spike: CoW rebalancer integration, proven against mainnet #7
Merged
De-risking spike for Stage 3, before building the full rebalancer. Proves the protocol can be a first-class CoW trader and that the order encoding matches the real GPv2Settlement, against live mainnet.

- GPv2Order: minimal port of CoW's order struct, TYPE_HASH, and EIP-712 digest (abi.encode, byte-for-byte equivalent to their assembly struct hashing).
- CoWOrderHandler (spike): implements ERC-1271 isValidSignature so the real GPv2Settlement accepts orders it has not pre-signed, validating each order against on-chain state (sell a registered constituent into USDC, paid to the vault, at an oracle-anchored minimum-out). The digest is rebound to the decoded order so a solver cannot pair a valid digest with a different order. Scope: sell leg only, no delta sizing or epoch lifecycle; the real integration makes the vault the order owner.
- MockGPv2Settlement: faithful mock of the EIP-1271 verify-then-move-tokens path for deterministic, no-network testing.

Findings: on a mainnet fork the handler reconstructs the exact digest the real settlement verifies (domain separator and relayer match the live contracts), isValidSignature returns the magic value for a derived order and reverts on tamper, the mock settle moves tokens with proportional partial fills, and isValidSignature costs ~14.7k gas per order (paid by solvers, not the vault). CoW can carry the rebalance design.

11 unit tests plus 3 mainnet-fork tests. CI runs fork tests as a non-blocking best-effort step (needs a mainnet RPC); the mainnet endpoint is in foundry.toml.
Why
The de-risking spike for Stage 3, run before committing to the full rebalancer. The goal is to answer the one question that gates whether this design works: can the protocol be a first-class CoW trader, and does our order encoding match what the real GPv2Settlement verifies on-chain. Both are now proven against live mainnet.
What
- GPv2Order: minimal port of CoW's order struct, TYPE_HASH, and EIP-712 digest, using abi.encode, which is byte-for-byte equivalent to CoW's assembly struct hashing.
- CoWOrderHandler (spike): implements ERC-1271 isValidSignature so the real GPv2Settlement accepts orders it has not pre-signed, validating each presented order against on-chain state (a sell of a registered constituent into USDC, paid to the vault, at an oracle-anchored minimum-out). The digest is rebound to the decoded order, so a solver cannot pair a valid order's digest with the encoding of a different order. Scope is the sell leg only, with no delta sizing or epoch lifecycle; in the real integration the vault is the order owner.
- MockGPv2Settlement: a faithful mock of CoW's verify-then-move-tokens path for deterministic, no-network testing.

Findings (the point of the spike)

- 0x9008... and 0xC92E..., and the independently recomputed EIP-712 domain formula matches too.
- isValidSignature returns the magic value for a state-derived order and reverts on tamper (below minOut, wrong receiver, wrong buy token, unregistered sell token, digest/order mismatch).
- isValidSignature costs about 14.7k gas per order, paid by solvers rather than the vault, so a 100-constituent reweight is affordable by construction.

Conclusion: CoW can carry the rebalance design. The remaining unproven piece is a full on-chain settle() through a registered solver with live liquidity, which is the natural first integration test for the real rebalancer.

Testing and CI

11 unit tests plus 3 mainnet-fork tests, all passing. The CI workflow runs the fork tests as a non-blocking best-effort step (they need a mainnet RPC), and the mainnet endpoint is configured in foundry.toml. The non-fork suite is 97 tests.
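
The digest rebinding described in the PR, shown in Solidity as an added example; it is not the PR's CoWOrderHandler or any project code. The order fields and type string follow CoW's GPv2Order; the contract name, constructor parameters, error names, and the assumption that the signature bytes are the ABI-encoded order are hypothetical, and only the receiver and buy-token checks from the PR's list are included.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the PR's CoWOrderHandler. Field layout follows CoW's
// GPv2Order.Data; contract name, constructor and error names are hypothetical.
struct Order {
    address sellToken; address buyToken; address receiver;
    uint256 sellAmount; uint256 buyAmount; uint32 validTo;
    bytes32 appData; uint256 feeAmount; bytes32 kind;
    bool partiallyFillable; bytes32 sellTokenBalance; bytes32 buyTokenBalance;
}

contract DigestBoundHandler {
    bytes4 internal constant MAGIC = 0x1626ba7e; // ERC-1271 magic value
    bytes32 internal constant TYPE_HASH = keccak256(
        "Order(address sellToken,address buyToken,address receiver,uint256 sellAmount,"
        "uint256 buyAmount,uint32 validTo,bytes32 appData,uint256 feeAmount,string kind,"
        "bool partiallyFillable,string sellTokenBalance,string buyTokenBalance)"
    );
    bytes32 public immutable domainSeparator; // settlement's EIP-712 domain separator
    address public immutable vault;           // required receiver of proceeds
    address public immutable usdc;            // required buy token

    error DigestMismatch();
    error BadReceiver();
    error BadBuyToken();

    constructor(bytes32 domainSeparator_, address vault_, address usdc_) {
        domainSeparator = domainSeparator_;
        vault = vault_;
        usdc = usdc_;
    }

    function orderDigest(Order memory o) public view returns (bytes32) {
        // Every field is one static 32-byte word, so abi.encode(TYPE_HASH, o) is
        // TYPE_HASH followed by the 12 fields in declaration order.
        bytes32 structHash = keccak256(abi.encode(TYPE_HASH, o));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator, structHash));
    }

    function isValidSignature(bytes32 digest, bytes calldata signature)
        external view returns (bytes4)
    {
        Order memory o = abi.decode(signature, (Order));
        // Bind the policy checks to the digest being settled: without this, a valid
        // order's digest could be presented with the encoding of a different order.
        if (orderDigest(o) != digest) revert DigestMismatch();
        if (o.receiver != vault) revert BadReceiver();
        if (o.buyToken != usdc) revert BadBuyToken();
        return MAGIC;
    }
}
```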