Step 1 / 5 — Context
Distributed markets overcommit under partition.
Every known failure in distributed capacity markets traces to the same root: state diverges during partition, then reconciles additively. The system trusts local views. The system lies.
🏦 FTX — Balance Sheet Illusion
Customer deposits treated as liquid capacity. Merge semantics were additive. $8B overcommit, invisible until partition (withdrawal) exposed it.
🌡 Celsius Network — Liquidity Mismatch
Committed yields from future yield. Two claims on the same capacity. No conservation invariant. Converged to bankruptcy.
☁️ AWS Regional Outages — Cascading Dependency
Capacity reservation graph had no monotone merge. Reconnect events triggered thundering herd. Safety was policy, not structure.
The invariant we enforce
∀t, ∀network conditions:
Σ allocation ≤ CAP
Not by policy.
By construction.
Step 2 / 5 — Normal Operation
Contractive by design. Stable without coordination.
Start the simulation. Three shards accept excitation. Watch energy decay between injections. The system finds its equilibrium without any central arbiter.
1. Click Start to begin simulation
2. Watch Energy E(t) graph decay toward zero
3. Note: contraction constant c < 1 always
This is contractive, so it stabilizes.
Why it stabilizes
Weight normalization: w = raw / (Σraw + δ)
ε = δ / (Σraw + δ) > 0 by construction
c = 1 − ε < 1 → Banach fixed point
→ Unique equilibrium in O(log 1/ε) steps
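As an added worked example (not code from the demo above), here is the contraction step written out in JavaScript. The raw demands, δ and the 40/30/20 excitation are constructed inputs, and the relaxation rule (pool the allocation, re-spread it by the normalized weights) is one concrete reading of the page's weight normalization, not the demo's own update rule. Because the weights sum to c = 1 − ε, each step multiplies E(t) by exactly c, and the Banach bound gives the number of steps a chosen tolerance needs.

```javascript
// Constructed sample input (not the demo's own state): raw demand per shard
// and the regularizer delta from w = raw / (sum(raw) + delta).
const RAW = [5, 3, 2];
const DELTA = 0.5;

// w_i = raw_i / (sum(raw) + delta). The weights sum to 1 - eps, not to 1.
function normalizedWeights(raw, delta) {
  const denom = raw.reduce((s, r) => s + r, 0) + delta;
  return raw.map((r) => r / denom);
}

// eps = delta / (sum(raw) + delta) > 0 whenever delta > 0, so c = 1 - eps < 1.
function contractionConstant(raw, delta) {
  const eps = delta / (raw.reduce((s, r) => s + r, 0) + delta);
  return 1 - eps;
}

// Energy E(t): total allocation across shards.
function energy(alloc) {
  return alloc.reduce((s, a) => s + a, 0);
}

// One relaxation step: pool the allocation and re-spread it by the normalized
// weights. Since the weights sum to c < 1, E shrinks by exactly the factor c.
function redistribute(alloc, weights) {
  const pooled = energy(alloc);
  return weights.map((w) => w * pooled);
}

// Iterate the contraction until E(t) < tol. Returns the step count and the
// E(t) trajectory so the decay can be inspected.
function relaxUntil(alloc, weights, tol) {
  const trace = [energy(alloc)];
  let state = alloc;
  while (trace[trace.length - 1] >= tol) {
    state = redistribute(state, weights);
    trace.push(energy(state));
  }
  return { steps: trace.length - 1, trace };
}

// Banach bound: E(k) = c^k * E(0), so E(k) < tol once k > log(E0/tol) / log(1/c).
function banachStepBound(e0, c, tol) {
  return Math.ceil(Math.log(e0 / tol) / Math.log(1 / c));
}

// Three-shard case: a constructed excitation of 90 units decays below 1e-3
// with no coordination between shards, only the shared weight normalization.
function demo() {
  const weights = normalizedWeights(RAW, DELTA);
  const c = contractionConstant(RAW, DELTA);
  const { steps, trace } = relaxUntil([40, 30, 20], weights, 1e-3);
  return { c, steps, bound: banachStepBound(trace[0], c, 1e-3), trace };
}
```

With these inputs Σraw = 10 and δ = 0.5, so c = 20/21 and the step count sits right at the geometric bound; raising δ makes ε larger and the decay faster, which is the knob the page's ε > 0 argument turns on.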
Step 3 / 5 — Stress Test
Push it to the cap. It cannot cross.
Raise injection rate to maximum. Watch partial injections trigger as the system approaches 100. Notice the hard rejection messages in the event log.
1. Drag Injection Rate slider to max (20)
2. Watch total allocation approach 100
3. Log shows: "Injection rejected: at capacity"
It cannot exceed 100. The cap is structural.
Conservation check
function inject(total, amount) {
  // Conservation check: not policy, enforced inside inject()
  // before any tokens are consumed.
  if (total + amount > CAP) {
    amount = Math.max(0, CAP - total); // clamp to remaining room; 0 means rejected
  }
  return amount;
}
Step 4 / 5 — Partition Attack
In isolation, it can lie to itself.
Partition Shard C. Then inject adversarially — maximum pressure into the isolated node. Watch it inflate locally. This is the attack scenario. The question is what happens at reconnect.
2. Click Adversarial Inject several times
3. Watch C's allocation inflate toward local cap
4. Note: A+B remain bounded globally
In isolation, it can lie to itself.
Local cap during partition
localCap = CAP / numShards
// C can reach 33.3, not 100
// Merge cannot double-count
// because join ≠ sum
Step 5 / 5 — Convergence
Reconciliation without double-spend.
Reconnect C. The merge fires. Energy spikes briefly — then contracts. The total allocation stays below 100. Invariants remain green. This is the moment.
1. Click Reconnect + Merge
2. Watch energy chart — spike then decay
3. Total allocation stays ≤ 100
4. All invariants remain satisfied
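An added end-to-end example covering Steps 3 to 5, in a constructed model rather than the demo's implementation: each shard owns one slot of the allocation vector, inject() clamps against the global cap when connected and against localCap = CAP / numShards when partitioned, and merge is an elementwise max (a join) rather than a sum. The per-slot max is one standard way to make "join ≠ sum" concrete and is an assumption about the semantics; the numbers (A and B at 30 each, five adversarial injections of 20 into the isolated C) are constructed. The additive merge is included only to show the double-count that Step 1 attributes to the historical failures.

```javascript
const CAP = 100;
const SHARD_NAMES = ["A", "B", "C"];
const EPS = 1e-9; // float slack so 33.3 - 33.3 counts as zero room

// Constructed model (not the demo's own code): each shard owns one slot of the
// allocation vector and only ever grows its own slot; the other slots are
// replicated views that merge refreshes.
class CapacityShard {
  constructor(name, cap = CAP, names = SHARD_NAMES) {
    this.name = name;
    this.cap = cap;
    this.alloc = Object.fromEntries(names.map((n) => [n, 0]));
    this.partitioned = false;
    this.log = [];
  }

  total() {
    return Object.values(this.alloc).reduce((s, a) => s + a, 0);
  }

  // localCap = CAP / numShards: an isolated shard may not assume the others are
  // idle, so it is confined to its own share (33.3 for three shards).
  localCap() {
    return this.cap / Object.keys(this.alloc).length;
  }

  // Conservation check before any tokens are consumed. Returns what was admitted.
  // Connected: room against the global cap as seen in this shard's view
  // (kept current here by joinAll after every injection). Partitioned: room
  // against localCap for this shard's own slot only.
  inject(amount) {
    const room = this.partitioned
      ? Math.max(0, this.localCap() - this.alloc[this.name])
      : Math.max(0, this.cap - this.total());
    if (room <= EPS) {
      this.log.push("Injection rejected: at capacity");
      return 0;
    }
    const admitted = Math.min(amount, room);
    if (admitted < amount) {
      this.log.push(`Partial injection: ${admitted.toFixed(1)} of ${amount.toFixed(1)}`);
    }
    this.alloc[this.name] += admitted;
    return admitted;
  }

  // Join, not sum: each slot takes the max of the two views. Because a slot is
  // grown only by its owner, max can never count the same tokens twice.
  merge(other) {
    for (const n of Object.keys(this.alloc)) {
      this.alloc[n] = Math.max(this.alloc[n], other.alloc[n]);
    }
    this.partitioned = false;
  }

  // The Step 1 failure mode, reconciling additively. Computed only for comparison.
  additiveMergeTotal(other) {
    return Object.keys(this.alloc).reduce((s, n) => s + this.alloc[n] + other.alloc[n], 0);
  }
}

function joinAll(shards) {
  for (const x of shards) {
    for (const y of shards) {
      if (x !== y) x.merge(y);
    }
  }
}

// Steps 3-5 end to end: fill A and B, partition C, inject adversarially, reconnect.
function partitionAttack() {
  const shards = SHARD_NAMES.map((n) => new CapacityShard(n));
  const [a, b, c] = shards;
  a.inject(30);
  b.inject(30);
  joinAll(shards); // every view now reads A=30, B=30, C=0
  c.partitioned = true;
  for (let i = 0; i < 5; i++) c.inject(20); // maximum pressure into the isolated node
  const localPeak = c.alloc.C; // inflates to localCap (33.3), never to CAP
  const additiveTotal = a.additiveMergeTotal(c); // what an additive reconcile would claim
  joinAll(shards); // reconnect + merge
  return { localPeak, additiveTotal, joinTotals: shards.map((s) => s.total()), log: c.log };
}
```

Running partitionAttack() shows the two halves of the argument side by side: C's own slot stops at 33.3 with one partial injection and three hard rejections in its log, the additive reconcile of A's and C's views would report 153.3 (A and B counted twice), and the join leaves every shard reading 93.3, under the cap.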
Provably Non-Overcommitting
Distributed Capacity Layer
Production-grade substrate for any market with hard capacity bounds
Cloud Compute Clearing
AI Inference Markets
Microgrid Balancing
In most distributed markets,
safety is a policy.
Here, safety is an invariant.