokens are transferred and ccipReceive is called atomically.
-    /// Additionally, if the receiver address does not have code associated with
-    /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
-    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool supported) {
-        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
-    }
-
     //*********************************************************************//
     // --------------------- external transactions ----------------------- //
     //*********************************************************************//
@@ -180,7 +152,7 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         }
 
         // Discriminate message type: abi.encode(uint8 type, bytes payload).
-        (uint8 messageType, bytes memory payload) = JBCCIPLib.decodeTypedMessage(any2EvmMessage.data);
+        (uint8 messageType, bytes memory payload) = abi.decode(any2EvmMessage.data, (uint8, bytes));
 
         // Handle root messages (merkle tree updates with bridged assets).
         if (messageType == _CCIP_MSG_TYPE_ROOT) {
@@ -231,15 +203,119 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
 
             // Forward the root message to this contract's fromRemote handler.
             this.fromRemote(root);
+        } else if (messageType == _CCIP_MSG_TYPE_ACCOUNTING) {
+            // Accounting-only messages must not carry tokens; transported value belongs exclusively to root messages.
+            uint256 deliveryCount = any2EvmMessage.destTokenAmounts.length;
+            if (deliveryCount != 0) {
+                revert JBCCIPSucker_UnexpectedDeliveredTokens(deliveryCount);
+            }
+
+            JBAccountingSnapshot memory snapshot = abi.decode(payload, (JBAccountingSnapshot));
+
+            // Forward the accounting message to this contract's authenticated accounting handler.
+            this.fromRemoteAccounting(snapshot);
         } else {
             revert JBCCIPSucker_UnknownMessageType({messageType: messageType});
         }
     }
 
+    //*********************************************************************//
+    // ------------------------- public views ---------------------------- //
+    //*********************************************************************//
+
+    /// @notice Returns the address of the current CCIP router.
+    /// @return router The CCIP router address.
+    function getRouter() public view returns (address router) {
+        return address(CCIP_ROUTER);
+    }
+
+    /// @notice Returns the chain on which the peer is located.
+    /// @return chainId The chain ID of the peer.
+    function peerChainId() public view virtual override returns (uint256 chainId) {
+        return REMOTE_CHAIN_ID;
+    }
+
+    /// @notice Checks whether this contract supports a given interface.
+    /// @param interfaceId The interface ID to check.
+    /// @return supported Whether the interface is supported.
+    /// @dev Should indicate whether the contract implements IAny2EVMMessageReceiver.
+    /// This allows CCIP to check if ccipReceive is available before calling it.
+    /// If this returns false or reverts, only tokens are transferred to the receiver.
+    /// If this returns true, tokens are transferred and ccipReceive is called atomically.
+    /// Additionally, if the receiver address does not have code associated with
+    /// it at the time of execution (EXTCODESIZE returns 0), only tokens will be transferred.
+    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool supported) {
+        return interfaceId == type(IAny2EVMMessageReceiver).interfaceId || super.supportsInterface(interfaceId);
+    }
+
     //*********************************************************************//
     // --------------------- internal transactions ----------------------- //
     //*********************************************************************//
 
+    /// @notice Uses CCIP to send accounting data over the bridge to the peer.
+    /// @dev Supports the same native/LINK fee modes as root messages, but never transports token amounts.
+    /// @param transportPayment The amount of `msg.value` that is going to get paid for sending this message.
+    /// @param snapshot The accounting snapshot to send to the remote peer.
+    // forge-lint: disable-next-line(mixed-case-function)
+    function _sendAccountingSnapshotOverAMB(
+        uint256 transportPayment,
+        JBAccountingSnapshot memory snapshot
+    )
+        internal
+        virtual
+        override
+    {
+        _sendCcipMessage({
+            transportPayment: transportPayment,
+            gasLimit: _messagingGasLimit({accounts: snapshot.accounts}),
+            encodedPayload: abi.encode(_CCIP_MSG_TYPE_ACCOUNTING, abi.encode(snapshot)),
+            tokenAmounts: new Client.EVMTokenAmount[](0)
+        });
+    }
+
+    /// @notice Sends a CCIP message and records failed native-fee refunds as caller credit.
+    /// @param transportPayment The amount of `msg.value` available to pay native CCIP fees.
+    /// @param gasLimit The destination gas limit to ask CCIP to provide.
+    /// @param encodedPayload The typed CCIP payload to send to the peer sucker.
+    /// @param tokenAmounts The token amounts to bridge with the message.
+    function _sendCcipMessage(
+        uint256 transportPayment,
+        uint256 gasLimit,
+        bytes memory encodedPayload,
+        Client.EVMTokenAmount[] memory tokenAmounts
+    )
+        internal
+    {
+        // Cache the caller so refund accounting and LINK fee pulls are charged to the same account.
+        address sender = _msgSender();
+
+        // Determine fee payment mode: native ETH or LINK token.
+        // When transportPayment == 0, we pay in LINK pulled from the caller via transferFrom.
+        // This enables chains with no meaningful native token (e.g. Tempo) while keeping
+        // toRemote permissionless — the caller provides LINK inline with their bridge intent.
+        address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
+
+        // Build and send the CCIP message with the provided typed payload.
+        (bool refundFailed, uint256 refundAmount) = JBCCIPLib.sendCCIPMessage({
+            ccipRouter: CCIP_ROUTER,
+            remoteChainSelector: REMOTE_CHAIN_SELECTOR,
+            peerAddress: _peerAddress(),
+            transportPayment: transportPayment,
+            feeToken: feeToken,
+            feeTokenPayer: feeToken != address(0) ? sender : address(0),
+            gasLimit: gasLimit,
+            encodedPayload: encodedPayload,
+            tokenAmounts: tokenAmounts,
+            refundRecipient: sender
+        });
+
+        // Retain failed refunds as caller credit instead of leaving them project-addable or stranded.
+        if (refundFailed) {
+            _retainTransportPaymentRefund({account: sender, amount: refundAmount});
+            emit TransportPaymentRefundFailed({recipient: sender, amount: refundAmount, caller: sender});
+        }
+    }
+
     /// @notice Uses CCIP to send the root and assets over the bridge to the peer.
     /// @dev Delegates CCIP message construction and sending to JBCCIPLib (via DELEGATECALL) to reduce bytecode.
     /// @dev Supports two fee modes:
@@ -264,8 +340,8 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
         virtual
         override
     {
-        // Start with the base gas limit for cross-chain calls.
-        uint256 gasLimit = MESSENGER_BASE_GAS_LIMIT;
+        // Budget for the root receiver plus the accounting contexts carried in the root message.
+        uint256 gasLimit = _messagingGasLimit({accounts: suckerMessage.accounts});
         Client.EVMTokenAmount[] memory tokenAmounts;
 
         if (amount != 0) {
@@ -279,32 +355,12 @@ contract JBCCIPSucker is JBSucker, IAny2EVMMessageReceiver {
             tokenAmounts = new Client.EVMTokenAmount[](0);
         }
 
-        // Determine fee payment mode: native ETH or LINK token.
-        // When transportPayment == 0, we pay in LINK pulled from the caller via transferFrom.
-        // This enables chains with no meaningful native token (e.g. Tempo) while keeping
-        // toRemote permissionless — the caller provides LINK inline with their bridge intent.
-        address feeToken = transportPayment == 0 ? CCIPHelper.linkOfChain(block.chainid) : address(0);
-
-        // Build and send the CCIP message with the root payload.
-        (bool refundFailed, uint256 refundAmount) = JBCCIPLib.sendCCIPMessage({
-            ccipRouter: CCIP_ROUTER,
-            remoteChainSelector: REMOTE_CHAIN_SELECTOR,
-            peerAddress: _peerAddress(),
+        _sendCcipMessage({
             transportPayment: transportPayment,
-            feeToken: feeToken,
-            feeTokenPayer: feeToken != address(0) ? _msgSender() : address(0),
             gasLimit: gasLimit,
             encodedPayload: abi.encode(_CCIP_MSG_TYPE_ROOT, abi.encode(suckerMessage)),
-            tokenAmounts: tokenAmounts,
-            refundRecipient: _msgSender()
+            tokenAmounts: tokenAmounts
         });
-
-        // Retain failed refunds as caller credit instead of leaving them project-addable or stranded.
-        if (refundFailed) {
-            // Refund accounting is isolated per caller; reentry cannot increase the retained credit.
-            _retainTransportPaymentRefund({account: _msgSender(), amount: refundAmount});
-            emit TransportPaymentRefundFailed({recipient: _msgSender(), amount: refundAmount, caller: _msgSender()});
-        }
     }
 
     //*********************************************************************//