When the relay service goes offline or becomes unresponsive during a gasless redeem, the client has no automatic recovery path. The pending relay task stays in limbo until it ages out, and the user must manually intervene using the emergency GaslessRedeemCalldata RPC - which itself requires someone with ETH to submit the calldata.
Specific concerns
-
No failover: The wallet supports only a single relay URL. If it goes down, gasless redeems fail with no alternative.
-
No automatic retry: checkPendingRelays polls the relay for status, but if the relay is unreachable, the task just stays pending. There's an existing TODO in the code: // TODO: give up? delete pending tx?
-
Nonce gap window: A pending relay task reserves a contract nonce via nextContractNonce. New submissions during the 10-minute signedRedeemDeadline window would use nonce N+1, which fails on-chain if nonce N was never consumed. The nonce ages out, but during that window recovery is blocked.
-
Trade timeout risk: While the relay is down, the swap's lock time continues ticking. If recovery takes too long, the counterparty can refund. Gasless redeems are intended for bootstrapping small balances, so the financial risk is bounded, but the user experience is poor.
-
Emergency fallback is manual: GaslessRedeemCalldata exists as an RPC method to build pre-signed calldata that anyone can submit, but there is no UI integration or automated trigger when the relay is detected as down.
Possible improvements
- Support multiple relay URLs with automatic failover.
- Detect relay failure (e.g. N consecutive health check failures) and surface a user-visible warning.
- Auto-trigger the emergency calldata flow when the relay is unresponsive and the swap lock time is approaching.
- Clear stale nonce reservations earlier when the relay is confirmed down, rather than waiting for the full deadline to expire.
When the relay service goes offline or becomes unresponsive during a gasless redeem, the client has no automatic recovery path. The pending relay task stays in limbo until it ages out, and the user must manually intervene using the emergency
GaslessRedeemCalldataRPC - which itself requires someone with ETH to submit the calldata.Specific concerns
No failover: The wallet supports only a single relay URL. If it goes down, gasless redeems fail with no alternative.
No automatic retry:
checkPendingRelayspolls the relay for status, but if the relay is unreachable, the task just stays pending. There's an existing TODO in the code:// TODO: give up? delete pending tx?Nonce gap window: A pending relay task reserves a contract nonce via
nextContractNonce. New submissions during the 10-minutesignedRedeemDeadlinewindow would use nonce N+1, which fails on-chain if nonce N was never consumed. The nonce ages out, but during that window recovery is blocked.Trade timeout risk: While the relay is down, the swap's lock time continues ticking. If recovery takes too long, the counterparty can refund. Gasless redeems are intended for bootstrapping small balances, so the financial risk is bounded, but the user experience is poor.
Emergency fallback is manual:
GaslessRedeemCalldataexists as an RPC method to build pre-signed calldata that anyone can submit, but there is no UI integration or automated trigger when the relay is detected as down.Possible improvements