Cowboy: A Layer‑1 Blockchain for Autonomous Agents

Note: This document provides complete technical specifications for Cowboy. For architectural rationale and design decisions, see the Design Decisions Overview. Changelog 2026‑06‑11 — consensus randomness and the runner‑selection seed are specified by the absolute‑round commonware threshold‑VRF Seed model (§Randomness, Part II §3.4, §5.3); normative selection algorithm: CIP-11 §9.2 as finalized by CIP-11 r1.3 (COW-2198 / cowboyinc/cowboy#152, in flight at the time of this erratum; until it lands, this erratum supersedes the pre‑r1.3 CIP-11 §9.2 v2 seed) (COW-2200).

​

Abstract

​

Introduction

​

Architectural Overview

​

Terminology

• Actor: A Python program with persistent key/value state and a mailbox.
• Message: A datagram delivered to an actor handler.
• Cycle: Unit of metered on‑chain compute.
• Cell: Unit of metered bytes (1 cell = 1 byte).
• Runner: Off‑chain worker that executes a job and returns an attested result.
• CBFS (Cowboy File System) / attachable volume: Distributed encrypted object storage: Runners read and write volumes via a client library (FUSE + QUIC); storage nodes see ciphertext only. CapTokens bind mount rights to a Runner address; manifest roots are anchored on-chain at the Storage Manager system actor (0x0A, §9).
• CBSS (Cowboy Secret Service): Threshold-encryption service that releases an account’s secrets to authorized Runners without ever exposing plaintext on-chain (Secrets Manager system actor, 0x04, §9).
• Entitlement: A permission governing an actor’s or runner’s capabilities.
• GBA: Gas Bidding Agent — an actor that dynamically bids for timer execution on behalf of another actor.

​

Key Features

• Deterministic Python Actors. Smart contracts on Cowboy are actors: Python programs with private state, a mailbox for asynchronous messages, and chain‑native timers. Actors execute in a sandboxed Python VM (PVM) pinned to Python 3.11.8 with deterministic floating‑point (softfloat), disabled GC, fixed hash seed, and a whitelisted module set. Reentrancy is depth‑capped to 32; per‑call memory is bounded at 10 MiB.
• Native Timers & Scheduler. Actors schedule their own future execution via set_timer and set_interval without external keeper infrastructure. The scheduler indexes timers by their target block height (FIFO within a bucket) and uses a per-fire fee_payer model that pre-charges gas at fire time and refunds the unused remainder. A future EIP-1559 hybrid (Tier-3 governance-activated) layers a timer-lane basefee, a priority tip, and a per-actor fairness weight on top. Anti-DoS measures include the per-fire pre-charge, a non-refundable per-timer scheduling cost, a max_timers_per_actor = 1,024 cap, and a dedicated 20%-of-block timer execution lane.
• Verifiable Off‑Chain Compute. A decentralized Runner marketplace executes jobs (LLM inference, HTTP fetches, MCP tools, custom compute, container batch jobs) off‑chain. Jobs MAY mount encrypted volumes backed by CBFS. Runners stake CBY and are selected via VRF. Results are verified under developer‑selected trust models: N‑of‑M quorum, economic bond, TEE attestation, structured matching, semantic similarity, or ZK‑proofs (planned). A commit‑reveal protocol with a 15‑minute challenge window and slashing enforces honesty. Container images MUST appear in the on-chain Container Image Registry unless a governed TEE exception applies.
• Dual‑Metered Gas. Two independent fee markets price computation (Cycles) and data (Cells) separately. Each meter uses a basefee that adjusts dynamically with demand and is burned; tips go to proposers. This prevents cross‑subsidization between compute‑heavy and storage‑heavy workloads.

​

Differences vs. Ethereum

​

Accounts and State

• External Accounts (EOAs): Controlled by private keys. They initiate transactions and hold balances of CBY and other assets. Key management may be abstracted via passkeys or other WebAuthn‑compatible mechanisms in a future revision.
• Actors: Autonomous Python programs executed in the PVM. Actors own storage, receive messages, and can send messages to other actors.

​

Transactions and Message Passing

​

Native Timers and the Actor Scheduler

​

5.1a Currently Implemented

• Storage: timers are indexed by height; same-height bucket is FIFO by insertion order (no priority queue, no tiered calendar).
• Per-fire fee_payer model. Each timer records who pays (fee_payer), how much gas per fire (gas_limit_per_fire), and when it gives up (expires_at). At end-of-block the protocol pre-charges max_cost = gas_limit_per_fire × cycle_basefee + max_cells × cell_basefee from fee_payer, executes the handler, refunds unused gas, and removes the timer. Insufficient-funds or TTL-expired timers self-destruct without firing.
• Three-path lifecycle: natural fire / TTL expiry / insufficient-funds self-destruct, plus explicit cancel_timer and validator-set SYS_CANCEL_TIMER.
• Lane separation: LANE_TIMER_CYCLES = 8,888,890 (execution lane, ~11% of the block cap) is separate from TIMER_GC_CYCLES (cleanup lane) so a TTL-expiry storm cannot starve live execution.
• Per-actor limit: max_timers_per_actor = 1,024 active timers (default, governance-tunable).
• Per-fire caps: max_cycles_per_fire = 550,000, max_cells_per_fire = 550,000.
• Same-block prohibition: timers created in the current block MUST NOT fire in the same block.

​

5.1b Target Design (EIP-1559 hybrid)

• Timer-lane EIP-1559 basefee. A per-block basefee is maintained against LANE_TIMER_CYCLES utilisation; target 50%, max change ±12.5% per block; 100% of the lane basefee is burned.
• Priority tip. Each schedule_timer call accepts (max_fee_per_cycle, max_priority_fee_per_cycle). The effective priority is min(max_priority_fee_per_cycle, max_fee_per_cycle − lane_basefee). Tips go to the block proposer.
• Per-actor fairness weight W(actor) ∈ [1, 2] computed over a 1,000-block rolling window: actors at or below the network-median fire rate get W = 2 (maximum boost); actors at 2× median or above get W = 1. Inclusion ordering: priority_per_cycle × W(actor).
• Per-timer cycle cap during auction phase: MAX_CYCLES_PER_FIRE_AUCTION_PHASE = 250,000 (= 12.5% of the lane), preventing any single timer from monopolising. The 550k FIFO-phase cap remains in force during the FIFO phase.
• Default GBA: max_fee_per_cycle = 2 × lane_basefee; max_priority_fee_per_cycle = previous_block_p50_priority_tip_per_cycle. SDKs expose a priority_tier_hint ∈ {economy, standard, fast, urgent} mapping to multipliers {0.8×, 1.0×, 1.5×, 2.5×} on the priority fee.
• Lane fee multiplier: 1.0× at genesis (no subsidy), Tier-0 tunable.
• All FIFO-phase invariants retained: Tx-then-Timer block ordering, per-fire fee_payer pre-charge + refund (the priority tip extends max_cost but does not change the mechanics), three-path lifecycle, lane separation, system-instruction opcodes 48/49/50, same-block prohibition.

​

DoS Prevention (both phases)

​

Asynchronous Execution and Multi‑Block Semantics

​

Single‑Block Atomicity

​

Why No Cross‑Block Transactions

​

Message‑Passing Continuation Model

​

The Cowboy Actor VM (PVM)

​

Determinism Guarantees

• No JIT compilation — pure interpretation mode only.
• Deterministic memory management via reference counting. The cyclic garbage collector is disabled; creating reference cycles MUST raise DeterminismError.
• Fixed recursion limit: 256 (integrated with cycle metering).

• All floating‑point operations use a cross‑platform software math library (softfloat), not the host FPU.
• Transcendental functions (sin, cos, log, exp, etc.) use deterministic softfloat implementations.
• If the decimal module is used, it MUST use fixed rounding mode (ROUND_HALF_EVEN) and fixed precision.

• PYTHONHASHSEED fixed to 0.
• dict iteration is insertion‑ordered (deterministic per Python 3.7+).
• Built‑in set and frozenset are replaced with ordered_set from cowboy_sdk.collections (transparent to user code).

• All data crossing a trust boundary MUST use its declared canonical encoding (deterministic: one value ⇒ exactly one byte string, strict decode), per that boundary’s specification:
  • Chain consensus types (transactions, blocks, instructions, account/actor/mailbox state, receipts) use the canonical commonware‑codec binary encoding (§2.5, Appendix A) — ordered fields, minimal varints, strict decoders. (This is the normative encoding for everything hashed into a block/state/receipt root.)
  • SDK ↔ runtime CBOR uses the CIP‑6 §11.5 profile; connectivity uses the CIP‑11 §4.2.1 profile. Where a sub‑spec pins a CBOR profile, that profile governs that boundary.
• Indefinite‑length containers, non‑minimal integers, and floats are forbidden in any canonical encoding. pickle is forbidden. JSON output (non‑canonical surfaces only) MUST use sort_keys=True, separators=(',', ':').

​

Storage and State Persistence

1. The Ledger: Append‑only log of blocks — the sequential, historical source of truth.
2. The Triedb: An authenticated Merkle trie (QMDB) generating a verifiable state_root per block via blake3, holding all account, code, and storage state. (Transaction and receipt roots use keccak256.)
3. Auxiliary Indexes: Rebuildable, read‑optimized tables for transaction hashes, event topics, etc. Not part of the consensus‑critical state root.

​

Pricing: Cycles and Cells

• Cycles measure compute: Python operations and host calls each have a fixed cost defined in a consensus‑critical cost table. Cycles resemble Erlang reductions — a budget of discrete steps bounding handler execution.
• Cells measure bytes: calldata, return data, blobs, and storage writes all consume cells (1 cell = 1 byte).

​

Off‑Chain Compute: The Runner Marketplace

1. Post: Actor submits a job with escrowed price, resource bounds, and trust model.
2. Assign: A committee of M runners is selected via VRF from eligible (staked, healthy) runners.
3. Commit: Runners return commit = keccak256(output || salt).
4. Reveal: Runners reveal {output, salt, proof?}.
5. Challenge: A 15‑minute window opens; challengers post a 100 CBY bond.
6. Resolve: Proven dishonesty triggers slashing; operational failures result in reputation penalties only.
7. Payout: 89% of job payment to runner(s), 10% burned, 1% to Treasury.

​

Runner Resource Accounting

​

LLM Result Verification

​

External Data and Oracle Semantics

​

Randomness

​

Consensus and Networking

1. Propose: Current proposer (selected by VRF, weighted by stake) broadcasts a block.
2. Vote: Validators vote; signatures are buffered and batch‑verified at quorum (2f+1).
3. Certify: A Quorum Certificate (QC) is formed from 2f+1 votes.
4. Finalize: A block is final when its direct child has a QC (two‑chain commit).

​

Validator Set

​

Staking and Rewards

​

Slashing

​

Network Layer

​

Dedicated Lanes

​

MEV Reduction

​

Data Availability, State Rent, and Storage

​

Inline Data vs. Blobs

​

State Rent

​

Grace Period and Eviction

• Grace period (7 rent‑epochs): Actor remains fully functional; flagged as “rent overdue”; catch‑up fee accumulates (10% of missed rent).
• Warning period (3 rent‑epochs): Actor flagged as “eviction imminent”; events emitted to alert dependent actors.
• Eviction (after 10 rent‑epochs of unpaid rent — 7 grace + 3 warning): Actor storage and active timers are pruned. Code, address, balance, and storage root hash are preserved. The actor enters a “dormant” state.

​

Storage Quotas

​

The State Transition Function

1. Header/Proposer: Determined by Simplex; R derives from the parent QC.
2. Execute Transactions: Per‑lane selection, then VRF ordering. Lane selection applies the dedicated per‑lane budgets defined in §6.3, with each lane’s basefee scaled by its governance‑tunable lane_fee_multiplier. For each transaction: validate signature, nonce, and balance; initialize meters; dispatch to target (fanout ≤ 1,024, reentrancy depth ≤ 32); enforce memory (10 MiB), mailbox (≤ 1,000,000 bytes), and storage quotas; deduct fees and burn basefees.
3. Deliver Timers: Inject due timers at height(B).
4. Resolve Jobs: Process commitments, reveals, challenges, and payouts.
5. Adjust Basefees: Update (bf_c, bf_b) based on block utilization.
6. Mint Rewards: Distribute per‑block inflation to validators.

​

Normative Conventions

​

1. Accounts, Addresses, and Keys

​

2. Transaction Types & Encoding

• chain_id is bound into the signing hash (replay protection); a node MUST reject a tx whose chain_id does not match its own.
• from is the 20‑byte sender; additional_signers is a (possibly empty) list of (address, signature) pairs that MUST be strictly ascending by address (no duplicates).
• origin_tx_hash/origin_remaining_* are present only on system‑injected deferred txs (which are not signature‑verified); they are absent on ordinary signed txs.
• access_list is optional and reserved (v1: always absent / null, not enforced; reserved for future parallel‑scheduling/prefetch). metadata is caller‑attached bytes (bound into the signing hash).

• Scalar u64 fields (chain_id, nonce, the gas/fee fields) use a minimal varint (UInt); collection lengths use a varint length prefix. Fixed‑width values (the 20‑byte from/addresses, the 65‑byte signature = r‖s‖v, 32‑byte digests) are raw bytes. Option<T> is a 1‑byte tag (0x00 = absent, 0x01 = present, followed by the value). Vec<T> / byte strings are a varint length prefix followed by the elements. Instruction is [category, sub_type, body] (e.g. Transfer = System(0) Transfer(1) to(20B) amount(8‑byte big‑endian u64)).
• The encoding is canonical: every transaction has exactly one valid byte encoding. Decoders MUST be strict — reject non‑minimal varints, non‑{0,1} option/bool tags, unknown enum discriminants, and trailing bytes — so decode(encode(tx)) = tx and encode(decode(b)) = b.
• The signing hash MUST be keccak256(canonical_encode(Tx_without_signatures)) — the canonical encoding with the primary signature and every additional_signers signature zeroed (signer addresses retained). The transaction digest (its identity / BMT leaf) is the same value, so the identity is signature‑independent. Every signer signs this hash.

​

3. Execution Model (Actors)

• Official SDKs: Python SDK. The runtime MUST enforce determinism:
  • Allowed operations: Standard Python operations, file I/O limited to /tmp; async/await is syntax sugar only and does not suspend across blocks.
  • Forbidden: sys.exit(), random module (except chain VRF), time.time()/datetime.now(), os.environ access, socket/network operations, subprocess calls, path traversal outside /tmp.
  • Floating point: Permitted; Cowboy provides a deterministic math library.
  • Scratch space: /tmp MUST be per‑invocation, capped at 256 KiB (counts toward cells_used), wiped post‑handler.

• Per‑call memory limit: 10 MiB heap memory.
• Per‑actor persistent storage quota: 1 MiB (governance‑tunable) with state rent (§4.4).
• Quota extensions: An actor MAY post a storage bond up to 8 MiB total; rent applies to the full allocated quota.

• Delivery: Exactly‑once after finality (before finality: at‑least‑once). Each message ID MUST be keccak256(sender||nonce||msg_hash) and recorded in a per‑actor dedup set (counts toward actor storage or a separate metered mailbox store). Dedup entries MUST be retained for at least dedup_window after finality.
• Mailbox: Capacity 1,000,000 bytes (or equivalent cell‑metered limit); enqueue beyond the limit MUST revert.
• Per‑tx fanout: A transaction (including all nested sends) MUST NOT enqueue more than 1,024 messages.
• Reentrancy: Allowed within a single block only; there is no synchronous call/return across blocks. Recursion/await depth cap = 32.
• Timers (chain‑native): The following timer primitives are provided:
  • timer_id = set_timer(height, handler, data) — Schedule a one-time timer for the specified block height. Returns a unique timer_id.
  • timer_id = set_interval(every_n_blocks, handler, data) — Schedule a recurring timer. Returns a unique timer_id.
  • cancel_timer(timer_id) — Cancel a pending timer by its ID. Returns the deposit if successful.
  • Timer delivery is best‑effort; execution depends on the timer scheduler (see §5.1a for current rules and the same-block-prohibition rule).

• Consensus MUST produce a threshold‑BLS VRF seed per round: Seed { round: Round(epoch, view), signature }, where signature is the epoch threshold signature over the absolute round encoding (commonware’s canonical Round codec; see CIP-11 §9.2), verifiable against the epoch’s threshold public key. Exactly one valid seed exists per absolute round (notarized, finalized, or nullified). Seeds are identified by absolute Round(epoch, view); implementations MUST NOT address a seed by block height and MUST NOT derive the beacon from a parent QC.
• Actors MAY call an API which returns HKDF(R, label), where R is the execution‑readable parent beacon of the executing block — the verified seed of the absolute round immediately preceding the executing block’s proposal round. A round’s own seed MUST NOT affect execution in that same round.

• Exact metering is consensus‑critical; implementers MUST match the reference cost table.

​

4. Fees, Metering, and Basefee Adjustment

• Cycles: Deterministic step count over Python operations + host calls.
• Cells: Bytes used by calldata, return data, inline blobs (≤ 64 KiB), and /tmp.

• T_c (cycles target): 20,000,000 cycles; the per-block hard cap is 80,000,000 (the sum of the four lane budgets, §6.3).
• T_b (cells target): 4,000,000 bytes.

​

5. Off‑Chain Compute

1. Post: Actor posts a job with escrowed price.
2. Assign: A committee of M runners is sampled. The committee is sized adaptively: M = clip(ceil(2·log₂(N_active) / max(HHI, 0.01)), 3, 9), N = ceil(2M/3), recomputed per epoch (M=5, N=3 was the initial fixed fallback). LLM jobs MAY use committees or single-runner. Selection is stake‑weighted Fisher‑Yates VRF with weight w = stake · sqrt(reputation). Aggregator is uniformly drawn from committee members with reputation ≥ p50 (target). Aggregator receives 1.5% of gross job payment from the runner share on successful settlement. The selection draw is seeded by the verified commonware threshold seed of a named absolute round under domain cowboy-runner-select-v3: (never a block hash or height‑anchored beacon): single‑runner jobs select immediately in the submission block from the parent beacon; multi‑runner committees bind in the submission block and select from the seed of the absolute future round advance_round(r_submit, K) (commit‑then‑reveal; CIP-11 §9.2).
3. Commit: Runner returns commit = keccak256(output||salt).
4. Reveal: Runner reveals {output, salt, proof?}.
5. Challenge: A challenge window of 15 min is opened, requiring a 100 CBY bond.
6. Resolve: Proven dishonesty ⇒ stake slashing via challenge mechanism. Operational failures (timeouts, crashes) result in reputation penalties only.
7. Payout: On finalization, 89% of job payment to runner(s), 10% burned, 1% to Treasury.

​

6. Consensus, Randomness, and Networking

• Timer and runner lanes prevent user transaction spam from blocking autonomous actor execution
• Unused capacity in higher-priority lanes cascades to lower-priority lanes
• Each lane’s basefee is lane_basefee = global_basefee × lane_fee_multiplier. All four multipliers default to 1.0× at genesis (no subsidy, no surcharge) and are Tier-0 governance-tunable.

order_key = VRF(proposer_key, tx_hash, block_height)

• Front-running (limited observation time)
• Sandwich attacks (high risk of failed execution)
• Time-bandit attacks (chain never reorgs past finality)

​

7. Data Availability & Blobs

• Inline blobs (≤ 64 KiB, stored in the state trie) live as part of the owning actor’s storage and are subject to the same state rent as any other state (§4.4 / the State Rent section); they disappear only when the owner overwrites/deletes the value or the owning actor is evicted for unpaid rent.
• CBFS‑stored blobs (the off‑chain shard layer) persist until the owner explicitly deletes them or the owning account is evicted. There is no background expiry sweep over live blobs.
• Orphaned shards — previous shard versions left behind after a new manifest commits (CIP‑9’s write_id keeps old shards retrievable for rollback) — are the one garbage‑collected class: relay nodes prune them after ORPHAN_SHARD_TTL (86,400 blocks, ~24 h at 1s blocks; CIP‑9 §14).

​

8. Economics, Inflation, and Fees

​

9. System Actors & Precompiles

Note (normative — allocation rules):

1. The implementation’s system-actor registry (node, runner/src/system_actors.rs) is the source of truth for every address with code-deployed or code-reserved status; this table MUST track it.
2. On a collision between specification claims, a deployed claim wins. Among undeployed claims, the earlier (lowest-numbered) specification’s claim wins; the losing specification MUST renumber to the next free slot.
3. A specification that introduces a new system actor MUST claim the next free address in the dense sequence (0x14 next, as of this revision) and MUST update this table in the same change.
4. The full low-address space below 0x100 is reserved in the sense of state-rent exemption (RESERVED_SYSTEM_ADDRESS_LIMIT): actors below it are exempt from rent. User actors cannot land there because deployed addresses are CREATE2-derived from (deployer, salt, code_hash) — the band is unreachable by construction rather than actively rejected. The PVM separately rejects the dense system band 0x01–0x0F for fee_payer overrides; 0x1D sits deliberately outside that enforced band (see its row).

Field-level instruction schemas, registry semantics, and on-chain encodings for each system actor are elaborated in the CIP series.

​

10. Developer Experience (DX)

• SDKs: A primary Python SDK (cowboy-py) is provided.
• Local dev: A suite of tools including a single-node devnet (cowboyd), runner simulator, faucet, and explorer will be available.
• Best practices: Reentrancy guards, capability-scoped handles, and idempotent message handling are encouraged via the SDK.

​

11. Governance & Upgrades

• Model: Token‑weighted on‑chain governance from genesis (bicameral: staked CBY + validator one‑vote). A permanent Security Council 7‑of‑9 holds narrow emergency authority (cancel queued proposals during timelock, fast‑track Tier‑3 upgrades, circuit‑break a system actor with mandatory retroactive ratification). Tier values, quorums, deposits, voting windows, and Council scope will be elaborated in a future CIP.
• Timelocks: Standard actions 7 days; emergency fast‑track 6 hours.
• Upgrades: Hot‑code upgrades coordinated by governance.

​

12. Security Considerations

• max_tx_size = 128 KiB
• max_message_depth_per_tx = 32
• per_actor_per_block_cycles = 1,000,000 (burstable)

​

13. Parameters (Genesis Defaults)

​

13.1 Parameter Governance Registry

​

14. Differences vs. Ethereum

• Execution: Python actors vs. EVM contracts.
• Fees: Dual meters (cycles/cells) vs. single gas scalar.
• Timers: Native timers vs. external keepers.
• Off‑chain compute: Native verifiable Runner market (encrypted CBFS volumes, container jobs) vs. external oracles only.
• State: Rent with eviction vs. indefinite storage.

​

15. Entitlements

• Least privilege by default.
• Deterministic enforcement.
• Declarative & composable.
• Auditable on-chain.

• Actor Entitlements: Permissions the actor requires.
• Runner Entitlements: Capabilities the runner provides.

1. MUST: Actors require entitlements; runners provide them.
2. MUST: Scheduler matches only if requires ⊆ provides.
3. MUST: Syscalls fail if the corresponding entitlement is missing.
4. MUST: Child actors only inherit entitlements marked inheritable:true.

​

16. Ethereum Interoperability

​

16.1. Account Unification

• Cowboy external accounts (EOAs) MUST use the same secp256k1 elliptic curve for signatures as Ethereum. This allows a single private key to control accounts on both networks, simplifying key management for users and agents.
• An actor, through a host call, MAY verify an EIP-712 signed data structure against a given Ethereum address, enabling actors to validate off-chain authorizations from Ethereum users.

​

16.2. Bridge Infrastructure

• The bridge MUST support the locking of native ETH and ERC-20 tokens on Ethereum to mint a corresponding wrapped representation on Cowboy (wETH, wERC-20), and the reverse burn‑to‑unlock flow.
• The bridge MUST support generic message passing: a transaction on one chain triggering a message call to a designated recipient on the other.
• Bridge selection and integration are determined by governance. The protocol does not implement its own bridge validator set.

​

16.3. Event Subscription (Ethereum to Cowboy)

• Cowboy actors MAY subscribe to event logs emitted by specific contracts on the Ethereum blockchain.
• A system actor on Cowboy, EventListener (deferred; address to be assigned from the next free slot per the §9 allocation rules — 0x14 as of this revision), SHALL manage these subscriptions when implemented. This actor relies on the bridge validator set to act as a decentralized oracle, monitoring the Ethereum chain for specified events.
• When a subscribed event is confirmed (i.e., finalized on Ethereum), the EventListener actor MUST enqueue a message to the subscribing Cowboy actor, delivering the event’s topic and data as the message payload.
• The cost of this subscription service SHALL be paid by the actor in CBY, covering the gas fees incurred by the oracle validators on Ethereum.

​

16.4. Policy and Security

• All interoperability functions available to an actor, such as bridge_asset or subscribe_event, MUST be governed by the Entitlements system (§15).
• An actor’s deployment manifest MUST declare the specific Ethereum contracts it is permitted to interact with and the types of assets it is allowed to bridge, enforcing the principle of least privilege.

​

17. Fee Model Specification

​

17.1. Overview

1. On-chain execution — Cycles consumed by transaction processing
2. On-chain storage — Cells consumed by state writes + ongoing state rent
3. Off-chain services — Direct CBY payments to Runners (LLM, HTTP, MCP, containers, etc.) and Providers (blob storage)

​

17.2. Transaction Intrinsic Costs

Note: Intrinsic costs for other runner-related txs (e.g. JobSubmit payloads for HTTP, MCP, Container, VolumeAnchorManifest) will be enumerated in future CIPs as those transaction types are formalized.

​

17.3. Execution Costs (Cycles)

​

Opcode Costs

​

Actor API Costs

The authoritative per-opcode cost schedule and its update procedure will be elaborated in a future CIP.

​

Platform Token Costs

​

17.4. On-Chain Storage Costs (Cells)

​

17.5. State Rent

rent_per_rent_epoch = max(0, account_size - grace_threshold) × rent_rate

Parameters:
  grace_threshold           = 10,240 bytes (10 KB)
  rent_rate                 = 0.001 CBY/byte/year (Tier-0 tunable)
  rent_epoch_length         = 86,400 blocks (~1 day at 1s blocks)
  eviction_threshold_epochs = 10
  rent_catchup_bps          = 1,000 (= 10% catch-up penalty)

• Accounts ≤10 KB: No rent charged
• Accounts >10 KB: Rent charged on excess bytes only
• Unpaid rent accumulates as debt against the account (rate-stamped to the epoch the debt was incurred; rate hikes apply prospectively only)
• Eviction after 10 rent-epochs of accumulated debt (state archived; recoverable on debt repayment plus 10% catch-up fee)

​

17.6. Off-Chain Blob Storage

​

17.7. Off-Chain Compute (Runner Marketplace)

Field-level JobSpec / RateCard / verification-mode schemas, and the full runner-marketplace state machine, will be elaborated in future CIPs.

​

17.8. Fee Adjustment (EIP-1559 Style)

basefee_{x,i+1} = max(MIN_BASEFEE, basefee_{x,i} × (1 + clamp((U_x - T_x) / (T_x × α), -δ, +δ)))

• α = 96 (BASEFEE_ALPHA — calibrated for 1-second blocks, vs Ethereum’s 8 for 12-second blocks)
• max change = ±1/96 (~1.04%) per block (BASEFEE_MAX_CHANGE_DENOM = 96)
• MIN_BASEFEE = 10,000 (floor; keeps the basefee in the geometric-update regime)
• clamp(v, -1/96, +1/96) caps the per-block adjustment

​

17.9. Reserved Capacity (Execution Lanes)

• Unused capacity in reserved lanes spills to User lane
• User lane cannot borrow from reserved lanes
• Timer lane has highest priority within its reserved capacity; execution is still subject to GBA bidding and per‑block limits
• Per‑lane Fee Multiplier scales the lane’s effective basefee (lane_basefee = global_basefee × lane_fee_multiplier); all four lanes default to 1.0× (no subsidy, no surcharge). Tier-0 governance-tunable.

​

17.10. Fee Estimation

def estimate_fee(tx):
    intrinsic_cycles = INTRINSIC_COSTS[tx.type]
    intrinsic_cells = len(tx.calldata)

    # Estimate execution cost (via simulation or heuristics)
    execution_cycles = simulate_execution(tx)
    execution_cells = estimate_storage_writes(tx)

    total_cycles = intrinsic_cycles + execution_cycles
    total_cells = intrinsic_cells + execution_cells

    # Apply current basefees
    cycle_fee = total_cycles * cycle_basefee
    cell_fee = total_cells * cell_basefee

    # Add priority tip
    priority_fee = (total_cycles * tip_per_cycle) + (total_cells * tip_per_cell)

    return cycle_fee + cell_fee + priority_fee

​

Appendix A. Transaction Encoding Test Vectors (Normative)

2a00000122222222222222222222222222222222222222220000000000000001d08603d086030101000019e7e376e7c213b7e7e7e46cc70a5dd086daff2a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

2a00000122222222222222222222222222222222222222220000000000000001d08603d086030101000019e7e376e7c213b7e7e7e46cc70a5dd086daff2a0000000000f0dc586dcb01db4f7507163068728c49d112610bfbcf3516ed32bd0fa05a45553f8e8a695b94f6d9aa7d34657002746f30ce22cadc141bceea3129610de3035b0100