fix(R-C-01): isolated liquidity + outflow rate limits#76

Merged
sh3ifu merged 6 commits into script/R-M-03-R-W-16-update-fundsOut-interaction-script from bridge-R-C-01-outflow-guards on Jun 30, 2026

Conversation

@sh3ifu (Contributor) commented Jun 25, 2026

R-C-01 — on-chain constraints on the enclave money path

Closes the CRITICAL gap where a compromised TEE quorum could drain the whole
Bridge pool in one fundsOut. Two layered, independent on-chain limits bound
every release; both are applied before any external interaction, so a downstream
revert rolls them back atomically.

Level 1 — isolated per-chain liquidity

lockedLiquidity[chainId]: fundsIn credits the deposit's destinationChainId
by netAmount; fundsOut debits the release's sourceChainId by the gross
amount, reverting InsufficientChainLiquidity if it would exceed it. A release
can never draw more than was actually bridged toward that chain — closing the
cross-route drain (incl. NullSettlementModule routes that had no accounting).

Level 2 — per-chain + global outflow rate limit

A continuously-refilling token bucket (OutflowRateLimiter, src/libraries/)
caps how fast a release can drain liquidity:

  • chainBuckets[sourceChainId] (per-chain) + globalBucket (aggregate — a
    compromised shared TEE could otherwise drain every per-chain cap in one window);
  • fundsOut spends both; either short → revert + rollback;
  • fail-closed: an unconfigured/disabled source chain reverts
    LimitNotConfigured;
  • setOutflowLimit / setGlobalOutflowLimit (onlyOwner, federation timelock):
    validate 0 < rate < capacity, prime full on first enable, never gift on
    reconfiguration, clamp on decrease;
  • availableOutflow / availableGlobalOutflow preview the live allowance;
  • refill min(capacity, tokens + elapsed*rate) is overflow-safe for any valid config.
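A Python reference model of the two guard levels described in this PR, written here as an added example (it is not the project's Solidity). It keeps the names the description gives (lockedLiquidity, chainBuckets, InsufficientChainLiquidity, LimitNotConfigured); the other error names and the method shapes are assumptions. It lets the stated invariants be checked offline: refill bounded by capacity, no gift on reconfiguration, clamp on decrease, fail-closed on an unconfigured chain, and both buckets checked before anything is spent.

```python
"""Model of R-C-01 outflow guards. Added example, not the project's code;
error names other than InsufficientChainLiquidity/LimitNotConfigured are assumed."""
from dataclasses import dataclass

class Revert(Exception): pass  # stands in for a Solidity revert: whole fundsOut undone

@dataclass
class Bucket:
    capacity: int = 0
    rate: int = 0            # tokens refilled per second
    tokens: int = 0
    updated_at: int = 0
    enabled: bool = False

    def available(self, now: int) -> int:
        # refill = min(capacity, tokens + elapsed*rate); never exceeds capacity
        return min(self.capacity, self.tokens + (now - self.updated_at) * self.rate)

    def configure(self, capacity: int, rate: int, now: int) -> None:
        if not 0 < rate < capacity:
            raise Revert("InvalidLimit")  # assumed error name
        # prime full on first enable; on reconfiguration keep the live balance
        # (never gift tokens) and clamp it down to a smaller capacity
        live = self.available(now) if self.enabled else capacity
        self.capacity, self.rate, self.tokens = capacity, rate, min(live, capacity)
        self.updated_at, self.enabled = now, True

class Bridge:
    def __init__(self) -> None:
        self.locked: dict[int, int] = {}            # lockedLiquidity[chainId]
        self.chain_buckets: dict[int, Bucket] = {}  # chainBuckets[chainId]
        self.global_bucket = Bucket()

    def funds_in(self, dest_chain: int, net_amount: int) -> None:
        self.locked[dest_chain] = self.locked.get(dest_chain, 0) + net_amount

    def funds_out(self, src_chain: int, gross_amount: int, now: int) -> int:
        # Level 1: a release may only draw what was bridged toward this chain
        if gross_amount > self.locked.get(src_chain, 0):
            raise Revert("InsufficientChainLiquidity")
        # Level 2: both buckets are checked before any state changes, so a
        # shortfall in either one reverts the release with nothing spent
        chain = self.chain_buckets.get(src_chain, Bucket())  # unconfigured => disabled
        for b in (chain, self.global_bucket):
            if not b.enabled:
                raise Revert("LimitNotConfigured")           # fail-closed
            if gross_amount > b.available(now):
                raise Revert("OutflowRateLimitExceeded")     # assumed error name
        for b in (chain, self.global_bucket):
            b.tokens, b.updated_at = b.available(now) - gross_amount, now
        self.locked[src_chain] -= gross_amount
        return self.locked[src_chain]
```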

@sh3ifu sh3ifu changed the title from "Bridge r c 01 outflow guards" to "fix(R-C-01): isolated liquidity + outflow rate limits" on Jun 25, 2026
@sh3ifu sh3ifu requested review from MaiborodaY and crawter and removed request for MaiborodaY June 26, 2026 07:12
* test(R-C-01): isolated-liquidity regressions + round-trip fuzz

* test(R-C-01): outflow rate-limit regressions + refill fuzz

* test(R-C-01): outflow rate-limit regressions + refill fuzz

* fix(R-M-01): RgbSettlementModule verifies opId existence + exact amount (#79)
@sh3ifu sh3ifu merged commit 3bd659f into script/R-M-03-R-W-16-update-fundsOut-interaction-script Jun 30, 2026
2 checks passed