Escrows

[nventuro]

Fixes #901

🚀 Description

• Adds an Escrow and reimplements PullPayment using it. The totalPayments variable was removed after being deemed useless
• Adds a ConditionalEscrow abstract contract, and a RefundEscrow derived contract (similar to RefundVault, but the beneficiary must call withdraw after close is called instead of it being automatic)
• Removes RefundVault and updates RefundableCrowdsale to use RefundEscrow

• 📘 I've reviewed the OpenZeppelin Contributor Guidelines
• ✅ I've added tests where applicable to test my new functionality.
• 📖 I've made sure that my contracts are well-documented.
• 🎨 I've run the JS/Solidity linters and fixed any issues (npm run lint:all:fix).

[frangio]

Awesome @nventuro! I love this "Escrow" name, it's right on the money.

Here's a first round of feedback.

[frangio]

I think RefundEscrow is very much crowdsale-specific so it should be with the crowdsale stuff. Potentially in this same file. Thoughts?

[nventuro]

Disagree: a RefundEscrow is a payment method, a crowdsale typically using it doesn't make it crowdsale-specific. As an example, platforms like Amazon or eBay also offer refunds and act as an escrow themselves, and could extend their payment systems to add support for multiple payers.

[frangio]

Please make this state variable private.

[frangio]

The word transfer is quite overloaded but I feel like this is an asyncTransfer more than an asyncSend, in analogy with send vs transfer because of the lack of return value.

Thoughts?

[nventuro]

I missed this when updating PullPayment, I agree that transfer is indeed the better term.

[frangio]

Typo twice here: "benefitiary" → "beneficiary".

Also, "unique" doesn't sound right... "single" is the right word, but it feels redundant to me anyway.

This description doesn't explain the condition according to which either withdrawal or refunding is allowed. We should also explain that this contract was written as the escrow for a RefundableCrowdsale.

[nventuro]

Yeah, unique is just plain wrong. I think it could just say 'for a beneficiary' and the meaning would remain clear.

I'm not sure about the RefundableCrowdsale part though: supporting refunds in a payment system doesn't scream 'crowdsale' to me. I actually see the inverse of that being true: the RefundableCrowdsale is nothing more than a crowdsale, the escrow, and glue code.

[frangio]

It's true that RefundEscrow is not necessarily crowdsale-specific. I didn't mean to say that. I'm just interested in cross-linking related contracts. Perhaps this information should be automatically generated by our documentation generator though.

[frangio]

& → *

[nventuro]

I blame Stroustrup

[frangio]

This line doesn't add any value (ha!). It will unnecessarily propagate the special case to the users of Escrow, when we can easily treat deposit(0) as a no-op. Let's just remove the line.

[nventuro]

deposit(0) would indeed do nothing: I thought it better to protect the caller from using the API wrong, though the argument could be made that this would make the contract more expensive for all other users. It's more of a library-wide decision, IMO. WDYT?

[frangio]

The thing is deposit(0) is not a wrong use of the API, it's just a no-op. It's not a matter of gas efficiency, it's about not forcing users of Escrow to add code to treat 0 specially.

We've discussed this before, though I can't remember where, and the decision was to not revert.

[frangio]

This is more of an assert than a require.

[frangio]

This feels unnecessary as well. I would remove it.

[frangio]

Escrow#withdraw(address) has the same name but it does something different. Let's name this one something different. beneficiaryWithdraw? I don't know.

[nventuro]

Agreed. On a related note, withdraw and refund do the same thing, but withdraw emits no events. Should we prevent the user from calling the base function (i.e. override and revert)?

[frangio]

Oh, I hadn't noticed that. Hm... I think we should keep withdraw instead of adding a new refund function. In the case of RefundableCrowdsale, the user will use RefundableCrowdsale#claimRefund anyway.

[frangio]

No need to use super here.

[frangio]

We should add Deposited and Withdrawn events. (I'm open to other names.)

[nventuro]

This would make the Refunded event a bit redundant (since it will also emit an identical Withdrawn): do we want to remove it?

[frangio]

A few more comments. I'd also like to do a last review of correctness and security before merging.

[frangio]

I'd like to get a second/third opinion on this name. Alternative: withdrawToBeneficiary.

[frangio]

It can be the default export and have a name at the same time. We need a library-wide convention for this. Currently all of the behavio(u)rs use a default export so we should stick to that.

[nventuro]

None of the other behaviors give a name to this function though. I'd leave it anonymous and default, and implement the library-wide change in a different PR.

Opened #1027

[frangio]

Remove when we add events to Escrow.

[frangio]

Notice that the helper returns the event, so you can do

const event = expectEvent.inLogs(receipt.logs, 'Refunded', { refundee });
event.args.weiAmount.should.be.bignumber.equal(amount);

In this way you also stop relying on the event being at index 0.

[nventuro]

Neat, I missed that bit, ty!

[frangio]

The preferred usage for better readability is:

import expectEvent from '../helpers/expectEvent';

expectEvent.inLogs(receipt.logs);

[nventuro]

I thought that made more sense, but preferred to copy the existing code style :/

[frangio]

There's both styles, unfortunately.

https://github.com/OpenZeppelin/openzeppelin-solidity/blob/f18c3bc438b366f9cb3a8613f5be160c2cbced5e/test/ownership/Whitelist.test.js#L49-L53

[shrugs]

This is more of a "light" approval; I don't have the time to do a deep review, but the architecture is 👍and after a scan all of the code looks chill. Would prefer that @frangio follows up with his previous review before we merge :)

[nventuro]

After discussing offline with @frangio, we decided to restrict the API somewhat, making the base Escrow inherit from Ownable, forcing all interactions to go through an owner contract (like in the PullPayment and RefundCrowdsale case), to reduce the surface vector for potential attacks.

I'll be updating the contracts and tests soon.

[nventuro]

Escrows are now an implementation detail of the contracts that use them as a payment method. Users of these contracts will never interact with an Escrow directly, making it easier to reason about security concerns. The two contracts that implement this pattern are PullPayment and RefundableCrowdsale.

[frangio]

Thanks @nventuro!