@keep-network/tbtc-v2 0.1.1-dev.31 → 0.1.1-dev.34

package/contracts/bridge/Bridge.sol

@@ -22,6 +22,7 @@ import {BytesLib} from "@keep-network/bitcoin-spv-sol/contracts/BytesLib.sol";
 import {IWalletOwner as EcdsaWalletOwner} from "@keep-network/ecdsa/contracts/api/IWalletOwner.sol";
 
 import "../bank/Bank.sol";
+import "./BridgeState.sol";
 import "./BitcoinTx.sol";
 import "./EcdsaLib.sol";
 import "./Wallets.sol";
@@ -58,59 +59,20 @@ interface IRelay {
 ///         wallet informs the Bridge about the sweep increasing appropriate
 ///         balances in the Bank.
 /// @dev Bridge is an upgradeable component of the Bank.
+///
+/// TODO: All wallets-related operations that are currently done directly
+///       by the Bridge can be probably delegated to the Wallets library.
+///       Examples of such operations are main UTXO or pending redemptions
+///       value updates.
 contract Bridge is Ownable, EcdsaWalletOwner {
-    using BTCUtils for bytes;
-    using BTCUtils for uint256;
-    using BytesLib for bytes;
+    using BridgeState for BridgeState.Storage;
+    using Deposit for BridgeState.Storage;
     using Frauds for Frauds.Data;
     using Wallets for Wallets.Data;
 
-    /// @notice Represents data which must be revealed by the depositor during
-    ///         deposit reveal.
-    struct RevealInfo {
-        // Index of the funding output belonging to the funding transaction.
-        uint32 fundingOutputIndex;
-        // Ethereum depositor address.
-        address depositor;
-        // The blinding factor as 8 bytes. Byte endianness doesn't matter
-        // as this factor is not interpreted as uint.
-        bytes8 blindingFactor;
-        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
-        // of the deposit's wallet hashed in the HASH160 Bitcoin opcode style.
-        bytes20 walletPubKeyHash;
-        // The compressed Bitcoin public key (33 bytes and 02 or 03 prefix)
-        // that can be used to make the deposit refund after the refund
-        // locktime passes. Hashed in the HASH160 Bitcoin opcode style.
-        bytes20 refundPubKeyHash;
-        // The refund locktime (4-byte LE). Interpreted according to locktime
-        // parsing rules described in:
-        // https://developer.bitcoin.org/devguide/transactions.html#locktime-and-sequence-number
-        // and used with OP_CHECKLOCKTIMEVERIFY opcode as described in:
-        // https://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki
-        bytes4 refundLocktime;
-        // Address of the Bank vault to which the deposit is routed to.
-        // Optional, can be 0x0. The vault must be trusted by the Bridge.
-        address vault;
-    }
-
-    /// @notice Represents tBTC deposit data.
-    struct DepositRequest {
-        // Ethereum depositor address.
-        address depositor;
-        // Deposit amount in satoshi.
-        uint64 amount;
-        // UNIX timestamp the deposit was revealed at.
-        uint32 revealedAt;
-        // Address of the Bank vault the deposit is routed to.
-        // Optional, can be 0x0.
-        address vault;
-        // Treasury TBTC fee in satoshi at the moment of deposit reveal.
-        uint64 treasuryFee;
-        // UNIX timestamp the deposit was swept at. Note this is not the
-        // time when the deposit was swept on the Bitcoin chain but actually
-        // the time when the sweep proof was delivered to the Ethereum chain.
-        uint32 sweptAt;
-    }
+    using BTCUtils for bytes;
+    using BTCUtils for uint256;
+    using BytesLib for bytes;
 
     /// @notice Represents an outcome of the sweep Bitcoin transaction
     ///         inputs processing.
@@ -173,44 +135,29 @@ contract Bridge is Ownable, EcdsaWalletOwner {
 
     /// @notice The number of confirmations on the Bitcoin chain required to
     ///         successfully evaluate an SPV proof.
-    uint256 public immutable txProofDifficultyFactor;
+    uint256 public txProofDifficultyFactor;
 
     /// TODO: Revisit whether it should be governable or not.
     /// @notice Address of the Bank this Bridge belongs to.
-    Bank public immutable bank;
+    Bank public bank;
 
     /// TODO: Make it governable.
     /// @notice Handle to the Bitcoin relay.
-    IRelay public immutable relay;
+    IRelay public relay;
 
     /// TODO: Revisit whether it should be governable or not.
     /// @notice Address where the redemptions treasury fees will be sent to.
     ///         Treasury takes part in the operators rewarding process.
-    address public immutable treasury;
+    address public treasury;
 
-    /// TODO: Make it governable.
-    /// @notice The minimal amount that can be requested for deposit.
-    ///         Value of this parameter must take into account the value of
-    ///         `depositTreasuryFeeDivisor` and `depositTxMaxFee`
-    ///         parameters in order to make requests that can incur the
-    ///         treasury and transaction fee and still satisfy the depositor.
-    uint64 public depositDustThreshold;
-
-    /// TODO: Make it governable.
-    /// @notice Divisor used to compute the treasury fee taken from each
-    ///         deposit and transferred to the treasury upon sweep proof
-    ///         submission. That fee is computed as follows:
-    ///         `treasuryFee = depositedAmount / depositTreasuryFeeDivisor`
-    ///         For example, if the treasury fee needs to be 2% of each deposit,
-    ///         the `depositTreasuryFeeDivisor` should be set to `50`
-    ///         because `1/50 = 0.02 = 2%`.
-    uint64 public depositTreasuryFeeDivisor;
+    BridgeState.Storage internal self;
 
     /// TODO: Make it governable.
     /// @notice Maximum amount of BTC transaction fee that can be incurred by
     ///         each swept deposit being part of the given sweep
     ///         transaction. If the maximum BTC transaction fee is exceeded,
     ///         such transaction is considered a fraud.
+    /// @dev This is a per-deposit input max fee for the sweep transaction.
     uint64 public depositTxMaxFee;
 
     /// TODO: Make it governable.
@@ -236,6 +183,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///         each redemption request being part of the given redemption
     ///         transaction. If the maximum BTC transaction fee is exceeded, such
     ///         transaction is considered a fraud.
+    /// @dev This is a per-redemption output max fee for the redemption transaction.
     uint64 public redemptionTxMaxFee;
 
     /// TODO: Make it governable.
@@ -246,25 +194,15 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///         to the redeemer in full amount.
     uint256 public redemptionTimeout;
 
-    /// @notice Indicates if the vault with the given address is trusted or not.
-    ///         Depositors can route their revealed deposits only to trusted
-    ///         vaults and have trusted vaults notified about new deposits as
-    ///         soon as these deposits get swept. Vaults not trusted by the
-    ///         Bridge can still be used by Bank balance owners on their own
-    ///         responsibility - anyone can approve their Bank balance to any
-    ///         address.
-    mapping(address => bool) public isVaultTrusted;
-
-    /// @notice Collection of all revealed deposits indexed by
-    ///         keccak256(fundingTxHash | fundingOutputIndex).
-    ///         The fundingTxHash is bytes32 (ordered as in Bitcoin internally)
-    ///         and fundingOutputIndex an uint32. This mapping may contain valid
-    ///         and invalid deposits and the wallet is responsible for
-    ///         validating them before attempting to execute a sweep.
-    mapping(uint256 => DepositRequest) public deposits;
+    /// TODO: Make it governable.
+    /// @notice Maximum amount of the total BTC transaction fee that is
+    ///         acceptable in a single moving funds transaction.
+    /// @dev This is a TOTAL max fee for the moving funds transaction. Note that
+    ///      `depositTxMaxFee` is per single deposit and `redemptionTxMaxFee`
+    ///      if per single redemption. `movingFundsTxMaxTotalFee` is a total fee
+    ///      for the entire transaction.
+    uint64 public movingFundsTxMaxTotalFee;
 
-    //TODO: Remember to update this map when implementing transferring funds
-    //      between wallets (insert the main UTXO that was used as the input).
     /// @notice Collection of main UTXOs that are honestly spent indexed by
     ///         keccak256(fundingTxHash | fundingOutputIndex). The fundingTxHash
     ///         is bytes32 (ordered as in Bitcoin internally) and
@@ -406,6 +344,11 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bytes32 sighash
     );
 
+    event MovingFundsCompleted(
+        bytes20 walletPubKeyHash,
+        bytes32 movingFundsTxHash
+    );
+
     constructor(
         address _bank,
         address _relay,
@@ -425,13 +368,16 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         txProofDifficultyFactor = _txProofDifficultyFactor;
 
         // TODO: Revisit initial values.
-        depositDustThreshold = 1000000; // 1000000 satoshi = 0.01 BTC
-        depositTxMaxFee = 1000; // 1000 satoshi
-        depositTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
+        self.depositDustThreshold = 1000000; // 1000000 satoshi = 0.01 BTC
+        depositTxMaxFee = 10000; // 10000 satoshi
+        self.depositTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
         redemptionDustThreshold = 1000000; // 1000000 satoshi = 0.01 BTC
         redemptionTreasuryFeeDivisor = 2000; // 1/2000 == 5bps == 0.05% == 0.0005
-        redemptionTxMaxFee = 1000; // 1000 satoshi
+        redemptionTxMaxFee = 10000; // 10000 satoshi
         redemptionTimeout = 172800; // 48 hours
+        movingFundsTxMaxTotalFee = 10000; // 10000 satoshi
+
+        // TODO: Revisit initial values.
         frauds.setSlashingAmount(10000 * 1e18); // 10000 T
         frauds.setNotifierRewardMultiplier(100); // 100%
         frauds.setChallengeDefeatTimeout(7 days);
@@ -500,7 +446,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     /// @param isTrusted flag indicating whether the vault is trusted or not
     /// @dev Can only be called by the Governance.
     function setVaultStatus(address vault, bool isTrusted) external onlyOwner {
-        isVaultTrusted[vault] = isTrusted;
+        self.isVaultTrusted[vault] = isTrusted;
         emit VaultStatusUpdated(vault, isTrusted);
     }
 
@@ -655,124 +601,9 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///      deposit script unlocks to receive their BTC back.
     function revealDeposit(
         BitcoinTx.Info calldata fundingTx,
-        RevealInfo calldata reveal
+        Deposit.RevealInfo calldata reveal
     ) external {
-        require(
-            wallets.registeredWallets[reveal.walletPubKeyHash].state ==
-                Wallets.WalletState.Live,
-            "Wallet is not in Live state"
-        );
-
-        require(
-            reveal.vault == address(0) || isVaultTrusted[reveal.vault],
-            "Vault is not trusted"
-        );
-
-        // TODO: Should we enforce a specific locktime at contract level?
-
-        bytes memory expectedScript = abi.encodePacked(
-            hex"14", // Byte length of depositor Ethereum address.
-            reveal.depositor,
-            hex"75", // OP_DROP
-            hex"08", // Byte length of blinding factor value.
-            reveal.blindingFactor,
-            hex"75", // OP_DROP
-            hex"76", // OP_DUP
-            hex"a9", // OP_HASH160
-            hex"14", // Byte length of a compressed Bitcoin public key hash.
-            reveal.walletPubKeyHash,
-            hex"87", // OP_EQUAL
-            hex"63", // OP_IF
-            hex"ac", // OP_CHECKSIG
-            hex"67", // OP_ELSE
-            hex"76", // OP_DUP
-            hex"a9", // OP_HASH160
-            hex"14", // Byte length of a compressed Bitcoin public key hash.
-            reveal.refundPubKeyHash,
-            hex"88", // OP_EQUALVERIFY
-            hex"04", // Byte length of refund locktime value.
-            reveal.refundLocktime,
-            hex"b1", // OP_CHECKLOCKTIMEVERIFY
-            hex"75", // OP_DROP
-            hex"ac", // OP_CHECKSIG
-            hex"68" // OP_ENDIF
-        );
-
-        bytes memory fundingOutput = fundingTx
-            .outputVector
-            .extractOutputAtIndex(reveal.fundingOutputIndex);
-        bytes memory fundingOutputHash = fundingOutput.extractHash();
-
-        if (fundingOutputHash.length == 20) {
-            // A 20-byte output hash is used by P2SH. That hash is constructed
-            // by applying OP_HASH160 on the locking script. A 20-byte output
-            // hash is used as well by P2PKH and P2WPKH (OP_HASH160 on the
-            // public key). However, since we compare the actual output hash
-            // with an expected locking script hash, this check will succeed only
-            // for P2SH transaction type with expected script hash value. For
-            // P2PKH and P2WPKH, it will fail on the output hash comparison with
-            // the expected locking script hash.
-            require(
-                fundingOutputHash.slice20(0) == expectedScript.hash160View(),
-                "Wrong 20-byte script hash"
-            );
-        } else if (fundingOutputHash.length == 32) {
-            // A 32-byte output hash is used by P2WSH. That hash is constructed
-            // by applying OP_SHA256 on the locking script.
-            require(
-                fundingOutputHash.toBytes32() == sha256(expectedScript),
-                "Wrong 32-byte script hash"
-            );
-        } else {
-            revert("Wrong script hash length");
-        }
-
-        // Resulting TX hash is in native Bitcoin little-endian format.
-        bytes32 fundingTxHash = abi
-            .encodePacked(
-                fundingTx.version,
-                fundingTx.inputVector,
-                fundingTx.outputVector,
-                fundingTx.locktime
-            )
-            .hash256View();
-
-        DepositRequest storage deposit = deposits[
-            uint256(
-                keccak256(
-                    abi.encodePacked(fundingTxHash, reveal.fundingOutputIndex)
-                )
-            )
-        ];
-        require(deposit.revealedAt == 0, "Deposit already revealed");
-
-        uint64 fundingOutputAmount = fundingOutput.extractValue();
-
-        require(
-            fundingOutputAmount >= depositDustThreshold,
-            "Deposit amount too small"
-        );
-
-        deposit.amount = fundingOutputAmount;
-        deposit.depositor = reveal.depositor;
-        /* solhint-disable-next-line not-rely-on-time */
-        deposit.revealedAt = uint32(block.timestamp);
-        deposit.vault = reveal.vault;
-        deposit.treasuryFee = depositTreasuryFeeDivisor > 0
-            ? fundingOutputAmount / depositTreasuryFeeDivisor
-            : 0;
-
-        emit DepositRevealed(
-            fundingTxHash,
-            reveal.fundingOutputIndex,
-            reveal.depositor,
-            fundingOutputAmount,
-            reveal.blindingFactor,
-            reveal.walletPubKeyHash,
-            reveal.refundPubKeyHash,
-            reveal.refundLocktime,
-            reveal.vault
-        );
+        self.revealDeposit(wallets, fundingTx, reveal);
     }
 
     /// @notice Used by the wallet to prove the BTC deposit sweep transaction
@@ -836,39 +667,10 @@ contract Bridge is Ownable, EcdsaWalletOwner {
             uint64 sweepTxOutputValue
         ) = processSweepTxOutput(sweepTx.outputVector);
 
-        Wallets.Wallet storage wallet = wallets.registeredWallets[
-            walletPubKeyHash
-        ];
-
-        Wallets.WalletState walletState = wallet.state;
-        require(
-            walletState == Wallets.WalletState.Live ||
-                walletState == Wallets.WalletState.MovingFunds,
-            "Wallet must be in Live or MovingFunds state"
-        );
-
-        // Check if the main UTXO for given wallet exists. If so, validate
-        // passed main UTXO data against the stored hash and use them for
-        // further processing. If no main UTXO exists, use empty data.
-        BitcoinTx.UTXO memory resolvedMainUtxo = BitcoinTx.UTXO(
-            bytes32(0),
-            0,
-            0
-        );
-        bytes32 mainUtxoHash = wallet.mainUtxoHash;
-        if (mainUtxoHash != bytes32(0)) {
-            require(
-                keccak256(
-                    abi.encodePacked(
-                        mainUtxo.txHash,
-                        mainUtxo.txOutputIndex,
-                        mainUtxo.txOutputValue
-                    )
-                ) == mainUtxoHash,
-                "Invalid main UTXO data"
-            );
-            resolvedMainUtxo = mainUtxo;
-        }
+        (
+            Wallets.Wallet storage wallet,
+            BitcoinTx.UTXO memory resolvedMainUtxo
+        ) = resolveSweepingWallet(walletPubKeyHash, mainUtxo);
 
         // Process sweep transaction inputs and extract all information needed
         // to perform deposit bookkeeping.
@@ -940,6 +742,57 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         // TODO: Handle deposits having `vault` set.
     }
 
+    /// @notice Resolves sweeping wallet based on the provided wallet public key
+    ///         hash. Validates the wallet state and current main UTXO, as
+    ///         currently known on the Ethereum chain.
+    /// @param walletPubKeyHash public key hash of the wallet proving the sweep
+    ///        Bitcoin transaction.
+    /// @param mainUtxo Data of the wallet's main UTXO, as currently known on
+    ///        the Ethereum chain. If no main UTXO exists for the given wallet,
+    ///        this parameter is ignored
+    /// @dev Requirements:
+    ///     - Sweeping wallet must be either in Live or MovingFunds state.
+    ///     - If the main UTXO of the sweeping wallet exists in the storage,
+    ///       the passed `mainUTXO` parameter must be equal to the stored one.
+    function resolveSweepingWallet(
+        bytes20 walletPubKeyHash,
+        BitcoinTx.UTXO calldata mainUtxo
+    )
+        internal
+        returns (
+            Wallets.Wallet storage wallet,
+            BitcoinTx.UTXO memory resolvedMainUtxo
+        )
+    {
+        wallet = wallets.registeredWallets[walletPubKeyHash];
+
+        Wallets.WalletState walletState = wallet.state;
+        require(
+            walletState == Wallets.WalletState.Live ||
+                walletState == Wallets.WalletState.MovingFunds,
+            "Wallet must be in Live or MovingFunds state"
+        );
+
+        // Check if the main UTXO for given wallet exists. If so, validate
+        // passed main UTXO data against the stored hash and use them for
+        // further processing. If no main UTXO exists, use empty data.
+        resolvedMainUtxo = BitcoinTx.UTXO(bytes32(0), 0, 0);
+        bytes32 mainUtxoHash = wallet.mainUtxoHash;
+        if (mainUtxoHash != bytes32(0)) {
+            require(
+                keccak256(
+                    abi.encodePacked(
+                        mainUtxo.txHash,
+                        mainUtxo.txOutputIndex,
+                        mainUtxo.txOutputValue
+                    )
+                ) == mainUtxoHash,
+                "Invalid main UTXO data"
+            );
+            resolvedMainUtxo = mainUtxo;
+        }
+    }
+
     /// @notice Processes the Bitcoin sweep transaction output vector by
     ///         extracting the single output and using it to gain additional
     ///         information required for further processing (e.g. value and
@@ -1055,7 +908,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
                 uint256 inputLength
             ) = parseTxInputAt(sweepTxInputVector, inputStartingIndex);
 
-            DepositRequest storage deposit = deposits[
+            Deposit.Request storage deposit = self.deposits[
                 uint256(
                     keccak256(abi.encodePacked(outpointTxHash, outpointIndex))
                 )
@@ -1302,7 +1155,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
 
         // Check that the UTXO key identifies a correctly spent UTXO.
         require(
-            deposits[utxoKey].sweptAt > 0 || spentMainUTXOs[utxoKey],
+            self.deposits[utxoKey].sweptAt > 0 || spentMainUTXOs[utxoKey],
             "Spent UTXO not found among correctly spent UTXOs"
         );
 
@@ -1595,9 +1448,9 @@ contract Bridge is Ownable, EcdsaWalletOwner {
             proofDifficultyContext()
         );
 
-        // Perform validation of the redemption transaction input. Specifically,
-        // check if it refers to the expected wallet's main UTXO.
-        validateRedemptionTxInput(
+        // Process the redemption transaction input. Specifically, check if it
+        // refers to the expected wallet's main UTXO.
+        processWalletOutboundTxInput(
             redemptionTx.inputVector,
             mainUtxo,
             walletPubKeyHash
@@ -1646,10 +1499,14 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         bank.transferBalance(treasury, outputsInfo.totalTreasuryFee);
     }
 
-    /// @notice Validates whether the redemption Bitcoin transaction input
-    ///         vector contains a single input referring to the wallet's main
-    ///         UTXO. Reverts in case the validation fails.
-    /// @param redemptionTxInputVector Bitcoin redemption transaction input
+    /// @notice Checks whether an outbound Bitcoin transaction performed from
+    ///         the given wallet has an input vector that contains a single
+    ///         input referring to the wallet's main UTXO. Marks that main UTXO
+    ///         as correctly spent if the validation succeeds. Reverts otherwise.
+    ///         There are two outbound transactions from a wallet possible: a
+    ///         redemption transaction or a moving funds to another wallet
+    ///         transaction.
+    /// @param walletOutboundTxInputVector Bitcoin outbound transaction's input
     ///        vector. This function assumes vector's structure is valid so it
     ///        must be validated using e.g. `BTCUtils.validateVin` function
     ///        before it is passed here
@@ -1657,9 +1514,9 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///        the Ethereum chain.
     /// @param walletPubKeyHash 20-byte public key hash (computed using Bitcoin
     //         HASH160 over the compressed ECDSA public key) of the wallet which
-    ///        performed the redemption transaction.
-    function validateRedemptionTxInput(
-        bytes memory redemptionTxInputVector,
+    ///        performed the outbound transaction.
+    function processWalletOutboundTxInput(
+        bytes memory walletOutboundTxInputVector,
         BitcoinTx.UTXO calldata mainUtxo,
         bytes20 walletPubKeyHash
     ) internal {
@@ -1682,16 +1539,16 @@ contract Bridge is Ownable, EcdsaWalletOwner {
             "Invalid main UTXO data"
         );
 
-        // Assert that the single redemption transaction input actually
+        // Assert that the single outbound transaction input actually
         // refers to the wallet's main UTXO.
         (
-            bytes32 redemptionTxOutpointTxHash,
-            uint32 redemptionTxOutpointIndex
-        ) = processRedemptionTxInput(redemptionTxInputVector);
+            bytes32 outpointTxHash,
+            uint32 outpointIndex
+        ) = parseWalletOutboundTxInput(walletOutboundTxInputVector);
         require(
-            mainUtxo.txHash == redemptionTxOutpointTxHash &&
-                mainUtxo.txOutputIndex == redemptionTxOutpointIndex,
-            "Redemption transaction input must point to the wallet's main UTXO"
+            mainUtxo.txHash == outpointTxHash &&
+                mainUtxo.txOutputIndex == outpointIndex,
+            "Outbound transaction input must point to the wallet's main UTXO"
         );
 
         // Main UTXO used as an input, mark it as spent.
@@ -1704,10 +1561,13 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         ] = true;
     }
 
-    /// @notice Processes the Bitcoin redemption transaction input vector. It
-    ///         extracts the single input then the transaction hash and output
-    ///         index from its outpoint.
-    /// @param redemptionTxInputVector Bitcoin redemption transaction input
+    /// @notice Parses the input vector of an outbound Bitcoin transaction
+    ///         performed from the given wallet. It extracts the single input
+    ///         then the transaction hash and output index from its outpoint.
+    ///         There are two outbound transactions from a wallet possible: a
+    ///         redemption transaction or a moving funds to another wallet
+    ///         transaction.
+    /// @param walletOutboundTxInputVector Bitcoin outbound transaction input
     ///        vector. This function assumes vector's structure is valid so it
     ///        must be validated using e.g. `BTCUtils.validateVin` function
     ///        before it is passed here
@@ -1715,12 +1575,10 @@ contract Bridge is Ownable, EcdsaWalletOwner {
     ///         pointed in the input's outpoint.
     /// @return outpointIndex 4-byte index of the Bitcoin transaction output
     ///         which is pointed in the input's outpoint.
-    function processRedemptionTxInput(bytes memory redemptionTxInputVector)
-        internal
-        pure
-        returns (bytes32 outpointTxHash, uint32 outpointIndex)
-    {
-        // To determine the total number of redemption transaction inputs,
+    function parseWalletOutboundTxInput(
+        bytes memory walletOutboundTxInputVector
+    ) internal pure returns (bytes32 outpointTxHash, uint32 outpointIndex) {
+        // To determine the total number of Bitcoin transaction inputs,
         // we need to parse the compactSize uint (VarInt) the input vector is
         // prepended by. That compactSize uint encodes the number of vector
         // elements using the format presented in:
@@ -1728,13 +1586,13 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         // We don't need asserting the compactSize uint is parseable since it
         // was already checked during `validateVin` validation.
         // See `BitcoinTx.inputVector` docs for more details.
-        (, uint256 inputsCount) = redemptionTxInputVector.parseVarInt();
+        (, uint256 inputsCount) = walletOutboundTxInputVector.parseVarInt();
         require(
             inputsCount == 1,
-            "Redemption transaction must have a single input"
+            "Outbound transaction must have a single input"
         );
 
-        bytes memory input = redemptionTxInputVector.extractInputAtIndex(0);
+        bytes memory input = walletOutboundTxInputVector.extractInputAtIndex(0);
 
         outpointTxHash = input.extractInputTxIdLE();
 
@@ -1797,11 +1655,26 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         // scripts that can be used to lock the change. This is done upfront to
         // save on gas. Both scripts have a strict format defined by Bitcoin.
         //
-        // The P2PKH script has format <0x1976a914> <20-byte PKH> <0x88ac>.
+        // The P2PKH script has the byte format: <0x1976a914> <20-byte PKH> <0x88ac>.
+        // According to https://en.bitcoin.it/wiki/Script#Opcodes this translates to:
+        // - 0x19: Byte length of the entire script
+        // - 0x76: OP_DUP
+        // - 0xa9: OP_HASH160
+        // - 0x14: Byte length of the public key hash
+        // - 0x88: OP_EQUALVERIFY
+        // - 0xac: OP_CHECKSIG
+        // which matches the P2PKH structure as per:
+        // https://en.bitcoin.it/wiki/Transaction#Pay-to-PubkeyHash
         bytes32 walletP2PKHScriptKeccak = keccak256(
             abi.encodePacked(hex"1976a914", walletPubKeyHash, hex"88ac")
         );
-        // The P2WPKH script has format <0x160014> <20-byte PKH>.
+        // The P2WPKH script has the byte format: <0x160014> <20-byte PKH>.
+        // According to https://en.bitcoin.it/wiki/Script#Opcodes this translates to:
+        // - 0x16: Byte length of the entire script
+        // - 0x00: OP_0
+        // - 0x14: Byte length of the public key hash
+        // which matches the P2WPKH structure as per:
+        // https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#P2WPKH
         bytes32 walletP2WPKHScriptKeccak = keccak256(
             abi.encodePacked(hex"160014", walletPubKeyHash)
         );
@@ -1827,7 +1700,7 @@ contract Bridge is Ownable, EcdsaWalletOwner {
             // Extract the value from given output.
             uint64 outputValue = output.extractValue();
             // The output consists of an 8-byte value and a variable length
-            // script. To extract that script we slice the output staring from
+            // script. To extract that script we slice the output starting from
             // 9th byte until the end.
             bytes memory outputScript = output.slice(8, output.length - 8);
 
@@ -2006,4 +1879,292 @@ contract Bridge is Ownable, EcdsaWalletOwner {
         // Return the requested amount of tokens to the redeemer
         bank.transferBalance(request.redeemer, request.requestedAmount);
     }
+
+    /// @notice Used by the wallet to prove the BTC moving funds transaction
+    ///         and to make the necessary state changes. Moving funds is only
+    ///         accepted if it satisfies SPV proof.
+    ///
+    ///         The function validates the moving funds transaction structure
+    ///         by checking if it actually spends the main UTXO of the declared
+    ///         wallet and locks the value on the pre-committed target wallets
+    ///         using a reasonable transaction fee. If all preconditions are
+    ///         met, this functions closes the source wallet.
+    ///
+    ///         It is possible to prove the given moving funds transaction only
+    ///         one time.
+    /// @param movingFundsTx Bitcoin moving funds transaction data
+    /// @param movingFundsProof Bitcoin moving funds proof data
+    /// @param mainUtxo Data of the wallet's main UTXO, as currently known on
+    ///        the Ethereum chain
+    /// @param walletPubKeyHash 20-byte public key hash (computed using Bitcoin
+    ///        HASH160 over the compressed ECDSA public key) of the wallet
+    ///        which performed the moving funds transaction
+    /// @dev Requirements:
+    ///      - `movingFundsTx` components must match the expected structure. See
+    ///        `BitcoinTx.Info` docs for reference. Their values must exactly
+    ///        correspond to appropriate Bitcoin transaction fields to produce
+    ///        a provable transaction hash.
+    ///      - The `movingFundsTx` should represent a Bitcoin transaction with
+    ///        exactly 1 input that refers to the wallet's main UTXO. That
+    ///        transaction should have 1..n outputs corresponding to the
+    ///        pre-committed target wallets. Outputs must be ordered in the
+    ///        same way as their corresponding target wallets are ordered
+    ///        within the target wallets commitment.
+    ///      - `movingFundsProof` components must match the expected structure.
+    ///        See `BitcoinTx.Proof` docs for reference. The `bitcoinHeaders`
+    ///        field must contain a valid number of block headers, not less
+    ///        than the `txProofDifficultyFactor` contract constant.
+    ///      - `mainUtxo` components must point to the recent main UTXO
+    ///        of the given wallet, as currently known on the Ethereum chain.
+    ///        Additionally, the recent main UTXO on Ethereum must be set.
+    ///      - `walletPubKeyHash` must be connected with the main UTXO used
+    ///        as transaction single input.
+    ///      - The wallet that `walletPubKeyHash` points to must be in the
+    ///        MovingFunds state.
+    ///      - The target wallets commitment must be submitted by the wallet
+    ///        that `walletPubKeyHash` points to.
+    ///      - The total Bitcoin transaction fee must be lesser or equal
+    ///        to `movingFundsTxMaxTotalFee` governable parameter.
+    function submitMovingFundsProof(
+        BitcoinTx.Info calldata movingFundsTx,
+        BitcoinTx.Proof calldata movingFundsProof,
+        BitcoinTx.UTXO calldata mainUtxo,
+        bytes20 walletPubKeyHash
+    ) external {
+        // The actual transaction proof is performed here. After that point, we
+        // can assume the transaction happened on Bitcoin chain and has
+        // a sufficient number of confirmations as determined by
+        // `txProofDifficultyFactor` constant.
+        bytes32 movingFundsTxHash = BitcoinTx.validateProof(
+            movingFundsTx,
+            movingFundsProof,
+            proofDifficultyContext()
+        );
+
+        // Process the moving funds transaction input. Specifically, check if
+        // it refers to the expected wallet's main UTXO.
+        processWalletOutboundTxInput(
+            movingFundsTx.inputVector,
+            mainUtxo,
+            walletPubKeyHash
+        );
+
+        (
+            bytes32 targetWalletsHash,
+            uint256 outputsTotalValue
+        ) = processMovingFundsTxOutputs(movingFundsTx.outputVector);
+
+        require(
+            mainUtxo.txOutputValue - outputsTotalValue <=
+                movingFundsTxMaxTotalFee,
+            "Transaction fee is too high"
+        );
+
+        wallets.notifyFundsMoved(walletPubKeyHash, targetWalletsHash);
+
+        emit MovingFundsCompleted(walletPubKeyHash, movingFundsTxHash);
+    }
+
+    /// @notice Processes the moving funds Bitcoin transaction output vector
+    ///         and extracts information required for further processing.
+    /// @param movingFundsTxOutputVector Bitcoin moving funds transaction output
+    ///        vector. This function assumes vector's structure is valid so it
+    ///        must be validated using e.g. `BTCUtils.validateVout` function
+    ///        before it is passed here
+    /// @return targetWalletsHash keccak256 hash over the list of actual
+    ///         target wallets used in the transaction.
+    /// @return outputsTotalValue Sum of all outputs values.
+    /// @dev Requirements:
+    ///      - The `movingFundsTxOutputVector` must be parseable, i.e. must
+    ///        be validated by the caller as stated in their parameter doc.
+    ///      - Each output must refer to a 20-byte public key hash.
+    ///      - The total outputs value must be evenly divided over all outputs.
+    function processMovingFundsTxOutputs(bytes memory movingFundsTxOutputVector)
+        internal
+        view
+        returns (bytes32 targetWalletsHash, uint256 outputsTotalValue)
+    {
+        // Determining the total number of Bitcoin transaction outputs in
+        // the same way as for number of inputs. See `BitcoinTx.outputVector`
+        // docs for more details.
+        (
+            uint256 outputsCompactSizeUintLength,
+            uint256 outputsCount
+        ) = movingFundsTxOutputVector.parseVarInt();
+
+        // To determine the first output starting index, we must jump over
+        // the compactSize uint which prepends the output vector. One byte
+        // must be added because `BtcUtils.parseVarInt` does not include
+        // compactSize uint tag in the returned length.
+        //
+        // For >= 0 && <= 252, `BTCUtils.determineVarIntDataLengthAt`
+        // returns `0`, so we jump over one byte of compactSize uint.
+        //
+        // For >= 253 && <= 0xffff there is `0xfd` tag,
+        // `BTCUtils.determineVarIntDataLengthAt` returns `2` (no
+        // tag byte included) so we need to jump over 1+2 bytes of
+        // compactSize uint.
+        //
+        // Please refer `BTCUtils` library and compactSize uint
+        // docs in `BitcoinTx` library for more details.
+        uint256 outputStartingIndex = 1 + outputsCompactSizeUintLength;
+
+        bytes20[] memory targetWallets = new bytes20[](outputsCount);
+        uint64[] memory outputsValues = new uint64[](outputsCount);
+
+        // Outputs processing loop.
+        for (uint256 i = 0; i < outputsCount; i++) {
+            uint256 outputLength = movingFundsTxOutputVector
+                .determineOutputLengthAt(outputStartingIndex);
+
+            bytes memory output = movingFundsTxOutputVector.slice(
+                outputStartingIndex,
+                outputLength
+            );
+
+            // Extract the output script payload.
+            bytes memory targetWalletPubKeyHashBytes = output.extractHash();
+            // Output script payload must refer to a known wallet public key
+            // hash which is always 20-byte.
+            require(
+                targetWalletPubKeyHashBytes.length == 20,
+                "Target wallet public key hash must have 20 bytes"
+            );
+
+            bytes20 targetWalletPubKeyHash = targetWalletPubKeyHashBytes
+                .slice20(0);
+
+            // The next step is making sure that the 20-byte public key hash
+            // is actually used in the right context of a P2PKH or P2WPKH
+            // output. To do so, we must extract the full script from the output
+            // and compare with the expected P2PKH and P2WPKH scripts
+            // referring to that 20-byte public key hash. The output consists
+            // of an 8-byte value and a variable length script. To extract the
+            // script we slice the output starting from 9th byte until the end.
+            bytes32 outputScriptKeccak = keccak256(
+                output.slice(8, output.length - 8)
+            );
+            // Build the expected P2PKH script which has the following byte
+            // format: <0x1976a914> <20-byte PKH> <0x88ac>. According to
+            // https://en.bitcoin.it/wiki/Script#Opcodes this translates to:
+            // - 0x19: Byte length of the entire script
+            // - 0x76: OP_DUP
+            // - 0xa9: OP_HASH160
+            // - 0x14: Byte length of the public key hash
+            // - 0x88: OP_EQUALVERIFY
+            // - 0xac: OP_CHECKSIG
+            // which matches the P2PKH structure as per:
+            // https://en.bitcoin.it/wiki/Transaction#Pay-to-PubkeyHash
+            bytes32 targetWalletP2PKHScriptKeccak = keccak256(
+                abi.encodePacked(
+                    hex"1976a914",
+                    targetWalletPubKeyHash,
+                    hex"88ac"
+                )
+            );
+            // Build the expected P2WPKH script which has the following format:
+            // <0x160014> <20-byte PKH>. According to
+            // https://en.bitcoin.it/wiki/Script#Opcodes this translates to:
+            // - 0x16: Byte length of the entire script
+            // - 0x00: OP_0
+            // - 0x14: Byte length of the public key hash
+            // which matches the P2WPKH structure as per:
+            // https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#P2WPKH
+            bytes32 targetWalletP2WPKHScriptKeccak = keccak256(
+                abi.encodePacked(hex"160014", targetWalletPubKeyHash)
+            );
+            // Make sure the actual output script matches either the P2PKH
+            // or P2WPKH format.
+            require(
+                outputScriptKeccak == targetWalletP2PKHScriptKeccak ||
+                    outputScriptKeccak == targetWalletP2WPKHScriptKeccak,
+                "Output must be P2PKH or P2WPKH"
+            );
+
+            // Add the wallet public key hash to the list that will be used
+            // to build the result list hash. There is no need to check if
+            // given output is a change here because the actual target wallet
+            // list must be exactly the same as the pre-committed target wallet
+            // list which is guaranteed to be valid.
+            targetWallets[i] = targetWalletPubKeyHash;
+
+            // Extract the value from given output.
+            outputsValues[i] = output.extractValue();
+            outputsTotalValue += outputsValues[i];
+
+            // Make the `outputStartingIndex` pointing to the next output by
+            // increasing it by current output's length.
+            outputStartingIndex += outputLength;
+        }
+
+        // Compute the indivisible remainder that remains after dividing the
+        // outputs total value over all outputs evenly.
+        uint256 outputsTotalValueRemainder = outputsTotalValue % outputsCount;
+        // Compute the minimum allowed output value by dividing the outputs
+        // total value (reduced by the remainder) by the number of outputs.
+        uint256 minOutputValue = (outputsTotalValue -
+            outputsTotalValueRemainder) / outputsCount;
+        // Maximum possible value is the minimum value with the remainder included.
+        uint256 maxOutputValue = minOutputValue + outputsTotalValueRemainder;
+
+        for (uint256 i = 0; i < outputsCount; i++) {
+            require(
+                minOutputValue <= outputsValues[i] &&
+                    outputsValues[i] <= maxOutputValue,
+                "Transaction amount is not distributed evenly"
+            );
+        }
+
+        targetWalletsHash = keccak256(abi.encodePacked(targetWallets));
+
+        return (targetWalletsHash, outputsTotalValue);
+    }
+
+    /// @notice Returns the current values of Bridge deposit parameters.
+    /// @return depositDustThreshold The minimal amount that can be requested
+    ///         to deposit. Value of this parameter must take into account the
+    ///         value of `depositTreasuryFeeDivisor` and `depositTxMaxFee`
+    ///         parameters in order to make requests that can incur the
+    ///         treasury and transaction fee and still satisfy the depositor.
+    /// @return depositTreasuryFeeDivisor Divisor used to compute the treasury
+    ///         fee taken from each deposit and transferred to the treasury upon
+    ///         sweep proof submission. That fee is computed as follows:
+    ///         `treasuryFee = depositedAmount / depositTreasuryFeeDivisor`
+    ///         For example, if the treasury fee needs to be 2% of each deposit,
+    ///         the `depositTreasuryFeeDivisor` should be set to `50`
+    ///         because `1/50 = 0.02 = 2%`.
+    function depositParameters()
+        external
+        view
+        returns (uint64 depositDustThreshold, uint64 depositTreasuryFeeDivisor)
+    {
+        depositDustThreshold = self.depositDustThreshold;
+        depositTreasuryFeeDivisor = self.depositTreasuryFeeDivisor;
+    }
+
+    /// @notice Indicates if the vault with the given address is trusted or not.
+    ///         Depositors can route their revealed deposits only to trusted
+    ///         vaults and have trusted vaults notified about new deposits as
+    ///         soon as these deposits get swept. Vaults not trusted by the
+    ///         Bridge can still be used by Bank balance owners on their own
+    ///         responsibility - anyone can approve their Bank balance to any
+    ///         address.
+    function isVaultTrusted(address vault) external view returns (bool) {
+        return self.isVaultTrusted[vault];
+    }
+
+    /// @notice Collection of all revealed deposits indexed by
+    ///         keccak256(fundingTxHash | fundingOutputIndex).
+    ///         The fundingTxHash is bytes32 (ordered as in Bitcoin internally)
+    ///         and fundingOutputIndex an uint32. This mapping may contain valid
+    ///         and invalid deposits and the wallet is responsible for
+    ///         validating them before attempting to execute a sweep.
+    function deposits(uint256 depositKey)
+        external
+        view
+        returns (Deposit.Request memory)
+    {
+        // TODO: rename to getDeposit?
+        return self.deposits[depositKey];
+    }
 }