| fip | title | author | discussions-to | status | type | created |
|---|---|---|---|---|---|---|
0028 |
Remove DataCap and verified client status from client address |
Jiaying Wang (@jennijuju), Deep (@dkkapur), Fil+ Governance Community |
Final |
Technical |
2021-12-13 |
In the case of inactivity from a verified client or abuse of the Filecoin Plus system and incentives, notaries can remove partial or all DataCap from a client address. When clients's datacap is less or equal to zero, it means the verified client status for that address is revoked as well.
Today, DataCap is granted to notaries (verifiers on chain) which they can then allocate it to client addresses as a one-time-use credit. As clients make verified deals on chain, DataCap is used. Clients will need additional DataCap from notaries if they used up all DataCap that was allocated to them. Notaries will have to re-allocated more DataCap for these clients to re-earn verified client status and make verified deals. This flow is the only way in which DataCap is used and deducted from the network. DataCap is a valuable resource and the Fil+ system is still evolving quite a bit with regards to better identification of trustworthy clients. Recently, the program has been trending towards more rapid iteration with higher risk taking appetite in an effort to improve the client UX and get more data on ways in which DataCap can be used as a useful level. The option to remove DataCap would increase the odds of "success" of the program in making Filecoin as productive as possible and introduce an additional point of leverage to continue growing the Fil+ ecosystem without less risk of the system getting abused.
Note: this FIP is created based on the current state (Dec 2021) of Filecoin and the Fil+ program. It is under the assumption of the high level principles and the mechanism of the program will stay unchanged for the next 4-6 months, and does not account for changes that may occur due to the introduction of the FVM.
The program has recently hit the milestone of having 1000+ unique client addresses receive DataCap. DataCap utilization by clients historically has hovered between 30-40%. There are a lot of client addresses with DataCap on the network, many of which are not using the allocation they have recevied. The top level goal of Fil+ is to make Filecoin more productive, and adding an option to remove DataCap is useful in several ways:
- increasing the risk-taking ability for the program to achieve the next order of magnitude of scale
- provides a lever to ensure clients have consequences for violating trust / notaries have a mechanism to enforce dispute and audit results
- removing latent DataCap which could be used for future storage market manipulation or DataCap selling/buying
func (a Actor) RemoveVerifiedClientDatacap(rt runtime.Runtime, params * RemoveVerifiedClientDatacapParams) * RemoveVerifiedClientDatacapReturn {
...
}
type RemoveVerifiedClientDatacapParams struct {
Address addr.Address
Allowance DataCap
InitiatorSignature crypto.Signature
ApprovalSignature crypto.Signature
}
V1 of RemoveVerifiedClientDatacap will need 4 total signatures, two from any of the verifiers (notaries) and a root key holder multisig (f080) approval (threshold of 2). Every DataCap removal from a client must therefore have:
- 2 notaries approving
- 2 RKH approving
For the V1 design, neither of the notaries needs to have been the original verifier / granter of DataCap to the verified client.
If the requested amount of DataCap for removal is greater or equal than the remaining DataCap the client has, the client address' DataCap balance will be set to 0, and the client will be removed from the VerifiedClients map in verified_registry_state.
Having 2 notaries sign ensures notaries looking to remove a client's DataCap are communicating and sharing information with the community and other notaries.
Introducing the RKH signature in the process creates a need for documentation and public audit trail so that a root key holder can sign this proposal. This also provides a security check in case of malicious notary action.
Not applicable here - past DataCap allocations are eligible for removal in the future unless the DataCap has already been used in deals. Altering deal state is outside the scope of this proposal.
Testing is not blocking for this FIP, but could be good to ensure the combination of 2 notary + 1 RKH signer is safe.
This FIP introduces a new behavior in the network whereby unused DataCap can be removed from a client address. This increases the overall risk surface area for Fil+, whereby there may be an incentive for notary addresses + RKH addresses have another desirable power in the network. However, this is not really as lucrative or abusable as granting DataCap to a malicious client could be, and has the additional stopgap of requiring 3 signers, so overall, this FIP should not create any significant new threats/risks for the network.
As mentioned above, DataCap is a lucrative resource in the network, and having the ability to control / influence it is definitely desireable. This FIP does not meaningfully change the incentives for stakeholders in the Fil+ ecosystem since removing DataCap is a reversible action, i.e., if incorrectly removed, DataCap can be granted again to the client entity.
Based on how the Fil+ community supports DataCap removal for client inactivity, there is an additional incentive to use DataCap when clients receive it. However, this is in line with the programs goals to make the network more productive, and reduces risk of clients stockpiling unused DataCap.
For most trustworthy clients, this FIP does not directly change the product experience of the network.
However, this gives notaries, and the Fil+ community in general, leverage for further experimentation and risk taking that will have hopefully have a positive impact on future client experience.
TODO
Copyright and related rights waived via CC0.