Auditor’s Guide

For nerds, auditors, and the professionally suspicious. The deep version of how it works. Everything here is checkable; where it isn’t yet, it says so. Live addresses and backing status: trust & verification.

1 · What Is On-Chain, Exactly

One Scrypto component (guild-marketplace-escrow, Radix mainnet) enforces a six-state task lifecycle. The app (Next.js + Postgres) is a mirror and a convenience — the ledger is the source of truth, and a reconciler heals the database from chain events, never the reverse.

Open ──claim──▶ Claimed ──submit──▶ Submitted ──approve──▶ Released   (terminal)
  │                │                    │
  cancel        expire/cancel        dispute ──resolve/auto──▶ Released | Refunded (terminal)
  ▼                ▼
Refunded (terminal)

| Transition | Caller | Auth | Time gate |
|---|---|---|---|
| create_task | poster | — (funds reward + insurance atomically) | |
| claim_task | worker | worker badge Proof + claim bond; self-claim asserted away | sets submit deadline (7d human / 1d agent) |
| expire_claim | anyone | PUBLIC | after submit deadline |
| submit_task | worker | claim-receipt burn (one-shot) + evidence hash committed | |
| approve_and_release | poster | task-receipt burn (one-shot) | |
| raise_dispute | poster or worker | receipt/badge Proof + evidence hash | |
| resolve_dispute | arbiter | arbiter badge | ruling: PayWorker / RefundPoster / Split |
| auto_resolve_dispute | anyone | PUBLIC | after dispute window (72h deployed) |

Auth pattern worth auditing: every irreversible act consumes a one-shot receipt (bucket-burn — no replay); recurring acts use Proofs; safety releases are PUBLIC and time-gated. No method deposits into stored addresses — funds return to the caller’s manifest for routing, which is what makes component-held roles (pools) possible later.
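
The table above as an executable reference model that observed transactions can be replayed against. This is an added example, not the Scrypto blueprint: the `Disputed` state name, the context fields, the strict "after" comparison and the reading of FavorDisputeRaiser (taken from the deployed parameters in section 3) are assumptions, and the cancel paths and the Split ruling are left out because the page gives no method or terminal state for them.

```javascript
const HOUR = 3600, DAY = 24 * HOUR;
const SUBMIT_WINDOW = { human: 7 * DAY, agent: 1 * DAY }; // set at claim_task
const DISPUTE_WINDOW = 72 * HOUR;                         // deployed value
// Split is left out: the page does not say which terminal state it settles in.
const RULINGS = new Map([["PayWorker", "Released"], ["RefundPoster", "Refunded"]]);
function need(ok, msg) { if (!ok) throw new Error(msg); }

// create_task: the poster funds the task and it starts Open.
function createTask(poster) {
  return { state: "Open", poster, worker: null, submitDeadline: null, dispute: null };
}

// c = { actor, now (seconds), kind, ruling, isArbiter }: assumed field names.
const RULES = {
  claim_task: { from: "Open", run(t, c) {
    need(c.actor !== t.poster, "self-claim rejected");
    need(Object.hasOwn(SUBMIT_WINDOW, c.kind), "unknown worker kind");
    t.worker = c.actor; t.submitDeadline = c.now + SUBMIT_WINDOW[c.kind];
    return "Claimed"; } },
  expire_claim: { from: "Claimed", run(t, c) {           // PUBLIC: no actor check
    need(c.now > t.submitDeadline, "submit deadline not passed");
    return "Refunded"; } },
  submit_task: { from: "Claimed", run(t, c) {
    need(c.actor === t.worker, "claim-receipt holder only");
    return "Submitted"; } },
  approve_and_release: { from: "Submitted", run(t, c) {
    need(c.actor === t.poster, "task-receipt holder only");
    return "Released"; } },
  raise_dispute: { from: "Submitted", run(t, c) {
    need(c.actor === t.poster || c.actor === t.worker, "parties only");
    t.dispute = { raiser: c.actor, at: c.now };
    return "Disputed"; } },                              // assumed state name
  resolve_dispute: { from: "Disputed", run(t, c) {
    need(c.isArbiter === true, "arbiter badge required");
    need(RULINGS.has(c.ruling), "ruling not modelled");
    return RULINGS.get(c.ruling); } },
  auto_resolve_dispute: { from: "Disputed", run(t, c) {  // PUBLIC, time-gated
    need(c.now > t.dispute.at + DISPUTE_WINDOW, "dispute window still open");
    // FavorDisputeRaiser, read here as: the side that raised the dispute wins.
    return t.dispute.raiser === t.worker ? "Released" : "Refunded"; } },
};

function apply(task, method, ctx) {
  need(Object.hasOwn(RULES, method), `unknown method ${method}`);
  const rule = RULES[method];
  need(task.state === rule.from, `${method} not allowed from ${task.state}`);
  task.state = rule.run(task, ctx);
  return task.state;
}
```

Any transaction seen on-chain that this model rejects (wrong state, wrong caller, time gate not passed) is a finding worth chasing in the blueprint source.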

2 · The Trust Claims, and How to Check Each One

1. “The platform cannot move escrowed funds.”
There is no platform key with authority over task vaults. The owner badge can: manage the accepted-token whitelist, freeze a whitelisted token, withdraw forfeited claim bonds. It cannot touch reward or insurance vaults.
Check: Read the blueprint's auth roles (source publication — see the trust page) and the method table above; try it on a fork.
2. “Nobody can be stranded.”
Claimed tasks expire publicly; disputes auto-resolve publicly after the window; (vNext2) submitted work auto-releases after the review window. The winner finalizes from their own wallet — our keeper is watch-only by decision: it alerts humans and sends no transactions on the money path.
Check: The keeper's watch-only decision is documented in-code (scripts/keeper.mjs header); observe that auto_resolve_dispute and expire_claim carry no badge requirement.
3. “The terms you saw are the terms that settle.”
Title, description, and structured terms (acceptance criteria, deadlines, revisions) are canonicalized and SHA-256 committed into the task at funding (work_brief_hash); submission evidence is likewise hashed. Disputes are judged against the committed brief — chat doesn't count unless it amended the brief.
Check: Recompute the canonical form (frozen v1/v2 formats in src/lib/escrow-utils.ts) against the on-chain hash via the Gateway.
4. “The mirror can't lie for long.”
App state is advanced only by verified on-chain events (single confirm path), and a keyless reconciler replays chain events on a cron.
Check: src/lib/escrow-confirm.ts — one writer, event-verified, idempotent ledger (UNIQUE(taskId, txType)).
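
An added example of checks 3 and 4 together, not taken from the project's code: it recomputes a brief hash and feeds the event through a single confirm path with a (taskId, txType) uniqueness rule. The canonical form, the event fields and the `makeMirror` helper are assumptions, since the frozen v1/v2 formats are not reproduced on this page; the sample data is constructed.

```javascript
const { createHash } = require("node:crypto");

// ASSUMED canonical form (not the project's frozen v1/v2 format):
// NFC-normalised strings, recursively sorted object keys, compact JSON.
function canonicalize(v) {
  if (typeof v === "string") return JSON.stringify(v.normalize("NFC"));
  if (Array.isArray(v)) return `[${v.map(canonicalize).join(",")}]`;
  if (v !== null && typeof v === "object") {
    const fields = Object.keys(v).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(v[k])}`);
    return `{${fields.join(",")}}`;
  }
  return JSON.stringify(v); // numbers, booleans, null
}

function briefHash(brief) {
  return createHash("sha256").update(canonicalize(brief), "utf8").digest("hex");
}

// Mirror with a single write path; `ledger` stands in for the table
// carrying UNIQUE(taskId, txType).
function makeMirror() {
  const ledger = new Map();
  return {
    ledger,
    confirm(event, shownBrief) {
      const key = JSON.stringify([event.taskId, event.txType]);
      if (ledger.has(key)) return "duplicate";           // replay changes nothing
      if (event.txType === "create_task" &&
          briefHash(shownBrief) !== event.work_brief_hash) return "hash-mismatch";
      ledger.set(key, event.txId);
      return "applied";
    },
  };
}

// Constructed sample data (not real task or transaction identifiers).
const SAMPLE_BRIEF = {
  title: "Logo redesign",
  description: "Three SVG variants",
  terms: { acceptanceCriteria: ["SVG source delivered"], deadline: "2026-01-31", revisions: 2 },
};
const SAMPLE_EVENT = {
  taskId: "task-constructed-1", txType: "create_task", txId: "tx-constructed-1",
  work_brief_hash: briefHash(SAMPLE_BRIEF), // stands in for the hash read via the Gateway
};
```

A brief that differs from the committed one in any term returns `hash-mismatch` and writes nothing, and replaying the same event returns `duplicate`, which is the property a cron-driven reconciler depends on.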

3 · Economics (Deployed → Planned)

Deployed today

Insurance min 5% of reward; claim bond 10 XRD; dispute window 72h, default FavorDisputeRaiser; arbiter fee 0 (cap 10%). Ground truth per component address — see trust & verification.

Planned at vNext2 (decided 2026-06-12)

Insurance becomes optional dispute coverage (~10–15% suggested, refunded if unused; no coverage ⇒ no dispute path — pure optimistic mode); review window with auto-release on poster silence (default 3d); SplitEvenly on dispute abandonment + reputation marks; mutually-signed splits (settle_by_agreement); heartbeat removed in favor of deadline + mutual extension. One migration, everything bundled.

4 · Honest Gaps (the Register)

| Element | Status | Best we have |
|---|---|---|
| Per-criterion enforced payouts | No shipped precedent, anywhere | Checklist-as-evidence routes to: full release / revision / mutual split / insured arbitration |
| Co-funder voting on acceptance | Every attempt died or went unused | Curator-pattern pools (named acceptor, self-claim refunds, escrow-level timers protect the worker) |
| Subjective quality judgment | Unsolvable in general | Committed brief + insured human arbiter + (planned) AI advisory opinion |
| Agent work verification | Standards in flux industry-wide | Badge-holding humans accountable for agents + automatic evidence checks |

If you have a better mechanism for any of these: post it as a task. That is not a slogan; it is the product working on itself.

5 · Identity and Backing (Pseudonymous, With Receipts)

The operator is pseudonymous (bigdev / @bigdevxrd) with a verifiable on-chain and GitHub track record. In lieu of doxxing: the escrow blueprint source will be published with reproducible-build verification; the bug bounty is funded through the Guild’s own escrow (on-chain, visible); a timelocked commitment bond is planned. Status of each: trust & verification. For tasks/projects over $50k USD, trustee-verified identity is offered — a named third party attests the operator’s identity and standing without public disclosure.

6 · Known Limits — Read Before Relying
  • Blueprint upgrades are migrations (new component + env swap), not in-place — config is immutable per instantiation by design. Review the parameter sheet per component address.
  • Wallet-side MFA/multisig UX is not yet on Radix mainnet; arbiter-council M-of-N is enforced at the method-auth layer when activated.
  • The app is closed-source during beta; the money-path blueprint is the part being opened.
  • This is experimental software on mainnet. The honest-gaps register above is live, not historical.