Skip to content

Add lit-bridge: permissionless cross-chain token bridge#482

Open
clawdbot-glitch003 wants to merge 5 commits into
mainfrom
glitch003/hyperlane-competitor-plan
Open

Add lit-bridge: permissionless cross-chain token bridge#482
clawdbot-glitch003 wants to merge 5 commits into
mainfrom
glitch003/hyperlane-competitor-plan

Conversation

@clawdbot-glitch003

@clawdbot-glitch003 clawdbot-glitch003 commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Adds lit-bridge, a permissionless burn/mint cross-chain token bridge (a Hyperlane Warp Routes competitor) whose verification is a content-addressed Lit Action — reading the source chain over N independent RPCs with M-of-N consensus and in-TEE-decrypted RPC keys — instead of a validator set. The on-chain pieces are a Safe-governed BridgeConfigRegistry (per-chain RPC config + quorum) and an Ownable2Step BridgeToken with replay protection, a 0.1% fee skim to a treasury, and a native gas prepay so the relayer can never be made to overspend. Auto-relaying runs on lit-triggers chain-event triggers (this PR also adds base-sepolia/arbitrum-sepolia chain specs to lit-triggers) plus a retry poller (scripts/retryPoller.js) that recovers any burns the single-fire trigger missed. It ships the verification action + unit tests, Foundry contracts + tests, the setup/relay/Safe-governance scripts, and docs (a Safe-upgrade runbook and a token-issuer onboarding guide), alongside the design doc (plans/hyperlane-competitor.md). It is live and validated end-to-end on Base + Arbitrum mainnet; deferred follow-ups (existing-token wrapping via router contracts, treasury→gas loop, web UI) are noted in the plan.

🤖 Generated with Claude Code

Add lit-bridge: a permissionless burn/mint cross-chain token bridge whose
verification is a content-addressed Lit Action (M-of-N RPC consensus over
in-TEE-decrypted RPC keys) instead of a validator set. Includes a Safe-governed
on-chain config registry, native gas prepay (IGP-style) so the relayer never
overspends, a 0.1% fee skim to a treasury, and an auto-relayer driven by
lit-triggers chain-event triggers. Ships the verification action + unit tests,
Foundry contracts (BridgeConfigRegistry + Ownable2Step BridgeToken) + tests,
setup/relay/governance scripts, and a Safe-upgrade runbook. Also adds
base-sepolia + arbitrum-sepolia chain specs to lit-triggers for the relayer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@clawdbot-glitch003
clawdbot-glitch003 requested a review from a team June 10, 2026 23:28
glitch003 and others added 3 commits June 10, 2026 16:38
Add scripts/retryPoller.js — sweeps recent BurnInitiated, checks usedBurnIds on
the destination, and re-relays any un-minted burns (recovers ones the single-fire
lit-triggers relayer missed; idempotent via the on-chain replay guard). Resolves
the finality follow-up: the relayer can wait for finality because the poller
retries until the mint lands. Add docs/bringing-a-token-to-new-chains.md (issuer
onboarding guide) and link it + the retry poller from the README.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add scripts/proposeAccepts.js to propose the Ownable2Step acceptOwnership() Safe
txs that complete the registry/token governance handoff. It checks for a Safe
per chain and skips (with a warning) any chain where the Safe isn't deployed —
Safes are per-chain, so a contract transferred to a Safe address only works once
that Safe exists on its chain. Document the two-step, per-chain handoff in the
upgrade runbook.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… framing

Web UI (static/): ethers-from-CDN page served by the stateless Rocket
service. Reads the bridgeable chains from a new GET /api/config (driven by
CHAINS_JSON + TOKEN_SYMBOL + FEE_BPS), connects the user's wallet, and burns
straight from the browser with the relayer gas prepay attached as value, then
polls usedBurnIds on the destination to show completion. Service stores
nothing.

config.rs grows a ChainInfo struct + chains/token_symbol/fee_bps fields parsed
from CHAINS_JSON; main.rs already serves /api/config.

Ownership framing cleanup: handoffToSafe.js now hands off ONLY the shared
registry (token contracts are per-issuer, not platform-owned), and the
onboarding doc gains a "Who owns what" section making the platform-vs-issuer
split explicit. README status updated to reflect mainnet + governance + UI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@socket-security

socket-security Bot commented Jun 19, 2026

Copy link
Copy Markdown

Dependency limit exceeded — report not shown.

This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report.

Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard.

Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account.

Codex challenge run against the UI commit surfaced real footguns; fixes:

- XSS: the UI rendered status/error text and chain-name <option>s via innerHTML,
  so RPC/wallet error strings (externally influenced) and config values could
  inject markup. Now all dynamic values render as text/DOM nodes (setStatus takes
  string|Node parts; options built with textContent), and explorer links are
  validated to http(s) before becoming an <a> (no javascript:/data: hrefs).
- Stale recipient: switching wallet accounts left an auto-filled recipient
  pointing at the old account (burn from B, mint to A). Now the recipient tracks
  the connected account while auto-filled and stops once the user edits it.
- Fee quote ignored feeFlat: contract charges feeFlat + amount*feeBps/1e4, UI
  quoted only the bps part. Added fee_flat to /api/config (from FEE_FLAT, whole
  tokens) and the quote, plus a warning when the fee meets/exceeds the amount.
- Chain-switch race: verify web3.getNetwork().chainId == source before burning.
- Stale balance reads: sequence-guard the async balance write.
- Overpaid prepay: warn before signing if the dest RPC quotes an absurd prepay
  (it pools in the token and isn't refunded).
- Stuck-mint message no longer over-promises auto-completion; explains the retry
  poller + self-submit recovery and surfaces the burnId.
- proposeAccepts.js is now registry-only, matching the registry-only
  handoffToSafe.js (it previously queued token acceptOwnership() txs that would
  revert since their ownership was never transferred).
- .env.example CHAINS_JSON: documented the no-secrets/public-RPC and same-native
  constraints (cross-native pairs burn but never auto-relay).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants