How the Bridge Works

What is wWJK?

Wrapped Wojakcoin (wWJK) is a 1:1 backed ERC-20 token on supported EVM chains. It lets Wojakcoin (WJK) participate in EVM DeFi, DEXs, and wallets without changing the native Wojakcoin chain.

Current Trust Model

WJK → wWJK (Deposit)

Deposit WJK on the Wojakcoin network and receive wWJK on the EVM chain. After 70 WJK confirmations (~70 min), relayers verify and mint wWJK to your wallet.

1. 1
   Create a deposit intent.Connect your EVM wallet and enter the amount. The frontend generates OP_RETURN metadata containing your EVM address — this routes wWJK to your wallet automatically.
2. 2
   Send WJK to the custody address.Transfer native WJK to the bridge custody address shown in the UI, and attach the OP_RETURN metadata. You can send from any self-custody wallet.
3. 3
   Auto-detect on-chain.After sending, click "I've Sent" in the bridge UI. The frontend scans the Wojakcoin chain directly for your transaction by matching the OP_RETURN metadata to your EVM address — no manual TXID entry needed.
4. 4
   Wait for 70 WJK confirmations (~70 minutes).The relayer waits for 70 block confirmations to prevent double-spend and reorg attacks. Wojakcoin mines approximately 1 block per minute.
5. 5
   Relayers verify and sign.Each relayer watches the custody address on the Wojakcoin chain directly — detection does not depend on this frontend. Each independently checks: OP_RETURN contains a valid EVM address, amount ≥ 2 WJK, TXID not previously processed on the bridge contract. They each sign an EIP-712 Deposit attestation binding chainId + bridge address + recipient + amount + TXID.
6. 6
   wWJK minted on EVM.Once 2 valid signatures are collected, a relayer calls registerDepositClaim()to register the deposit on-chain. You then call claimDeposit() to mintwWJK to your wallet minus the 0.5% fee (user pays EVM gas). The daily mint limit is checked at registration time.

wWJK → WJK (Withdrawal)

Burn your wWJK on the EVM chain and receive native WJK to your Wojakcoin wallet. An elected leader relayer builds the WJK UTXO transaction, registers an on-chain claim for it, and the other relayers independently verify and co-sign before it is broadcast.

1. 1
   Approve and initiate.Approve the bridge contract to spend your wWJK, then call initiateWithdrawal(amount, jkcAddress, maxFeeBps). The maxFeeBps parameter is a slippage guard — the call reverts if the current fee is higher than your specified maximum. Your wWJK is burned (net amount) and the fee is retained by the bridge.
2. 2
   On-chain event emitted.The contract emits WithdrawalInitiated with your WJK destination address and net amount after fee. The fee is fixed at the moment of initiation — it cannot change later even if the owner updates feeBps.
3. 3
   A leader is elected and claims the payout on-chain.One relayer is deterministically elected leader for your withdrawal (rotating every timeout, anchored to the EVM block timestamp so all relayers agree on the schedule). The leader builds the WJK payout transaction, then registers its fingerprint on the PayoutCoordinator contract via claimPayout() — before any signature is shared. The contract rejects a second claim while one is active, so only one payout transaction can ever gather signatures.
4. 4
   Co-signers verify everything independently.Each co-signing relayer re-verifies the proposal against on-chain data only: the WithdrawalInitiated event (destination + amounts), every input UTXO (owned by custody and still unspent), every output (your address, exact net amount, change back to custody), and that the proposal matches the active on-chain claim. Only then does it add its multisig signature.
5. 5
   WJK arrives in your wallet.Once 2-of-3 signatures are collected, the transaction is broadcast to the Wojakcoinnetwork. You receive native WJK minus a small WJKnetwork fee. The payout embeds your withdrawal's EVM transaction hash as an OP_RETURN output — a public, verifiable link between the burn on the EVM chain and the payout on the Wojakcoin chain.
6. 6
   The withdrawal is closed on-chain.Relayers co-sign an EIP-712 WithdrawalConfirmed attestation with the WJKtransaction ID and submit confirmWithdrawal(). The contract marks your withdrawal completed and permanently records the WJK TXID — the same TXID can never close two withdrawals.

Smart Contract Safeguards

The following protections are enforced by the smart contract — they cannot be overridden by the relayers or the owner.

• Replay protection. processedTxids permanently records every completed WJK deposit, and processedJkcTxids records every WJK payout TXID — the same transaction can never mint twice or close two withdrawals. Resubmitting reverts with AlreadyProcessed.
• Payout claim board. A separate PayoutCoordinator contract records which single WJK transaction is being signed for each withdrawal, before any signature exists. Relayers refuse to co-sign anything that does not match the active claim — even a relayer that lost all local state cannot be tricked into signing a competing payout. The coordinator holds no funds and reads its relayer set live from the bridge, so rotating relayers on the bridge applies everywhere at once.
• EIP-712 structured signatures. Each relayer signature commits to the exact chain ID, bridge address, recipient, amount, and WJK TXID using typed data signing. A signature from one chain or contract is useless on another.
• Duplicate signer prevention. A single relayer cannot submit two copies of their own signature to meet the threshold — the contract checks for duplicate signers in each call.
• Daily mint rate limit. A configurable maxDailyMint cap (default 5M wWJK/day) limits how much can be minted per 24-hour window. Even if all 3 relayer keys were compromised, an attacker could only mint up to this limit per day, giving the team time to pause the bridge and respond.
• Reentrancy guard. registerDepositClaim(), claimDeposit(), and refundFailedWithdrawal() use ReentrancyGuard. State is always updated before external token transfers (CEI pattern).
• Pause / emergency stop. The owner can pause all deposits and withdrawals instantly. If paused for more than 7 days with no owner action, anyone can trigger an emergency unpause to prevent the contract being frozen forever.
• Fee cap. The bridge fee cannot exceed 1% (100 bps) — hardcoded in the contract. The owner cannot change this cap.
• Minimum deposit. Transactions below 2 WJK / 2 wWJK are rejected to prevent dust spam.
• Ownership protection. Ownership transfer requires two steps (propose + accept). renounceOwnership() is permanently disabled — the contract cannot be made ownerless accidentally.
• Fee stored at initiation. The withdrawal fee is set at the moment you call initiateWithdrawal(). A later fee change by the owner does not affect pending withdrawals.

Risks & Honest Limitations

• Relayer collusion (Phase 1 risk). All 3 relayer nodes are controlled by the same team. If the team colluded or was coerced, 2 of the 3 keys could mint wWJKbeyond users' deposits. The daily rate limit reduces this to a maximum of maxDailyMint wWJK per day. This risk is addressed in Phase 2 with independent relayer operators.
• WJK custody key compromise. The Wojakcoin UTXO custody address is a 2-of-3 P2SH multisig. If 2 of the 3 private keys are stolen, the WJK in the custody wallet can be drained. Mitigation: keys are stored on separate hardware with no internet connectivity.
• Relayer liveness. If all 3 nodes go offline, new deposits and withdrawals stall. Your funds are never at risk — wWJK in the contract is safe, and you can cancel a pending withdrawal after 7 days. Service resumes when nodes come back online.
• Wojakcoin reorg. The 70-confirmation requirement makes a successful reorg attack on a processed deposit extremely unlikely (~70× harder than a 1-confirmation attack).
• Frontend trust. The frontend is a convenience layer, not a security layer. A compromised or replaced frontend could show a wrong custody address. Always verify the custody address against the official source before sending large amounts.
• Wrong WJK address. Wojakcoin UTXO transactions are irreversible. If you enter an incorrect destination address during withdrawal, the funds cannot be recovered. Triple-check before confirming.
• Supply cap. The bridge cannot mint more than 54,000,000 wWJK total (matching the WJK supply cap). Daily mint rate limits provide additional protection. Withdrawals (wWJK → WJK) burn tokens, reducing circulating supply.

Fees

A 0.5% bridge fee is charged on both deposits and withdrawals. The fee is deducted from the transferred amount — you always receive slightly less than you send. Fees accumulate as wWJK inside the bridge contract and are periodically withdrawn by the owner to fund operations.

The fee is capped at 1% maximum by the contract — the owner cannot set it higher. The current fee is always visible in the bridge UI before you confirm a transaction.

Minimum transaction size: 2 WJK / wWJK. Amounts below this threshold are rejected to prevent spam.

Gas Costs (EVM)

Relayers call registerDepositClaim() to register deposits on-chain (they pay a small amount of EVM gas). Users then call claimDeposit() to mint theirwWJK to their own wallet — users pay their own EVM gas for claiming. The 0.5% bridge fee funds bridge operations; no separate gas tank is used.