@keep-network/tbtc-v2 0.1.1-dev.23 → 0.1.1-dev.26

package/contracts/bridge/Bridge.sol

@@ -19,9 +19,13 @@ import "@openzeppelin/contracts/access/Ownable.sol";
 
 import {BTCUtils} from "@keep-network/bitcoin-spv-sol/contracts/BTCUtils.sol";
 import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
+import {IWalletOwner as EcdsaWalletOwner} from "@keep-network/ecdsa/contracts/api/IWalletOwner.sol";
 
 import "../bank/Bank.sol";
 import "./BitcoinTx.sol";
+import "./EcdsaLib.sol";
+import "./Wallets.sol";
+import "./Frauds.sol";
 
 /// @title Interface for the Bitcoin relay
 /// @notice Contains only the methods needed by tBTC v2. The Bitcoin relay
@@ -54,10 +58,12 @@ interface IRelay {
 ///         wallet informs the Bridge about the sweep increasing appropriate
 ///         balances in the Bank.
 /// @dev Bridge is an upgradeable component of the Bank.
-contract Bridge is Ownable {
+contract Bridge is Ownable, EcdsaWalletOwner {
     using BTCUtils for bytes;
     using BTCUtils for uint256;
     using BytesLib for bytes;
+    using Frauds for Frauds.Data;
+    using Wallets for Wallets.Data;
 
     /// @notice Represents data which must be revealed by the depositor during
     ///         deposit reveal.
@@ -165,36 +171,6 @@ contract Bridge is Ownable {
         uint64 changeValue;
     }
 
-    /// @notice Represents wallet state:
-    enum WalletState {
-        /// @dev The wallet is unknown to the Bridge.
-        Unknown,
-        /// @dev The wallet can sweep deposits and accept redemption requests.
-        Active,
-        /// @dev The wallet was deemed unhealthy and is expected to move their
-        ///      outstanding funds to another wallet. The wallet can still
-        ///      fulfill their pending redemption requests although new
-        ///      redemption requests and new deposit reveals are not accepted.
-        MovingFunds,
-        /// @dev The wallet moved or redeemed all their funds and cannot
-        ///      perform any action.
-        Closed,
-        /// @dev The wallet committed a fraud that was reported. The wallet is
-        ///      blocked and can not perform any actions in the Bridge.
-        ///      Off-chain coordination with the wallet operators is needed to
-        ///      recover funds.
-        Terminated
-    }
-
-    /// @notice Holds information about a wallet.
-    struct Wallet {
-        // Current state of the wallet.
-        WalletState state;
-        // The total redeemable value of pending redemption requests targeting
-        // that wallet.
-        uint64 pendingRedemptionsValue;
-    }
-
     /// @notice The number of confirmations on the Bitcoin chain required to
     ///         successfully evaluate an SPV proof.
     uint256 public immutable txProofDifficultyFactor;
@@ -287,14 +263,15 @@ contract Bridge is Ownable {
     ///         validating them before attempting to execute a sweep.
     mapping(uint256 => DepositRequest) public deposits;
 
-    /// @notice Maps the 20-byte wallet public key hash (computed using
-    ///         Bitcoin HASH160 over the compressed ECDSA public key) to
-    ///         the latest wallet's main UTXO computed as
-    ///         keccak256(txHash | txOutputIndex | txOutputValue). The `tx`
-    ///         prefix refers to the transaction which created that main UTXO.
-    ///         The txHash is bytes32 (ordered as in Bitcoin internally),
-    ///         txOutputIndex an uint32, and txOutputValue an uint64 value.
-    mapping(bytes20 => bytes32) public mainUtxos;
+    //TODO: Remember to update this map when implementing transferring funds
+    //      between wallets (insert the main UTXO that was used as the input).
+    /// @notice Collection of main UTXOs that are honestly spent indexed by
+    ///         keccak256(fundingTxHash | fundingOutputIndex). The fundingTxHash
+    ///         is bytes32 (ordered as in Bitcoin internally) and
+    ///         fundingOutputIndex an uint32. A main UTXO is considered honestly
+    ///         spent if it was used as an input of a transaction that have been
+    ///         proven in the Bridge.
+    mapping(uint256 => bool) public spentMainUTXOs;
 
     /// @notice Collection of all pending redemption requests indexed by
     ///         redemption key built as
@@ -310,8 +287,6 @@ contract Bridge is Ownable {
     ///           successfully
     ///         - `notifyRedemptionTimeout` in case the request was reported
     ///           to be timed out
-    ///         - `submitRedemptionFraudProof` in case the request was handled
-    ///           in an fraudulent way amount-wise.
     mapping(uint256 => RedemptionRequest) public pendingRedemptions;
 
     /// @notice Collection of all timed out redemptions requests indexed by
@@ -332,17 +307,60 @@ contract Bridge is Ownable {
     // slither-disable-next-line uninitialized-state
     mapping(uint256 => RedemptionRequest) public timedOutRedemptions;
 
-    /// @notice Maps the 20-byte wallet public key hash (computed using
-    ///         Bitcoin HASH160 over the compressed ECDSA public key) to the
-    ///         basic wallet information like state and pending
-    ///         redemptions value.
-    ///
-    // TODO: Remove that Slither disable once this variable is used.
-    // slither-disable-next-line uninitialized-state
-    mapping(bytes20 => Wallet) public wallets;
+    /// @notice Contains parameters related to frauds and the collection of all
+    ///         submitted fraud challenges.
+    Frauds.Data internal frauds;
+
+    /// @notice State related with wallets.
+    Wallets.Data internal wallets;
+
+    event WalletCreationPeriodUpdated(uint32 newCreationPeriod);
+
+    event WalletBtcBalanceRangeUpdated(
+        uint64 newMinBtcBalance,
+        uint64 newMaxBtcBalance
+    );
+
+    event WalletMaxAgeUpdated(uint32 newMaxAge);
+
+    event NewWalletRequested();
+
+    event NewWalletRegistered(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletMovingFunds(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletClosed(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
+
+    event WalletTerminated(
+        bytes32 indexed ecdsaWalletID,
+        bytes20 indexed walletPubKeyHash
+    );
 
     event VaultStatusUpdated(address indexed vault, bool isTrusted);
 
+    event FraudSlashingAmountUpdated(uint256 newFraudSlashingAmount);
+
+    event FraudNotifierRewardMultiplierUpdated(
+        uint256 newFraudNotifierRewardMultiplier
+    );
+
+    event FraudChallengeDefeatTimeoutUpdated(
+        uint256 newFraudChallengeDefeatTimeout
+    );
+
+    event FraudChallengeDepositAmountUpdated(
+        uint256 newFraudChallengeDepositAmount
+    );
+
     event DepositRevealed(
         bytes32 fundingTxHash,
         uint32 fundingOutputIndex,
@@ -371,10 +389,26 @@ contract Bridge is Ownable {
         bytes32 redemptionTxHash
     );
 
+    event FraudChallengeSubmitted(
+        bytes20 walletPublicKeyHash,
+        bytes32 sighash,
+        uint8 v,
+        bytes32 r,
+        bytes32 s
+    );
+
+    event FraudChallengeDefeated(bytes20 walletPublicKeyHash, bytes32 sighash);
+
+    event FraudChallengeDefeatTimedOut(
+        bytes20 walletPublicKeyHash,
+        bytes32 sighash
+    );
+
     constructor(
         address _bank,
         address _relay,
         address _treasury,
+        address _ecdsaWalletRegistry,
         uint256 _txProofDifficultyFactor
     ) {
         require(_bank != address(0), "Bank address cannot be zero");
@@ -396,10 +430,59 @@ contract Bridge is Ownable {
         redemptionTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
         redemptionTxMaxFee = 1000; // 1000 satoshi
         redemptionTimeout = 172800; // 48 hours
+        frauds.setSlashingAmount(10000 * 1e18); // 10000 T
+        frauds.setNotifierRewardMultiplier(100); // 100%
+        frauds.setChallengeDefeatTimeout(7 days);
+        frauds.setChallengeDepositAmount(2 ether);
+
+        // TODO: Revisit initial values.
+        wallets.init(_ecdsaWalletRegistry);
+        wallets.setCreationPeriod(1 weeks);
+        wallets.setBtcBalanceRange(1 * 1e8, 10 * 1e8); // [1 BTC, 10 BTC]
+        wallets.setMaxAge(26 weeks); // ~6 months
     }
 
-    // TODO: Add function `onNewWalletCreated` according to discussion:
-    //       https://github.com/keep-network/tbtc-v2/pull/128#discussion_r809885230
+    /// @notice Updates parameters used by the `Wallets` library.
+    /// @param creationPeriod New value of the wallet creation period
+    /// @param minBtcBalance New value of the minimum BTC balance
+    /// @param maxBtcBalance New value of the maximum BTC balance
+    /// @param maxAge New value of the wallet maximum age
+    /// @dev Requirements:
+    ///      - Caller must be the contract owner.
+    ///      - Minimum BTC balance must be greater than zero
+    ///      - Maximum BTC balance must be greater than minimum BTC balance
+    function updateWalletsParameters(
+        uint32 creationPeriod,
+        uint64 minBtcBalance,
+        uint64 maxBtcBalance,
+        uint32 maxAge
+    ) external onlyOwner {
+        wallets.setCreationPeriod(creationPeriod);
+        wallets.setBtcBalanceRange(minBtcBalance, maxBtcBalance);
+        wallets.setMaxAge(maxAge);
+    }
+
+    /// @return creationPeriod Value of the wallet creation period
+    /// @return minBtcBalance Value of the minimum BTC balance
+    /// @return maxBtcBalance Value of the maximum BTC balance
+    /// @return maxAge Value of the wallet max age
+    function getWalletsParameters()
+        external
+        view
+        returns (
+            uint32 creationPeriod,
+            uint64 minBtcBalance,
+            uint64 maxBtcBalance,
+            uint32 maxAge
+        )
+    {
+        creationPeriod = wallets.creationPeriod;
+        minBtcBalance = wallets.minBtcBalance;
+        maxBtcBalance = wallets.maxBtcBalance;
+        maxAge = wallets.maxAge;
+
+        return (creationPeriod, minBtcBalance, maxBtcBalance, maxAge);
+    }
 
     /// @notice Allows the Governance to mark the given vault address as trusted
     ///         or no longer trusted. Vaults are not trusted by default.
@@ -419,6 +502,105 @@ contract Bridge is Ownable {
         emit VaultStatusUpdated(vault, isTrusted);
     }
 
+    /// @notice Requests creation of a new wallet. This function just
+    ///         forms a request and the creation process is performed
+    ///         asynchronously. Once a wallet is created, the ECDSA Wallet
+    ///         Registry will notify this contract by calling the
+    ///         `__ecdsaWalletCreatedCallback` function.
+    /// @param activeWalletMainUtxo Data of the active wallet's main UTXO, as
+    ///        currently known on the Ethereum chain.
+    /// @dev Requirements:
+    ///      - `activeWalletMainUtxo` components must point to the recent main
+    ///        UTXO of the given active wallet, as currently known on the
+    ///        Ethereum chain. If there is no active wallet at the moment, or
+    ///        the active wallet has no main UTXO, this parameter can be
+    ///        empty as it is ignored.
+    ///      - Wallet creation must not be in progress
+    ///      - If the active wallet is set, one of the following
+    ///        conditions must be true:
+    ///        - The active wallet BTC balance is above the minimum threshold
+    ///          and the active wallet is old enough, i.e. the creation period
+    ///          was elapsed since its creation time
+    ///        - The active wallet BTC balance is above the maximum threshold
+    function requestNewWallet(BitcoinTx.UTXO calldata activeWalletMainUtxo)
+        external
+    {
+        wallets.requestNewWallet(activeWalletMainUtxo);
+    }
+
+    /// @notice A callback function that is called by the ECDSA Wallet Registry
+    ///         once a new ECDSA wallet is created.
+    /// @param ecdsaWalletID Wallet's unique identifier.
+    /// @param publicKeyX Wallet's public key's X coordinate.
+    /// @param publicKeyY Wallet's public key's Y coordinate.
+    /// @dev Requirements:
+    ///      - The only caller authorized to call this function is `registry`
+    ///      - Given wallet data must not belong to an already registered wallet
+    function __ecdsaWalletCreatedCallback(
+        bytes32 ecdsaWalletID,
+        bytes32 publicKeyX,
+        bytes32 publicKeyY
+    ) external override {
+        wallets.registerNewWallet(ecdsaWalletID, publicKeyX, publicKeyY);
+    }
+
+    /// @notice A callback function that is called by the ECDSA Wallet Registry
+    ///         once a wallet heartbeat failure is detected.
+    /// @param publicKeyX Wallet's public key's X coordinate
+    /// @param publicKeyY Wallet's public key's Y coordinate
+    /// @dev Requirements:
+    ///      - The only caller authorized to call this function is `registry`
+    ///      - Wallet must be in Live state
+    function __ecdsaWalletHeartbeatFailedCallback(
+        bytes32,
+        bytes32 publicKeyX,
+        bytes32 publicKeyY
+    ) external override {
+        wallets.notifyWalletHeartbeatFailed(publicKeyX, publicKeyY);
+    }
+
+    /// @notice Notifies that the wallet is either old enough or has too few
+    ///         satoshis left and qualifies to be closed.
+    /// @param walletPubKeyHash 20-byte public key hash of the wallet
+    /// @param walletMainUtxo Data of the wallet's main UTXO, as currently
+    ///        known on the Ethereum chain.
+    /// @dev Requirements:
+    ///      - Wallet must not be set as the current active wallet
+    ///      - Wallet must exceed the wallet maximum age OR the wallet BTC
+    ///        balance must be lesser than the minimum threshold. If the latter
+    ///        case is true, the `walletMainUtxo` components must point to the
+    ///        recent main UTXO of the given wallet, as currently known on the
+    ///        Ethereum chain. If the wallet has no main UTXO, this parameter
+    ///        can be empty as it is ignored since the wallet balance is
+    ///        assumed to be zero.
+    ///      - Wallet must be in Live state
+    function notifyCloseableWallet(
+        bytes20 walletPubKeyHash,
+        BitcoinTx.UTXO calldata walletMainUtxo
+    ) external {
+        wallets.notifyCloseableWallet(walletPubKeyHash, walletMainUtxo);
+    }
+
+    /// @notice Gets details about a registered wallet.
+    /// @param walletPubKeyHash The 20-byte wallet public key hash (computed
+    ///        using Bitcoin HASH160 over the compressed ECDSA public key)
+    /// @return Wallet details.
+    function getWallet(bytes20 walletPubKeyHash)
+        external
+        view
+        returns (Wallets.Wallet memory)
+    {
+        return wallets.registeredWallets[walletPubKeyHash];
+    }
+
+    /// @notice Gets the public key hash of the active wallet.
+    /// @return The 20-byte public key hash (computed using Bitcoin HASH160
+    ///         over the compressed ECDSA public key) of the active wallet.
+    ///         Returns bytes20(0) if there is no active wallet at the moment.
+    function getActiveWalletPubKeyHash() external view returns (bytes20) {
+        return wallets.activeWalletPubKeyHash;
+    }
+
     /// @notice Determines the current Bitcoin SPV proof difficulty context.
     /// @return proofDifficulty Bitcoin proof difficulty context.
     function proofDifficultyContext()
@@ -477,7 +659,7 @@ contract Bridge is Ownable {
             "Vault is not trusted"
         );
 
-        // TODO: Validate if `walletPubKeyHash` is a known and active wallet.
+        // TODO: Validate if `walletPubKeyHash` is a known and live wallet.
         // TODO: Should we enforce a specific locktime at contract level?
 
         bytes memory expectedScript = abi.encodePacked(
@@ -646,7 +828,11 @@ contract Bridge is Ownable {
             uint64 sweepTxOutputValue
         ) = processSweepTxOutput(sweepTx.outputVector);
 
-        // TODO: Validate if `walletPubKeyHash` is a known and active wallet.
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        // TODO: Validate if `walletPubKeyHash` is a known and live wallet.
 
         // Check if the main UTXO for given wallet exists. If so, validate
         // passed main UTXO data against the stored hash and use them for
@@ -656,7 +842,7 @@ contract Bridge is Ownable {
             0,
             0
         );
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallet.mainUtxoHash;
         if (mainUtxoHash != bytes32(0)) {
             require(
                 keccak256(
@@ -724,7 +910,7 @@ contract Bridge is Ownable {
         // Record this sweep data and assign them to the wallet public key hash
         // as new main UTXO. Transaction output index is always 0 as sweep
         // transaction always contains only one output.
-        mainUtxos[walletPubKeyHash] = keccak256(
+        wallet.mainUtxoHash = keccak256(
             abi.encodePacked(sweepTxHash, uint32(0), sweepTxOutputValue)
         );
 
@@ -896,6 +1082,15 @@ contract Bridge is Ownable {
                 // the expected main UTXO.
                 info.inputsTotalValue += mainUtxo.txOutputValue;
                 mainUtxoFound = true;
+
+                // Main UTXO used as an input, mark it as spent.
+                spentMainUTXOs[
+                    uint256(
+                        keccak256(
+                            abi.encodePacked(outpointTxHash, outpointIndex)
+                        )
+                    )
+                ] = true;
             } else {
                 revert("Unknown input type");
             }
@@ -995,7 +1190,7 @@ contract Bridge is Ownable {
     /// @notice Requests redemption of the given amount from the specified
     ///         wallet to the redeemer Bitcoin output script.
     /// @param walletPubKeyHash The 20-byte wallet public key hash (computed
-    //         using Bitcoin HASH160 over the compressed ECDSA public key)
+    ///        using Bitcoin HASH160 over the compressed ECDSA public key)
     /// @param mainUtxo Data of the wallet's main UTXO, as currently known on
     ///        the Ethereum chain
     /// @param redeemerOutputScript The redeemer's length-prefixed output
@@ -1010,7 +1205,7 @@ contract Bridge is Ownable {
     ///        `amount - (amount / redemptionTreasuryFeeDivisor) - redemptionTxMaxFee`.
     ///        Fees values are taken at the moment of request creation.
     /// @dev Requirements:
-    ///      - Wallet behind `walletPubKeyHash` must be active
+    ///      - Wallet behind `walletPubKeyHash` must be live
     ///      - `mainUtxo` components must point to the recent main UTXO
     ///        of the given wallet, as currently known on the Ethereum chain.
     ///      - `redeemerOutputScript` must be a proper Bitcoin script
@@ -1027,12 +1222,16 @@ contract Bridge is Ownable {
         bytes calldata redeemerOutputScript,
         uint64 amount
     ) external {
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
         require(
-            wallets[walletPubKeyHash].state == WalletState.Active,
-            "Wallet must be in Active state"
+            wallet.state == Wallets.WalletState.Live,
+            "Wallet must be in Live state"
         );
 
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallet.mainUtxoHash;
         require(
             mainUtxoHash != bytes32(0),
             "No main UTXO for the given wallet"
@@ -1094,7 +1293,7 @@ contract Bridge is Ownable {
 
         // Check if given redemption key is not used by a pending redemption.
         // There is no need to check for existence in `timedOutRedemptions`
-        // since the wallet's state is changed to other than Active after
+        // since the wallet's state is changed to other than Live after
         // first time out is reported so making new requests is not possible.
         // slither-disable-next-line incorrect-equality
         require(
@@ -1115,12 +1314,9 @@ contract Bridge is Ownable {
         // wallet we need to subtract the total value of all pending redemptions
         // from that wallet's main UTXO value. Given that the treasury fee is
         // not redeemed from the wallet, we are subtracting it.
-        wallets[walletPubKeyHash].pendingRedemptionsValue +=
-            amount -
-            treasuryFee;
+        wallet.pendingRedemptionsValue += amount - treasuryFee;
         require(
-            mainUtxo.txOutputValue >=
-                wallets[walletPubKeyHash].pendingRedemptionsValue,
+            mainUtxo.txOutputValue >= wallet.pendingRedemptionsValue,
             "Insufficient wallet funds"
         );
 
@@ -1217,11 +1413,15 @@ contract Bridge is Ownable {
             walletPubKeyHash
         );
 
-        WalletState walletState = wallets[walletPubKeyHash].state;
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        Wallets.WalletState walletState = wallet.state;
         require(
-            walletState == WalletState.Active ||
-                walletState == WalletState.MovingFunds,
-            "Wallet must be in Active or MovingFuds state"
+            walletState == Wallets.WalletState.Live ||
+                walletState == Wallets.WalletState.MovingFunds,
+            "Wallet must be in Live or MovingFuds state"
         );
 
         // Process redemption transaction outputs to extract some info required
@@ -1234,7 +1434,7 @@ contract Bridge is Ownable {
         if (outputsInfo.changeValue > 0) {
             // If the change value is grater than zero, it means the change
             // output exists and can be used as new wallet's main UTXO.
-            mainUtxos[walletPubKeyHash] = keccak256(
+            wallet.mainUtxoHash = keccak256(
                 abi.encodePacked(
                     redemptionTxHash,
                     outputsInfo.changeIndex,
@@ -1245,11 +1445,10 @@ contract Bridge is Ownable {
             // If the change value is zero, it means the change output doesn't
             // exists and no funds left on the wallet. Delete the main UTXO
             // for that wallet to represent that state in a proper way.
-            delete mainUtxos[walletPubKeyHash];
+            delete wallet.mainUtxoHash;
         }
 
-        wallets[walletPubKeyHash].pendingRedemptionsValue -= outputsInfo
-            .totalBurnableValue;
+        wallet.pendingRedemptionsValue -= outputsInfo.totalBurnableValue;
 
         emit RedemptionsCompleted(walletPubKeyHash, redemptionTxHash);
 
@@ -1257,6 +1456,187 @@ contract Bridge is Ownable {
         bank.transferBalance(treasury, outputsInfo.totalTreasuryFee);
     }
 
+    /// @notice Submits a fraud challenge indicating that a UTXO being under
+    ///         wallet control was unlocked by the wallet but was not used
+    ///         according to the protocol rules. That means the wallet signed
+    ///         a transaction input pointing to that UTXO and there is a unique
+    ///         sighash and signature pair associated with that input. This
+    ///         function uses those parameters to create a fraud accusation that
+    ///         proves a given transaction input unlocking the given UTXO was
+    ///         actually signed by the wallet. This function cannot determine
+    ///         whether the transaction was actually broadcast and the input was
+    ///         consumed in a fraudulent way so it just opens a challenge period
+    ///         during which the wallet can defeat the challenge by submitting
+    ///         proof of a transaction that consumes the given input according
+    ///         to protocol rules. To prevent spurious allegations, the caller
+    ///         must deposit ETH that is returned back upon justified fraud
+    ///         challenge or confiscated otherwise.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param sighash The hash that was used to produce the ECDSA signature
+    ///        that is the subject of the fraud claim. This hash is constructed
+    ///        by applying double SHA-256 over a serialized subset of the
+    ///        transaction. The exact subset used as hash preimage depends on
+    ///        the transaction input the signature is produced for. See BIP-143
+    ///        for reference
+    /// @param signature Bitcoin signature in the R/S/V format
+    /// @dev Requirements:
+    ///      - Wallet behind `walletPubKey` must be in `Live` or `MovingFunds`
+    ///        state
+    ///      - The challenger must send appropriate amount of ETH used as
+    ///        fraud challenge deposit
+    ///      - The signature (represented by r, s and v) must be generated by
+    ///        the wallet behind `walletPubKey` during signing of `sighash`
+    ///      - Wallet can be challenged for the given signature only once
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function submitFraudChallenge(
+        bytes calldata walletPublicKey,
+        bytes32 sighash,
+        BitcoinTx.RSVSignature calldata signature
+    ) external payable {
+        bytes memory compressedWalletPublicKey = EcdsaLib.compressPublicKey(
+            walletPublicKey.slice32(0),
+            walletPublicKey.slice32(32)
+        );
+        bytes20 walletPubKeyHash = compressedWalletPublicKey.hash160View();
+
+        Wallets.Wallet storage wallet = wallets.registeredWallets[
+            walletPubKeyHash
+        ];
+
+        require(
+            wallet.state == Wallets.WalletState.Live ||
+                wallet.state == Wallets.WalletState.MovingFunds,
+            "Wallet is neither in Live nor MovingFunds state"
+        );
+
+        frauds.submitFraudChallenge(
+            walletPublicKey,
+            walletPubKeyHash,
+            sighash,
+            signature
+        );
+    }
+
+    /// @notice Allows to defeat a pending fraud challenge against a wallet if
+    ///         the transaction that spends the UTXO follows the protocol rules.
+    ///         In order to defeat the challenge the same `walletPublicKey` and
+    ///         signature (represented by `r`, `s` and `v`) must be provided as
+    ///         were used in the fraud challenge. Additionally a preimage must
+    ///         be provided which was used to calculate the sighash during input
+    ///         signing. The fraud challenge defeat attempt will only succeed if
+    ///         the inputs in the preimage are considered honestly spent by the
+    ///         wallet. Therefore the transaction spending the UTXO must be
+    ///         proven in the Bridge before a challenge defeat is called.
+    ///         If successfully defeated, the fraud challenge is marked as
+    ///         resolved and the amount of ether deposited by the challenger is
+    ///         sent to the treasury.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param preimage The preimage which produces sighash used to generate the
+    ///        ECDSA signature that is the subject of the fraud claim. It is a
+    ///        serialized subset of the transaction. The exact subset used as
+    ///        the preimage depends on the transaction input the signature is
+    ///        produced for. See BIP-143 for reference
+    /// @param witness Flag indicating whether the preimage was produced for a
+    ///        witness input. True for witness, false for non-witness input
+    /// @dev Requirements:
+    ///      - `walletPublicKey` and `sighash` calculated as `hash256(preimage)`
+    ///        must identify an open fraud challenge
+    ///      - the preimage must be a valid preimage of a transaction generated
+    ///        according to the protocol rules and already proved in the Bridge
+    ///      - before a defeat attempt is made the transaction that spends the
+    ///        given UTXO must be proven in the Bridge
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function defeatFraudChallenge(
+        bytes calldata walletPublicKey,
+        bytes calldata preimage,
+        bool witness
+    ) external {
+        uint256 utxoKey = frauds.unwrapChallenge(
+            walletPublicKey,
+            preimage,
+            witness
+        );
+
+        // Check that the UTXO key identifies a correctly spent UTXO.
+        require(
+            deposits[utxoKey].sweptAt > 0 || spentMainUTXOs[utxoKey],
+            "Spent UTXO not found among correctly spent UTXOs"
+        );
+
+        frauds.defeatChallenge(walletPublicKey, preimage, treasury);
+    }
+
+    /// @notice Notifies about defeat timeout for the given fraud challenge.
+    ///         Can be called only if there was a fraud challenge identified by
+    ///         the provided `walletPublicKey` and `sighash` and it was not
+    ///         defeated on time. The amount of time that needs to pass after
+    ///         a fraud challenge is reported is indicated by the
+    ///         `challengeDefeatTimeout`. After a successful fraud challenge
+    ///         defeat timeout notification the fraud challenge is marked as
+    ///         resolved, the stake of each operator is slashed, the ether
+    ///         deposited is returned to the challenger and the challenger is
+    ///         rewarded.
+    /// @param walletPublicKey The public key of the wallet in the uncompressed
+    ///        and unprefixed format (64 bytes)
+    /// @param sighash The hash that was used to produce the ECDSA signature
+    ///        that is the subject of the fraud claim. This hash is constructed
+    ///        by applying double SHA-256 over a serialized subset of the
+    ///        transaction. The exact subset used as hash preimage depends on
+    ///        the transaction input the signature is produced for. See BIP-143
+    ///        for reference
+    /// @dev Requirements:
+    ///      - `walletPublicKey`and `sighash` must identify an open fraud
+    ///        challenge
+    ///      - the amount of time indicated by `challengeDefeatTimeout` must
+    ///        pass after the challenge was reported
+    /// TODO: Consider using wallet public key in the X/Y form to avoid slicing.
+    function notifyFraudChallengeDefeatTimeout(
+        bytes calldata walletPublicKey,
+        bytes32 sighash
+    ) external {
+        frauds.notifyFraudChallengeDefeatTimeout(walletPublicKey, sighash);
+    }
+
+    /// @notice Returns parameters used by the `Frauds` library.
+    /// @return slashingAmount Value of the slashing amount
+    /// @return notifierRewardMultiplier Value of the notifier reward multiplier
+    /// @return challengeDefeatTimeout Value of the challenge defeat timeout
+    /// @return challengeDepositAmount Value of the challenge deposit amount
+    function getFraudParameters()
+        external
+        view
+        returns (
+            uint256 slashingAmount,
+            uint256 notifierRewardMultiplier,
+            uint256 challengeDefeatTimeout,
+            uint256 challengeDepositAmount
+        )
+    {
+        slashingAmount = frauds.slashingAmount;
+        notifierRewardMultiplier = frauds.notifierRewardMultiplier;
+        challengeDefeatTimeout = frauds.challengeDefeatTimeout;
+        challengeDepositAmount = frauds.challengeDepositAmount;
+
+        return (
+            slashingAmount,
+            notifierRewardMultiplier,
+            challengeDefeatTimeout,
+            challengeDepositAmount
+        );
+    }
+
+    /// @notice Returns the fraud challenge identified by the given key built
+    ///         as keccak256(walletPublicKey|sighash|v|r|s).
+    function fraudChallenges(uint256 challengeKey)
+        external
+        view
+        returns (Frauds.FraudChallenge memory)
+    {
+        return frauds.challenges[challengeKey];
+    }
+
     /// @notice Validates whether the redemption Bitcoin transaction input
     ///         vector contains a single input referring to the wallet's main
     ///         UTXO. Reverts in case the validation fails.
@@ -1273,9 +1653,11 @@ contract Bridge is Ownable {
         bytes memory redemptionTxInputVector,
         BitcoinTx.UTXO calldata mainUtxo,
         bytes20 walletPubKeyHash
-    ) internal view {
+    ) internal {
         // Assert that main UTXO for passed wallet exists in storage.
-        bytes32 mainUtxoHash = mainUtxos[walletPubKeyHash];
+        bytes32 mainUtxoHash = wallets
+            .registeredWallets[walletPubKeyHash]
+            .mainUtxoHash;
         require(mainUtxoHash != bytes32(0), "No main UTXO for given wallet");
 
         // Assert that passed main UTXO parameter is the same as in storage and
@@ -1302,6 +1684,15 @@ contract Bridge is Ownable {
                 mainUtxo.txOutputIndex == redemptionTxOutpointIndex,
             "Redemption transaction input must point to the wallet's main UTXO"
         );
+
+        // Main UTXO used as an input, mark it as spent.
+        spentMainUTXOs[
+            uint256(
+                keccak256(
+                    abi.encodePacked(mainUtxo.txHash, mainUtxo.txOutputIndex)
+                )
+            )
+        ] = true;
     }
 
     /// @notice Processes the Bitcoin redemption transaction input vector. It
@@ -1538,7 +1929,7 @@ contract Bridge is Ownable {
     //          by copying the entire `RedemptionRequest` struct there. No need
     //          to check if `timedOutRedemptions` mapping already contains
     //          that key because `requestRedemption` blocks requests targeting
-    //          non-active wallets. Because `notifyRedemptionTimeout` changes
+    //          non-live wallets. Because `notifyRedemptionTimeout` changes
     //          wallet state after first call (point 9), there is no possibility
     //          that the given redemption key could be reported as timed out
     //          multiple times. At the same time, if the given redemption key
@@ -1549,83 +1940,6 @@ contract Bridge is Ownable {
     //       7. Reduce the `pendingRedemptionsValue` (`wallets` mapping) for
     //          given wallet by request's redeemable amount computed as
     //          `requestedAmount - treasuryFee`.
-    //       8. Punish the wallet, probably by slashing its operators.
-    //       9. Change wallet's state in `wallets` mapping to `MovingFunds` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet.
-    //      10. Expect the wallet to transfer its funds to another healthy
-    //          wallet (just as in case of failed heartbeat). The wallet is
-    //          expected to finish the already queued redemption requests
-    //          before moving funds but we are not going to enforce it on-chain.
-
-    // TODO: Function `submitRedemptionFraudProof`
-    //
-    //       Deposit and redemption fraud proofs are challenging to implement
-    //       and it may happen we will have to rely on the coverage pool
-    //       (https://github.com/keep-network/coverage-pools) and DAO to
-    //       reimburse unlucky depositors and bring back the balance to the
-    //       system in case  of a wallet fraud by liquidating a part of the
-    //       coverage pool manually.
-    //
-    //       The probability of 51-of-100 wallet being fraudulent is negligible:
-    //       https://github.com/keep-network/tbtc-v2/blob/main/docs/rfc/rfc-2.adoc#111-group-size-and-threshold
-    //       and the coverage pool would be there to bring the balance back in
-    //       case we are unlucky and malicious wallet emerges.
-    //
-    //       We do not want to slash for a misbehavior that is not provable
-    //       on-chain and it is possible to construct such a Bitcoin transaction
-    //       that is not provable on Ethereum, see
-    //       https://consensys.net/diligence/blog/2020/05/tbtc-navigating-the-cross-chain-conundrum
-    //
-    //       The algorithm described below assumes we will be able to prove the
-    //       TX on Ethereum which may not always be the case. Consider the steps
-    //       below as an idea, and not necessarily how this function will be
-    //       implemented because it may happen this function will never be
-    //       implemented, given the Bitcoin transaction size problems.
-    //
-    //       The algorithm:
-    //       1. Take a `BitcoinTx.Info` and `BitcoinTx.Proof` of the
-    //          fraudulent transaction. It should also accept `walletPubKeyHash`
-    //          and index of fraudulent output. Probably index of fraudulent
-    //          input will be also required if the transaction is supposed
-    //          to have a bad input vector.
-    //       2. Perform SPV proof to make sure it occurred on Bitcoin chain.
-    //          If not - revert.
-    //       3. Check if wallet state is Active or MovingFunds. If not, revert.
-    //       4. Validate the number of inputs. If there is one input and it
-    //          points to the wallet's main UTXO - move to point 5. If there
-    //          are multiple inputs and there is wallet's main UTXO in the set,
-    //          check if this is  a sweep transaction. If it's not a sweep,
-    //          consider it as fraudulent and move to point 6.
-    //          In all other cases revert the call.
-    //       5. Extract the output and analyze its type. The output is not
-    //          a fraud and the call should be reverted ONLY IF one of the
-    //          following conditions is true:
-    //          - Output is a requested redemption held by `pendingRedemptions`
-    //            and output value fulfills the request range. There is an
-    //            open question if a misfunded request should be removed
-    //            from `pendingRedemptions` (probably yes) and whether the
-    //            redeemer should be reimbursed in case of an underfund.
-    //          - Output is a timed out redemption held by `timedOutRedemptions`
-    //            and output value fulfills the request range.
-    //          - Output is a proper change i.e. a single output targeting
-    //            the wallet PKH back and having a non-zero value.
-    //          - Wallet is in MovingFunds state, the output points to the
-    //            expected target wallet, have non-zero value, and is a single
-    //            output in the vector.
-    //          In all other cases consider the transaction as fraud and
-    //          proceed to point 6.
-    //       6. Punish the wallet, probably by severely slashing its operators.
-    //       7. Change wallet's state in `wallets` mapping to `Terminated` in
-    //          order to prevent against new redemption requests hitting
-    //          that wallet. This also prevents against reporting a fraud
-    //          multiple times for one transaction (see point 3) and blocks
-    //          submission of sweep and redemption proofs. `Terminated` wallet
-    //          is blocked in the Bridge forever. If the fraud was a mistake
-    //          done by the wallet and the wallet is still honest deep in its
-    //          heart, the wallet can coordinate off-chain to recover the BTC
-    //          and donate it to another wallet. If they recover all of the
-    //          remaining BTC, DAO might decide to reward them with tokens so
-    //          that they can have at least some portion of their slashed
-    //          tokens back.
+    //       8. Call `wallets.notifyRedemptionTimedOut` to propagate timeout
+    //          consequences to the wallet.
 }