Proposal: merge ETHBucket and ETHRefund

[ldct]

While working on funding/topping-up channels-on-plasma, a security problem with using both ETHBucket and ETHRefund was discovered. Basically, a problem happens if the ETHBucket app gets an outcome set and the interpreter called, before the ETHRefund app gets an outcome set. This is avoidable in channels-on-ethereum but only barely (i.e., we have to be careful with the adjudication layer not to break it) and not possible in general in channels-on-plasma without adding "atomic withdrawal" to the plasma contract, a feature which is conceptually confusing and seems to have no other benefits.

It might be cleaner to extend the ETHBucket app to have a leftoverGoesTo address that collects designates who should get the leftover funds, as well as a threshold that this.balance must exceed, failing which getOutcome will fail. This makes the funding mechanism less fragile, i.e., compatible with more variants of plasma, adjudication layer choices, encumberments etc.

[snario]

I'm worried about having getOutcome ever fail because that breaks the "escape criterion" which states that a user should always have a path to a "finalizable outcome" on-chain in a finite time.

[ldct]

getOutcome has to fail atomically for ETHBucket anyway, since we only record whether the interpreter call succeeded or not, and can't store partial information

[snario]

Is there a way to avoid breaking the escape criterion @IIIIllllIIIIllllIIIIllllIIIIllllIIIIll or do view functions fundamentally not adhere to the criterion?

[ldct]

I think the escape criterion is not satisfiable if the state channel mechanism does not know how long to wait for "all funds" to arrive. If it does know, we can put a timeout into the ETHBucket such that after that timeout, funds are distributed even if the whole thing is underfunded. This timeout could be set to be equivalent to the challenge length.