@across-protocol/contracts 5.0.11-alpha.4 → 5.0.12-alpha.1

package/contracts/external/interfaces/CCTPInterfaces.sol

@@ -58,6 +58,14 @@ interface ITokenMessenger {
 }
 
 interface ITokenMessengerV2 {
+    /**
+     * @notice Minter responsible for minting and burning tokens on the local domain.
+     * Used on destination to prove that a received message would mint via the expected
+     * TokenMinter, and to resolve the local token that corresponds to a remote burnToken.
+     * https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/v2/TokenMessengerV2.sol
+     */
+    function localMinter() external view returns (ITokenMinter minter);
+
     // Source: https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/v2/TokenMessengerV2.sol#L138C1-L166C15
     /**
      * @notice Deposits and burns tokens from sender to be minted on destination domain.
@@ -139,6 +147,16 @@ interface ITokenMinter {
      * @return burnLimit maximum burn amount per message for token
      */
     function burnLimitsPerMessage(address token) external view returns (uint256);
+
+    /**
+     * @notice Returns the local token that is associated with the given remote burnToken on `remoteDomain`.
+     * Returns address(0) when no link has been configured.
+     * https://github.com/circlefin/evm-cctp-contracts/blob/63ab1f0ac06ce0793c0bbfbb8d09816bc211386d/src/TokenMinter.sol#L155
+     * @param remoteDomain CCTP source domain
+     * @param remoteToken burnToken (as bytes32) on the remote domain
+     * @return localToken the locally-minted token, or address(0) if the pair is not linked
+     */
+    function getLocalToken(uint32 remoteDomain, bytes32 remoteToken) external view returns (address localToken);
 }
 
 /**

package/contracts/handlers/MulticallHandler.sol

@@ -10,7 +10,13 @@ import "@openzeppelin/contracts-v4/security/ReentrancyGuard.sol";
 /**
  * @title Across Multicall contract that allows a user to specify a series of calls that should be made by the handler
  * via the message field in the deposit.
- * @dev This contract makes the calls blindly. The contract will send any remaining tokens The caller should ensure that the tokens received by the handler are completely consumed.
+ * @dev This contract makes the calls blindly. The caller should ensure that the tokens received by the handler are
+ * completely consumed; otherwise leftover balances will be sent to the fallbackRecipient (when one is provided)
+ * or remain on this contract.
+ *
+ * @dev This contract is a stateless utility with no per-user accounting or admin rescue. Tokens delivered to it
+ * are expected to be consumed in the same transaction; any balances left on the contract can be claimed by any
+ * caller.
  */
 contract MulticallHandler is AcrossMessageHandler, ReentrancyGuard {
     using SafeERC20 for IERC20;

package/contracts/interfaces/SponsoredCCTPInterface.sol

@@ -24,6 +24,17 @@ interface SponsoredCCTPInterface is SponsoredExecutionModeInterface {
     // Error thrown when the CCTP message transmitter receive message fails.
     error CCTPMessageTransmitterFailed();
 
+    // Error thrown when the amount actually minted into this contract by the CCTP call does not match
+    // the `amount - feeExecuted` encoded in the message.
+    error InvalidMintedAmount();
+
+    // Error thrown when the CCTP message's top-level `recipient` is not the configured TokenMessenger.
+    error InvalidRecipient();
+
+    // Error thrown when the TokenMinter does not link the message's remote burnToken to this periphery's
+    // `baseToken` on the local domain.
+    error InvalidMintedToken();
+
     // Error thrown when direct flow destination handler is not a contract.
     error InvalidDirectHandler();
 

package/contracts/libraries/SafeTransferERC20.sol

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+
+/**
+ * @notice Mixin exposing a virtual `_safeTransfer` hook. Default implementation uses
+ *         OZ `SafeERC20.safeTransfer`. Inheritors may override to swap in alternative
+ *         ERC20 transfer semantics.
+ */
+abstract contract SafeTransferERC20 {
+    // This mixin is the only place in the codebase permitted to call `IERC20.safeTransfer`
+    // directly. Inheriting contracts restrict their own `using` directives to exclude
+    // `safeTransfer` so all transfer call sites are forced through this overridable hook.
+    using { SafeERC20.safeTransfer } for IERC20;
+
+    function _safeTransfer(address token, address to, uint256 amount) internal virtual {
+        IERC20(token).safeTransfer(to, amount);
+    }
+}

package/contracts/libraries/SponsoredCCTPQuoteLib.sol

@@ -89,6 +89,28 @@ library SponsoredCCTPQuoteLib {
         );
     }
 
+    /**
+     * @notice Reads the top-level CCTP message `recipient` (i.e. the contract MessageTransmitter delivers to,
+     * typically the TokenMessenger that performs the mint). Assumes `message` has passed length validation.
+     */
+    function extractRecipient(bytes memory message) internal pure returns (bytes32) {
+        return message.toBytes32(RECIPIENT_INDEX);
+    }
+
+    /**
+     * @notice Reads the CCTP source domain from the message header. Assumes `message` has passed length validation.
+     */
+    function extractSourceDomain(bytes memory message) internal pure returns (uint32) {
+        return message.toUint32(SOURCE_DOMAIN_INDEX);
+    }
+
+    /**
+     * @notice Reads the burnToken (as bytes32) from the burn message body. Assumes `message` has passed length validation.
+     */
+    function extractBurnToken(bytes memory message) internal pure returns (bytes32) {
+        return message.toBytes32(MESSAGE_BODY_INDEX + BURN_TOKEN_INDEX);
+    }
+
     /**
      * @notice Validates the message that is received from CCTP. If this checks fails, then the quote on source chain was invalid
      * and we are unable to retrieve user's address to send the funds to. In that case the funds will stay in this contract.

package/contracts/libraries/TronTransferLib.sol

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+/**
+ * @notice Balance-delta ERC20 transfer for tokens whose `transfer` returns non-standard
+ *         values. Specifically targets Tron USDT, which returns false even on success.
+ * @dev Two-error model: `_safeTransferBalanceCheck` reverts with `TronTransferCallReverted`
+ *      if the underlying call reverts, or `TronTransferBalanceMismatch` if the call returns
+ *      but the recipient's balance does not increase by exactly `amount`. `_balanceDeltaTransfer`
+ *      is the bool-pair primitive both wrappers (revert / no-revert) share — callers needing a
+ *      collapsed bool can AND the two flags. Assumes no fee-on-transfer.
+ *
+ *      IERC20 and IERC20Upgradeable produce bytewise-identical calldata for
+ *      `transfer(address,uint256)` and `balanceOf(address)`, so this library is safe to call
+ *      from contracts using either OZ variant.
+ */
+library TronTransferLib {
+    error TronTransferCallReverted();
+    error TronTransferBalanceMismatch();
+
+    /// @dev Returns (callOk, balanceOk). callOk=false means the low-level call reverted;
+    ///      balanceOk=false means the call returned but balance did not change by exactly `amount`.
+    ///      When callOk=false, balanceOk is also false (no balance check performed).
+    function _balanceDeltaTransfer(
+        address token,
+        address to,
+        uint256 amount
+    ) internal returns (bool callOk, bool balanceOk) {
+        uint256 pre = IERC20(token).balanceOf(to);
+        (callOk, ) = token.call(abi.encodeCall(IERC20.transfer, (to, amount)));
+        if (!callOk) return (false, false);
+        balanceOk = IERC20(token).balanceOf(to) == pre + amount;
+    }
+
+    function _safeTransferBalanceCheck(address token, address to, uint256 amount) internal {
+        (bool callOk, bool balanceOk) = _balanceDeltaTransfer(token, to, amount);
+        if (!callOk) revert TronTransferCallReverted();
+        if (!balanceOk) revert TronTransferBalanceMismatch();
+    }
+}

package/contracts/periphery/SpokePoolPeriphery.sol

@@ -21,6 +21,10 @@ import { AddressToBytes32 } from "../libraries/AddressConverters.sol";
  * @title SwapProxy
  * @notice A dedicated proxy contract that isolates swap execution to mitigate frontrunning vulnerabilities.
  * The SpokePoolPeriphery transfers tokens to this contract, which performs the swap and returns tokens back to the periphery.
+ *
+ * @dev This contract is a stateless utility with no per-user accounting or admin rescue. Tokens delivered to it
+ * are expected to be consumed in the same transaction; any balances left on the contract can be claimed by any
+ * caller.
  * @custom:security-contact bugs@across.to
  */
 contract SwapProxy is ReentrancyGuard {

package/contracts/periphery/counterfactual/CounterfactualDepositSpokePool.sol

@@ -8,6 +8,7 @@ import { EIP712 } from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
 import { V3SpokePoolInterface } from "../../interfaces/V3SpokePoolInterface.sol";
 import { ICounterfactualImplementation } from "../../interfaces/ICounterfactualImplementation.sol";
 import { NATIVE_ASSET, BPS_SCALAR } from "./CounterfactualConstants.sol";
+import { SafeTransferERC20 } from "../../libraries/SafeTransferERC20.sol";
 
 /**
  * @notice Route parameters committed to in the merkle leaf.
@@ -51,8 +52,11 @@ struct SpokePoolSubmitterData {
  *      cannot sign `speedUpV3Deposit` messages.
  * @custom:security-contact bugs@across.to
  */
-contract CounterfactualDepositSpokePool is ICounterfactualImplementation, EIP712 {
-    using SafeERC20 for IERC20;
+contract CounterfactualDepositSpokePool is ICounterfactualImplementation, EIP712, SafeTransferERC20 {
+    // Restrict the `using` attachment to `forceApprove` only. All `safeTransfer` calls must go
+    // through the `_safeTransfer` hook (inherited from `SafeTransferERC20`) so chain-specific
+    // variants can override transfer semantics in one place.
+    using { SafeERC20.forceApprove } for IERC20;
 
     uint256 internal constant EXCHANGE_RATE_SCALAR = 1e18;
 
@@ -152,7 +156,7 @@ contract CounterfactualDepositSpokePool is ICounterfactualImplementation, EIP712
                 (bool success, ) = sd.executionFeeRecipient.call{ value: dp.executionFee }("");
                 if (!success) revert NativeTransferFailed();
             } else {
-                IERC20(inputToken).safeTransfer(sd.executionFeeRecipient, dp.executionFee);
+                _safeTransfer(inputToken, sd.executionFeeRecipient, dp.executionFee);
             }
         }
 

package/contracts/periphery/counterfactual/CounterfactualDepositSpokePoolTr.sol

@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { CounterfactualDepositSpokePool } from "./CounterfactualDepositSpokePool.sol";
+import { TronTransferLib } from "../../libraries/TronTransferLib.sol";
+
+/**
+ * @title CounterfactualDepositSpokePoolTr
+ * @notice Tron-specific variant of `CounterfactualDepositSpokePool` for chains where the
+ *         input token may be Tron USDT (whose `transfer` returns false on success).
+ * @dev Inherits everything from the mainline implementation and overrides the
+ *      `_safeTransfer` hook to use a balance-delta success check that tolerates
+ *      Tron USDT's non-standard return value. `forceApprove` is unaffected — `approve`
+ *      returns true correctly on Tron USDT.
+ *
+ *      The EIP-712 domain name is inherited from the parent (`CounterfactualDepositSpokePool`).
+ *      Cross-implementation signature replay is already prevented by the `verifyingContract`
+ *      field of the EIP-712 domain: each clone's address is derived via CREATE2 from its
+ *      implementation address, so a signature for a mainline clone does not verify against
+ *      a Tron-variant clone.
+ * @custom:security-contact bugs@across.to
+ */
+contract CounterfactualDepositSpokePoolTr is CounterfactualDepositSpokePool {
+    constructor(
+        address _spokePool,
+        address _signer,
+        address _wrappedNativeToken
+    ) CounterfactualDepositSpokePool(_spokePool, _signer, _wrappedNativeToken) {} // solhint-disable-line no-empty-blocks
+
+    /// @dev TRON OVERRIDE: was `IERC20(token).safeTransfer(to, amount)` in the parent.
+    ///      `TronTransferLib._safeTransferBalanceCheck` uses a balance-delta success check so it
+    ///      tolerates Tron USDT's non-standard `transfer` return value.
+    function _safeTransfer(address token, address to, uint256 amount) internal override {
+        TronTransferLib._safeTransferBalanceCheck(token, to, amount);
+    }
+}

package/contracts/periphery/counterfactual/WithdrawImplementation.sol

@@ -1,10 +1,9 @@
 // SPDX-License-Identifier: BUSL-1.1
 pragma solidity ^0.8.0;
 
-import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
-import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
 import { ICounterfactualImplementation } from "../../interfaces/ICounterfactualImplementation.sol";
 import { NATIVE_ASSET } from "./CounterfactualConstants.sol";
+import { SafeTransferERC20 } from "../../libraries/SafeTransferERC20.sol";
 
 /**
  * @notice Withdrawal parameters committed to in the merkle leaf.
@@ -22,9 +21,7 @@ struct WithdrawParams {
  * @dev Called via delegatecall from the CounterfactualDeposit dispatcher. `address(this)` is the clone
  *      and `msg.sender` is the original caller.
  */
-contract WithdrawImplementation is ICounterfactualImplementation {
-    using SafeERC20 for IERC20;
-
+contract WithdrawImplementation is ICounterfactualImplementation, SafeTransferERC20 {
     event Withdraw(address indexed token, address indexed to, uint256 amount);
 
     error Unauthorized();
@@ -46,7 +43,7 @@ contract WithdrawImplementation is ICounterfactualImplementation {
             (bool success, ) = to.call{ value: amount }("");
             if (!success) revert NativeTransferFailed();
         } else {
-            IERC20(token).safeTransfer(to, amount);
+            _safeTransfer(token, to, amount);
         }
 
         emit Withdraw(token, to, amount);

package/contracts/periphery/counterfactual/WithdrawImplementationTron.sol

@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { WithdrawImplementation } from "./WithdrawImplementation.sol";
+import { TronTransferLib } from "../../libraries/TronTransferLib.sol";
+
+/**
+ * @title WithdrawImplementationTron
+ * @notice Tron-specific variant of `WithdrawImplementation`. Inherits from the mainline
+ *         contract and overrides the `_safeTransfer` hook to use a balance-delta
+ *         success check that tolerates Tron USDT's non-standard `transfer` return value.
+ *         Native-asset withdrawals are unchanged.
+ * @custom:security-contact bugs@across.to
+ */
+contract WithdrawImplementationTron is WithdrawImplementation {
+    /// @dev TRON OVERRIDE: was `IERC20(token).safeTransfer(to, amount)` in the parent.
+    ///      `TronTransferLib._safeTransferBalanceCheck` uses a balance-delta success check so it
+    ///      tolerates Tron USDT's non-standard `transfer` return value.
+    function _safeTransfer(address token, address to, uint256 amount) internal override {
+        TronTransferLib._safeTransferBalanceCheck(token, to, amount);
+    }
+}

package/contracts/periphery/mintburn/ArbitraryEVMFlowExecutor.sol

@@ -60,9 +60,17 @@ abstract contract ArbitraryEVMFlowExecutor {
         // Decode the compressed action data
         CompressedCall[] memory compressedCalls = abi.decode(params.actionData, (CompressedCall[]));
 
-        // Snapshot balances
-        uint256 initialAmountSnapshot = IERC20(params.initialToken).balanceOf(address(this));
-        uint256 finalAmountSnapshot = IERC20(params.commonParams.finalToken).balanceOf(address(this));
+        // Sweep any pre-existing dust on MulticallHandler so it cannot pollute our balance snapshots
+        _drainMulticallHandlerDust(params.initialToken);
+        if (params.commonParams.finalToken != params.initialToken) {
+            _drainMulticallHandlerDust(params.commonParams.finalToken);
+        }
+
+        bool differentTokens = params.initialToken != params.commonParams.finalToken;
+
+        // Read "starting balance initial token"(sBI) and "starting balance final token"(sBF)
+        uint256 sBI = IERC20(params.initialToken).balanceOf(address(this));
+        uint256 sBF = differentTokens ? IERC20(params.commonParams.finalToken).balanceOf(address(this)) : sBI;
 
         // Transfer tokens to MulticallHandler
         IERC20(params.initialToken).safeTransfer(multicallHandler, params.commonParams.amountInEVM);
@@ -82,19 +90,21 @@ abstract contract ArbitraryEVMFlowExecutor {
             instructions
         );
 
-        uint256 finalAmount;
-        // This means the swap (if one was intended) didn't happen (action failed), so we use the initial token as the final token.
-        if (initialAmountSnapshot == IERC20(params.initialToken).balanceOf(address(this))) {
-            params.commonParams.finalToken = params.initialToken;
-            finalAmount = params.commonParams.amountInEVM;
-        } else {
-            uint256 finalBalance = IERC20(params.commonParams.finalToken).balanceOf(address(this));
-            if (finalBalance >= finalAmountSnapshot) {
-                // This means the swap did happen, so we check the balance of the output token and send it.
-                finalAmount = finalBalance - finalAmountSnapshot;
+        // Default to initial-token accounting; overwrite below if finalToken was actually produced.
+        // Ending balance initial token
+        uint256 eBI = IERC20(params.initialToken).balanceOf(address(this));
+        uint256 finalAmount = params.commonParams.amountInEVM + eBI - sBI;
+        if (differentTokens) {
+            // Ending balance final token
+            uint256 eBF = IERC20(params.commonParams.finalToken).balanceOf(address(this));
+
+            // Any positive finalToken delta is treated as successful execution when initialToken != finalToken. If any
+            // (or all) of the initialToken amount is unspent during the execution, it lands back into this contract and
+            // can be withdrawn by the admin
+            if (eBF > sBF) {
+                finalAmount = eBF - sBF;
             } else {
-                // If we somehow lost final tokens (e.g. by depositing into some contract), just set the finalAmount to 0.
-                finalAmount = 0;
+                params.commonParams.finalToken = params.initialToken;
             }
         }
 
@@ -155,6 +165,19 @@ abstract contract ArbitraryEVMFlowExecutor {
         return abi.encode(instructions);
     }
 
+    /// @notice Drains any pre-existing balance of token from MulticallHandler
+    function _drainMulticallHandlerDust(address token) internal {
+        if (IERC20(token).balanceOf(multicallHandler) == 0) return;
+
+        // Empty instructions with `fallbackRecipient` set. Causes MulticallHandler to call `_drainRemainingTokens`, which
+        // does a safeTransfer of `token` to `fallbackRecipient`, this contract, essentially removing dust
+        bytes memory instructions = abi.encode(
+            MulticallHandler.Instructions({ calls: new MulticallHandler.Call[](0), fallbackRecipient: address(this) })
+        );
+
+        MulticallHandler(payable(multicallHandler)).handleV3AcrossMessage(token, 0, address(this), instructions);
+    }
+
     /// @notice Calculates proportional fees to sponsor in finalToken, given the fees to sponsor in initial token and initial amount
     function _calcExtraFeesFinal(
         uint256 amount,

package/contracts/periphery/mintburn/sponsored-cctp/SponsoredCCTPDstPeriphery.sol

@@ -2,7 +2,7 @@
 pragma solidity ^0.8.0;
 
 import { BaseModuleHandler } from "../BaseModuleHandler.sol";
-import { IMessageTransmitterV2 } from "../../../external/interfaces/CCTPInterfaces.sol";
+import { IMessageTransmitterV2, ITokenMessengerV2 } from "../../../external/interfaces/CCTPInterfaces.sol";
 import { SponsoredCCTPQuoteLib } from "../../../libraries/SponsoredCCTPQuoteLib.sol";
 import { SponsoredCCTPInterface } from "../../../interfaces/SponsoredCCTPInterface.sol";
 import { Bytes32ToAddress } from "../../../libraries/AddressConverters.sol";
@@ -27,6 +27,10 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
     /// @notice The CCTP message transmitter contract.
     IMessageTransmitterV2 public immutable cctpMessageTransmitter;
 
+    /// @notice The CCTP token messenger contract that is the expected top-level recipient of MessageTransmitter
+    /// deliveries and owns the TokenMinter used to resolve burnToken -> local token for non-direct-deposit flows.
+    ITokenMessengerV2 public immutable cctpTokenMessenger;
+
     /// @notice Base token associated with this handler. The one we receive from the CCTP bridge
     address public immutable baseToken;
 
@@ -52,6 +56,8 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
     /**
      * @notice Constructor for the SponsoredCCTPDstPeriphery contract.
      * @param _cctpMessageTransmitter The address of the CCTP message transmitter contract.
+     * @param _cctpTokenMessenger The address of the CCTP token messenger contract. Used to pin that a received
+     * message actually routed through the real mint flow and that the remote burnToken links to `baseToken`.
      * @param _signer The address of the signer that was used to sign the quotes.
      * @param _donationBox The address of the donation box contract. This is used to store funds that are used for sponsored flows.
      * @param _baseToken The address of the base token which would be the USDC on HyperEVM.
@@ -59,6 +65,7 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
      */
     constructor(
         address _cctpMessageTransmitter,
+        address _cctpTokenMessenger,
         address _signer,
         address _donationBox,
         address _baseToken,
@@ -67,6 +74,7 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         baseToken = _baseToken;
 
         cctpMessageTransmitter = IMessageTransmitterV2(_cctpMessageTransmitter);
+        cctpTokenMessenger = ITokenMessengerV2(_cctpTokenMessenger);
 
         MainStorage storage $ = _getMainStorage();
         $.signer = _signer;
@@ -127,10 +135,15 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         bytes memory message,
         bytes memory attestation
     ) external nonReentrant onlyRole(PERMISSIONED_BOT_ROLE) {
+        uint256 baseBalBefore = IERC20Metadata(baseToken).balanceOf(address(this));
         bool success = cctpMessageTransmitter.receiveMessage(message, attestation);
         if (!success) {
             return;
         }
+        // Forward only what the CCTP call actually credited to this contract, so a message that mints nothing
+        // (wrong recipient, unlinked burnToken, etc.) cannot drain this contract's prior `baseToken` balance.
+        uint256 baseBalAfter = IERC20Metadata(baseToken).balanceOf(address(this));
+        uint256 mintedAmount = baseBalAfter - baseBalBefore;
 
         // Use try-catch to handle potential abi.decode reverts gracefully
         try this.validateMessage(message) returns (bool isValid) {
@@ -141,19 +154,14 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
             // Malformed message that causes abi.decode to revert then early return
             return;
         }
-        (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, uint256 feeExecuted) = SponsoredCCTPQuoteLib
-            .getSponsoredCCTPQuoteData(message);
-
-        _getMainStorage().usedNonces[quote.nonce] = true;
+        (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, ) = SponsoredCCTPQuoteLib.getSponsoredCCTPQuoteData(
+            message
+        );
 
-        IERC20Metadata(baseToken).safeTransfer(quote.finalRecipient.toAddress(), quote.amount - feeExecuted);
+        address finalRecipient = quote.finalRecipient.toAddress();
+        IERC20Metadata(baseToken).safeTransfer(finalRecipient, mintedAmount);
 
-        emit EmergencyReceiveMessage(
-            quote.nonce,
-            quote.finalRecipient.toAddress(),
-            baseToken,
-            quote.amount - feeExecuted
-        );
+        emit EmergencyReceiveMessage(quote.nonce, finalRecipient, baseToken, mintedAmount);
     }
 
     /**
@@ -168,6 +176,20 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         bytes memory attestation,
         bytes memory signature
     ) external nonReentrant authorizeFundedFlow {
+        // Check that the CCTP message was actually routed through our TokenMessenger (which owns the mint flow),
+        // and that its TokenMinter links the remote burnToken to our `baseToken` on this domain.
+        if (SponsoredCCTPQuoteLib.extractRecipient(message).toAddressUnchecked() != address(cctpTokenMessenger)) {
+            revert InvalidRecipient();
+        }
+        address localToken = cctpTokenMessenger.localMinter().getLocalToken(
+            SponsoredCCTPQuoteLib.extractSourceDomain(message),
+            SponsoredCCTPQuoteLib.extractBurnToken(message)
+        );
+        if (localToken != baseToken) {
+            revert InvalidMintedToken();
+        }
+
+        uint256 baseBalBefore = IERC20Metadata(baseToken).balanceOf(address(this));
         bool success = cctpMessageTransmitter.receiveMessage(message, attestation);
         if (!success) {
             revert CCTPMessageTransmitterFailed();
@@ -188,6 +210,13 @@ contract SponsoredCCTPDstPeriphery is BaseModuleHandler, SponsoredCCTPInterface,
         (SponsoredCCTPInterface.SponsoredCCTPQuote memory quote, uint256 feeExecuted) = SponsoredCCTPQuoteLib
             .getSponsoredCCTPQuoteData(message);
 
+        // Confirm the CCTP call actually minted `baseToken` to this contract.
+        uint256 baseBalAfter = IERC20Metadata(baseToken).balanceOf(address(this));
+        uint256 amountAfterFees = quote.amount - feeExecuted;
+        if (baseBalAfter - baseBalBefore != amountAfterFees) {
+            revert InvalidMintedAmount();
+        }
+
         // Validate the quote and the signature. Revert on invalid to prevent griefing attacks
         // where an attacker provides correct message/attestation but invalid signature.
         _validateQuoteOrRevert(quote, signature);

package/contracts/sp1-helios/SP1AutoVerifier.sol

@@ -4,7 +4,7 @@ pragma solidity ^0.8.25;
 import { ISP1Verifier } from "@sp1-contracts/src/ISP1Verifier.sol";
 
 /// @title SP1 Auto Verifier
-/// @notice A no-op verifier that accepts any proof. Useful for testing SP1Helios without real proofs.
+/// @notice A no-op verifier that accepts any proof.
 contract SP1AutoVerifier is ISP1Verifier {
     // pure is intentionally stricter than the interface's view; Solidity allows this and it's correct for a no-op.
     function verifyProof(bytes32, bytes calldata, bytes calldata) external pure {}

package/contracts/spoke-pools/SpokePool.sol

@@ -11,6 +11,7 @@ import "../upgradeable/MultiCallerUpgradeable.sol";
 import "../upgradeable/EIP712CrossChainUpgradeable.sol";
 import "../upgradeable/AddressLibUpgradeable.sol";
 import "../libraries/AddressConverters.sol";
+import { SafeTransferERC20 } from "../libraries/SafeTransferERC20.sol";
 import { IOFT, SendParam, MessagingFee } from "../interfaces/IOFT.sol";
 import { OFTTransportAdapter } from "../libraries/OFTTransportAdapter.sol";
 
@@ -39,9 +40,13 @@ abstract contract SpokePool is
     MultiCallerUpgradeable,
     EIP712CrossChainUpgradeable,
     IDestinationSettler,
-    OFTTransportAdapter
+    OFTTransportAdapter,
+    SafeTransferERC20
 {
-    using SafeERC20Upgradeable for IERC20Upgradeable;
+    // Restrict the `using` attachment to `safeTransferFrom` only. All `safeTransfer` calls must go
+    // through the `_safeTransfer` hook (inherited from `SafeTransferERC20`) so chain-specific
+    // variants can override transfer semantics in one place.
+    using { SafeERC20Upgradeable.safeTransferFrom } for IERC20Upgradeable;
     using AddressLibUpgradeable for address;
     using Bytes32ToAddress for bytes32;
     using AddressToBytes32 for address;
@@ -1241,7 +1246,7 @@ abstract contract SpokePool is
         uint256 refund = relayerRefund[l2TokenAddress.toAddress()][msg.sender];
         if (refund == 0) revert NoRelayerRefundToClaim();
         relayerRefund[l2TokenAddress.toAddress()][msg.sender] = 0;
-        IERC20Upgradeable(l2TokenAddress.toAddress()).safeTransfer(refundAddress.toAddress(), refund);
+        _safeTransfer(l2TokenAddress.toAddress(), refundAddress.toAddress(), refund);
 
         emit ClaimedRelayerRefund(l2TokenAddress, refundAddress, refund, msg.sender);
     }
@@ -1429,7 +1434,7 @@ abstract contract SpokePool is
     // Re-implementation of OZ _callOptionalReturnBool to use private logic. Function executes a transfer and returns a
     // bool indicating if the external call was successful, rather than reverting. Original method:
     // https://github.com/OpenZeppelin/openzeppelin-contracts/blob/28aed34dc5e025e61ea0390c18cac875bfde1a78/contracts/token/ERC20/utils/SafeERC20.sol#L188
-    function _noRevertTransfer(address token, address to, uint256 amount) internal returns (bool) {
+    function _noRevertTransfer(address token, address to, uint256 amount) internal virtual returns (bool) {
         bool success;
         uint256 returnSize;
         uint256 returnValue;
@@ -1548,7 +1553,7 @@ abstract contract SpokePool is
             wrappedNativeToken.withdraw(amount);
             AddressLibUpgradeable.sendValue(to, amount);
         } else {
-            IERC20Upgradeable(address(wrappedNativeToken)).safeTransfer(to, amount);
+            _safeTransfer(address(wrappedNativeToken), to, amount);
         }
     }
 
@@ -1662,7 +1667,7 @@ abstract contract SpokePool is
         } else {
             // Note: Similar to note above, send token directly from the contract to the user in the slow relay case.
             if (!isSlowFill) IERC20Upgradeable(outputToken).safeTransferFrom(msg.sender, recipientToSend, amountToSend);
-            else IERC20Upgradeable(outputToken).safeTransfer(recipientToSend, amountToSend);
+            else _safeTransfer(outputToken, recipientToSend, amountToSend);
         }
 
         bytes memory updatedMessage = relayExecution.updatedMessage;

package/contracts/spoke-pools/Tron_SpokePool.sol

@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.0;
+
+import { IERC20 } from "@openzeppelin/contracts-v4/token/ERC20/IERC20.sol";
+
+import { Universal_SpokePool } from "./Universal_SpokePool.sol";
+import { ITokenMessenger } from "../external/interfaces/CCTPInterfaces.sol";
+import { TronTransferLib } from "../libraries/TronTransferLib.sol";
+
+/**
+ * @notice Tron-specific SpokePool variant that handles non-standard ERC20 implementations.
+ * @dev Tron USDT's `transfer` always returns false on success, which breaks the return-value
+ *      checks in `SafeERC20.safeTransfer` and `SpokePool._noRevertTransfer`. This variant
+ *      overrides both base hooks (`_noRevertTransfer` and `_safeTransfer`) to delegate to
+ *      `TronTransferLib`, which performs a balance-delta success check. `transferFrom` is
+ *      correct on Tron USDT, so paths using `safeTransferFrom` are unchanged.
+ *
+ *      Assumes Tether's `basisPointsRate` fee-on-transfer mechanism stays at zero. If it
+ *      is ever activated, balance-delta will report failure on successful transfers and
+ *      USDT routes on this contract will wedge until disabled operationally.
+ * @custom:security-contact bugs@across.to
+ */
+contract Tron_SpokePool is Universal_SpokePool {
+    /// @custom:oz-upgrades-unsafe-allow constructor
+    constructor(
+        uint256 _adminUpdateBufferSeconds,
+        address _helios,
+        address _hubPoolStore,
+        address _wrappedNativeTokenAddress,
+        uint32 _depositQuoteTimeBuffer,
+        uint32 _fillDeadlineBuffer,
+        IERC20 _l2Usdc,
+        ITokenMessenger _cctpTokenMessenger,
+        uint32 _oftDstEid,
+        uint256 _oftFeeCap
+    )
+        Universal_SpokePool(
+            _adminUpdateBufferSeconds,
+            _helios,
+            _hubPoolStore,
+            _wrappedNativeTokenAddress,
+            _depositQuoteTimeBuffer,
+            _fillDeadlineBuffer,
+            _l2Usdc,
+            _cctpTokenMessenger,
+            _oftDstEid,
+            _oftFeeCap
+        )
+    {} // solhint-disable-line no-empty-blocks
+
+    /// @dev Replaces base implementation's return-value-based success detection with a
+    ///      balance-delta check. Required because Tron USDT's `transfer` returns false
+    ///      even on successful transfers.
+    function _noRevertTransfer(address token, address to, uint256 amount) internal override returns (bool) {
+        (bool callOk, bool balanceOk) = TronTransferLib._balanceDeltaTransfer(token, to, amount);
+        return callOk && balanceOk;
+    }
+
+    /// @dev Revert-on-failure variant; reverts with `TronTransferCallReverted` or
+    ///      `TronTransferBalanceMismatch` so callers can distinguish failure modes.
+    ///      Replaces the base `safeTransfer` call sites (claimRelayerRefund, slow-fill ERC20 path).
+    function _safeTransfer(address token, address to, uint256 amount) internal override {
+        TronTransferLib._safeTransferBalanceCheck(token, to, amount);
+    }
+}