Add XCM Escrow Input Settler for Polkadot Cross-Chain Intent Settlement

[KitHat]

Summary

This PR introduces InputSettlerXCMEscrow, a smart contract that extends the OIF (Open Intents Framework) to support direct XCM (Cross-Consensus Messaging) execution on Polkadot parachains. When a user's intent can be fully satisfied through XCM teleport, the contract bypasses the standard escrow flow and executes the transfer immediately via the XCM precompile.

Features

Core Contract (InputSettlerXCMEscrow.sol)

• Composite Pattern: Wraps the original InputSettlerEscrow from the OIF framework, providing seamless fallback for non-XCM scenarios
• XCM Path Detection: Automatically determines if an order can be executed via XCM by checking:
  • All output destinations and tokens are whitelisted for teleport
  • Chain IDs fit within uint32 (Polkadot parachain limitation)
  • Amounts fit within uint128 (XCM amount limitation)
  • Input amounts cover all required output amounts per token
• XCM Message Construction: Uses Cisco's library (ILibrary.teleport) to construct properly formatted XCM messages
• XCM Execution: Executes XCM messages through the AssetHub precompile (IXcm.execute)
• Whitelist Management: Owner-controlled allowlist for token/destination pairs via allowTeleport() and forbidTeleport()
• Graceful Fallback: Non-XCM-eligible orders seamlessly fall back to standard escrow flow

Flow Behavior

Flow	Behavior
open()	XCM execution when eligible, otherwise delegates to baseSettler
openFor()	Delegates to baseSettler (XCM path TODO)
finalise()	Delegates to baseSettler
finaliseWithSignature()	Delegates to baseSettler
purchaseOrder()	Delegates to baseSettler
orderIdentifier()	Delegates to baseSettler

Implementation Details

Token Handling

• XCM Path: Collects only the output amounts (users keep excess input tokens)
• Escrow Path: Collects full input amounts (standard escrow behavior)

Interfaces Added

• IXcm.sol: Interface for Polkadot's XCM precompile with execute(), send(), and weighMessage() functions
• ILibrary.sol: Interface for XCM message construction library

Testing

Comprehensive test suite (InputSettlerXCMEscrow.test.js) with 28 test cases covering:

• ✅ Deployment and ownership verification
• ✅ Whitelist management (allowTeleport/forbidTeleport)
• ✅ XCM availability detection for various conditions
• ✅ XCM execution with proper event emission
• ✅ Fallback to base settler when XCM unavailable
• ✅ Token collection logic (XCM vs escrow paths)
• ✅ Input/output amount validation and aggregation
• ✅ Multiple outputs to different destinations
• ✅ Edge cases (empty arrays, zero addresses, overflow protection)
• ✅ Transaction atomicity (revert on XCM failure preserves user funds)

Files Changed

File	Description
contracts/InputSettlerXCMEscrow.sol	Main contract implementation
contracts/interfaces/IXcm.sol	XCM precompile interface
contracts/interfaces/ILibrary.sol	Library interface for XCM message construction
contracts/test/MockXcm.sol	Mock XCM precompile for testing
contracts/test/MockLibrary.sol	Mock library for testing
contracts/test/MockERC20.sol	Mock ERC20 token for testing
ignition/modules/InputSettlerXCMEscrow.ts	Hardhat Ignition deployment module
test/InputSettlerXCMEscrow.test.js	Test suite

Security Considerations

• Owner-only whitelist management prevents unauthorized token/destination combinations
• Transaction atomicity ensures user funds are safe if XCM execution fails
• uint128 amount validation prevents silent truncation in XCM messages
• Input coverage validation ensures sufficient funds before XCM execution

Future Work

• Implement XCM path for openFor() with signature validation
• Add support for non-teleport XCM operations (reserve-backed transfers)
• Gas optimization for multiple output processing

Related Issue

Closes #2

---

Summary by CodeRabbit

Release Notes

• New Features

  • Added cross-chain escrow functionality enabling transactions across supported blockchain networks
  • Introduced administrative controls to manage approved destination chains and tokens
  • Implemented automatic fallback mechanism for standard processing when cross-chain paths are unavailable
  • Enhanced token safety with automatic approval management

• Tests

  • Added comprehensive test coverage for cross-chain escrow operations, validation, and edge cases

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[4meta5]

comments were questions so they are non-blocking unless a solidity expert chimes in otherwise

[bidzyyys]

@CodeRabbit review

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Introduces InputSettlerXCMEscrow contract that extends InputSettlerEscrow to enable XCM-based cross-chain token settlement. The contract manages a whitelist of allowed token-destination pairs, validates orders, collects/approves tokens, constructs and executes XCM teleport messages via precompile, then reverts approvals. Falls back to base settler for incompatible flows. Includes supporting interfaces, mock contracts for testing, deployment module, and comprehensive test suites covering admin controls, validation, edge cases, and XCM execution.

Changes

Cohort / File(s)	Summary
Core Contract Implementation contracts/InputSettlerXCMEscrow.sol	New XCM escrow contract extending InputSettlerPurchase with IInputSettlerEscrow. Implements XCM-enabled flow with token collection, approval management, validation (outputs, inputs, coverage), XCM message execution, and fallback to base settler. Includes admin controls (allowTeleport, forbidTeleport, setXCMEnabled) and domain separation for EIP712.
Interface Definitions contracts/interfaces/ILibrary.sol, contracts/interfaces/IXcm.sol	Added ILibrary interface for teleport(paraId, beneficiary, amount) function. Added IXcm interface with Weight struct and methods: execute(message, weight), send(destination, message), weighMessage(message).
Test Mock Contracts contracts/test/MockERC20.sol, contracts/test/MockLibrary.sol, contracts/test/MockXcm.sol	Added MockERC20 with mint/burn utilities. Added MockLibrary implementing ILibrary with configurable token and response payload. Added MockXcm implementing IXcm with configurable execution state and weight values.
Deployment Module ignition/modules/InputSettlerXCMEscrow.ts	Hardhat Ignition module deploying InputSettlerEscrow (baseSettler) and InputSettlerXCMEscrow with mock addresses and returning both deployed instances.
Test Helper Utilities test/helpers/inputSettlerXCMEscrowHelper.js	Centralized test scaffolding: constants (chain IDs, amounts, limits, payloads), toBytes32 helper, setupInputSettlerXCMEscrow async factory, createOrderFactory, createOutput helper.
Test Suites test/InputSettlerXCMEscrow.admin.test.js, test/InputSettlerXCMEscrow.edge-cases.test.js, test/InputSettlerXCMEscrow.validation.test.js, test/InputSettlerXCMEscrow.xcm.test.js	Comprehensive test coverage: admin functions (allowTeleport, forbidTeleport, setXCMEnabled, access control), edge cases (empty inputs/outputs, zero recipients, max tokens, amount overflow), input/output validation and aggregation logic, XCM execution paths with fallback behavior.

Sequence Diagram

sequenceDiagram
    participant User
    participant XCMEscrow as InputSettlerXCMEscrow
    participant BaseSettler as InputSettlerEscrow
    participant MockXcm as XCM Precompile
    participant MockLibrary as Teleport Library
    participant Token as ERC20 Token

    User->>XCMEscrow: open(order)
    activate XCMEscrow
    
    alt XCM Path Available
        XCMEscrow->>XCMEscrow: _checkXCMAvailable()
        XCMEscrow->>XCMEscrow: Calculate transfer amounts from outputs
        XCMEscrow->>Token: approve(address, amount)
        Token-->>XCMEscrow: Approved
        
        loop For each output
            XCMEscrow->>MockLibrary: teleport(paraId, recipient, amount)
            MockLibrary->>Token: transferFrom(user, library, amount)
            Token-->>MockLibrary: Transferred
            MockLibrary-->>XCMEscrow: teleportMessage
            
            XCMEscrow->>MockXcm: send(destination, message)
            MockXcm-->>XCMEscrow: Sent
            XCMEscrow->>XCMEscrow: emit XCMTeleportExecuted
        end
        
        XCMEscrow->>Token: approve(address, 0)
        Token-->>XCMEscrow: Revoked
        
    else XCM Not Available
        XCMEscrow->>BaseSettler: open(order)
        BaseSettler-->>User: Open flow executed
    end
    
    deactivate XCMEscrow

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

• InputSettlerXCMEscrow.sol: Dense validation logic across multiple validation paths (_checkXCMAvailable, _validateOutputsForXCM, _validateInputsForXCM, _verifyInputsCoverOutputs). Complex token collection and approval management with revocation semantics. XCM message construction and execution flow requires careful verification of state transitions.
• Token collection and approval flows: Cross-contract interactions with token contracts and XCM precompile must handle reentrancy and approval management correctly across both XCM and fallback paths.
• Test coverage adequacy: Four test suites with varying concerns (admin, validation, edge cases, XCM-specific logic). Verify that validation checks are comprehensive and edge cases properly exercise fallback behavior.
• Integration points: Review interactions between InputSettlerXCMEscrow and BaseSettler, proper delegation of non-open functions, and state consistency across paths.

Poem

🐰 Hoppy paths cross the chains so wide,
XCM tunnels, where tokens glide,
Whitelists guard with admin care,
Base settler catches those unaware—
A rabbit's escrow, both swift and fair! ✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main addition: a new XCM Escrow Input Settler contract for Polkadot cross-chain intent settlement.
Linked Issues check	✅ Passed	The PR implements all coding objectives from issue #2: composites InputSettlerEscrow, manages teleport whitelist with owner controls, constructs/executes XCM messages via ILibrary and IXcm precompile, enables XCM path only when whole intent is executable, maintains existing behavior for other flows, and includes comprehensive tests.
Out of Scope Changes check	✅ Passed	All changes are directly related to the XCM Escrow Input Settler implementation. The PR includes the core contract, supporting interfaces, test mocks, deployment module, and test suite—all necessary for delivering the linked issue requirements.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (7)

ignition/modules/InputSettlerXCMEscrow.ts (1)

8-10: Zero address default for inkLibrary may cause silent deployment failures.

While the comment notes users should provide this parameter for real networks, deploying with the zero address will result in failed XCM teleport calls at runtime. Consider adding deployment-time validation or a more explicit warning mechanism.

You could add a validation in the deployment script or emit a warning:

const inkLibrary = m.getParameter("inkLibrary", "0x0000000000000000000000000000000000000000");
// Add a comment that deployment will fail XCM calls if inkLibrary is not configured

contracts/test/MockERC20.sol (1)

1-16: LGTM for test purposes.

The mock is appropriate for testing. The public mint/burn functions without access control are acceptable for a test-only contract.

Minor note: This uses pragma ^0.8.20 while other new contracts use ^0.8.28 or ^0.8.26. Consider aligning pragma versions for consistency across the codebase.

test/InputSettlerXCMEscrow.admin.test.js (1)

61-71: Consider adding access control test for forbidTeleport.

The allowTeleport function has an access control test (lines 51-58), but forbidTeleport lacks one. For completeness, consider adding a test verifying that non-owners cannot call forbidTeleport.

it("Should revert if forbidTeleport not called by owner", async function () {
    const tokenAddress = await token.getAddress();
    await inputSettlerXCMEscrow.allowTeleport(DESTINATION_CHAIN_ID, tokenAddress);
    
    await expect(
        inputSettlerXCMEscrow.connect(user).forbidTeleport(DESTINATION_CHAIN_ID, tokenAddress)
    ).to.be.revertedWithCustomError(inputSettlerXCMEscrow, "OwnableUnauthorizedAccount")
        .withArgs(user.address);
});

test/InputSettlerXCMEscrow.xcm.test.js (1)

47-59: Minor: to.be.emit vs to.emit syntax.

Line 57-58 uses .to.be.emit(baseSettler, "Open") while other tests use .to.emit(...). Both syntaxes work in Chai, but for consistency with the rest of the test suite (e.g., line 68), consider using .to.emit(...).

-            await expect(inputSettlerXCMEscrow.connect(user).open(order))
-                .to.be.emit(baseSettler, "Open");
+            await expect(inputSettlerXCMEscrow.connect(user).open(order))
+                .to.emit(baseSettler, "Open");

contracts/test/MockLibrary.sol (1)

22-33: Mock burn behavior may not match how approvals are wired in the XCM path

teleport pulls tokens from msg.sender using safeTransferFrom, which requires msg.sender (the XCM escrow contract) to approve this mock as spender. In the XCM path, _collectAndApproveTokens approves the XCM precompile, not the inkLibrary / MockLibrary, so this mock transfer will revert if tokenAddress is set and the function is actually exercised.

If the intent is only to simulate message construction and an event, you can either:

• Keep tokenAddress at address(0) in tests, or
• Adjust the mock to not rely on ERC20 allowances (e.g., just emit TeleportCalled and return teleportMessage), or
• Change the XCM path setup in tests to also approve MockLibrary if you want to assert token “burning”.

Please double‑check how this is used in the tests and whether you actually need the safeTransferFrom here.

contracts/InputSettlerXCMEscrow.sol (2)

94-107: Verify escrow fallback token flow matches InputSettlerEscrow.open expectations

In the non‑XCM branch, you:

• Pre‑collect tokens from msg.sender into this contract and approve baseSettler, then
• Call InputSettlerEscrow(baseSettler).open(order).

This assumes that InputSettlerEscrow.open will pull funds from msg.sender (the XCM escrow wrapper) using allowances, not directly from order.user, and that there’s no additional expectation about balances or allowances on the original user.

If InputSettlerEscrow.open instead:

• Pulls directly from order.user, or
• Relies on allowances from order.user to baseSettler,

then this pre‑collection/approval pattern could be redundant or even break flows.

Please double‑check the base settler’s implementation and ensure:

• Its notion of “payer” matches this wrapper’s behavior, and
• There’s no path where inputs are unintentionally collected twice or from the wrong address.

---

197-244: Coverage check logic is correct but slightly more complex than necessary

_verifyInputsCoverOutputs correctly aggregates required output amounts per token and subtracts available inputs, then verifies that all requirements are fully covered. The approach is O(n²) due to the linear scan in _findInArray, but given expected order sizes that’s acceptable.

If you want to simplify a bit without changing behavior, you could replace the manual overflow check:

uint256 newAmount = tempOutputAmounts[idx] + amount;
require(newAmount >= tempOutputAmounts[idx], "Output amount overflow");

with just the assignment, since Solidity 0.8+ already reverts on overflow:

uint256 newAmount = tempOutputAmounts[idx] + amount;

This is optional and only reduces redundant checks.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98fda55 and 59f908a.

📒 Files selected for processing (12)

• contracts/InputSettlerXCMEscrow.sol (1 hunks)
• contracts/interfaces/ILibrary.sol (1 hunks)
• contracts/interfaces/IXcm.sol (1 hunks)
• contracts/test/MockERC20.sol (1 hunks)
• contracts/test/MockLibrary.sol (1 hunks)
• contracts/test/MockXcm.sol (1 hunks)
• ignition/modules/InputSettlerXCMEscrow.ts (1 hunks)
• test/InputSettlerXCMEscrow.admin.test.js (1 hunks)
• test/InputSettlerXCMEscrow.edge-cases.test.js (1 hunks)
• test/InputSettlerXCMEscrow.validation.test.js (1 hunks)
• test/InputSettlerXCMEscrow.xcm.test.js (1 hunks)
• test/helpers/inputSettlerXCMEscrowHelper.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

test/InputSettlerXCMEscrow.edge-cases.test.js (1)

test/helpers/inputSettlerXCMEscrowHelper.js (8)

• inputSettlerXCMEscrow (72-78)
• token (81-81)
• STANDARD_AMOUNT (19-19)
• DESTINATION_CHAIN_ID (8-8)
• ZERO_BYTES32 (37-37)
• MOCK_XCM_MESSAGE_BYTES (32-32)
• MAX_TOKENS_TEST_COUNT (41-41)
• INITIAL_TOKEN_BALANCE (18-18)

test/helpers/inputSettlerXCMEscrowHelper.js (4)

test/InputSettlerXCMEscrow.admin.test.js (5)

• require (1-1)
• require (2-2)
• require (3-10)
• inputSettlerXCMEscrow (13-13)
• createOrder (21-21)

test/InputSettlerXCMEscrow.edge-cases.test.js (5)

• require (1-1)
• require (2-2)
• require (3-14)
• inputSettlerXCMEscrow (17-17)
• createOrder (25-25)

test/InputSettlerXCMEscrow.validation.test.js (5)

• require (1-1)
• require (2-2)
• require (3-16)
• inputSettlerXCMEscrow (19-19)
• createOrder (27-27)

test/InputSettlerXCMEscrow.xcm.test.js (5)

• require (1-1)
• require (2-2)
• require (3-21)
• inputSettlerXCMEscrow (24-24)
• createOrder (32-32)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: test

🔇 Additional comments (15)

contracts/interfaces/ILibrary.sol (1)

1-10: LGTM!

The interface is clean and minimal. The parameter types (uint32, bytes32, uint128) align well with XCM/Polkadot conventions where chain IDs are 32-bit, beneficiaries are 32-byte account IDs, and amounts are 128-bit.

ignition/modules/InputSettlerXCMEscrow.ts (1)

12-24: LGTM!

The deployment module correctly chains the base settler deployment with the XCM settler, passing the required constructor arguments. Returning both contracts enables proper access for subsequent configuration.

test/InputSettlerXCMEscrow.admin.test.js (1)

74-97: Approval amount exceeds required amount—intentional?

At line 80, the approval uses DOUBLE_AMOUNT while the default order uses STANDARD_AMOUNT. This works but may be intentional to test that excess approval doesn't cause issues. If so, consider adding a comment clarifying this is deliberate testing of over-approval scenarios.

test/InputSettlerXCMEscrow.edge-cases.test.js (2)

114-142: Verify near-overflow test arithmetic.

The test computes totalAmount - ethers.parseEther(INITIAL_TOKEN_BALANCE) at line 122. This assumes the user already has INITIAL_TOKEN_BALANCE minted (likely in setupInputSettlerXCMEscrow). The arithmetic is correct for testing uint256 boundaries.

However, note that halfAmount = totalAmount / BigInt("2") at line 124 will truncate for odd values. Since totalAmount is (2^256 - 1) which is odd, the two halfAmount outputs will sum to totalAmount - 1, not totalAmount. This means the test is actually testing input > sum(outputs) scenario rather than exact match. This is fine but may not match the comment's intent at line 118.

---

40-62: Good boundary testing for empty arrays.

These tests appropriately verify that the contract handles empty inputs and outputs gracefully without reverting unexpectedly. The comment clarifies that empty inputs trigger the fallback path.

test/InputSettlerXCMEscrow.validation.test.js (3)

178-201: Fallback test logic depends on amount constant values.

The comment at line 198 states "Total outputs = 160, input = 150". This expects LARGE_AMOUNT < 2 * MEDIUM_AMOUNT. If LARGE_AMOUNT = "150" and MEDIUM_AMOUNT = "80", then 150 < 160, which triggers fallback correctly. The test logic is sound assuming these values.

---

204-231: LGTM!

Good test coverage for multiple outputs to different destinations with proper event assertions.

---

151-176: Amount constants match test comments accurately.

The constants are correctly defined:

• MEDIUM_AMOUNT = "80" → Two outputs of 80 each = 160 total
• DOUBLE_AMOUNT = "200" → Input amount

The comment at line 173 stating "Total outputs = 160, input = 200" is correct and the test properly validates the aggregation scenario.

contracts/interfaces/IXcm.sol (1)

1-41: LGTM!

Well-documented interface that accurately reflects the Polkadot XCM precompile. The Weight struct properly models the two-dimensional weight system (ref_time, proof_size), and the NatSpec documentation with links to Polkadot docs is helpful for developers.

test/InputSettlerXCMEscrow.xcm.test.js (4)

146-164: Good atomicity testing.

This test properly verifies that when the XCM precompile fails, the entire transaction reverts and user funds remain safe. This is critical for security.

---

167-181: Appropriate use of describe.skip for unimplemented feature.

The openFor XCM path is marked as TODO per PR objectives. Using describe.skip keeps the test structure in place for future implementation while clearly indicating it's not yet active.

---

183-271: Thorough token collection semantics testing.

These tests properly verify the key behavioral difference between XCM and baseSettler paths:

• XCM path: collects only output amounts (excess stays with user)
• BaseSettler path: collects full input amounts

This is important for users to understand the economic implications of each path.

---

273-296: Good allowance verification.

Verifying that XCM path approves xcmPrecompile and not baseSettler ensures the correct contract receives spending approval. The post-execution check that both allowances are zero confirms proper cleanup.

contracts/test/MockXcm.sol (1)

6-41: Mock XCM precompile behavior looks appropriate for testing

The mock cleanly separates execute, send, and weighMessage, with configurable success and weight and clear events. This is sufficient and easy to reason about for unit tests.

test/helpers/inputSettlerXCMEscrowHelper.js (1)

29-33: Based on my verification, I found that MOCK_XCM_MESSAGE_BYTES is always wrapped with ethers.toUtf8Bytes() before being passed to contract calls across all test files (InputSettlerXCMEscrow.xcm.test.js, InputSettlerXCMEscrow.validation.test.js, and InputSettlerXCMEscrow.edge-cases.test.js).

Since ethers.toUtf8Bytes() interprets its input as a plain UTF-8 string (not hex), the value "0xmsg" is intentionally treated as literal text. The presence of "g" is not problematic—it's simply part of the string being converted to bytes. The original review comment's concern about invalid hex rejection does not apply here.

The constant value and its usage are correct and consistent.

Likely an incorrect or invalid review comment.

[bidzyyys]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[bidzyyys]

First pass

[bidzyyys]

Looks much better!
Can you investigate this comment: https://github.com/OpenZeppelin/openzeppelin-polkadot-xcm/pull/7/files#r2565488382

[bidzyyys]

Looks good to me.