Cache hit
The client scores candidate nodes withrate_per_mb × rtt_ms × (1 / max(reputation, 0.1)²) — lower is better (network). After settling on a node, it opens a channel in an allowlisted ERC-20 and streams. Vouchers cover every byte delivered; the node can settle any voucher on-chain later.
Cache miss with pull-through
cdn/client/v1 is the only paid-delivery protocol. The same protocol is used client→node and node→node. Every byte of the node-to-node pull is paid by the serving node; the serving node amortizes that cost across many downstream client deliveries.
If pull_through is disabled in the node’s config, the node returns a redirect pointing to a peer’s NodeId (never an origin URL). The client opens a channel with that peer directly.
Payment channels in three lines
- Open — client calls
openChannel(nodeAddress, deposit)on-chain. Deposit is escrowed in thePaymentChannelcontract. - Vouchers — off-chain EIP-712 messages
{channelId, amount, nonce, token, signature}. Cadence is negotiable per stream (default 1 MB). - Close — either party calls
closeChannel(voucher)with the latest voucher. A dispute window (default 48 h, bounded 12 h–72 h) lets the counterparty submit a later-nonce voucher if the close is stale.
cdn/watchtower/v1 to cover the node-is-offline case during the dispute window.
What keeps the network honest
- BLAKE3 hashes. Clients verify every chunk against the known blob hash. A bad byte voids payment.
- Slash signatures. Protocol messages carry an optional secp256k1
slash_sigthat can be verified on-chain viaecrecoveras evidence of corrupted delivery, phantom announcements, rate manipulation, or blacklist violations (slashing). - Optimistic challenge-response. Submit evidence; the counterparty has 24 h to submit counter-evidence.
SlashJudgeadjudicates after the window. - Reputation. A 0.0–1.0 score derived 70% from local observation, 30% from gossip-propagated reports weighted by the reporter’s effective settled value (reputation).
- Content blacklist. Governance-managed on-chain hash blacklist with global and regional scoping. Serving a blacklisted hash after the compliance window is slashable (takedown).
Where the boundary sits
| Layer | Trust |
|---|---|
| Bytes delivered | Verified against known BLAKE3 hash |
| Node availability | Trusted — slashed if phantom-announced |
| Node rate honesty | Trusted — slashed if advertised rate contradicts charged rate |
| Origin backend correctness | Assumed — outside protocol scope (operator concern) |
| App server key custody | Assumed — compromise exposes all that provider’s content |
| L2 RPC provider honesty | Assumed — mitigated via multi-source bootstrap |