|
208 | 208 | - **Enforcement**: Assertions on transceiver management code paths |
209 | 209 | - **Code Reference**: `TransceiverRegistry.sol` (EVM) |
210 | 210 |
|
211 | | -### INV-023: Attestation Threshold Bounds |
| 211 | +### INV-023: Minimum and Maximum Threshold Bounds |
212 | 212 |
|
213 | | -- **Invariant**: `threshold <= number_of_enabled_transceivers && threshold > 0` |
| 213 | +- **Invariant**: Threshold must be 1) greater than zero and 2) less than or equal to the number of enabled transceivers |
214 | 214 | - **Description**: Attestation threshold must not exceed available transceivers and must be positive |
215 | 215 | - **Enforcement**: Explicit bounds checking in threshold setting functions |
216 | | -- **Error Codes**: `ThresholdTooHigh`, `ZeroThreshold` (EVM/Solana), **MISSING VALIDATION** (Sui) |
| 216 | +- **Error Codes**: `ThresholdTooHigh`, `ZeroThreshold` (EVM/Solana) |
217 | 217 | - **Code Reference**: `_checkThresholdInvariants()` (EVM), error enforcement (Solana), `EThresholdTooHigh` (Sui) |
218 | 218 |
|
219 | | -### INV-024: Non-Zero Threshold Requirement |
220 | | - |
221 | | -- **Invariant**: Threshold must be greater than zero (after initial deployment) |
222 | | -- **Description**: Prevents configuration where messages cannot be approved due to zero threshold |
223 | | -- **Enforcement**: Zero threshold validation when transceivers exist |
224 | | -- **Error Codes**: `ZeroThreshold` (EVM/Solana), `EZeroThreshold` (Sui) |
225 | | -- **Code Reference**: `if (numTransceivers.registered > 0 && threshold == 0) revert ZeroThreshold();` |
226 | | - |
227 | | -### INV-025: Minimum Transceiver Requirement |
| 219 | +### INV-024: Minimum Transceiver Requirement |
228 | 220 |
|
229 | 221 | - **Invariant**: At least one transceiver must be enabled for operations (after initial deployment) |
230 | 222 | - **Description**: Prevents operations when no transceivers are available to process messages |
231 | 223 | - **Enforcement**: Enabled transceiver count validation before operations |
232 | 224 | - **Error Codes**: `NoEnabledTransceivers` (EVM), `NoRegisteredTransceivers` (Solana) |
233 | 225 |
|
234 | | -### INV-026: Transceiver Registration Requirement |
| 226 | +### INV-025: Transceiver Registration Requirement |
235 | 227 |
|
236 | 228 | - **Invariant**: A transceiver cannot be unregistered and its index must not change |
237 | 229 | - **Description**: Transceivers should never be truly deleted, only disabled. This preserves their index into the bitmap which is crucial for attestation. |
238 | 230 | - **Enforcement**: Assertions on transceiver management code paths |
239 | 231 |
|
240 | | -### INV-027: Transceiver Registration Requirement |
| 232 | +### INV-026: Transceiver index should always increase |
241 | 233 |
|
242 | 234 | - **Invariant**: The next transceiver index must always increase monotically |
243 | 235 | - **Description**: The next transceiver index should always go up by one. This guarantees uniqueness of indices into the bitmap which is crucial for attestation. |
244 | 236 | - **Enforcement**: Assertions on transceiver management code paths |
245 | 237 |
|
246 | 238 | ## Timing and Release Controls |
247 | 239 |
|
248 | | -### INV-028: Release Timing Validation |
| 240 | +### INV-027: Release Timing Validation |
249 | 241 |
|
250 | 242 | - **Invariant**: Transfers can only be released after rate limit delay expires |
251 | 243 | - **Description**: Enforces time-based delays for rate-limited transfers |
252 | 244 | - **Enforcement**: Timestamp validation before transfer release |
253 | 245 | - **Error Codes**: `CantReleaseYet` (Solana), `ECantReleaseYet` (Sui) |
254 | 246 | - **Code Reference**: Rate limiter queue system with timestamp checks, `try_release()` functions |
255 | 247 |
|
256 | | -### INV-029: Transfer Redemption Controls |
| 248 | +### INV-028: Transfer Redemption Controls |
257 | 249 |
|
258 | 250 | - **Invariant**: Transfers must be properly approved and not already redeemed before processing |
259 | 251 | - **Description**: Prevents unauthorized or duplicate transfer redemptions |
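Review bot: Merging INV-024 into INV-023 (lines 211-225) drops the "(after initial deployment)" qualifier and the code reference `if (numTransceivers.registered > 0 && threshold == 0) revert ZeroThreshold();`, which documented that a zero threshold is rejected only once a transceiver is registered; the new invariant text "Threshold must be 1) greater than zero ..." states the check unconditionally, so either restore the qualifier in the Description or keep the code reference so the condition stays visible. The Error Codes line at 216 now lists only EVM/Solana errors while the Code Reference at 217 still names `EThresholdTooHigh` (Sui), and the deleted INV-024 was the only place `EZeroThreshold` (Sui) was documented; if the **MISSING VALIDATION** (Sui) marker was removed because Sui now enforces the bound, list `EThresholdTooHigh`, `EZeroThreshold` (Sui) on line 216, otherwise the removal hides a known gap rather than closing it. Replacing the formal expression `threshold <= number_of_enabled_transceivers && threshold > 0` with prose on line 213 also loses the precise bound; keeping both forms would read best. Since INV-025 through INV-029 are renumbered, any cross-references to the old identifiers elsewhere in the repository need updating, and the unchanged "monotically" on line 234 should read "monotonically".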
|
263 | 255 |
|
264 | 256 | ## Message Size Constraints |
265 | 257 |
|
266 | | -### INV-030: Payload Length Limitation |
| 258 | +### INV-029: Payload Length Limitation |
267 | 259 |
|
268 | 260 | - **Invariant**: NttManagerMessages and AdditionalPayloads must not exceed uint16 in size |
269 | 261 | - **Description**: Prevents unbounded message sizes that could cause processing issues |
270 | 262 | - **Enforcement**: Assertions in encoding logic |
271 | 263 | - **Error Codes**: `PayloadTooLong` (EVM) |
272 | 264 | - **Code Reference**: `TransceiverStructs.sol` (EVM), implementation of `Writable` trait for `NativeTokenTransfer` (Solana) |
273 | 265 |
|
274 | | -### INV-031: Transceiver Instruction Length Limitation |
| 266 | +### INV-030: Transceiver Instruction Length Limitation |
275 | 267 |
|
276 | 268 | - **Invariant**: Individual transceiver instruction payloads must not exceed uint8 in size |
277 | 269 | - **Description**: Prevents unbounded message sizes that could cause processing issues |
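Review bot: The renumbering INV-030 to INV-029 and INV-031 to INV-030 at lines 258 and 266 is consistent with the shift in the earlier section, but external references to the old identifiers (audit findings, issues, other docs) will now point at the wrong invariant; a one-line old-to-new mapping in the commit message or the document header would help. Also visible in this hunk: the Description on line 269 is a verbatim copy of line 261, so the instruction-length invariant reads as if it guarded the same failure as the payload-length one; differentiate it, and "must not exceed uint8 in size" / "uint16 in size" on lines 260 and 268 would be clearer as "encoded length must fit in a uint8 / uint16".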
|