BUFX v1 is a venue and request layer. It does not custody Telarana liquidity, execute Circle Gateway, implement a perp engine, or manage Morpho collateral.
In scope:
BuFxTelaranaRequestRouterBuFxVenueRequestRouterBuFxFeeConfigBuFxFeeCollector- SDK encoding, signing, deployment, and indexing helpers
Out of scope for BUFX v1:
- Circle Gateway mint execution
- Telarana hub liquidity routing
- Morpho and MetaMorpho accounting
- Perp margin, funding, PnL, and liquidations
- BUFX owner can configure routes, fee config, submitters, RFQ makers, and perp intent caps.
- Authorized submitters can relay trader-signed or trader-approved requests, but cannot bypass trader signatures for signature flows.
- Telarana Gateway hooks own Gateway attestation, minting, and destination-hub execution.
- Fee collection is separate from Telarana liquidity and user margin.
- Misconfigured route receiver could point BUFX requests at the wrong Telarana hook.
- Authorized submitter compromise could spam valid direct-submit paths, but cannot forge EIP-712 trader signatures.
- RFQ maker allowlist compromise could allow bad quotes into the request stream.
- Perp liquidity requests are only intents; downstream systems must not treat them as settled positions.
- Fee config owner can change market-specific fee parameters within contract caps.
- Route validation rejects zero addresses, zero chain IDs, disabled routes, and same-domain routes.
- Testnet readiness rejects missing or duplicated Arc/Fuji Gateway hook addresses.
- EIP-712 signatures include chain ID, verifying contract, request payload hash, and trader nonce.
- RFQ requests require allowlisted makers, nonzero quote IDs, positive amounts, min output, and quote expiry.
- Perp liquidity intent requires enabled market caps, max notional, max size delta, max deadline buffer, nonzero account, and nonzero margin.
- Fee math keeps referral and treasury allocations explicit and tested with fuzz conservation checks.
- Confirm BUFX never calls Circle Gateway directly.
- Confirm Gateway hook addresses are real Telarana deployments before live deploy.
- Confirm every privileged setter is owner-only.
- Confirm signed request hashes match SDK typed data exactly.
- Confirm request IDs cannot collide under practical deployment assumptions.
- Confirm emitted events contain enough indexed fields for analytics without storing campaign state.
- Confirm fee collection cannot mix BUFX revenue with Telarana liquidity, user margin, or insurance funds.