How it works
A rate limit is a ceiling on how much value can leave or enter a chain over one path in one window. When tokens start moving abnormally fast, the limit throttles the flow without freezing normal transfer activity, buying governance time to respond. The middleware applies to ICS-20 transfers only. Limits are defined and configured independently per pair of denom and path. A path is identified by a channel ID (IBC v1) or a client ID (IBC v2). Flow limits are set by chain governance.Rate limiting and transfers
The middleware wraps the transfer application. Every transfer passes through its accounting before reaching core IBC on the way out or the application on the way in. On a typical chain, the outbound path runs from the transfer module, up through any packet forward middleware, through rate limiting, and finally to the IBC core that sends the packet. The inbound path runs in reverse. The middleware acts on four points in a packet’s life:- It checks the outflow when a packet is sent.
- It checks the inflow when a packet is received.
- It reverts a recorded outflow when a sent packet fails.
- It reverts a recorded outflow when a sent packet times out.
Quotas, flows, and channel value
Three pieces decide every transfer:- Quota: the outbound cap, the inbound cap, and the window length.
- Flow: the inflow so far, the outflow so far, and the channel value for this window.
- Channel value: the total on-chain supply of the denom, read from the bank module. It is the denominator that turns a percentage cap into an absolute amount.
- Net outflow is the outflow minus the inflow plus the new amount.
- Net inflow is the inflow minus the outflow plus the new amount.
MaxPercentSend of 10.
The outbound threshold is 100,000, which is 10% of supply. Suppose the current window has recorded 60,000 of outflow and 20,000 of inflow.
A new outbound transfer is allowed only if the net outflow stays at or below 100,000:
Rolling windows and resets
A flow accumulates within a fixed window and returns to zero when the window elapses. The window length is the quota’s duration in hours. The module tracks time as an hourly epoch that advances once per block, and each limit resets when the elapsed epoch count is a multiple of its duration. A limit with a 24-hour duration therefore resets once a day. A reset does three things:- It zeroes the inflow and outflow.
- It re-reads the channel value from current supply, so the caps track the token’s supply as it changes.
- It clears the record of packets still in flight for that path.
Reversal on failed acknowledgements and timeouts
An outbound transfer counts against the flow the moment it is sent, before the receiving chain has confirmed it. That count is provisional:- If the packet is acknowledged successfully, the outflow stands.
- If the acknowledgement carries an error or the packet times out, the middleware reverts the outflow so a failed transfer does not consume the limit.
Whitelists and blacklists
Two lists override the quota logic at the edges:- A whitelist entry is a specific sender and receiver address pair. Transfers between a whitelisted pair skip rate limiting entirely and do not update the flow. This suits trusted or protocol-controlled routes.
- A blacklist entry is a denom. Any transfer of a blacklisted denom is rejected outright, regardless of quota.
- It rejects a blacklisted denom.
- It allows any path that has no limit configured.
- It exempts a whitelisted address pair.
- It applies the quota.
Next steps
- Integrate the rate limiting middleware into a chain for IBC v1 and v2.
- Configure rate limits through governance.