Merge pull request #3207 from DFXswiss/develop

Release: develop -> main

Author: TaprootFreak

migration/1771340546052-AddCountryManualReviewRequired.js

@@ -0,0 +1,30 @@
+/**
+ * @typedef {import('typeorm').MigrationInterface} MigrationInterface
+ * @typedef {import('typeorm').QueryRunner} QueryRunner
+ */
+
+/**
+ * @class
+ * @implements {MigrationInterface}
+ */
+module.exports = class AddCountryManualReviewRequired1771340546052 {
+    name = 'AddCountryManualReviewRequired1771340546052'
+
+    /**
+     * @param {QueryRunner} queryRunner
+     */
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "country" ADD "manualReviewRequired" bit NOT NULL CONSTRAINT "DF_e1a3302c583e7c2e4afcbe524f9" DEFAULT 0`);
+        await queryRunner.query(`ALTER TABLE "country" ADD "manualReviewRequiredOrganization" bit NOT NULL CONSTRAINT "DF_4852972602f8b5412de725340f9" DEFAULT 0`);
+    }
+
+    /**
+     * @param {QueryRunner} queryRunner
+     */
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "country" DROP CONSTRAINT "DF_4852972602f8b5412de725340f9"`);
+        await queryRunner.query(`ALTER TABLE "country" DROP COLUMN "manualReviewRequiredOrganization"`);
+        await queryRunner.query(`ALTER TABLE "country" DROP CONSTRAINT "DF_e1a3302c583e7c2e4afcbe524f9"`);
+        await queryRunner.query(`ALTER TABLE "country" DROP COLUMN "manualReviewRequired"`);
+    }
+}

src/shared/models/country/country.entity.ts

@@ -57,6 +57,12 @@ export class Country extends IEntity {
   @Column({ default: AmlRule.DEFAULT })
   amlRule: AmlRule;
 
+  @Column({ default: false })
+  manualReviewRequired: boolean;
+
+  @Column({ default: false })
+  manualReviewRequiredOrganization: boolean;
+
   @Column({ length: 'MAX', nullable: true })
   enabledKycDocuments: string; // semicolon separated KycDocuments
 

src/subdomains/core/liquidity-management/adapters/actions/clementine-bridge.adapter.ts

@@ -20,6 +20,7 @@ import { Blockchain } from 'src/integration/blockchain/shared/enums/blockchain.e
 import { isAsset } from 'src/shared/models/active';
 import { Asset, AssetType } from 'src/shared/models/asset/asset.entity';
 import { AssetService } from 'src/shared/models/asset/asset.service';
+import { SettingService } from 'src/shared/models/setting/setting.service';
 import { DfxLogger } from 'src/shared/services/dfx-logger';
 import { LiquidityManagementOrder } from '../../entities/liquidity-management-order.entity';
 import { LiquidityManagementSystem } from '../../enums';
@@ -34,9 +35,9 @@ export enum ClementineBridgeCommands {
 }
 
 /**
- * Correlation ID format for tracking operations:
- * - Deposit: clementine:deposit:{depositAddress}:{btcTxId}
- * - Withdraw: clementine:withdraw:{step}:{signerAddress}:{destinationAddress}:{withdrawalUtxo}:{optimisticSig}:{operatorSig}
+ * Correlation ID format for tracking operations (base64-encoded JSON after prefix):
+ * - Deposit: clementine:deposit:{base64(DepositCorrelationData)}
+ * - Withdraw: clementine:withdraw:{base64(WithdrawCorrelationData)}
  *
  * Withdrawal steps: dust_sent, scanning, signatures_generated, sent_to_bridge, waiting_optimistic, sent_to_operators
  */
@@ -72,6 +73,12 @@ const BITCOIN_RELAY_CONFIRMATIONS: Record<ClementineNetwork, number> = {
   [ClementineNetwork.TESTNET4]: 100,
 };
 
+interface DepositCorrelationData {
+  depositAddress: string;
+  citreaAddress: string;
+  btcTxId?: string;
+}
+
 interface WithdrawCorrelationData {
   step: string;
   signerAddress: string;
@@ -107,6 +114,7 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
     private readonly assetService: AssetService,
     private readonly bitcoinFeeService: BitcoinFeeService,
     private readonly bitcoinTestnet4FeeService: BitcoinTestnet4FeeService,
+    private readonly settingService: SettingService,
   ) {
     super(LiquidityManagementSystem.CLEMENTINE_BRIDGE);
 
@@ -152,6 +160,10 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
   /**
    * Deposit BTC to receive cBTC on Citrea
    * Note: Clementine uses a fixed bridge amount of 10 BTC
+   *
+   * Deposit is a two-step process:
+   * 1. Generate deposit address (returns pending_confirmation)
+   * 2. After manual approval, send BTC to deposit address
    */
   private async deposit(order: LiquidityManagementOrder): Promise<CorrelationId> {
     const {
@@ -189,19 +201,21 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
     const { depositAddress } = await this.clementineClient.depositStart(this.recoveryTaprootAddress, citreaAddress);
 
     this.logger.info(
-      `Deposit address generated: ${depositAddress}, recovery: ${this.recoveryTaprootAddress}, citrea: ${citreaAddress}`,
+      `Deposit address generated: ${depositAddress}, recovery: ${this.recoveryTaprootAddress}, citrea: ${citreaAddress}. Waiting for manual approval before sending BTC.`,
     );
 
     // Update order with fixed amount
     order.inputAmount = CLEMENTINE_BRIDGE_AMOUNT_BTC;
     order.inputAsset = bitcoinAsset.name;
     order.outputAsset = citreaAsset.name;
 
-    // Send BTC to the deposit address
-    const btcTxId = await this.sendBtcToAddress(depositAddress, CLEMENTINE_BRIDGE_AMOUNT_BTC);
+    // Store deposit data - BTC will be sent after manual approval
+    const correlationData: DepositCorrelationData = {
+      depositAddress,
+      citreaAddress,
+    };
 
-    // Store deposit address and txId in correlation ID for status checks
-    return `${CORRELATION_PREFIX.DEPOSIT}${depositAddress}:${btcTxId}`;
+    return `${CORRELATION_PREFIX.DEPOSIT}${this.encodeDepositCorrelation(correlationData)}`;
   }
 
   /**
@@ -291,21 +305,44 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
     }
 
     try {
-      // Extract deposit address and BTC txId from correlation ID
-      const correlationData = order.correlationId.replace(CORRELATION_PREFIX.DEPOSIT, '');
-      const [depositAddress, btcTxId] = correlationData.split(':');
+      const correlationData = this.decodeDepositCorrelation(
+        order.correlationId.replace(CORRELATION_PREFIX.DEPOSIT, ''),
+      );
 
-      // Step 1: Verify the Bitcoin transaction has enough confirmations for block relay
-      if (btcTxId && !(await this.isBtcTxRelayConfirmed(btcTxId))) {
+      this.logger.verbose(
+        `Deposit check: address=${correlationData.depositAddress}, btcTxId=${correlationData.btcTxId ?? 'pending'}`,
+      );
+
+      // Step 1: If no BTC sent yet, wait for manual approval via Setting
+      if (!correlationData.btcTxId) {
+        const isConfirmed = await this.isDepositApproved(correlationData.depositAddress);
+        if (!isConfirmed) {
+          this.logger.verbose(
+            `Deposit ${correlationData.depositAddress}: waiting for manual approval (add to 'clementineApprovedDeposits' setting)`,
+          );
+          return false;
+        }
+
+        await this.removeDepositApproval(correlationData.depositAddress);
+
+        const btcTxId = await this.sendBtcToAddress(correlationData.depositAddress, CLEMENTINE_BRIDGE_AMOUNT_BTC);
+        correlationData.btcTxId = btcTxId;
+        order.correlationId = `${CORRELATION_PREFIX.DEPOSIT}${this.encodeDepositCorrelation(correlationData)}`;
+        this.logger.info(`Deposit ${correlationData.depositAddress}: approved and BTC sent, txId=${btcTxId}`);
+        return false;
+      }
+
+      // Step 2: Verify the Bitcoin transaction has enough confirmations for block relay
+      if (correlationData.btcTxId && !(await this.isBtcTxRelayConfirmed(correlationData.btcTxId))) {
         this.logger.verbose(
-          `Deposit ${depositAddress}: BTC TX not yet confirmed (need ${BITCOIN_RELAY_CONFIRMATIONS[this.network]}+)`,
+          `Deposit ${correlationData.depositAddress}: BTC TX not yet confirmed (need ${BITCOIN_RELAY_CONFIRMATIONS[this.network]}+)`,
         );
         return false;
       }
 
-      // Step 2: Check Clementine deposit status
-      const depositStatus = await this.clementineClient.depositStatus(depositAddress);
-      this.logger.verbose(`Deposit ${depositAddress}: Clementine status = ${depositStatus.status}`);
+      // Step 3: Check Clementine deposit status
+      const depositStatus = await this.clementineClient.depositStatus(correlationData.depositAddress);
+      this.logger.verbose(`Deposit ${correlationData.depositAddress}: Clementine status = ${depositStatus.status}`);
 
       if (depositStatus.status === 'failed') {
         throw new OrderFailedException(`Clementine deposit failed: ${depositStatus.errorMessage ?? 'Unknown error'}`);
@@ -322,6 +359,17 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
     }
   }
 
+  private async isDepositApproved(depositAddress: string): Promise<boolean> {
+    const approvedDeposits = await this.settingService.getObj<string[]>('clementineApprovedDeposits', []);
+    return approvedDeposits.includes(depositAddress);
+  }
+
+  private async removeDepositApproval(depositAddress: string): Promise<void> {
+    const approvedDeposits = await this.settingService.getObj<string[]>('clementineApprovedDeposits', []);
+    const updated = approvedDeposits.filter((addr) => addr !== depositAddress);
+    await this.settingService.setObj('clementineApprovedDeposits', updated);
+  }
+
   private async checkWithdrawCompletion(order: LiquidityManagementOrder): Promise<boolean> {
     const {
       pipeline: {
@@ -589,6 +637,14 @@ export class ClementineBridgeAdapter extends LiquidityActionAdapter {
     return true;
   }
 
+  private encodeDepositCorrelation(data: DepositCorrelationData): string {
+    return Buffer.from(JSON.stringify(data)).toString('base64');
+  }
+
+  private decodeDepositCorrelation(encoded: string): DepositCorrelationData {
+    return JSON.parse(Buffer.from(encoded, 'base64').toString('utf-8'));
+  }
+
   private encodeWithdrawCorrelation(data: WithdrawCorrelationData): string {
     return Buffer.from(JSON.stringify(data)).toString('base64');
   }

src/subdomains/generic/kyc/dto/kyc-error.enum.ts

@@ -29,6 +29,7 @@ export enum KycError {
   IP_COUNTRY_MISMATCH = 'IpCountryMismatch',
   COUNTRY_IP_COUNTRY_MISMATCH = 'CountryIpCountryMismatch',
   RESIDENCE_PERMIT_CHECK_REQUIRED = 'ResidencePermitCheckRequired',
+  MANUAL_REVIEW_REQUIRED = 'ManualReviewRequired',
 
   // Recommendation errors
   EXPIRED_RECOMMENDATION = 'ExpiredRecommendation',
@@ -91,6 +92,7 @@ export const KycErrorMap: Record<KycError, string> = {
   [KycError.INCORRECT_INFO]: 'Incorrect response',
   [KycError.RESIDENCE_PERMIT_CHECK_REQUIRED]: undefined,
   [KycError.EXPIRED_STEP]: 'Your documents are expired',
+  [KycError.MANUAL_REVIEW_REQUIRED]: undefined,
 };
 
 export const KycReasonMap: { [e in KycError]?: KycStepReason } = {

src/subdomains/generic/kyc/services/kyc.service.ts

@@ -207,7 +207,7 @@ export class KycService {
         status: ReviewStatus.INTERNAL_REVIEW,
         userData: { kycSteps: { name: KycStepName.NATIONALITY_DATA, status: ReviewStatus.COMPLETED } },
       },
-      relations: { userData: { users: true, wallet: true, kycFiles: true } },
+      relations: { userData: { users: true, wallet: true, kycFiles: true, organization: { country: true } } },
     });
 
     for (const entity of entities) {
@@ -1470,10 +1470,15 @@ export class KycService {
 
     // Country & verifiedName check
     const userCountry =
-      identStep.userData.organizationCountry ?? identStep.userData.verifiedCountry ?? identStep.userData.country;
+      identStep.userData.organizationCountry ??
+      identStep.userData.organization.country ??
+      identStep.userData.verifiedCountry ??
+      identStep.userData.country;
+
     if (identStep.userData.accountType === AccountType.PERSONAL) {
       // Personal Account
-      if (userCountry && !userCountry.dfxEnable) errors.push(KycError.COUNTRY_NOT_ALLOWED);
+      if (!userCountry.dfxEnable) errors.push(KycError.COUNTRY_NOT_ALLOWED);
+      if (userCountry.manualReviewRequired) errors.push(KycError.MANUAL_REVIEW_REQUIRED);
 
       if (!identStep.userData.verifiedName && identStep.userData.status === UserDataStatus.ACTIVE) {
         errors.push(KycError.VERIFIED_NAME_MISSING);
@@ -1485,7 +1490,8 @@ export class KycService {
       }
     } else {
       // Business Account
-      if (userCountry && !userCountry.dfxOrganizationEnable) errors.push(KycError.COUNTRY_NOT_ALLOWED);
+      if (!userCountry.dfxOrganizationEnable) errors.push(KycError.COUNTRY_NOT_ALLOWED);
+      if (userCountry.manualReviewRequiredOrganization) errors.push(KycError.MANUAL_REVIEW_REQUIRED);
     }
 
     return errors;

src/subdomains/supporting/payin/strategies/register/impl/cardano.strategy.ts

@@ -20,11 +20,18 @@ import { RegisterStrategy } from './base/register.strategy';
 export class CardanoStrategy extends RegisterStrategy {
   protected logger: DfxLogger = new DfxLogger(CardanoStrategy);
 
+  private readonly cardanoPaymentDepositAddress: string;
+
   constructor(
     private readonly payInCardanoService: PayInCardanoService,
     private readonly transactionRequestService: TransactionRequestService,
   ) {
     super();
+
+    this.cardanoPaymentDepositAddress = CardanoUtil.createWallet({
+      seed: Config.payment.cardanoSeed,
+      index: 0,
+    }).address;
   }
 
   get blockchain(): Blockchain {
@@ -39,6 +46,8 @@ export class CardanoStrategy extends RegisterStrategy {
       this.blockchain,
     );
 
+    if (this.cardanoPaymentDepositAddress) activeDepositAddresses.push(this.cardanoPaymentDepositAddress);
+
     await this.processNewPayInEntries(activeDepositAddresses.map((a) => BlockchainAddress.create(a, this.blockchain)));
   }
 
@@ -126,8 +135,7 @@ export class CardanoStrategy extends RegisterStrategy {
     return payInEntries;
   }
 
-  private getTxType(depositAddress: string): PayInType {
-    const paymentAddress = CardanoUtil.createWallet({ seed: Config.payment.cardanoSeed, index: 0 }).address;
-    return Util.equalsIgnoreCase(paymentAddress, depositAddress) ? PayInType.PAYMENT : PayInType.DEPOSIT;
+  private getTxType(address: string): PayInType {
+    return Util.equalsIgnoreCase(this.cardanoPaymentDepositAddress, address) ? PayInType.PAYMENT : PayInType.DEPOSIT;
   }
 }

src/subdomains/supporting/realunit/controllers/realunit.controller.ts

@@ -362,7 +362,7 @@ export class RealUnitController {
     @GetJwt() jwt: JwtPayload,
     @Body() dto: RealUnitEmailRegistrationDto,
   ): Promise<RealUnitEmailRegistrationResponseDto> {
-    const status = await this.realunitService.registerEmail(jwt.account, jwt.address, dto);
+    const status = await this.realunitService.registerEmail(jwt.account, dto);
     return { status };
   }
 

src/subdomains/supporting/realunit/dto/realunit-dto.mapper.ts

@@ -32,11 +32,15 @@ export class RealUnitDtoMapper {
 
     const historicalBalancesFilled = TimeseriesUtils.fillMissingDates(historicalBalances);
 
-    dto.historicalBalances = historicalBalancesFilled.map((hb) => ({
-      balance: hb.balance,
-      timestamp: hb.created,
-      valueChf: Util.round(historicalPricesMap.get(Util.isoDate(hb.created))?.chf * Number(hb.balance), 4),
-    }));
+    dto.historicalBalances = historicalBalancesFilled.map((hb) => {
+      const price = historicalPricesMap.get(Util.isoDate(hb.created));
+      return {
+        balance: hb.balance,
+        timestamp: hb.created,
+        valueChf: Util.round(price?.chf * Number(hb.balance), 4),
+        valueEur: Util.round(price?.eur * Number(hb.balance), 4),
+      };
+    });
 
     return dto;
   }

src/subdomains/supporting/realunit/dto/realunit.dto.ts

@@ -15,6 +15,9 @@ export class HistoricalBalanceDto {
 
   @ApiPropertyOptional({ description: 'Valuation in CHF at this point in time' })
   valueChf?: number;
+
+  @ApiPropertyOptional({ description: 'Valuation in EUR at this point in time' })
+  valueEur?: number;
 }
 
 export class PageInfoDto implements PageInfo {