feat: don't process sanctioned BTC and SUI address

Signed-off-by: Ravindra Meena <rmeena840@gmail.com>

Author: rmeena840

packages/btcindexer/db/migrations/0001_initial_schema.sql

@@ -124,3 +124,11 @@ CREATE TABLE IF NOT EXISTS presign_objects (
 ) STRICT;
 
 CREATE INDEX IF NOT EXISTS presign_objects_sui_network_created_at ON presign_objects(sui_network, created_at);
+
+CREATE TABLE IF NOT EXISTS SanctionedCryptoAddresses (
+    wallet_address VARCHAR(255) PRIMARY KEY,
+    address_type VARCHAR(3) NOT NULL,
+    CONSTRAINT chk_address_type CHECK (address_type IN ('BTC', 'SUI'))
+);
+
+CREATE INDEX idx_type ON SanctionedCryptoAddresses(address_type);

packages/btcindexer/src/btcindexer.ts

@@ -34,20 +34,13 @@ import type {
 	NbtcPkgCfg,
 	NbtcDepositAddrsMap,
 } from "./models";
-import { MintTxStatus, InsertBlockStatus } from "./models";
+import { MintTxStatus, InsertBlockStatus, btcNetworkCfg } from "./models";
 import type { Electrs } from "./electrs";
 import { ElectrsService, ELECTRS_URLS_BY_NETWORK } from "./electrs";
 import { fetchNbtcAddresses, fetchPackageConfigs, type Storage } from "./storage";
 import { CFStorage } from "./cf-storage";
 import type { PutNbtcTxResponse } from "./rpc-interface";
 
-const btcNetworkCfg: Record<BtcNet, Network> = {
-	[BtcNet.MAINNET]: networks.bitcoin,
-	[BtcNet.TESTNET]: networks.testnet,
-	[BtcNet.REGTEST]: networks.regtest,
-	[BtcNet.SIGNET]: networks.testnet,
-};
-
 interface ConfirmingTxCandidate<T> {
 	id: string | number;
 	blockHeight: number;
@@ -76,7 +69,7 @@ export async function indexerFromEnv(env: Env): Promise<Indexer> {
 	const suiClients = new Map<SuiNet, SuiClient>();
 	for (const p of packageConfigs) {
 		if (!suiClients.has(p.sui_network))
-			suiClients.set(p.sui_network, new SuiClient(p, mnemonic));
+			suiClients.set(p.sui_network, new SuiClient(p, mnemonic, env.DB));
 	}
 
 	const electrsClients = new Map<BtcNet, ElectrsService>();

packages/btcindexer/src/index.ts

@@ -11,6 +11,7 @@ import { logError, logger } from "@gonative-cc/lib/logger";
 import HttpRouter from "./router";
 import { type BlockQueueRecord } from "@gonative-cc/lib/nbtc";
 import { processBlockBatch } from "./queue-handler";
+import { processSanctionedAddress } from "./sanction";
 
 // Export RPC entrypoints for service bindings
 export { RPC } from "./rpc";
@@ -73,12 +74,25 @@ export default {
 
 	// the scheduled handler is invoked at the interval set in our wrangler.jsonc's
 	// [[triggers]] configuration.
-	async scheduled(_event: ScheduledController, env: Env, _ctx): Promise<void> {
+	async scheduled(event: ScheduledController, env: Env, _ctx): Promise<void> {
 		logger.debug({ msg: "Cron job starting" });
 		try {
-			const indexer = await indexerFromEnv(env);
-			await indexer.updateConfirmationsAndFinalize();
-			await indexer.processFinalizedTransactions();
+			const trigger = event.cron;
+			switch (trigger) {
+				case "0 1 * * *":
+					await processSanctionedAddress(env);
+					break;
+				case "* * * * *":
+					{
+						const indexer = await indexerFromEnv(env);
+						await indexer.updateConfirmationsAndFinalize();
+						await indexer.processFinalizedTransactions();
+					}
+					break;
+				default:
+					logger.info({ msg: "Unknown schedule triggered" });
+			}
+
 			logger.info({ msg: "Cron job finished successfully" });
 		} catch (e) {
 			logError({ msg: "Cron job failed", method: "scheduled" }, e);

packages/btcindexer/src/models.ts

@@ -1,4 +1,4 @@
-import { Transaction } from "bitcoinjs-lib";
+import { networks, Transaction, type Network } from "bitcoinjs-lib";
 import { BitcoinTxStatus, BtcNet, type BlockQueueRecord } from "@gonative-cc/lib/nbtc";
 import type { NbtcPkg, SuiNet } from "@gonative-cc/lib/nsui";
 
@@ -195,3 +195,10 @@ export const enum InsertBlockStatus {
 }
 
 export type InsertBlockResult = InsertBlockStatus;
+
+export const btcNetworkCfg: Record<BtcNet, Network> = {
+	[BtcNet.MAINNET]: networks.bitcoin,
+	[BtcNet.TESTNET]: networks.testnet,
+	[BtcNet.REGTEST]: networks.regtest,
+	[BtcNet.SIGNET]: networks.testnet,
+};

packages/btcindexer/src/sanction.ts

@@ -0,0 +1,108 @@
+import { logError, logger } from "@gonative-cc/lib/logger";
+import { StringDecoder } from "string_decoder";
+
+interface WalletEntity {
+	properties: {
+		currency: string[];
+		publicKey: string[];
+	};
+}
+
+interface SanctionEntity {
+	properties: {
+		cryptoWallets?: WalletEntity[];
+	};
+}
+
+const URL = "https://data.opensanctions.org/datasets/latest/us_ofac_sdn/targets.nested.json";
+
+export async function processSanctionedAddress(env: Env) {
+	try {
+		logger.debug({ msg: "Downloading and processing..." });
+
+		const response = await fetch(URL);
+		if (!response.body) throw new Error("No response body");
+
+		const btcAddresses: string[] = [];
+		const suiAddresses: string[] = [];
+		const decoder = new StringDecoder("utf8");
+		let buffer = "";
+
+		// Helper to process a single entity line
+		const processLine = (line: string) => {
+			if (!line.trim()) return;
+			const entity: SanctionEntity = JSON.parse(line);
+
+			if (entity.properties?.cryptoWallets) {
+				for (const wallet of entity.properties.cryptoWallets) {
+					const currency = wallet.properties.currency?.[0]?.toUpperCase();
+					const address = wallet.properties.publicKey?.[0];
+
+					if (!currency || !address) continue;
+
+					if (currency === "XBT") btcAddresses.push(address);
+					if (currency === "SUI") suiAddresses.push(address);
+				}
+			}
+		};
+
+		// Stream processing
+		const reader = response.body.getReader();
+
+		while (true) {
+			const { done, value } = await reader.read();
+			if (done) break;
+
+			buffer += decoder.write(Buffer.from(value));
+			const lines = buffer.split("\n");
+			buffer = lines.pop() || "";
+
+			for (const line of lines) {
+				processLine(line);
+			}
+		}
+
+		// Handle leftover buffer
+		if (buffer.trim()) processLine(buffer);
+
+		logger.debug({
+			msg: `Found ${btcAddresses.length} BTC and ${suiAddresses.length} SUI addresses.`,
+		});
+
+		// --- Database Transaction (Batch) ---
+
+		const statements: D1PreparedStatement[] = [
+			env.DB.prepare("DELETE FROM SanctionedCryptoAddresses"),
+		];
+
+		// Add BTC inserts
+		btcAddresses.forEach((addr) => {
+			statements.push(
+				env.DB.prepare(
+					"INSERT OR IGNORE INTO SanctionedCryptoAddresses (wallet_address, address_type) VALUES (?, ?)",
+				).bind(addr, "BTC"),
+			);
+		});
+
+		// Add SUI inserts
+		suiAddresses.forEach((addr) => {
+			statements.push(
+				env.DB.prepare(
+					"INSERT INTO SanctionedCryptoAddresses (wallet_address, address_type) VALUES (?, ?)",
+				).bind(addr, "SUI"),
+			);
+		});
+
+		await env.DB.batch(statements);
+
+		logger.debug({
+			msg: `"Database updated successfully.`,
+		});
+	} catch (err) {
+		const error = err as Error;
+		logError({
+			method: "processSanctionedAddress",
+			msg: error.message || "Error processing sanctioned address",
+		});
+	}
+}

packages/btcindexer/src/sui_client.ts

@@ -3,9 +3,11 @@ import { SuiClient as Client, getFullnodeUrl } from "@mysten/sui/client";
 import type { Signer } from "@mysten/sui/cryptography";
 import { Ed25519Keypair } from "@mysten/sui/keypairs/ed25519";
 import { Transaction as SuiTransaction } from "@mysten/sui/transactions";
-import type { MintBatchArg, NbtcPkgCfg, SuiTxDigest } from "./models";
+import { btcNetworkCfg, type MintBatchArg, type NbtcPkgCfg, type SuiTxDigest } from "./models";
 import { logError, logger } from "@gonative-cc/lib/logger";
 import { nBTCContractModule } from "@gonative-cc/nbtc";
+import { Transaction, payments, script } from "bitcoinjs-lib";
+import type { D1Database } from "@cloudflare/workers-types";
 
 const LC_MODULE = "light_client";
 
@@ -18,20 +20,22 @@ export interface SuiClientI {
 
 export type SuiClientConstructor = (config: NbtcPkgCfg) => SuiClientI;
 
-export function NewSuiClient(mnemonic: string): SuiClientConstructor {
-	return (config: NbtcPkgCfg) => new SuiClient(config, mnemonic);
+export function NewSuiClient(mnemonic: string, db: D1Database): SuiClientConstructor {
+	return (config: NbtcPkgCfg) => new SuiClient(config, mnemonic, db);
 }
 
 export class SuiClient implements SuiClientI {
 	private client: Client;
 	private signer: Signer;
 	private config: NbtcPkgCfg;
+	private db: D1Database;
 
-	constructor(config: NbtcPkgCfg, mnemonic: string) {
+	constructor(config: NbtcPkgCfg, mnemonic: string, db?: D1Database) {
 		this.config = config;
 		this.client = new Client({ url: getFullnodeUrl(config.sui_network) });
 		// TODO: instead of mnemonic, let's use the Signer interface in the config
 		this.signer = Ed25519Keypair.deriveKeypair(mnemonic);
+		this.db = db!;
 		logger.debug({
 			msg: "Sui Client Initialized",
 			suiSignerAddress: this.signer.getPublicKey().toSuiAddress(),
@@ -129,6 +133,17 @@ export class SuiClient implements SuiClientI {
 			const proofLittleEndian = args.proof.proofPath.map((p) => Array.from(p));
 			const txBytes = Array.from(args.tx.toBuffer());
 
+			// Extract sender address and check sanctions
+			const senderAddress = await this.extractSenderAddress(args.tx);
+			if (senderAddress && (await this.isSanctioned(senderAddress))) {
+				logger.error({
+					msg: "Sanctioned address detected, skipping mint",
+					txId: args.tx.getId(),
+					senderAddress,
+				});
+				continue;
+			}
+
 			tx.add(
 				nBTCContractModule.mint({
 					package: this.config.nbtc_pkg,
@@ -168,6 +183,58 @@ export class SuiClient implements SuiClientI {
 		return [success, result.digest];
 	}
 
+	private async extractSenderAddress(tx: Transaction): Promise<string | null> {
+		try {
+			if (tx.ins.length === 0) return null;
+
+			const firstInput = tx.ins[0];
+			const network = btcNetworkCfg[this.config.btc_network];
+
+			if (firstInput && firstInput.witness && firstInput.witness.length >= 2) {
+				const pubKey = firstInput.witness[1];
+				const { address } = payments.p2wpkh({
+					pubkey: pubKey,
+					network: network,
+				});
+				return address || null;
+			}
+
+			const scriptSig = firstInput?.script;
+			if (scriptSig && scriptSig.length >= 65) {
+				const chunks = script.decompile(scriptSig);
+				if (!chunks) return null;
+
+				const pubKey = chunks[chunks.length - 1] as Buffer;
+
+				const { address } = payments.p2pkh({
+					pubkey: pubKey,
+					network: network,
+				});
+				return address || null;
+			}
+
+			return null;
+		} catch (e) {
+			console.error("Failed to extract sender address", e);
+			return null;
+		}
+	}
+
+	private async isSanctioned(btcAddress: string): Promise<boolean> {
+		try {
+			const result = await this.db
+				.prepare(
+					"SELECT 1 FROM SanctionedCryptoAddresses WHERE wallet_address = ? AND address_type = 'BTC'",
+				)
+				.bind(btcAddress)
+				.first();
+			return result !== null;
+		} catch (e) {
+			logError({ method: "isSanctioned", msg: "Failed to check sanctions", btcAddress }, e);
+			return false;
+		}
+	}
+
 	/**
 	 * Wrapper for mintNbtcBatch that catches pre-submission errors.
 	 * Returns:

packages/btcindexer/wrangler.jsonc

@@ -12,7 +12,7 @@
   },
   "triggers": {
     // every one minute
-    "crons": ["* * * * *"],
+    "crons": ["* * * * *", "0 1 * * *"],
   },
   "compatibility_flags": ["nodejs_compat"],
   /**