Bridge

Bridge manages the BTC deposit and redemption flow and increases and decreases balances in the Bank as a result of BTC deposit and redemption operations performed by depositors and redeemers.

Depositors send BTC funds to the most recently created off-chain ECDSA wallet of the bridge using pay-to-script-hash (P2SH) or pay-to-witness-script-hash (P2WSH) containing hashed information about the depositor’s Ethereum address. Then, the depositor reveals their Ethereum address along with their deposit blinding factor, refund public key hash and refund locktime to the Bridge on the Ethereum chain. The off-chain ECDSA wallet listens for these sorts of messages and when it gets one, it checks the Bitcoin network to make sure the deposit lines up. If it does, the off-chain ECDSA wallet may decide to pick the deposit transaction for sweeping, and when the sweep operation is confirmed on the Bitcoin network, the ECDSA wallet informs the Bridge about the sweep, increasing the appropriate balances in the Bank.

Bridge is an upgradeable component of the Bank. The order of functionalities in this contract is: deposit, sweep, redemption, moving funds, wallet lifecycle, frauds, parameters.

self

struct BridgeState.Storage self

DepositRevealed

event DepositRevealed(bytes32 fundingTxHash, uint32 fundingOutputIndex, address depositor, uint64 amount, bytes8 blindingFactor, bytes20 walletPubKeyHash, bytes20 refundPubKeyHash, bytes4 refundLocktime, address vault)

DepositsSwept

event DepositsSwept(bytes20 walletPubKeyHash, bytes32 sweepTxHash)

RedemptionRequested

event RedemptionRequested(bytes20 walletPubKeyHash, bytes redeemerOutputScript, address redeemer, uint64 requestedAmount, uint64 treasuryFee, uint64 txMaxFee)

RedemptionsCompleted

event RedemptionsCompleted(bytes20 walletPubKeyHash, bytes32 redemptionTxHash)

RedemptionTimedOut

event RedemptionTimedOut(bytes20 walletPubKeyHash, bytes redeemerOutputScript)

WalletMovingFunds

event WalletMovingFunds(bytes32 ecdsaWalletID, bytes20 walletPubKeyHash)

MovingFundsCommitmentSubmitted

event MovingFundsCommitmentSubmitted(bytes20 walletPubKeyHash, bytes20[] targetWallets, address submitter)

MovingFundsTimeoutReset

event MovingFundsTimeoutReset(bytes20 walletPubKeyHash)

MovingFundsCompleted

event MovingFundsCompleted(bytes20 walletPubKeyHash, bytes32 movingFundsTxHash)

MovingFundsTimedOut

event MovingFundsTimedOut(bytes20 walletPubKeyHash)

MovingFundsBelowDustReported

event MovingFundsBelowDustReported(bytes20 walletPubKeyHash)

MovedFundsSwept

event MovedFundsSwept(bytes20 walletPubKeyHash, bytes32 sweepTxHash)

MovedFundsSweepTimedOut

event MovedFundsSweepTimedOut(bytes20 walletPubKeyHash, bytes32 movingFundsTxHash, uint32 movingFundsTxOutputIndex)

NewWalletRequested

event NewWalletRequested()

NewWalletRegistered

event NewWalletRegistered(bytes32 ecdsaWalletID, bytes20 walletPubKeyHash)

WalletClosing

event WalletClosing(bytes32 ecdsaWalletID, bytes20 walletPubKeyHash)

WalletClosed

event WalletClosed(bytes32 ecdsaWalletID, bytes20 walletPubKeyHash)

WalletTerminated

event WalletTerminated(bytes32 ecdsaWalletID, bytes20 walletPubKeyHash)

FraudChallengeSubmitted

event FraudChallengeSubmitted(bytes20 walletPubKeyHash, bytes32 sighash, uint8 v, bytes32 r, bytes32 s)

FraudChallengeDefeated

event FraudChallengeDefeated(bytes20 walletPubKeyHash, bytes32 sighash)

FraudChallengeDefeatTimedOut

event FraudChallengeDefeatTimedOut(bytes20 walletPubKeyHash, bytes32 sighash)

VaultStatusUpdated

event VaultStatusUpdated(address vault, bool isTrusted)

SpvMaintainerStatusUpdated

event SpvMaintainerStatusUpdated(address spvMaintainer, bool isTrusted)

DepositParametersUpdated

event DepositParametersUpdated(uint64 depositDustThreshold, uint64 depositTreasuryFeeDivisor, uint64 depositTxMaxFee, uint32 depositRevealAheadPeriod)

RedemptionParametersUpdated

event RedemptionParametersUpdated(uint64 redemptionDustThreshold, uint64 redemptionTreasuryFeeDivisor, uint64 redemptionTxMaxFee, uint64 redemptionTxMaxTotalFee, uint32 redemptionTimeout, uint96 redemptionTimeoutSlashingAmount, uint32 redemptionTimeoutNotifierRewardMultiplier)

MovingFundsParametersUpdated

event MovingFundsParametersUpdated(uint64 movingFundsTxMaxTotalFee, uint64 movingFundsDustThreshold, uint32 movingFundsTimeoutResetDelay, uint32 movingFundsTimeout, uint96 movingFundsTimeoutSlashingAmount, uint32 movingFundsTimeoutNotifierRewardMultiplier, uint16 movingFundsCommitmentGasOffset, uint64 movedFundsSweepTxMaxTotalFee, uint32 movedFundsSweepTimeout, uint96 movedFundsSweepTimeoutSlashingAmount, uint32 movedFundsSweepTimeoutNotifierRewardMultiplier)

WalletParametersUpdated

event WalletParametersUpdated(uint32 walletCreationPeriod, uint64 walletCreationMinBtcBalance, uint64 walletCreationMaxBtcBalance, uint64 walletClosureMinBtcBalance, uint32 walletMaxAge, uint64 walletMaxBtcTransfer, uint32 walletClosingPeriod)

FraudParametersUpdated

event FraudParametersUpdated(uint96 fraudChallengeDepositAmount, uint32 fraudChallengeDefeatTimeout, uint96 fraudSlashingAmount, uint32 fraudNotifierRewardMultiplier)

TreasuryUpdated

event TreasuryUpdated(address treasury)

onlySpvMaintainer

modifier onlySpvMaintainer()

constructor

constructor() public

initialize

function initialize(address _bank, address _relay, address _treasury, address _ecdsaWalletRegistry, address payable _reimbursementPool, uint96 _txProofDifficultyFactor) external

Initializes the upgradeable contract on deployment.

Parameters

revealDeposit

function revealDeposit(struct BitcoinTx.Info fundingTx, struct Deposit.DepositRevealInfo reveal) external

Used by the depositor to reveal information about their P2(W)SH Bitcoin deposit to the Bridge on the Ethereum chain. The off-chain wallet listens for revealed deposit events and may decide to include the revealed deposit in the next executed sweep. Information about the Bitcoin deposit can be revealed before or after the Bitcoin transaction with the P2(W)SH deposit is mined on the Bitcoin chain. Note that the gas cost of this function scales with the number of P2(W)SH transaction inputs and outputs. The deposit may be routed to one of the trusted vaults. When a deposit is routed to a vault, the vault is notified when the deposit is swept and may execute the appropriate action.

Requirements:

  • This function must be called by the same Ethereum address as the one used in the P2(W)SH BTC deposit transaction as a depositor,

  • reveal.walletPubKeyHash must identify a Live wallet,

  • reveal.vault must be 0x0 or point to a trusted vault,

  • reveal.fundingOutputIndex must point to the actual P2(W)SH output of the BTC deposit transaction,

  • reveal.blindingFactor must be the blinding factor used in the P2(W)SH BTC deposit transaction,

  • reveal.walletPubKeyHash must be the wallet pub key hash used in the P2(W)SH BTC deposit transaction,

  • reveal.refundPubKeyHash must be the refund pub key hash used in the P2(W)SH BTC deposit transaction,

  • reveal.refundLocktime must be the refund locktime used in the P2(W)SH BTC deposit transaction,

  • BTC deposit for the given fundingTxHash, fundingOutputIndex can be revealed only one time.

If any of these requirements is not met, the wallet must refuse to sweep the deposit and the depositor has to wait until the deposit script unlocks to receive their BTC back.

Parameters

submitDepositSweepProof

function submitDepositSweepProof(struct BitcoinTx.Info sweepTx, struct BitcoinTx.Proof sweepProof, struct BitcoinTx.UTXO mainUtxo, address vault) external

Used by the wallet to prove the BTC deposit sweep transaction and to update Bank balances accordingly. Sweep is only accepted if it satisfies SPV proof.

The function performs Bank balance updates by first computing the Bitcoin fee for the sweep transaction. The fee is divided evenly between all swept deposits. Each depositor receives a balance in the Bank equal to the amount inferred during the reveal transaction, minus their fee share.

It is possible to prove the given sweep only one time.

Requirements:

  • sweepTx components must match the expected structure. See BitcoinTx.Info docs for reference. Their values must exactly correspond to appropriate Bitcoin transaction fields to produce a provable transaction hash,

  • The sweepTx should represent a Bitcoin transaction with 1..n inputs. If the wallet has no main UTXO, all n inputs should correspond to P2(W)SH revealed deposits UTXOs. If the wallet has an existing main UTXO, one of the n inputs must point to that main UTXO and remaining n-1 inputs should correspond to P2(W)SH revealed deposits UTXOs. That transaction must have only one P2(W)PKH output locking funds on the 20-byte wallet public key hash,

  • All revealed deposits that are swept by sweepTx must have their vault parameters set to the same address as the address passed in the vault function parameter,

  • sweepProof components must match the expected structure. See BitcoinTx.Proof docs for reference. The bitcoinHeaders field must contain a valid number of block headers, not less than the txProofDifficultyFactor contract constant,

  • mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain. If there is no main UTXO, this parameter is ignored.

Parameters

requestRedemption

function requestRedemption(bytes20 walletPubKeyHash, struct BitcoinTx.UTXO mainUtxo, bytes redeemerOutputScript, uint64 amount) external

Requests redemption of the given amount from the specified wallet to the redeemer Bitcoin output script. Handles the simplest case in which the redeemer's balance is decreased in the Bank.

Requirements:

  • Wallet behind walletPubKeyHash must be live,

  • mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain,

  • redeemerOutputScript must be a proper Bitcoin script,

  • redeemerOutputScript cannot have wallet PKH as payload,

  • amount must be greater than or equal to the redemptionDustThreshold,

  • Given walletPubKeyHash and redeemerOutputScript pair can be used for only one pending request at the same time,

  • Wallet must have enough Bitcoin balance to process the request,

  • Redeemer must make an allowance in the Bank that the Bridge contract can spend the given amount.

Parameters

receiveBalanceApproval

function receiveBalanceApproval(address balanceOwner, uint256 amount, bytes redemptionData) external

Requests redemption of the given amount from the specified wallet to the redeemer Bitcoin output script. Used by Bank.approveBalanceAndCall. Can handle more complex cases where the balance owner may be someone other than the redeemer, for example, a vault redeeming its balance for some depositor.

Requirements:

  • The caller must be the Bank,

  • Wallet behind walletPubKeyHash must be live,

  • mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain,

  • redeemerOutputScript must be a proper Bitcoin script,

  • redeemerOutputScript cannot have wallet PKH as payload,

  • amount must be greater than or equal to the redemptionDustThreshold,

  • Given walletPubKeyHash and redeemerOutputScript pair can be used for only one pending request at the same time,

  • Wallet must have enough Bitcoin balance to process the request.

Note on upgradeability: Bridge is an upgradeable contract deployed behind a TransparentUpgradeableProxy. Accepting redemption data as bytes provides great flexibility. The Bridge is just like any other contract with a balance approved in the Bank and can be upgraded to another version without being bound to a particular interface forever. This flexibility comes at a cost: developers integrating their vaults and dApps with Bridge using approveBalanceAndCall need to pay extra attention to redemptionData and adjust the code in case the expected structure of redemptionData changes.

Parameters

submitRedemptionProof

function submitRedemptionProof(struct BitcoinTx.Info redemptionTx, struct BitcoinTx.Proof redemptionProof, struct BitcoinTx.UTXO mainUtxo, bytes20 walletPubKeyHash) external

Used by the wallet to prove the BTC redemption transaction and to make the necessary bookkeeping. Redemption is only accepted if it satisfies SPV proof.

The function performs Bank balance updates by burning the total redeemed Bitcoin amount from the Bridge balance and transferring the treasury fee sum to the treasury address.

It is possible to prove the given redemption only one time.

Requirements:

  • redemptionTx components must match the expected structure. See BitcoinTx.Info docs for reference. Their values must exactly correspond to appropriate Bitcoin transaction fields to produce a provable transaction hash,

  • The redemptionTx should represent a Bitcoin transaction with exactly 1 input that refers to the wallet's main UTXO. That transaction should have 1..n outputs handling existing pending redemption requests or pointing to reported timed out requests. There can also be 1 optional output representing the change and pointing back to the 20-byte wallet public key hash. The change should always be present if the redeemed value sum is lower than the total wallet's BTC balance,

  • redemptionProof components must match the expected structure. See BitcoinTx.Proof docs for reference. The bitcoinHeaders field must contain a valid number of block headers, not less than the txProofDifficultyFactor contract constant,

  • mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain. Additionally, the recent main UTXO on Ethereum must be set,

  • walletPubKeyHash must be connected with the main UTXO used as transaction single input.

Other remarks:

  • Putting the change output as the first transaction output can save some gas because the output processing loop begins each iteration by checking whether the given output is the change, and thus uses some gas for making the comparison. Once the change is identified, that check is omitted in further iterations.

Parameters

notifyRedemptionTimeout

function notifyRedemptionTimeout(bytes20 walletPubKeyHash, uint32[] walletMembersIDs, bytes redeemerOutputScript) external

Notifies that there is a pending redemption request associated with the given wallet, that has timed out. The redemption request is identified by the key built as keccak256(keccak256(redeemerOutputScript) | walletPubKeyHash). The results of calling this function:

  • The pending redemptions value for the wallet will be decreased by the requested amount (minus treasury fee),

  • The tokens taken from the redeemer on redemption request will be returned to the redeemer,

  • The request will be moved from pending redemptions to timed-out redemptions,

  • If the state of the wallet is Live or MovingFunds, the wallet operators will be slashed and the notifier will be rewarded,

  • If the state of wallet is Live, the wallet will be closed or marked as MovingFunds (depending on the presence or absence of the wallet's main UTXO) and the wallet will no longer be marked as the active wallet (if it was marked as such).

Requirements:

  • The wallet must be in the Live or MovingFunds or Terminated state,

  • The redemption request identified by walletPubKeyHash and redeemerOutputScript must exist,

  • The expression keccak256(abi.encode(walletMembersIDs)) must be exactly the same as the hash stored under membersIdsHash for the given walletID. Those IDs are not directly stored in the contract for gas efficiency purposes but they can be read from appropriate DkgResultSubmitted and DkgResultApproved events of the WalletRegistry contract,

  • The amount of time defined by redemptionTimeout must have passed since the redemption was requested (the request must be timed-out).

Parameters

submitMovingFundsCommitment

function submitMovingFundsCommitment(bytes20 walletPubKeyHash, struct BitcoinTx.UTXO walletMainUtxo, uint32[] walletMembersIDs, uint256 walletMemberIndex, bytes20[] targetWallets) external

Submits the moving funds target wallets commitment. Once all requirements are met, that function registers the target wallets commitment and opens the way for moving funds proof submission. The caller is reimbursed for the transaction costs.

Requirements:

  • The source wallet must be in the MovingFunds state,

  • The source wallet must not have pending redemption requests,

  • The source wallet must not have pending moved funds sweep requests,

  • The source wallet must not have submitted its commitment already,

  • The expression keccak256(abi.encode(walletMembersIDs)) must be exactly the same as the hash stored under membersIdsHash for the given source wallet in the ECDSA registry. Those IDs are not directly stored in the contract for gas efficiency purposes but they can be read from appropriate DkgResultSubmitted and DkgResultApproved events,

  • The walletMemberIndex must be in range [1, walletMembersIDs.length],

  • The caller must be the member of the source wallet signing group at the position indicated by walletMemberIndex parameter,

  • The walletMainUtxo components must point to the recent main UTXO of the source wallet, as currently known on the Ethereum chain,

  • Source wallet BTC balance must be greater than zero,

  • At least one Live wallet must exist in the system,

  • Submitted target wallets count must match the expected count N = min(liveWalletsCount, ceil(walletBtcBalance / walletMaxBtcTransfer)) where N > 0,

  • Each target wallet must not be equal to the source wallet,

  • Each target wallet must follow the expected order i.e. all target wallets 20-byte public key hashes represented as numbers must form a strictly increasing sequence without duplicates,

  • Each target wallet must be in Live state.
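The count and ordering rules above, as an added Python example of an off-chain pre-check run before calling submitMovingFundsCommitment; it is not the Bridge's own code. The function names, the wallet-state map and the sample hashes are constructed for illustration, and liveWalletsCount is assumed to be the number of wallets currently in the Live state.

```python
from typing import Dict, List

PKH_LEN = 20  # target wallets are identified by 20-byte public key hashes


def expected_target_count(live_wallets: int, balance_sat: int,
                          max_transfer_sat: int) -> int:
    """N = min(liveWalletsCount, ceil(walletBtcBalance / walletMaxBtcTransfer))."""
    if live_wallets < 1:
        raise ValueError("at least one Live wallet must exist in the system")
    if balance_sat <= 0:
        raise ValueError("source wallet BTC balance must be greater than zero")
    if max_transfer_sat <= 0:
        raise ValueError("walletMaxBtcTransfer must be positive")
    # Integer ceiling division: floats would lose precision on large satoshi values.
    chunks = (balance_sat + max_transfer_sat - 1) // max_transfer_sat
    return min(live_wallets, chunks)


def commitment_violations(source: bytes, balance_sat: int, max_transfer_sat: int,
                          states: Dict[bytes, str],
                          targets: List[bytes]) -> List[str]:
    """Return every requirement the proposed commitment breaks ([] means OK)."""
    problems: List[str] = []
    if states.get(source) != "MovingFunds":
        problems.append("source wallet is not in the MovingFunds state")

    # Assumption: the Live count is derived from the locally tracked state map.
    live = sum(1 for state in states.values() if state == "Live")
    try:
        n = expected_target_count(live, balance_sat, max_transfer_sat)
    except ValueError as exc:
        return problems + [str(exc)]

    if len(targets) != n:
        problems.append(f"expected {n} target wallets, got {len(targets)}")

    previous = -1
    for i, pkh in enumerate(targets):
        if len(pkh) != PKH_LEN:
            problems.append(f"target {i} is not a 20-byte hash")
            continue
        if pkh == source:
            problems.append(f"target {i} equals the source wallet")
        if states.get(pkh) != "Live":
            problems.append(f"target {i} is not in the Live state")
        # Hashes are compared as numbers; "<=" rejects duplicates as well.
        as_number = int.from_bytes(pkh, "big")
        if as_number <= previous:
            problems.append(f"target {i} breaks the strictly increasing order")
        previous = as_number
    return problems


# Constructed sample data: one source wallet and three Live wallets.
SRC = bytes.fromhex("aa" * 20)
W1 = bytes.fromhex("11" * 20)
W2 = bytes.fromhex("22" * 20)
W3 = bytes.fromhex("33" * 20)
STATES = {SRC: "MovingFunds", W1: "Live", W2: "Live", W3: "Live"}

if __name__ == "__main__":
    # 2.5 BTC to move with a 1 BTC per-wallet cap: three targets are required.
    for proposal in ([W1, W2, W3], [W2, W1, W3], [W1, W2]):
        print(commitment_violations(SRC, 250_000_000, 100_000_000, STATES, proposal))
```
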

Parameters

resetMovingFundsTimeout

function resetMovingFundsTimeout(bytes20 walletPubKeyHash) external

Resets the moving funds timeout for the given wallet if the target wallet commitment cannot be submitted due to a lack of live wallets in the system.

Requirements:

  • The wallet must be in the MovingFunds state,

  • The target wallets commitment must not be already submitted for the given moving funds wallet,

  • Live wallets count must be zero,

  • The moving funds timeout reset delay must have elapsed.

Parameters

submitMovingFundsProof

function submitMovingFundsProof(struct BitcoinTx.Info movingFundsTx, struct BitcoinTx.Proof movingFundsProof, struct BitcoinTx.UTXO mainUtxo, bytes20 walletPubKeyHash) external

Used by the wallet to prove the BTC moving funds transaction and to make the necessary state changes. Moving funds is only accepted if it satisfies SPV proof.

The function validates the moving funds transaction structure by checking if it actually spends the main UTXO of the declared wallet and locks the value on the pre-committed target wallets using a reasonable transaction fee. If all preconditions are met, this function closes the source wallet.

It is possible to prove the given moving funds transaction only one time.

Requirements:

  • movingFundsTx components must match the expected structure. See BitcoinTx.Info docs for reference. Their values must exactly correspond to appropriate Bitcoin transaction fields to produce a provable transaction hash,

  • The movingFundsTx should represent a Bitcoin transaction with exactly 1 input that refers to the wallet's main UTXO. That transaction should have 1..n outputs corresponding to the pre-committed target wallets. Outputs must be ordered in the same way as their corresponding target wallets are ordered within the target wallets commitment,

  • movingFundsProof components must match the expected structure. See BitcoinTx.Proof docs for reference. The bitcoinHeaders field must contain a valid number of block headers, not less than the txProofDifficultyFactor contract constant,

  • mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain. Additionally, the recent main UTXO on Ethereum must be set,

  • walletPubKeyHash must be connected with the main UTXO used as transaction single input,

  • The wallet that walletPubKeyHash points to must be in the MovingFunds state,

  • The target wallets commitment must be submitted by the wallet that walletPubKeyHash points to,

  • The total Bitcoin transaction fee must be less than or equal to the movingFundsTxMaxTotalFee governable parameter.

Parameters

notifyMovingFundsTimeout

function notifyMovingFundsTimeout(bytes20 walletPubKeyHash, uint32[] walletMembersIDs) external

Notifies about a timed out moving funds process. Terminates the wallet and slashes signing group members as a result.

Requirements:

  • The wallet must be in the MovingFunds state,

  • The moving funds timeout must be actually exceeded,

  • The expression keccak256(abi.encode(walletMembersIDs)) must be exactly the same as the hash stored under membersIdsHash for the given walletID. Those IDs are not directly stored in the contract for gas efficiency purposes but they can be read from appropriate DkgResultSubmitted and DkgResultApproved events of the WalletRegistry contract.

Parameters

notifyMovingFundsBelowDust

function notifyMovingFundsBelowDust(bytes20 walletPubKeyHash, struct BitcoinTx.UTXO mainUtxo) external

Notifies about a moving funds wallet whose BTC balance is below the moving funds dust threshold. Ends the moving funds process and begins wallet closing immediately.

Requirements:

  • The wallet must be in the MovingFunds state,

  • The mainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain. If the wallet has no main UTXO, this parameter can be empty as it is ignored,

  • The wallet BTC balance must be below the moving funds threshold.

Parameters

submitMovedFundsSweepProof

function submitMovedFundsSweepProof(struct BitcoinTx.Info sweepTx, struct BitcoinTx.Proof sweepProof, struct BitcoinTx.UTXO mainUtxo) external

Used by the wallet to prove the BTC moved funds sweep transaction and to make the necessary state changes. Moved funds sweep is only accepted if it satisfies SPV proof.

The function validates the sweep transaction structure by checking if it actually spends the moved funds UTXO and the sweeping wallet's main UTXO (optionally), and if it locks the value on the sweeping wallet's 20-byte public key hash using a reasonable transaction fee. If all preconditions are met, this function updates the sweeping wallet main UTXO, thus their BTC balance.

It is possible to prove the given sweep transaction only one time.

Requirements:

  • sweepTx components must match the expected structure. See BitcoinTx.Info docs for reference. Their values must exactly correspond to appropriate Bitcoin transaction fields to produce a provable transaction hash,

  • The sweepTx should represent a Bitcoin transaction with the first input pointing to a moved funds sweep request targeted to the wallet, and optionally, the second input pointing to the wallet's main UTXO, if the sweeping wallet has a main UTXO set. There should be only one output locking funds on the sweeping wallet 20-byte public key hash,

  • sweepProof components must match the expected structure. See BitcoinTx.Proof docs for reference. The bitcoinHeaders field must contain a valid number of block headers, not less than the txProofDifficultyFactor contract constant,

  • mainUtxo components must point to the recent main UTXO of the sweeping wallet, as currently known on the Ethereum chain. If there is no main UTXO, this parameter is ignored,

  • The sweeping wallet must be in the Live or MovingFunds state,

  • The total Bitcoin transaction fee must be less than or equal to the movedFundsSweepTxMaxTotalFee governable parameter.

Parameters

notifyMovedFundsSweepTimeout

function notifyMovedFundsSweepTimeout(bytes32 movingFundsTxHash, uint32 movingFundsTxOutputIndex, uint32[] walletMembersIDs) external

Notifies about a timed out moved funds sweep process. If the wallet is not terminated yet, that function terminates the wallet and slashes signing group members as a result. Marks the given sweep request as TimedOut.

Requirements:

  • The moved funds sweep request must be in the Pending state,

  • The moved funds sweep timeout must be actually exceeded,

  • The wallet must be either in the Live or MovingFunds or Terminated state,

  • The expression keccak256(abi.encode(walletMembersIDs)) must be exactly the same as the hash stored under membersIdsHash for the given walletID. Those IDs are not directly stored in the contract for gas efficiency purposes but they can be read from appropriate DkgResultSubmitted and DkgResultApproved events of the WalletRegistry contract.

Parameters

requestNewWallet

function requestNewWallet(struct BitcoinTx.UTXO activeWalletMainUtxo) external

Requests creation of a new wallet. This function just forms a request and the creation process is performed asynchronously. Once a wallet is created, the ECDSA Wallet Registry will notify this contract by calling the __ecdsaWalletCreatedCallback function.

Requirements:

  • activeWalletMainUtxo components must point to the recent main UTXO of the given active wallet, as currently known on the Ethereum chain. If there is no active wallet at the moment, or the active wallet has no main UTXO, this parameter can be empty as it is ignored,

  • Wallet creation must not be in progress,

  • If the active wallet is set, one of the following conditions must be true:

      • The active wallet BTC balance is above the minimum threshold and the active wallet is old enough, i.e. the creation period has elapsed since its creation time,

      • The active wallet BTC balance is above the maximum threshold.

Parameters

__ecdsaWalletCreatedCallback

function __ecdsaWalletCreatedCallback(bytes32 ecdsaWalletID, bytes32 publicKeyX, bytes32 publicKeyY) external

A callback function that is called by the ECDSA Wallet Registry once a new ECDSA wallet is created.

Requirements:

  • The only caller authorized to call this function is registry,

  • Given wallet data must not belong to an already registered wallet.

Parameters

__ecdsaWalletHeartbeatFailedCallback

function __ecdsaWalletHeartbeatFailedCallback(bytes32, bytes32 publicKeyX, bytes32 publicKeyY) external

A callback function that is called by the ECDSA Wallet Registry once a wallet heartbeat failure is detected.

Requirements:

  • The only caller authorized to call this function is registry,

  • Wallet must be in Live state.

Parameters

notifyWalletCloseable

function notifyWalletCloseable(bytes20 walletPubKeyHash, struct BitcoinTx.UTXO walletMainUtxo) external

Notifies that the wallet is either old enough or has too few satoshi left and qualifies to be closed.

Requirements:

  • Wallet must not be set as the current active wallet,

  • Wallet must exceed the wallet maximum age OR the wallet BTC balance must be less than the minimum threshold. If the latter case is true, the walletMainUtxo components must point to the recent main UTXO of the given wallet, as currently known on the Ethereum chain. If the wallet has no main UTXO, this parameter can be empty as it is ignored since the wallet balance is assumed to be zero,

  • Wallet must be in Live state.

Parameters

notifyWalletClosingPeriodElapsed

function notifyWalletClosingPeriodElapsed(bytes20 walletPubKeyHash) external

Notifies about the end of the closing period for the given wallet. Closes the wallet ultimately and notifies the ECDSA registry about this fact.

Requirements:

  • The wallet must be in the Closing state,

  • The wallet closing period must have elapsed.

Parameters

submitFraudChallenge

function submitFraudChallenge(bytes walletPublicKey, bytes preimageSha256, struct BitcoinTx.RSVSignature signature) external payable

Submits a fraud challenge indicating that a UTXO being under wallet control was unlocked by the wallet but was not used according to the protocol rules. That means the wallet signed a transaction input pointing to that UTXO and there is a unique sighash and signature pair associated with that input. This function uses those parameters to create a fraud accusation that proves a given transaction input unlocking the given UTXO was actually signed by the wallet. This function cannot determine whether the transaction was actually broadcast and the input was consumed in a fraudulent way so it just opens a challenge period during which the wallet can defeat the challenge by submitting proof of a transaction that consumes the given input according to protocol rules. To prevent spurious allegations, the caller must deposit ETH that is returned back upon justified fraud challenge or confiscated otherwise.

Requirements:

  • Wallet behind walletPublicKey must be in Live or MovingFunds or Closing state,

  • The challenger must send the appropriate amount of ETH used as the fraud challenge deposit,

  • The signature (represented by r, s and v) must be generated by the wallet behind walletPubKey during signing of sighash which was calculated from preimageSha256,

  • Wallet can be challenged for the given signature only once.

Parameters

defeatFraudChallenge

function defeatFraudChallenge(bytes walletPublicKey, bytes preimage, bool witness) external

Allows defeating a pending fraud challenge against a wallet if the transaction that spends the UTXO follows the protocol rules. In order to defeat the challenge the same walletPublicKey and signature (represented by r, s and v) must be provided as were used to calculate the sighash during input signing. The fraud challenge defeat attempt will only succeed if the inputs in the preimage are considered honestly spent by the wallet. Therefore the transaction spending the UTXO must be proven in the Bridge before a challenge defeat is called. If successfully defeated, the fraud challenge is marked as resolved and the amount of ether deposited by the challenger is sent to the treasury.

Requirements:

  • walletPublicKey and sighash calculated as hash256(preimage) must identify an open fraud challenge,

  • the preimage must be a valid preimage of a transaction generated according to the protocol rules and already proved in the Bridge,

  • before a defeat attempt is made the transaction that spends the given UTXO must be proven in the Bridge.

Parameters

defeatFraudChallengeWithHeartbeat

function defeatFraudChallengeWithHeartbeat(bytes walletPublicKey, bytes heartbeatMessage) external

Allows defeating a pending fraud challenge against a wallet by proving the sighash and signature were produced for an off-chain wallet heartbeat message following a strict format. In order to defeat the challenge the same walletPublicKey and signature (represented by r, s and v) must be provided as were used to calculate the sighash during heartbeat message signing. The fraud challenge defeat attempt will only succeed if the signed message follows a strict format required for heartbeat messages. If successfully defeated, the fraud challenge is marked as resolved and the amount of ether deposited by the challenger is sent to the treasury.

Requirements:

  • walletPublicKey and sighash calculated as hash256(heartbeatMessage) must identify an open fraud challenge,

  • heartbeatMessage must follow a strict format of heartbeat messages.

Parameters

notifyFraudChallengeDefeatTimeout

function notifyFraudChallengeDefeatTimeout(bytes walletPublicKey, uint32[] walletMembersIDs, bytes preimageSha256) external

Notifies about defeat timeout for the given fraud challenge. Can be called only if there was a fraud challenge identified by the provided walletPublicKey and sighash and it was not defeated on time. The amount of time that needs to pass after a fraud challenge is reported is indicated by the challengeDefeatTimeout. After a successful fraud challenge defeat timeout notification the fraud challenge is marked as resolved, the stake of each operator is slashed, the ether deposited is returned to the challenger and the challenger is rewarded.

Requirements:

  • The wallet must be in the Live, MovingFunds, Closing or Terminated state,

  • The walletPublicKey and sighash calculated from preimageSha256 must identify an open fraud challenge,

  • The expression keccak256(abi.encode(walletMembersIDs)) must be exactly the same as the hash stored under membersIdsHash for the given walletID. Those IDs are not directly stored in the contract for gas efficiency purposes but they can be read from appropriate DkgResultSubmitted and DkgResultApproved events of the WalletRegistry contract,

  • The amount of time indicated by challengeDefeatTimeout must pass after the challenge was reported.

Parameters

setVaultStatus

function setVaultStatus(address vault, bool isTrusted) external

Allows the Governance to mark the given vault address as trusted or no longer trusted. Vaults are not trusted by default. A trusted vault must meet the following criteria:

  • IVault.receiveBalanceIncrease must have a known, low gas cost,

  • IVault.receiveBalanceIncrease must never revert.

Unless reveals are restricted to trusted vaults, a malicious vault that does not meet these criteria would be able to nuke (cause to fail) sweep proof transactions executed by the ECDSA wallet that include deposits routed to it. Can only be called by the Governance.

Parameters

setSpvMaintainerStatus

function setSpvMaintainerStatus(address spvMaintainer, bool isTrusted) external

Allows the Governance to mark the given address as trusted or no longer trusted SPV maintainer. Addresses are not trusted as SPV maintainers by default.

The SPV proof does not check whether the transaction is part of the Bitcoin mainnet; it only checks whether the transaction has been mined with the required amount of work, as on Bitcoin mainnet. The possibility of submitting SPV proofs is limited to trusted SPV maintainers. The system expects transaction confirmations with the required work accumulated, so trusted SPV maintainers cannot prove a transaction without providing the required Bitcoin proof of work. Trusted maintainers address the issue of an economic game between tBTC and Bitcoin mainnet in which large Bitcoin mining pools can decide to use their hash power to mine fake Bitcoin blocks and prove them in tBTC instead of receiving Bitcoin miner rewards. Can only be called by the Governance.

Parameters

updateDepositParameters

function updateDepositParameters(uint64 depositDustThreshold, uint64 depositTreasuryFeeDivisor, uint64 depositTxMaxFee, uint32 depositRevealAheadPeriod) external

of depositTreasuryFeeDivisor and depositTxMaxFee parameters in order to make requests that can incur the treasury and transaction fee and still satisfy the depositor.

Requirements:

  • Deposit dust threshold must be greater than zero,

  • Deposit dust threshold must be greater than deposit TX max fee,

  • Deposit transaction max fee must be greater than zero.

Parameters

updateRedemptionParameters

function updateRedemptionParameters(uint64 redemptionDustThreshold, uint64 redemptionTreasuryFeeDivisor, uint64 redemptionTxMaxFee, uint64 redemptionTxMaxTotalFee, uint32 redemptionTimeout, uint96 redemptionTimeoutSlashingAmount, uint32 redemptionTimeoutNotifierRewardMultiplier) external

Updates parameters of redemptions.

Requirements:

  • Redemption dust threshold must be greater than moving funds dust threshold,

  • Redemption dust threshold must be greater than the redemption TX max fee,

  • Redemption transaction max fee must be greater than zero,

  • Redemption transaction max total fee must be greater than or equal to the redemption transaction per-request max fee,

  • Redemption timeout must be greater than zero,

  • Redemption timeout notifier reward multiplier must be in the range [0, 100].

Parameters

updateMovingFundsParameters

function updateMovingFundsParameters(uint64 movingFundsTxMaxTotalFee, uint64 movingFundsDustThreshold, uint32 movingFundsTimeoutResetDelay, uint32 movingFundsTimeout, uint96 movingFundsTimeoutSlashingAmount, uint32 movingFundsTimeoutNotifierRewardMultiplier, uint16 movingFundsCommitmentGasOffset, uint64 movedFundsSweepTxMaxTotalFee, uint32 movedFundsSweepTimeout, uint96 movedFundsSweepTimeoutSlashingAmount, uint32 movedFundsSweepTimeoutNotifierRewardMultiplier) external

Updates parameters of moving funds.

Requirements:

  • Moving funds transaction max total fee must be greater than zero,

  • Moving funds dust threshold must be greater than zero and lower than the redemption dust threshold,

  • Moving funds timeout reset delay must be greater than zero,

  • Moving funds timeout must be greater than the moving funds timeout reset delay,

  • Moving funds timeout notifier reward multiplier must be in the range [0, 100],

  • Moved funds sweep transaction max total fee must be greater than zero,

  • Moved funds sweep timeout must be greater than zero,

  • Moved funds sweep timeout notifier reward multiplier must be in the range [0, 100].

Parameters
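The requirements for updateRedemptionParameters and updateMovingFundsParameters reference each other's dust thresholds, so the order of governance calls matters. The following JavaScript dry-run is an added example, not code from the Bridge or its tooling: it checks a sequence of proposed calls against the requirements listed above. The dryRun helper, the state object and all sample values are assumptions made for illustration.

```javascript
// Added example: dry-run a sequence of governance calls against the documented
// requirements. Satoshi amounts are BigInt; helper and state names are hypothetical.
const inRange = (m) => m >= 0 && m <= 100;

// Each rule gets the proposed parameters `p` and the state `s` held before the call.
const RULES = {
  updateRedemptionParameters: (p, s) => [
    [p.redemptionDustThreshold > s.movingFundsDustThreshold, "redemption dust <= moving funds dust"],
    [p.redemptionDustThreshold > p.redemptionTxMaxFee, "redemption dust <= redemption tx max fee"],
    [p.redemptionTxMaxFee > 0n, "redemption tx max fee is zero"],
    [p.redemptionTxMaxTotalFee >= p.redemptionTxMaxFee, "max total fee < per-request max fee"],
    [p.redemptionTimeout > 0, "redemption timeout is zero"],
    [inRange(p.redemptionTimeoutNotifierRewardMultiplier), "redemption reward multiplier out of [0, 100]"],
  ],
  updateMovingFundsParameters: (p, s) => [
    [p.movingFundsTxMaxTotalFee > 0n, "moving funds max total fee is zero"],
    [p.movingFundsDustThreshold > 0n, "moving funds dust is zero"],
    [p.movingFundsDustThreshold < s.redemptionDustThreshold, "moving funds dust >= redemption dust"],
    [p.movingFundsTimeoutResetDelay > 0, "timeout reset delay is zero"],
    [p.movingFundsTimeout > p.movingFundsTimeoutResetDelay, "moving funds timeout <= reset delay"],
    [inRange(p.movingFundsTimeoutNotifierRewardMultiplier), "moving funds reward multiplier out of [0, 100]"],
    [p.movedFundsSweepTxMaxTotalFee > 0n, "moved funds sweep max total fee is zero"],
    [p.movedFundsSweepTimeout > 0, "moved funds sweep timeout is zero"],
    [inRange(p.movedFundsSweepTimeoutNotifierRewardMultiplier), "sweep reward multiplier out of [0, 100]"],
  ],
};

// Returns one entry per call with the violated requirements (empty when the call passes).
// A failing call is modelled as reverted, so it leaves the simulated state unchanged.
function dryRun(state, calls) {
  let s = { ...state };
  return calls.map(({ fn, changes }) => {
    const p = { ...s, ...changes };
    const violations = RULES[fn](p, s).filter(([ok]) => !ok).map(([, msg]) => msg);
    if (violations.length === 0) s = p;
    return { fn, violations };
  });
}

// Constructed current state for the dry-run (not the deployed values).
const current = {
  redemptionDustThreshold: 1000000n, redemptionTxMaxFee: 10000n, redemptionTxMaxTotalFee: 50000n,
  redemptionTimeout: 432000, redemptionTimeoutNotifierRewardMultiplier: 100,
  movingFundsTxMaxTotalFee: 10000n, movingFundsDustThreshold: 20000n,
  movingFundsTimeoutResetDelay: 518400, movingFundsTimeout: 604800,
  movingFundsTimeoutNotifierRewardMultiplier: 100, movedFundsSweepTxMaxTotalFee: 10000n,
  movedFundsSweepTimeout: 604800, movedFundsSweepTimeoutNotifierRewardMultiplier: 100,
};
```

With this constructed state, raising movingFundsDustThreshold to 2000000n before raising redemptionDustThreshold to 5000000n fails the moving funds requirement, while the reverse order passes both calls.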

updateWalletParameters

function updateWalletParameters(uint32 walletCreationPeriod, uint64 walletCreationMinBtcBalance, uint64 walletCreationMaxBtcBalance, uint64 walletClosureMinBtcBalance, uint32 walletMaxAge, uint64 walletMaxBtcTransfer, uint32 walletClosingPeriod) external

Requirements:

  • Wallet maximum BTC balance must be greater than the wallet minimum BTC balance,

  • Wallet maximum BTC transfer must be greater than zero,

  • Wallet closing period must be greater than zero.

updateFraudParameters

function updateFraudParameters(uint96 fraudChallengeDepositAmount, uint32 fraudChallengeDefeatTimeout, uint96 fraudSlashingAmount, uint32 fraudNotifierRewardMultiplier) external

Updates parameters related to frauds.

Requirements:

  • Fraud challenge defeat timeout must be greater than 0,

  • Fraud notifier reward multiplier must be in the range [0, 100].

Parameters

updateTreasury

function updateTreasury(address treasury) external

Updates treasury address. The treasury receives the system fees.

The treasury address must not be 0x0.

Parameters

deposits

function deposits(uint256 depositKey) external view returns (struct Deposit.DepositRequest)

Collection of all revealed deposits indexed by keccak256(fundingTxHash | fundingOutputIndex). The fundingTxHash is a bytes32 (ordered as in Bitcoin internally) and fundingOutputIndex is a uint32. This mapping may contain valid and invalid deposits, and the wallet is responsible for validating them before attempting to execute a sweep.

pendingRedemptions

function pendingRedemptions(uint256 redemptionKey) external view returns (struct Redemption.RedemptionRequest)

Collection of all pending redemption requests indexed by redemption key built as keccak256(keccak256(redeemerOutputScript) | walletPubKeyHash). The walletPubKeyHash is the 20-byte wallet's public key hash (computed using Bitcoin HASH160 over the compressed ECDSA public key) and redeemerOutputScript is a Bitcoin script (P2PKH, P2WPKH, P2SH or P2WSH) that will be used to lock redeemed BTC as requested by the redeemer. Requests are added to this mapping by the requestRedemption method (duplicates not allowed) and are removed by one of the following methods:

  • submitRedemptionProof in case the request was handled successfully,

  • notifyRedemptionTimeout in case the request was reported to be timed out.

timedOutRedemptions

function timedOutRedemptions(uint256 redemptionKey) external view returns (struct Redemption.RedemptionRequest)

Collection of all timed-out redemption requests indexed by redemption key built as keccak256(keccak256(redeemerOutputScript) | walletPubKeyHash). The walletPubKeyHash is the 20-byte wallet's public key hash (computed using Bitcoin HASH160 over the compressed ECDSA public key) and redeemerOutputScript is the Bitcoin script (P2PKH, P2WPKH, P2SH or P2WSH) that is involved in the timed-out request. Only one method can add to this mapping:

  • notifyRedemptionTimeout which puts the redemption key into this mapping based on a timed-out request stored previously in the pendingRedemptions mapping.

Only one method can remove entries from this mapping:

  • submitRedemptionProof in case the timed-out redemption request was a part of the proven transaction.

spentMainUTXOs

function spentMainUTXOs(uint256 utxoKey) external view returns (bool)

Collection of main UTXOs that are honestly spent indexed by keccak256(fundingTxHash | fundingOutputIndex). The fundingTxHash is a bytes32 (ordered as in Bitcoin internally) and fundingOutputIndex is a uint32. A main UTXO is considered honestly spent if it was used as an input of a transaction that has been proven in the Bridge.

wallets

function wallets(bytes20 walletPubKeyHash) external view returns (struct Wallets.Wallet)

Gets details about a registered wallet.

Parameters

Return Values

activeWalletPubKeyHash

function activeWalletPubKeyHash() external view returns (bytes20)

Gets the public key hash of the active wallet.

Return Values

liveWalletsCount

function liveWalletsCount() external view returns (uint32)

Gets the live wallets count.

Return Values

fraudChallenges

function fraudChallenges(uint256 challengeKey) external view returns (struct Fraud.FraudChallenge)

Returns the fraud challenge identified by the given key built as keccak256(walletPublicKey|sighash).

movedFundsSweepRequests

function movedFundsSweepRequests(uint256 requestKey) external view returns (struct MovingFunds.MovedFundsSweepRequest)

Collection of all moved funds sweep requests indexed by keccak256(movingFundsTxHash | movingFundsOutputIndex). The movingFundsTxHash is a bytes32 (ordered as in Bitcoin internally) and movingFundsOutputIndex is a uint32. Each entry is actually a UTXO representing the moved funds and is supposed to be swept with the current main UTXO of the recipient wallet.

Parameters

Return Values

isVaultTrusted

function isVaultTrusted(address vault) external view returns (bool)

Indicates if the vault with the given address is trusted or not. Depositors can route their revealed deposits only to trusted vaults and have trusted vaults notified about new deposits as soon as these deposits get swept. Vaults not trusted by the Bridge can still be used by Bank balance owners at their own responsibility: anyone can approve their Bank balance to any address.

depositParameters

function depositParameters() external view returns (uint64 depositDustThreshold, uint64 depositTreasuryFeeDivisor, uint64 depositTxMaxFee, uint32 depositRevealAheadPeriod)

Returns the current values of Bridge deposit parameters.

Return Values

redemptionParameters

function redemptionParameters() external view returns (uint64 redemptionDustThreshold, uint64 redemptionTreasuryFeeDivisor, uint64 redemptionTxMaxFee, uint64 redemptionTxMaxTotalFee, uint32 redemptionTimeout, uint96 redemptionTimeoutSlashingAmount, uint32 redemptionTimeoutNotifierRewardMultiplier)

Returns the current values of Bridge redemption parameters.

Return Values

movingFundsParameters

function movingFundsParameters() external view returns (uint64 movingFundsTxMaxTotalFee, uint64 movingFundsDustThreshold, uint32 movingFundsTimeoutResetDelay, uint32 movingFundsTimeout, uint96 movingFundsTimeoutSlashingAmount, uint32 movingFundsTimeoutNotifierRewardMultiplier, uint16 movingFundsCommitmentGasOffset, uint64 movedFundsSweepTxMaxTotalFee, uint32 movedFundsSweepTimeout, uint96 movedFundsSweepTimeoutSlashingAmount, uint32 movedFundsSweepTimeoutNotifierRewardMultiplier)

Returns the current values of the Bridge parameters for moving funds between wallets.

Return Values

walletParameters

function walletParameters() external view returns (uint32 walletCreationPeriod, uint64 walletCreationMinBtcBalance, uint64 walletCreationMaxBtcBalance, uint64 walletClosureMinBtcBalance, uint32 walletMaxAge, uint64 walletMaxBtcTransfer, uint32 walletClosingPeriod)

Return Values

fraudParameters

function fraudParameters() external view returns (uint96 fraudChallengeDepositAmount, uint32 fraudChallengeDefeatTimeout, uint96 fraudSlashingAmount, uint32 fraudNotifierRewardMultiplier)

Returns the current values of Bridge fraud parameters.

Return Values

contractReferences

function contractReferences() external view returns (contract Bank bank, contract IRelay relay, contract IWalletRegistry ecdsaWalletRegistry, contract ReimbursementPool reimbursementPool)

Returns the addresses of contracts Bridge is interacting with.

Return Values

treasury

function treasury() external view returns (address)

Address where the deposit treasury fees will be sent to. Treasury takes part in the operators rewarding process.

txProofDifficultyFactor

function txProofDifficultyFactor() external view returns (uint256)

The number of confirmations on the Bitcoin chain required to successfully evaluate an SPV proof.
