@keep-network/tbtc-v2 0.1.1-dev.22 → 0.1.1-dev.25

package/contracts/bridge/Bridge.sol

@@ -19,9 +19,12 @@ import "@openzeppelin/contracts/access/Ownable.sol";
 
 import {BTCUtils} from "@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol";
 import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+import {IWalletOwner as EcdsaWalletOwner} from "@keep-network/ecdsa/contracts/api/IWalletOwner.sol";
 
 import "../bank/Bank.sol";
 import "./BitcoinTx.sol";
+import "./EcdsaLib.sol";
+import "./Wallets.sol";
 
 /// @title Interface for the Bitcoin relay
 /// @notice Contains only the methods needed by tBTC v2. The Bitcoin relay
@@ -54,10 +57,11 @@ interface IRelay {
 ///         wallet informs the Bridge about the sweep increasing appropriate
 ///         balances in the Bank.
 /// @dev Bridge is an upgradeable component of the Bank.
-contract Bridge is Ownable {
+contract Bridge is Ownable, EcdsaWalletOwner {
     using BTCUtils for bytes;
     using BTCUtils for uint256;
     using BytesLib for bytes;
+    using Wallets for Wallets.Data;
 
     /// @notice Represents data which must be revealed by the depositor during
     ///         deposit reveal.
@@ -165,36 +169,6 @@ contract Bridge is Ownable {
         uint64 changeValue;
     }
 
-    /// @notice Represents wallet state:
-    enum WalletState {
-        /// @dev The wallet is unknown to the Bridge.
-        Unknown,
-        /// @dev The wallet can sweep deposits and accept redemption requests.
-        Active,
-        /// @dev The wallet was deemed unhealthy and is expected to move their
-        ///      outstanding funds to another wallet. The wallet can still
-        ///      fulfill their pending redemption requests although new
-        ///      redemption requests and new deposit reveals are not accepted.
-        MovingFunds,
-        /// @dev The wallet moved or redeemed all their funds and cannot
-        ///      perform any action.
-        Closed,
-        /// @dev The wallet committed a fraud that was reported. The wallet is
-        ///      blocked and can not perform any actions in the Bridge.
-        ///      Off-chain coordination with the wallet operators is needed to
-        ///      recover funds.
-        Terminated
-    }
-
-    /// @notice Holds information about a wallet.
-    struct Wallet {
-        // Current state of the wallet.
-        WalletState state;
-        // The total redeemable value of pending redemption requests targeting
-        // that wallet.
-        uint64 pendingRedemptionsValue;
-    }
-
     /// @notice The number of confirmations on the Bitcoin chain required to
     ///         successfully evaluate an SPV proof.
     uint256 public immutable txProofDifficultyFactor;
@@ -212,13 +186,21 @@ contract Bridge is Ownable {
     ///         Treasury takes part in the operators rewarding process.
     address public immutable treasury;
 
+    /// TODO: Make it governable.
+    /// @notice The minimal amount that can be requested for deposit.
+    ///         Value of this parameter must take into account the value of
+    ///         `depositTreasuryFeeDivisor` and `depositTxMaxFee`
+    ///         parameters in order to make requests that can incur the
+    ///         treasury and transaction fee and still satisfy the depositor.
+    uint64 public depositDustThreshold;
+
     /// TODO: Make it governable.
     /// @notice Divisor used to compute the treasury fee taken from each
     ///         deposit and transferred to the treasury upon sweep proof
     ///         submission. That fee is computed as follows:
     ///         `treasuryFee = depositedAmount / depositTreasuryFeeDivisor`
     ///         For example, if the treasury fee needs to be 2% of each deposit,
-    ///         the `redemptionTreasuryFeeDivisor` should be set to `50`
+    ///         the `depositTreasuryFeeDivisor` should be set to `50`
     ///         because `1/50 = 0.02 = 2%`.
     uint64 public depositTreasuryFeeDivisor;
 
@@ -279,15 +261,6 @@ contract Bridge is Ownable {
     ///         validating them before attempting to execute a sweep.
     mapping(uint256 => DepositRequest) public deposits;
 
-    /// @notice Maps the 20-byte wallet public key hash (computed using
-    ///         Bitcoin HASH160 over the compressed ECDSA public key) to
-    ///         the latest wallet's main UTXO computed as
-    ///         keccak256(txHash | txOutputIndex | txOutputValue). The `tx`
-    ///         prefix refers to the transaction which created that main UTXO.
-    ///         The txHash is bytes32 (ordered as in Bitcoin internally),
-    ///         txOutputIndex an uint32, and txOutputValue an uint64 value.
-    mapping(bytes20 => bytes32) public mainUtxos;
-
     /// @notice Collection of all pending redemption requests indexed by
     ///         redemption key built as
     ///         keccak256(walletPubKeyHash | redeemerOutputScript). The
@@ -302,8 +275,6 @@ contract Bridge is Ownable {
     ///           successfully
     ///         - `notifyRedemptionTimeout` in case the request was reported
     ///           to be timed out
-    ///         - `submitRedemptionFraudProof` in case the request was handled
-    ///           in an fraudulent way amount-wise.
     mapping(uint256 => RedemptionRequest) public pendingRedemptions;
 
     /// @notice Collection of all timed out redemptions requests indexed by
@@ -324,14 +295,39 @@ contract Bridge is Ownable {
     // slither-disable-next-line uninitialized-state
     mapping(uint256 => RedemptionRequest) public timedOutRedemptions;
 
-    /// @notice Maps the 20-byte wallet public key hash (computed using
-    ///         Bitcoin HASH160 over the compressed ECDSA public key) to the
-    ///         basic wallet information like state and pending
-    ///         redemptions value.
-    ///
-    // TODO: Remove that Slither disable once this variable is used.
-    // slither-disable-next-line uninitialized-state
-    mapping(bytes20 => Wallet) public wallets;
+    /// @notice State related with wallets.
+    Wallets.Data internal wallets;
+
+    event WalletCreationPeriodUpdated(uint32 newCreationPeriod);
+
+    event WalletBtcBalanceRangeUpdated(
+        uint64 newMinBtcBalance,
+        uint64 newMaxBtcBalance
+    );
+
+    event WalletMaxAgeUpdated(uint32 newMaxAge);
+
+    event NewWalletRequested();
+
+    event NewWalletRegistered(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletMovingFunds(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletClosed(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletTerminated(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
 
     event VaultStatusUpdated(address indexed vault, bool isTrusted);
 
@@ -367,6 +363,7 @@ contract Bridge is Ownable {
         address _bank,
         address _relay,
         address _treasury,
+        address _ecdsaWalletRegistry,
         uint256 _txProofDifficultyFactor
     ) {
         require(_bank != address(0), "Bank address cannot be zero");
@@ -381,16 +378,62 @@ contract Bridge is Ownable {
         txProofDifficultyFactor = _txProofDifficultyFactor;
 
         // TODO: Revisit initial values.
+        depositDustThreshold = 1000000; // 1000000 satoshi = 0.01 BTC
         depositTxMaxFee = 1000; // 1000 satoshi
         depositTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
         redemptionDustThreshold = 1000000; // 1000000 satoshi = 0.01 BTC
         redemptionTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
         redemptionTxMaxFee = 1000; // 1000 satoshi
         redemptionTimeout = 172800; // 48 hours
+
+        // TODO: Revisit initial values.
+        wallets.init(_ecdsaWalletRegistry);
+        wallets.setCreationPeriod(1 weeks);
+        wallets.setBtcBalanceRange(1 * 1e8, 10 * 1e8); // [1 BTC, 10 BTC]
+        wallets.setMaxAge(26 weeks); // ~6 months
     }
 
-    // TODO: Add function `onNewWalletCreated` according to discussion:
-    //       https://github.com/keep-network/tbtc-v2/pull/128#discussion_r809885230
+    /// @notice Updates parameters used by the `Wallets` library.
+    /// @param creationPeriod New value of the wallet creation period
+    /// @param minBtcBalance New value of the minimum BTC balance
+    /// @param maxBtcBalance New value of the maximum BTC balance
+    /// @param maxAge New value of the wallet maximum age
+    /// @dev Requirements:
+    ///      - Caller must be the contract owner.
+    ///      - Minimum BTC balance must be greater than zero
+    ///      - Maximum BTC balance must be greater than minimum BTC balance
+    function updateWalletsParameters(
+        uint32 creationPeriod,
+        uint64 minBtcBalance,
+        uint64 maxBtcBalance,
+        uint32 maxAge
+    ) external onlyOwner {
+        wallets.setCreationPeriod(creationPeriod);
+        wallets.setBtcBalanceRange(minBtcBalance, maxBtcBalance);
+        wallets.setMaxAge(maxAge);
+    }
+
+    /// @return creationPeriod Value of the wallet creation period
+    /// @return minBtcBalance Value of the minimum BTC balance
+    /// @return maxBtcBalance Value of the maximum BTC balance
+    /// @return maxAge Value of the wallet max age
+    function getWalletsParameters()
+        external
+        view
+        returns (
+            uint32 creationPeriod,
+            uint64 minBtcBalance,
+            uint64 maxBtcBalance,
+            uint32 maxAge
+        )
+    {
+        creationPeriod = wallets.creationPeriod;
+        minBtcBalance = wallets.minBtcBalance;
+        maxBtcBalance = wallets.maxBtcBalance;
+        maxAge = wallets.maxAge;
+
+        return (creationPeriod, minBtcBalance, maxBtcBalance, maxAge);
+    }
 
     /// @notice Allows the Governance to mark the given vault address as trusted
     ///         or no longer trusted. Vaults are not trusted by default.
@@ -410,6 +453,105 @@ contract Bridge is Ownable {
         emit VaultStatusUpdated(vault, isTrusted);
     }
 
+    /// @notice Requests creation of a new wallet. This function just
+    ///         forms a request and the creation process is performed
+    ///         asynchronously. Once a wallet is created, the ECDSA Wallet
+    ///         Registry will notify this contract by calling the
+    ///         `__ecdsaWalletCreatedCallback` function.
+    /// @param activeWalletMainUtxo Data of the active wallet's main UTXO, as
+    ///        currently known on the Ethereum chain.
+    /// @dev Requirements:
+    ///      - `activeWalletMainUtxo` components must point to the recent main
+    ///        UTXO of the given active wallet, as currently known on the
+    ///        Ethereum chain. If there is no active wallet at the moment, or
+    ///        the active wallet has no main UTXO, this parameter can be
+    ///        empty as it is ignored.
+    ///      - Wallet creation must not be in progress
+    ///      - If the active wallet is set, one of the following
+    ///        conditions must be true:
+    ///        - The active wallet BTC balance is above the minimum threshold
+    ///          and the active wallet is old enough, i.e. the creation period
+    ///          was elapsed since its creation time
+    ///        - The active wallet BTC balance is above the maximum threshold
+    function requestNewWallet(BitcoinTx.UTXO calldata activeWalletMainUtxo)
+        external
+    {
+        wallets.requestNewWallet(activeWalletMainUtxo);
+    }
+
+    /// @notice A callback function that is called by the ECDSA Wallet Registry
+    ///         once a new ECDSA wallet is created.
+    /// @param ecdsaWalletID Wallet's unique identifier.
+    /// @param publicKeyX Wallet's public key's X coordinate.
+    /// @param publicKeyY Wallet's public key's Y coordinate.
+    /// @dev Requirements:
+    ///      - The only caller authorized to call this function is `registry`
+    ///      - Given wallet data must not belong to an already registered wallet
+    function __ecdsaWalletCreatedCallback(
+        bytes32 ecdsaWalletID,
+        bytes32 publicKeyX,
+        bytes32 publicKeyY
+    ) external override {
+        wallets.registerNewWallet(ecdsaWalletID, publicKeyX, publicKeyY);
+    }
+
+    /// @notice A callback function that is called by the ECDSA Wallet Registry
+    ///         once a wallet heartbeat failure is detected.
+    /// @param publicKeyX Wallet's public key's X coordinate
+    /// @param publicKeyY Wallet's public key's Y coordinate
+    /// @dev Requirements:
+    ///      - The only caller authorized to call this function is `registry`
+    ///      - Wallet must be in Live state
+    function __ecdsaWalletHeartbeatFailedCallback(
+        bytes32,
+        bytes32 publicKeyX,
+        bytes32 publicKeyY
+    ) external override {
+        wallets.notifyWalletHeartbeatFailed(publicKeyX, publicKeyY);
+    }
+
+    /// @notice Notifies that the wallet is either old enough or has too few
+    ///         satoshis left and qualifies to be closed.
+    /// @param walletPubKeyHash 20-byte public key hash of the wallet
+    /// @param walletMainUtxo Data of the wallet's main UTXO, as currently
+    ///        known on the Ethereum chain.
+    /// @dev Requirements:
+    ///      - Wallet must not be set as the current active wallet
+    ///      - Wallet must exceed the wallet maximum age OR the wallet BTC
+    ///        balance must be lesser than the minimum threshold. If the latter
+    ///        case is true, the `walletMainUtxo` components must point to the
+    ///        recent main UTXO of the given wallet, as currently known on the
+    ///        Ethereum chain. If the wallet has no main UTXO, this parameter
+    ///        can be empty as it is ignored since the wallet balance is
+    ///        assumed to be zero.
+    ///      - Wallet must be in Live state
+    function notifyCloseableWallet(
+        bytes20 walletPubKeyHash,
+        BitcoinTx.UTXO calldata walletMainUtxo
+    ) external {
+        wallets.notifyCloseableWallet(walletPubKeyHash, walletMainUtxo);
+    }
+
+    /// @notice Gets details about a registered wallet.
+    /// @param walletPubKeyHash The 20-byte wallet public key hash (computed
+    ///        using Bitcoin HASH160 over the compressed ECDSA public key)
+    /// @return Wallet details.
+    function getWallet(bytes20 walletPubKeyHash)
+        external
+        view
+        returns (Wallets.Wallet memory)
+    {
+        return wallets.registeredWallets[walletPubKeyHash];
+    }
+
+    /// @notice Gets the public key hash of the active wallet.
+    /// @return The 20-byte public key hash (computed using Bitcoin HASH160
+    ///         over the compressed ECDSA public key) of the active wallet.
+    ///         Returns bytes20(0) if there is no active wallet at the moment.
+    function getActiveWalletPubKeyHash() external view returns (bytes20) {
+        return wallets.activeWalletPubKeyHash;
+    }
+
     /// @notice Determines the current Bitcoin SPV proof difficulty context.
     /// @return proofDifficulty Bitcoin proof difficulty context.
     function proofDifficultyContext()
@@ -468,7 +610,7 @@ contract Bridge is Ownable {
             "Vault is not trusted"
         );
 
-        // TODO: Validate if `walletPubKeyHash` is a known and active wallet.
+        // TODO: Validate if `walletPubKeyHash` is a known and live wallet.
         // TODO: Should we enforce a specific locktime at contract level?
 
         bytes memory expectedScript = abi.encodePacked(
@@ -549,7 +691,10 @@ contract Bridge is Ownable {
 
         uint64 fundingOutputAmount = fundingOutput.extractValue();
 
-        // TODO: Check the amount against the dust threshold.
+        require(
+            fundingOutputAmount >= depositDustThreshold,
+            "Deposit amount too small"
+        );
 
         deposit.amount = fundingOutputAmount;
         deposit.depositor = reveal.depositor;
@@ -634,7 +779,11 @@ contract Bridge is Ownable {
             uint64 sweepTxOutputValue
         ) = processSweepTxOutput(sweepTx.outputVector);
 
-        // TODO: Validate if `walletPubKeyHash` is a known and active wallet.
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        // TODO: Validate if `walletPubKeyHash` is a known and live wallet.
 
         // Check if the main UTXO for given wallet exists. If so, validate
         // passed main UTXO data against the stored hash and use them for
@@ -644,7 +793,7 @@ contract Bridge is Ownable {
             0,
             0
         );
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallet.mainUtxoHash;
         if (mainUtxoHash != bytes32(0)) {
             require(
                 keccak256(
@@ -712,7 +861,7 @@ contract Bridge is Ownable {
         // Record this sweep data and assign them to the wallet public key hash
         // as new main UTXO. Transaction output index is always 0 as sweep
         // transaction always contains only one output.
-        mainUtxos[walletPubKeyHash] = keccak256(
+        wallet.mainUtxoHash = keccak256(
             abi.encodePacked(sweepTxHash, uint32(0), sweepTxOutputValue)
         );
 
@@ -983,7 +1132,7 @@ contract Bridge is Ownable {
     /// @notice Requests redemption of the given amount from the specified
     ///         wallet to the redeemer Bitcoin output script.
     /// @param walletPubKeyHash The 20-byte wallet public key hash (computed
-    //         using Bitcoin HASH160 over the compressed ECDSA public key)
+    ///        using Bitcoin HASH160 over the compressed ECDSA public key)
     /// @param mainUtxo Data of the wallet's main UTXO, as currently known on
     ///        the Ethereum chain
     /// @param redeemerOutputScript The redeemer's length-prefixed output
@@ -998,7 +1147,7 @@ contract Bridge is Ownable {
     ///        `amount - (amount / redemptionTreasuryFeeDivisor) - redemptionTxMaxFee`.
     ///        Fees values are taken at the moment of request creation.
     /// @dev Requirements:
-    ///      - Wallet behind `walletPubKeyHash` must be active
+    ///      - Wallet behind `walletPubKeyHash` must be live
     ///      - `mainUtxo` components must point to the recent main UTXO
     ///        of the given wallet, as currently known on the Ethereum chain.
     ///      - `redeemerOutputScript` must be a proper Bitcoin script
@@ -1015,12 +1164,16 @@ contract Bridge is Ownable {
         bytes calldata redeemerOutputScript,
         uint64 amount
     ) external {
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
         require(
-            wallets[walletPubKeyHash].state == WalletState.Active,
-            "Wallet must be in Active state"
+            wallet.state == Wallets.WalletState.Live,
+            "Wallet must be in Live state"
         );
 
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallet.mainUtxoHash;
         require(
             mainUtxoHash != bytes32(0),
             "No main UTXO for the given wallet"
@@ -1082,7 +1235,7 @@ contract Bridge is Ownable {
 
         // Check if given redemption key is not used by a pending redemption.
         // There is no need to check for existence in `timedOutRedemptions`
-        // since the wallet's state is changed to other than Active after
+        // since the wallet's state is changed to other than Live after
         // first time out is reported so making new requests is not possible.
         // slither-disable-next-line incorrect-equality
         require(
@@ -1103,12 +1256,9 @@ contract Bridge is Ownable {
         // wallet we need to subtract the total value of all pending redemptions
         // from that wallet's main UTXO value. Given that the treasury fee is
         // not redeemed from the wallet, we are subtracting it.
-        wallets[walletPubKeyHash].pendingRedemptionsValue +=
-            amount -
-            treasuryFee;
+        wallet.pendingRedemptionsValue += amount - treasuryFee;
         require(
-            mainUtxo.txOutputValue >=
-                wallets[walletPubKeyHash].pendingRedemptionsValue,
+            mainUtxo.txOutputValue >= wallet.pendingRedemptionsValue,
             "Insufficient wallet funds"
         );
 
@@ -1205,11 +1355,15 @@ contract Bridge is Ownable {
             walletPubKeyHash
         );
 
-        WalletState walletState = wallets[walletPubKeyHash].state;
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        Wallets.WalletState walletState = wallet.state;
         require(
-            walletState == WalletState.Active ||
-                walletState == WalletState.MovingFunds,
-            "Wallet must be in Active or MovingFuds state"
+            walletState == Wallets.WalletState.Live ||
+                walletState == Wallets.WalletState.MovingFunds,
+            "Wallet must be in Live or MovingFuds state"
         );
 
         // Process redemption transaction outputs to extract some info required
@@ -1222,7 +1376,7 @@ contract Bridge is Ownable {
         if (outputsInfo.changeValue > 0) {
             // If the change value is grater than zero, it means the change
             // output exists and can be used as new wallet's main UTXO.
-            mainUtxos[walletPubKeyHash] = keccak256(
+            wallet.mainUtxoHash = keccak256(
                 abi.encodePacked(
                     redemptionTxHash,
                     outputsInfo.changeIndex,
@@ -1233,11 +1387,10 @@ contract Bridge is Ownable {
             // If the change value is zero, it means the change output doesn't
             // exists and no funds left on the wallet. Delete the main UTXO
             // for that wallet to represent that state in a proper way.
-            delete mainUtxos[walletPubKeyHash];
+            delete wallet.mainUtxoHash;
         }
 
-        wallets[walletPubKeyHash].pendingRedemptionsValue -= outputsInfo
-            .totalBurnableValue;
+        wallet.pendingRedemptionsValue -= outputsInfo.totalBurnableValue;
 
         emit RedemptionsCompleted(walletPubKeyHash, redemptionTxHash);
 
@@ -1263,7 +1416,9 @@ contract Bridge is Ownable {
         bytes20 walletPubKeyHash
     ) internal view {
         // Assert that main UTXO for passed wallet exists in storage.
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallets
+            .registeredWallets[walletPubKeyHash]
+            .mainUtxoHash;
         require(mainUtxoHash != bytes32(0), "No main UTXO for given wallet");
 
         // Assert that passed main UTXO parameter is the same as in storage and
@@ -1526,7 +1681,7 @@ contract Bridge is Ownable {
     //          by copying the entire `RedemptionRequest` struct there. No need
     //          to check if `timedOutRedemptions` mapping already contains
     //          that key because `requestRedemption` blocks requests targeting
-    //          non-active wallets. Because `notifyRedemptionTimeout` changes
+    //          non-live wallets. Because `notifyRedemptionTimeout` changes
     //          wallet state after first call (point 9), there is no possibility
     //          that the given redemption key could be reported as timed out
     //          multiple times. At the same time, if the given redemption key
@@ -1537,83 +1692,6 @@ contract Bridge is Ownable {
     //       7. Reduce the `pendingRedemptionsValue` (`wallets` mapping) for
     //          given wallet by request's redeemable amount computed as
     //          `requestedAmount - treasuryFee`.
-    //       8. Punish the wallet, probably by slashing its operators.
-    //       9. Change wallet's state in `wallets` mapping to `MovingFunds` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet.
-    //      10. Expect the wallet to transfer its funds to another healthy
-    //          wallet (just as in case of failed heartbeat). The wallet is
-    //          expected to finish the already queued redemption requests
-    //          before moving funds but we are not going to enforce it on-chain.
-
-    // TODO: Function `submitRedemptionFraudProof`
-    //
-    //       Deposit and redemption fraud proofs are challenging to implement
-    //       and it may happen we will have to rely on the coverage pool
-    //       (https://github.com/keep-network/coverage-pools) and DAO to
-    //       reimburse unlucky depositors and bring back the balance to the
-    //       system in case  of a wallet fraud by liquidating a part of the
-    //       coverage pool manually.
-    //
-    //       The probability of 51-of-100 wallet being fraudulent is negligible:
-    //       https://github.com/keep-network/tbtc-v2/blob/main/docs/rfc/rfc-2.adoc#111-group-size-and-threshold
-    //       and the coverage pool would be there to bring the balance back in
-    //       case we are unlucky and malicious wallet emerges.
-    //
-    //       We do not want to slash for a misbehavior that is not provable
-    //       on-chain and it is possible to construct such a Bitcoin transaction
-    //       that is not provable on Ethereum, see
-    //       https://consensys.net/diligence/blog/2020/05/tbtc-navigating-the-cross-chain-conundrum
-    //
-    //       The algorithm described below assumes we will be able to prove the
-    //       TX on Ethereum which may not always be the case. Consider the steps
-    //       below as an idea, and not necessarily how this function will be
-    //       implemented because it may happen this function will never be
-    //       implemented, given the Bitcoin transaction size problems.
-    //
-    //       The algorithm:
-    //       1. Take a `BitcoinTx.Info` and `BitcoinTx.Proof` of the
-    //          fraudulent transaction. It should also accept `walletPubKeyHash`
-    //          and index of fraudulent output. Probably index of fraudulent
-    //          input will be also required if the transaction is supposed
-    //          to have a bad input vector.
-    //       2. Perform SPV proof to make sure it occurred on Bitcoin chain.
-    //          If not - revert.
-    //       3. Check if wallet state is Active or MovingFunds. If not, revert.
-    //       4. Validate the number of inputs. If there is one input and it
-    //          points to the wallet's main UTXO - move to point 5. If there
-    //          are multiple inputs and there is wallet's main UTXO in the set,
-    //          check if this is  a sweep transaction. If it's not a sweep,
-    //          consider it as fraudulent and move to point 6.
-    //          In all other cases revert the call.
-    //       5. Extract the output and analyze its type. The output is not
-    //          a fraud and the call should be reverted ONLY IF one of the
-    //          following conditions is true:
-    //          - Output is a requested redemption held by `pendingRedemptions`
-    //            and output value fulfills the request range. There is an
-    //            open question if a misfunded request should be removed
-    //            from `pendingRedemptions` (probably yes) and whether the
-    //            redeemer should be reimbursed in case of an underfund.
-    //          - Output is a timed out redemption held by `timedOutRedemptions`
-    //            and output value fulfills the request range.
-    //          - Output is a proper change i.e. a single output targeting
-    //            the wallet PKH back and having a non-zero value.
-    //          - Wallet is in MovingFunds state, the output points to the
-    //            expected target wallet, have non-zero value, and is a single
-    //            output in the vector.
-    //          In all other cases consider the transaction as fraud and
-    //          proceed to point 6.
-    //       6. Punish the wallet, probably by severely slashing its operators.
-    //       7. Change wallet's state in `wallets` mapping to `Terminated` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet. This also prevents against reporting a fraud
-    //          multiple times for one transaction (see point 3) and blocks
-    //          submission of sweep and redemption proofs. `Terminated` wallet
-    //          is blocked in the Bridge forever. If the fraud was a mistake
-    //          done by the wallet and the wallet is still honest deep in its
-    //          heart, the wallet can coordinate off-chain to recover the BTC
-    //          and donate it to another wallet. If they recover all of the
-    //          remaining BTC, DAO might decide to reward them with tokens so
-    //          that they can have at least some portion of their slashed
-    //          tokens back.
+    //       8. Call `wallets.notifyRedemptionTimedOut` to propagate timeout
+    //          consequences to the wallet.
 }

package/contracts/bridge/EcdsaLib.sol

@@ -0,0 +1,30 @@
+pragma solidity ^0.8.9;
+
+import "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+
+library EcdsaLib {
+    using BytesLib for bytes;
+
+    /// @notice Converts public key X and Y coordinates (32-byte each) to a
+    ///         compressed public key (33-byte). Compressed public key is X
+    ///         coordinate prefixed with `02` or `03` based on the Y coordinate parity.
+    ///         It is expected that the uncompressed public key is stripped
+    ///         (i.e. it is not prefixed with `04`).
+    /// @param x Wallet's public key's X coordinate.
+    /// @param y Wallet's public key's Y coordinate.
+    /// @return Compressed public key (33-byte), prefixed with `02` or `03`.
+    function compressPublicKey(bytes32 x, bytes32 y)
+        internal
+        pure
+        returns (bytes memory)
+    {
+        bytes1 prefix;
+        if (uint256(y) % 2 == 0) {
+            prefix = hex"02";
+        } else {
+            prefix = hex"03";
+        }
+
+        return bytes.concat(prefix, x);
+    }
+}