Slashing
Slashing is the enforcement mechanism that gives ShipLock its credibility. When a project misses its deadline, anyone can trigger the slash. No permissions, no governance, no admin — pure deterministic enforcement.
The Canonical Slashing Rule
A project is slashable if all three conditions are true:
now > graceEndsAt
AND hasAcceptedCheckinForCycle == false
AND lastSlashedCycleNonce != cycleNonceThis rule is objective and does not depend on indexers, UI state, or any human decision. It can be verified directly via RPC.
When Can Slashing Happen?
The timeline:
- Deadline passes — grace buffer begins
- Grace ends — if no accepted check-in exists for the cycle
- Slash becomes permissionless — anyone can call
slash(project_id)
The project will show a Violation status on its detail page.
How to Slash
Anyone calls slash(project_id) on the smart contract:
- No special permissions required
- No stake required
- No approval process
- Only SOL needed for the transaction fee
The slasher (executor) earns a bounty for triggering the enforcement.
Slash Distribution
When a slash is executed, the slashed percentage of the bond is distributed:
| Recipient | Share | Purpose |
|---|---|---|
| Community Pool | 50% | Protocol sustainability |
| Burn Address | 20% | Deflationary pressure |
| Watcher Rewards | 20% | Incentivize validation |
| Slasher (executor) | 10% | Bounty for enforcement |
Example
A project with a 100,000 SHIP bond and 5% slash rate:
- 5,000 SHIP total slashed
- 2,500 SHIP → community pool
- 1,000 SHIP → burned
- 1,000 SHIP → watcher rewards
- 500 SHIP → executor bounty
What Happens After a Slash?
After the slash executes:
- Slash amount is transferred from the bond vault
lastSlashedCycleNonceis set tocycleNonce(prevents re-slashing)- Cycle advances to the next period:
cycleNonce += 1cycleStartAt = nownextDeadlineAt = now + cadencegraceEndsAt = nextDeadlineAt + grace
- The project continues — it can try again in the new cycle
A slash doesn't kill the project. It's a penalty, not a termination. The project continues unless its bond is fully depleted.
Double-Slash Prevention
Each cycle can only be slashed once. The on-chain program enforces this using:
if lastSlashedCycleNonce == cycleNonce:
reject slashEven if multiple users try to slash the same cycle, only the first transaction succeeds.
Multiple Violations
Each missed deadline compounds. If a project misses multiple deadlines in a row:
- 1st miss: 5% slashed
- 2nd miss: 5% of remaining slashed
- 3rd miss: 5% of remaining slashed
The bond is never fully drained in a single event. But repeated violations rapidly deplete the bond and damage credibility.
Bond Depletion
If the bond falls below a minimum viable amount after repeated slashes, the project is effectively terminated. The UI displays "Bond depleted" and the project can no longer operate.
Edge Cases
Exactly at graceEndsAt
Strict inequality: slashable only if now > graceEndsAt (not >=). This gives the project the full grace period.
Endorsement arrives at exact window end
Endorsements count only if now <= endorseWindowEndsAt. An endorsement at exactly the boundary is valid.
Indexer lag
The UI must not rely on the indexer for slash eligibility. If the indexer is behind:
- Show a warning to the user
- Allow direct RPC check for on-chain state
- Slashing should always work via direct contract call
Project owner disappears
Not an issue. Enforcement is completely permissionless. The project either ships or gets slashed — no dependency on the owner being present.
Simultaneous slash attempts
Only the first transaction succeeds. Subsequent attempts for the same cycle are rejected by the on-chain program due to the lastSlashedCycleNonce check.
Why Permissionless Enforcement Matters
If slashing required governance approval or admin action:
- Enforcement would be slow and political
- Teams could lobby to avoid consequences
- The system would lose credibility
By making slashing permissionless and bounty-incentivized, ShipLock ensures that enforcement actually happens without depending on any single actor.