Option A: CosmWasm Vault + Watcher (hardest guarantees)

When the source chain supports CosmWasm with staking calls.

Architecture

• Vault contract (source): Holds user deposits, can only Delegate, Undelegate, and Withdraw to depositor. No Bank Send, no ICS-20, no arbitrary calls.
• Receipt contract or ledger (destination): Mints a non-transferable receipt that represents the user’s claim. Burn to redeem.
• Watcher set: Off-chain committee that proposes stake ratio changes. Their instructions are only hints. The vault verifies reality via chain state before acting.

How the watcher controls ratio safely

• Watcher submits a signed message: {target_ratio, max_delegate, max_undelegate, epoch, heartbeat}.
• Vault enforces:
  • Hysteresis band: Only act if current ratio is outside [target−h, target+h].
  • Rate limits: Per epoch caps on delegate and undelegate.
  • Invariant checks: locked + delegated == total_deposits − penalties.
  • Proof gate: Before delegating or undelegating, the vault queries on-chain state (or receives an IBC proof) to validate balances and unbonding queues.
  • Committee threshold: Use a multisig or threshold signature across N watchers. Single signer cannot move funds.

Redemption

• User burns receipt on destination.
• Destination sends IBC message to the vault: redeem(deposit_id, amount).
• Vault places the amount into an unbonding queue, then pays out to the depositor after unbonding. Optional small LP buffer for instant exits.

Failure containment

• Circuit breaker: Pause actions if deviation from NAV exceeds X percent, if slash detected, or if watcher quorum fails.
• Validator policy: Diversified set with caps, auto-redelegate around jailed validators, no self-delegation to conflicts.
• Slash reserve: Optional reserve to cushion minor slashes.

Mermaid: Vault + Watcher

sequenceDiagram
  autonumber
  participant U as User
  participant Vault as Wasm Vault (Source)
  participant Stk as Staking Module
  participant W as Watcher Committee
  participant Rel as Relayer
  participant Dst as Destination
  participant Rec as Receipt (non-transferable)

  U->>Vault: Deposit native
  W-->>Vault: Signed ratio hint {target, epoch}
  Vault->>Vault: Verify threshold, epoch, rate limits, proofs
  Vault->>Stk: Delegate or Undelegate to reach target band
  Vault-->>Dst: IBC packet: credit receipt
  Rel-->>Dst: Relay packet
  Dst->>Rec: Mint receipt to U

  U->>Rec: Burn for redemption
  Rec-->>Vault: IBC redeem request
  Vault->>Stk: Undelegate queued amount
  Stk-->>Vault: Unbond complete
  Vault-->>U: Withdraw underlying

Option B: User ICA Address + Controller + Watcher (works without Wasm)