feat(blockchain): cross-chain ADR-015 deposit reference #4
Merged
SubmitDeposit now takes a DepositDestination{Account, Ref}: the opaque
ADR-015 sub-account reference travels alongside the account as side-data,
never interpreted on-chain, so deposits are filterable per (account, ref).
- EVM / SOL emit it in the deposit call / instruction; the Solana program
artifact + binding are refreshed to the reference-carrying
deposit_sol/deposit_spl.
- XRPL moves from a DestinationTag to a ynet-account memo (20-byte account
followed by the 32-byte reference), matching the observe-side decoder.
- BTC has no side-data channel on a plain send — the account is encoded in
the per-account deposit address — so a non-zero reference is rejected.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
RotationFinalizer.Validate checked that every input present in the packed sweep was a valid, confirmed vault UTXO, but never checked that the sweep spent ALL currently-owned UTXOs. A sweep that silently omitted some inputs would still pass, and once the rotation pivot lands the old vault is abandoned — any unswept UTXO is stranded there with no path to move it under the new signer set.
Add a completeness check: re-list the owned UTXO set at the configured confirmation depth and require exact set-equality with the tx inputs, erroring on a count mismatch or any omitted owned UTXO. Reuses the current-vault finalizer already built for input summation.
Adds TestRotationValidateRejectsPartialSweep: a full sweep validates, a sweep with one input dropped is rejected naming the omitted UTXO.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
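An added example of the completeness rule described in the commit above, not code from this PR: exact set-equality between the owned UTXO set and the sweep inputs, with the omitted UTXO named in the error. `OutPoint`, `ErrSweepMismatch` and `validateSweepComplete` are hypothetical names; the caller is assumed to have re-listed the owned set at the required confirmation depth.

```go
package main

import (
	"errors"
	"fmt"
)

// OutPoint identifies one UTXO. Hypothetical type for this example.
type OutPoint struct {
	TxID string
	Vout uint32
}

var ErrSweepMismatch = errors.New("rotation sweep inputs do not equal the owned UTXO set")

// validateSweepComplete enforces exact set-equality between the UTXOs the
// vault owns (re-listed at the required confirmation depth by the caller)
// and the inputs of the packed sweep transaction.
func validateSweepComplete(owned, inputs []OutPoint) error {
	ownedSet := make(map[OutPoint]struct{}, len(owned))
	for _, o := range owned {
		ownedSet[o] = struct{}{}
	}
	spent := make(map[OutPoint]struct{}, len(inputs))
	for _, in := range inputs {
		if _, dup := spent[in]; dup {
			return fmt.Errorf("%w: input %s:%d appears twice", ErrSweepMismatch, in.TxID, in.Vout)
		}
		if _, ok := ownedSet[in]; !ok {
			return fmt.Errorf("%w: input %s:%d is not an owned UTXO", ErrSweepMismatch, in.TxID, in.Vout)
		}
		spent[in] = struct{}{}
	}
	// Walk the owned slice (not the map) so the UTXO named in the error is deterministic.
	for _, o := range owned {
		if _, ok := spent[o]; !ok {
			return fmt.Errorf("%w: omitted %s:%d (%d inputs, %d owned)",
				ErrSweepMismatch, o.TxID, o.Vout, len(spent), len(ownedSet))
		}
	}
	return nil
}

func main() {
	owned := []OutPoint{{"aa", 0}, {"bb", 1}, {"cc", 0}} // constructed sample set
	fmt.Println(validateSweepComplete(owned, owned))     // full sweep passes
	fmt.Println(validateSweepComplete(owned, owned[:2])) // partial sweep names cc:0
}
```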
RotationFinalizer.Submit relied on the contract binding's implicit gas auto-estimation for the updateSigners call. updateSigners takes dynamic-array arguments (address[], uint256, bytes[]), and the binding's built-in estimate trips a known go-ethereum gotcha on dynamic args that returns a too-low gas limit (or an estimation error outright), so the rotation transaction can revert out-of-gas — a liveness failure on the signer-rotation path.
Estimate gas explicitly, mirroring the withdrawal path: pack the updateSigners calldata, run a single eth_estimateGas against it, and set opts.GasLimit to the result padded by the configured multiplier. Called after applyFees and before the binding call. A comment documents the dynamic-array gotcha so the explicit estimate is not removed later.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SelectUTXOs gains a maxInputs bound (Config.MaxInputsPerWithdrawal); when covering a withdrawal would exceed it, the vault is too fragmented for a standard-size tx, signalled by the new ErrTooFragmented.
ConsolidationFinalizer folds a bounded batch of the vault's smallest UTXOs back into one base-vault output (Pack/Validate/Sign/Submit), shrinking the count so withdrawals keep fitting. It is partial by design (same vault, no pivot), so unlike the rotation sweep it carries no completeness rule; Sign/Submit reuse the current-vault machinery.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
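An added example, not code from this PR, of how an input bound and consolidation interact as the commit above describes: a fragmented vault fails selection with a too-fragmented error, and folding its smallest UTXOs into one output makes the same withdrawal fit. The largest-first strategy, the `UTXO` type, `ErrInsufficient` and the lowercase function names are assumptions; fees are ignored.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

type UTXO struct{ ID string; Value uint64 } // hypothetical; fees and dust ignored
var ErrTooFragmented = errors.New("vault too fragmented for a standard-size tx")
var ErrInsufficient = errors.New("vault balance below withdrawal amount")

func byValue(vault []UTXO) []UTXO { // sorted copy, smallest first
	s := append([]UTXO(nil), vault...)
	sort.SliceStable(s, func(i, j int) bool { return s[i].Value < s[j].Value })
	return s
}

// selectUTXOs spends largest-first (fewest inputs possible), bounded by maxInputs.
func selectUTXOs(vault []UTXO, target uint64, maxInputs int) ([]UTXO, error) {
	s, sum := byValue(vault), uint64(0)
	for n := 1; n <= len(s); n++ {
		if sum += s[len(s)-n].Value; sum >= target {
			if n > maxInputs {
				return nil, ErrTooFragmented // covered, but only with too many inputs
			}
			return s[len(s)-n:], nil
		}
	}
	return nil, ErrInsufficient // whole vault cannot cover the target
}

// consolidate folds the n smallest UTXOs into one output kept in the same vault.
func consolidate(vault []UTXO, n int) []UTXO {
	s := byValue(vault)
	if n < 2 || n > len(s) {
		return s // nothing to fold
	}
	merged := UTXO{ID: "consolidated"}
	for _, u := range s[:n] {
		merged.Value += u.Value
	}
	return append([]UTXO{merged}, s[n:]...)
}

func main() {
	vault := []UTXO{{"a", 10}, {"b", 10}, {"c", 10}, {"d", 10}, {"e", 10}, {"f", 50}} // constructed
	fmt.Println(selectUTXOs(vault, 80, 3))                 // too fragmented: needs 4 inputs
	fmt.Println(selectUTXOs(consolidate(vault, 4), 80, 3)) // fits in 2 inputs afterwards
}
```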
Pack autofills the multi-sign fee from the construction-time threshold, so a quorum-raising rotation underpays once the SignerQuorum grows. Add an optional ThresholdResolver hook (SetThresholdResolver) the withdrawal and rotation finalizers consult for the live SignerQuorum; unset keeps the static threshold.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Adds an opaque sub-account reference to the deposit API across all chains, building on the EVM binding from #2.
API
VaultDepositor.SubmitDeposit now takes a core.DepositDestination:

The reference is side-data — never interpreted on-chain — so deposits are filterable per (Account, Ref). An observer folds it into the account URI; the submit side just carries it.

Per-chain
- deposit(account, asset, amount, reference).
- .so) + binding refreshed to the reference-carrying deposit_sol/deposit_spl(account, reference, amount); depositor forwards Ref.
- DestinationTag to a ynet-account memo (20-byte account || 32-byte reference), matching the observe-side decoder. New accountMemo + unit test.
- Ref is rejected.

Scope / breaking
SubmitDeposit's signature changes (pre-1.0). VerifyDeposit unchanged. Tag as v0.1.2 after merge.

Verification
go generate, go build/vet (incl. -tags=integration), go test -count=1 ./... — all green. SOL program id unchanged (98eVpih…); integration deposit flows updated to DepositDestination.

🤖 Generated with Claude Code
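An added example, not code from this PR, of the memo layout the description gives (20-byte account followed by the 32-byte reference) with a strict-length decoder, plus the reject-non-zero-reference rule for a chain with no side-data channel. The fixed-size array types and the names `encodeMemo`, `decodeMemo` and `checkNoRefChannel` are assumptions; the memo is handled as raw bytes.

```go
package main

import (
	"errors"
	"fmt"
)

const accountLen, refLen = 20, 32 // sizes stated in the PR text

// DepositDestination mirrors the {Account, Ref} pair; array types are assumed.
type DepositDestination struct {
	Account [accountLen]byte
	Ref     [refLen]byte
}

var (
	ErrMemoLength     = errors.New("account memo must be exactly 52 bytes")
	ErrRefUnsupported = errors.New("no side-data channel: non-zero reference rejected")
)

// encodeMemo lays out account || reference as raw bytes.
func encodeMemo(d DepositDestination) []byte {
	memo := append([]byte(nil), d.Account[:]...)
	return append(memo, d.Ref[:]...)
}

// decodeMemo is strict about length: a truncated or padded memo is an error.
func decodeMemo(memo []byte) (DepositDestination, error) {
	var d DepositDestination
	if len(memo) != accountLen+refLen {
		return d, fmt.Errorf("%w: got %d", ErrMemoLength, len(memo))
	}
	copy(d.Account[:], memo[:accountLen])
	copy(d.Ref[:], memo[accountLen:])
	return d, nil
}

// checkNoRefChannel is the BTC-style rule: only the all-zero reference passes.
func checkNoRefChannel(d DepositDestination) error {
	if d.Ref != ([refLen]byte{}) {
		return ErrRefUnsupported
	}
	return nil
}

func main() {
	d := DepositDestination{Account: [accountLen]byte{0xAA}, Ref: [refLen]byte{31: 0x07}} // constructed
	got, err := decodeMemo(encodeMemo(d))
	fmt.Println(got == d, err, checkNoRefChannel(d))
}
```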