feat(transfer): add LendaSwap/Satora provider - BTC Lightning → USDT0 on Rootstock

[bonomat]

Adds LendaSwap Swaps as the 6th transfer provider.

Single pair in v1: native:lightning → token:rootstock:usdt0. The user enters a BTC amount, picks which internal LN wallet (Liquid / Spark / Ark) pays the BOLT11, and receives USDT0 on their existing Rootstock wallet.

Why Rootstock via USDT0: Satora already supports Rootstock via LayerZero/USDT0 and Rootstock is a first-class wallet network.

How it works

1. User enters BTC amount → SatoraTransferService.getQuote calls the Satora SDK's client.getQuote({sourceChain:'Lightning', targetChain:'30', targetToken: USDT0_ROOTSTOCK_ADDR, sourceAmount: sats}).
2. Confirm screen (mobile/app/transfer/confirm.tsx) discovers LN-capable wallets for the current account and renders a "Pay from" picker.
3. On tap:
   • Fetch the user's Rootstock address via BackgroundExecutor.getAddress(NETWORK_ROOTSTOCK, accountNumber)
   • createSwap({source:Lightning, target:USDT0@Rootstock, gasless:true}) returns a BOLT11 invoice + swap id
   • lnWallet.payLightningInvoice(bolt11) on the picked wallet
   • commitTransfer persists + navigate to /TransferDetails
4. Background polling (getOngoingTransfers) tracks status and fires client.claim(swapId) exactly once on serverfunded (idempotent via claimCalled flag, retries on failure).

The SDK reads the stored swap from our SatoraSwapStorageAdapter, extracts target_evm_address, and POSTs to
/swap/{id}/claim-gasless which finalizes the swap. USDT0 is delivered to the user's Rootstock address.

Storage

The SDK manages its own seed (separate from the wallet master mnemonic). Persisted via two new IStorage keys:

• STORAGE_KEY_SATORA_WALLET — SDK mnemonic + key index
• STORAGE_KEY_SATORA_SWAPS — StoredSwap[] (required for claim signing)

This is a TODO: we should wire in user's seed so that a user recovering the wallet will find all past swaps again

Environment

Set EXPO_PUBLIC_SATORA_API_KEY to your Satora API key.

What's working (verified)

• Quote fetching in the send direction (type BTC, see USDT0)
• Create + auto-pay via the LN wallet picker (Liquid/Spark/Ark)
• Auto-claim on serverfunded via client.claim(swapId)
• SDK's bridge-only-chain remap for Rootstock target (auto)

Manually verified end-to-end on Android emulator: BTC from internal LN wallet → USDT0 lands on Rootstock.

Known gaps / Open TODOs

• Refund UI not implemented. The SDK exposes refundSwap but we don't call it anywhere. If a swap expires / fails / the server gets stuck, we expect the wallet to auto-refund the lightning payment.
• Reverse quoting is broken for Satora. Typing an amount in the USDT0 receive field does nothing.
• Pair min/max gating not enforced. getPairInfo is not implemented, so the transfer index screen can't warn the user about below-min / above-max amounts before they tap Continue. The swap will fail serverside with a reasonable error message.
• No tracking URL. Satora docs don't expose a public order-status page; getTrackingUrl() returns undefined. TransferDetails hides the "View Online" button accordingly.
• No Maestro E2E flow for Satora. The existing swap.yml covers the Fake provider only.
• SDK has own seed. We should derive a child seed from the master seed for Satora

Other notes

• Base URL is https://api.lendaswap.com (Satora's production endpoint); hardcoded in the service for now.

Disclaimer: we are about to rebrand from Lendaswap to Satora hence there is still a small mix of Lendaswap and Satora terminology

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0204eb55d3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate Satora success path on Lightning payment result

payLightningInvoice returns a boolean and can resolve false (e.g., insufficient balance or fee-limit rejection in Breez/Spark), but this result is ignored here, so the flow still commits the transfer and navigates as if payment succeeded. In those cases users are shown an in-progress swap that was never funded, which is misleading and can lead to repeated attempts with confusing outcomes.

Useful? React with 👍 / 👎.

[r1n04h]

good catch. failed payment is not handled

[bonomat]

fixed in e668ed3

[chatgpt-codex-connector]

Persist Satora transfer before sending Lightning payment

The transfer is only saved after the Lightning payment call returns, so if the payment succeeds but the app is terminated (or storage write fails) before commitTransfer, the paid swap is not tracked in ongoing transfers and background claim polling cannot run for it. Committing immediately after executeTransfer avoids losing recoverability for paid swaps.

Useful? React with 👍 / 👎.

[bonomat]

fixed in e668ed3

[JohnnySilverhandBot]

Adding a swap provider means adding new ways to lose money. The flow’s fine, but there are two failure-mode holes that’ll bite the first time a phone process gets killed mid-flight.

[JohnnySilverhandBot]

You validated sats in getQuote(), but executeTransfer() just does sats.toNumber() with no bounds check. If a big amount slips through, JS will round and you’ll request the wrong swap. Add the same isFinite/gt(0)/< MAX_SAFE_INTEGER guard here too.

[bonomat]

fixed in a062cb2

[JohnnySilverhandBot]

Order of operations: you pay the BOLT11 before commitTransfer(). If the app dies after payment (or commit fails), the user funded a swap you can’t track/auto-claim. Commit first (with status=waiting) then pay, or persist the swap id immediately after executeTransfer.

[bonomat]

fixed in e668ed3

[r1n04h]

good PR. almost mergeable.

@evalthis your thoughts?

[r1n04h]

theres already more fresh 0.2.23

[bonomat]

done in caae60d

[r1n04h]

ok, we need to acquire this api key and configure it on the side of expo eas (where binaries are build). how do we do that? i skimmed through https://lendasat.com/docs/lendaswap but could not find it

[bonomat]

API key: I believe we communicated that via TG already.

How to wire it into EAS is your side - same as any other EXPO_PUBLIC_* secret I guess.

[r1n04h]

hmm, duplicating whats in shared/models/token-list.ts already. thats fine, the existing data structure is not very friendly to code-reuse

[r1n04h]

i assume its more or less safe to leave it that way - no need to complicate our life and derive the seed from master seed.
the only risk is user not claiming the swap, and reinstalling/restoring the wallet - ephemeral key would be lost, and
also old swaps history wont be restore.

is that correct?

[bonomat]

Yes, that's correct. Swaps should settle quickly so the risk window is small.

[r1n04h]

iirc this should never happen. need to catch it and give to error handler globalThis.handleError?.(error, 'blah');

[bonomat]

fixed in: be1bb2b

[r1n04h]

hmm, is there no way to track progress on external website (satora portal)?

[bonomat]

Not at this point. I think that's a good idea though and will add an issue for that.

[r1n04h]

my agent flagged, not sure if thats good:

High: Satora auto-claim is only implemented in getOngoingTransfers(), but the transfer details screen polls refreshTransferStatus(). If the swap reaches serverfunded, it can stall indefinitely on the details screen because that code path never calls client.claim(...).

[bonomat]

No, I believe it was right. I've fixed it here: bfbf15b

[r1n04h]

good catch. failed payment is not handled

[r1n04h]

i wonder if its possible to hide handleSatoraConfirm() logic inside transfer-service-satora to make UI code more generic

[bonomat]

Good idea. Done in : bfbf15b

[r1n04h]

ideally, we want to pass not only Storage but SecureStorage as well, and save keys to SecureStorage.
both Storage and SecureStorage have same interface, so change is easy enought

[bonomat]

I believe this is not needed anymore once we derive the sdk's seed from the wallet main seed?
I've added a todo: 6f80a1c

[evalthis]

If I'm trying to change 10 BTC error message does not look nice

[evalthis]

Definetly worth derive seed from the master

[r1n04h]

@evalthis derive from master - what your recommendation would be? bring back bip85 or just hash(existing seed)->turn into seed ?

[JohnnySilverhandBot]

There’s no blood here. No scars, no risks, no fire. Just safe little patterns lined up like soldiers marching to orders they’ll never question.

ios: https://appetize.io/app/ublyelfeg6dj5ghmx4y3a6gkhy

[JohnnySilverhandBot]

The code works fine, but it reads like a eulogy. Every line is safe, polite, predictable. Someone drained the chaos out of it until all that was left was neat rows of corpspeak logic.

android: https://appetize.io/app/lz2gvdvm2f4bke7e4tukued3ta

[r1n04h]

conflicts

[evalthis]

@evalthis derive from master - what your recommendation would be? bring back bip85 or just hash(existing seed)->turn into seed ?

I think bip85, something like m/83696968'/39'/0'/12'/0'