pezkuwichain/pwap
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pwap.git synced 2026-04-25 02:57:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(p2p): OKX-level security upgrade with Edge Functions

Browse Source 
- Add process-withdraw Edge Function for blockchain withdrawals
- Update verify-deposit Edge Function with @pezkuwi/api
- Add withdrawal limits (daily/monthly) and fee system
- Add hot wallet configuration with production address
- Add admin roles for dispute resolution
- Add COMBINED SQL migration with full P2P system
- Encrypt payment details with AES-256-GCM
- Prevent TX hash reuse with UNIQUE constraint
This commit is contained in:
Kurdistan Tech Ministry
2026-01-29 03:12:02 +03:00
parent 6c922bcf34
commit f23eee2fb9
9 changed files with 3539 additions and 337 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/supabase/functions/process-withdraw/index.ts
+461
View File
@@ -0,0 +1,461 @@
// process-withdraw Edge Function
// Processes withdrawal requests by sending tokens from hot wallet to user wallet
// Uses @pezkuwi/api for blockchain transactions
import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'
import { createClient } from 'npm:@supabase/supabase-js@2'
import { ApiPromise, WsProvider, Keyring } from 'npm:@pezkuwi/api@16.5.11'
import { cryptoWaitReady } from 'npm:@pezkuwi/util-crypto@14.0.11'
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}
// Platform hot wallet address
const PLATFORM_WALLET = '5HN6sFM7TbPQazmfhJP1kU8itw7Tb2A9UML8TwSYRwiN9q5Z'
// RPC endpoint
const RPC_ENDPOINT = 'wss://rpc.pezkuwichain.io'
// Token decimals
const DECIMALS = 12
// PEZ asset ID
const PEZ_ASSET_ID = 1
// Minimum withdrawal amounts
const MIN_WITHDRAW = {
HEZ: 1,
PEZ: 10
}
// Withdrawal fee (in tokens)
const WITHDRAW_FEE = {
HEZ: 0.1,
PEZ: 1
}
interface WithdrawRequest {
requestId?: string // If processing specific request
token?: 'HEZ' | 'PEZ'
amount?: number
walletAddress?: string
}
// Cache API connection
let apiInstance: ApiPromise | null = null
async function getApi(): Promise<ApiPromise> {
if (apiInstance && apiInstance.isConnected) {
return apiInstance
}
const provider = new WsProvider(RPC_ENDPOINT)
apiInstance = await ApiPromise.create({ provider })
return apiInstance
}
// Send tokens from hot wallet
async function sendTokens(
api: ApiPromise,
privateKey: string,
toAddress: string,
token: string,
amount: number
): Promise<{ success: boolean; txHash?: string; error?: string }> {
try {
// Initialize crypto
await cryptoWaitReady()
// Create keyring and add hot wallet
const keyring = new Keyring({ type: 'sr25519' })
const hotWallet = keyring.addFromUri(privateKey)
// Verify hot wallet address matches expected
if (hotWallet.address !== PLATFORM_WALLET) {
return {
success: false,
error: 'CRITICAL: Private key does not match platform wallet address!'
}
}
// Convert amount to chain units
const amountBN = BigInt(Math.floor(amount * Math.pow(10, DECIMALS)))
// Build transaction
let tx
if (token === 'HEZ') {
// Native token transfer
tx = api.tx.balances.transferKeepAlive(toAddress, amountBN)
} else if (token === 'PEZ') {
// Asset transfer
tx = api.tx.assets.transfer(PEZ_ASSET_ID, toAddress, amountBN)
} else {
return { success: false, error: 'Invalid token' }
}
// Sign and send transaction
return new Promise((resolve) => {
let txHash: string
tx.signAndSend(hotWallet, { nonce: -1 }, (result) => {
txHash = result.txHash.toHex()
if (result.status.isInBlock) {
console.log(`TX in block: ${result.status.asInBlock.toHex()}`)
}
if (result.status.isFinalized) {
// Check for errors
const dispatchError = result.dispatchError
if (dispatchError) {
if (dispatchError.isModule) {
const decoded = api.registry.findMetaError(dispatchError.asModule)
resolve({
success: false,
txHash,
error: `${decoded.section}.${decoded.name}: ${decoded.docs.join(' ')}`
})
} else {
resolve({
success: false,
txHash,
error: dispatchError.toString()
})
}
} else {
resolve({
success: true,
txHash
})
}
}
if (result.isError) {
resolve({
success: false,
txHash,
error: 'Transaction failed'
})
}
}).catch((error) => {
resolve({
success: false,
error: error.message
})
})
// Timeout after 60 seconds
setTimeout(() => {
resolve({
success: false,
txHash,
error: 'Transaction timeout - please check explorer for status'
})
}, 60000)
})
} catch (error) {
console.error('Send tokens error:', error)
return {
success: false,
error: error.message
}
}
}
serve(async (req) => {
// Handle CORS preflight
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders })
}
try {
// Get authorization header
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response(
JSON.stringify({ success: false, error: 'Missing authorization header' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Create Supabase clients
const supabaseUrl = Deno.env.get('SUPABASE_URL')!
const supabaseAnonKey = Deno.env.get('SUPABASE_ANON_KEY')!
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
// Get hot wallet private key from secrets
const hotWalletPrivateKey = Deno.env.get('PLATFORM_PRIVATE_KEY')
if (!hotWalletPrivateKey) {
console.error('PLATFORM_PRIVATE_KEY not configured')
return new Response(
JSON.stringify({ success: false, error: 'Withdrawal service not configured' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// User client (to get user ID)
const userClient = createClient(supabaseUrl, supabaseAnonKey, {
global: { headers: { Authorization: authHeader } }
})
// Service role client
const serviceClient = createClient(supabaseUrl, supabaseServiceKey)
// Get current user
const { data: { user }, error: userError } = await userClient.auth.getUser()
if (userError || !user) {
return new Response(
JSON.stringify({ success: false, error: 'Unauthorized' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Parse request body
const body: WithdrawRequest = await req.json()
let { requestId, token, amount, walletAddress } = body
// Mode 1: Process existing request by ID
if (requestId) {
const { data: request, error: reqError } = await serviceClient
.from('p2p_deposit_withdraw_requests')
.select('*')
.eq('id', requestId)
.eq('user_id', user.id)
.eq('request_type', 'withdraw')
.eq('status', 'pending')
.single()
if (reqError || !request) {
return new Response(
JSON.stringify({ success: false, error: 'Withdrawal request not found or already processed' }),
{ status: 404, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
token = request.token as 'HEZ' | 'PEZ'
amount = parseFloat(request.amount)
walletAddress = request.wallet_address
}
// Mode 2: Create new withdrawal request
else {
if (!token || !amount || !walletAddress) {
return new Response(
JSON.stringify({ success: false, error: 'Missing required fields: token, amount, walletAddress' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Validate token
if (!['HEZ', 'PEZ'].includes(token)) {
return new Response(
JSON.stringify({ success: false, error: 'Invalid token. Must be HEZ or PEZ' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Validate amount
if (amount < MIN_WITHDRAW[token]) {
return new Response(
JSON.stringify({
success: false,
error: `Minimum withdrawal is ${MIN_WITHDRAW[token]} ${token}`
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Validate wallet address format (Substrate SS58)
if (!walletAddress.match(/^5[A-HJ-NP-Za-km-z1-9]{47}$/)) {
return new Response(
JSON.stringify({ success: false, error: 'Invalid wallet address format' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Check withdrawal limits first
const { data: limitCheck, error: limitError } = await serviceClient
.rpc('check_withdrawal_limit', {
p_user_id: user.id,
p_amount: amount
})
if (limitError || !limitCheck?.allowed) {
return new Response(
JSON.stringify({
success: false,
error: limitCheck?.error || 'Withdrawal limit check failed',
dailyRemaining: limitCheck?.daily_remaining,
monthlyRemaining: limitCheck?.monthly_remaining
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Create withdrawal request using database function
const { data: requestResult, error: requestError } = await serviceClient
.rpc('request_withdraw', {
p_user_id: user.id,
p_token: token,
p_amount: amount,
p_wallet_address: walletAddress
})
if (requestError || !requestResult?.success) {
return new Response(
JSON.stringify({
success: false,
error: requestResult?.error || requestError?.message || 'Failed to create withdrawal request'
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
requestId = requestResult.request_id
}
// Update request status to processing
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({ status: 'processing' })
.eq('id', requestId)
// Calculate net amount after fee
const fee = WITHDRAW_FEE[token as 'HEZ' | 'PEZ']
const netAmount = amount! - fee
if (netAmount <= 0) {
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({
status: 'failed',
error_message: 'Amount too small after fee deduction'
})
.eq('id', requestId)
return new Response(
JSON.stringify({ success: false, error: 'Amount too small after fee deduction' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
console.log(`Processing withdrawal: ${netAmount} ${token} to ${walletAddress}`)
// Connect to blockchain
const api = await getApi()
// Send tokens
const sendResult = await sendTokens(
api,
hotWalletPrivateKey,
walletAddress!,
token!,
netAmount
)
if (!sendResult.success) {
// Refund the locked balance
await serviceClient.rpc('refund_escrow_internal', {
p_user_id: user.id,
p_token: token,
p_amount: amount,
p_reference_type: 'withdraw_failed',
p_reference_id: requestId
})
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({
status: 'failed',
error_message: sendResult.error,
processed_at: new Date().toISOString()
})
.eq('id', requestId)
return new Response(
JSON.stringify({
success: false,
error: sendResult.error || 'Blockchain transaction failed',
txHash: sendResult.txHash
}),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Success! Complete the withdrawal using database function
const { data: completeResult, error: completeError } = await serviceClient
.rpc('complete_withdraw', {
p_user_id: user.id,
p_token: token,
p_amount: amount,
p_tx_hash: sendResult.txHash,
p_request_id: requestId
})
if (completeError) {
console.error('Failed to complete withdrawal in DB:', completeError)
// TX was sent, but DB update failed - log for manual reconciliation
}
// Update request status
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({
status: 'completed',
blockchain_tx_hash: sendResult.txHash,
fee_amount: fee,
net_amount: netAmount,
processed_at: new Date().toISOString()
})
.eq('id', requestId)
// Record in withdrawal limits
await serviceClient.rpc('record_withdrawal_limit', {
p_user_id: user.id,
p_amount: amount
})
// Log to audit
await serviceClient
.from('p2p_audit_log')
.insert({
user_id: user.id,
action: 'withdraw_completed',
entity_type: 'withdraw_request',
entity_id: requestId,
details: {
token,
amount: amount,
net_amount: netAmount,
fee,
wallet_address: walletAddress,
tx_hash: sendResult.txHash
}
})
console.log(`Withdrawal successful: ${sendResult.txHash}`)
return new Response(
JSON.stringify({
success: true,
txHash: sendResult.txHash,
amount: netAmount,
fee,
token,
walletAddress,
message: 'Withdrawal processed successfully'
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
} catch (error) {
console.error('Edge function error:', error)
return new Response(
JSON.stringify({ success: false, error: 'Internal server error' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
})
web/supabase/functions/verify-deposit/index.ts
+355 -285
View File
@@ -1,338 +1,408 @@
/**
* P2P Deposit Verification Edge Function
*
* This function verifies deposit transactions on the blockchain and credits
* the user's internal P2P balance.
*
* Flow:
* 1. User sends tokens to platform wallet (from frontend)
* 2. User calls this function with tx hash
* 3. Function verifies transaction on-chain:
* - Confirms tx is finalized
* - Confirms correct recipient (platform wallet)
* - Confirms amount matches claimed amount
* - Confirms token type
* 4. Credits user's internal balance
* 5. Creates audit record
*/
// verify-deposit Edge Function
// OKX-level security: Verifies blockchain transactions before crediting balances
// Uses @pezkuwi/api for blockchain verification
// @ts-expect-error - Deno imports
import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
// @ts-expect-error - Deno imports
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
// @ts-expect-error - Pezkuwi imports for Deno
import { ApiPromise, WsProvider } from "https://esm.sh/@pezkuwi/api@14.0.5";
import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'
import { createClient } from 'npm:@supabase/supabase-js@2'
import { ApiPromise, WsProvider } from 'npm:@pezkuwi/api@16.5.11'
// Configuration
const SUPABASE_URL = Deno.env.get("SUPABASE_URL")!;
const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
const PLATFORM_WALLET_ADDRESS = Deno.env.get("PLATFORM_WALLET_ADDRESS") || "5DFwqK698vL4gXHEcanaewnAqhxJ2rjhAogpSTHw3iwGDwd3";
const RPC_ENDPOINT = Deno.env.get("RPC_ENDPOINT") || "wss://rpc.pezkuwichain.io:9944";
// Decimals
const DECIMALS = 12;
// Tolerance for amount verification (0.1%)
const AMOUNT_TOLERANCE = 0.001;
interface VerifyDepositRequest {
txHash: string;
token: "HEZ" | "PEZ";
expectedAmount: number;
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}
/**
* Parse block events to find transfer details
*/
function findTransferInEvents(
api: ApiPromise,
events: Array<{ event: { section: string; method: string; data: unknown[] } }>,
token: string
): { from: string; to: string; amount: bigint } | null {
for (const { event } of events) {
// Native HEZ transfer
if (token === "HEZ" && event.section === "balances" && event.method === "Transfer") {
const [from, to, amount] = event.data as [
{ toString: () => string },
{ toString: () => string },
{ toBigInt: () => bigint }
];
return {
from: from.toString(),
to: to.toString(),
amount: amount.toBigInt(),
};
}
// Platform hot wallet address (PRODUCTION)
const PLATFORM_WALLET = '5HN6sFM7TbPQazmfhJP1kU8itw7Tb2A9UML8TwSYRwiN9q5Z'
// Asset transfer (PEZ)
if (token === "PEZ" && event.section === "assets" && event.method === "Transferred") {
const [, from, to, amount] = event.data as [
unknown,
{ toString: () => string },
{ toString: () => string },
{ toBigInt: () => bigint }
];
return {
from: from.toString(),
to: to.toString(),
amount: amount.toBigInt(),
};
}
// RPC endpoint for PezkuwiChain
const RPC_ENDPOINT = 'wss://rpc.pezkuwichain.io'
// Token decimals
const DECIMALS = 12
// PEZ asset ID
const PEZ_ASSET_ID = 1
interface DepositRequest {
txHash: string
token: 'HEZ' | 'PEZ'
expectedAmount: number
}
// Cache API connection
let apiInstance: ApiPromise | null = null
async function getApi(): Promise<ApiPromise> {
if (apiInstance && apiInstance.isConnected) {
return apiInstance
}
return null;
const provider = new WsProvider(RPC_ENDPOINT)
apiInstance = await ApiPromise.create({ provider })
return apiInstance
}
serve(async (req: Request) => {
// CORS headers
const headers = {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
"Content-Type": "application/json",
};
// Verify transaction on blockchain using @pezkuwi/api
async function verifyTransactionOnChain(
txHash: string,
token: string,
expectedAmount: number
): Promise<{ valid: boolean; actualAmount?: number; from?: string; error?: string }> {
try {
// Validate transaction hash format (0x + 64 hex chars)
if (!txHash.match(/^0x[a-fA-F0-9]{64}$/)) {
return { valid: false, error: 'Invalid transaction hash format' }
}
const api = await getApi()
// Get block hash from extrinsic hash
// In Substrate, we need to find which block contains this extrinsic
// Method 1: Query recent blocks to find the extrinsic
const latestHeader = await api.rpc.chain.getHeader()
const latestBlockNumber = latestHeader.number.toNumber()
// Search last 100 blocks for the transaction
const searchDepth = 100
let foundBlock = null
let foundExtrinsicIndex = -1
for (let i = 0; i < searchDepth; i++) {
const blockNumber = latestBlockNumber - i
if (blockNumber < 0) break
const blockHash = await api.rpc.chain.getBlockHash(blockNumber)
const signedBlock = await api.rpc.chain.getBlock(blockHash)
// Check each extrinsic in the block
for (let j = 0; j < signedBlock.block.extrinsics.length; j++) {
const ext = signedBlock.block.extrinsics[j]
const extHash = ext.hash.toHex()
if (extHash === txHash) {
foundBlock = { hash: blockHash, number: blockNumber, block: signedBlock }
foundExtrinsicIndex = j
break
}
}
if (foundBlock) break
}
if (!foundBlock) {
return {
valid: false,
error: 'Transaction not found in recent blocks. It may be too old or not yet finalized.'
}
}
// Get events for this block
const apiAt = await api.at(foundBlock.hash)
const events = await apiAt.query.system.events()
// Find transfer events for our extrinsic
const extrinsicEvents = events.filter((event) => {
const { phase } = event
return phase.isApplyExtrinsic && phase.asApplyExtrinsic.toNumber() === foundExtrinsicIndex
})
// Check for success
const successEvent = extrinsicEvents.find((event) =>
api.events.system.ExtrinsicSuccess.is(event.event)
)
if (!successEvent) {
const failedEvent = extrinsicEvents.find((event) =>
api.events.system.ExtrinsicFailed.is(event.event)
)
if (failedEvent) {
return { valid: false, error: 'Transaction failed on-chain' }
}
return { valid: false, error: 'Transaction status unknown' }
}
// Find transfer event
let transferEvent = null
let from = ''
let to = ''
let amount = BigInt(0)
if (token === 'HEZ') {
// Native token transfer (balances.Transfer)
transferEvent = extrinsicEvents.find((event) =>
api.events.balances.Transfer.is(event.event)
)
if (transferEvent) {
const [fromAddr, toAddr, value] = transferEvent.event.data
from = fromAddr.toString()
to = toAddr.toString()
amount = BigInt(value.toString())
}
} else if (token === 'PEZ') {
// Asset transfer (assets.Transferred)
transferEvent = extrinsicEvents.find((event) =>
api.events.assets.Transferred.is(event.event)
)
if (transferEvent) {
const [assetId, fromAddr, toAddr, value] = transferEvent.event.data
// Verify it's the correct asset
if (assetId.toNumber() !== PEZ_ASSET_ID) {
return { valid: false, error: 'Wrong asset transferred' }
}
from = fromAddr.toString()
to = toAddr.toString()
amount = BigInt(value.toString())
}
}
if (!transferEvent) {
return { valid: false, error: 'No transfer event found in transaction' }
}
// Verify recipient is platform wallet
if (to !== PLATFORM_WALLET) {
return {
valid: false,
error: `Transaction recipient (${to}) does not match platform wallet`
}
}
// Convert amount to human readable
const actualAmount = Number(amount) / Math.pow(10, DECIMALS)
// Verify amount matches (allow 0.1% tolerance)
const tolerance = expectedAmount * 0.001
if (Math.abs(actualAmount - expectedAmount) > tolerance) {
return {
valid: false,
error: `Amount mismatch. Expected: ${expectedAmount}, Actual: ${actualAmount}`,
actualAmount
}
}
// Check if block is finalized
const finalizedHash = await api.rpc.chain.getFinalizedHead()
const finalizedHeader = await api.rpc.chain.getHeader(finalizedHash)
const finalizedNumber = finalizedHeader.number.toNumber()
if (foundBlock.number > finalizedNumber) {
return {
valid: false,
error: 'Transaction not yet finalized. Please wait a few more blocks.'
}
}
return {
valid: true,
actualAmount,
from
}
} catch (error) {
console.error('Blockchain verification error:', error)
return {
valid: false,
error: `Verification failed: ${error.message}`
}
}
}
serve(async (req) => {
// Handle CORS preflight
if (req.method === "OPTIONS") {
return new Response("ok", { headers });
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders })
}
try {
// Get user from JWT
const authHeader = req.headers.get("Authorization");
// Get authorization header
const authHeader = req.headers.get('Authorization')
if (!authHeader) {
return new Response(
JSON.stringify({ error: "Unauthorized" }),
{ status: 401, headers }
);
JSON.stringify({ success: false, error: 'Missing authorization header' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Initialize Supabase client with user's JWT
const supabaseAnon = createClient(
SUPABASE_URL,
Deno.env.get("SUPABASE_ANON_KEY")!,
{
global: {
headers: { Authorization: authHeader },
},
}
);
// Create Supabase clients
const supabaseUrl = Deno.env.get('SUPABASE_URL')!
const supabaseAnonKey = Deno.env.get('SUPABASE_ANON_KEY')!
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
// User client (to get user ID)
const userClient = createClient(supabaseUrl, supabaseAnonKey, {
global: { headers: { Authorization: authHeader } }
})
// Service role client (to process deposit)
const serviceClient = createClient(supabaseUrl, supabaseServiceKey)
// Get current user
const { data: { user }, error: userError } = await supabaseAnon.auth.getUser();
const { data: { user }, error: userError } = await userClient.auth.getUser()
if (userError || !user) {
return new Response(
JSON.stringify({ error: "Authentication failed" }),
{ status: 401, headers }
);
JSON.stringify({ success: false, error: 'Unauthorized' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Parse request body
const { txHash, token, expectedAmount }: VerifyDepositRequest = await req.json();
const body: DepositRequest = await req.json()
const { txHash, token, expectedAmount } = body
// Validate input
if (!txHash || !token || !expectedAmount) {
return new Response(
JSON.stringify({ error: "Missing required fields: txHash, token, expectedAmount" }),
{ status: 400, headers }
);
JSON.stringify({ success: false, error: 'Missing required fields: txHash, token, expectedAmount' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
if (!["HEZ", "PEZ"].includes(token)) {
if (!['HEZ', 'PEZ'].includes(token)) {
return new Response(
JSON.stringify({ error: "Invalid token type" }),
{ status: 400, headers }
);
JSON.stringify({ success: false, error: 'Invalid token. Must be HEZ or PEZ' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
if (expectedAmount <= 0) {
return new Response(
JSON.stringify({ error: "Invalid amount" }),
{ status: 400, headers }
);
JSON.stringify({ success: false, error: 'Amount must be greater than 0' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Initialize service role client for database operations
const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
// Check if TX hash already processed
const { data: existingRequest } = await serviceClient
.from('p2p_deposit_withdraw_requests')
.select('id, status')
.eq('blockchain_tx_hash', txHash)
.single()
// Check if this tx hash has already been processed
const { data: existingDeposit } = await supabase
.from("p2p_deposit_withdraw_requests")
.select("id")
.eq("blockchain_tx_hash", txHash)
.single();
if (existingRequest) {
if (existingRequest.status === 'completed') {
return new Response(
JSON.stringify({
success: false,
error: 'This transaction has already been processed',
existingRequestId: existingRequest.id
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
}
if (existingDeposit) {
// Create or update deposit request (processing status)
const { data: depositRequest, error: requestError } = await serviceClient
.from('p2p_deposit_withdraw_requests')
.upsert({
user_id: user.id,
request_type: 'deposit',
token,
amount: expectedAmount,
wallet_address: PLATFORM_WALLET,
blockchain_tx_hash: txHash,
status: 'processing'
}, {
onConflict: 'blockchain_tx_hash'
})
.select()
.single()
if (requestError) {
console.error('Failed to create deposit request:', requestError)
return new Response(
JSON.stringify({ error: "This transaction has already been processed" }),
{ status: 400, headers }
);
JSON.stringify({ success: false, error: 'Failed to create deposit request' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
console.log(`Verifying deposit: ${txHash} for ${expectedAmount} ${token}`);
// Verify transaction on blockchain
console.log(`Verifying deposit: TX=${txHash}, Token=${token}, Amount=${expectedAmount}`)
const verification = await verifyTransactionOnChain(txHash, token, expectedAmount)
// Connect to blockchain
const provider = new WsProvider(RPC_ENDPOINT);
const api = await ApiPromise.create({ provider });
await api.isReady;
try {
// Get block hash from transaction hash
// Note: In Substrate, we need to search for the extrinsic
// This is a simplified version - production should use indexer
const extrinsicHash = txHash;
// Try to get the extrinsic status
// In production, you'd use a block explorer API or indexer
// For now, we'll search recent blocks
const currentBlock = await api.rpc.chain.getBlock();
const currentBlockNumber = currentBlock.block.header.number.toNumber();
let foundTransfer = null;
let blockHash = null;
// Search last 100 blocks for the transaction
for (let i = 0; i < 100; i++) {
const blockNumber = currentBlockNumber - i;
if (blockNumber < 0) break;
const hash = await api.rpc.chain.getBlockHash(blockNumber);
const signedBlock = await api.rpc.chain.getBlock(hash);
const allRecords = await api.query.system.events.at(hash);
// Check each extrinsic in the block
signedBlock.block.extrinsics.forEach((extrinsic, index) => {
if (extrinsic.hash.toHex() === extrinsicHash) {
// Found the transaction! Get its events
const events = (allRecords as unknown as Array<{ phase: { isApplyExtrinsic: boolean; asApplyExtrinsic: { eq: (n: number) => boolean } }; event: { section: string; method: string; data: unknown[] } }>)
.filter(({ phase }) => phase.isApplyExtrinsic && phase.asApplyExtrinsic.eq(index))
.map(({ event }) => ({ event: { section: event.section, method: event.method, data: event.data as unknown[] } }));
// Check if transaction was successful
const success = events.some(
({ event }) =>
event.section === "system" && event.method === "ExtrinsicSuccess"
);
if (success) {
foundTransfer = findTransferInEvents(api, events, token);
blockHash = hash.toHex();
}
}
});
if (foundTransfer) break;
}
if (!foundTransfer) {
await api.disconnect();
return new Response(
JSON.stringify({
error: "Transaction not found or not finalized. Please wait a few minutes and try again.",
}),
{ status: 400, headers }
);
}
// Verify the transfer details
const { to, amount } = foundTransfer;
// Check recipient is platform wallet
if (to !== PLATFORM_WALLET_ADDRESS) {
await api.disconnect();
return new Response(
JSON.stringify({
error: "Transaction recipient is not the platform wallet",
}),
{ status: 400, headers }
);
}
// Convert amount to human-readable
const actualAmount = Number(amount) / Math.pow(10, DECIMALS);
// Check amount matches (with tolerance for rounding)
const amountDiff = Math.abs(actualAmount - expectedAmount) / expectedAmount;
if (amountDiff > AMOUNT_TOLERANCE) {
await api.disconnect();
return new Response(
JSON.stringify({
error: `Amount mismatch. Expected ${expectedAmount}, found ${actualAmount}`,
}),
{ status: 400, headers }
);
}
await api.disconnect();
// All checks passed! Credit the user's internal balance
// Create deposit request record
const { data: depositRequest, error: insertError } = await supabase
.from("p2p_deposit_withdraw_requests")
.insert({
user_id: user.id,
request_type: "deposit",
token,
amount: actualAmount,
wallet_address: foundTransfer.from,
blockchain_tx_hash: txHash,
status: "completed",
processed_at: new Date().toISOString(),
if (!verification.valid) {
// Update request status to failed
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({
status: 'failed',
error_message: verification.error,
processed_at: new Date().toISOString()
})
.select()
.single();
if (insertError) {
throw new Error(`Failed to create deposit record: ${insertError.message}`);
}
// Credit internal balance using the process_deposit function
const { data: balanceResult, error: balanceError } = await supabase.rpc(
"process_deposit",
{
p_user_id: user.id,
p_token: token,
p_amount: actualAmount,
p_tx_hash: txHash,
}
);
if (balanceError) {
throw new Error(`Failed to credit balance: ${balanceError.message}`);
}
// Parse result
const result = typeof balanceResult === "string" ? JSON.parse(balanceResult) : balanceResult;
if (!result.success) {
throw new Error(result.error || "Failed to credit balance");
}
console.log(`Successfully verified deposit ${txHash}: ${actualAmount} ${token}`);
.eq('id', depositRequest.id)
return new Response(
JSON.stringify({
success: true,
message: `Successfully deposited ${actualAmount} ${token}`,
depositId: depositRequest.id,
amount: actualAmount,
token,
txHash,
blockHash,
success: false,
error: verification.error || 'Transaction verification failed'
}),
{ headers }
);
} catch (error) {
await api.disconnect();
throw error;
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
} catch (error: unknown) {
const errorMessage = error instanceof Error ? error.message : "Unknown error";
console.error("Error verifying deposit:", errorMessage);
// Transaction verified! Process deposit using service role
const { data: processResult, error: processError } = await serviceClient
.rpc('process_deposit', {
p_user_id: user.id,
p_token: token,
p_amount: verification.actualAmount || expectedAmount,
p_tx_hash: txHash,
p_request_id: depositRequest.id
})
if (processError) {
console.error('Failed to process deposit:', processError)
await serviceClient
.from('p2p_deposit_withdraw_requests')
.update({
status: 'failed',
error_message: processError.message,
processed_at: new Date().toISOString()
})
.eq('id', depositRequest.id)
return new Response(
JSON.stringify({ success: false, error: 'Failed to process deposit' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
if (!processResult?.success) {
return new Response(
JSON.stringify({
success: false,
error: processResult?.error || 'Deposit processing failed'
}),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
// Success!
console.log(`Deposit successful: User=${user.id}, Amount=${verification.actualAmount || expectedAmount} ${token}`)
return new Response(
JSON.stringify({ error: errorMessage }),
{ status: 500, headers }
);
JSON.stringify({
success: true,
amount: verification.actualAmount || expectedAmount,
token,
newBalance: processResult.new_balance,
txHash,
message: 'Deposit verified and credited successfully'
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
} catch (error) {
console.error('Edge function error:', error)
return new Response(
JSON.stringify({ success: false, error: 'Internal server error' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
)
}
});
})