refactor: commitment-based fund flow #23

Draft: ozwaldorf wants to merge 4 commits into master from refactor/commitment-flow
Conversation

@ozwaldorf ozwaldorf commented Apr 20, 2026

Summary

  • fund() takes commitment hash H(recipient, [token,] amount, salt) and collect() takes salt to verify
  • ReceiptValidator extracts fields from proof instead of asserting against immutables
  • Collapse reward/payment/originalReward into single deposit field; cancelAndWithdraw returns all
  • Bond minimum lowered from 50% to 0.25% of deposit
  • -7% contract size, -5.8% ERC20 deploy gas; 71 tests passing

- fund() takes commitment hash instead of recipient/amount
- collect() takes salt; verifies H(recipient, [token,] amount, salt)
- ReceiptValidator extracts fields instead of asserting
- merge reward/payment into single deposit, bond min 0.25%
- remove expectedRecipient/expectedAmount immutables
- remove originalDeposit and totalBondsDeposited
- cancelAndWithdraw returns deposit + seized bonds to deployer
- 6 storage slots (was 8)
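A minimal model of the commit-reveal flow the summary describes (fund() stores only the commitment hash, collect() reveals the salt and the contract recomputes H(recipient, [token,] amount, salt) before paying out). This is an added illustration, not code from the PR; the hash function (SHA-256 here) and the fixed-width field encoding are assumptions, since the page does not specify either.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: SHA-256 over fixed-width fields. The page does not state the
# contract's H() or encoding (a Solidity contract would typically use keccak256).

def commitment(recipient: bytes, amount: int, salt: bytes, token: Optional[bytes] = None) -> bytes:
    """H(recipient, [token,] amount, salt). Every field is fixed-width so field
    boundaries are unambiguous: no second (recipient, amount, salt) tuple can
    produce the same byte string by shifting bytes across a boundary."""
    if len(recipient) != 20 or len(salt) != 32 or not 0 <= amount < 2**256:
        raise ValueError("bad field width")
    parts = [recipient]
    if token is not None:            # ERC20 path; omitted for the native-asset path
        if len(token) != 20:
            raise ValueError("bad field width")
        parts.append(token)
    parts += [amount.to_bytes(32, "big"), salt]
    return hashlib.sha256(b"".join(parts)).digest()

@dataclass
class Escrow:
    commitment: bytes    # the only thing fund() records about recipient/amount
    deposit: int
    collected: bool = False

    def collect(self, recipient: bytes, amount: int, salt: bytes, token: Optional[bytes] = None) -> int:
        """Reveal: recompute H over the claimed fields; pay out only on an exact match."""
        if self.collected:
            raise RuntimeError("already collected")
        if commitment(recipient, amount, salt, token) != self.commitment:
            raise ValueError("commitment mismatch")
        if amount > self.deposit:    # sanity check: the reveal cannot claim more than was funded
            raise ValueError("amount exceeds deposit")
        self.collected = True
        return amount

def fund(deposit: int, commit: bytes) -> Escrow:
    """fund() learns nothing but the hash; recipient and amount stay hidden until collect()."""
    if len(commit) != 32:
        raise ValueError("commitment must be 32 bytes")
    return Escrow(commitment=commit, deposit=deposit)

if __name__ == "__main__":
    rcpt, salt = b"\x11" * 20, secrets.token_bytes(32)   # constructed sample values
    esc = fund(103, commitment(rcpt, 100, salt))
    print("collected", esc.collect(rcpt, 100, salt))
```

The salt must be high-entropy: recipient and amount alone are low-entropy fields, and a committed hash over them without a salt could be matched by enumeration rather than kept hidden until collect().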
ozwaldorf commented Apr 20, 2026

Rationale: 50% of reward -> 0.25% of deposit

Since deposit = transfer amount + reward, anchoring the bond to total deposit (not just reward) makes the bond scale with the value being transferred.

Examples

Given:

reward  = $2 + gas + 0.5% * T
deposit = transfer + reward

| Transfer   | Deposit    | Old bond (50% reward) | New bond (0.25% deposit) | Bond / reward |
|------------|------------|-----------------------|--------------------------|---------------|
| $100       | $103       | $1.25                 | $0.26                    | 7%            |
| $1,000     | $1,008     | $3.50                 | $2.52                    | 31%           |
| $100,000   | $100,503   | $251                  | $251                     | 50%           |
| $1,000,000 | $1,005,003 | $2,500                | $2,512                   | 50%           |

Properties

  • Converges to the old 50%-of-reward ratio at steady state (0.25% * T ~= 0.5 * platform fee), so the security invariant is preserved without needing a split reward/payment storage layout.
  • Griefing becomes strictly unprofitable for large transfers: a $1M transfer grief costs $2,512 per cycle to deny $5,003 of reward — attacker loses more than they deny.
  • At small transfers, griefing is cheap in absolute terms but limited in damage ($0.78 over 15 min to deny $3.50). Mild harassment, not an economic attack.
  • Escalation is now gradual (+0.25% per seized bond) instead of doubling, keeping the market accessible to new executors after a failure.

@ozwaldorf ozwaldorf requested review from EmperorOrokuSaki and g4titanx and removed request for EmperorOrokuSaki April 20, 2026 16:14