Cryptographic security ensures that only authorized parties can perform certain operations—you cannot spend someone else’s Bitcoin without their private key. Economic security goes further: it ensures that even authorized parties who could misbehave choose not to, because doing so is unprofitable. In Kontor’s storage protocol, nodes have possession of file data and could theoretically delete it, store only partial copies, or collude with others to manipulate rewards. The protocol cannot cryptographically prevent these actions. Instead, it makes them economically irrational.
This approach relies on a fundamental assumption: storage nodes are profit-maximizing agents who respond to incentives. They will take any action that increases expected profit and avoid any action that decreases it. The protocol’s security derives from structuring costs and rewards such that honest behavior—actually storing files, responding to challenges, and maintaining availability—yields higher expected returns than any alternative strategy. When this condition holds, rational operators naturally behave honestly even without surveillance or enforcement beyond what the protocol itself provides.
The security analysis examines potential attacks not by asking whether they are technically possible, but whether they are economically viable. For each attack vector, the protocol must ensure that expected costs exceed expected benefits. This often involves making capital requirements dominate operational costs, ensuring penalties exceed gains, or structuring rewards so that cooperative behavior pays better than defection. The result is a system where security emerges from aligned incentives rather than imposed restrictions.
Capital Cost Dominance
The protocol’s security fundamentally depends on capital costs exceeding storage costs. Each node must stake KOR proportional to its commitments: $k_{req}(n) = \left(\sum_{f} k_f\right) \cdot \lambda_{stake}(n)$, where the sum is over all files the node stores and $\lambda_{stake}$ is the dynamic stake factor. This staked capital cannot be used for other purposes, creating an opportunity cost $k_{req} \cdot \rho$, where $\rho$ is the operator’s discount rate. With realistic parameters, this opportunity cost dwarfs the physical cost of storing data.
This asymmetry is what enables economic security. Many attacks attempt to reduce costs while maintaining revenues: storing partial files and gambling on challenges, running many identity nodes on shared storage, or claiming to store files without actually possessing the data. All these attacks save on storage costs, which are linear in data size and relatively cheap (fractions of a cent per gigabyte-month). However, they cannot avoid capital costs. To earn rewards, a node must maintain adequate stake regardless of whether it actually stores the data. Since capital costs dominate by orders of magnitude, the savings from not storing data are negligible compared to the capital that must still be committed.
The dominance relationship must hold across the full range of file sizes the protocol supports. For small files, physical storage costs approach zero, so capital costs obviously dominate. For large files, physical costs rise but remain sublinear relative to rewards due to logarithmic emission scaling. The protocol enforces a maximum file size $s_{max}$ partly to ensure this relationship remains valid—extremely large files could potentially reverse the dominance if storage costs grew large enough relative to emission-driven rewards. Within the bounded size range, honest storage remains the most capital-efficient strategy.
Sybil Resistance via Dynamic Staking
A Sybil attack involves creating multiple node identities to game the protocol. The naive version attempts to collect multiple reward streams while storing only one physical copy of the data—creating, say, ten node identities that all claim to store a file, earning ten times the rewards while paying only once for storage. This fails immediately due to capital cost dominance: the attacker must post full stake for each identity, paying ten times the capital cost to save on storage costs that are already negligible. The attack is obviously unprofitable.
A more sophisticated version uses Sybil identities not to save storage costs but to compartmentalize risk. Large operators face correlated failure risks—a data center fire, network outage, or software bug could cause them to fail challenges on many files simultaneously. If all files are stored under one identity, such an event could lead to complete stake forfeiture via the cascading insufficient-stake mechanism. By fragmenting their portfolio across many small identities, operators can limit the damage from any single failure event, preserving most of their stake even if some identities are slashed.
The protocol counters this through the dynamic stake factor $\lambda_{stake}(n) = 1 + \lambda_{slash} / \ln(2 + |F_n|)$, which imposes a capital penalty on nodes storing few files. A node storing a single file must stake $k_f \cdot \lambda_{stake}$, where $\lambda_{stake}$ can be 20-30× higher than for a large diversified node. To fragment a 100,000-file portfolio into individual single-file nodes would require roughly 20-30× more total capital than operating as a single large node. This makes risk compartmentalization prohibitively expensive—operators save more capital through consolidation than they gain through risk isolation.
The logarithmic scaling of $\lambda_{stake}$ means the penalty decreases smoothly as portfolio size grows. A node with ten files faces a moderate penalty; a node with a hundred files faces a small penalty; a node with thousands faces essentially no penalty. This creates the right incentive gradient: small-scale operators can still participate profitably (the penalty isn’t infinite), but large-scale operators are strongly incentivized to consolidate rather than fragment. The system achieves Sybil resistance without completely excluding small participants.
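As an added illustration (not code from the Kontor project), the following computes the dynamic stake factor defined above and compares the total stake of one consolidated node with the same portfolio split across many small identities. The value $\lambda_{slash} = 2.0$ and a uniform per-file base stake are assumptions; the page does not state them.

```python
import math


def stake_factor(num_files: int, lam_slash: float) -> float:
    """Dynamic stake factor lambda_stake(n) = 1 + lambda_slash / ln(2 + |F_n|)."""
    return 1.0 + lam_slash / math.log(2 + num_files)


def required_stake(base_stakes: list[float], lam_slash: float) -> float:
    """k_req(n) = (sum of k_f over the node's files) * lambda_stake(n)."""
    return sum(base_stakes) * stake_factor(len(base_stakes), lam_slash)


def fragmentation_ratio(num_files: int, files_per_identity: int,
                        k_f: float, lam_slash: float) -> float:
    """Total stake needed when a portfolio is split into identities holding
    `files_per_identity` files each, divided by the stake of one consolidated
    node holding all of them. Assumes every file has the same base stake k_f
    (a simplification; real portfolios mix file sizes)."""
    consolidated = required_stake([k_f] * num_files, lam_slash)
    full_identities, remainder = divmod(num_files, files_per_identity)
    fragmented = full_identities * required_stake([k_f] * files_per_identity, lam_slash)
    if remainder:  # the last identity holds whatever is left over
        fragmented += required_stake([k_f] * remainder, lam_slash)
    return fragmented / consolidated


if __name__ == "__main__":
    LAM_SLASH = 2.0  # assumed value; the page does not give lambda_slash
    for n in (1, 10, 100, 1_000, 100_000):
        print(f"{n:>7} files: lambda_stake = {stake_factor(n, LAM_SLASH):.3f}")
    ratio = fragmentation_ratio(100_000, 1, 1.0, LAM_SLASH)
    print(f"100k files as single-file identities need {ratio:.2f}x the consolidated stake")
```

The penalty shrinks with the logarithm of portfolio size, so the fragmentation ratio is driven almost entirely by how many single-file identities the attacker would need.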
Wash-Trading Prevention
Wash-trading involves storing your own data to farm rewards: create a file agreement, run storage nodes to store it, collect emissions, and hope the rewards exceed the fees paid. This attack would allow users to mint KOR through self-dealing rather than providing genuine storage services to others. The protocol prevents this through the relationship between user fees and emission values.
The user fee is $\upsilon_f = \chi_{fee} \cdot k_f$, where $k_f$ is the per-node base stake requirement and $\chi_{fee} \approx 0.003$ is a protocol parameter. This fee is paid once and burned immediately. The attacker’s revenue comes from emissions $\varepsilon_f(t)$ distributed over time and divided among all nodes storing the file. For the attack to be profitable, the net present value of future emissions must exceed the upfront fee.
The key parameter that prevents profitability is $\chi_{fee}$. Consider the simplified case where an attacker controls all nodes storing their own file. The file’s emissions are $\varepsilon_f(t) = \varepsilon(t) \cdot \left(\omega_f / \Omega(t)\right)$, and the attacker captures all of this. Over a planning horizon $h$ with discount rate $\rho$, the NPV is approximately $\varepsilon_f \cdot \left(1 - (1+\rho)^{-h}\right) / \rho$. For the attack to fail, we need $\upsilon_f > \mathrm{NPV}$, which after substitution and simplification yields a condition on $\chi_{fee}$ relative to the emission-to-stake ratio and discount rate.
With $\chi_{fee} = 0.003$ and realistic parameters (20% annual discount rate, typical emission levels), the upfront fee exceeds the recoverable emissions even over multi-year horizons. The attacker loses money on each wash-traded file. Furthermore, the attacker still faces ongoing costs—proving costs when challenged, opportunity costs on staked capital—that further reduce profitability. The mechanism doesn’t rely on detecting wash-trading; it simply makes the economics unfavorable regardless of the attacker’s intent.
Collusion and Redistribution
Storage nodes might collude to manipulate reward distributions. One scenario involves intentional slashing: multiple nodes storing the same file agree that one will deliberately fail a challenge, getting slashed, with the redistributed stake benefiting the co-conspirators. The question is whether the group profits collectively from this coordinated action.
When a node is slashed an amount $S = k_f \cdot \lambda_{slash}$, a fraction $\beta_{slash}$ is burned and the remainder $(1 - \beta_{slash}) \cdot S$ is distributed equally among the other $(|N_f| - 1)$ nodes storing that file. For a colluding group of size $k$ out of $n$ total nodes, the group’s net change is $-S + \frac{k-1}{n-1} \cdot (1 - \beta_{slash}) \cdot S$. This is positive—the group profits—only if $\frac{k-1}{n-1} \cdot (1 - \beta_{slash}) > 1$.
Since both $\frac{k-1}{n-1} \le 1$ and $(1 - \beta_{slash}) < 1$, their product is always less than 1. The group always loses money on net. The burn fraction ensures that redistributed amounts are always smaller than slashed amounts, and the equal division among many nodes means even a large colluding group captures only a fraction of the redistribution. The collusion is strictly unprofitable—the group would be better off not executing the attack and avoiding the slashing entirely.
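The group accounting above, as an added example (not code from the project): it evaluates the colluding group's net change exactly with rational arithmetic and sweeps every group size $k \le n$ to confirm the sign argument. The slash amount and burn fraction used in the demo are constructed sample values.

```python
from fractions import Fraction
from typing import Union

Number = Union[int, float, Fraction]


def collusion_net(slash_amount: Number, group_size: int, total_nodes: int,
                  beta_slash: Number) -> Fraction:
    """Net change for a colluding group of k out of n nodes on one file when one
    member is deliberately slashed S:  -S + (k-1)/(n-1) * (1-beta) * S.
    The slashed node is counted inside the group; it receives nothing back."""
    if total_nodes < 2:
        raise ValueError("redistribution needs at least two nodes on the file")
    if not 1 <= group_size <= total_nodes:
        raise ValueError("group must be between 1 and n nodes")
    if not 0 < Fraction(beta_slash) <= 1:
        raise ValueError("burn fraction must lie in (0, 1]")
    s, beta = Fraction(slash_amount), Fraction(beta_slash)
    redistributed = (1 - beta) * s                       # what survives the burn
    captured = redistributed * Fraction(group_size - 1, total_nodes - 1)
    return captured - s


def always_unprofitable(max_nodes: int, beta_slash: Number) -> bool:
    """Exhaustively check that no group size k <= n turns a profit, for n up to max_nodes."""
    return all(collusion_net(1, k, n, beta_slash) < 0
               for n in range(2, max_nodes + 1)
               for k in range(1, n + 1))


if __name__ == "__main__":
    S, BETA = 500, Fraction(1, 4)   # constructed: slash 500 KOR, burn 25%
    for k, n in ((2, 10), (5, 10), (10, 10)):
        print(f"group {k}/{n}: net = {float(collusion_net(S, k, n, BETA)):+.2f} KOR")
    print("unprofitable for every k<=n<=50:", always_unprofitable(50, BETA))
```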
Other collusion scenarios face similar structural barriers. Attempts to coordinate exits to trigger leave fees fail because fees are burned, not redistributed. Attempts to form cartels to monopolize files and extract rents fail because the sponsorship market allows any member to profitably defect. The protocol systematically avoids creating situations where coordinated misbehavior yields higher returns than independent honest behavior.
Detection Economics
The challenge mechanism provides probabilistic guarantees for detecting data loss. Each file expects $C_{target} = 12$ challenges per year regardless of network size. When challenged, a node must prove knowledge of $s_{chal} = 100$ randomly selected sectors from the file. The probability of detecting missing data depends only on the fraction lost, not the absolute file size.
For a node that has lost fraction $\mu$ of its data, the probability of detection per challenge is approximately $1 - (1 - \mu)^{s_{chal}}$. With $s_{chal} = 100$, even 10% data loss yields 99.997% detection probability per challenge. Given 12 challenges per year, the expected time to detection is measured in months, not years. For complete data loss ($\mu = 1$), detection is nearly certain on the first challenge—the annual detection probability is $1 - e^{-C_{target}} \approx 99.9994\%$.
The economic implication is that selective storage—keeping only part of a file to reduce costs—carries enormous risk. The node saves marginal storage costs (already small relative to capital costs) but faces near-certain detection within a short timeframe. When detected, the node loses its stake $k_f \cdot \lambda_{slash}$ plus all future earning potential from that file. The expected value calculation is decisively negative: tiny savings versus large probable losses.
This detection probability is what makes the capital requirements effective. Without reliable detection, nodes could safely store nothing and gamble on not being checked. With high detection probability, storing less than the full file is a losing bet. The challenge rate $C_{target}$ is calibrated to make the risk unacceptable—12 challenges per year provides multiple opportunities for detection within reasonable timeframes, ensuring that data loss is caught before files degrade beyond recovery thresholds (the protocol assumes erasure coding provides 10% fault tolerance).
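The detection arithmetic from this section, as an added example (not Kontor code): per-challenge and annual detection probabilities for a node missing fraction $\mu$ of a file, expected time to detection, and the one-year expected value of selective storage. Challenge arrivals are modelled as a Poisson process with the page's expected rate, which is an assumption; the stake and storage-saving figures in the demo are constructed.

```python
import math

S_CHAL = 100     # sectors proven per challenge (page value)
C_TARGET = 12    # expected challenges per file per year (page value)


def detection_per_challenge(mu: float, s_chal: int = S_CHAL) -> float:
    """P(at least one of s_chal randomly chosen sectors is missing) = 1 - (1-mu)^s_chal."""
    if not 0.0 <= mu <= 1.0:
        raise ValueError("mu is a fraction of the file")
    return 1.0 - (1.0 - mu) ** s_chal


def annual_detection_probability(mu: float, s_chal: int = S_CHAL,
                                 c_target: float = C_TARGET) -> float:
    """Assuming Poisson challenge arrivals at rate c_target per year, the chance that
    at least one challenge catches the loss within a year is 1 - exp(-c_target * p)."""
    return 1.0 - math.exp(-c_target * detection_per_challenge(mu, s_chal))


def expected_months_to_detection(mu: float, s_chal: int = S_CHAL,
                                 c_target: float = C_TARGET) -> float:
    """Mean waiting time until the first detecting challenge, in months."""
    p = detection_per_challenge(mu, s_chal)
    return math.inf if p == 0.0 else 12.0 / (c_target * p)


def selective_storage_ev(saved_storage_cost_per_year: float, stake_at_risk: float,
                         mu: float) -> float:
    """One-year expected value of dropping fraction mu of a file: storage savings minus
    the probability-weighted loss of the stake k_f * lambda_slash. Forgone future
    emissions are ignored, which is conservative in the attacker's favour."""
    return saved_storage_cost_per_year - annual_detection_probability(mu) * stake_at_risk


if __name__ == "__main__":
    for mu in (0.01, 0.05, 0.10, 1.0):
        print(f"mu={mu:.2f}: per-challenge {detection_per_challenge(mu):.6f}, "
              f"annual {annual_detection_probability(mu):.6f}, "
              f"~{expected_months_to_detection(mu):.2f} months to detection")
    # constructed: save 0.50 KOR/year of storage by dropping 10%, with 1000 KOR of stake at risk
    print(f"EV of 10% selective storage: {selective_storage_ev(0.50, 1000.0, 0.10):+.2f} KOR")
```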