Add lit-bridge: permissionless cross-chain token bridge#482
Open
clawdbot-glitch003 wants to merge 5 commits into
Open
Add lit-bridge: permissionless cross-chain token bridge#482clawdbot-glitch003 wants to merge 5 commits into
clawdbot-glitch003 wants to merge 5 commits into
Conversation
Add lit-bridge: a permissionless burn/mint cross-chain token bridge whose verification is a content-addressed Lit Action (M-of-N RPC consensus over in-TEE-decrypted RPC keys) instead of a validator set. Includes a Safe-governed on-chain config registry, native gas prepay (IGP-style) so the relayer never overspends, a 0.1% fee skim to a treasury, and an auto-relayer driven by lit-triggers chain-event triggers. Ships the verification action + unit tests, Foundry contracts (BridgeConfigRegistry + Ownable2Step BridgeToken) + tests, setup/relay/governance scripts, and a Safe-upgrade runbook. Also adds base-sepolia + arbitrum-sepolia chain specs to lit-triggers for the relayer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add scripts/retryPoller.js — sweeps recent BurnInitiated, checks usedBurnIds on the destination, and re-relays any un-minted burns (recovers ones the single-fire lit-triggers relayer missed; idempotent via the on-chain replay guard). Resolves the finality follow-up: the relayer can wait for finality because the poller retries until the mint lands. Add docs/bringing-a-token-to-new-chains.md (issuer onboarding guide) and link it + the retry poller from the README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add scripts/proposeAccepts.js to propose the Ownable2Step acceptOwnership() Safe txs that complete the registry/token governance handoff. It checks for a Safe per chain and skips (with a warning) any chain where the Safe isn't deployed — Safes are per-chain, so a contract transferred to a Safe address only works once that Safe exists on its chain. Document the two-step, per-chain handoff in the upgrade runbook. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… framing Web UI (static/): ethers-from-CDN page served by the stateless Rocket service. Reads the bridgeable chains from a new GET /api/config (driven by CHAINS_JSON + TOKEN_SYMBOL + FEE_BPS), connects the user's wallet, and burns straight from the browser with the relayer gas prepay attached as value, then polls usedBurnIds on the destination to show completion. Service stores nothing. config.rs grows a ChainInfo struct + chains/token_symbol/fee_bps fields parsed from CHAINS_JSON; main.rs already serves /api/config. Ownership framing cleanup: handoffToSafe.js now hands off ONLY the shared registry (token contracts are per-issuer, not platform-owned), and the onboarding doc gains a "Who owns what" section making the platform-vs-issuer split explicit. README status updated to reflect mainnet + governance + UI. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Dependency limit exceeded — report not shown. This pull request scan exceeded the 10,000-dependency limit applied to this scan, so the results are incomplete and may be inaccurate. To avoid reporting false positives, Socket has not posted a report. Upgrade your plan to raise the dependency limit and get complete reports, or view the partial scan in the dashboard. Socket is always free for open source. If this is a non-commercial open source project, contact us to request a free Team account. |
Codex challenge run against the UI commit surfaced real footguns; fixes: - XSS: the UI rendered status/error text and chain-name <option>s via innerHTML, so RPC/wallet error strings (externally influenced) and config values could inject markup. Now all dynamic values render as text/DOM nodes (setStatus takes string|Node parts; options built with textContent), and explorer links are validated to http(s) before becoming an <a> (no javascript:/data: hrefs). - Stale recipient: switching wallet accounts left an auto-filled recipient pointing at the old account (burn from B, mint to A). Now the recipient tracks the connected account while auto-filled and stops once the user edits it. - Fee quote ignored feeFlat: contract charges feeFlat + amount*feeBps/1e4, UI quoted only the bps part. Added fee_flat to /api/config (from FEE_FLAT, whole tokens) and the quote, plus a warning when the fee meets/exceeds the amount. - Chain-switch race: verify web3.getNetwork().chainId == source before burning. - Stale balance reads: sequence-guard the async balance write. - Overpaid prepay: warn before signing if the dest RPC quotes an absurd prepay (it pools in the token and isn't refunded). - Stuck-mint message no longer over-promises auto-completion; explains the retry poller + self-submit recovery and surfaces the burnId. - proposeAccepts.js is now registry-only, matching the registry-only handoffToSafe.js (it previously queued token acceptOwnership() txs that would revert since their ownership was never transferred). - .env.example CHAINS_JSON: documented the no-secrets/public-RPC and same-native constraints (cross-native pairs burn but never auto-relay). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds
lit-bridge, a permissionless burn/mint cross-chain token bridge (a Hyperlane Warp Routes competitor) whose verification is a content-addressed Lit Action — reading the source chain over N independent RPCs with M-of-N consensus and in-TEE-decrypted RPC keys — instead of a validator set. The on-chain pieces are a Safe-governedBridgeConfigRegistry(per-chain RPC config + quorum) and anOwnable2StepBridgeTokenwith replay protection, a 0.1% fee skim to a treasury, and a native gas prepay so the relayer can never be made to overspend. Auto-relaying runs onlit-triggerschain-event triggers (this PR also addsbase-sepolia/arbitrum-sepoliachain specs tolit-triggers) plus a retry poller (scripts/retryPoller.js) that recovers any burns the single-fire trigger missed. It ships the verification action + unit tests, Foundry contracts + tests, the setup/relay/Safe-governance scripts, and docs (a Safe-upgrade runbook and a token-issuer onboarding guide), alongside the design doc (plans/hyperlane-competitor.md). It is live and validated end-to-end on Base + Arbitrum mainnet; deferred follow-ups (existing-token wrapping via router contracts, treasury→gas loop, web UI) are noted in the plan.🤖 Generated with Claude Code