Compute Claim Protocol: A Protocol for Standardized Claims on Future Computation
Version 0.1-draft Date: 2026-06-30 Status: Research proposal
1. Abstract
This paper proposes the Compute Claim Protocol, abbreviated CCP, a blockchain protocol for issuing, trading, clearing, and redeeming standardized claims on future computational capacity. The protocol is based on a narrow thesis: as artificial intelligence increases the economic value of computation, compute becomes a financial commodity. A commodity is financeable when it can be measured, standardized, delivered, priced across time, and used as collateral. Computation already satisfies some of these conditions in cloud markets, but present cloud arrangements generally sell computation as a service at or near the moment of use. CCP generalizes this arrangement by defining a transferable right to future computation.
CCP does not tokenize graphics processing units, servers, data centers, or equity interests in infrastructure. It tokenizes standardized claims on future computational service. A participating compute provider reserves capacity, issues Standard Compute Credits, collateralizes its obligation, and commits to redemption rules. Buyers may redeem credits for compute, sell them in secondary markets, lend against them, use them as collateral, or combine them into derivatives. The economic primitive is therefore not ownership of hardware, but a redeemable right against a measurable unit of future computation.
The protocol specifies (i) compute units, (ii) claim classes, (iii) issuer admission, (iv) collateral and reserve requirements, (v) redemption and expiration, (vi) settlement, (vii) oracle inputs, (viii) dispute resolution, (ix) liquidation, (x) insurance, and (xi) governance. The protocol uses a blockchain because no single compute provider should control the ledger of claims, collateral, redemptions, defaults, and market prices. A blockchain provides a shared state machine for parties that may compete economically but must agree on ownership, obligations, settlement, and liquidation. CCP therefore treats the chain as a neutral settlement substrate while keeping actual computation, metering, and most commercial negotiation off-chain.
The paper presents formal definitions, state machines, pseudocode, economic models, attack analysis, and research problems. It argues that compute finance follows from first principles if four assumptions hold: demand for artificial intelligence computation continues to increase, computation remains scarce over economically relevant horizons, computation can be measured with sufficient precision for settlement, and measurable computation can be standardized into fungible or semi-fungible classes. Under these assumptions, forward claims on computation arise naturally because users want price certainty, providers want financing and capacity planning, and intermediaries want transferable risk. CCP is proposed as a settlement layer for that market.
2. Introduction
Agriculture made grain storable and transferable. Industrialization made steel, coal, electricity, and oil central inputs to production. Modern finance made capital itself tradable across time. Artificial intelligence makes computation a primary factor of production. The economic form of computation, however, is still immature. Most computation is purchased as a cloud service under provider-specific contracts, region-specific prices, opaque capacity constraints, and non-transferable account balances. This structure resembles a pre-financial commodity market: useful, large, and operationally sophisticated, but not yet standardized into portable claims.
The claim of this paper is not that every compute contract should be financialized. Many workloads are idiosyncratic. Data locality, compliance, model architecture, hardware generation, interconnect topology, and software stack matter. A compute unit cannot be perfectly homogeneous in the way a dollar of bank reserves is homogeneous. But commodity markets do not require physical identity. They require standard grades, settlement rules, delivery tolerances, and credible procedures for quality adjustment. Oil markets distinguish Brent and WTI. Electricity markets distinguish nodes and times. Cloud computing can analogously distinguish accelerator class, region, time window, memory, interconnect, reliability, software environment, and service level.
The central object of CCP is a tokenized claim called a Standard Compute Credit (SCC). An SCC is a bearer or account-based digital instrument representing the right to redeem a defined amount of future computation from an approved issuer, within a defined delivery class and time window, subject to protocol rules. The SCC is not a promise that a specific machine will be delivered. It is a promise that an issuer will provide computation meeting the class specification or settle according to a fallback rule. The issuer is a data center, cloud provider, decentralized compute network, broker of capacity, or other entity approved by governance and risk modules.
The problem CCP solves is not the execution of arbitrary workloads. Actual computation remains off-chain. CCP solves the financial and settlement problem around computation:
- How should future compute rights be standardized?
- How can providers issue claims without over-issuing?
- How can users redeem claims without revealing sensitive business plans?
- How can markets price compute across time?
- How can default risk, quality risk, and oracle risk be bounded?
- How can claims interoperate with derivatives, lending, and collateral markets?
The proposed answer is a protocol with two layers. The on-chain layer records claims, collateral, positions, margin, issuer obligations, proofs, dispute bonds, and governance decisions. The off-chain layer performs actual compute delivery, metering, attestation, benchmarking, service-level monitoring, and confidential commercial negotiation. The boundary is deliberate. Computation is too large, too private, and too workload-specific to execute on a settlement chain. But rights to computation can be represented on-chain if their lifecycle is narrow and formally specified.
CCP is not specified for a particular chain. A compute-finance protocol resembles a derivatives and collateral system more than a simple payment application. It requires reliable settlement, programmable collateral, frequent margin updates, order matching or auction settlement, liquidation, oracle-responsive risk calculations, and privacy-preserving disclosure for institutional positions. These requirements can be implemented on any blockchain that provides sufficiently expressive smart contracts, credible finality, durable state, oracle integration, and a security model acceptable to claim holders and issuers. The paper therefore focuses on protocol logic rather than deployment branding.
This document should be read as a protocol specification and economic proposal, not as a claim that the protocol exists in production. The system requires implementation, testing, issuer onboarding, legal analysis, audits, oracle validation, and empirical calibration.
3. Background
3.1 Commodities and Forward Claims
A commodity becomes financeable when it can be represented by a contractual claim that market participants treat as sufficiently standardized. The claim need not transfer the underlying physical object at every trade. Grain receipts, warehouse warrants, oil futures, electricity forwards, freight derivatives, and carbon credits are all examples where the financial object abstracts over delivery, measurement, quality, location, and time.
Let \(x\) be a productive input. A financial claim on \(x\) requires at least:
where \(u\) is a unit of measure, \(q\) is a quality class, \(t\) is a delivery interval, \(l\) is a delivery location or access domain, \(s\) is a settlement rule, and \(r\) is a recourse rule if delivery fails. The more objective these parameters are, the more liquid the market can become.
Compute has historically lacked a single unit \(u\). Providers quote vCPU-hours, GPU-hours, token throughput, storage operations, memory, bandwidth, and managed service calls. For AI workloads, accelerator time is necessary but insufficient. A GPU-hour on an old accelerator is not equivalent to a GPU-hour on a newer accelerator. A GPU-hour without high-bandwidth memory is not equivalent to one with it. A cluster-hour with weak interconnect is not equivalent to one with NVLink-class topology. CCP therefore defines compute units as bundles of measurable attributes rather than a single physical dimension.
3.2 Cloud Markets
Cloud markets already contain primitive forward contracts. Reserved instances, savings plans, committed-use discounts, enterprise contracts, priority reservations, spot markets, and capacity blocks are all claims on future infrastructure under provider-specific rules. These contracts reduce cost uncertainty and help providers plan capacity. They are usually not portable, not composable, not transparent, and not usable as collateral outside the provider's own accounting system.
This limitation is not accidental. Cloud providers optimize for operational reliability and customer retention, not for external secondary-market liquidity. A transferable compute claim requires additional infrastructure: issuer risk disclosure, standardized delivery classes, independent metering, collateralization, dispute handling, and market-wide settlement.
3.3 Blockchain Settlement
Blockchains provide public state machines with programmable asset rules. They are useful where multiple parties require shared settlement without trusting a single operator. They are not useful for all aspects of compute delivery. Running AI workloads on-chain is not the objective. The useful blockchain function is the enforcement of claim ownership, transfer, collateral, liquidation, and redemption state.
A compute-finance blockchain protocol therefore needs:
- finality sufficient for collateral and margin;
- high throughput for order and position updates;
- privacy for institutional positions and redemption schedules;
- oracle integration;
- clear governance over claim standards and risk parameters.
No particular consensus mechanism is assumed. Proof-of-stake, proof-of-work, permissioned BFT, rollup-based execution, or app-specific chains may all be viable if their finality, liveness, censorship resistance, cost, and governance properties satisfy the risk requirements of the claims they settle. The protocol should treat chain selection as an implementation parameter, not as part of the economic primitive.
4. The Compute Economy
4.1 Compute as a Factor of Production
Artificial intelligence transforms computation from a back-office cost into a direct productive input. A model developer transforms data, parameters, energy, hardware time, engineering labor, and capital into a trained model. A user of inference transforms prompts, context, model weights, and accelerator time into decisions, text, code, images, or actions. In both cases, compute is consumed to produce an economically valuable output.
Let production be:
where \(Y\) is output, \(A\) is organizational productivity, \(K\) is capital, \(L\) is labor, \(D\) is data, and \(C\) is computation. If the marginal product of compute is positive and if compute cannot be elastically supplied at constant cost, then compute has scarcity rent. In such a case, future access to compute becomes valuable.
The relevant scarcity is not absolute scarcity of silicon alone. It includes:
- semiconductor fabrication lead times;
- packaging and high-bandwidth memory constraints;
- power availability;
- grid interconnection;
- cooling capacity;
- data center construction;
- network interconnect;
- hardware reliability;
- software stack maturity;
- operational expertise;
- regulatory and geographic constraints.
Thus a future compute claim is a claim on a bundle of physical and organizational capacity.
4.2 Demand Volatility
AI compute demand is lumpy. Training runs are large projects. Inference demand may spike with product launches, market events, or agentic workflows. Providers must decide whether to build capacity before demand is known. Users must decide whether to commit capital before workload value is known. This creates a natural forward market.
Let \(D_t\) be demand for a compute class at time \(t\), and \(S_t\) be available deliverable capacity. The spot price \(P_t\) can be modeled as:
where \(c_t\) is marginal operating cost, \(\phi > 0\) is scarcity sensitivity, and \(\gamma \geq 1\) captures convex price pressure under shortage. If \(D_t\) is volatile and \(S_t\) has slow adjustment, users face price risk and providers face utilization risk. A forward claim transfers some of this risk.
4.3 Time Structure
Computation is perishable in time. A GPU hour unused at noon cannot be stored and sold at midnight as the same hour. This makes compute similar to electricity, bandwidth, airline seats, and hotel rooms. However, future rights to time-bounded capacity can be stored as financial claims before the delivery window.
The value of compute is therefore indexed by:
where \(q\) is quality class, \(r\) is region/access domain, \(\tau\) is delivery start, \(\Delta\) is duration, \(\rho\) is reliability, and \(\alpha\) is issuer credit quality. CCP standardizes these variables sufficiently to make claims transferable.
5. Existing Cloud Markets
Existing cloud markets have three relevant features: centralization, non-transferability, and provider-defined metering.
First, cloud service rights usually exist inside a provider account. A customer may reserve instances or commit spend, but the claim is not generally a bearer asset. Transfer requires contractual consent. A secondary market, if any, is thin and provider-mediated.
Second, price discovery is fragmented. Providers publish list prices, discount programs, spot prices, and private enterprise terms. Market participants cannot easily observe the full forward curve for a standardized unit of compute.
Third, metering is internal. Providers measure usage and invoice customers. The customer can audit logs, but market-wide trust in the measurement system depends on provider reputation and contract enforcement rather than a shared protocol.
These features are acceptable for service procurement. They are insufficient for a capital market. A capital market requires external parties to hold, value, transfer, lend, hedge, insure, and settle claims without negotiating bilateral cloud contracts at each transfer.
CCP does not replace cloud providers. It creates a settlement layer above them. Providers remain responsible for physical delivery. CCP standardizes the financial object and enforces market rules.
6. Financialization of Compute
6.1 From Service Contract to Financial Instrument
A service contract becomes a financial instrument when the claim can be separated from the original buyer and priced independently. In CCP, the transformation has four steps:
- Define a standard compute class.
- Let an approved issuer reserve capacity and mint claims.
- Let claims transfer and collateralize under protocol rules.
- Let redemption or cash settlement extinguish the obligation.
The instrument is a right, not a machine. Its value depends on expected compute usefulness, issuer solvency, market liquidity, time to expiry, and substitute prices.
6.2 Standardization and Basis Risk
No standard compute unit can perfectly represent all workloads. Basis risk is the mismatch between the standardized claim and the user's actual workload need. If a user needs a specific accelerator topology but holds a broader compute credit, the redemption may be suboptimal. If a trader hedges cloud price exposure with a general AI compute index, the hedge may underperform.
CCP makes basis risk explicit. Each SCC has a class vector:
where \(a\) is accelerator benchmark class, \(m\) is minimum memory, \(i\) is interconnect class, \(n\) is network egress class, \(\sigma\) is software environment, \(r\) is region, \(e\) is energy/carbon attribute if specified, and \(\rho\) is service-level reliability.
Markets may prefer broad classes for liquidity and narrow classes for hedging precision. Governance should not force a single class. It should define admission and disclosure standards.
6.3 Financial Products
Once SCCs exist, standard financial products follow:
- spot SCC transfers;
- forwards for future SCC delivery;
- futures with daily margin;
- options on SCCs or compute indexes;
- swaps between fixed compute price and floating compute price;
- lending against SCC collateral;
- insurance against issuer default or delivery failure;
- compute bonds issued by providers;
- compute ETFs and indexes holding diversified SCC baskets;
- structured products combining compute exposure, collateral yield, and insurance.
These are not added because they are fashionable. They arise because different participants hold different risks. Providers have capacity risk. Users have price and availability risk. Speculators absorb risk for expected return. Insurers specialize in default and operational risk. Lenders transform collateral into liquidity.
7. Protocol Overview
CCP is a modular protocol composed of registries, vaults, markets, oracles, and state machines.
The main contracts are:
ComputeClassRegistry: defines approved compute classes.IssuerRegistry: admits providers, records risk limits, and manages slashing.CapacityVault: holds issuer collateral and tracks reserved capacity.SCC: token contract for compute claims.RedemptionRouter: burns or locks SCCs and routes redemption requests.OracleAggregator: receives price, capacity, delivery, and benchmark attestations.Clearinghouse: manages margin, derivatives positions, liquidations, and settlement.InsurancePool: pays valid claims when issuers default and receives premiums.Governance: updates parameters subject to delays and constraints.
7.1 On-Chain and Off-Chain Boundary
On-chain:
- claim issuance and burning;
- collateral deposits and withdrawals;
- issuer capacity limits;
- transfer and market settlement;
- margin accounting;
- liquidation;
- oracle commitments;
- dispute bonds and rulings;
- insurance pool balances;
- governance decisions;
- cryptographic commitments to off-chain evidence.
Off-chain:
- workload execution;
- provider scheduling;
- detailed telemetry;
- encrypted order preprocessing if required;
- physical audits;
- benchmark execution;
- customer support;
- legal contracting;
- private negotiation of enterprise redemptions.
The off-chain components are not trusted blindly. They produce attestations, signed logs, zero-knowledge proofs where feasible, and challengeable commitments.
8. Standard Compute Units
8.1 Compute Unit
Definition 1. A Compute Unit (CU) is a normalized measure of computational service over a time interval for a specified class of hardware and software environment.
CCP defines:
where \(B(\kappa)\) is the benchmark throughput of compute class \(\kappa\), \(\Delta\) is delivered time, and \(\eta \in [0,1]\) is the realized service-quality multiplier after accounting for downtime, throttling, and benchmark deviation.
The benchmark \(B(\kappa)\) is not a universal physical constant. It is a governance-approved reference score derived from reproducible workloads. For AI accelerators, benchmark suites may include matrix multiplication throughput, transformer training throughput, inference tokens per second under standard models, memory bandwidth, collective communication performance, and failure rate.
8.2 Standard Compute Credit
Definition 2. A Standard Compute Credit (SCC) is a tokenized claim redeemable for \(N\) Compute Units of class \(\kappa\) during delivery window \(W = [t_0, t_1]\), issued by provider \(p\), subject to collateral and settlement rule \(s\).
An SCC is represented as:
where \(id\) is the claim identifier, \(p\) is issuer, \(N\) is units, \(s\) is settlement mode, \(c\) is collateral class, and \(\epsilon\) is expiration rule.
CCP supports three fungibility levels:
- Issuer-specific SCCs: redeemable only against one provider.
- Pool SCCs: redeemable against a pool of providers in the same class.
- Index SCCs: economically settled against a price index, not directly redeemable for compute unless converted.
Issuer-specific SCCs have higher credit risk and stronger delivery specificity. Pool SCCs reduce issuer risk but require allocation rules. Index SCCs are useful for derivatives and hedging.
8.3 Quality Adjustment
If delivered compute deviates from class specification, settlement applies a quality multiplier:
where \(x_j\) are observed performance metrics, \(x_j^\ast\) are required metrics, \(w_j\) are weights, and \(\delta\) is penalty for downtime or breach. The delivered CU is \(N \eta\). If \(\eta < \eta_{\min}\), the redemption is invalid and the issuer enters cure or default state.
9. Tokenized Compute Claims
9.1 Claim Lifecycle
The lifecycle is intentionally conservative. A claim cannot be redeemed unless it is locked. A locked claim cannot be traded unless released. A provider cannot withdraw collateral if outstanding claims would breach reserve requirements. An expired claim cannot be newly redeemed unless governance has activated an emergency extension.
9.2 Transfer Restrictions
CCP aims for composability, but not all SCCs should be freely transferable in all contexts. Transfer restrictions may apply where:
- legal jurisdiction requires permissioned holders;
- issuer terms require KYC for direct redemption;
- export-control rules apply to compute class or region;
- claim is private and holder identity is hidden from public but known to a compliance module;
- claim is pledged as collateral.
Restrictions must be encoded in the claim metadata and enforced by transfer hooks. Markets can price restricted claims separately.
9.3 Expiration
Compute is perishable. Claims must expire. Expiration rule \(\epsilon\) defines:
- last redemption request time;
- grace period;
- cash settlement fallback;
- penalty if issuer fails to provide slots;
- holder forfeiture rule if holder never requests redemption.
A simple expiration rule is:
For retail products, governance may require a minimum cash fallback to prevent confusing instruments. For institutional forwards, parties may choose stricter expiry.
10. Participants
10.1 Compute Providers
Compute providers are issuers of SCCs. They reserve capacity, post collateral, disclose operational metrics, accept redemption requests, and deliver compute. They earn issuance fees, redemption fees, and potentially financing benefits from selling future capacity.
Providers resemble commercial banks only in the limited sense that they issue claims against future service capacity and create market liquidity. The analogy should not be forced. A bank issues monetary liabilities against assets. A compute provider issues computational liabilities against operational capacity. The risk is not a bank run on money but a shortage of deliverable compute during a redemption window.
10.2 Users
Users buy SCCs to secure future compute, hedge price risk, or gain exposure to compute prices. Users may be AI labs, enterprises, application developers, rendering studios, research institutions, agents, or individuals.
10.3 Traders and Market Makers
Traders provide liquidity and absorb price risk. Market makers quote SCCs across maturities, regions, and classes. Their role is economically useful if they reduce spreads and transfer risk from hedgers to risk-takers. Their role is harmful if they manipulate thin markets, exploit oracle delays, or cause liquidation cascades. The protocol therefore uses margin rules, position limits, and oracle controls.
10.4 Oracle Operators
Oracle operators report prices, capacity, delivery, benchmark results, and provider events. CCP uses multiple oracle types because compute finance has multiple facts:
- spot compute price;
- forward curve;
- provider available capacity;
- actual delivered performance;
- downtime;
- benchmark class changes;
- issuer credit events.
10.5 Validators and Blockchain Infrastructure
Validators, miners, sequencers, or ordering nodes maintain the blockchain state machine, depending on the chosen implementation. They order transactions, finalize state transitions, and secure the ledger that records claims, collateral, markets, oracle submissions, and disputes. CCP should not assume that chain validators know compute truth. Consensus participants provide chain security, not physical delivery assurance. Compute-specific truth requires additional oracle committees, audits, metering systems, and dispute mechanisms.
10.6 Governance
Governance manages parameters that cannot be fixed permanently:
- compute class admission;
- benchmark suites;
- issuer risk weights;
- collateral ratios;
- oracle membership;
- dispute juror selection;
- emergency shutdown;
- treasury allocation;
- insurance premiums;
- protocol fees.
Governance must be constrained by timelocks and risk limits. A compute-finance protocol can damage users if governance changes redemption rules after issuance.
11. Issuance
11.1 Admission
An issuer must submit:
- legal identity or approved decentralized identity;
- data center locations or access domains;
- hardware inventory commitments;
- power and cooling attestations;
- historical uptime;
- benchmark results;
- insurance coverage if any;
- collateral assets;
- signing keys;
- redemption API endpoints;
- dispute contact and escalation process.
Governance or a delegated risk committee assigns:
where \(Limit_p\) is maximum outstanding SCC issuance for provider \(p\), class \(\kappa\), and window \(W\).
11.2 Reserve Accounting
Let \(Q_{p,\kappa,W}\) be provider \(p\)'s committed deliverable capacity, and \(O_{p,\kappa,W}\) be outstanding SCC obligations. Define reserve ratio:
The protocol requires:
For perishable compute, over-reservation may be necessary because redemption requests are uncertain and workloads may not perfectly pack into available slots. If users do not redeem, providers may sell unused capacity elsewhere. If too many users redeem simultaneously, providers must allocate fairly or buy replacement capacity.
11.3 Collateralization
Issuer collateral protects holders against default. Let \(P_{\kappa,W}\) be oracle price per CU for the delivery class and window, and \(O\) be outstanding units. Required collateral is:
where \(\lambda_p \geq 0\) is risk weight. Low-risk issuers may have lower collateral; new issuers require higher collateral. Collateral may be stablecoins, governance tokens, liquid staking tokens, tokenized treasuries, or high-quality SCCs with haircuts. Because collateral volatility can amplify defaults, the risk engine uses conservative haircuts:
11.4 Minting
Minting is permitted only when both reserve and collateral constraints hold.
function mintSCC(provider, class, window, units, recipient):
require IssuerRegistry.status(provider) == ACTIVE
require ComputeClassRegistry.status(class) == APPROVED
newOutstanding = outstanding(provider,class,window) + units
require committedCapacity(provider,class,window) / newOutstanding >= minReserve(provider,class)
required = collateralRequirement(provider,class,window,newOutstanding)
require riskValue(collateral(provider)) >= required
sccId = SCC.mint(provider,class,window,units,recipient)
outstanding(provider,class,window) = newOutstanding
emit Mint(provider,class,window,units,sccId)
11.5 Issuer Balance Sheet
An issuer that sells SCCs creates a liability. The liability is not denominated primarily in money; it is denominated in future compute. A simplified balance sheet after issuance is:
| Issuer asset | Issuer liability |
|---|---|
| Cash or stablecoins received from SCC sale | Outstanding SCC redemption obligation |
| Reserved accelerator capacity | Delivery obligation during window |
| Posted protocol collateral | Potential slashing and compensation claim |
| Reputation capital | Future issuance franchise value |
Suppose a provider sells 10,000 SCCs for a class representing one CU each at 8 stablecoins per CU. It receives 80,000 stablecoins. If required collateral is 40% of notional, it posts 32,000 stablecoins or equivalent. It must preserve enough future capacity to satisfy redemptions. If only 60% of holders are expected to redeem, the provider may economically believe that 6,000 CU of reserved capacity is sufficient. The protocol may nevertheless require more, because redemption behavior is endogenous. If holders become concerned about provider solvency, redemption demand can increase. This is analogous to but not identical with a run: the scarce object is not money but time-bounded compute availability.
The balance sheet treatment of unused capacity is important. If the redemption window passes and holders do not redeem, the provider may keep the sale proceeds and sell unused physical capacity elsewhere, depending on the claim terms. This is not necessarily unfair; it is the economic compensation for reserving capacity. However, if terms include cash settlement for non-redemption, the liability persists until the fallback payment is made.
11.6 Issuance Auctions
Providers may issue SCCs by fixed-price sale, continuous minting, Dutch auction, sealed-bid auction, or negotiated block issuance. CCP should support multiple issuance methods but require a public record of issued supply and terms.
For standard public issuance, a sealed-bid uniform-price auction reduces information leakage and discourages simple front-running. Bidders submit commitments:
After the commit phase, bidders reveal. Valid bids are sorted by price, and all winning bidders pay the clearing price. Unsold capacity remains unissued. The auction contract mints SCCs only after collateral and reserve checks pass.
algorithm UniformPriceSCCAuction(provider, class, window, offeredUnits):
require issuerActive(provider)
require issuanceCapacity(provider,class,window) >= offeredUnits
collect sealed commitments until commitEnd
collect reveals until revealEnd
validBids = verifyReveals()
sort validBids by price descending
clearingPrice = price of marginal winning bid
for bid in winners:
collect bid.quantity * clearingPrice
mintSCC(provider,class,window,bid.quantity,bid.bidder)
return unsoldUnits
Auction design matters because issuance price becomes a reference for secondary markets and collateral valuation. A manipulated issuance auction can create false marks. Therefore self-bids by issuer-related accounts should either be prohibited or disclosed and excluded from oracle formation.
11.7 Dynamic Issuance Limits
Static limits are insufficient because capacity and collateral change. CCP computes dynamic issuance capacity:
where \(Q_{risk}\) is risk-adjusted capacity. If audits show degraded hardware availability, \(Q_{risk}\) falls. If collateral price falls, \(Collateral_{risk}\) falls. If compute price rises, notional exposure rises and required collateral rises. A provider can therefore become unable to mint new SCCs without being in default. This is a normal risk-control state.
11.8 Provider Competition
Issuer competition should occur through price, reliability, collateral quality, redemption experience, and class specialization. The protocol should not equalize all issuers into a single undifferentiated pool unless holders explicitly buy pooled claims. If a weak issuer and strong issuer issue identical-looking SCCs, the market cannot price credit risk. CCP therefore makes issuer identity part of the claim unless a pool wrapper assumes and prices the credit risk.
The market price of issuer-specific SCCs can be decomposed:
where \(CDS_p\) is implied default discount. This gives providers an incentive to improve operational reliability because lower credit spreads reduce their cost of forward capacity financing.
12. Redemption
12.1 Redemption Request
To redeem, a holder locks SCCs and submits a request:
where \(W^\prime \subseteq W\) is preferred time, constraints include region or software requirements within class tolerance, and commitment hides sensitive workload details. The workload itself is not placed on-chain.
If the implementation supports account privacy, the redemption transaction can use stealth addresses, encrypted metadata, or confidential transfer mechanisms so that public observers cannot infer the holder's future compute demand. This matters because redemption schedules may reveal product launches, model training plans, trading strategies, or research priorities.
12.2 Allocation
If requested redemptions exceed immediately schedulable capacity, allocation follows a deterministic rule:
- valid requests before invalid requests;
- earlier lock time before later lock time;
- priority class if explicitly purchased;
- pro-rata allocation among equal priority;
- fallback to substitute provider pool if enabled;
- cash settlement if delivery failure remains.
The allocation rule prevents providers from favoring related parties after claims have been issued.
12.3 Delivery and Attestation
A successful redemption produces:
- provider signed delivery receipt;
- user signed acceptance or timeout;
- metering log commitment;
- benchmark sample commitment;
- oracle attestation;
- optional zero-knowledge proof that delivered metrics met thresholds without revealing workload contents.
The on-chain state transition is:
if the proof validates and no dispute is filed within the challenge period.
12.4 Confidential Redemption
Confidential redemption requires hiding at least four values: holder identity, workload metadata, quantity, and schedule. A privacy-preserving blockchain implementation can hide public linkage between primary accounts and redemption addresses. CCP adds encrypted redemption tickets:
The provider decrypts the ticket to schedule capacity. The chain stores only a commitment:
Oracle and dispute systems can later verify selective disclosures without making the workload public.
12.5 Redemption Queues
Redemption is not merely a token burn. It is a scheduling problem. Compute capacity has time, topology, and setup constraints. A provider may be able to deliver 1,000 independent inference CU but not a single 1,000 CU tightly coupled training run. CCP therefore separates claim validity from scheduling feasibility.
Each compute class defines a minimum schedulable lot and maximum fragmentation tolerance. A redemption request may specify:
- minimum continuous duration;
- maximum start-time delay;
- parallelism requirement;
- interconnect requirement within class;
- accepted substitute classes;
- confidentiality level;
- region and compliance restrictions.
The provider's scheduler returns either an allocation or a rejection reason. A rejection is valid only if it is consistent with claim terms. For example, a holder cannot demand a narrower topology than the SCC class provides. Conversely, a provider cannot reject a request that falls within class terms merely because spot prices have risen.
12.6 Partial Redemption
SCCs may be partially redeemed. Partial redemption reduces friction for holders whose workload is smaller than the claim. It also introduces accounting risk. The token contract must track remaining units:
Partial redemption should preserve metadata. A residual SCC remains tied to the same issuer, class, window, and settlement rule. If the residual amount falls below a dust threshold, the protocol may force cash settlement or merge residuals through a consolidation function.
12.7 Redemption Failure Taxonomy
Failures must be classified because penalties differ:
- Holder fault: invalid workload, missed schedule, failure to provide required credentials, or withdrawal after allocation.
- Provider operational fault: hardware unavailable, scheduling failure, downtime, inadequate performance.
- External fault: force majeure, legal prohibition, grid outage, network partition.
- Oracle fault: delivery occurred but oracle failed to attest, or non-delivery was incorrectly attested.
- Protocol fault: contract bug or chain outage.
The default rule should not punish providers for holder fault. It should not excuse providers for ordinary operational risk. External fault requires predefined treatment because otherwise every default invites discretionary governance.
13. Settlement
13.1 Physical Settlement
Physical settlement means the holder receives compute service. The claim is extinguished by delivery:
Physical settlement is preferred for users who need compute. It requires issuer operational reliability and robust metering.
13.2 Cash Settlement
Cash settlement pays the holder based on a compute price index:
where \(\chi\) is penalty multiplier. If the issuer defaults, \(\chi\) may exceed 1 to compensate for replacement cost and inconvenience. If the holder elects cash settlement voluntarily, \(\chi = 1\) or lower.
13.3 Substitution
A provider may satisfy redemption through substitute capacity if:
- substitute class dominates or equals required class;
- region and compliance constraints are satisfied;
- user has not opted out;
- oracle attests equivalence;
- price adjustment is applied if quality differs.
Substitution reduces default probability but increases basis risk. The protocol must make substitution rights explicit at issuance.
13.4 Netting
The clearinghouse nets obligations where legally and technically valid. If user \(A\) is long 100 SCCs and short 40 equivalent SCC futures in the same account, margin may recognize net exposure. Netting reduces collateral needs but introduces model risk. CCP permits netting only within approved equivalence classes.
13.5 Clearinghouse Waterfall
If a cleared market participant defaults, losses are allocated through a waterfall:
- defaulter margin;
- defaulter additional collateral;
- liquidation proceeds;
- defaulter insurance contribution if any;
- clearinghouse reserve;
- mutualized insurance pool;
- protocol treasury backstop if governance has authorized it;
- socialized loss or settlement haircut as last resort.
Socialized loss must be exceptional and rule-bound. A protocol that casually socializes losses creates moral hazard. Market participants will take excessive leverage if they expect profitable trades to remain private while losses are shared.
13.6 Settlement Finality for Institutions
Institutional participants need clarity on when a claim is final. CCP defines three levels:
- execution finality: trade accepted by the matching engine or AMM;
- chain finality: transaction finalized by the underlying blockchain;
- economic finality: challenge periods, oracle update windows, and dispute rights have expired.
An SCC transfer may be chain-final before it is economically final if it is subject to clawback for proven fraud. Derivatives settlement may be chain-final while oracle dispute windows remain open. The protocol should expose these distinctions in interfaces so risk systems do not treat all confirmations as equal.
14. Oracle Network
14.1 Oracle Facts
CCP requires five oracle feeds:
PriceOracle: spot and forward prices for compute classes.CapacityOracle: provider committed and available capacity.DeliveryOracle: whether compute was delivered.BenchmarkOracle: performance and quality metrics.CreditOracle: issuer risk events and reputation scores.
These facts differ in observability. Price can be sampled from markets and cloud listings. Capacity is partly private and requires audits. Delivery is bilateral and may require logs. Benchmarking is measurable but can be gamed. Credit risk is inferential.
14.2 Aggregation
For numerical feeds, CCP uses a stake-weighted median with outlier trimming:
where \(w_i\) is oracle stake or reputation weight. For binary delivery disputes, CCP uses threshold signatures from an oracle committee after reviewing commitments.
Weighted medians are used because they reduce sensitivity to outliers relative to means and are simple enough for on-chain verification. CCP extends this familiar oracle pattern beyond asset prices into compute-specific measurements.
14.3 Oracle Incentives
Oracle operators stake assets and earn fees. They can be slashed for:
- signing contradictory reports;
- reporting outside tolerated deviation without evidence;
- failing liveness requirements;
- colluding in delivery fraud;
- withholding reports during liquidation windows.
The slashing function is:
where \(S_i\) is stake, \(Damage_i\) is estimated harm, and \(Fee_i\) is oracle compensation.
14.4 Oracle Manipulation Resistance
Compute prices may be thin. Manipulators may wash trade SCCs to influence index settlement. CCP mitigates this by:
- using multiple venues and provider quotes;
- excluding self-trades and low-depth markets;
- requiring minimum volume;
- applying time-weighted averages;
- using fallback fundamental pricing from cloud list prices and observed utilization;
- delaying settlement if oracle confidence drops;
- increasing margin during low-confidence periods.
14.5 Capacity Attestation
Capacity is harder to observe than price. A provider can show hardware inventory without proving future availability. CCP uses layered evidence:
- static audit of hardware and facility;
- periodic benchmark proofs;
- signed reservation commitments;
- random liveness challenges;
- redemption success history;
- independent customer confirmations;
- power and network telemetry commitments where available.
No single evidence type is sufficient. Hardware can be double-pledged. Benchmarks can be optimized for. Customer confirmations can be fabricated. The protocol therefore weights evidence and requires collateral for the residual uncertainty.
14.6 Benchmark Governance
Benchmarks create incentives. If a compute class is defined by a narrow benchmark, providers may optimize for that benchmark while delivering poor real-world utility. If the benchmark is too broad, measurement becomes expensive and ambiguous. CCP benchmark governance should follow five principles:
- workloads should be reproducible;
- benchmark suites should rotate slowly and with notice;
- no issuer should know all random challenge parameters in advance;
- benchmark results should include variance, not only mean performance;
- class upgrades should not silently change outstanding claim meaning.
When a new accelerator generation appears, governance may define a new class rather than redefine an old class. Redefining old classes can transfer value between holders and issuers.
14.7 Oracle Confidence and Risk Parameters
Each oracle output includes confidence:
Risk modules map confidence into margin and issuance constraints:
If confidence falls below a threshold, markets enter auction-only or settlement-only mode. This avoids pretending precision exists during data failure.
15. Consensus Interaction
CCP depends on an underlying blockchain for transaction ordering, finality, and execution. The protocol does not require a specific chain, but it does require a chain whose consensus and execution properties are compatible with financial settlement. The relevant question is not whether a chain is fashionable, but whether it can support the state transitions needed by compute claims without introducing unacceptable settlement risk.
15.1 Throughput and Latency
Compute-finance markets require higher update frequency than simple token transfers. Futures and options positions can become unsafe under fast price moves if margin cannot update. A suitable blockchain should support:
- frequent order placement and cancellation;
- liquidation auctions;
- oracle updates;
- collateral transfers;
- redemption ticket submission;
- market making and risk adjustment.
However, low latency does not itself guarantee economic safety. A fast chain can propagate bad prices quickly. Risk controls must be conservative during oracle faults, and high-frequency trading should not be allowed to outrun settlement guarantees. For thin SCC markets, batch auctions may be safer than continuous matching.
15.2 Validator Incentives
Consensus participants can influence ordering. In compute markets, ordering attacks include:
- front-running large redemptions;
- sandwiching SCC trades before oracle updates;
- delaying liquidation transactions;
- prioritizing related issuer withdrawals;
- censoring disputes.
CCP uses batch auctions for thin SCC markets, commit-reveal for sensitive redemptions, encrypted orders where supported, and liquidation keepers with priority rights. If the underlying blockchain has a proposer-builder architecture, sequencer model, or validator mempool, the implementation must analyze maximum extractable value and censorship risk explicitly.
15.3 Finality and Redemption
Redemption should not be scheduled from unfinalized state. Providers should wait for finality before allocating expensive capacity. If a chain provides fast pre-confirmations or soft confirmations, CCP may treat them as soft commitments for low-value requests but should require stronger confirmation for large institutional redemptions. The protocol interface should expose confirmation depth and settlement status rather than hiding these differences from users.
15.4 Cross-Chain Interaction
Cross-chain collateral and wrapped SCCs introduce an additional security domain. A bridge failure can impair collateral even when the compute issuer is solvent. CCP must therefore treat bridge security as separate from issuer credit risk and chain consensus risk. Cross-chain collateral should receive haircuts depending on bridge assumptions, withdrawal delay, signer concentration, proof verification, fraud-proof windows, and destination-chain finality.
15.5 Blockchain Execution Model
The proposed deployment should be understood as a settlement deployment, not as an assertion that the blockchain itself becomes the issuer, guarantor, or operator of compute claims. The chain records and enforces rights. Providers still deliver compute. Oracles still report facts about the off-chain world. Governance still defines standards. This separation is essential: the protocol financializes future compute access, but it does not make computation occur inside the ledger.
A blockchain deployment should divide responsibilities into four planes.
The first plane is the chain execution plane. It processes SCC transfers, margin updates, collateral movements, oracle publications, governance actions, and dispute state transitions. This plane should be deterministic and minimal. It should not attempt to run customer workloads, store large telemetry logs, or make subjective quality judgments.
The second plane is the market plane. It contains order books, AMMs, auctions, OTC settlement contracts, futures, options, swaps, and lending pools. The market plane must distinguish between ordinary price exposure and delivery exposure. A compute future that physically settles into SCCs has delivery risk even if its mark price is accurate.
The third plane is the compute assurance plane. It consists of provider APIs, metering systems, benchmark runners, audit firms, remote attestation services, and oracle committees. This plane is necessarily partly off-chain. Its output is not arbitrary trust; it is signed evidence, commitments, proofs, and challengeable attestations consumed by the chain execution plane.
The fourth plane is the governance and risk plane. It defines compute classes, issuer limits, oracle membership, margin parameters, benchmark upgrades, emergency procedures, and insurance rules. This plane should be deliberately slower than the market plane. Fast trading requires fast execution, but parameter changes affecting solvency should be slower and more public.
Transaction costs should be analyzed as part of market design. If base-layer fees are high, small SCC transfers and retail redemptions become uneconomic. If transactions are free or subsidized, protocol modules must introduce application-level anti-spam costs where actions consume scarce off-chain resources. Redemption requests, benchmark challenges, oracle disputes, and liquidation bids can impose real costs. CCP therefore uses bonds and refundable deposits for resource-consuming operations. A cheap transfer may be acceptable; a cheap fake redemption request is not.
A blockchain's privacy model also changes user experience. In a transparent chain, a lender can inspect collateral directly. In a private or confidential implementation, a lender or clearinghouse needs proofs, viewer permissions, or privileged audit views. CCP should therefore define standard disclosure objects: a holder can reveal a position to a lender without revealing it to the public; an issuer can reveal capacity evidence to an auditor without revealing all customer schedules; a regulator or court can receive a selective disclosure under applicable legal process without making the entire market transparent.
Finally, deployment should not make bridge liquidity the default assumption for solvency. Cross-chain collateral can improve capital efficiency, but compute claims should survive bridge stress. The most conservative configuration treats locally settled collateral as highest quality, bridged assets as haircut collateral, and remote-chain SCC wrappers as convenience instruments rather than core solvency assets. This conservative treatment is especially important because compute default can already be correlated with market stress. Adding bridge failure as an unpriced correlated risk would weaken the system.
16. Privacy Layer
16.1 Why Privacy Matters for Compute Finance
Compute positions reveal information. A large purchase of future training-class compute may reveal that an AI lab is preparing a model run. A large short position may reveal an expectation of capacity oversupply. A redemption schedule may reveal product launch timing. Lending positions may reveal distress.
Public transparency is useful for solvency. Full position transparency is harmful for market integrity and commercial confidentiality. CCP therefore separates public verifiability from public disclosure.
16.2 Privacy-Preserving Settlement Features
A blockchain implementation of CCP may be transparent, partially private, or confidential. The protocol does not require all positions to be hidden, but it should support privacy-preserving settlement where institutions or users require it. Useful features include encrypted orders, confidential balances, zero-knowledge verification, selective disclosure permissions, and stealth addresses for one-time transaction unlinkability. These features are directly relevant:
- encrypted SCC orders reduce front-running;
- stealth redemption addresses reduce linkage between claims and workload;
- viewer passes allow auditors, lenders, or regulators to inspect positions selectively;
- private lending positions prevent predatory liquidation attacks;
- private OTC settlements allow institutions to transfer compute exposure without broadcasting strategy.
16.3 Zero-Knowledge Proofs
CCP uses zero-knowledge proofs in four places:
- Proof of collateral adequacy without disclosing full portfolio.
- Proof that a redemption ticket corresponds to locked SCCs.
- Proof that metered compute exceeded minimum benchmark thresholds.
- Proof that an issuer's aggregate obligations do not exceed disclosed capacity commitments.
Example statement:
The proof reveals compliance but not workload contents.
16.4 Limits of Privacy
Privacy can hide insolvency if misused. CCP requires aggregate public metrics:
- total outstanding SCCs by class and window;
- issuer risk-weighted obligations;
- collateral risk value;
- insurance fund balance;
- oracle confidence;
- default events.
Individual positions can be private while aggregate solvency remains public.
17. Smart Contracts
17.1 Contract Architecture
17.2 Minimal State
The protocol state is:
Each transaction is a transition:
The transition must preserve invariants:
- no SCC exists without an approved compute class;
- no issuer exceeds issuance limit;
- no collateral withdrawal breaches requirements;
- locked SCCs cannot be transferred;
- redeemed SCCs cannot be redeemed again;
- derivatives positions satisfy margin requirements unless liquidated;
- oracle updates satisfy quorum rules;
- governance changes respect timelocks.
17.3 Upgradeability
Upgradeability is dangerous for financial claims. CCP uses a layered approach:
- immutable token accounting for issued claims where possible;
- upgradeable routers for new markets;
- timelocked parameter changes;
- emergency pause for new issuance but not arbitrary seizure;
- migration only by opt-in or supermajority under predefined conditions.
17.4 Contract Invariants
Each module exposes machine-checkable invariants. Examples:
invariant SCCSupply:
totalUnitsIssued == totalUnitsOutstanding + totalUnitsBurned + totalUnitsExpired
invariant LockedCannotTransfer:
for each tokenId:
transferableUnits(tokenId) + lockedUnits(tokenId) <= remainingUnits(tokenId)
invariant IssuerCollateral:
if issuer.status in {ACTIVE, WATCHLIST}:
riskValue(issuer.collateral) >= requiredCollateral(issuer)
invariant OracleFreshness:
market.canTrade implies now - oracle.latestTimestamp(market.feed) <= maxStaleness
These invariants should be tested with fuzzing and formally specified in a verification language appropriate for the target virtual machine.
17.5 Privacy-Preserving Accounting
Private balances complicate solvency proofs. CCP requires commitments to hidden balances:
The clearinghouse can prove:
without revealing individual balances. If a private account opens a derivatives position, it submits a proof that available margin exceeds initial margin. Liquidators need a way to act without seeing the full account. One method is a public liquidation eligibility proof:
The proof reveals that liquidation is valid but not the full portfolio. The liquidation auction can then reveal only the subset of collateral necessary for resolution.
17.6 Interface Stability
Financial contracts outlive software versions. CCP should define stable interfaces for SCC metadata, redemption status, oracle feeds, and collateral valuation. New products can be added around these interfaces without changing the meaning of existing claims. Interface versioning is therefore part of economic safety.
17.7 Failure Modes of Smart Contract Automation
Automation is useful but dangerous when it assumes accurate inputs. A liquidation bot that acts on a bad oracle can harm solvent accounts. A redemption router that automatically accepts delivery after timeout can harm holders if providers delay evidence. CCP should use automation for deterministic checks and require challenge windows for facts that originate off-chain.
18. Financial Products
CCP supports products by composing SCCs, collateral, and clearinghouse positions.
18.1 Spot SCCs
Spot SCC markets trade existing claims. Price reflects:
If the SCC is near redemption and issuer quality is high, the price approaches replacement compute cost. If issuer risk rises, the SCC trades at a discount.
18.2 Forwards
A forward is a bilateral or cleared agreement to exchange SCCs or cash at future date \(T\):
where \(P_T\) is settlement price and \(K\) is forward price. Forwards are useful for enterprise hedging but create counterparty risk if uncleared. CCP encourages clearing through margin.
18.3 Structured Products
Structured compute products combine SCCs with options, insurance, and lending. Example: a protected training-capacity note pays compute credits if prices rise but returns stablecoin principal if issuer defaults, funded by option premium and insurance. Such products must disclose payoff formulas and risks.
18.4 Compute Bonds
A compute bond is a fixed-income instrument issued by a provider and repayable in cash, SCCs, or a combination. The provider receives capital upfront to build or reserve capacity. Investors receive coupons funded by future compute revenue.
Let face value be \(F\), coupon \(c\), maturity \(T\), and optional compute conversion ratio \(\rho\). Payoff:
if the bond includes a compute conversion option. Compute bonds differ from SCCs because the primary obligation may be financial repayment rather than direct compute delivery. They should therefore be regulated and risk-weighted differently. A provider that issues both SCCs and compute bonds has two creditor classes. Governance must define priority. A conservative rule gives SCC redemption claims priority over unsecured compute bonds because SCC buyers purchased a specific service right.
18.5 Compute Indexes
A compute index aggregates prices across providers and venues:
Weights may be based on deliverable capacity, trading volume, issuer credit quality, or equal weighting. Capacity weighting reflects the replacement market. Volume weighting reflects tradable prices but can be manipulated. Credit weighting reduces exposure to weak issuers but may underrepresent distressed prices.
Index methodology must be public. Changes should be timelocked. Derivatives referencing an index depend on methodology stability; changing weights near expiry can transfer wealth.
18.6 Compute ETFs and Baskets
A compute basket holds SCCs from multiple issuers and classes. A tokenized basket may reduce issuer-specific risk:
The basket contract must handle expirations. Unlike equity ETFs, compute SCCs decay and expire. A passive basket therefore requires rolling rules:
- sell claims approaching expiry if not intended for redemption;
- buy next-window claims;
- rebalance issuer exposure;
- maintain insurance coverage;
- disclose realized roll yield.
Roll yield can be positive or negative depending on forward curve shape. Investors must understand that a compute ETF does not simply track "AI growth"; it tracks a specific strategy of holding and rolling compute claims.
18.7 OTC Markets
Institutions may prefer negotiated trades for large blocks. CCP supports private OTC settlement by allowing two parties to submit matching encrypted trade intents. The chain verifies signatures, collateral, and compliance without publishing all terms. A public commitment records that a valid transfer occurred.
OTC privacy must not bypass risk controls. If the trade creates a large derivatives exposure, the clearinghouse still requires margin. If the transferred SCC is restricted, transfer hooks still apply.
18.8 Prediction Markets
Prediction markets can reference compute events: whether a provider defaults, whether a compute index exceeds a threshold, whether a benchmark class becomes capacity constrained, or whether average inference cost falls below a value. These markets can improve information discovery, but they can also create incentives to cause adverse events. Markets on issuer default should be monitored for manipulation and may require position limits.
18.9 Retail Markets
Retail users may buy small SCC denominations for future inference, rendering, or application hosting. Retail products should avoid hidden leverage, obscure expiration, and complex fallback rules. The protocol can define a retail-safe claim profile:
- no leverage;
- clear expiration;
- cash fallback if provider fails;
- issuer or pool diversification;
- displayed risk grade;
- maximum loss equal to purchase price.
Retail access is valuable for broad participation but should not determine the design of institutional risk products.
19. Compute Futures
19.1 Contract Specification
A compute futures contract references a compute index:
where \(\kappa\) is compute class, \(W\) is delivery window, and \(M\) is maturity. The contract is cash-settled or physically deliverable into SCCs.
19.2 Margin
Initial margin:
Maintenance margin:
where \(\sigma_{\kappa}\) is realized volatility, \(z\) is confidence factor, and \(\theta < 1\).
19.3 Marking
The clearinghouse marks positions using oracle prices:
If account equity falls below maintenance margin, liquidation begins.
19.4 Delivery
Physically delivered futures settle into SCCs. The short must deliver approved SCCs. If the short cannot deliver, the clearinghouse buys SCCs in the market and charges the short, using collateral and insurance if necessary.
20. Compute Options
20.1 Calls and Puts
A call option gives the right to buy SCCs or compute index exposure at strike \(K\). A put gives the right to sell.
Compute options hedge capacity shortages. A startup can buy calls on future inference compute. A provider can buy puts to hedge price declines.
20.2 Pricing
Black-Scholes assumptions do not fully hold because compute prices can jump under capacity shortages and delivery windows are perishable. A simple model:
where \(J_t\) is jump size and \(N_t\) is a Poisson process representing shortage events. Option margin must account for jumps.
20.3 Exercise
Options may be European, American, or Bermudan. Physical exercise requires SCC delivery. Cash exercise uses index settlement. Private exercise is important because public exercise can reveal compute demand.
21. Compute Swaps
21.1 Fixed-for-Floating Compute Swap
Party A pays fixed price \(K\) per CU. Party B pays floating index \(P_t\):
The swap allows users to stabilize compute cost while providers or speculators absorb price risk.
21.2 Capacity Availability Swap
The floating leg is not price but availability:
where \(A_t\) is observed availability. This hedges shortage rather than price.
21.3 Credit Default Swap on Issuer
An insurance-like swap pays if issuer \(p\) defaults:
where \(LGD_p\) is loss given default. Such instruments can improve risk transfer but may create perverse incentives if buyers can profit from issuer failure. Governance may require insurable interest for certain default products.
22. Compute Lending
22.1 SCC as Collateral
SCCs can collateralize loans. The collateral value is:
where haircut depends on class, issuer, maturity, liquidity, and redemption restrictions.
Borrow limit:
22.2 Private Lending Positions
Public loan positions invite predatory trading. If a large borrower can be liquidated by moving an SCC price index, attackers may manipulate the market. Privacy-preserving accounting allows loan balances and collateral details to be hidden from public observers while proofs of solvency remain available.
22.3 Liquidation
If loan health factor falls below 1:
liquidators can repay debt and receive collateral at discount. To reduce manipulation, CCP uses:
- time-weighted oracle prices;
- partial liquidation;
- Dutch auctions;
- circuit breakers;
- hidden position details with public liquidation eligibility proofs.
22.4 Maturity Mismatch
Lending markets can create maturity mismatch. A borrower may pledge SCCs expiring in one month to borrow stablecoins due in six months. After expiry, collateral value collapses. CCP lending markets must enforce maturity constraints:
unless the borrower posts additional collateral. If the SCC has cash settlement fallback, the loan may extend to fallback payment date with haircut.
22.5 Rehypothecation
Rehypothecation occurs when collateral pledged by one user is reused by another. It increases liquidity but creates complex claims in default. CCP should disable rehypothecation by default for SCC collateral. If enabled, the chain must track encumbrances:
The protocol must never allow the same SCC unit to satisfy both a redemption and a lender claim.
22.6 Interest Rate Model
Borrow rates in SCC lending markets can follow utilization:
The kink \(u^\ast\) discourages full utilization, preserving withdrawal liquidity. For expiring SCCs, the curve should steepen as expiry approaches because liquidity risk rises.
23. Insurance
23.1 Insurance Pool
The insurance pool covers valid losses from issuer default, oracle failure under covered conditions, and clearinghouse insolvency. It is funded by:
- issuance fees;
- trading fees;
- insurance premiums;
- slashed collateral;
- treasury allocation;
- optional underwriter deposits.
23.2 Pricing Insurance
Premium for issuer \(p\):
where \(PD\) is default probability and \(LGD\) is loss given default.
23.3 Underwriter Incentives
Underwriters stake capital into risk tranches. Senior tranches earn lower yield and absorb losses later. Junior tranches earn higher yield and absorb first losses. This structure can attract different risk preferences but must avoid hiding correlated risk.
23.4 Correlated Losses
Compute insurance losses are correlated. A regional power issue, accelerator driver vulnerability, bridge failure, or market-wide shortage can affect many issuers simultaneously. Premiums based only on issuer-specific historical default will underprice systemic risk.
Let issuer losses be \(L_i\). Portfolio loss variance:
If covariance rises during stress, diversification fails when needed most. The insurance pool therefore applies concentration limits by region, hardware generation, power grid, cloud dependency, and bridge collateral type.
23.5 Claims Assessment
Insurance claims require objective triggers. A vague trigger such as "provider behaved unfairly" is unsuitable. Examples of objective triggers:
- valid redemption request not satisfied within cure period;
- oracle-confirmed delivery quality below threshold;
- issuer enters protocol default state;
- clearinghouse loss exceeds defaulter margin after liquidation;
- bridge asset used as approved collateral is frozen or invalidated.
Ambiguous events go through dispute resolution. Claim assessment should publish aggregate reasoning while preserving confidential workload data.
24. Liquidity
24.1 Liquidity Sources
Liquidity comes from:
- provider issuance;
- market makers;
- users selling unused SCCs;
- arbitrageurs between cloud prices and SCC prices;
- collateral lenders;
- structured product desks;
- protocol incentives.
24.2 Automated Market Makers and Order Books
SCC markets can use order books for active classes and AMMs for long-tail classes. Order books are efficient when market makers can quote continuously and update inventory. AMMs may be useful where liquidity is fragmented across maturities or where passive liquidity is more important than narrow spreads.
For an AMM between stablecoin \(X\) and SCC \(Y\):
is simple but poor for expiring assets because SCC value changes with time. A time-aware AMM uses:
inside its pricing curve.
24.3 Liquidity Incentives
Protocol incentives should reward useful depth, not wash volume. Rewards depend on:
- quoted spread;
- depth near oracle mid;
- uptime;
- adverse selection cost;
- actual fills;
- manipulation score.
25. Treasury
The treasury receives protocol revenue and funds public goods:
- audits;
- oracle subsidies;
- insurance backstop;
- benchmark research;
- issuer audits;
- formal verification;
- emergency liquidity.
Revenue sources:
Treasury spending must be transparent at aggregate level, even if individual market positions remain private.
26. Governance
26.1 Scope
Governance cannot arbitrarily rewrite outstanding claims. It can update future issuance parameters. For existing claims, it may act only under predefined emergency clauses.
26.2 Governance Process
26.3 Emergency Governance
Emergencies include oracle failure, bridge exploit, issuer fraud, validator censorship, benchmark compromise, or market insolvency. Emergency powers may pause new issuance and derivatives trading, increase margin, or freeze disputed withdrawals. They should not confiscate valid user claims except under legal compulsion or proven fraud.
26.4 Parameter Taxonomy
Governance parameters fall into risk classes:
| Parameter | Risk | Timelock |
|---|---|---|
| New compute class | basis and benchmark risk | long |
| Issuer collateral ratio | solvency risk | medium |
| Oracle membership | manipulation risk | long |
| Margin multiplier | liquidation risk | short in emergency |
| Fee rate | economic risk | medium |
| Insurance payout rule | solvency and fairness risk | long |
| Pause new issuance | protective | short |
High-risk parameter changes should not execute quickly. Emergency speed should be reserved for reducing risk, not increasing leverage or weakening collateral.
26.5 Delegated Risk Committees
Token voting is poorly suited to daily risk management. CCP can delegate limited authority to risk committees. Their authority is bounded:
- increase margin within predefined range;
- reduce issuer limits;
- put issuer on watchlist;
- pause a compromised oracle feed;
- recommend but not execute new claim classes.
Committees post bonds and publish signed reports. Governance can remove them. This balances speed and accountability.
27. Incentives
27.1 Provider Incentives
Providers benefit by selling future capacity before use. This improves capital planning. They earn:
- upfront sale proceeds;
- issuance fees;
- redemption fees;
- reputation benefits;
- lower financing cost if markets trust them.
They incur:
- collateral opportunity cost;
- slashing risk;
- operational obligations;
- audit cost;
- reputational cost of default.
The provider issues if:
27.2 Holder Incentives
Holders buy SCCs if:
Speculators buy if expected risk-adjusted return is positive. Hedgers buy even if expected return is negative when variance reduction is valuable.
27.3 Oracle Incentives
Oracles report honestly if:
The protocol increases honesty by increasing stake, detectability, and future fee value.
27.4 Validator Incentives
Validators earn chain rewards and fees. If they can profit from ordering attacks, protocol design must reduce extractable value. Encrypted orders, batch settlement, and slashing for censorship evidence help.
28. Tokenomics
28.1 Native Protocol Token
CCP may use a protocol governance and staking token, denoted \(gCCP\), distinct from SCCs. This paper does not prescribe a token sale.
Functions:
- governance voting;
- oracle staking;
- insurance staking;
- fee discounting;
- risk committee bonds;
- dispute juror bonds.
The token must not be necessary for holding SCCs unless required for spam prevention. Compute claims should be usable by institutions that prefer stable collateral and clear accounting.
28.2 Fee Model
Fees:
- issuance fee: paid by provider;
- trading fee: paid by taker and possibly maker rebates;
- redemption fee: paid by redeemer or issuer depending on product;
- oracle fee: embedded in markets;
- dispute fee: paid by challenger, refunded if valid;
- liquidation fee: paid from liquidated account.
28.3 Treasury and Burn
The protocol should prioritize solvency over token value accrual. Fee burn is inferior to insurance funding until the system has a large loss reserve. A conservative allocation:
Governance may later adjust based on empirical loss data.
29. Mathematical Models
29.1 Compute Forward Pricing
Let \(S_t\) be spot compute price, \(r\) risk-free rate, \(u\) storage-like convenience yield for guaranteed availability, \(c\) carrying cost of collateral, and \(\lambda\) issuer credit spread. A forward price:
For compute, \(u\) may be positive when future availability is valuable. Unlike storable commodities, unused current compute cannot be stored, so the analogy is partial. The forward curve can be in backwardation during expected shortages.
29.2 Issuer Default
Issuer default occurs when deliverable capacity plus replacement capacity plus collateral is insufficient:
where \(Q_p\) is own deliverable capacity, \(R_p\) is replacement capacity purchasable under agreements, \(K_p\) is collateral, and \(O_p\) is obligations.
29.3 Over-Issuance Probability
Let redemption demand \(X\) be random. Provider capacity is \(Q\). If outstanding claims are \(O\), default probability over a window is:
If \(X \sim Binomial(O, \pi)\), then:
This supports reserve ratios based on redemption probability. However, \(\pi\) is not stable under crisis: when market distrust rises, holders redeem more. Stress models must assume correlated redemption.
29.4 Margin Model
For portfolio \(j\), loss over horizon \(h\):
Initial margin is:
Expected shortfall may be preferable:
29.5 Reputation
Issuer reputation score:
where \(Score\) includes redemption success, dispute rate, uptime, benchmark variance, collateral adequacy, and oracle confidence. Reputation affects collateral requirements:
29.6 Convenience Yield of Compute
For storable commodities, convenience yield reflects the value of holding inventory. Compute cannot be stored, but guaranteed access has an analogous value. Let \(L\) be loss from not obtaining compute during a critical window and \(q\) be probability of shortage without SCC. The convenience yield \(u_c\) can be approximated:
This explains why future compute claims may trade at high prices even when expected average spot prices are lower. The buyer is not only buying expected compute; it is buying reduction in tail risk.
29.7 Basis Risk Model
Let user workload require class \(\kappa^\ast\) and hedge instrument reference class \(\kappa\). Basis risk is:
where \(\beta\) is hedge ratio minimizing:
The optimal hedge ratio is:
If classes are weakly correlated, SCC derivatives are poor hedges. This supports granular compute classes despite liquidity fragmentation.
29.8 Issuer Capital Optimization
An issuer chooses outstanding claims \(O\) to maximize:
where \(K(O)\) is issuance price, \(C(Q)\) is capacity cost, and unredeemed claims may create upside. The protocol's role is to make \(E[Penalty(O)]\) sufficiently convex that excessive issuance is unattractive:
Convex penalties reflect the increasing social harm of large defaults.
29.9 Liquidation Cascade Model
Let price impact from liquidation amount \(x\) be:
with \(\gamma > 1\) in stressed markets. Liquidations reduce prices, which may trigger more liquidations. Stability requires:
If this condition fails, the system enters a cascade. Circuit breakers reduce \(\frac{d Liquidations}{dP}\) by slowing liquidation. Auction design reduces \(\frac{dP}{d Liquidations}\) by improving execution.
29.10 Insurance Solvency
For insurance fund capital \(K_I\), target solvency at confidence \(\alpha\):
Because losses are fat-tailed, expected shortfall is better:
The protocol should publish stress scenarios: top issuer default, regional outage, bridge collateral impairment, oracle halt, and combined market price shock.
30. Security
30.1 Cryptographic Assumptions
CCP assumes:
- collision-resistant hash functions;
- existentially unforgeable signatures;
- sound zero-knowledge proof systems;
- secure encryption for redemption tickets;
- honest-majority or threshold assumptions for oracle committees;
- consensus safety and liveness of the underlying blockchain;
- bridge threshold signer security for cross-chain assets.
Failure of these assumptions can compromise assets or confidentiality.
30.2 Smart Contract Security
Risks:
- reentrancy in collateral withdrawals;
- rounding errors in SCC accounting;
- oracle stale price usage;
- incorrect margin netting;
- claim double redemption;
- unsafe upgrade;
- governance timelock bypass;
- integer overflow in risk calculations;
- inconsistent class metadata.
Mitigations:
- formal invariants;
- property-based testing;
- independent audits;
- differential testing against reference models;
- strict access control;
- emergency pause scoped to new risk, not user exits;
- immutable accounting modules where possible.
30.3 Operational Security
Provider keys, oracle keys, and governance keys are critical. CCP requires hardware security modules, threshold signing, rotation procedures, and incident reporting.
31. Economic Attacks
31.1 Oracle Manipulation
Attack: manipulate thin SCC spot markets before settlement.
Mitigation: time-weighted median, venue filters, volume thresholds, confidence scores, fallback pricing, delayed settlement, and higher margin during thin periods.
31.2 Fake Compute
Attack: provider simulates delivery logs without providing useful compute.
Mitigation: user acceptance signatures, benchmark probes, remote attestation, random challenge workloads, telemetry commitments, and dispute slashing.
31.3 Data Center Default
Attack or event: provider cannot deliver due to power outage, hardware failure, insolvency, sanctions, or overbooking.
Mitigation: collateral, insurance, substitute capacity, reserve ratios, concentration limits, dynamic reputation, and public default state.
31.4 Over-Issuance
Attack: provider issues more claims than capacity supports.
Mitigation: capacity audits, oracle monitoring, collateral requirements, issuance limits, and severe slashing. Because audits can be fooled, collateral remains necessary.
31.5 Liquidity Crisis
Event: holders rush to sell or redeem SCCs. Prices gap down, collateral value falls, and liquidations cascade.
Mitigation: conservative haircuts, circuit breakers, auction liquidations, insurance backstop, and stress-tested margin.
31.6 Bridge Attacks
Attack: bridged collateral is minted without valid backing or withdrawals are forged.
Mitigation: bridge haircuts, caps on bridged collateral, proof verification, delayed withdrawals for large amounts, insurance exclusions for known bridge risk, and rapid governance pause.
31.7 Validator Collusion
Attack: validators censor disputes, reorder liquidations, or manipulate bridge operations.
Mitigation: encrypted transactions where possible, forced-inclusion channels where supported, external monitoring, social slashing, bridge caps, and migration procedures.
31.8 Flash Loan Attacks
Attack: borrow capital, manipulate SCC price or collateral ratio, trigger liquidation, repay.
Mitigation: TWAP oracles, minimum observation windows, liquidity-adjusted prices, per-block withdrawal limits, and proof of external market depth.
31.9 Settlement Manipulation
Attack: create artificial shortage during settlement window, buy options, profit from index spike.
Mitigation: broad price indices, provider quote inclusion, anti-self-dealing rules, position limits near expiry, and surveillance.
31.10 Compute Reservation Fraud
Attack: provider claims capacity reserved but sells it elsewhere.
Mitigation: cryptographic reservation commitments, random audits, penalties for failed redemption, reputation loss, and required replacement purchase.
31.11 Benchmark Gaming
Attack: provider tunes hardware and software for the benchmark suite while delivering poor performance on real workloads.
Mitigation: benchmark diversity, random hidden challenge components, user-reported performance samples, long-term variance penalties, and class definitions based on multiple metrics.
31.12 Governance Capture
Attack: a coalition obtains governance power and weakens collateral rules for related issuers, changes index methodology, or admits low-quality capacity.
Mitigation: timelocks, veto councils with narrow authority, quorum requirements, delegated risk committees with bonds, public risk reports, and non-retroactivity for outstanding claims.
31.13 Insurance Pool Drain
Attack: malicious issuers buy insurance, issue excessive SCCs, intentionally default, and extract payouts through related holders.
Mitigation: insurable interest requirements, issuer exposure caps, waiting periods, related-party disclosure, claim investigation, and reduced coverage for newly admitted issuers.
31.14 Privacy Abuse
Attack: privacy features hide concentration, related-party trading, or self-dealing.
Mitigation: aggregate public exposure proofs, selective disclosure to auditors, zero-knowledge compliance proofs, and rules excluding related-party trades from oracle formation.
31.15 Redemption Griefing
Attack: holders submit redemption requests and fail to appear, wasting provider scheduling capacity.
Mitigation: redemption bonds, cancellation penalties, reputation for redeemers, and provider right to release reserved slot after grace period.
31.16 Provider Hold-Up
Attack: provider waits until a holder urgently needs compute and then offers off-chain priority only for extra payment.
Mitigation: deterministic allocation rules, evidence submission, slashing for discriminatory scheduling, and user option to route through substitute pools.
31.17 Cross-Market Manipulation
Attack: trader manipulates SCC spot prices to profit on futures, options, loans, or insurance.
Mitigation: surveillance across markets, oracle filters excluding suspect trades, position limits near expiry, and margin add-ons for accounts with correlated manipulation incentives.
32. Formal Analysis
32.1 Safety Invariants
Invariant 1: Conservation of SCC supply.
Invariant 2: Collateral adequacy.
unless provider is in liquidation or default.
Invariant 3: No double redemption.
Invariant 4: Governance non-retroactivity.
Claims use the rules active at issuance unless an explicit emergency clause is invoked.
32.2 Liveness
The system should guarantee that a valid holder can eventually:
- transfer an unlocked SCC;
- submit redemption;
- receive delivery, substitute delivery, or compensation;
- challenge invalid delivery;
- exit collateral if no obligations remain.
Liveness depends on blockchain availability, oracle liveness, and provider response.
32.3 Game-Theoretic Sketch
Consider provider \(p\) choosing honest delivery \(H\) or default/fraud \(D\). Honest payoff:
Default payoff:
Honesty is incentive-compatible if:
Thus small providers with low future franchise value require higher collateral. Large reputable providers can be safer with lower collateral because reputation loss is meaningful, but only if reputation is observable and future profit is real.
32.4 Holder Redemption Game
Holders choose whether to redeem, sell, or hold until expiry. If they believe other holders will redeem and capacity is limited, redeeming early may dominate waiting. This can create a coordination problem.
Let payoff from early redemption be \(U_E\), waiting be \(U_W\), and selling be \(U_S\). If expected default probability increases with aggregate redemption \(R\):
then each holder's redemption increases stress on the issuer. The protocol reduces this by making allocation deterministic and by collateralizing non-delivery. If holders expect compensation to be credible, panic redemption is less attractive.
32.5 Oracle Bribery Condition
An attacker bribes oracle set \(B\) to report false value. Attack succeeds if corrupted weight exceeds threshold \(q\). Let bribe cost be:
Attack is deterred if:
This inequality must be evaluated under stress, not normal conditions. If token prices fall, stake value falls, reducing security. Oracle stake should therefore include stable or diversified collateral, not only volatile governance tokens.
32.6 Clearinghouse Solvency Sketch
Assume oracle prices are bounded within error \(\epsilon\), liquidation price impact is bounded by \(I(x)\), and margin equals worst-case loss over liquidation horizon plus buffer:
Then, for independent defaults whose aggregate liquidation amount is below stress bound \(X^\ast\), clearinghouse losses are covered by defaulter margin. If aggregate defaults exceed \(X^\ast\), insurance is required. This shows why margin cannot be calibrated only to ordinary volatility; it must include liquidation depth.
32.7 Non-Retroactivity Principle
Let claim \(c\) be issued under rule set \(R_t\). Governance later adopts \(R_{t+1}\). Economic safety requires:
unless \(c\)'s original terms include a state-contingent emergency clause \(E\) and \(E\) is activated under its own threshold. This prevents governance from expropriating holders or issuers after prices move.
33. Regulatory Considerations
CCP instruments may be treated differently across jurisdictions. Possible classifications include commodity forwards, derivatives, securities, prepaid service credits, stored value, insurance, or lending products. The protocol cannot assume uniform treatment.
Design implications:
- permissioned claim classes may be necessary;
- issuer disclosures should be standardized;
- retail leverage may require limits;
- options and swaps may require regulated venues;
- insurance pools may require licensing;
- cross-border compute may implicate export controls;
- privacy features must support lawful selective disclosure without making all activity public.
This paper does not provide legal advice. It specifies protocol mechanisms that can support compliant deployments.
33.1 Service Credit Versus Derivative
An SCC redeemable only for compute may resemble a prepaid service credit. A cash-settled future on a compute index may resemble a derivative. A tokenized basket of SCCs may resemble a fund interest. The protocol should not assume one legal classification. Instead, product modules should declare:
- redemption rights;
- cash settlement rights;
- leverage;
- transfer restrictions;
- eligible holders;
- issuer disclosures;
- dispute forum;
- governing law if applicable.
33.2 Privacy and Compliance
Confidential settlement does not imply absence of compliance. Viewer passes and selective disclosure can allow auditors, counterparties, or regulators to inspect relevant activity. The design goal is data minimization: reveal what is necessary to authorized parties, not all positions to the public.
33.3 Export Controls and Restricted Compute
High-end compute may be subject to export controls or customer restrictions. Compute class metadata may need jurisdiction tags. Transfer hooks can prevent restricted SCCs from moving to ineligible accounts. This is a limitation on fungibility, but ignoring it would make real issuer participation less likely.
34. Open Research Problems
- Benchmark design for AI compute classes without encouraging overfitting.
- ZK proofs for workload-independent performance without excessive overhead.
- Privacy-preserving capacity audits.
- Pricing models for perishable compute under correlated demand shocks.
- Oracle design for private provider capacity.
- Regulatory treatment of transferable compute credits.
- Cross-chain collateral risk quantification.
- Market design for expiring semi-fungible assets.
- Mechanisms preventing providers from selling reserved capacity twice.
- Formal verification of clearinghouse netting across SCC classes.
- Efficient validity proofs for private liquidation without revealing full portfolios.
- Mechanism design for redemption queues under strategic holder behavior.
- Measurement of compute class correlation for cross-margining.
- Insurance pricing under correlated provider defaults.
- Governance structures that preserve non-retroactivity while allowing emergency action.
- Bridge-independent collateral models for institutions unwilling to accept cross-chain signer risk.
- Reliable detection of related-party trades in privacy-preserving markets.
- Standard accounting treatment for tokenized compute claims.
35. Future Extensions
Future versions may add:
- compute indexes by region, accelerator class, and model workload;
- exchange-traded compute funds;
- structured notes;
- real-time inference capacity markets;
- decentralized broker routing across providers;
- integration with model training schedulers;
- automated agents that procure compute based on budgets;
- renewable-energy-tagged compute credits;
- confidential institutional block trading;
- cross-chain SCC wrappers with risk-aware haircuts.
Another extension is machine-to-machine procurement. Autonomous agents may hold budgets and buy SCCs when expected workload value exceeds price. This requires spending limits, identity controls, and policy engines so agents cannot create unbounded obligations.
The protocol may also support compute-to-data co-settlement. Some workloads need both compute and licensed data access. A future claim could bundle SCCs with data-use rights, but this introduces intellectual property and privacy issues beyond the current scope.
Finally, CCP could interoperate with energy markets. Since compute delivery depends on electricity, providers may hedge power costs and attach renewable-energy attributes to compute classes. This should be treated carefully. A renewable compute credit is only meaningful if energy attributes are independently verified and not double-counted.
36. Conclusion
Compute finance follows if computation is scarce, measurable, standardized, and demanded across time. AI strengthens each condition. Users want future availability and price certainty. Providers want financing and utilization planning. Traders and insurers can intermediate risk. A protocol can make these claims transferable if it defines the unit, lifecycle, collateral, oracle, redemption, and default procedures.
CCP proposes such a protocol. It does not claim that compute is homogeneous or that all workloads can be reduced to a single metric. It instead defines a class-based system where basis risk is explicit, issuer risk is collateralized, and delivery is governed by transparent rules. Blockchain settlement can enforce ownership, collateral, liquidation, and redemption state, but it does not remove the hard problems. The core risks remain physical delivery, oracle truth, issuer solvency, bridge security, governance discipline, and legal classification.
If the protocol is correct, compute markets can evolve from provider-specific cloud contracts into a layered capital market: spot credits, futures, options, swaps, lending, insurance, and indexes. This is not a claim of inevitability in timing or implementation. It is a claim about economic structure. When a scarce productive input can be measured and delivered under standard rules, financial claims on that input tend to emerge. CCP is a proposed settlement layer for that emergence.
Appendix A — Algorithms
A.1 Issuer Admission
algorithm AdmitIssuer(application):
verify identity(application.provider)
verify signingKeys(application.keys)
auditReport = requestAudit(application.capacity)
benchmarkReport = runBenchmarks(application.hardware)
riskScore = RiskCommittee.score(
auditReport,
benchmarkReport,
financials=application.financials,
history=application.history
)
if riskScore < MIN_SCORE:
reject
limit = computeIssuerLimit(riskScore, auditReport.capacity)
collateralRatio = computeCollateralRatio(riskScore)
IssuerRegistry.add(provider, limit, collateralRatio, ACTIVE)
A.2 Redemption
algorithm Redeem(holder, sccId, units, window, encryptedTicket):
require SCC.ownerOrApproved(holder, sccId)
require SCC.availableUnits(sccId) >= units
require now <= SCC.lastRedeemTime(sccId)
SCC.lock(holder, sccId, units)
requestId = hash(holder, sccId, units, encryptedTicket, nonce)
RedemptionRouter.store(requestId, LOCKED)
notifyIssuer(SCC.issuer(sccId), requestId, encryptedTicket)
return requestId
A.3 Delivery Finalization
algorithm FinalizeDelivery(requestId, deliveryProof):
req = RedemptionRouter.get(requestId)
require req.state == LOCKED
require OracleAggregator.verifyDelivery(req, deliveryProof)
if challengePeriodOpen(requestId):
req.state = PENDING_FINALITY
else:
SCC.burnLocked(req.sccId, req.units)
decrementOutstanding(req.issuer, req.class, req.window, req.units)
req.state = REDEEMED
A.4 Liquidation
algorithm Liquidate(account):
equity = Clearinghouse.equity(account)
maintenance = RiskEngine.maintenanceMargin(account)
if equity >= maintenance:
return NOT_LIQUIDATABLE
lot = RiskEngine.partialLiquidationLot(account)
auction = LiquidationEngine.startDutchAuction(account, lot)
while auction.open:
bid = receiveBid()
if bid.price >= auction.currentPrice():
executeBid(bid)
updateAccount(account)
if Clearinghouse.equity(account) >= maintenance:
stop
A.5 Oracle Aggregation
algorithm Aggregate(feed, reports):
valid = []
for report in reports:
if verifySignature(report.oracle, report.value, report.time):
if not stale(report.time):
valid.append(report)
median = weightedMedian(valid.values, valid.weights)
trimmed = [r for r in valid if abs(r.value - median) <= THETA(feed)]
output = weightedMedian(trimmed.values, trimmed.weights)
confidence = computeConfidence(trimmed, valid)
OracleAggregator.publish(feed, output, confidence)
Appendix B — Mathematical Definitions
Definition B.1. Compute Class. A compute class is a tuple:
with accelerator benchmark \(a\), memory \(m\), interconnect \(i\), network \(n\), software environment \(\sigma\), region \(r\), energy attribute \(e\), and reliability \(\rho\).
Definition B.2. Claim. A claim is:
Definition B.3. Valid Issuance. An issuance is valid iff:
Definition B.4. Default. A provider is in default for class \(\kappa\) and window \(W\) if it fails to deliver, substitute, or cash settle valid locked claims after cure period \(g\).
Definition B.5. Solvent Clearinghouse. The clearinghouse is solvent if:
under conservative oracle prices.
Appendix C — State Machines
C.1 Issuer State Machine
C.2 Market State Machine
C.3 Dispute State Machine
Appendix D — Economic Proof Sketches
D.1 Why Standardization Creates Liquidity
Suppose there are \(n\) bilateral compute contracts, each with unique terms. A market maker must price \(n\) instruments and cannot net inventory. If contracts are standardized into \(k \ll n\) classes, inventory can be netted within each class. Required capital falls with netting:
instead of:
If positions are imperfectly correlated but nettable, the standardized market supports tighter spreads.
D.2 Why Providers Issue
A provider with fixed capacity cost \(F\), marginal operating cost \(c\), and uncertain future spot price \(P_T\) can sell SCCs today at price \(K\). Issuance is rational if:
Risk-averse providers may issue even below expected spot price because they reduce utilization uncertainty.
D.3 Why Users Buy
A user with compute-dependent project payoff \(Y(C)\) and budget constraint values availability. If failure to obtain compute causes loss \(L\), willingness to pay includes insurance value:
Thus forward compute claims can trade above expected spot cost during shortage-prone periods.
D.4 Why Collateral Cannot Be Eliminated
Reputation alone fails for issuers whose one-time fraud payoff exceeds future profit. Let fraud payoff be \(B\), future reputation value \(R\), and legal cost \(L\). Reputation deters fraud only if:
For new or thinly capitalized issuers, \(R\) may be low. Collateral adds immediate loss \(K\):
Therefore collateral is necessary for permissionless or semi-permissionless issuer expansion.
Appendix E — Smart Contract Interfaces
interface IComputeClassRegistry {
struct ComputeClass {
bytes32 classId;
bytes acceleratorClass;
uint256 minMemoryGb;
bytes interconnectClass;
bytes softwareCommitment;
bytes region;
uint256 reliabilityBps;
bool active;
}
function registerClass(ComputeClass calldata cls) external returns (bytes32);
function setClassStatus(bytes32 classId, bool active) external;
function getClass(bytes32 classId) external view returns (ComputeClass memory);
}
interface IIssuerRegistry {
enum Status { NONE, APPLICANT, ACTIVE, WATCHLIST, SUSPENDED, DEFAULTED, REMOVED }
function admitIssuer(address issuer, bytes32[] calldata classIds) external;
function setIssuerLimit(address issuer, bytes32 classId, uint256 units) external;
function setStatus(address issuer, Status status) external;
function issuerStatus(address issuer) external view returns (Status);
function issuerLimit(address issuer, bytes32 classId, uint64 window) external view returns (uint256);
}
interface ISCC {
function mint(
address issuer,
address to,
bytes32 classId,
uint64 window,
uint256 units,
bytes calldata terms
) external returns (uint256 tokenId);
function lockForRedemption(uint256 tokenId, uint256 units, bytes32 requestId) external;
function burnRedeemed(uint256 tokenId, uint256 units) external;
function unitsOf(uint256 tokenId) external view returns (uint256);
}
interface IRedemptionRouter {
enum RedemptionState { NONE, LOCKED, SCHEDULED, DELIVERED, DISPUTED, REDEEMED, DEFAULTED, CASH_SETTLED }
function requestRedemption(
uint256 tokenId,
uint256 units,
uint64 preferredStart,
uint64 preferredEnd,
bytes calldata encryptedTicket
) external returns (bytes32 requestId);
function submitDeliveryProof(bytes32 requestId, bytes calldata proof) external;
function dispute(bytes32 requestId, bytes calldata evidenceCommitment) external payable;
function finalize(bytes32 requestId) external;
}
interface IOracleAggregator {
enum FeedType { PRICE, CAPACITY, DELIVERY, BENCHMARK, CREDIT }
function submitReport(
FeedType feedType,
bytes32 subject,
uint256 value,
uint64 timestamp,
bytes calldata signature
) external;
function latest(FeedType feedType, bytes32 subject)
external
view
returns (uint256 value, uint64 timestamp, uint256 confidenceBps);
}
interface IClearinghouse {
function depositCollateral(address asset, uint256 amount) external;
function withdrawCollateral(address asset, uint256 amount) external;
function openPosition(bytes32 marketId, int256 size, uint256 limitPrice) external;
function closePosition(bytes32 marketId, int256 size, uint256 limitPrice) external;
function accountEquity(address account) external view returns (int256);
function maintenanceMargin(address account) external view returns (uint256);
function liquidate(address account) external;
}
interface IInsurancePool {
function payPremium(bytes32 riskId, uint256 amount) external;
function fileClaim(bytes32 riskId, bytes calldata evidence) external returns (bytes32 claimId);
function approveClaim(bytes32 claimId, uint256 payout) external;
function poolSolvency() external view returns (uint256);
}
References
- Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System", 2008.
- Vitalik Buterin, "Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform", 2014.
- MakerDAO, "The Dai Stablecoin System", whitepaper and documentation.
- Jae Kwon and Ethan Buchman, "Cosmos: A Network of Distributed Ledgers", 2016.
- Gavin Wood, "Polkadot: Vision for a Heterogeneous Multi-Chain Framework", 2016.
- Hayden Adams, "Uniswap v2 Core", 2020.
- Aave Protocol documentation and risk framework.
- EigenLayer, "The EigenLayer Whitepaper", 2023.
- Black, Fischer and Myron Scholes, "The Pricing of Options and Corporate Liabilities", Journal of Political Economy, 1973.
- John C. Hull, "Options, Futures, and Other Derivatives".
- Darrell Duffie, "Dynamic Asset Pricing Theory".
- Paul Milgrom and Robert Weber, "A Theory of Auctions and Competitive Bidding", Econometrica, 1982.