💻

Data termination penalty—design sketch

Creator

Alex North

Created

May 21, 2023 9:09 PM

Project

Storage Programmability

“Data termination penalty” is a term for replacing the built-in market’s minimum mandatory deal collateral with data assurance penalties enforced by the miner actor instead.

If we assume that mandatory data assurance penalties are something the network should enforce for all data, this change would unblock subsequent changes to:

avoid costs & limitations of the built-in market actor for simple no-payment FIL+ data, and
support user smart contracts as brokers for alternative deal types,

while maintaining the economic behaviour.

However, since this penalty is only 2.7% of the penalty for sector termination, we could instead just decide that mandatory data assurance is not worth the effort/complexity, and leave it up to smart contracts instead.

👉

Summary: - Apply data termination penalty in the miner actor - Account for QAP in the data termination penalty formulation - Reduce or remove deal collaterals from the built-in market actor

Background

The built-in storage market actor requires a minimum provider collateral for each deal. This is intended to provide a level of assurance/reliability to deal clients, and also has the effect of raising the risks/costs of serving a deal.

Calculated on raw storage, unaffected by FIL+
Burnt (not paid to the client) if a deal is ended early
Locks up some (trivial) amount of tokens for the deal duration, a benefit to holders.
Calculation: CircSupply * 1% * DealSize / max(NetworkRawPower, BaselinePower)

For reference, as of April 2023 for 32GiB:

	Verified	Unverified
Deal collateral	0.0089	0.0089
Initial pledge	2.171	0.2172
DC days of reward	2.4	24
DC / initial pledge	0.4%	4%
Termination fee	0.3331	0.0333
DC / termination fee	2.7%	27%

As a fraction of block rewards or pledge, the minimum deal collateral is thus a 10x cost for unverified vs verified deals. Similarly, deal collateral represents ~1/4 of sector termination penalty for unverified deals, but only ~1/40 for verified deals. Again, this is a 10x penalty for unverified vs verified deals, relative to network incentives.

The total contribution of deal collaterals to locked pledge tokens grows with utilisation, but is always tiny. At 100% sector utilisation with FIL+ deals, total deal collateral would be only 0.33% of total locking (~0.1% of circulating supply). Deal collateral is a trivial contribution to total locking benefits to token holders.

Problems

Two independent problems with this mechanism are:

Assuming that some mandatory network data assurance is appropriate, implementing it in the built-in market actor forces all deals to use that actor (costly) and restricts deals to terms that the built-in market can handle (very limiting).
Basing deal collateral on raw byte power is a relative disadvantage to unverified deals, substantially raising their cost and risk relative to block rewards and other penalties. This may hold back SPs from earning revenue from client-paid deals without the operational overheads of FIL+.

These problems suggest two goals:

Decouple data termination penalties from the built-in market actor, applying them regardless of any deal.
Scale data termination penalties in proportion to power so that un/verified deals attract a level of mandatory assurance & cost in proportion to network rewards.

Proposal

Enforce a data termination penalty in the miner actor. Align penalty amounts with power/rewards/pledge/termination-fee. Optionally, reduce or remove the built-in market actor’s locking of deal collateral.

Apply data termination penalty in miner actor

Reinterpret the existing per-sector [Verified]DealWeight fields as recording the amount of sector space-time occupied by non-zero data, without reference to deals in any particular market.

All current values in these fields remain valid.
No migration required

Alter the sector termination penalty calculation to add a new data termination penalty.

The new penalty is burnt whenever a sector with non-zero data is terminated prior to its commitment epoch.

Account for QAP in the termination penalty formulation

Calculate data termination penalty as:

CircSupply * K * (10 * VerifiedDealSize + DealSize) / max(NetworkRawPower, BaselinePower), where [Verified]DealSize is [Verified]DealWeight divided by the sector’s commitment duration, and K = 0.001 (i.e. 0.1%)

Circulating supply and network power inputs are inspected at the epoch the penalty is charged (no memoization in state).

This formulation is similar to the existing “deal collateral” penalty, except:

Verified deal size is multiplied by 10, and the constant K is divided by 10. This maintains the magnitude of the penalty for verified deals (the vast majority today) and reduces it for unverified deals, so the penalty is in proportion to existing incentive mechanisms.

💡

Evaluating this formulation raises the possibility that a different formulation might be better in the future. - Does dividing by the exponential baseline function make sense long term? - Promising alternatives include basing on block rewards (c.f. termination fee), circulating supply, or a fraction of initial pledge (includes a rewards part and a supply part).

Adjust built-in market actor

Remove (unused) client deal collateral from the built-in storage market actor.

Remove all code associated with locking client or provider deal collateral (but retain escrow of deal fees to be paid by client).

Remove built-in market locked funds from the circulating supply definition and calculation. This is a simplification and preparation for the built-in market to not be involved in every deal.

Unlock existing provider deal collateral from the built-in storage market actor. These deals are now secured by the equivalent data termination penalty.

Unlock currently locked amounts so they may be redeemed by the SP
Migrate deals states to zero the collateral fields

There are then some options for how to adjust the built-in market’s behaviour

Make no change. The built-in market requires mandatory deal collateral over and above the deal termination fee, but subsequent changes will make the built-in market actor an optional part of data onboarding.
Set the minimum provider deal collateral policy to zero. A deal proposal can require provider collateral, but the market doesn’t force it to be non-zero.
Change the built-in market’s deal collateral to only cover the period between deal publishing and deal activation (which is not covered by the data termination penalty).
Remove deal collateral functionality for future deals. Reject deal proposals that specify a non-zero provider deal collateral.

Rationale

This proposal decouples the deal collateral/data termination penalty from the built-in market actor while preserving the economic behaviour.

The data termination penalty is enforced by the miner actor so that it applies to all sector utilisation, whether or not an associated deal is made in the built-in storage market actor, an alternative market, a data DAO, or completely off-chain.

Relative to the present state, the penalty is reduced for unverified data. This avoids disproportionately penalising failure to maintain unverified data relative to verified data, as a proportion of block rewards. The penalty for verified data is maintained, while the cost/risk associated with storing unverified data is reduced.

💡

The data termination penalty complements sector termination penalties. Any part of the sector termination penalty that is intended to assure data stability should be captured by parameters here, instead. If sector termination penalties are reduced, it may be appropriate to increase this data termination penalty. See FIP discussion about termination penalty simplification.

The deal collateral locking requirement is removed from the built-in market actor without replacing it with an equivalent additional collateral in the miner actor because:

the miner already holds a vastly greater (30x) amount as sector initial pledge, sufficient to cover any penalty
the trivial amount locked is of no practical benefit to token holders, while imposing cost and complexity on the protocol design

Impact

The primary impact is incremental decoupling of the built-in market actor from the miner actor and essential storage operations, while retaining network-enforced data assurance penalties. This change unblocks subsequent changes that can let SPs onboard FIL+ verified data directly, avoiding costs and limitations associated with the built-in market actor for the common case when there is no additional client payments. Clients and SPs would then also be able to use other user-programmed smart contracts to mediate storage.

Depending on the path chosen for the existing collateral functionality, impacts to product are:

A client will no longer need to calculate minimum collateral amounts as part of constructing a valid deal proposal (if minimum is zero or functionality removed).
A miner will no longer be required to post deal collateral to the built-in market actor in advance of publishing deals, refresh collateral balances, handle failures associated with insufficient collateral etc. (if minimum is zero or functionality removed).
A client cannot chose the value of deal termination penalty (if functionality removed or changed to cover activation).

Future clients will be chose the value of collateral held for their benefit in alternative market smart contracts.

A miner faces no penalty for failing to activate a published deal in time (if functionality removed).

The simplest thing to do is just to drop this feature.

Impact on economics:

The built-in market’s balance is ~230k FIL (but not all of this is locked deal collateral). Unlocking this releases an amount a little over 1 day’s mining emissions, but <1 day’s vesting. This doesn’t seem worth smoothing over.

Future changes

Additional changes are required in order to support direct FIL+ deals and smart contracts dealing directly with storage. Such changes are primarily miner API and interaction changes that enable the SP to specify CommD directly. An older sketch of these is #298.

Support for re-snap and data deletion

Any centralised deal collateral or termination penalty introduces challenges to supporting well-intentioned data deletion (i.e. where a client desires or consents to deletion). A sector/data commitment is designed to secure the data committed for some duration. Data applications (markets, DAOs etc) may rely on such commitments. If an SP can re-snap to alter the data stored in a sector at will, smart contracts can have no assurance that their data is still stored. But if the SP can’t re-snap, they can’t delete data even when the client consents.

A full exploration of the problem and solution space is beyond scope here, except to note that avoiding all protocol-enforced data collateral/penalties would possibly simplify support for data deletion.

Alternatives

No mandatory client data assurance

An even simpler alternative is to just allow sector data to sidestep the built-in market actor without any data termination penalty. We could then move on to supporting direct FIL+ deals and smart contracts with no additional effort. The proposal above is framed against deal assurance being necessary at the network level, over and above sector termination penalties (by 2.7%), but if it isn’t then we don’t need a data termination penalty at all.

The built-in market actor would still be functional, and probably the dominant deal broker for some time. It can still have some collateral policy (see the options above), but it would no longer be a necessary part of any data onboarding.

This would constitute a minor change in economic policy, while the primary proposal is to just re-implement the current policy in a simpler and more extensible way.