owned this note
owned this note
Published
Linked with GitHub
# Reviewing the Target Locked Supply
###### tags: `filecoin-pl` `Protocol Review`
*Date: 16 November 2022*
*Speaker: Danilo Lessa Bernardineli (BlockScience)*
## What is Target Locked Supply?
:::info
Up to date by November 2022
:::
`Target Locked Supply` (TLS) is a tunable parameter - as of now, 30% - that controls the intensity of the `Sector Initial Consensus Pledge` - one of the constituents of Minimum Miner Collateral required in order to onboard a new Sector, which is defined as:
$ICP(t) = TLS * CirculatingSupply(t) * \frac{SectorQAP}{max(BaselinePower(t), NetworkQAPEstimate(t))}$
___
An alternative way of expressing is through the following:
$$p_c = f_{s, \Pi} * \Omega_C * \tilde{f}_{L'}$$
Where $f_{s, \Pi}$ is the Sector QAP divided by the Network QAP, $\Omega_C$ is the Protocol Circulating Supply and $\tilde{f}_{L'}$ is the Effective Target Locked Supply Fraction, which is defined as follows:
$$\tilde{f}_{L'} = \tilde{f}_{L} * \min(1, n_\Pi)$$
On which $\tilde{f}_{L'}$ is the Effective Target Locked Supply, and $n_{\Pi}$ (The Relative Network QAP Advantage over Baseline) is defined by $\Pi = n_{\Pi} b_t$, where $\Pi$ is the Network QAP, $b_t$ is the baseline function.
What this makes clear is the fact that when the Network QAP is 50% of the Baseline function, then the Consensus Pledge will half than if the Network QAP is 100% or more, **assuming that the sector share remains the same**.
**In practice, given that sectors tends to have fixed sizes, the $min$ operator works by providing an ceiling for how much the Consensus Pledge per Sector should be** for a given amount of Circulating Supply.
*Example of Consensus Pledge calculations*
| $p_c$ | Baseline | Network QAP | Sector QAP | $f_{s, \Pi}$ | $\Omega_C$ | $\tilde{f}_{L'}$ |
| - | - | - | - | - | - | - |
| 0.3 | 100 | 100 | 1 | 0.01 | 100 | 0.3 |
| - | - | - | - | - | - | - |
| 0.3 | 100 | 99 | 1 | 0.0101 | 100 | 0.297 |
| 0.297 | 100 | 101 | 1 | 0.0099 | 100 | 0.3 |
| - | - | - | - | - | - | - |
| 0.1493 | 100 | 201 | 1 | 0.00498 | 100 | 0.3 |
| 0.15 | 100 | 200 | 1 | 0.005 | 100 | 0.3 |
| - | - | - | - | - | - | - |
| 0.3 | 100 | 51 | 1 | 0.0196 | 100 | 0.153 |
| 0.3 | 100 | 50 | 1 | 0.02 | 100 | 0.15 |
### Comments
This mechanism is notable on the concepts that it bridges together, making it relatively challenging to understand its emerging dynamics. Specifically:
- Understanding `CirculatingSupply(t)` requires describing the historical and current Token Dynamics in terms of Minting (which is linked to Baseline Minting), SAFT Vesting, Burning (linked to Gas & Slash Dynamics) and Locking (linked to Block Rewards while being self-referential)
- `SectorQAP` relates to Sector Onboarding, Renewal & Upgrade events.
- `max(BaselinePower, NetworkQAP)` is direcly associated with Baseline Crossing.
- `NetworkQAPEstimate(t)` makes uses of the Alpha-Beta Filter.
All of those together makes this mechanism challenging to intuit about in terms of scenarios. Any model for including it should be relatively comprehensive in order to be an serious attempt in being representative of the actual generated dynamics.
One important observation is that the `Target Locked Supply` terminology can be somewhat misleading, as the `Actual Locked Supply Fraction` measurement tends to be somewhat higher given enough time due to the `Locked Rewards` and the `Storage Pledge` if the Network QAP is higher than the Baseline and if the Marginal Circulating Supply per Onboarded Sector Rewards is relatively constant.
Also, there's a tricky aspect which is the fact that $ICP$ is only tested when onboarding, upgrading or renewing an sector. On practical terms, this means that if all of the `Block Rewards` were to be unlocked immediatly and there's no `Storage Pledge`, then the `Actual Locked Supply Fraction` would be lower than the `Target Locked Supply` on most scenarios.
It is important to make explicit that the ICP operates on the Network QAP estimator as generated by the [Alpha-Beta Filter](/IK2npgagSrejaygDkjf2iA).
If the Network QAP is way lower than the Baseline Power for an sustained duration, it is possible that the `Actual Locked Supply Fraction` will be lower than the `Target Locked Supply`.
The Collateral Fraction can have non-trivial dynamics as it feedbacks on three simultaneous inputs (Circulating Supply, Network QAP and Baseline function) that can be counter-cyclical to each other and can have distinct characteristic time-scales. Eg, If the Circulating Supply is fixed on time, then earlier miners tend to have an bigger collateral than the later ones. However, the gradual release of rewards tends to increase the circulating supply, which induces an bigger weight to later miners.
Relevant Links:
- [Qualitative Analysis for the initial pledge function based on a Total Circulating Supply](/sZIo83OmRSyaAsthoMdFLw)
___
| Critical Cost | Collateral Fraction | Locked Fraction |
| - | - | - |
| |  |  |
[Repo Link](https://github.com/BlockScience/filecoin/tree/61aa74ec4f0dc0854b244042be5142de5e1b5510/exports/grid_html)
## Why it is relevant
Its importance lies on the fact that this is the main economic lever to remove circulating FIL from the secondary market, which means on first-order that introducing TLS causes:
- Significantly increasing the Cost to Onboard 33% of the Filecoin QAP. This is related to Protocol Security.
- Additionally, the induced scarcity of FIL means that liquidity will not be as readily available depending on the volume.
- Additional economical protection for the network against slashes incurred by the Storage Provider.
- Significantly increasing the capital investments and FIL exposure required for onboarding new sectors.
On second-order, the interactions can be more complex than the first-order effects, although **capturing the marginal effects can be difficult and heavily dependent on assumptions**. Some (but non-exhaustive) cause-effect elements includes:
- Impacting the Valuation of Filecoin as based on fundamental metrics (eg. Total Value Locked)
- Favouring Sector Onboarding towards Token Holders
- Inducing Liquidity Scarcity on the Secondary Markets
It is also important to note that some of the cause-effect movements induced by the TLS can potentially go counter the desirable properties for Deal Marketplace Stakeholders, as it means that the global share of FIL available for Deal Making is diminished, and TLS can likely favour old Storage Providers vs new Storage Providers, which in some circumstances can mean less competition for Storing Deals.
Not surprisingly, this has been always the most challenging parameter to be decided given the impact of this parameter and the trade-offs involved.
___
*Importance of the Parameters on the "Combined Goals" KPI. Target Locked Supply is the most important parameter. [Filecoin Documentation, p. 40](https://drive.google.com/drive/u/1/folders/1myzlRSpkWP_iLLDLpkuTIC12PPtT4YWS)*
*Effects of the Protocol Cryptoecon Parameters on Design Goals. [Filecoin Documentation, p. 10](https://drive.google.com/drive/u/1/folders/1myzlRSpkWP_iLLDLpkuTIC12PPtT4YWS)*
## Historical Context
:::warning
In Progress
:::
The initial economic design of Filecoin didn't include Consensus Pledge as a factor. The sole reason for having Miner Collaterals was to make sure that Storage Providers would be desincentivized from dropping the sectors early.
___
*Initial Requirements for the Sector Collateral, June 2020. [Source](https://docs.google.com/document/d/1m9NU-NfaFqg8SdwMm9hf-1wzPHnFC-9PJSub8ho9R2E/edit#heading=h.5pel2rnb0cmh)*
___
The main development that did change this calculus was the introduction of the Quality Adjusted Power concept together with Verified Deals in early 2020, which meant two things:
- On an CC / RD dominated world, it would require an comparatively small share of the RB power to acquire an large amount of QA power. Eg. on an scenario where 95% of the RB power are Capacity Committers, and 5% are Verified Deals, the later would hold 34.4% of the Network QAP.
- Onboarding Deals can be comparatively faster than Onboarding Storage. The later is constrained by the Sealing Capacity, which is expensive in terms of hardware and predictable in terms of velocity.
Also, most Filecoin Cryptoecon mechanisms were being designed in 2019 and 2020, just before and during the DeFi summer. The wave of capital inflows and economical attacks that has started to appear had introduced Resilency to Economical Attacks as a key design goal. This has generated the rationale for introducing the Consensus Pledge mechanism.
It is important to note that the TLS was always one of the most controversial parts of Filecoin's Cryptoeconomics. For a long time, it was by far the main cost component for onboarding new sectors, especially considering the initial Liquidity Crunch that has happened because of an lack of Circulating FIL just after the Mainnet Launch.
When it was proposed on June 2020 (two months before Testnet), there was a lot of pushback from miner groups. Those were mitigated through the following measures:
- Allowing Testnet Sectors to remain on Mainnet without the need for collaterals. This has generated an controversy on April 2021 when an FIP allowing sector renewal was approved. See [The Impact of V1 Sector Expirations on Filecoin Storage and Cryptoeconomics](/XGL9Ip6dR9KySTSsJe8b2g)
- Removing the cliff duration for the Block Rewards. The initial proposal was an 2 month delay. It was reduced afterwards to 20 days, and then to 0 days when simulations did indicate that there was no benefit at all in having a delay.
- Rewarding 25% of all the earned Block Reward immediatly through [FIP0004](https://github.com/filecoin-project/FIPs/blob/master/FIPS/fip-0004.md)
The specific value of TLS=30% was defined through multiple iterations and feedback loops between BSci, PL and the miner groups. It is important to note that the optimal value of TLS did depend heavily on the set of design goals to be maximized, and it did had an synergistic interaction with other parameters (mainly the ones related to lock period). For instance, before Testnet, BSci's recommendation was to set it to 20% while keeping an cliff duration of 3mo. And our final recommendation before Mainnet, when minimizing for Liquidity Crunch became an design goal, our recommendation did become TLS=20%, no cliff duration, and reduced locked period (3mo rather than 6mo).
*Parameter Recommendations before Testnet. [Link](**https://**)*
*Final Recommendations before Mainnet. [Filecoin Documentation, p.1](https://drive.google.com/drive/u/1/folders/1myzlRSpkWP_iLLDLpkuTIC12PPtT4YWS)*
## Some Current Context
| Locked Components | Collateral Share of Locked | Collateral Discrepance |
| - | - | - |
|  |  |  |
*Source: [(link](https://docs.google.com/spreadsheets/d/1-1z5q3CPpUaOieoycEgpFG_SD7LZjlV4DiKu4BfROns/edit#gid=1265414632))*
- Available Supply = Circulating Supply + Locked Supply
- (Locked Rewards + Initial Pledge) is currently
- around 31.4% of Circulating Supply
- around 23.9% of Available Supply
- Locked Rewards is currently
- around 3.8% of Circulating Supply
- Initial Pledge is currently
- around 27% of the Circulating Supply
- around 21.1% of Available Supply
## Some Pitfalls
- During the design phase, the KPI associated with "Locked Supply" was defined as being two:
- Locked Fraction: `Locked(t) / Supply(t)`
- `LockedSupply(t) = LockedRewards(t) + Collateral(t)`
- Collateral Fraction: `Collateral(t) / Supply(t)`
- `Supply(t) = Minted(t) + Vested(t) - Burnt(t
- Source: https://github.com/BlockScience/filecoin/blob/master/src/sim/model/parts/fil_supply.py
- A KPI for proxying Network Security, the Critical Cost, was defined as:
- CriticalCost(t) = `ProfitableQAP(t) * (PledgeCost(t) + OnboardingOpEx(t))/3`
- $PledgeCost(t) = Price(t) * \frac{ICP(t)}{\Pi(t)}$
- $OnboardingOpEx(t) = OpEx(t) +CapEx(t)$
- `ProfitableQAP(t)` is an adjusted StorageQAP(t) such that the participants NPV are positive given their share of the network participation and their expectations.
- The rationale for that is the StorageQAP(t) being used were exogenous signals. In that sense, ProfitableQAP(t) would be an proxy for what would happen if the actors were rational and if the network didn't disincentivize them from dropping sectors and deals immediatly. It is an acceptable worst-case scenario for the realized StorageQAP(t)
- Source: https://github.com/BlockScience/filecoin/blob/9ce1ba051b78a1b223535073ec4e496a1708315d/src/functions/metrics_granular.py#L4
## Some Questions and Answers
**how the target can ‘miss’. What are the reasons, like max(baseline,qap) denominator, and what happens to lock % if onboarding stops for a while (possible). What’s responsible for the big variation from 80-45% recently etc**
As said before, the "Target Locked Supply" terminology is somewhat misleading, it doesn't even converge to the said number. An better naming would be something like "Reference Locked Supply".
---
The reason for the `max(baseline, QAP)` term is to diminish the collateral requirement on downturns, as $\frac{Sector QAP}{QAP} >= \frac{SectorQAP}{max(baseline, QAP)}$.
For instance, if QAP is 50% of the Baseline, you could think that the "effective TLS" is being 15% rather than 30%.
The rationale behind it are two:
- Baseline would only go down the QAP after a long time since launch, making any attacks by then relatively costly, therefore allowing us to get away with an lower "effective TLS"
- QAP below Baseline could be understood as an period of storage downturn, so this would be an dynamical way to incentivize more onboarding.
- This is specially relevant if we consider that the Baseline Function Target was supposed to be re-evaluated after some time.
---
If storage onboarding (and renewing / upgrading) stops for a while, then what happens depends really with what happens with the other factors: Is Circulating Supply going to change? Is QAP going to change? And also the perspective, is it on the Storage Provider lens or the Macro lens?
On the Storage Provider lens:
Assuming that the network continues operating as usual, we can expect the Circulating Supply to go up, and QAP going down.
Initially, this will induce an increase on the Consensus Pledge per 32GB Sector. However if the interruption is sustained for a long period, we can expect two things: QAP going below the Baseline, which is always increasing in time, and the Circulating Supply ceasing to increase.
This means that the Consensus Pledge will have an inflexion point and start decreasing after a while. Given that the Baseline Function is exponential, then we expect that the Consensus Pledge will start reducing at the roughly same rate than the Baseline Function Growth.
Note that if QAP is already way below the baseline, that inflexion point may not be as evident
On the Macro lens:
Except for the Deal Collateral, all token lock mechanisms are associated with Sector Onboarding and Rewards. The general trend is then to the collateral fraction go down as the sector expires and miners unlock their collaterals.
___
As for the responsible for the big variation recently from 80% to 45%:
:::warning
:::
___
**what the primary purpose of locking is in terms of economic vs slashing security. Although it serves as slashing security, the value exceeds this, indicating the main factor is econ security**
I'm assuming that we're refering specifically to "locking as required by the **Consensus Pledge**", as we still have the Sotrage Pledge Collateral, the Deal Collateral, the Locked Rewards and the Vesting Schedule as locking mechanisms, each one with a different purpose.
**The stated purpose**, as on the Filecoin Spec, of locking-in **is to provide "long-term security** guarantees to the network" by **making consensus takeovers "more costly** as the block reward decreases'. This is by far the most universal argument on why it is needed, as it affects all participating stakeholders.
It should be noted that this is not necessarily the strongest argument depending on the scenario and stakeholder being analyzed. The introduction of this mechanism was associated initially with decreased UX, mainly in regards to late-comers and small miners (which can be closely related to the developer group, given their experimental cross-link). For those, Network Security was lesser of an concern when compared to facilating their participation through reduced CapEx.
*Filecoin Spec, 2.6.3 - Miner Collaterals*
___
**why not 20% in the end. Or why not much larger? If much larger, what would have to change? Does the lowish economic security currently provided by pledge justify higher target?**
> Why not 20% or something larger?
The final numbers (30%) were decided through several feedback loops with different groups within PL. BSci's role was to make available the best possible recommendations based on different utilities while making usage of our scientific toolkit that was developed exclusively for the purposes of simulating a wide-range of counter-factual scenarios after Mainnet.
Why did we recommend 20% and not something else? First, it's important to pinpoint that our recommendations followed a structure of providing point-like estimates, point-like estimates for different goals, and range-like estimates for different goals. The exact weight of each goal was never explictly distinguished. In that sense, the specific numbers of the recommendations are to be interpreted more as being "ranges of sanity" rather than an end-all number.
The main stated goal of TLS was to bring Network Security, which was proxied by computing the cost in USD in order to onboard 33% of the network QAP. In that sense, the value of TLS should be lower bounded by an specific amount on which its feasible for an attacker to acquire capital (like 1 billion USD). For most FIL price and FIL QAP scenarios that we did explore, having 10% of TLS would suffice to add an robust layer of security.
One troubling aspect is the relationship between TLS and induced effects into the USD/FIL price. After all, having an more expensive FIL will make the system more resilent against consensus attackers perpretaded by external actors. Delineating the relationship between the two is not trivial. Higher TLS can induce scarcity on the supply, but it can also reduce the available supply that could be used for deal making. The prices are defined by the flows on the market.
In the end, the case for 20% or 30% was somewhat stronger than the case for 10%. More than 30% was vetoed because of opposition from network participants. Proposing the Consensus Pledge was already a hard sell. We got into 30% but several concessions on other fronts were made.
> What would need to change in order to make TLS larger?
:::warning
:::
> Does low Network Security Justify Higher Targets?
That's a risk and likelihood question. The main vector for an Consensus Attack would be an Storage Provider to acquire 33% of the QAP through either onboarding or deals. Given the increasing predominance of Verified Deals, most likely the attack would require having access to an large pool of those.
How easy is to get that volume of deals? What would be the total cost to do so? Are there miners or groups that are dangerously close to that? How likely is that someone does indeed achieves the required setup to have at least 33% of the QAP?
Also, what's the general risk-affinity by the ecossystem? Are they willing to risk a 5% probability of consensus attack being viable over the course of 10 years? Or is this unacceptably high?
If the answer is: "the risk is unacceptably high", then an action is required. Either TLS goes up, or a modification / new mechanism is developed to mitigate the specific condition on which that risk is realized.
It can be important to understand the relationship between TLS, the price, and the liquidity markets before-hand however. If TLS doubles in amount but the price halves, the capital cost in USD of attacking under some assumptions will be approximately similar.
___
**Should the target lock be dynamic?**
You could argue that the Consensus Pledge is already dynamic: it feedbacks on the Circulating Supply, Network QAP and Baseline Function. The TLS is the governance-defined scale for how strong that feedback is.
Making the TLS dynamic has been discussed at the beginning and that was dropped because of:
- There was no explicit optimization goals for it
- Would make easier for future governance to re-evalute and change it
- Introducing more feedbacks / complex forms could induce the system into hard to understand behaviours or even worse: unpredictable modes
- Getting rid of a degree of freedom by introducing another dynamical function can imply adding even more parameters and assumptions, even if is implict rather than explicit.
One past proposal was that the Consensus Pledge could operate as a PID controller using $e=ActualLockedSupply - TargetLockedSupply$ as an error. This was dropped not only because we would be still required to define TLS, but also we would introduce the hyperparameters and smoothing functions related to the controller.
___
Google Drive
Gist
Clipboard
Sign in with Wallet
