@keep-network/tbtc-v2 0.1.1-dev.1 → 0.1.1-dev.10

package/contracts/bridge/BitcoinTx.sol

@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+/// @title Bitcoin transaction
+/// @notice Allows to reference Bitcoin raw transaction in Solidity.
+/// @dev See https://developer.bitcoin.org/reference/transactions.html#raw-transaction-format
+///
+///      Raw Bitcon transaction data:
+///
+///      | Bytes  |     Name     |        BTC type        |        Description        |
+///      |--------|--------------|------------------------|---------------------------|
+///      | 4      | version      | int32_t (LE)           | TX version number         |
+///      | varies | tx_in_count  | compactSize uint (LE)  | Number of TX inputs       |
+///      | varies | tx_in        | txIn[]                 | TX inputs                 |
+///      | varies | tx_out count | compactSize uint (LE)  | Number of TX outputs      |
+///      | varies | tx_out       | txOut[]                | TX outputs                |
+///      | 4      | lock_time    | uint32_t (LE)          | Unix time or block number |
+///
+//
+///      Non-coinbase transaction input (txIn):
+///
+///      | Bytes  |       Name       |        BTC type        |                 Description                 |
+///      |--------|------------------|------------------------|---------------------------------------------|
+///      | 36     | previous_output  | outpoint               | The previous outpoint being spent           |
+///      | varies | script bytes     | compactSize uint (LE)  | The number of bytes in the signature script |
+///      | varies | signature script | char[]                 | The signature script, empty for P2WSH       |
+///      | 4      | sequence         | uint32_t (LE)          | Sequence number                             |
+///
+///
+///      The reference to transaction being spent (outpoint):
+///
+///      | Bytes | Name  |   BTC type    |               Description                |
+///      |-------|-------|---------------|------------------------------------------|
+///      |    32 | hash  | char[32]      | Hash of the transaction to spend         |
+///      |    4  | index | uint32_t (LE) | Index of the specific output from the TX |
+///
+///
+///      Transaction output (txOut):
+///
+///      | Bytes  |      Name       |     BTC type          |             Description              |
+///      |--------|-----------------|-----------------------|--------------------------------------|
+///      | 8      | value           | int64_t (LE)          | Number of satoshis to spend          |
+///      | 1+     | pk_script_bytes | compactSize uint (LE) | Number of bytes in the pubkey script |
+///      | varies | pk_script       | char[]                | Pubkey script                        |
+///
+///      compactSize uint format:
+///
+///      |                  Value                  | Bytes |                    Format                    |
+///      |-----------------------------------------|-------|----------------------------------------------|
+///      | >= 0 && <= 252                          | 1     | uint8_t                                      |
+///      | >= 253 && <= 0xffff                     | 3     | 0xfd followed by the number as uint16_t (LE) |
+///      | >= 0x10000 && <= 0xffffffff             | 5     | 0xfe followed by the number as uint32_t (LE) |
+///      | >= 0x100000000 && <= 0xffffffffffffffff | 9     | 0xff followed by the number as uint64_t (LE) |
+///
+///      (*) compactSize uint is often references as VarInt)
+///
+library BitcoinTx {
+    /// @notice Represents Bitcoin transaction data for funding BTC deposit
+    ///         P2(W)SH transaction.
+    struct Info {
+        /// @notice Bitcoin transaction version
+        /// @dev `version` from raw Bitcon transaction data.
+        ///      Encoded as 4-bytes signed integer, little endian.
+        bytes4 version;
+        /// @notice All Bitcoin transaction inputs, prepended by the number of
+        ///         transaction inputs.
+        /// @dev `tx_in_count | tx_in` from raw Bitcon transaction data.
+        ///
+        ///      The number of transaction inputs encoded as compactSize
+        ///      unsigned integer, little-endian.
+        ///
+        ///      Note that some popular block explorers reverse the order of
+        ///      bytes from `outpoint`'s `hash` and display it as big-endian.
+        ///      Solidity code of Bridge expects hashes in little-endian, just
+        ///      like they are represented in a raw Bitcoin transaction.
+        bytes inputVector;
+        /// @notice All Bitcoin transaction outputs prepended by the number of
+        ///         transaction outputs.
+        /// @dev `tx_out_count | tx_out` from raw Bitcoin transaction data.
+        ///
+        ///       The number of transaction outputs encoded as a compactSize
+        ///       unsigned integer, little-endian.
+        bytes outputVector;
+        /// @notice Bitcoin transaction locktime.
+        ///
+        /// @dev `lock_time` from raw Bitcoin transaction data.
+        ///      Encoded as 4-bytes unsigned integer, little endian.
+        bytes4 locktime;
+    }
+}

package/contracts/bridge/Bridge.sol

@@ -0,0 +1,346 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+import "@openzeppelin/contracts/access/Ownable.sol";
+
+import {BTCUtils} from "@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol";
+import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+
+import "./BitcoinTx.sol";
+
+/// @title Bitcoin Bridge
+/// @notice Bridge manages BTC deposit and redemption flow and is increasing and
+///         decreasing balances in the Bank as a result of BTC deposit and
+///         redemption operations performed by depositors and redeemers.
+///
+///         Depositors send BTC funds to the most recently created off-chain
+///         ECDSA wallet of the bridge using pay-to-script-hash (P2SH) or
+///         pay-to-witness-script-hash (P2WSH) containing hashed information
+///         about the depositor’s Ethereum address. Then, the depositor reveals
+///         their Ethereum address along with their deposit blinding factor,
+///         refund public key hash and refund locktime to the Bridge on Ethereum
+///         chain. The off-chain ECDSA wallet listens for these sorts of
+///         messages and when it gets one, it checks the Bitcoin network to make
+///         sure the deposit lines up. If it does, the off-chain ECDSA wallet
+///         may decide to pick the deposit transaction for sweeping, and when
+///         the sweep operation is confirmed on the Bitcoin network, the ECDSA
+///         wallet informs the Bridge about the sweep increasing appropriate
+///         balances in the Bank.
+/// @dev Bridge is an upgradeable component of the Bank.
+contract Bridge is Ownable {
+    using BTCUtils for bytes;
+    using BytesLib for bytes;
+
+    /// @notice Represents data which must be revealed by the depositor during
+    ///         deposit reveal.
+    struct RevealInfo {
+        // Index of the funding output belonging to the funding transaction.
+        uint8 fundingOutputIndex;
+        // Ethereum depositor address.
+        address depositor;
+        // The blinding factor as 8 bytes. Byte endianness doesn't matter
+        // as this factor is not interpreted as uint.
+        bytes8 blindingFactor;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // of the deposit's wallet hashed in the HASH160 Bitcoin opcode style.
+        bytes20 walletPubKeyHash;
+        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
+        // that can be used to make the deposit refund after the refund
+        // locktime passes. Hashed in the HASH160 Bitcoin opcode style.
+        bytes20 refundPubKeyHash;
+        // The refund locktime (4-byte LE). Interpreted according to locktime
+        // parsing rules described in:
+        // https://developer.bitcoin.org/devguide/transactions.html#locktime-and-sequence-number
+        // and used with OP_CHECKLOCKTIMEVERIFY opcode as described in:
+        // https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki
+        bytes4 refundLocktime;
+        // Address of the Bank vault to which the deposit is routed to.
+        // Optional, can be 0x0. The vault must be trusted by the Bridge.
+        address vault;
+    }
+
+    /// @notice Represents tBTC deposit data.
+    struct DepositInfo {
+        // Ethereum depositor address.
+        address depositor;
+        // Deposit amount in satoshi (8-byte LE). For example:
+        // 0.0001 BTC = 10000 satoshi = 0x1027000000000000
+        bytes8 amount;
+        // UNIX timestamp the deposit was revealed at.
+        uint32 revealedAt;
+        // Address of the Bank vault the deposit is routed to.
+        // Optional, can be 0x0.
+        address vault;
+    }
+
+    /// @notice Indicates if the vault with the given address is trusted or not.
+    ///         Depositors can route their revealed deposits only to trusted
+    ///         vaults and have trusted vaults notified about new deposits as
+    ///         soon as these deposits get swept. Vaults not trusted by the
+    ///         Bridge can still be used by Bank balance owners on their own
+    ///         responsibility - anyone can approve their Bank balance to any
+    ///         address.
+    mapping(address => bool) public isVaultTrusted;
+
+    /// @notice Collection of all unswept deposits indexed by
+    ///         keccak256(fundingTxHash | fundingOutputIndex).
+    ///         The fundingTxHash is LE bytes32 and fundingOutputIndex an uint8.
+    ///         This mapping may contain valid and invalid deposits and the
+    ///         wallet is responsible for validating them before attempting to
+    ///         execute a sweep.
+    ///
+    /// TODO: Explore the possibility of storing just a hash of DepositInfo.
+    mapping(uint256 => DepositInfo) public unswept;
+
+    event DepositRevealed(
+        bytes32 fundingTxHash,
+        uint8 fundingOutputIndex,
+        address depositor,
+        bytes8 blindingFactor,
+        bytes20 walletPubKeyHash,
+        bytes20 refundPubKeyHash,
+        bytes4 refundLocktime,
+        address vault
+    );
+
+    event VaultStatusUpdated(address indexed vault, bool isTrusted);
+
+    /// @notice Allows the Governance to mark the given vault address as trusted
+    ///         or no longer trusted. Vaults are not trusted by default.
+    ///         Trusted vault must meet the following criteria:
+    ///         - `IVault.receiveBalanceIncrease` must have a known, low gas
+    ///           cost.
+    ///         - `IVault.receiveBalanceIncrease` must never revert.
+    /// @dev Without restricting reveal only to trusted vaults, malicious
+    ///      vaults not meeting the criteria would be able to nuke sweep proof
+    ///      transactions executed by ECDSA wallet with  deposits routed to
+    ///      them.
+    /// @param vault The address of the vault
+    /// @param isTrusted flag indicating whether the vault is trusted or not
+    /// @dev Can only be called by the Governance.
+    function setVaultStatus(address vault, bool isTrusted) external onlyOwner {
+        isVaultTrusted[vault] = isTrusted;
+        emit VaultStatusUpdated(vault, isTrusted);
+    }
+
+    /// @notice Used by the depositor to reveal information about their P2(W)SH
+    ///         Bitcoin deposit to the Bridge on Ethereum chain. The off-chain
+    ///         wallet listens for revealed deposit events and may decide to
+    ///         include the revealed deposit in the next executed sweep.
+    ///         Information about the Bitcoin deposit can be revealed before or
+    ///         after the Bitcoin transaction with P2(W)SH deposit is mined on
+    ///         the Bitcoin chain. Worth noting, the gas cost of this function
+    ///         scales with the number of P2(W)SH transaction inputs and
+    ///         outputs. The deposit may be routed to one of the trusted vaults.
+    ///         When a deposit is routed to a vault, vault gets notified when
+    ///         the deposit gets swept and it may execute the appropriate action.
+    /// @param fundingTx Bitcoin funding transaction data, see `BitcoinTx.Info`
+    /// @param reveal Deposit reveal data, see `RevealInfo struct
+    /// @dev Requirements:
+    ///      - `reveal.vault` must be 0x0 or point to a trusted vault
+    ///      - `reveal.fundingOutputIndex` must point to the actual P2(W)SH
+    ///        output of the BTC deposit transaction
+    ///      - `reveal.depositor` must be the Ethereum address used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.blindingFactor` must be the blinding factor used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - `reveal.walletPubKeyHash` must be the wallet pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundPubKeyHash` must be the refund pub key hash used in
+    ///        the P2(W)SH BTC deposit transaction,
+    ///      - `reveal.refundLocktime` must be the refund locktime used in the
+    ///        P2(W)SH BTC deposit transaction,
+    ///      - BTC deposit for the given `fundingTxHash`, `fundingOutputIndex`
+    ///        can be revealed only one time.
+    ///
+    ///      If any of these requirements is not met, the wallet _must_ refuse
+    ///      to sweep the deposit and the depositor has to wait until the
+    ///      deposit script unlocks to receive their BTC back.
+    function revealDeposit(
+        BitcoinTx.Info calldata fundingTx,
+        RevealInfo calldata reveal
+    ) external {
+        require(
+            reveal.vault == address(0) || isVaultTrusted[reveal.vault],
+            "Vault is not trusted"
+        );
+
+        bytes memory expectedScript =
+            abi.encodePacked(
+                hex"14", // Byte length of depositor Ethereum address.
+                reveal.depositor,
+                hex"75", // OP_DROP
+                hex"08", // Byte length of blinding factor value.
+                reveal.blindingFactor,
+                hex"75", // OP_DROP
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.walletPubKeyHash,
+                hex"87", // OP_EQUAL
+                hex"63", // OP_IF
+                hex"ac", // OP_CHECKSIG
+                hex"67", // OP_ELSE
+                hex"76", // OP_DUP
+                hex"a9", // OP_HASH160
+                hex"14", // Byte length of a compressed Bitcoin public key hash.
+                reveal.refundPubKeyHash,
+                hex"88", // OP_EQUALVERIFY
+                hex"04", // Byte length of refund locktime value.
+                reveal.refundLocktime,
+                hex"b1", // OP_CHECKLOCKTIMEVERIFY
+                hex"75", // OP_DROP
+                hex"ac", // OP_CHECKSIG
+                hex"68" // OP_ENDIF
+            );
+
+        bytes memory fundingOutput =
+            fundingTx.outputVector.extractOutputAtIndex(
+                reveal.fundingOutputIndex
+            );
+        bytes memory fundingOutputHash = fundingOutput.extractHash();
+
+        if (fundingOutputHash.length == 20) {
+            // A 20-byte output hash is used by P2SH. That hash is constructed
+            // by applying OP_HASH160 on the locking script. A 20-byte output
+            // hash is used as well by P2PKH and P2WPKH (OP_HASH160 on the
+            // public key). However, since we compare the actual output hash
+            // with an expected locking script hash, this check will succeed only
+            // for P2SH transaction type with expected script hash value. For
+            // P2PKH and P2WPKH, it will fail on the output hash comparison with
+            // the expected locking script hash.
+            require(
+                keccak256(fundingOutputHash) ==
+                    keccak256(expectedScript.hash160()),
+                "Wrong 20-byte script hash"
+            );
+        } else if (fundingOutputHash.length == 32) {
+            // A 32-byte output hash is used by P2WSH. That hash is constructed
+            // by applying OP_SHA256 on the locking script.
+            require(
+                fundingOutputHash.toBytes32() == sha256(expectedScript),
+                "Wrong 32-byte script hash"
+            );
+        } else {
+            revert("Wrong script hash length");
+        }
+
+        // Resulting TX hash is in native Bitcoin little-endian format.
+        bytes32 fundingTxHash =
+            abi
+                .encodePacked(
+                fundingTx
+                    .version,
+                fundingTx
+                    .inputVector,
+                fundingTx
+                    .outputVector,
+                fundingTx
+                    .locktime
+            )
+                .hash256();
+
+        DepositInfo storage deposit =
+            unswept[
+                uint256(
+                    keccak256(
+                        abi.encodePacked(
+                            fundingTxHash,
+                            reveal.fundingOutputIndex
+                        )
+                    )
+                )
+            ];
+        require(deposit.revealedAt == 0, "Deposit already revealed");
+
+        bytes8 fundingOutputAmount;
+        /* solhint-disable-next-line no-inline-assembly */
+        assembly {
+            // First 8 bytes (little-endian) of the funding output represents
+            // its value. To take the value, we need to jump over the first
+            // word determining the array length, load the array, and trim it
+            // by putting it to a bytes8.
+            fundingOutputAmount := mload(add(fundingOutput, 32))
+        }
+
+        deposit.amount = fundingOutputAmount;
+        deposit.depositor = reveal.depositor;
+        /* solhint-disable-next-line not-rely-on-time */
+        deposit.revealedAt = uint32(block.timestamp);
+        deposit.vault = reveal.vault;
+
+        emit DepositRevealed(
+            fundingTxHash,
+            reveal.fundingOutputIndex,
+            reveal.depositor,
+            reveal.blindingFactor,
+            reveal.walletPubKeyHash,
+            reveal.refundPubKeyHash,
+            reveal.refundLocktime,
+            reveal.vault
+        );
+    }
+
+    /// @notice Used by the wallet to prove the BTC deposit sweep transaction
+    ///         and to update Bank balances accordingly. Sweep is only accepted
+    ///         if it satisfies SPV proof.
+    ///
+    ///         The function is performing Bank balance updates by first
+    ///         computing the Bitcoin fee for the sweep transaction. The fee is
+    ///         divided evenly between all swept deposits. Each depositor
+    ///         receives a balance in the bank equal to the amount inferred
+    ///         during the reveal transaction, minus their fee share.
+    ///
+    ///         It is possible to prove the given sweep only one time.
+    /// @param sweepTx Bitcoin sweep transaction data.
+    /// @param merkleProof The merkle proof of transaction inclusion in a block.
+    /// @param txIndexInBlock Transaction index in the block (0-indexed).
+    /// @param bitcoinHeaders Single bytestring of 80-byte bitcoin headers,
+    ///                       lowest height first.
+    function sweep(
+        BitcoinTx.Info calldata sweepTx,
+        bytes memory merkleProof,
+        uint256 txIndexInBlock,
+        bytes memory bitcoinHeaders
+    ) external {
+        // TODO We need to read `fundingTxHash`, `fundingOutputIndex` from
+        //      `sweepTx.inputVector`. We then hash them to obtain deposit
+        //      identifier and read DepositInfo. From DepositInfo we know what
+        //      amount was inferred during deposit reveal transaction and we
+        //      use that amount to update their Bank balance, minus fee.
+        //
+        // TODO We need to validate if the sum in the output minus the
+        //      amount from the previous wallet balance input minus fees is
+        //      equal to the amount by which Bank balances were increased.
+        //
+        // TODO We need to validate `sweepTx.outputVector` to see if the balance
+        //      was not transferred away from the wallet before increasing
+        //      balances in the bank.
+        //
+        // TODO Delete deposit from unswept mapping or mark it as swept
+        //      depending on the gas costs. Alternatively, do not allow to
+        //      use the same TX input vector twice. Sweep should be provable
+        //      only one time.
+    }
+
+    // TODO It is possible a malicious wallet can sweep deposits that can not
+    //      be later proved on Ethereum. For example, a deposit with
+    //      an incorrect amount revealed. We need to provide a function for honest
+    //      depositors, next to sweep, to prove their swept balances on Ethereum
+    //      selectively, based on deposits they have earlier received.
+    //      (UPDATE PR #90: Is it still the case since amounts are inferred?)
+}

package/contracts/vault/IVault.sol

@@ -0,0 +1,60 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+/// @title Bank Vault interface
+/// @notice `IVault` is an interface for a smart contract consuming Bank
+///         balances of other contracts or externally owned accounts (EOA).
+interface IVault {
+    /// @notice Called by the Bank in `approveBalanceAndCall` function after
+    ///         the balance `owner` approved `amount` of their balance in the
+    ///         Bank for the vault. This way, the depositor can approve balance
+    ///         and call the vault to use the approved balance in a single
+    ///         transaction.
+    /// @param owner Address of the Bank balance owner who approved their
+    ///        balance to be used by the vault
+    /// @param amount The amount of the Bank balance approved by the owner
+    ///        to be used by the vault
+    // @dev The implementation must ensure this function can only be called
+    ///      by the Bank. The Bank does _not_ guarantee that the `amount`
+    ///      approved by the `owner` currently exists on their balance. That is,
+    ///      the `owner` could approve more balance than they currently have.
+    ///      This works the same as `Bank.approve` function. The vault must
+    ///      ensure the actual balance is checked before performing any action
+    ///      based on it.
+    function receiveBalanceApproval(address owner, uint256 amount) external;
+
+    /// @notice Called by the Bank in `increaseBalanceAndCall` function after
+    ///         increasing the balance in the Bank for the vault. It happens in
+    ///         the same transaction in which deposits were swept by the Bridge.
+    ///         This allows the depositor to route their deposit revealed to the
+    ///         Bridge to the particular smart contract (vault) in the same
+    ///         transaction in which the deposit is revealed. This way, the
+    ///         depositor does not have to execute additional transaction after
+    ///         the deposit gets swept by the Bridge to approve and transfer
+    ///         their balance to the vault.
+    /// @param depositors Addresses of depositors whose deposits have been swept
+    /// @param depositedAmounts Amounts deposited by individual depositors and
+    ///        swept
+    /// @dev The implementation must ensure this function can only be called
+    ///      by the Bank. The Bank guarantees that the vault's balance was
+    ///      increased by the sum of all deposited amounts before this function
+    ///      is called, in the same transaction.
+    function receiveBalanceIncrease(
+        address[] calldata depositors,
+        uint256[] calldata depositedAmounts
+    ) external;
+}

package/contracts/vault/TBTCVault.sol

@@ -0,0 +1,146 @@
+// SPDX-License-Identifier: MIT
+
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+// ██████████████     ▐████▌     ██████████████
+// ██████████████     ▐████▌     ██████████████
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+//               ▐████▌    ▐████▌
+
+pragma solidity 0.8.4;
+
+import "./IVault.sol";
+import "../bank/Bank.sol";
+import "../token/TBTC.sol";
+
+/// @title TBTC application vault
+/// @notice TBTC is a fully Bitcoin-backed ERC-20 token pegged to the price of
+///         Bitcoin. It facilitates Bitcoin holders to act on the Ethereum
+///         blockchain and access the decentralized finance (DeFi) ecosystem.
+///         TBTC Vault mints and redeems TBTC based on Bitcoin balances in the
+///         Bank.
+/// @dev TBTC Vault is the owner of TBTC token contract and is the only contract
+///      minting the token.
+contract TBTCVault is IVault {
+    Bank public bank;
+    TBTC public tbtcToken;
+
+    event Minted(address indexed to, uint256 amount);
+
+    event Redeemed(address indexed from, uint256 amount);
+
+    modifier onlyBank() {
+        require(msg.sender == address(bank), "Caller is not the Bank");
+        _;
+    }
+
+    constructor(Bank _bank, TBTC _tbtcToken) {
+        require(
+            address(_bank) != address(0),
+            "Bank can not be the zero address"
+        );
+
+        require(
+            address(_tbtcToken) != address(0),
+            "TBTC token can not be the zero address"
+        );
+
+        bank = _bank;
+        tbtcToken = _tbtcToken;
+    }
+
+    /// @notice Transfers the given `amount` of the Bank balance from caller
+    ///         to TBTC Vault, and mints `amount` of TBTC to the caller.
+    /// @dev TBTC Vault must have an allowance for caller's balance in the Bank
+    ///      for at least `amount`.
+    /// @param amount Amount of TBTC to mint
+    function mint(uint256 amount) external {
+        address minter = msg.sender;
+        require(
+            bank.balanceOf(minter) >= amount,
+            "Amount exceeds balance in the bank"
+        );
+        _mint(minter, amount);
+        bank.transferBalanceFrom(minter, address(this), amount);
+    }
+
+    /// @notice Transfers the given `amount` of the Bank balance from the caller
+    ///         to TBTC Vault and mints `amount` of TBTC to the caller.
+    /// @dev Can only be called by the Bank via `approveBalanceAndCall`.
+    /// @param owner The owner who approved their Bank balance
+    /// @param amount Amount of TBTC to mint
+    function receiveBalanceApproval(address owner, uint256 amount)
+        external
+        override
+        onlyBank
+    {
+        require(
+            bank.balanceOf(owner) >= amount,
+            "Amount exceeds balance in the bank"
+        );
+        _mint(owner, amount);
+        bank.transferBalanceFrom(owner, address(this), amount);
+    }
+
+    /// @notice Mints the same amount of TBTC as the deposited amount for each
+    ///         depositor in the array. Can only be called by the Bank after the
+    ///         Bridge swept deposits and Bank increased balance for the
+    ///         vault.
+    /// @dev Fails if `depositors` array is empty. Expects the length of
+    ///      `depositors` and `depositedAmounts` is the same.
+    function receiveBalanceIncrease(
+        address[] calldata depositors,
+        uint256[] calldata depositedAmounts
+    ) external override onlyBank {
+        require(depositors.length != 0, "No depositors specified");
+        for (uint256 i = 0; i < depositors.length; i++) {
+            _mint(depositors[i], depositedAmounts[i]);
+        }
+    }
+
+    /// @notice Burns `amount` of TBTC from the caller's account and transfers
+    ///         `amount` back to the caller's balance in the Bank.
+    /// @dev Caller must have at least `amount` of TBTC approved to
+    ///       TBTC Vault.
+    /// @param amount Amount of TBTC to redeem
+    function redeem(uint256 amount) external {
+        _redeem(msg.sender, amount);
+    }
+
+    /// @notice Burns `amount` of TBTC from the caller's account and transfers
+    ///         `amount` back to the caller's balance in the Bank.
+    /// @dev This function is doing the same as `redeem` but it allows to
+    ///      execute redemption without an additional approval transaction.
+    ///      The function can be called only via `approveAndCall` of TBTC token.
+    /// @param from TBTC token holder executing redemption
+    /// @param amount Amount of TBTC to redeem
+    /// @param token TBTC token address
+    function receiveApproval(
+        address from,
+        uint256 amount,
+        address token,
+        bytes calldata
+    ) external {
+        require(token == address(tbtcToken), "Token is not TBTC");
+        require(msg.sender == token, "Only TBTC caller allowed");
+        _redeem(from, amount);
+    }
+
+    // slither-disable-next-line calls-loop
+    function _mint(address minter, uint256 amount) internal {
+        emit Minted(minter, amount);
+        tbtcToken.mint(minter, amount);
+    }
+
+    function _redeem(address redeemer, uint256 amount) internal {
+        emit Redeemed(redeemer, amount);
+        tbtcToken.burnFrom(redeemer, amount);
+        bank.transferBalance(redeemer, amount);
+    }
+}