No repay debt requirement for DeclareFaultsRecovered

[momack2]

No repay debt requirement for DeclareFaultsRecovered

• Read the Draft FIP

Abstract

Filecoin miners are subject to pay storage fault and consensus fault fees. These are paid using locked funds (ie, unvested block rewards) and then the miner’s available balance. If these two are not enough to cover the total fee amount, the remaining part to pay is recorded in a variable (FeeDebt) in the miner’s state and the miner is declared “in fee debt”.

For a miner in debt, the call to the methods PreCommit, DeclareFaultsRecovered and WithdrawBalance fails. Moreover this miner can not mine blocks. The fact that a miner in debt can not recover faults creates an undesired loop situation, in which a miner with faulted partitions can not recover, keep increasing its debt (note that continued faults cause more fees), eventually leading to sector termination if the miner does not repay their debt after 14 days. This is especially bad for small miners with little balance. To avoid this we propose to allow recovery of faults for miners in debt.

[spacetimedevx]

Thank you very much for the official understanding. In many cases, it is not that miner do not want to restore the power, but it may be impossible to restore it due to various problems in the program and hardware etc.
And the next time recovery needs to pay penalty, but in the case of no definite problem and relatively small power, we will prefer the latter in the choice of whether to continue to pay the penalty or to build a new miner. As a result, the restoration of storage is not active. This feels that it violates the original intention of Filecoin. We should do our best to repair the storage and ensure the integrity of the storage.
I support this proposal very much, and it can help us to make our best efforts to solve the problem and restore storage.

[tomasd2020]

LGTM.

[nicola]

After careful analysis, we reviewed more the security considerations written in the here and we believe that we could temporarily pause this FIP and try to mitigate the issue presented.

Problem: When a miner in-debt recovers sectors via FIP0006, these will count towards the total network QA power - however the miner won't be able to mine since they are still in debt.

Temporary patch: When a miner recovers a sector, this does not count towards total network QA power (e.g. is added to a special list called "recovered sectors") and it will start counting after the miner is out of debt

Final fix: However, this is just patch to the total network QA power inflation and the actual fix that should happen is (1) to refactor eligibility checks to remove power from the power table, rather than checking it at block verification time, (2) apply the above patch. This fix should help the problem above and solve other relevant problems that the temporary patch won't fix.

Ways forward:

• Ship FIP0006 as it is but with a commitment to the patch or the fix soon (not ideal)
  • Pros: To avoid miners running into more debt
  • Cons: See proposal security considerations
• Don't ship FIP0006 until temporary patch is shipped and later ship the final fix
  • Pros: Mitigate proposal consideration
  • Cons: Will require a new update eventually with the final fix and it may be a lot of code rewriting
• Don't ship FIP0006 until the final fix is shipped
  • Pros: GOOD
  • Cons: Might take too long

@nicola @irenegia @zixuanzh, @davidad

[jennijuju]

This FIP was deferred.