@layerzerolabs/protocol-stellar-v2 0.2.18 → 0.2.20

package/contracts/oapps/{oft → oft-core}/src/tests/test_utils.rs

@@ -4,7 +4,7 @@
 
 use crate::{
     codec::oft_msg_codec::OFTMessage,
-    oft::OFTClient,
+    oft_core::OFTClient,
     types::{OFTReceipt, SendParam},
 };
 use endpoint_v2::{LayerZeroReceiverClient, MessagingFee, MessagingParams, MessagingReceipt, Origin};
@@ -104,15 +104,21 @@ pub fn create_origin(src_eid: u32, sender: &BytesN<32>, nonce: u64) -> Origin {
 // ==================== Test OFT Contracts ====================
 
 mod test_mint_burn_oft {
-    extern crate self as oft;
-
-    use crate::initialize_oft;
-    use crate::oft::{OFTInternal, OFT};
-    use crate::oft_impl;
-    use crate::types::OFTReceipt;
+    use crate::{
+        self as oft_core,
+        oft_core::{lz_receive, OFTCore, OFTInternal},
+        types::OFTReceipt,
+    };
     use endpoint_v2::Origin;
     use oapp::oapp_receiver::LzReceiveInternal;
-    use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
+    use soroban_sdk::{contractclient, contractimpl, Address, Bytes, BytesN, Env};
+
+    #[contractclient(name = "MintBurnTokenClient")]
+    #[allow(dead_code)]
+    trait MintBurnToken {
+        fn mint(env: Env, to: Address, amount: i128);
+        fn burn(env: Env, from: Address, amount: i128);
+    }
 
     #[oapp_macros::oapp]
     pub struct TestMintBurnOFT;
@@ -127,12 +133,12 @@ mod test_mint_burn_oft {
             delegate: &Option<Address>,
             shared_decimals: u32,
         ) {
-            initialize_oft::<Self>(env, owner, token, endpoint, delegate, shared_decimals)
+            Self::__initialize_oft(env, owner, token, endpoint, delegate, shared_decimals)
         }
     }
 
     #[contractimpl(contracttrait)]
-    impl OFT for TestMintBurnOFT {}
+    impl OFTCore for TestMintBurnOFT {}
 
     impl LzReceiveInternal for TestMintBurnOFT {
         fn __lz_receive(
@@ -144,32 +150,36 @@ mod test_mint_burn_oft {
             executor: &Address,
             value: i128,
         ) {
-            oft_impl::lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
+            lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
         }
     }
 
     impl OFTInternal for TestMintBurnOFT {
         fn __debit(env: &Env, sender: &Address, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> OFTReceipt {
-            crate::oft_types::mint_burn::debit::<Self>(env, sender, amount_ld, min_amount_ld, dst_eid)
+            // Inline mint_burn::debit implementation
+            let receipt = Self::__debit_view(env, amount_ld, min_amount_ld, dst_eid);
+            MintBurnTokenClient::new(env, &Self::token(env)).burn(sender, &receipt.amount_received_ld);
+            receipt
         }
 
-        fn __credit(env: &Env, to: &Address, amount_ld: i128, src_eid: u32) -> i128 {
-            crate::oft_types::mint_burn::credit::<Self>(env, to, amount_ld, src_eid)
+        fn __credit(env: &Env, to: &Address, amount_ld: i128, _src_eid: u32) -> i128 {
+            // Inline mint_burn::credit implementation
+            MintBurnTokenClient::new(env, &Self::token(env)).mint(to, &amount_ld);
+            amount_ld
         }
     }
 }
 pub use test_mint_burn_oft::TestMintBurnOFT;
 
 mod test_lock_unlock_oft {
-    extern crate self as oft;
-
-    use crate::initialize_oft;
-    use crate::oft::{OFTInternal, OFT};
-    use crate::oft_impl;
-    use crate::types::OFTReceipt;
+    use crate::{
+        self as oft_core,
+        oft_core::{lz_receive, OFTCore, OFTInternal},
+        types::OFTReceipt,
+    };
     use endpoint_v2::Origin;
     use oapp::oapp_receiver::{LzReceiveInternal, OAppReceiver};
-    use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
+    use soroban_sdk::{contractimpl, token::TokenClient, Address, Bytes, BytesN, Env};
 
     #[oapp_macros::oapp(custom = [receiver])]
     pub struct TestLockUnlockOFT;
@@ -184,12 +194,12 @@ mod test_lock_unlock_oft {
             delegate: &Option<Address>,
             shared_decimals: u32,
         ) {
-            initialize_oft::<Self>(env, owner, token, endpoint, delegate, shared_decimals)
+            Self::__initialize_oft(env, owner, token, endpoint, delegate, shared_decimals)
         }
     }
 
     #[contractimpl(contracttrait)]
-    impl OFT for TestLockUnlockOFT {}
+    impl OFTCore for TestLockUnlockOFT {}
 
     impl LzReceiveInternal for TestLockUnlockOFT {
         fn __lz_receive(
@@ -201,7 +211,7 @@ mod test_lock_unlock_oft {
             executor: &Address,
             value: i128,
         ) {
-            oft_impl::lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
+            lz_receive::<Self>(env, executor, origin, guid, message, extra_data, value)
         }
     }
 
@@ -211,11 +221,20 @@ mod test_lock_unlock_oft {
 
     impl OFTInternal for TestLockUnlockOFT {
         fn __debit(env: &Env, sender: &Address, amount_ld: i128, min_amount_ld: i128, dst_eid: u32) -> OFTReceipt {
-            crate::oft_types::lock_unlock::debit::<Self>(env, sender, amount_ld, min_amount_ld, dst_eid)
+            // Inline lock_unlock::debit implementation
+            let receipt: OFTReceipt = Self::__debit_view(env, amount_ld, min_amount_ld, dst_eid);
+            TokenClient::new(env, &Self::token(env)).transfer(
+                sender,
+                env.current_contract_address(),
+                &receipt.amount_received_ld,
+            );
+            receipt
         }
 
-        fn __credit(env: &Env, to: &Address, amount_ld: i128, src_eid: u32) -> i128 {
-            crate::oft_types::lock_unlock::credit::<Self>(env, to, amount_ld, src_eid)
+        fn __credit(env: &Env, to: &Address, amount_ld: i128, _src_eid: u32) -> i128 {
+            // Inline lock_unlock::credit implementation
+            TokenClient::new(env, &Self::token(env)).transfer(&env.current_contract_address(), to, &amount_ld);
+            amount_ld
         }
     }
 }

package/contracts/oapps/{oft → oft-core}/src/utils.rs

@@ -38,7 +38,7 @@ pub fn remove_dust(amount_ld: i128, conversion_rate: i128) -> i128 {
 ///
 /// # Returns
 /// A 32-byte payload (contract ID hash or Ed25519 public key)
-pub fn address_to_bytes32(address: &Address) -> BytesN<32> {
+pub fn address_payload(address: &Address) -> BytesN<32> {
     match address.to_payload().unwrap() {
         AddressPayload::ContractIdHash(payload) => payload,
         AddressPayload::AccountIdPublicKeyEd25519(payload) => payload,

package/contracts/upgrader/src/lib.rs

@@ -2,45 +2,25 @@
 
 //! # Upgrader Contract
 //!
-//! A stateless utility contract for performing upgrade and migrate operations on upgradeable contracts.
-//!
-//! This contract provides a convenient way to upgrade other contracts, especially useful for
-//! performing upgrade+migrate atomically in a single transaction.
+//! A stateless utility contract for performing atomic upgrade and migrate operations
+//! on contracts implementing the [`Upgradeable`](utils::upgradeable::Upgradeable) trait.
 //!
 //! ## Security Model
 //!
-//! The Upgrader is a permissionless utility - anyone can call it, but security is enforced
-//! by the target contract's authorization checks. When you call `upgrader.upgrade()`, the target
-//! contract's `#[only_auth]` guard ensures only the target's authorizer can successfully upgrade it.
+//! The Upgrader is permissionless - anyone can call it, but security is enforced by the
+//! target contract's authorization checks. The target contract's `#[only_auth]` guard
+//! ensures only its authorizer can successfully upgrade it.
 //!
 //! ## Usage
 //!
-//! Deploy this contract once, then anyone can use it to upgrade contracts they own.
-//!
 //! ```ignore
-//! // Deploy upgrader (no initialization needed)
-//! let upgrader_id = env.register(Upgrader, ());
 //! let upgrader = UpgraderClient::new(&env, &upgrader_id);
-//!
-//! // Upgrade a contract (you must be the target contract's owner)
-//! upgrader.upgrade(&target_contract, &new_wasm_hash);
-//!
-//! // Or upgrade and migrate in one transaction
-//! let migration_data = vec![&env, val1, val2];
-//! upgrader.upgrade_and_migrate(&target_contract, &new_wasm_hash, migration_data);
+//! let migration_data = my_data.to_xdr(&env);
+//! upgrader.upgrade_and_migrate(&target_contract, &new_wasm_hash, &migration_data);
 //! ```
 
-use soroban_sdk::{contract, contractclient, contractimpl, symbol_short, Address, BytesN, Env, Symbol, Vec};
-
-/// Symbol for the migrate function call
-pub const MIGRATE: Symbol = symbol_short!("migrate");
-
-/// Trait representing an upgradeable contract's interface
-#[contractclient(name = "UpgradeableContractClient")]
-pub trait UpgradeableContract {
-    /// Upgrades the contract to new WASM bytecode
-    fn upgrade(env: &Env, new_wasm_hash: BytesN<32>);
-}
+use soroban_sdk::{contract, contractimpl, xdr::ToXdr, Address, Bytes, BytesN, Env};
+use utils::upgradeable::UpgradeableClient;
 
 /// Upgrader contract for managing upgrades of other contracts.
 ///
@@ -51,46 +31,39 @@ pub struct Upgrader;
 
 #[contractimpl]
 impl Upgrader {
-    /// Upgrade a target contract and run its migration in a single transaction
+    /// Upgrades a target contract without custom migration data.
+    ///
+    /// This is a convenience wrapper that calls `upgrade_and_migrate` with empty migration data.
+    ///
+    /// # Arguments
+    /// * `contract_address` - The address of the contract to upgrade
+    /// * `wasm_hash` - The hash of the new WASM bytecode
+    pub fn upgrade(env: &Env, contract_address: &Address, wasm_hash: &BytesN<32>) {
+        Self::upgrade_and_migrate(env, contract_address, wasm_hash, &().to_xdr(env));
+    }
+
+    /// Upgrades a target contract and runs its migration in a single transaction.
     ///
     /// The caller must be authorized as the authorizer of the target contract.
     /// This is enforced by the target contract's `#[only_auth]` check.
     ///
-    /// This is useful for atomic upgrades where you want to ensure the migration
-    /// happens immediately after the upgrade, or the entire operation fails.
-    ///
     /// # Arguments
     /// * `contract_address` - The address of the contract to upgrade
     /// * `wasm_hash` - The hash of the new WASM bytecode
-    /// * `migration_data` - A vector of values to pass to the migrate function.
-    ///   The types of these values depend on the target contract's MigrationData type.
+    /// * `migration_data` - XDR-encoded bytes to pass to the migrate function.
+    ///   Use `value.to_xdr(&env)` to encode the target contract's MigrationData type.
     ///
     /// # Example
     /// ```ignore
-    /// // For a contract with MigrationData = (u32, bool)
-    /// let migration_data = vec![
-    ///     &env,
-    ///     42u32.into_val(&env),
-    ///     true.into_val(&env),
-    /// ];
-    /// upgrader.upgrade_and_migrate(&contract_addr, &wasm_hash, migration_data);
+    /// let migration_data = my_data.to_xdr(&env);
+    /// upgrader.upgrade_and_migrate(&contract_addr, &wasm_hash, &migration_data);
     /// ```
-    pub fn upgrade_and_migrate(
-        env: &Env,
-        contract_address: &Address,
-        wasm_hash: BytesN<32>,
-        migration_data: Vec<soroban_sdk::Val>,
-    ) {
-        let contract_client = UpgradeableContractClient::new(env, contract_address);
-
-        // First upgrade the contract
-        contract_client.upgrade(&wasm_hash);
-
-        // Then call migrate with the provided data
-        // We use invoke_contract because the migration data type is unknown to this contract
-        env.invoke_contract::<()>(contract_address, &MIGRATE, migration_data);
+    pub fn upgrade_and_migrate(env: &Env, contract_address: &Address, wasm_hash: &BytesN<32>, migration_data: &Bytes) {
+        let client = UpgradeableClient::new(env, contract_address);
+        client.upgrade(wasm_hash);
+        client.migrate(migration_data);
     }
 }
 
 #[cfg(test)]
-mod tests;
+mod tests;

package/contracts/upgrader/src/tests/test_upgrader.rs

@@ -1,6 +1,6 @@
 extern crate std;
 
-use soroban_sdk::{contractclient, testutils::Address as _, Address, BytesN, Env, TryIntoVal};
+use soroban_sdk::{contractclient, testutils::Address as _, xdr::ToXdr, Address, BytesN, Env};
 
 use crate::{Upgrader, UpgraderClient};
 
@@ -17,16 +17,20 @@ trait TestUpgradeableContract2 {
 }
 
 mod contract_v1 {
-    // #[contract]
-    // #[upgradeable]
-    // #[ownable]
-    // pub struct TestUpgradeableContract;
+    //#![no_std]
 
-    // impl UpgradeableInternal for TestUpgradeableContract {
-    //     type MigrationData = ();
+    // use soroban_sdk::{contractimpl, Env, Symbol, Address, contractclient};
+    // use utils::{ upgradeable::UpgradeableInternal};
+    // use common_macros::lz_contract;
 
-    //     fn _migrate(env: &Env, _migration_data: &Self::MigrationData) {
-    //         env.storage().instance().set(&Symbol::new(env, "counter"), &2);
+    // #[lz_contract(upgradeable)]
+    // pub struct DummyContract;
+
+    // impl UpgradeableInternal for DummyContract {
+    //     type MigrationData = u32;
+
+    //     fn __migrate(env: &Env, migration_data: &Self::MigrationData) {
+    //         env.storage().instance().set(&Symbol::new(env, "counter2"), migration_data);
     //     }
     // }
 
@@ -35,34 +39,37 @@ mod contract_v1 {
     //     fn counter(env: &Env) -> u32;
     // }
 
-    // #[contract_impl]
-    // impl TestUpgradeable for TestUpgradeableContract {
+    // #[contractimpl]
+    // impl TestUpgradeable for DummyContract {
     //     fn counter(env: &Env) -> u32 {
     //         env.storage().instance().get(&Symbol::new(env, "counter")).unwrap_or(0)
     //     }
     // }
 
-    // #[contract_impl]
-    // impl TestUpgradeableContract {
+    // #[contractimpl]
+    // impl DummyContract {
     //     pub fn __constructor(env: &Env, owner: &Address) {
     //         Self::init_owner(env, owner);
     //         env.storage().instance().set(&Symbol::new(env, "counter"), &1_u32);
     //     }
     // }
-    use super::MigrationData;
     soroban_sdk::contractimport!(file = "./src/tests/test_data/test_upgradeable_contract1.wasm");
 }
 mod contract_v2 {
-    // #[contract]
-    // #[upgradeable]
-    // #[ownable]
-    // pub struct TestUpgradeableContract;
+    //#![no_std]
+
+    // use soroban_sdk::{contractimpl, Env, Symbol, Address, contractclient};
+    // use utils::{ upgradeable::UpgradeableInternal};
+    // use common_macros::lz_contract;
+
+    // #[lz_contract(upgradeable)]
+    // pub struct DummyContract;
 
-    // impl UpgradeableInternal for TestUpgradeableContract {
-    //     type MigrationData = ();
+    // impl UpgradeableInternal for DummyContract {
+    //     type MigrationData = u32;
 
-    //     fn _migrate(env: &Env, _migration_data: &Self::MigrationData) {
-    //         env.storage().instance().set(&Symbol::new(env, "counter2"), &2_u32);
+    //     fn __migrate(env: &Env, migration_data: &Self::MigrationData) {
+    //         env.storage().instance().set(&Symbol::new(env, "counter2"), migration_data);
     //     }
     // }
 
@@ -72,8 +79,8 @@ mod contract_v2 {
     //     fn counter2(env: &Env) -> u32;
     // }
 
-    // #[contract_impl]
-    // impl TestUpgradeable for TestUpgradeableContract {
+    // #[contractimpl]
+    // impl TestUpgradeable for DummyContract {
     //     fn counter(env: &Env) -> u32 {
     //         env.storage().instance().get(&Symbol::new(env, "counter")).unwrap_or(0)
     //     }
@@ -82,7 +89,14 @@ mod contract_v2 {
     //         env.storage().instance().get(&Symbol::new(env, "counter2")).unwrap_or(0)
     //     }
     // }
-    use super::MigrationData;
+
+    // #[contractimpl]
+    // impl DummyContract {
+    //     pub fn __constructor(env: &Env, owner: &Address) {
+    //         Self::init_owner(env, owner);
+    //         env.storage().instance().set(&Symbol::new(env, "counter"), &1_u32);
+    //     }
+    // }
     soroban_sdk::contractimport!(file = "./src/tests/test_data/test_upgradeable_contract2.wasm");
 }
 
@@ -90,9 +104,6 @@ fn install_new_wasm(e: &Env) -> BytesN<32> {
     e.deployer().upload_contract_wasm(contract_v2::WASM)
 }
 
-#[allow(dead_code)]
-type MigrationData = ();
-
 #[test]
 fn test_upgrade_with_upgrader() {
     let e = Env::default();
@@ -107,14 +118,12 @@ fn test_upgrade_with_upgrader() {
     let upgrader_client = UpgraderClient::new(&e, &upgrader);
 
     let new_wasm_hash = install_new_wasm(&e);
-
-    upgrader_client.upgrade_and_migrate(
-        &contract_id,
-        &new_wasm_hash,
-        &soroban_sdk::vec![&e, ().try_into_val(&e).unwrap()],
-    );
+    let counter_value = 2_u32;
+    // Encode migration data as XDR bytes
+    let migration_data = counter_value.to_xdr(&e);
+    upgrader_client.upgrade_and_migrate(&contract_id, &new_wasm_hash, &migration_data);
 
     let client_v2 = TestUpgradeableContractClient2::new(&e, &contract_id);
 
-    assert_eq!(client_v2.counter2(), 2);
+    assert_eq!(client_v2.counter2(), counter_value);
 }

package/contracts/utils/src/buffer_reader.rs

@@ -92,6 +92,7 @@ impl<'a> BufferReader<'a> {
         value
     }
 
+    /// Reads all bytes from current position to the end of the buffer.
     pub fn read_bytes_until_end(&mut self) -> Bytes {
         self.read_bytes(self.remaining_len())
     }

package/contracts/utils/src/errors.rs

@@ -27,8 +27,12 @@ pub enum TtlConfigurableError {
 /// OwnableError: 1030-1039
 #[contract_error]
 pub enum OwnableError {
-    OwnerAlreadySet = 1030,
+    InvalidPendingOwner = 1030,
+    InvalidTtl,
+    NoPendingTransfer,
+    OwnerAlreadySet,
     OwnerNotSet,
+    TransferInProgress,
 }
 
 /// BytesExtError: 1040-1049
@@ -40,7 +44,9 @@ pub enum BytesExtError {
 /// UpgradeableError: 1050-1059
 #[contract_error]
 pub enum UpgradeableError {
-    MigrationNotAllowed = 1050,
+    InvalidMigrationData = 1050,
+    MigrationNotAllowed,
+    UpgradesFrozen,
 }
 
 /// MultisigError: 1060-1069

package/contracts/utils/src/ownable.rs

@@ -6,7 +6,7 @@ use soroban_sdk::{assert_with_error, contractevent, Address, Env};
 // Ownable events
 // ===========================================================================
 
-/// Event emitted when ownership is transferred.
+/// Event emitted when ownership is transferred (both single-step and two-step completion).
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct OwnershipTransferred {
@@ -14,6 +14,15 @@ pub struct OwnershipTransferred {
     pub new_owner: Address,
 }
 
+/// Event emitted when a 2-step ownership transfer is proposed.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct OwnershipTransferring {
+    pub old_owner: Address,
+    pub new_owner: Address,
+    pub ttl: u32,
+}
+
 /// Event emitted when ownership is renounced.
 #[contractevent]
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -30,6 +39,10 @@ pub struct OwnershipRenounced {
 pub enum OwnableStorage {
     #[instance(Address)]
     Owner,
+    /// Pending owner for 2-step transfer. Stored in temporary storage with TTL -
+    /// automatically expires if not accepted in time.
+    #[temporary(Address)]
+    PendingOwner,
 }
 
 // ===========================================================================
@@ -40,23 +53,126 @@ pub enum OwnableStorage {
 ///
 /// Extends `Auth` to provide owner-based authorization. The `Auth::authorizer()`
 /// implementation should return the owner address for Ownable contracts.
+///
+/// Supports both single-step and two-step ownership transfer:
+/// - Single-step: `transfer_ownership` - Immediate transfer (use with caution)
+/// - Two-step: `propose_ownership_transfer` + `accept_ownership` - Safer, requires new owner to accept
 #[contract_trait]
 pub trait Ownable: Sized + Auth {
+    // ===========================================================================
+    // View functions
+    // ===========================================================================
+
     /// Returns the current owner address, or None if no owner is set.
     fn owner(env: &Env) -> Option<Address> {
         OwnableStorage::owner(env)
     }
 
-    /// Transfers ownership to a new address. Requires current owner authorization.
+    /// Returns the pending owner address for 2-step transfer, or None if no transfer is pending.
+    fn pending_owner(env: &Env) -> Option<Address> {
+        OwnableStorage::pending_owner(env)
+    }
+
+    // ===========================================================================
+    // Single-step transfer (immediate)
+    // ===========================================================================
+
+    /// Transfers ownership immediately to a new address.
+    ///
+    /// Use with caution - if you transfer to a wrong address, ownership is lost forever.
+    /// Consider using `propose_ownership_transfer` instead.
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `TransferInProgress` if a 2-step transfer is in progress
     fn transfer_ownership(env: &Env, new_owner: &Address) {
         let old_owner = enforce_owner_auth::<Self>(env);
+        assert_no_pending_transfer::<Self>(env);
+
         OwnableStorage::set_owner(env, new_owner);
         OwnershipTransferred { old_owner, new_owner: new_owner.clone() }.publish(env);
     }
 
-    /// Permanently renounces ownership. Requires current owner authorization.
+    // ===========================================================================
+    // Two-step transfer (safer)
+    // ===========================================================================
+
+    /// Proposes an ownership transfer to a new address.
+    ///
+    /// The new owner must call `accept_ownership()` within `ttl` ledgers
+    /// to complete the transfer. The pending transfer will automatically expire after.
+    ///
+    /// # Arguments
+    /// - `new_owner` - The proposed new owner
+    /// - `ttl` - Number of ledgers the new owner has to accept.
+    ///   Use `0` to cancel a pending transfer (new_owner must match pending).
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `NoPendingTransfer` when cancelling and no pending transfer exists
+    /// - `InvalidTtl` if ttl exceeds max TTL
+    /// - `InvalidPendingOwner` when cancelling with wrong new_owner address
+    fn propose_ownership_transfer(env: &Env, new_owner: &Address, ttl: u32) {
+        let old_owner = enforce_owner_auth::<Self>(env);
+
+        // Cancel case: ttl == 0
+        if ttl == 0 {
+            let pending = Self::pending_owner(env).unwrap_or_panic(env, OwnableError::NoPendingTransfer);
+
+            // Verify new_owner matches pending (prevents accidental cancellation)
+            assert_with_error!(env, pending == *new_owner, OwnableError::InvalidPendingOwner);
+
+            OwnableStorage::remove_pending_owner(env);
+            return;
+        }
+
+        // Initiate case: validate ttl
+        assert_with_error!(env, ttl <= env.storage().max_ttl(), OwnableError::InvalidTtl);
+
+        // Store pending owner with TTL
+        OwnableStorage::set_pending_owner(env, new_owner);
+        OwnableStorage::extend_pending_owner_ttl(env, ttl, ttl);
+
+        OwnershipTransferring { old_owner, new_owner: new_owner.clone(), ttl }.publish(env);
+    }
+
+    /// Accepts a pending 2-step ownership transfer.
+    ///
+    /// Must be called by the pending owner before the TTL expires.
+    ///
+    /// # Panics
+    /// - `NoPendingTransfer` if there is no pending transfer (or it expired)
+    fn accept_ownership(env: &Env) {
+        let new_owner = Self::pending_owner(env).unwrap_or_panic(env, OwnableError::NoPendingTransfer);
+
+        // Require authorization from the pending owner
+        new_owner.require_auth();
+
+        // Safe to unwrap: owner must exist if pending_owner exists because:
+        // 1. pending_owner can only be set via propose_ownership_transfer, which requires owner auth
+        // 2. renounce_ownership is blocked while a 2-step transfer is in progress
+        let old_owner = OwnableStorage::owner(env).unwrap();
+
+        // Transfer ownership
+        OwnableStorage::remove_pending_owner(env);
+        OwnableStorage::set_owner(env, &new_owner);
+
+        OwnershipTransferred { old_owner, new_owner }.publish(env);
+    }
+
+    // ===========================================================================
+    // Renounce
+    // ===========================================================================
+
+    /// Permanently renounces ownership.
+    ///
+    /// # Panics
+    /// - `OwnerNotSet` if no owner is currently set
+    /// - `TransferInProgress` if a 2-step transfer is in progress (cancel it first)
     fn renounce_ownership(env: &Env) {
         let old_owner = enforce_owner_auth::<Self>(env);
+        assert_no_pending_transfer::<Self>(env);
+
         OwnableStorage::remove_owner(env);
         OwnershipRenounced { old_owner }.publish(env);
     }
@@ -86,3 +202,9 @@ pub fn enforce_owner_auth<T: Ownable>(env: &Env) -> Address {
 pub fn require_owner_auth<T: Ownable>(env: &Env) {
     let _ = enforce_owner_auth::<T>(env);
 }
+
+/// Asserts that no 2-step ownership transfer is in progress.
+/// Panics with `TransferInProgress` if a pending transfer exists.
+fn assert_no_pending_transfer<T: Ownable>(env: &Env) {
+    assert_with_error!(env, T::pending_owner(env).is_none(), OwnableError::TransferInProgress);
+}

package/contracts/utils/src/tests/option_ext.rs

@@ -10,7 +10,7 @@ fn unwrap_or_panic_some_returns_value() {
 
 #[test]
 fn unwrap_or_panic_none_panics_with_error() {
-    const EXPECTED: &str = "Error(Contract, #1031)"; // OwnerNotSet
+    const EXPECTED: &str = "Error(Contract, #1034)"; // OwnerNotSet
     assert_panics_contains("none unwrap_or_panic", EXPECTED, || {
         let env = Env::default();
         let _got: u32 = None::<u32>.unwrap_or_panic(&env, OwnableError::OwnerNotSet);