The one new contract · 3-model converged design

FeeRouter — Converged Design

The single piece of new on-chain code. Designed, then reviewed by real Grok + Gemini + Codex — all three returned request_changes and converged. v1 folds every fix and cuts three things for leanness.

DESIGN APPROVED (3/3 converged) · BUILD greenlit → sub building (TDD, local) · no on-chain deploy without operator

What it does: sits as the receiver of Shyft's audited attestation-fee module and turns a single-recipient fee into a configurable split — payable in USDT or the Shyft token, routed to treasury / burn / receivers. The audit surfaced a hard constraint that shaped the whole design: the module pays native via .send (2300 gas), so the router must accumulate then distribute, never split on receipt.

01 · Architecture (confirmed by all 3 models)

IN (≤2300 gas) · receive()
Trivial, accumulate-only — survives the module's .send. ERC20 mode lands tokens directly.

SPLIT (pull-safe) · distribute(token)
Floor-split by bps; a failing recipient is cached + skipped, never reverts the batch; dust → treasury.

OUT · treasury · burn · claim()
SafeERC20 + native call; burn = transfer to 0x…dEaD; recipients claim() any deferred amounts.

02 · The convergence — all three said request_changes

Real dispatches, not simulated. Each independently flagged the same blocker (recipient-revert DoS) and the same rug-vector (rescue), and pushed to cut the conversion adapter.

⚡ Grok 4.3
VERDICT: request_changes · ddfa2dd2
"single malicious/failing recipient DoSes the entire split"; rescue can drain fees; dust + burn undefined.

✦ Gemini
VERDICT: request_changes · dee456a7
"critical DoS via native transfer reverts"; conversion adapter "over-engineered… remove"; retroactive-split theft.

◇ Codex
VERDICT: request_changes
rescue can extract pending fees (#1); USDT no-bool is a module-boundary rule; transfer ownership to multisig before wiring.

03 · v1 = every fix folded + three cuts

✂ CUT for leanness (anti-over-engineering)
- In-contract USDT→Shyft conversion — no Stable DEX, slippage/sandwich risk; route via an external treasury/swapper later. (Gemini + Codex + Grok)
- pause() — governance surface with no runbook need in the attestation path. (Codex)
- token-native burn — RMTToken.burn is self-only; burn = transfer to 0x…dEaD. (Grok + Codex)

🔒 HARDENED (required in v1)
- rescue() can't touch fee tokens — reverts for USDT/Shyft; only frees foreign stuck tokens. (all 3)
- Fault-isolated distribute() — failed payout cached to owed[] + claim(); never reverts the batch. (Grok + Gemini, BLOCKER)
- Deterministic dust → treasury in distribute() + event; zero residual. (all 3)
- setSplits() flushes first — no retroactive split theft. (Gemini)
- Ownable2Step + multisig before wiring; events on every economics change. (all 3)
- Module-boundary rule: BASE/native for USDT-gas; ERC20 mode only for Shyft/RMT (the module itself calls transferFrom). (Codex)
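
The accumulate-then-distribute flow from the architecture section and the fault-isolation and dust rules from the hardened list, as an added native-only sketch. This is not the project's FeeRouter code: the contract name, storage layout, events, the fixed-at-deploy split list and the 50,000 gas cap on payouts are assumptions, and the ERC20 path, burn, rescue() and setSplits() are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, native-only. All names are assumptions, not the project's FeeRouter.
contract FeeRouterSketch {
    struct Split { address payable to; uint16 bps; }
    address payable public immutable treasury;
    Split[] public splits;                    // fixed at deploy in this sketch
    mapping(address => uint256) public owed;  // payouts deferred after a failed send
    uint256 public totalOwed;                 // reserved balance, excluded from later splits
    bool private locked;

    event Deferred(address indexed to, uint256 amount);
    event Dust(uint256 amount);

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    constructor(address payable _treasury, Split[] memory _splits) {
        treasury = _treasury;
        uint256 sum;
        for (uint256 i; i < _splits.length; ++i) { splits.push(_splits[i]); sum += _splits[i].bps; }
        require(sum <= 10_000, "bps > 100%");
    }

    // Has to fit the 2300-gas stipend of .send: no storage writes, no events, no calls.
    receive() external payable {}

    function distribute() external nonReentrant {
        uint256 pot = address(this).balance - totalOwed; // only undistributed fees
        uint256 paid;
        for (uint256 i; i < splits.length; ++i) {
            uint256 share = pot * splits[i].bps / 10_000; // floor division
            paid += share;
            _payOrDefer(splits[i].to, share);
        }
        uint256 dust = pot - paid; // rounding remainder plus any unallocated bps
        emit Dust(dust);
        _payOrDefer(treasury, dust); // afterwards balance == totalOwed: zero residual
    }

    function _payOrDefer(address payable to, uint256 amount) private {
        if (amount == 0) return;
        (bool ok, ) = to.call{value: amount, gas: 50_000}(""); // gas cap is an assumed value
        if (!ok) { owed[to] += amount; totalOwed += amount; emit Deferred(to, amount); }
    }

    function claim() external nonReentrant {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; totalOwed -= amount; // effects before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "claim failed");
    }
}
```

The lock is there because a recipient re-entering distribute() mid-loop would split a balance that still contains unpaid shares, after which later payouts fail and totalOwed exceeds what the contract holds.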

04 · Where this sits in the pipeline

PLAN · approved
DESIGN · 3/3
▸ now: BUILD (sub)
next: VALIDATE
then: AUDIT + red-team
last: DEPLOY (operator)

Provenance. FeeRouter design v0 → real cross-model review (Grok grok-4.3 dispatch ddfa2dd2, Gemini dispatch dee456a7, Codex via runtime) → all request_changes, converged → v1. Architecture (accumulate-then-distribute) confirmed sound by all three; the 2300-gas constraint is from the audited TrustAnchorStorage_PaymentModule.processPayment.
Status. DESIGN approved; BUILD greenlit to the sub-builder (TDD, local only — no on-chain deploy without operator faucet). Next: VALIDATE → formal signed AUDIT panel → red-team → operator deploy. No new contracts beyond FeeRouter.