Files split into erasure-coded shards, spread across independent providers, and held to account by on-chain Merkle proofs and slashing. Cheat, and you lose your stake.
§01 — In plain English
Instead of trusting one company to hold your files, you rent space from many strangers' computers — and they have to keep proving they still have your data, or they lose money. No trust required.
A photo, a backup, anything — stored somewhere that won't lose it or read it.
Chopped into pieces and copied — like shredding a letter and photocopying each strip.
Each piece goes to a different stranger's computer. No one holds the whole thing.
The network quizzes each host: prove you still hold piece #4 — or get fined.
Hosts post a deposit to join. Lose data or lie, and it's taken away automatically.
Enough copies survive to rebuild your file — checked to be byte-identical.
§02 — Two ways to order
Every deal on the market is one of two order types. Same proofs, same slashing — different shape of guarantee.
Upload a file, it's shredded, matched, and proven — done. No one edits it after, not even you. One price for the deal, no ongoing bill.
Lock a block of capacity ahead of time, then drag files in and out over the reservation period. A Share Drive, not a single upload.
§04 — Why bother
The same job as a cloud drive — but nobody in the middle you have to trust.
No central operator can pull your data. Content lives across independent, economically-bonded providers.
Files are encrypted client-side before they're chunked and spread across strangers — no provider, platform, or government ever holds a full plaintext copy to search, scan, or hand over.
Prove data is still held over time via periodic Merkle challenges — useful for compliance and long-term backups.
A working reference for a token-priced order book where supply and demand for storage meet on-chain.
A minimal, readable end-to-end model of proofs-of-storage, slashing, and erasure coding to learn or build from.
§05 — Follow the money
You pay one storage fee. It splits three ways — and none of it relies on trust. Every payout is a rule in the contract, not a promise.
Band width ≈ share of the fee. Every split is a rule in the contract — the provider earns the bulk as they keep proving, the keeper's cut (on by default, capped ≤10%) only applies to completed deals. Network gas is a separate, external cost paid to whoever runs the blockchain — not part of this split.
The bulk — streamed as they keep proving they hold your data. Their pay for the service. (≈97.5% + collateral back)
A small cut funds the matcher and auditor — the machinery that pairs deals and catches cheaters. (capped fee (≤10%), on by default)
Tiny gas fee per transaction, paid to whoever runs the blockchain. Standard, unavoidable, external. (network gas)
If a provider loses your data, their collateral for that deal is handed straight to you — not the protocol. You're compensated, automatically.
The keeper's cut only applies to completed deals. A failed deal refunds the client in full — the protocol earns nothing from your loss.
The contract can't mint or hide funds. What you pay in always equals provider + fee + collateral out — provable on-chain.
§06 — Why smart contracts
An off-chain marketplace still needs someone to hold the money and decide who's honest. Putting the rules in a smart contract removes that someone.
Neither party holds the money — the contract does. Slashing, refunds and payouts fire automatically the instant a proof passes, fails, or a deadline lapses. No arbitrator, no support ticket.
Payment sits escrowed in the contract, not with the client or a middleman. It only moves per rules anyone can read in advance — nobody can freeze it, spend it, or quietly change the terms.
Slashing, refunds and payouts fire the instant a proof fails or a deal completes. No support ticket, no arbitrator, no waiting on a company's goodwill.
The contract code and every past deal, payment and slash are on-chain and auditable by anyone — not a private ledger you have to take on faith.
§07 — The network
Client posts a request. The keeper matches bids and spreads shards across providers. Everyone settles on the chain — cheaters get slashed.
§08 — Price discovery
No central giant sets the price. Providers post asks (the least they'll accept per shard); clients post bids (the most they'll pay). The keeper clears the cheapest reputation-adjusted ask against each open bid — supply and demand find the price on-chain.
There is no oracle or operator setting rates. Price emerges from what providers offer and clients accept.
Asks are ranked by an effective price — a weak proof/completion record ranks a provider as if pricier, so reliability wins deals.
When a bid covers the cheapest eligible ask, the keeper pairs them by price-time priority and opens the on-chain deal.
§09 — Provider scoring
Every provider carries an on-chain track record. Three ratios — deal completion, proof pass rate, retrieval audits — average into a reputation score. That score becomes a price multiplier: a spotless record stays at 1.0×, a fully-bad one doubles to 2.0×. Cheap-but-unreliable sinks below honest providers that cost a bit more.
reputationBP = avg(deal%, proof%, audit%)theneffectivePrice = ask × (2 − reputationBP)No history scores neutral (1.0×) — a clean slate, not a penalty. Honest veterans still outrank them once they build a record.
Retrieval-audit reliability only counts once a provider has real audit history, so an absent signal never helps or hurts.
A failed proof or timeout burns stake and drops deal/proof ratios — raising the price multiplier on every future bid.
§10 — Uptime SLA
A provider commits to a minimum uptime and prices around it. A rotating quorum of staked keepers — not the client — challenges them to prove it, every epoch. Fall short, and collateral is slashed proportional to the shortfall: the client is refunded, and the keepers who caught it get paid from the slash.
A provider commits to a minimum uptime and is scored against that number, not a universal 100% — realistic for home hardware, priced accordingly.
Every vote is checked against the on-chain proof. Lie, and it's discarded, your bond is slashable, and your score drops you off future committees — but the score favors recent votes, so honest streaks earn a seat back.
A breach slashes collateral proportional to the shortfall. Most goes to the wronged client, a cut funds the protocol, and a bounty pays the keepers who caught it — policing your peers is worth something.
§11 — Design case study
Everything above proves a filled deal is really held. But a "Share Drive" — a fixed block of capacity reserved for a period, then drag-filled with files over time — needs the same guarantee for an empty block, and an empty block has nothing to challenge. This is the design problem worked through below: how do you stop a provider selling space it doesn't physically have?
An empty block stores nothing: just a capacity lock plus a per-share collateral bond. Overselling is caught at write time — the possession challenge fails and the bond is slashed on the spot.
A provider seals its empty capacity from a seed (a few KB) and proves cryptographically it holds the space — Filecoin's guarantee, without uploading empty bytes. Same reservation slot, heavier machinery.
| Model | Upload @ reserve | Seal time | Mint cost | Time to proof |
|---|---|---|---|---|
| Thin | ≈0 (few tx) | seconds | ≈$0 | none — checked at write time |
| Slow-seal padding | 64 KB seed | ~10–30 min | ≈$0.01 | fast — merkle open |
| Chia proof-of-space | 64 B seed | ~20 min – 1 h | ≈$0.05 | fast — disk lookups |
| Filecoin PoRep | 224 B seed | ~7–14 h | ≈$0.90 + $10k rig | GPU SNARK every 24 h — recurring |
| Thick (padding upload) | full 200 GB | 27 min – 4.4 h | ≈$0 (bandwidth-bound) | fast — merkle open |
"Mint cost" is the one-time electricity to seal the empty reservation, at $0.15/kWh (Filecoin's $8–12k GPU rig is separate, one-time hardware). "Time to proof" is the ongoing per-challenge response once sealed — cheap everywhere except Filecoin, whose WindowPoSt SNARK is a real recurring GPU cost. The MVP ships thin; the reservation slot is built so a stronger seal can drop in later without a protocol re-architecture.
This table covers only the empty block, before any file lands in it. Writing a file into it is the ordinary store flow already covered above — erasure-coded upload, a matched deal per shard, gas, the provider's fee — the same for every model. What differs is whether that write also forces a re-seal, below.
| Model | Re-mint on write? | Granularity | Extra time | Extra cost |
|---|---|---|---|---|
| Thin | no | — | — | +$0 |
| Slow-seal padding | yes | per 100 MB block (fine) | ~3–9 s for 1 GB | +≈$0 (negligible) |
| Chia proof-of-space | yes | whole plot (~101 GB, coarse) | ~20–30 min | +≈$0.05 — same as a fresh reserve |
| Filecoin PoRep | yes | whole sector (32 GiB, coarse) | ~1–2 h | +≈$0.13/sector |
| Thick (padding upload) | no | — | — | +$0 (padding already real bytes) |
Thin and thick never re-seal — nothing was committed to the empty bytes, or the padding was already real, uploaded bytes. Slow-seal reseals just the touched 100 MB blocks, so a small file barely registers. Chia and Filecoin can't reseal at file granularity — the unit is a whole plot or sector, so even a 1 KB write re-mints the same ~101 GB / 32 GiB unit as an empty reserve. That coarseness is the practical case against them for a drag-and-drop drive, on top of the raw compute cost above.
A drive locks a fixed block of capacity — say 100 GB — for a period, then files are drag-dropped into it over time as separate erasure-coded writes.
Every provider posts a bond against a reservation. Fail to hold what was promised and the bond is slashed to the client — the incentive, not a promise.
No new machinery: it reuses the order book's reservedFor field, the existing possession challenge, and the same erasure-coding client already does per file.
For everyday users, thin plus the existing possession challenge already deters a lying provider — the bond is slashed the moment a file lands and can't be produced. Proof-of-space slots into the same reservation primitive later, for operators who need the empty space itself provably held before any bytes arrive.
§12 — The technology
A thin on-chain contract layer plus an off-chain Go stack. The chain settles payments and slashing; bitswap moves the bytes.
PaymentToken, StorageMarket order book, DealManager lifecycle, ProofVerifier and ReputationRegistry run on-chain. The chain is the source of truth for deals, payments, and slashing.
Each actor runs an in-process bitswap node — no DHT. Shards move directly between clients and providers over content-addressed transfers.
Files are chunked at 1 KiB; each leaf is keccak256(index || chunk). Providers prove they still hold a shard by answering random Merkle challenges, or get slashed.
A file splits into S shards × R copies — you choose S and R to dial durability up or down. On-chain anti-affinity spreads pieces across distinct providers so no single node can hold a whole stripe.
Clients, providers, and keepers are Go daemons. A keeper matches bids to asks by price + reputation and audits providers with challenges and timeouts.
Providers stake to participate. Failed proofs (SlashedFailedProof) or missed deadlines (SlashedTimeout) burn stake and drop reputation — cheating costs money.
§13 — Features
Honest providers get paid. Cheaters get slashed. Your file comes back verified.
You never trust a provider's word. Every stored shard is provably held or the provider is slashed on-chain.
Retrieval reconstructs the file from surviving honest copies and verifies it byte-for-byte, even when nodes go offline or corrupt data.
The keeper ranks bids by price and reputation, so reliable providers win more deals over time.
make demo spins up a 9-node market (7 honest + 2 cheaters) in containers with real cross-container bitswap.
make demo-local runs the whole 20-provider market as goroutines in a single process — no Docker needed.
A React UI shows shards distribute, cheaters turn red, and balances + reputation update in real time.
Spin up the full market locally in one command, or read how every proof, payment and slash works on-chain.