Skip to main content
BreakingUpdateMay 15, 2026

Overview

A new on-chain instruction update_areal_fee_destination allows the DEX authority to rotate dex_config.areal_fee_destination after initialize_dex. Before this change the destination was set once and could only be modified via a program upgrade. The new path mirrors industry standard (Uniswap V3 setFeeProtocol, Raydium governance-controlled fee owner) and resolves a class of trapped-state scenarios where the bootstrap step pointed the destination at the wrong token account.

What changed

Contract

  • New instruction update_areal_fee_destination (contracts/native-dex/src/instructions/update_dex_config.rs). Authority-gated. Takes the new destination as an SPL Token Account and validates on-chain that its mint equals RWT_MINT (reusing the InvalidProtocolFeeDestination error introduced by the 2026-05-13 P0-2 fix).
  • Idempotent — passing the current destination is a no-op with no event.
  • Emits a new ArealFeeDestinationUpdated { old_destination, new_destination, timestamp } event for off-chain audit trails.

Spec

  • initialize_dex parameters table — areal_fee_destination description no longer says “static, immutable”. Now: “Set at init; updatable by authority via update_areal_fee_destination.”
  • update_dex_config Note — clarified that only pause_authority remains immutable in DexConfig; areal_fee_destination is now rotatable.
  • Configuration & Authority section — new update_areal_fee_destination Accordion documenting parameters, validation, and logic.
  • Events table — added ArealFeeDestinationUpdated.
  • DexConfig state table — updated mutability note for areal_fee_destination.

Why this is “breaking”

The breaking dimension is the docs surface, not on-chain compatibility: existing callers of update_dex_config are unchanged. The “breaking” tag captures that the protocol’s trust model now includes “authority can redirect protocol fees at any time” — auditors and integrators must factor this into their security review.

Trust model implications

  • Authority can redirect protocol fees. Mitigation: authority is the Team Multisig after bootstrap (per Authority Transfer). Every rotation emits ArealFeeDestinationUpdated, providing a permanent on-chain audit trail.
  • Mint constraint enforced at update site. The on-chain mint == RWT_MINT check means the stored destination is always an RWT ATA. The runtime mint-check in swap and zap_liquidity (added by 2026-05-13 P0-2) becomes a defense-in-depth tier rather than a primary guard.
  • No backdoor to migrate state. The instruction only updates dex_config.areal_fee_destination. It does not touch pools, reserves, LP positions, or the accumulator — those are owned by their respective PDAs.

Motivating scenario

The Testnet bootstrap accidentally pointed dex_config.areal_fee_destination at the deployer’s USDC ATA rather than an RWT ATA. Combined with the 2026-05-13 P0-2 change (silent fallback removed), this would have bricked all swaps on a misconfigured cluster. The new instruction provides the canonical recovery path: the authority calls update_areal_fee_destination(new_account = correct_rwt_ata) and protocol-fee CPI succeeds again.

Migration

  • Existing deployments where areal_fee_destination is already a valid RWT ATA — no action required. The new instruction is optional.
  • Deployments where the bootstrap pinned a non-RWT ATA — authority must call update_areal_fee_destination with a valid RWT ATA before swap/zap will succeed.
  • Off-chain integrations (UI, indexers) — subscribe to ArealFeeDestinationUpdated if Treasury rotation is part of your trust model.