fix: remove redundant to/memo from DecryptionData

The `to` and `memo` fields in `DecryptionData` were redundant: the
on-chain `ZoneInbox` already decrypts the ciphertext via AES-256-GCM
and can derive these values directly from the plaintext. Remove them
from the struct and use the decrypted values on-chain instead of
comparing against sequencer-supplied duplicates.

Saves 52 bytes of calldata per encrypted deposit (20-byte address +
32-byte memo).

Closes #357

Made-with: Cursor

Author: dankrad

crates/primitives/src/abi.rs

@@ -378,12 +378,11 @@ macro_rules! define_abi {
             }
 
             /// Decryption data provided by the sequencer for encrypted deposits.
+            /// The decrypted (to, memo) are derived on-chain from the AES-GCM decryption.
             #[derive(Debug)]
             struct DecryptionData {
                 bytes32 sharedSecret;
                 uint8 sharedSecretYParity;
-                address to;
-                bytes32 memo;
                 ChaumPedersenProof cpProof;
             }
 

crates/tempo-zone/src/builder.rs

@@ -690,8 +690,6 @@ mod tests {
             decryptions: vec![abi::DecryptionData {
                 sharedSecret: B256::ZERO,
                 sharedSecretYParity: 0x02,
-                to: sender,
-                memo: B256::ZERO,
                 cpProof: abi::ChaumPedersenProof {
                     s: B256::ZERO,
                     c: B256::ZERO,

crates/tempo-zone/src/l1.rs

@@ -1124,7 +1124,7 @@ impl L1BlockDeposits {
         self,
         sequencer_key: &k256::SecretKey,
         portal_address: Address,
-        policy_provider: &crate::l1_state::PolicyProvider,
+        _policy_provider: &crate::l1_state::PolicyProvider,
     ) -> eyre::Result<PreparedL1Block> {
         use crate::precompiles::ecies;
 
@@ -1190,46 +1190,15 @@ impl L1BlockDeposits {
                             recipient = %dec.to,
                             token = %d.token,
                             amount = %d.amount,
-                            "Decrypted encrypted deposit, checking policy"
+                            "Decrypted encrypted deposit"
                         );
 
-                        // Check TIP-403 policy via the provider (cache-first, RPC fallback).
-                        // Errors are propagated so the engine retries rather than allowing
-                        // unauthorized deposits through.
-                        let authorized = policy_provider
-                            .is_authorized_async(
-                                d.token,
-                                dec.to,
-                                l1_block_number,
-                                crate::l1_state::AuthRole::MintRecipient,
-                            )
-                            .await?;
-
-                        let recipient = if authorized {
-                            debug!(
-                                target: "zone::engine",
-                                recipient = %dec.to,
-                                token = %d.token,
-                                "Policy authorized encrypted deposit recipient"
-                            );
-                            dec.to
-                        } else {
-                            warn!(
-                                target: "zone::engine",
-                                sender = %d.sender,
-                                recipient = %dec.to,
-                                token = %d.token,
-                                amount = %d.amount,
-                                "Encrypted deposit recipient unauthorized, redirecting to sender"
-                            );
-                            d.sender
-                        };
-
+                        // TIP-403 policy enforcement happens on-chain: ZoneInbox
+                        // wraps the mint in try/catch and falls back to crediting
+                        // the depositor if the recipient is unauthorized.
                         let decryption = abi::DecryptionData {
                             sharedSecret: dec.proof.shared_secret,
                             sharedSecretYParity: dec.proof.shared_secret_y_parity,
-                            to: recipient,
-                            memo: dec.memo,
                             cpProof: abi::ChaumPedersenProof {
                                 s: dec.proof.cp_proof_s,
                                 c: dec.proof.cp_proof_c,
@@ -1257,8 +1226,6 @@ impl L1BlockDeposits {
                         let decryption = abi::DecryptionData {
                             sharedSecret: proof.shared_secret,
                             sharedSecretYParity: proof.shared_secret_y_parity,
-                            to: d.sender,
-                            memo: B256::ZERO,
                             cpProof: abi::ChaumPedersenProof {
                                 s: proof.cp_proof_s,
                                 c: proof.cp_proof_c,
@@ -1278,8 +1245,6 @@ impl L1BlockDeposits {
                     let decryption = abi::DecryptionData {
                         sharedSecret: B256::ZERO,
                         sharedSecretYParity: 0x02,
-                        to: d.sender,
-                        memo: B256::ZERO,
                         cpProof: abi::ChaumPedersenProof {
                             s: B256::ZERO,
                             c: B256::ZERO,

crates/tempo-zone/tests/advance_tempo.rs

@@ -38,8 +38,6 @@ sol! {
     struct DecryptionData {
         bytes32 sharedSecret;
         uint8 sharedSecretYParity;
-        address to;
-        bytes32 memo;
         ChaumPedersenProof cpProof;
     }
 }