feat: add CreditMessagingRecovery for emergency credit recovery

[clauBv23]

Problem

Credits in Stargate V2 act as a capacity gate — they must be held on a chain before tokens can be redeemed or sent cross-chain. When a chain is deprecated without properly returning its credits to origin chains, those credits become permanently lost. This leaves pools with real token balances but depleted path credits, blocking all user exit paths.

Example: Sei USDT pool holds $27.7k but only $4.2k in usable credits — $23.5k is effectively locked with no way out.

Credits are not a security primitive (they do not custody funds — every actual fund movement requires independent authorization via LP tokens or a valid cross-chain token message). They are a liveness primitive.

Solution

CreditMessagingRecovery extends CreditMessaging with two owner-only admin functions. Both operate locally only — no LayerZero message is ever sent, no cross-chain coordination is required, and no LZ fees are incurred.

mintCredits(CreditBatch[], reason) — increases credits on the current chain by calling ICreditMessagingHandler.receiveCredits(0, credits) directly, bypassing the normal credit validation. Used to restore lost credits on affected chains.

burnCredits(TargetCreditBatch[], reason) — decreases credits on the current chain by calling ICreditMessagingHandler.sendCredits(0, targets) locally, stopping before _lzSend. Uses minAmount = amount (all-or-nothing), reverting if the path has insufficient credits. Used to correct over-minted credits.

Both functions require a non-empty plain-text reason string that is emitted on-chain as a permanent audit trail, as per the team discussion.

Safety

• Credits cannot move funds on their own. Over-injecting local credits beyond pool balance causes failed transactions — the pool physically cannot send what it does not hold. Over-burning locks funds in the pool (same situation as the bug being fixed).
• mintCredits and burnCredits are onlyOwner (multisig), not planner-accessible.
• sendCredits remains planner-accessible and unchanged.
• Treasury fees and recoverToken are unaffected — they operate on poolBalanceSD and treasuryFee, which credits never touch.
• No LZ message means no DVN dependency, no peer configuration needed, and no cross-chain reorg risk.

Changes

• New contract — src/messaging/CreditMessagingRecovery.sol
  Extends CreditMessaging with mintCredits and burnCredits.

• New interface — src/interfaces/ICreditMessagingRecovery.sol
  Exposes the admin functions, the CreditMessagingRecovery_EmptyReason error, and the CreditsMinted / CreditsBurned events.

• Deploy script — deploy/003-deploy-message.ts
  Non-alt chains now deploy CreditMessagingRecovery under the existing CreditMessaging deployment name. Alt chains continue deploying CreditMessagingAlt unchanged.

• Unit tests — test/unitest/messaging/Messaging.CreditRecovery.t.sol
  Extends CreditMessagingTest to prove backward compatibility — all parent tests run against CreditMessagingRecovery. Recovery-specific coverage includes: access control, empty reason revert, unavailable asset revert, local-only operation (no PacketSent event), multiple batches with multiple credits per batch, partial burns (handler returns less than requested), and empty credits arrays.

• Existing credit messaging tests — test/unitest/messaging/Messaging.Credit.t.sol
  Added tests asserting that mintCredits and burnCredits produce an empty revert (function does not exist) on the base CreditMessaging contract.

TBD

• Should we create a similar contract for alt chains? For now CreditMessagingAlt is unchanged — the mesh can be balanced using a single CreditMessagingRecovery deployment.
• There are invariant tests that check that total credits equal pool balance.
  Mint/burn intentionally breaks this invariant — but so did the original bug: disconnecting a chain without returning credits already left the mesh in a state where total credits no longer matched pool balances. We decided against adjusting the invariant tests since these are emergency-only functions and the fuzzer is better spent on the normal credit flow. Gathering team thoughts on this.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4543ff1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Copilot]

Pull request overview

Adds an emergency-only credit recovery mechanism to Stargate V2 EVM messaging by introducing an owner-controlled MintBurnCreditMessaging contract that can mint credits cross-chain without local deduction and burn local credits without sending an LZ message, plus deployment + unit test updates.

Changes:

• Introduces MintBurnCreditMessaging with mintCredits, burnCredits, and quoteMintCredits.
• Adds IMintBurnCreditMessaging interface for the new admin API surface.
• Updates deployment to use MintBurnCreditMessaging (non-ALT) while keeping the deployment name CreditMessaging, and adds/updates unit tests.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
packages/stg-evm-v2/test/unitest/messaging/Messaging.MintBurnCredit.t.sol	New unit tests for mint/burn credit emergency flows and access control.
packages/stg-evm-v2/test/unitest/messaging/Messaging.Credit.t.sol	Adds assertions that base CreditMessaging does not expose mint/burn functions (but encoding needs fixing).
packages/stg-evm-v2/src/messaging/MintBurnCreditMessaging.sol	New contract extending CreditMessaging with owner-only mint/burn credit operations and fee quoting.
packages/stg-evm-v2/src/interfaces/IMintBurnCreditMessaging.sol	New interface for emergency credit management API (parameter locations/events need alignment with intent).
packages/stg-evm-v2/deploy/003-deploy-message.ts	Deploys MintBurnCreditMessaging under the CreditMessaging deployment name for non-ALT networks.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

mintCredits / quoteMintCredits can be called with _batches that contain zero total credits (empty array or batches with empty credits). In that case totalCreditNum becomes 0 and _buildOptions(_dstEid, 0) produces an options payload with a 0 gas value, then mintCredits still calls _lzSend with a no-op message. Consider adding a guard to revert (or no-op without sending) when totalCreditNum == 0, mirroring CreditMessaging.sendCredits which skips _lzSend when there are no credits to send.

[clauBv23]

intentionally omitted. mintCredits and burnCredits are emergency owner-only operations that require careful review by signers and engineers before execution, including a mandatory non-empty reason. The inputs are expected to be validated off-chain before the multisig signs. This check for dummies seems not needed imo

[ravinagill15]

Nice 🚀 let's add a changeset as well

[tinom9]

Unrelated to the code, but have we thought about how the planner/indexer will handle the new event topology?

[clauBv23]

you mean when new credits were created?

I'm not sure we have an indexer here. I think the planner just queries all the information on-chain and gets the real credits in the mesh. Will double check

[tinom9]

I don't know how the new events will affect any backend system that we already have, since CreditsSent and CreditsReceived are emitted.

[clauBv23]

Just confirmed the indexer does not index credits moving

[tinom9]

I'd consider renaming to CreditMessagingRecoverable, CreditMessagingAdjustable, or CreditMessagingMintableBurnable to keep the consistency with Stargate contract names:

1. Suffixes over prefixes. This feels like something we should respect.
2. Use-cases over actions (StargatePoolMigratable instead of StargatePoolBurnable). This is more subjective and I don't have a strong opinion.

We could also consider renaming mintCredits and burnCredits to mintCreditsForRecovery and burnCreditsForRecovery. No strong opinion here either, just sharing my thoughts.

[clauBv23]

I agree, however, I renamed to CreditMessagingMintableBurnable, I agree with "Use-cases over actions" but I don't like CreditMessagingRecoverable or CreditMessagingAdjustable and I cannot find a better name that describes the use case 🤔

[clauBv23]

Renamed to CreditMessagingRecovery it's a credit messaging contract that performs recovery.
658e380

Kept the function names as mintCredits and burnCredits for now, I don't like adding the for recovery, it seems too verbose.

I have been thinking about restoreCredits / trimCredits, first one implies bringing something back to what it should be, and second implies removing excess, both suggest the recovery intent. But not sure if it would make it harder to understand if the credits are increasing or decreasing. wdyt @tinom9 ?

[tinom9]

restoreCredits and trimCredits seem less verbose, what do they really mean? I prefer mint-burn.

[tinom9]

Let's update the PR title?

[clauBv23]

updated PR title and description. Keeping mint burn for now

[tinom9]

I don't love that we're mocking this.

It's a fundamentally important integration of this contract.

That said, this is consistent with the codebase, so I think it's okay to keep this file as is.

Can we have some integration tests though?

[clauBv23]

agree we should add integratio test for this

[clauBv23]

added f6cd53a

[tinom9]

Let's index assetId?

Suggested change

	event CreditsMinted(uint16 assetId, Credit[] credits, string reason);
	event CreditsMinted(uint16 indexed assetId, Credit[] credits, string reason);

Same for CreditsBurned.

[clauBv23]

asset id is removed now, it would be on each CreditBatch item

[tinom9]

What about testing behaviour with both StargatePool and StargateOFT, instead of StargateBase mocks?

[clauBv23]

added 6b56b75

[tinom9]

Contracts look good to me!

[TRileySchwarz]

Only comment I would make is I dont like the name CreditMessagingRecovery, really should be something like CreditMessagingV2 imo.

Further to that, I think to simplify the system and risk of deploying on new chains, that perhaps we deploy this on arbitrum only, and not new chains moving forward. We dont need to know that before sending to audit, and also regarding the contract name, not a huge deal to change mid audit as well. The rest of impl makes sense.

Another thing to note is that currently if the planner has the contract paused, then we cant mint or burn credits. So this creates a bit of an issue if it MUST remain paused during the mint.burn recovery or migration / chain deprecation. However I think this is fine becaause worst case the owner can 1: transfer 'planner' to the owner, 2: unpause 3: mint/burncredits, 4: pause, 5: transfer planner back to the planner. This creates an atomic situation albeit, quite complicated.

[tinom9]

My intuition is that we only want to deploy once.

if so, I don't love CreditMessagingV2 naming, since it implies the next version (V2) of the same thing (credit messaging). I'd stick to use-case.

• StargatePool -> StargatePoolMigratable.
• CreditMessaging -> CreditMessagingRecovery / CreditMessagingRecoverable.

[clauBv23]

I also think this should be deployed on a single chain. @tironiigor’s plan was to deploy the new version from now on, but I agree we could deploy it on one of the main chains and continue using the current one elsewhere.

Regarding the name, I don’t have a strong opinion. I’m not a big fan of CreditMessagingRecovery either, but I don’t have a better suggestion. That said, I agree with @tino that if we go with a single-chain deployment, calling it CreditMessagingV2 could be misleading since we’d deploy V1 to new chains.

On the planner pausing point,good observation. The owner can ultimately take over the role and mint/burn if needed. It’s not ideal, but it’s possible, and everything can be done atomically. So I’d keep it in mind, but I don’t see it as an issue

[TRileySchwarz]

Yeah, fair if only 1 deployment shouldnt be v2, but we can brainstorm a better name. Igor agrees on doing it only one chain, as long as the migration (vs. just a new version on expansion) isnt too chaotic. Looking into that now