fix(pallet-tft-bridge): reject creating an already-executed refund #1093
Merged
create_stellar_refund_transaction_or_add_sig only checked whether the refund existed in RefundTransactions, not whether it had already been executed. A refund that was already executed (e.g. quarantined by the bridge after a permanently undeliverable Stellar submission) could be silently recreated, re-arming the on_finalize retry loop.

Add an ExecutedRefundTransactions guard, mirroring the existing checks in propose_or_vote_stellar_mint_transaction and propose_stellar_burn_transaction_or_add_sig. The bridge already recovers from the resulting RefundTransactionAlreadyExecuted error via the IsRefundedAlready check in RetryCreateRefundTransactionOrAddSig.

Note: spec_version is intentionally not bumped here; that is handled at release time via `make version-bump` (see docs/production/releases.md).

Refs #1089
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
514cb39 to 698b4a4
This was referenced Jun 1, 2026
Problem
create_stellar_refund_transaction_or_add_sig only checked whether the refund existed in RefundTransactions, not whether it had already been executed. A refund that was already executed — e.g. quarantined by the bridge after a permanently undeliverable Stellar submission (see #1089 / companion bridge PR) — could be silently recreated, re-arming the on_finalize retry loop.

This is also a consistency gap: the mint and burn paths already guard against re-creating an executed transaction; the refund path was the lone exception.

propose_or_vote_stellar_mint_transaction → checks ExecutedMintTransactions
propose_stellar_burn_transaction_or_add_sig → checks ExecutedBurnTransactions
create_stellar_refund_transaction_or_add_sig → checked neither (only RefundTransactions::contains_key)

Fix
Add an ExecutedRefundTransactions guard, returning RefundTransactionAlreadyExecuted, mirroring the mint/burn checks.

The bridge already recovers from this error gracefully: RetryCreateRefundTransactionOrAddSig re-checks IsRefundedAlready after a failed create and exits cleanly, so no bridge change is required.

Scope notes
spec_version bump. Per docs/production/releases.md, version/spec bumps are a release-time step (make version-bump). This PR is a runtime logic change and requires a runtime upgrade at release.
transaction_version unchanged.

Tests
TDD: added creating_refund_for_already_executed_transaction_fails (watched it fail — re-creation returned Ok instead of the error — then added the guard). Full pallet suite: 19 passed.

Refs #1089
🤖 Generated with Claude Code
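
A simplified, std-only model of the guard described in this PR, as an added example that is not the pallet's code or part of the PR. The `Bridge` struct, string transaction hashes, `set_executed`, `pending` and the `guard` flag are assumptions made for illustration; only the storage and error names come from the description above.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum Error {
    RefundTransactionAlreadyExecuted,
}

/// Constructed stand-in for the two refund storage maps named in the PR.
#[derive(Default)]
pub struct Bridge {
    /// Pending refunds: tx hash -> collected signatures (retried until executed).
    pub refund_transactions: HashMap<String, Vec<String>>,
    /// Refunds that were executed and must never become pending again.
    pub executed_refund_transactions: HashSet<String>,
}

impl Bridge {
    /// Create a pending refund, or add a signature to an existing one.
    /// `guard = false` (hypothetical switch) reproduces the pre-fix behaviour.
    pub fn create_refund_or_add_sig(&mut self, tx: &str, sig: &str, guard: bool) -> Result<(), Error> {
        if guard && self.executed_refund_transactions.contains(tx) {
            return Err(Error::RefundTransactionAlreadyExecuted);
        }
        let sigs = self.refund_transactions.entry(tx.to_string()).or_default();
        if !sigs.iter().any(|s| s == sig) {
            sigs.push(sig.to_string());
        }
        Ok(())
    }

    /// Move a refund from pending to executed.
    pub fn set_executed(&mut self, tx: &str) {
        self.refund_transactions.remove(tx);
        self.executed_refund_transactions.insert(tx.to_string());
    }

    /// Number of refunds a retry loop would still act on.
    pub fn pending(&self) -> usize {
        self.refund_transactions.len()
    }
}

fn main() {
    let mut b = Bridge::default();
    b.create_refund_or_add_sig("tx1", "sigA", true).unwrap();
    b.set_executed("tx1");
    println!("guarded:   {:?}", b.create_refund_or_add_sig("tx1", "sigA", true));
    let r = b.create_refund_or_add_sig("tx1", "sigA", false);
    println!("unguarded: {:?}, pending = {}", r, b.pending());
}
```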