feat: Read router fees from on-chain FeeCalculator by dianacarvalho1 · Pull Request #250 · propeller-heads/fynd

dianacarvalho1 · 2026-06-16T10:44:17Z

Fynd now reads router fees from the FeeCalculator contract at startup and refreshes them every 5 minutes via a background fetcher, replacing the previously hardcoded fee values.

Done:

Resolve the FeeCalculator address from the Tycho Router, then read the default router fees, per-client fee overrides, and the fee-unit precision scale (MAX_FEE_BPS).
Apply fees per order by client address, falling back to the default fee when the client has no override. Uses the client fee receiver to identify the client if set, if not it uses the order sender.
Encode using only fetched on-chain values; return an error instead of encoding when fees are not yet loaded.
Add RouterFees/FeeRates types and a SharedRouterFees handle shared between the encoder and the fetcher
- Track the last successful fetch time on RouterFees
Gate Solver::wait_until_ready and GET /v1/health on router fees having been loaded at least once.
Return 503 from /v1/health when the last successful fetch is over an hour old, so a liveness probe restarts the service.

dianacarvalho1 · 2026-06-16T10:46:00Z

+/// This is the calldata convention between Fynd and the router (`clientFeeBps`), independent
+/// of the FeeCalculator's internal precision. The contract scales `clientFeeBps` into its own
+/// fee units by `max_fee_units / LEGACY_BPS_DENOMINATOR`.
+pub const LEGACY_BPS_DENOMINATOR: u64 = 10_000;


note that when we resolve this mismatch between the router and the fee calculator (and do a new router deployment) Fynd won't be able to automatically update, the clients will need to update their Fynd version

Fynd now reads router fees from the FeeCalculator contract at startup and refreshes them every 5 minutes via a background fetcher, replacing the previously hardcoded fee values. Done: - Resolve the FeeCalculator address from the Tycho Router, then read the default router fees, per-client fee overrides, and the fee-unit precision scale (MAX_FEE_BPS). - Apply fees per order by client address, falling back to the default fee when the client has no override. Uses the client fee receiver to identify the client if set, if not it uses the order sender. - Encode using only fetched on-chain values; return an error instead of encoding when fees are not yet loaded. - Add RouterFees/FeeRates types and a SharedRouterFees handle shared between the encoder and the fetcher. Took 1 hour 34 minutes Took 19 seconds Took 11 seconds

github-actions · 2026-06-16T10:52:15Z

No API Breaking Changes Detected

The PR title signals breaking changes, but cargo-semver-checks found none.
If the breaking change is behavioral, CLI, or config-level (not public Rust API), this is expected.
Otherwise, consider using fix: instead of feat: in the PR title.

Troshchk

Thank you @dianacarvalho1! 💫
I left a couple of questions for my understanding

louise-poole

Just some small comments - otherwise looks good! 👍

louise-poole · 2026-06-16T10:56:39Z

+        println!(
+            "mainnet router fees: max_fee_units={}, default_on_output={}, \
+             default_on_client_fee={}, custom_clients={}",
+            fees.max_fee_units(),
+            default_rates.on_output(),
+            default_rates.on_client_fee(),
+            fees.custom_client_count(),
+        );


We don't usually have a println in our tests... couldt hese not just be asserts?

I didn't want to have asserts because the contract fees might actually change for real and then we have a broken test 😕

- Track the last successful fetch time on RouterFees - Gate Solver::wait_until_ready and GET /v1/health on router fees having been loaded at least once. - Return 503 from /v1/health when the last successful fetch is over an hour old, so a liveness probe restarts the service. Took 41 minutes

Troshchk

Thank you!

tamaralipows

Thank you! I've double checked the logic and it all looks perfect. Glad this has also been added to the health check

tamaralipows · 2026-06-16T17:02:40Z

+            for (client, fees) in page.clients.into_iter().zip(page.fees) {
+                // Resolve each field against the defaults here, mirroring
+                // FeeCalculator._getFeeInfo, so the stored pair is the effective rate.
+                let on_output = if fees.hasCustomFeeOnOutput {
+                    fees.feeBpsOnOutput
+                } else {
+                    default_fee_on_output
+                };
+                let on_client_fee = if fees.hasCustomFeeOnClientFee {
+                    fees.feeBpsOnClientFee
+                } else {
+                    default_fee_on_client_fee
+                };
+                custom_fees
+                    .insert(Bytes::from(client.as_slice().to_vec()), (on_output, on_client_fee));
+            }


Took 2 minutes

Add RouterFees::fallback() (0.1 bps on output) and initialise SharedRouterFees with it, so encoding never fails when on-chain fees haven't been fetched yet. Drop the router fee readiness and staleness checks from /v1/health, plus the now-dead ROUTER_FEE_STALE_THRESHOLD and fetch-timestamp tracking. Took 12 minutes

Took 20 seconds

socket-security · 2026-06-17T14:02:00Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/tokio@1.52.1 ⏵ 1.52.3
	cargo/tycho-execution@0.304.2 ⏵ 0.313.0	⁺¹
	cargo/tycho-simulation@0.304.2 ⏵ 0.313.0
	cargo/reqwest@0.13.2 ⏵ 0.13.4	⁺²
	cargo/typetag@0.2.21 ⏵ 0.2.22
	cargo/serde_json@1.0.149 ⏵ 1.0.150
	cargo/serde_with@3.18.0 ⏵ 3.21.0
	cargo/sha2@0.11.0
	cargo/chrono@0.4.44 ⏵ 0.4.45
	cargo/metrics@0.24.3 ⏵ 0.24.6
	cargo/utoipa@5.4.0 ⏵ 5.5.0
	cargo/uuid@1.23.1 ⏵ 1.23.3

View full report

socket-security · 2026-06-17T14:02:02Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: cargo `libc` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `cargo/reqwest@0.12.28` → `cargo/futures@0.3.32` → `cargo/actix-web@4.13.0` → `cargo/tempfile@3.27.0` → `cargo/sha2@0.11.0` → `cargo/alloy@1.8.3` → `cargo/alloy-chains@0.2.34` → `cargo/tokio@1.52.3` → `cargo/metrics@0.24.6` → `cargo/reqwest@0.13.4` → `cargo/chrono@0.4.45` → `cargo/uuid@1.23.3` → `cargo/tycho-simulation@0.313.0` → `cargo/tycho-execution@0.313.0` → `cargo/sha2@0.10.9` → `cargo/sha2@0.9.9` → `cargo/tokio-tungstenite@0.20.1` → `cargo/zstd@0.13.3` → `cargo/num_cpus@1.17.0` → `cargo/dialoguer@0.11.0` → `cargo/opentelemetry@0.27.1` → `cargo/opentelemetry-otlp@0.27.0` → `cargo/tracing-opentelemetry@0.28.0` → `cargo/metrics-exporter-prometheus@0.16.2` → `cargo/wiremock@0.6.5` → `cargo/opentelemetry_sdk@0.27.1` → `cargo/tokio-tungstenite@0.28.0` → `cargo/libc@0.2.186` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/libc@0.2.186`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: cargo `openssl` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `cargo/reqwest@0.12.28` → `cargo/tokio-tungstenite@0.20.1` → `cargo/tokio-tungstenite@0.28.0` → `cargo/openssl@0.10.81` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/openssl@0.10.81`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: cargo `tokio` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: Cargo.lock → `cargo/tokio@1.52.3` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/tokio@1.52.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: cargo `zerocopy` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `cargo/reqwest@0.12.28` → `cargo/alloy@1.8.3` → `cargo/alloy-chains@0.2.34` → `cargo/metrics@0.24.6` → `cargo/reqwest@0.13.4` → `cargo/tycho-simulation@0.313.0` → `cargo/tycho-execution@0.313.0` → `cargo/tokio-tungstenite@0.20.1` → `cargo/opentelemetry-otlp@0.27.0` → `cargo/metrics-exporter-prometheus@0.16.2` → `cargo/opentelemetry_sdk@0.27.1` → `cargo/tokio-tungstenite@0.28.0` → `cargo/zerocopy@0.8.52` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/zerocopy@0.8.52`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dianacarvalho1 self-assigned this Jun 16, 2026

dianacarvalho1 commented Jun 16, 2026

View reviewed changes

dianacarvalho1 force-pushed the fee-taking/dc/ENG-6014-auto-update-fees branch from 56c57d9 to 6e06eda Compare June 16, 2026 10:49

Troshchk reviewed Jun 16, 2026

View reviewed changes

Comment thread fynd-core/src/encoding/encoder.rs

Comment thread fynd-core/src/solver.rs

Comment thread fynd-core/src/encoding/fee_fetcher.rs

louise-poole reviewed Jun 16, 2026

View reviewed changes

Troshchk approved these changes Jun 16, 2026

View reviewed changes

tamaralipows approved these changes Jun 16, 2026

View reviewed changes

louise-poole reviewed Jun 17, 2026

View reviewed changes

Comment thread fynd-rpc/src/api/handlers.rs Outdated

dianacarvalho1 added 3 commits June 17, 2026 13:06

chore: Add fee breakdown to fynd-swap-cli

69b0958

Took 2 minutes

docs: Update the Router fee on output to 0.1 bps

1375449

Took 20 seconds

Conversation

dianacarvalho1 commented Jun 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dianacarvalho1 Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented Jun 16, 2026

No API Breaking Changes Detected

Uh oh!

Troshchk left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

louise-poole left a comment

Choose a reason for hiding this comment

Uh oh!

louise-poole Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

dianacarvalho1 Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Troshchk left a comment

Choose a reason for hiding this comment

Uh oh!

tamaralipows left a comment

Choose a reason for hiding this comment

Uh oh!

tamaralipows Jun 16, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

socket-security Bot commented Jun 17, 2026

Uh oh!

socket-security Bot commented Jun 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

dianacarvalho1 commented Jun 16, 2026 •

edited

Loading