arbitration for audit vaults #492
Comments
|
|
|
separate arbitrator contract for each vault? |
|
init params of create vault should include the arbitrator contract and its init params |
|
|
i updated the text and added some plurals, the procedure remains the same.
yes. A clone of course.
we can have a
i meant this as a short way to say "the arbitrator chooses a new bountypercentage and beneficiary"
So only the address at |
Not sure what does that mean? The vault is "locked" during the entire time there's an open claim. Also, which token should the deposit be (always ETH? ERC20 settable on init?) and how much should it be for |
what i meant is the arbitrator is now responsible for releasing the lock
shay was thinking usdc, oli was dreaming about it being hats. Let's make it an erc20 settable on init, consider making it changeable |
erc20 - think of 50 usdc but it should be changeable
this is all handled by the HATVault contract (or i misunderstand your question? :)
well it cannot be too late, the idea is that the arbitrator is in control once the dispute is started, and the vault reamin locked until the arbitrator decides on a new distribution.. what is still missing form the spec is how the refunds (there could be several claims) will happen, though, i am not sure what the most straightforward wau to handle that is |
I don't think this is possible with our current structure, nor do we want that because we don't want the vault to be locked forever if the arbitrator doesn't respond.
Changeable means settable on init for each project or really allow changing the bond size with some setBondValue function?
Now the arbitrator contract only can call the approveClaim and dismissClaim before the expiration time. Should that be possible to do by the governance at any time, or only if a dispute was resolved?
We can't just lock the vault potentially forever though, that's too dangerous |
What I was thinking is to let the arbitrator, when calling resolveClaim (or with a separate refundDisputers function when needed) pass an array of disputers and just mark each as claimable for refund, then the disputers can call claimRefund to claim their deposits |
|
Also, should the arbitrator be allowed to make a resolution without a dispute being submitted in the contract? |
We are not. HATVault has logic that allows anyone to dismiss the claim after a timeout, https://github.com/hats-finance/hats-contracts/blob/develop/contracts/HATVault.sol#L353
I see no reason to introduce this. If nobody disputes, there is no problem. If the arbitrator wants to make a resolution by itself, it can alsows first create a dispute and then resolve it. |
Yes, that was my point, it's not going to be locked until arbitrator releases it necessarily, so if the arbitrator is not responding fast enough, there might be valid disputes that should be refunded but was not reviewed on time, and the arbitrator might want to refund it after the claim was already resolved. |
Ok, and should the hats governance be able to dismiss or approve the claim before the arbitrator suggest a resolution? Or before the challenge period ends? Or only once the arbitrator suggests a resolution/ dismisses all disputes on the claim? |
motivation: at the payout moment, projects have strong incentives to pay out as little as possible. We introduce an "audit arbitrator" - this will typically be a trusted third party, perhaps a connected audit firm - that has the possibility to overrule the committee's decision. In any case, the decision will be ratified by hats governance just as before
process - high level
process - details and implementation
Q the dispute can either start from an informal process (i.e. committe creates the payout, hacker contacts arbitrator, arbitrator stops the process) or more formal (i..e hacker creates the dispute and pays a deposit to cover the costs of the arbitration (he will get back if he wins). We work out the formal process here but we can also do a simplified version.
We will create a new
AuditArbitratorcontract, which has the following state variables:address public immutable vault(i.e. the AuditArbitrator contract has ajn immutable reference to the vault set on initialization)address public immutable arbitratoraddress public immutable hatsGovernancehacker is not happy and calls
auditarbitrator.dispute(claimId, ipfsdata)vault.challengeClaim(claimId), the vault now remains locked until the arbitratror releases itauditarbitrator.arbitrator()contacts the hacker(s) (with the info from ipfsdata), does it's due diligence, etc, and will call either (2a)auditarbitrator.dismissDispute()(to signal that none of the received disputes are considered right)(2b)
auditarbitrator.resolveDispute(newBeneficiary, newBountyPercentage)(to propose a new payout based on the dispute(s) received)dismissDispute, the disputer(s) loses their depositresolveDispute, (all) disputers get their deposit back. The auditarbitrator gets a fee paid from the vault. We could also formalize this fee structure, but in practice the newBeneficiary will be a distribution contract, ad the arbitrator con include it's own addrss as part of the distributionauditarbitrator.hatsGovernance()can now either call:dismissClaimwhich will dismiss all claims and reset the vault to the origianl (pre-claim) stateapproveClaim()which will approve the claim put forward by the arbitrator (i.e. if the arbitrator dismissed the dispute, it will approve the original claim made by the committee, if the arbitrator resolved the dispute, it will approve the arbitrators new claim.The text was updated successfully, but these errors were encountered: