Architecture Overview
- MetaERC20Hub (canonical chain): Locks the native asset, tracks escrowed balances, and dispatches mint instructions to spokes. Receives
UnlockRequest
messages to release canonical tokens. Maintains a validator-reviewed buffer for high-value relays. - MetaERC20Spoke (remote chains): Mints and burns the synthetic representation of the token. Routes transfers either directly to another spoke or back through the hub depending on security thresholds.
- MetaERC20Base: Shared logic that handles transfer bookkeeping, deterministic transfer IDs, domain registration, and dispatching through
IMetalayerRouter
.
AccessControlDefaultAdminRulesUpgradeable
and inherit Metalayer’s interchain security guarantees.
Message Types
MetaToken messages are encoded viaMetaERC20MessageStruct
and fall into one of four categories:
Type | Description |
---|---|
MintRequest | Spoke mints synthetic tokens to the recipient. Default for spoke-to-spoke transfers. |
UnlockRequest | Hub releases canonical tokens to the recipient after a spoke burn. |
SecurityRelay | Spoke-to-spoke transfer exceeding the configured threshold. Buffered on the hub for manual validator approval. |
AdminAction | Reserved for emergency reissue or administrative overrides. |
Transfer Flows
Hub → Spoke
- User deposits canonical tokens into the Hub (
MetaERC20Hub
). - Hub locks funds and emits a
MintRequest
to the destination spoke. - Spoke mints the synthetic supply to the recipient after converting decimals if necessary.
Spoke → Hub
- User calls
transferRemote
on the spoke with the hub domain and target recipient. - Spoke burns the synthetic tokens and emits an
UnlockRequest
to the hub. - Hub validates the request against locked balance and releases canonical tokens.
Spoke → Spoke (Standard)
- Spoke burns the source-chain synthetic tokens and generates a
MintRequest
for the destination spoke. - Destination spoke mints the requested amount to the recipient address.
Spoke → Spoke (High Value)
- If
amount >= securityThreshold
, the spoke emits aSecurityRelay
targeting the hub instead of the destination spoke. - Hub buffers the transfer and emits
SecurityRelayBuffered
until an operator withVALIDATOR_ROLE
reviews the request. - Upon approval, the hub re-dispatches the transfer as a
MintRequest
to the destination spoke.
On-Chain Integration
Tokens expose a single entry point for user transfers:transferRemote
internally:
- Validates the destination domain and recipient.
- Records the transfer for replay protection and TTL-based pruning.
- Dispatches the encoded MetaERC20 message via
metalayerRouter.dispatch
using the spoke’s configured finality state and gas limit.
gasFee
, call the spoke’s quoteDispatchFee()
helper (available in the deployed package) or invoke router.quoteDispatch
directly with the token’s configured gas limit and finality state.
Roles & Governance
Contract | Role | Purpose |
---|---|---|
Hub | DEFAULT_ADMIN_ROLE | Owns upgrades and role assignment. |
Hub | ADMIN_ROLE | Manages domain mappings, gas limits, and TTL windows. |
Hub | VALIDATOR_ROLE | Approves or rejects buffered SecurityRelay transfers. |
Spoke | DEFAULT_ADMIN_ROLE | Owns upgrades and role assignment. |
Spoke | ADMIN_ROLE | Updates thresholds, domain mappings, and gas configuration. |
Operational Controls
- TTL Window: Transfers older than the configured TTL can be pruned to reclaim storage.
- Security Threshold: Adjustable per spoke; setting to zero forces all transfers through the hub, while high values favour low-latency spoke-to-spoke routing.
- Gas Limits: Each deployment specifies a max gas limit enforced when dispatching through the router to prevent runaway costs.
- Emergency Procedures: Hub admins can perform
MetaERC20AdminUnlock
to release stuck funds; spoke admins canMetaERC20AdminReissue
synthetic balances if a destination chain requires remediation.
Deployment Information
- Deterministic addresses and per-network configuration will be published alongside each rollout; reach out to Caldera for the latest deployment matrix.
- All deployments share the same message format and can be upgraded without breaking deterministic transfer IDs, provided the storage layout gaps are respected.