From 0273fe29e4ee6cf84daa1d7ee57cc2be096995d3 Mon Sep 17 00:00:00 2001 From: Kayos Date: Sat, 9 May 2026 20:33:39 -0700 Subject: [PATCH] =?UTF-8?q?audits:=20settle=20path=20landed=20=E2=80=94=20?= =?UTF-8?q?full=206/6=20escrow=20builders=20proven=20on=20chain?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Settle path (4 txs): - open a878900c09022381f332ca2cea1b4624202ebdbd6f3a83fd9de07475bb98bd6b - bob deposit ef8910101e88b63abb28ec9b511616e3465075b8d34d5eeb9703efe1876a62bf - agree bbfd57c3acb68ddb76d6b92c0dbe8ba9cb21ca88ad6370d19f00822c3b69d655 - settle 4b52312ce264dba74a6fde6c2ccb597696022c8919470f23670e2746db10d1ff agreed_at_ms=1778381375000 + lock_period_ms=1_800_000 = 1778383175000 earliest_settle. Tip at settle submit: 1778383733000 (558s past). recipient (bob) receives 10 ADA at enterprise address. Settle requires no party signer — preprod drove as fee-payer only. Validator's Settle branch executed cleanly: state==Agreed check, strict-> time gate, recipient payout via value_geq_value(paid, in_value). MED-2/3 fix (slot-derived validity_lower_ms) held a second time under different timing. Total escrow value cycled through validator across all three E2E paths: 5+10+10 = 25 tADA, 9 successful txs across 6 distinct validator branches (open as no-script, deposit, agree, veto, settle, refund). Zero failed txs, zero collateral burns. Code surface complete. Next: drop escrow_wip flag (task #48) per Cobb's 2026-05-09 directive — replace compile-time gate with runtime "use at own risk" note when an agent calls escrow_open. --- audits/2026-05-09-escrow-e2e.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/audits/2026-05-09-escrow-e2e.md b/audits/2026-05-09-escrow-e2e.md index 28ea38e..4bc9a22 100644 --- a/audits/2026-05-09-escrow-e2e.md +++ b/audits/2026-05-09-escrow-e2e.md @@ -31,17 +31,17 @@ Total tADA cycled through validator: 10 ADA (5 from each party). Refunded to ent | (wait) | — | tip elapsed past open_deadline (~165s past) before next step | | Refund-timeout | `41590ac6ed069586e650da58858436cfe6be51a865069a7a4b40f795dfcdbff9` | escrow_refund_timeout builder; `lower > open_deadline_ms` strict-`>` time gate proven; HIGH-2 deposits-sum invariant proven on a single-deposit escrow; single-output refund (2 ADA back to party_a's enterprise address). | -## Settle path (6th builder, NOT YET TESTED) +## Settle path (6th builder) -Deferred — requires a 30-minute `lock_period_ms` to elapse between Agree -and Settle. Setup: open + 2 deposits + Agree + wait 30 min + Settle. -Run as a separate session when the window is convenient. +| Step | tx hash | What it proves | +|------|---------|----------------| +| Open | `a878900c09022381f332ca2cea1b4624202ebdbd6f3a83fd9de07475bb98bd6b` | escrow_open with deadline=tip+1h, lock=30min, recipient=bob | +| Deposit (bob) | `ef8910101e88b63abb28ec9b511616e3465075b8d34d5eeb9703efe1876a62bf` | bob adds 5 ADA, deposits=[(preprod,5),(bob,5)], second time the V3 validator's Deposit branch ran on chain | +| Agree | `bbfd57c3acb68ddb76d6b92c0dbe8ba9cb21ca88ad6370d19f00822c3b69d655` | both-party multi-sig (driver=preprod, co-signer=bob); state Open→Agreed{at=1778381375000} | +| (wait) | — | tip elapsed past `agreed_at + lock_period_ms` (~1778383175000) — actual tip at settle: 1778383733 = 558s past | +| Settle | `4b52312ce264dba74a6fde6c2ccb597696022c8919470f23670e2746db10d1ff` | escrow_settle builder; `lower > agreed_at + lock_period` strict-`>` time gate proven; **MED-2/3 fix held a second time** under different timing; recipient (bob) gets 10 ADA at his enterprise address; no party signer required (preprod drove as fee-payer only) | -The Settle builder + validator branch are unit-tested in -`crates/aldabra-dao/src/builder/escrow_settle.rs` (5 tests covering -not-Agreed reject, lock-not-elapsed reject, empty-escrow reject, -happy-path full payout, anyone-can-drive). On-chain validation is the -final gap. +**All 6 builders proven on chain.** ## What this E2E proved on chain