sui: `disable_transceiver` could remove the last transceiver

[johnsaigle]

disable_transceiver should revert if there is only one remaining transceiver. Otherwise, an admin could accidentally remove the last one, which would disable the protocol.

native-token-transfers/sui/packages/ntt/sources/state.move

Lines 284 to 295 in e06ef71

	public fun disable_transceiver<T>(self: &mut State<T>, _: &AdminCap, id: u8) {
	self.transceivers.disable_transceiver(id);
	// After disabling a transceiver, check if the threshold needs to be reduced
	// to ensure it doesn't exceed the number of enabled transceivers
	let enabled_count = self.transceivers.get_enabled_transceivers().count_ones();
	if (enabled_count < self.threshold) {
	self.threshold = enabled_count;
	};
	check_threshold_invariants(self);
	}

native-token-transfers/sui/packages/ntt/sources/state.move

Lines 351 to 364 in e06ef71

	/// Check threshold invariants to ensure consistency
	fun check_threshold_invariants<T>(state: &State<T>) {
	let threshold = state.threshold;
	let enabled_count = state.transceivers.get_enabled_transceivers().count_ones();
	// Invariant: threshold <= enabled transceivers count
	assert!(threshold <= enabled_count, EThresholdTooHigh);
	// If there are enabled transceivers, threshold must be > 0
	// (If all transceivers are disabled, threshold can be 0)
	if (enabled_count > 0) {
	assert!(threshold > 0, EZeroThreshold);
	}
	}

See also

• svm: deregister_transceiver could remove the last transceiver #692
• https://github.com/wormhole-foundation/native-token-transfers/blob/e06ef718b79414b1144ef0ba9d27b73aad9e31c1/docs/INVARIANTS.md#inv-025-minimum-transceiver-requirement