STORAGE MARKET
Solidity · Go · IPFS bitswap

Decentralised storage, kept honest by proof

Files split into erasure-coded shards, spread across independent providers, and held to account by on-chain Merkle proofs and slashing. Cheat, and you lose your stake.

keccak256 leaves·erasure S×R shards·price-time matching
shard distributionlive
FILEbackup.zipS1S2S3S4provider ✓provider ✓provider ✓provider ✗
proof heldslashed — rebuilt from survivors
1 KiB
Merkle proof leaf
2.0×
max slashing multiplier
≤10%
protocol fee · on by default
20
providers in local demo

§01 — In plain English

What is this, really?

Instead of trusting one company to hold your files, you rent space from many strangers' computers — and they have to keep proving they still have your data, or they lose money. No trust required.

01
Upload

You have a file

A photo, a backup, anything — stored somewhere that won't lose it or read it.

02
Split

It gets shredded

Chopped into pieces and copied — like shredding a letter and photocopying each strip.

03
Match

Pieces spread out

Each piece goes to a different stranger's computer. No one holds the whole thing.

04
Prove

They must prove it

The network quizzes each host: prove you still hold piece #4 — or get fined.

05
Slash

Money keeps them honest

Hosts post a deposit to join. Lose data or lie, and it's taken away automatically.

06
Retrieve

You get it back, whole

Enough copies survive to rebuild your file — checked to be byte-identical.

§02 — Two ways to order

Pick the order that fits your data

Every deal on the market is one of two order types. Same proofs, same slashing — different shape of guarantee.

File orderimmutable

Pay once, sealed forever

Upload a file, it's shredded, matched, and proven — done. No one edits it after, not even you. One price for the deal, no ongoing bill.

  • Cheapest way to store — you pay for exactly the bytes you sent
  • Best for backups, archives, one-shot uploads you'll never touch again
  • Content-addressed: the file's identity is its proof, tamper is instantly visible
  • Share fast: one link carries the manifest, friends pull it peer-to-peer, encrypted end-to-end
How sharing works
Disk ordermutable

Reserve space, use it like a drive

Lock a block of capacity ahead of time, then drag files in and out over the reservation period. A Share Drive, not a single upload.

  • Add, replace, or delete files as your data changes — no re-uploading everything
  • Best for active workloads: ongoing backups, working sets, anything that isn't final yet
  • Capacity is bonded up front — a provider that oversells gets slashed the moment it can't produce
How reservation is proven

§03 — Sharing

Encrypt here, share with a link

Your file is encrypted in your browser before it is ever shredded — the key is generated on your device and never uploaded, so providers only ever hold ciphertext. To share, hand someone a single link carrying the manifest (shard map + Merkle root) and that key, tucked in the URL fragment where it never reaches a server.

client-side encryption · plaintext & key never leave your device
YOUR DEVICE
Key generated locally
File encrypted (AES-GCM)
Shredded into encrypted shards
NETWORKholds ciphertext only
S1S2S3S4

Only encrypted shards leave your machine — no provider, keeper or gateway can read the file.

shareable link · capability URL
https://dsm.link/f/bafybeigk7d3q…q4#k=7f3a9c…e19
gateway · any DSM nodemanifest CID · shard map + Merkle rootdecryption key · stays in the # fragment
The part after # is the URL fragment — browsers keep it client-side and never send it in a request. Gateways and providers only ever see encrypted shards.
01

Encrypted in your browser

The file is sealed with a key generated on your device (AES-GCM). The key is never uploaded — providers and gateways only ever hold ciphertext.

02

A pointer, not a payload

The link names the manifest, not the file. The recipient resolves it to a shard map, pulls the encrypted pieces peer-to-peer, and rebuilds locally.

03

Verified before it opens

The manifest carries the Merkle root. Every shard is checked against it as it arrives, so a tampered or missing piece is caught before anything is decrypted.

04

Revoke by re-keying

Rotate the key and republish the manifest; links you already shared resolve to shards they can no longer decrypt. Optional expiry can be baked into the deal.

§04 — Why bother

What you get out of it

The same job as a cloud drive — but nobody in the middle you have to trust.

Normal cloud storage
  • One company can lose, leak, or lock your data
  • They can read your files
  • They can raise prices or shut down
  • "Trust us, it's backed up" — you can't check
  • One outage takes everyone offline
This network
  • Spread across many independent hosts, with redundancy you control — no single point of failure
  • Hosts hold scrambled pieces, not readable files
  • Peers set the price on an open market — not central giants
  • Hosts must prove your data is safe, on the record
  • Cheaters are fined automatically; honest ones earn

Where it fits

— anywhere you need storage you can verify instead of trust.

Censorship-resistant storage

No central operator can pull your data. Content lives across independent, economically-bonded providers.

Nothing to scan

Files are encrypted client-side before they're chunked and spread across strangers — no provider, platform, or government ever holds a full plaintext copy to search, scan, or hand over.

Verifiable archival

Prove data is still held over time via periodic Merkle challenges — useful for compliance and long-term backups.

Storage marketplaces

A working reference for a token-priced order book where supply and demand for storage meet on-chain.

Research + teaching

A minimal, readable end-to-end model of proofs-of-storage, slashing, and erasure coding to learn or build from.

§05 — Follow the money

Who gets paid, and for what

You pay one storage fee. It splits three ways — and none of it relies on trust. Every payout is a rule in the contract, not a promise.

one market-cleared fee → revenue split · band width = share

Band width ≈ share of the fee. Every split is a rule in the contract — the provider earns the bulk as they keep proving, the keeper's cut (on by default, capped ≤10%) only applies to completed deals. Network gas is a separate, external cost paid to whoever runs the blockchain — not part of this split.

01

Provider

The bulk — streamed as they keep proving they hold your data. Their pay for the service. (≈97.5% + collateral back)

02

Keeper / protocol

A small cut funds the matcher and auditor — the machinery that pairs deals and catches cheaters. (capped fee (≤10%), on by default)

03

The chain

Tiny gas fee per transaction, paid to whoever runs the blockchain. Standard, unavoidable, external. (network gas)

04

Cheaters pay you

If a provider loses your data, their collateral for that deal is handed straight to you — not the protocol. You're compensated, automatically.

05

No skimming on failure

The keeper's cut only applies to completed deals. A failed deal refunds the client in full — the protocol earns nothing from your loss.

06

Every token accounted for

The contract can't mint or hide funds. What you pay in always equals provider + fee + collateral out — provable on-chain.

§06 — Why smart contracts

Code as the referee, not a company

An off-chain marketplace still needs someone to hold the money and decide who's honest. Putting the rules in a smart contract removes that someone.

funds in escrow → released only by code
honouredslashedClientpays fee up frontProviderlocks collateralSmart contractescrow · rules in codeProof holdspayment streamsFails / timeoutcollateral → client

Neither party holds the money — the contract does. Slashing, refunds and payouts fire automatically the instant a proof passes, fails, or a deadline lapses. No arbitrator, no support ticket.

01

No counterparty risk

Payment sits escrowed in the contract, not with the client or a middleman. It only moves per rules anyone can read in advance — nobody can freeze it, spend it, or quietly change the terms.

02

Enforcement is automatic

Slashing, refunds and payouts fire the instant a proof fails or a deal completes. No support ticket, no arbitrator, no waiting on a company's goodwill.

03

Every rule is public

The contract code and every past deal, payment and slash are on-chain and auditable by anyone — not a private ledger you have to take on faith.

§07 — The network

How the market is wired

Client posts a request. The keeper matches bids and spreads shards across providers. Everyone settles on the chain — cheaters get slashed.

Clientuploads fileKeepermatch + auditProvider ✓shard heldProvider ✓shard heldProvider ✓shard heldProvider ✗slashedOn-chain contractspayments · proofs · slashing
  • honest provider — proves it holds the shard
  • cheater — failed proof or timeout, stake burned
  • shard transfer (bitswap)
  • on-chain settlement

§08 — Price discovery

A peer-to-peer order book

No central giant sets the price. Providers post asks (the least they'll accept per shard); clients post bids (the most they'll pay). The keeper clears the cheapest reputation-adjusted ask against each open bid — supply and demand find the price on-chain.

Provider asks · supplyqty
70rep C7
63rep B11
55rep B14
48rep A9
42rep A6
clearing price55tokens / shard
Client bids · demandqty
60max pay12
55max pay10
50max pay8
44max pay15
38max pay5
01

No admin price

There is no oracle or operator setting rates. Price emerges from what providers offer and clients accept.

02

Reputation tilts the book

Asks are ranked by an effective price — a weak proof/completion record ranks a provider as if pricier, so reliability wins deals.

03

Match = a deal

When a bid covers the cheapest eligible ask, the keeper pairs them by price-time priority and opens the on-chain deal.

§09 — Provider scoring

Reputation is priced in

Every provider carries an on-chain track record. Three ratios — deal completion, proof pass rate, retrieval audits — average into a reputation score. That score becomes a price multiplier: a spotless record stays at 1.0×, a fully-bad one doubles to 2.0×. Cheap-but-unreliable sinks below honest providers that cost a bit more.

reputationBP = avg(deal%, proof%, audit%)theneffectivePrice = ask × (2 − reputationBP)
01provider-bravo1.05×
deal completion95%
proof pass rate94%
retrieval audits95%
ask 4851 effectivescore 95
02provider-alpha1.00×
deal completion100%
proof pass rate100%
retrieval audits100%
ask 5252 effectivescore 100
03provider-charlie1.28×
deal completion71%
proof pass rate73%
retrieval audits
ask 4254 effectivescore 72
04provider-delta1.75×
deal completion29%
proof pass rate29%
retrieval audits18%
ask 4070 effectivescore 25
01

New providers aren't punished

No history scores neutral (1.0×) — a clean slate, not a penalty. Honest veterans still outrank them once they build a record.

02

Audits fold in when earned

Retrieval-audit reliability only counts once a provider has real audit history, so an absent signal never helps or hurts.

03

Slashing scars the score

A failed proof or timeout burns stake and drops deal/proof ratios — raising the price multiplier on every future bid.

§10 — Uptime SLA

A committee keeps your provider honest

A provider commits to a minimum uptime and prices around it. A rotating quorum of staked keepers — not the client — challenges them to prove it, every epoch. Fall short, and collateral is slashed proportional to the shortfall: the client is refunded, and the keepers who caught it get paid from the slash.

COMMITTEEepoch-rotated · deterministic-randombonded stake · requiredvote-agreement ≥ 95 · scoredprobation slots · newcomersKeeper Achallenge #12Keeper Bchallenge #12Keeper Cchallenge #12Keeper Dchallenge #12Providercommitted 90%measured 81%2 proved · 1 missed · 1 provedQuorum voteshortfall 900 bpsbreach — slash firesClient refundbulk of the slashCommittee bountypaid to reportersChain cutprotocol fee
  • challenge issued
  • proof served in window
  • missed / timed out
  • quorum breach — graduated slash, not all-or-nothing
01

Judged against your own commitment

A provider commits to a minimum uptime and is scored against that number, not a universal 100% — realistic for home hardware, priced accordingly.

02

The committee is watched too

Every vote is checked against the on-chain proof. Lie, and it's discarded, your bond is slashable, and your score drops you off future committees — but the score favors recent votes, so honest streaks earn a seat back.

03

Slash pays the people watching

A breach slashes collateral proportional to the shortfall. Most goes to the wronged client, a cut funds the protocol, and a bounty pays the keepers who caught it — policing your peers is worth something.

§11 — Design case study

Reserving space before it's filled

Everything above proves a filled deal is really held. But a "Share Drive" — a fixed block of capacity reserved for a period, then drag-filled with files over time — needs the same guarantee for an empty block, and an empty block has nothing to challenge. This is the design problem worked through below: how do you stop a provider selling space it doesn't physically have?

Design used here — cheap, economic

Thin — economic hold

An empty block stores nothing: just a capacity lock plus a per-share collateral bond. Overselling is caught at write time — the possession challenge fails and the bond is slashed on the spot.

Alternative design — expensive, physical

Proof-of-space seal

A provider seals its empty capacity from a seed (a few KB) and proves cryptographically it holds the space — Filecoin's guarantee, without uploading empty bytes. Same reservation slot, heavier machinery.

cost of reserving 200 GB raw, empty · thin → thick
ModelUpload @ reserveSeal timeMint costTime to proof
Thin≈0 (few tx)seconds≈$0none — checked at write time
Slow-seal padding64 KB seed~10–30 min≈$0.01fast — merkle open
Chia proof-of-space64 B seed~20 min – 1 h≈$0.05fast — disk lookups
Filecoin PoRep224 B seed~7–14 h≈$0.90 + $10k rigGPU SNARK every 24 h — recurring
Thick (padding upload)full 200 GB27 min – 4.4 h≈$0 (bandwidth-bound)fast — merkle open

"Mint cost" is the one-time electricity to seal the empty reservation, at $0.15/kWh (Filecoin's $8–12k GPU rig is separate, one-time hardware). "Time to proof" is the ongoing per-challenge response once sealed — cheap everywhere except Filecoin, whose WindowPoSt SNARK is a real recurring GPU cost. The MVP ships thin; the reservation slot is built so a stronger seal can drop in later without a protocol re-architecture.

This table covers only the empty block, before any file lands in it. Writing a file into it is the ordinary store flow already covered above — erasure-coded upload, a matched deal per shard, gas, the provider's fee — the same for every model. What differs is whether that write also forces a re-seal, below.

extra cost to write a 1 GB file into an already-reserved slot
ModelRe-mint on write?GranularityExtra timeExtra cost
Thinno+$0
Slow-seal paddingyesper 100 MB block (fine)~3–9 s for 1 GB+≈$0 (negligible)
Chia proof-of-spaceyeswhole plot (~101 GB, coarse)~20–30 min+≈$0.05 — same as a fresh reserve
Filecoin PoRepyeswhole sector (32 GiB, coarse)~1–2 h+≈$0.13/sector
Thick (padding upload)no+$0 (padding already real bytes)

Thin and thick never re-seal — nothing was committed to the empty bytes, or the padding was already real, uploaded bytes. Slow-seal reseals just the touched 100 MB blocks, so a small file barely registers. Chia and Filecoin can't reseal at file granularity — the unit is a whole plot or sector, so even a 1 KB write re-mints the same ~101 GB / 32 GiB unit as an empty reserve. That coarseness is the practical case against them for a drag-and-drop drive, on top of the raw compute cost above.

01

Reservation, not just deals

A drive locks a fixed block of capacity — say 100 GB — for a period, then files are drag-dropped into it over time as separate erasure-coded writes.

02

Oversell has a cost

Every provider posts a bond against a reservation. Fail to hold what was promised and the bond is slashed to the client — the incentive, not a promise.

03

Same primitives as everything above

No new machinery: it reuses the order book's reservedFor field, the existing possession challenge, and the same erasure-coding client already does per file.

04

Enough for most, upgradeable if not

For everyday users, thin plus the existing possession challenge already deters a lying provider — the bond is slashed the moment a file lands and can't be produced. Proof-of-space slots into the same reservation primitive later, for operators who need the empty space itself provably held before any bytes arrive.

§12 — The technology

Proofs, not promises

A thin on-chain contract layer plus an off-chain Go stack. The chain settles payments and slashing; bitswap moves the bytes.

Merkle challenge–response · prove you still hold leaf 2
ROOTH01H23L0L1L2 ✓L3
proof path returned by the providersibling hash supplied to recompute the root
system architecture · on-chain truth, off-chain work
ON-CHAIN · Soliditysource of truth for deals, payments & slashing
PaymentTokenStorageMarket · order bookDealManagerProofVerifierReputationRegistry
▲ settle payments · slashread deals · reputation ▼
OFF-CHAIN · Go daemonsrun the market and move the bytes
ClientProvider · stakesKeeper · match + auditembedded IPFS · bitswap
01

Solidity smart contracts

PaymentToken, StorageMarket order book, DealManager lifecycle, ProofVerifier and ReputationRegistry run on-chain. The chain is the source of truth for deals, payments, and slashing.

02

Embedded IPFS (boxo / bitswap)

Each actor runs an in-process bitswap node — no DHT. Shards move directly between clients and providers over content-addressed transfers.

03

Merkle challenge–response proofs

Files are chunked at 1 KiB; each leaf is keccak256(index || chunk). Providers prove they still hold a shard by answering random Merkle challenges, or get slashed.

04

Erasure-coded shards + anti-affinity

A file splits into S shards × R copies — you choose S and R to dial durability up or down. On-chain anti-affinity spreads pieces across distinct providers so no single node can hold a whole stripe.

05

Go off-chain stack

Clients, providers, and keepers are Go daemons. A keeper matches bids to asks by price + reputation and audits providers with challenges and timeouts.

06

Provider staking + slashing

Providers stake to participate. Failed proofs (SlashedFailedProof) or missed deadlines (SlashedTimeout) burn stake and drop reputation — cheating costs money.

§13 — Features

Built to withstand bad actors

Honest providers get paid. Cheaters get slashed. Your file comes back verified.

Trustless by proof

You never trust a provider's word. Every stored shard is provably held or the provider is slashed on-chain.

Survives cheaters

Retrieval reconstructs the file from surviving honest copies and verifies it byte-for-byte, even when nodes go offline or corrupt data.

Reputation-ranked matching

The keeper ranks bids by price and reputation, so reliable providers win more deals over time.

Real cross-node demo

make demo spins up a 9-node market (7 honest + 2 cheaters) in containers with real cross-container bitswap.

One-command local run

make demo-local runs the whole 20-provider market as goroutines in a single process — no Docker needed.

Live distribution view

A React UI shows shards distribute, cheaters turn red, and balances + reputation update in real time.

Storage you verify, not trust

Spin up the full market locally in one command, or read how every proof, payment and slash works on-chain.