fix: ensure mint amount is greater than the dust limit (#1178)

* Handle the case where the deposit amount is below the dust limit in stacks validation
* Handle low mint amounts during deposit request filtering
* Make sure that we validate mint amount and dust amounts in bitcoin validation

Author: djordon

signer/src/bitcoin/utxo.rs

@@ -51,6 +51,7 @@ use crate::storage::model::TxOutput;
 use crate::storage::model::TxOutputType;
 use crate::storage::model::TxPrevout;
 use crate::storage::model::TxPrevoutType;
+use crate::DEPOSIT_DUST_LIMIT;
 
 /// The minimum incremental fee rate in sats per virtual byte for RBF
 /// transactions.
@@ -172,11 +173,14 @@ impl SbtcRequests {
             })
             .map(RequestRef::Withdrawal);
 
-        // Filter deposit requests based on two constraints:
-        // 1. The user's max fee must be >= our minimum required fee for deposits
-        //     (based on fixed deposit tx size)
+        // Filter deposit requests based on four constraints:
+        // 1. The user's max fee must be >= our minimum required fee for
+        //     deposits (based on fixed deposit tx size)
         // 2. The deposit amount must be less than the per-deposit limit
-        // 3. The total amount being minted must stay under the maximum allowed mintable amount
+        // 3. The total amount being minted must stay under the maximum
+        //    allowed mintable amount
+        // 4. The mint amount is above the deposit dust limit in the smart
+        //    contract.
         let minimum_deposit_fee = self.compute_minimum_fee(SOLO_DEPOSIT_TX_VSIZE);
         let max_mintable_cap = self.sbtc_limits.max_mintable_cap().to_sat();
         let per_deposit_cap = self.sbtc_limits.per_deposit_cap().to_sat();
@@ -191,6 +195,9 @@ impl SbtcRequests {
                 } else {
                     false
                 };
+            if req.amount.saturating_sub(minimum_deposit_fee) < DEPOSIT_DUST_LIMIT {
+                return None;
+            }
             if is_fee_valid && is_within_per_deposit_cap && is_within_max_mintable_cap {
                 amount_to_mint += req.amount;
                 Some(RequestRef::Deposit(req))
@@ -2849,6 +2856,63 @@ mod tests {
         assert_eq!(total_amount, accepted_amount);
     }
 
+    #[test_case(
+        create_deposit(
+            DEPOSIT_DUST_LIMIT + SOLO_DEPOSIT_TX_VSIZE as u64,
+            10_000,
+            0
+        ),
+        true; "deposit amounts over the dust limit accepted")]
+    #[test_case(
+        create_deposit(
+            DEPOSIT_DUST_LIMIT + SOLO_DEPOSIT_TX_VSIZE as u64 - 1,
+            10_000,
+            0
+        ),
+        false; "deposit amounts under the dust limit rejected")]
+    fn deposit_requests_respect_dust_limits(req: DepositRequest, is_included: bool) {
+        let outpoint = req.outpoint;
+        let public_key = XOnlyPublicKey::from_str(X_ONLY_PUBLIC_KEY1).unwrap();
+
+        // We use a fee rate of 1 to simplify the computation. The
+        // filtering done here uses a heuristic where we take the maximum
+        // fee that the user could pay, and subtract that amount from the
+        // deposit amount. The maximum fee that a user could pay is the
+        // SOLO_DEPOSIT_TX_VSIZE times the fee rate so with a fee rate of 1
+        // we should filter the request if the deposit amount is less than
+        // SOLO_DEPOSIT_TX_VSIZE + DEPOSIT_DUST_LIMIT.
+        let requests = SbtcRequests {
+            deposits: vec![create_deposit(2500000, 100000, 0), req],
+            withdrawals: vec![],
+            signer_state: SignerBtcState {
+                utxo: SignerUtxo {
+                    outpoint: generate_outpoint(300_000, 0),
+                    amount: 300_000_000,
+                    public_key,
+                },
+                fee_rate: 1.0,
+                public_key,
+                last_fees: None,
+                magic_bytes: [0; 2],
+            },
+            num_signers: 11,
+            accept_threshold: 6,
+            sbtc_limits: SbtcLimits::default(),
+        };
+
+        // Let's construct the unsigned transaction and check to see if we
+        // include it in the deposit requests in the transaction.
+        let tx = requests.construct_transactions().unwrap().pop().unwrap();
+        let request_is_included = tx
+            .requests
+            .iter()
+            .filter_map(RequestRef::as_deposit)
+            .find(|req| req.outpoint == outpoint)
+            .is_some();
+
+        assert_eq!(request_is_included, is_included);
+    }
+
     #[test]
     fn test_construct_transactions_capped_by_number() {
         // with 30 deposits and 30 withdrawals with 4 votes against each, we should generate 60 distinct transactions

signer/src/bitcoin/validation.rs

@@ -23,6 +23,7 @@ use crate::storage::model::BitcoinWithdrawalOutput;
 use crate::storage::model::QualifiedRequestId;
 use crate::storage::model::SignerVotes;
 use crate::storage::DbRead;
+use crate::DEPOSIT_DUST_LIMIT;
 use crate::DEPOSIT_LOCKTIME_BLOCK_BUFFER;
 
 use super::utxo::DepositRequest;
@@ -264,7 +265,7 @@ impl BitcoinPreSignRequest {
                 .deposit_reports
                 .get(&key)
                 // This should never happen because we have already validated that we have all the reports.
-                .ok_or(InputValidationResult::Unknown.into_error(btc_ctx))?;
+                .ok_or_else(|| InputValidationResult::Unknown.into_error(btc_ctx))?;
             deposits.push((report.to_deposit_request(votes), report.clone()));
         }
 
@@ -273,7 +274,7 @@ impl BitcoinPreSignRequest {
                 .withdrawal_reports
                 .get(id)
                 // This should never happen because we have already validated that we have all the reports.
-                .ok_or(WithdrawalValidationResult::Unknown.into_error(btc_ctx))?;
+                .ok_or_else(|| WithdrawalValidationResult::Unknown.into_error(btc_ctx))?;
             withdrawals.push((report.to_withdrawal_request(votes), report.clone()));
         }
 
@@ -508,6 +509,9 @@ impl SbtcReports {
 pub enum InputValidationResult {
     /// The deposit request passed validation
     Ok,
+    /// The deposit request amount, less the fees, would be rejected from
+    /// the smart contract during the complete-deposit contract call.
+    MintAmountBelowDustLimit,
     /// The deposit request amount exceeds the allowed per-deposit cap.
     AmountTooHigh,
     /// The assessed fee exceeds the max-fee in the deposit request.
@@ -730,6 +734,10 @@ impl DepositRequestReport {
             return InputValidationResult::FeeTooHigh;
         }
 
+        if self.amount.saturating_sub(assessed_fee.to_sat()) < DEPOSIT_DUST_LIMIT {
+            return InputValidationResult::MintAmountBelowDustLimit;
+        }
+
         // Let's check whether we rejected this deposit.
         match self.can_accept {
             Some(true) => (),
@@ -1063,6 +1071,38 @@ mod tests {
         status: InputValidationResult::FeeTooHigh,
         chain_tip_height: 2,
     } ; "one-sat-too-high-fee-amount")]
+    #[test_case(DepositReportErrorMapping {
+        report: DepositRequestReport {
+            status: DepositConfirmationStatus::Confirmed(0, BitcoinBlockHash::from([0; 32])),
+            can_sign: Some(true),
+            can_accept: Some(true),
+            amount: TX_FEE.to_sat() + DEPOSIT_DUST_LIMIT - 1,
+            max_fee: TX_FEE.to_sat(),
+            lock_time: LockTime::from_height(DEPOSIT_LOCKTIME_BLOCK_BUFFER + 3),
+            outpoint: OutPoint::null(),
+            deposit_script: ScriptBuf::new(),
+            reclaim_script: ScriptBuf::new(),
+            signers_public_key: *sbtc::UNSPENDABLE_TAPROOT_KEY,
+        },
+        status: InputValidationResult::MintAmountBelowDustLimit,
+        chain_tip_height: 2,
+    } ; "one-sat-under-dust-amount")]
+    #[test_case(DepositReportErrorMapping {
+        report: DepositRequestReport {
+            status: DepositConfirmationStatus::Confirmed(0, BitcoinBlockHash::from([0; 32])),
+            can_sign: Some(true),
+            can_accept: Some(true),
+            amount: TX_FEE.to_sat() + DEPOSIT_DUST_LIMIT,
+            max_fee: TX_FEE.to_sat(),
+            lock_time: LockTime::from_height(DEPOSIT_LOCKTIME_BLOCK_BUFFER + 3),
+            outpoint: OutPoint::null(),
+            deposit_script: ScriptBuf::new(),
+            reclaim_script: ScriptBuf::new(),
+            signers_public_key: *sbtc::UNSPENDABLE_TAPROOT_KEY,
+        },
+        status: InputValidationResult::Ok,
+        chain_tip_height: 2,
+    } ; "at-dust-amount")]
     #[test_case(DepositReportErrorMapping {
         report: DepositRequestReport {
             status: DepositConfirmationStatus::Confirmed(0, BitcoinBlockHash::from([0; 32])),

signer/src/lib.rs

@@ -78,6 +78,11 @@ pub const MAX_REORG_BLOCK_COUNT: i64 = 10;
 /// per block.
 pub const MAX_TX_PER_BITCOIN_BLOCK: i64 = 25;
 
+/// This is the dust limit for deposits in the sBTC smart contracts.
+/// Deposit amounts that is less than this amount will be rejected by the
+/// smart contract.
+pub const DEPOSIT_DUST_LIMIT: u64 = 546;
+
 /// These are all build info variables. Many of them are set in build.rs.
 
 /// The name of the binary that is being run,

signer/src/stacks/contracts.rs

@@ -54,6 +54,7 @@ use crate::storage::model::BitcoinBlockRef;
 use crate::storage::model::BitcoinTxId;
 use crate::storage::model::ToLittleEndianOrder as _;
 use crate::storage::DbRead;
+use crate::DEPOSIT_DUST_LIMIT;
 
 use super::api::StacksInteract;
 
@@ -347,7 +348,7 @@ impl AsContractCall for CompleteDepositV1 {
     ///    as an input.
     /// 5. That the recipients in the transaction matches that of the
     ///    deposit request.
-    /// 6. That the amount to mint does not exceed the deposit amount.
+    /// 6. That the amount to mint is above the dust amount.
     /// 7. That the fee matches the expected assessed fee for the outpoint.
     /// 8. That the fee is less than the specified max-fee.
     /// 9. That the first input into the sweep transaction is the signers'
@@ -387,7 +388,7 @@ impl CompleteDepositV1 {
     ///    of swept deposit requests.
     /// 5. That the recipients in the transaction matches that of the
     ///    deposit request.
-    /// 6. That the amount to mint does not exceed the deposit amount.
+    /// 6. That the amount to mint is above the dust amount.
     /// 7. That the fee matches the expected assessed fee for the outpoint.
     /// 8. That the fee is less than the specified max-fee.
     ///
@@ -418,10 +419,10 @@ impl CompleteDepositV1 {
         if &self.recipient != deposit_request.recipient.deref() {
             return Err(DepositErrorMsg::RecipientMismatch.into_error(req_ctx, self));
         }
-        // 6. Check that the amount to mint does not exceed the deposit
+        // 6. Check that the amount to mint is above the dust amount
         //    amount.
-        if self.amount > deposit_request.amount {
-            return Err(DepositErrorMsg::InvalidMintAmount.into_error(req_ctx, self));
+        if self.amount < DEPOSIT_DUST_LIMIT {
+            return Err(DepositErrorMsg::AmountBelowDustLimit.into_error(req_ctx, self));
         }
         // 7. That the fee matches the expected assessed fee for the outpoint.
         if fee.to_sat() + self.amount != deposit_request.amount {
@@ -547,19 +548,20 @@ impl std::error::Error for DepositValidationError {
 /// transactions.
 #[derive(Debug, thiserror::Error, PartialEq, Eq)]
 pub enum DepositErrorMsg {
+    /// The smart contract has a dust limit which is used to rejects
+    /// contract calls if the mint amount is below that limit. We check for
+    /// that condition here before minting.
+    #[error("the amount to mint is below the dust limit in the smart contract")]
+    AmountBelowDustLimit,
     /// The smart contract deployer is fixed, so this should always match.
-    #[error("The deployer in the transaction does not match the expected deployer")]
+    #[error("the deployer in the transaction does not match the expected deployer")]
     DeployerMismatch,
     /// The fee paid to the bitcoin miners exceeded the max fee.
     #[error("fee paid to the bitcoin miners exceeded the max fee")]
     FeeTooHigh,
     /// The supplied fee does not match what is expected.
     #[error("the supplied fee does not match what is expected")]
     IncorrectFee,
-    /// The amount to mint must not exceed the amount in the deposit
-    /// request.
-    #[error("amount to mint exceeded the amount in the deposit request")]
-    InvalidMintAmount,
     /// The deposit outpoint is missing from the indicated sweep
     /// transaction.
     #[error("deposit outpoint is missing from the indicated sweep transaction")]

signer/src/testing/block_observer.rs

@@ -103,7 +103,7 @@ impl TestHarness {
             vout: Vec::new(),
             block_hash: response
                 .block_hash
-                .unwrap_or(bitcoin::BlockHash::all_zeros()),
+                .unwrap_or_else(bitcoin::BlockHash::all_zeros),
             confirmations: 0,
             block_time: 0,
         };