Separate storage collateral and pledge collateral #60
Comments
|
@decentralion Is this something you'd have bandwidth to help document? Thanks! |
|
I can help document if I have some more context on what's expected here. What are the relevant sections of the spec? What info do we need to communicate? Etc. cc @whyrusleeping |
|
I'm guessing we want something like this in the spec: https://github.com/filecoin-project/cryptoeconomics/blob/master/docs/filecoin_collateral.md I'll work with @whyrusleeping to get the relevant context together and post it here! |
|
At a high level (mostly recap, this is what @decentralion and I have talked about before) we have two types of collateral, pledge collateral and storage collateral. Both are needed per sector committed. The pledge collateral needed per sector is set by the network, the storage collateral per miner is set individually per miner on creation (parameter to the constructor). Concrete changes that should be made:
|
|
[Copied from #294] In the actor spec, ArbitrateDeal pseudocode mentions both burning pledge collateral and transferring storage collateral to the client. How this storage collateral is represented and where it comes from isn't specified. On being slashed in mining spec opens a discussion and TODO for disambiguating the two collaterals throughout the spec. My impression from conversations elsewhere suggest we're currently intending to identify both. Assuming we do follow through with storage collateral, we'll need:
Accounting for storage collateral is complicated somewhat by the fact that the details of a successful deal are never posted on chain. How can the network validate sufficient collateral has been posted? A model and spec for storage collateral is blocking go-filecoin completing deal arbitration and slashing implementation. |
heh, unfortunate overlap in word choice here. 'pledged' was not intended to overlap in meaning with 'pledge collateral'. Should change to 'posted' or similar (referring the the collateral the miner already has put up, not specific collateral)
The collateral is simply held by the miner actor. This can be clarified in the spec.
Correct, thus this issue.
The idea is that its a fixed amount per byte, without any sort of time period in the units. A miner would pick an amount that they create their miner actor with, and have that be fixed over time. This has lower implementation complexity than other solutions.
Since all collateral is held by the miner actor, any funds transferred to the miner actor count as posting collateral (either through a direct payment to the miner actor, or as funds included with another message like CommitSector)
A mechanism for retrieving just storage collateral from a 'completed' deal without removing the sector in question is not planned. To retrieve locked collateral a miner must remove the sector. Collateral balances then get updated during SubmitPoSt, and can be retrieved by a call to DePledge (which should probably be renamed to just 'WithdrawCollateral').
AbitrateDeal does this
The slashing auction and delegated slashing are two separate things. Delegated slashing already works, ArbitrateDeal accepts only a Deal, which may be submitted by anyone. This allows the client to give their deal objects to anyone so those people may slash the miner. To implement the auction, we need to send an increasing-over-time portion of the funds to the caller of ArbitrateDeal instead of sending it all to the client. This needs to be written.
Collateral checks are made when the miner commits a sector to the chain. If the miner does not have sufficient collateral, then the call to CommitSector will fail. If the miner is not able to post the sector in the agreed upon time frame (by the deals start date) the client may close their payment channel, and possibly slash the miner. This specific case of ArbitrateDeal would need to be implemented, as the current function only allows the client to slash the miner for removing sectors before the deal is complete (not for never having posted the sector). I filed an issue to discuss this at #306 |
|
Thanks for those responses. A model of a fixed per-byte amount, attached to sector bytes rather than (unknown) deal bytes is simple and answers many questions. I appreciate the simplicity. Apologies for not thinking fully through that before re-posting these questions.
Is it tracked explicitly in the
Sorry, I should have clarified so that another party "is directly incentivised to pay the gas fees to" slash. Agree the auction model is a distinct issue. I understand that at present the reward is destined fully to the deal client. |
It should be more clearly stated in the spec, easy thing to miss.
Looking at this more closely, this is not quite right in the spec right now. The collateral field seems to be tracking free collateral, but we can more simply use the miners account balance, removing the Collateral field entirely. This simplifies a few things, I will make the change tomorrow. |
|
Thanks for improvements in #312. When you're finishing this off, can I request renaming the It's also worth highlighting that the consensus collateral requirement may change with time, independent of any miner action, if the general collateral function ( @laser suggested a check for sufficient collateral for an additional sector like This might mean that pledge collateral must always computed, not looked up. If storage collateral is also a simple function of proving set, maybe no state variables are needed? But we do still need some withdrawal delay mechanism like |
|
@anorth -
The spec, in its current form, shows that the required collateral (in this context) for a sector is a function of that sector's size. What informs your understanding that the |
|
Yeah, not having any state variables and always recomputing here is the
right thing. It's annoying, because we have to pay that every time and it
makes our most common chain operation more expensive, but the alternatives
aren't great. (And it's probably not *that* much more expensive)
We could also only update collateral every X blocks, and do it lazily on
certain miner calls. That would save us having to recompute every time, but
I doubt the complexity is worth it.
…On Thu, May 30, 2019, 10:56 PM Alex North ***@***.***> wrote:
Thanks for improvements in #312
<#312>.
When you're finishing this off, can I request renaming the
ActiveCollateral state variable to better describe it's role? I can't
tell whether it's intended as the consensus collateral or storage
collateral (or both).
It's also worth highlighting that the consensus collateral requirement may
change with time, independent of any miner action, if the general
collateral function (CollateralForSectors) depends on
time/blockheight/FIL circulation, which I think we need to allow for. This
means that a PledgeCollateral state variable is always out of date.
@laser <https://github.com/laser> suggested a check for sufficient
collateral for an additional sector like
CollateralForSector(miner.SectorSize) < vm.MyBalance() -
miner.ActiveCollateral - miner.ConsensusCollateral
but I think it needs to be something like
miner.StorageCollateral + PledgeCollateralForSectors(miner.SectorSize *
(miner.ProvingSet.Len() + 1), vm.BlockHeight) <= vm.MyBalance()
This might mean that pledge collateral must always computed, not looked
up. If storage collateral is also a simple function of proving set, maybe
no state variables are needed? But we do still need some withdrawal delay
mechanism like DePledge.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#60?email_source=notifications&email_token=AAJPQHGVWHUBMISW6GHFXKTPYC42TA5CNFSM4GPRASDKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWUI5JY#issuecomment-497585831>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAJPQHCMEFIPJSUEARH4CI3PYC42TANCNFSM4GPRASDA>
.
|
See context in #60. Thanks to @whyrusleeping for help translating this into spec.
See context in #60. Thanks to @whyrusleeping for help translating this into spec.
See context in #60. Thanks to @whyrusleeping for help translating this into spec.
See context in #60. Thanks to @whyrusleeping for help translating this into spec.
See context in #60. Thanks to @whyrusleeping for help translating this into spec.
|
Note from a discussion in Slack that:
|
No description provided.
The text was updated successfully, but these errors were encountered: