Mục tiêu: Xây dựng nền tảng marketplace cho phép chủ sở hữu LoRA (AI model) cho thuê model của mình cho doanh nghiệp một cách an toàn, sử dụng blockchain Sui để quản lý hợp đồng và thanh toán, Walrus để lưu trữ phi tập trung với kiểm soát truy cập.
Thời gian dự kiến: 3 tháng MVP
Công nghệ chính:
- Blockchain: Sui (Move smart contracts)
- Storage: Walrus (decentralized storage với Seal access control)
- AI Backend: Stable Diffusion / ComfyUI
- Frontend: Web3-enabled web application
┌─────────────────┐
│ Web Frontend │
│ (React/Next.js)│
│ + Sui Wallet │
└────────┬────────┘
│
┌────┴────┐
│ │
┌───▼───┐ ┌──▼───────┐
│ Sui │ │ Walrus │
│Blockchain│ │ Storage │
│(Smart │ │ (Seal │
│Contract)│ │ Control) │
└───┬───┘ └──┬───────┘
│ │
└────┬────┘
│
┌────────▼────────┐
│ AI Backend │
│(Stable Diffusion│
│ /ComfyUI) │
└─────────────────┘
Chức năng:
- Quản lý quyền sở hữu LoRA (LoRA ownership objects)
- Xử lý smart contracts cho thuê (rental contracts)
- Thanh toán và phân phối doanh thu
- Quản lý license tokens (NFT hoặc fungible tokens)
- Kiểm soát access control policies cho Walrus
Data structures (Move objects):
LoRAAsset: Object đại diện cho LoRARentalPolicy: Chính sách cho thuê (giá, thời hạn, điều khoản)RentalLicense: Token cấp cho người thuê (có thời hạn)PaymentRecord: Lịch sử thanh toán
Chức năng:
- Lưu trữ file .safetensors (LoRA weights) dưới dạng encrypted blobs
- Phân mảnh dữ liệu (erasure coding) để đảm bảo availability
- Áp dụng Seal protocol cho access control
- Tích hợp với Sui để verify quyền truy cập
Workflow:
- Upload: File được mã hóa client-side → upload → chia thành slivers → phân tán
- Access: Request blob → Verify on-chain license → Aggregate slivers → Decrypt → Return
Chức năng:
- Load LoRA từ Walrus (sau khi verify license)
- Chạy inference (Stable Diffusion/ComfyUI)
- Áp dụng watermark cho output images
- Log tất cả inference requests
- Không cho phép export model files
Security measures:
- Isolated containers (Docker/Kubernetes)
- No file download APIs
- Runtime-only decryption keys
- Rate limiting và monitoring
Chức năng:
- Wallet integration (Sui Wallet, Mysten Wallet)
- UI cho owners: Upload, pricing, management
- UI cho renters: Browse, rent, inference
- Dashboard cho tracking và analytics
Mục đích: Quản lý tài sản LoRA
Structs:
struct LoRAAsset has key, store {
id: UID,
name: String,
description: String,
owner: address,
walrus_blob_id: vector<u8>, // Reference to Walrus storage
created_at: u64,
model_type: String, // influencer name/category
is_active: bool
}
struct LoRARegistry has key {
id: UID,
loras: Table<ID, LoRAAsset>,
total_count: u64
}Functions:
create_lora(): Đăng ký LoRA mớiupdate_lora_info(): Cập nhật metadatadeactivate_lora(): Tạm ngưng cho thuêtransfer_ownership(): Chuyển quyền sở hữu
Mục đích: Quản lý hệ thống cho thuê (tham khảo NFT Rental Example của Sui)
Structs:
struct RentalPolicy has key, store {
id: UID,
lora_id: ID,
price_per_day: u64, // in SUI or stablecoin
min_duration: u64, // minimum rental days
max_duration: u64,
max_concurrent_rentals: u64,
is_active: bool
}
struct RentalLicense has key, store {
id: UID,
lora_id: ID,
renter: address,
start_time: u64,
end_time: u64,
payment_amount: u64,
usage_count: u64, // inference request counter
is_active: bool
}
struct RentalMarketplace has key {
id: UID,
policies: Table<ID, RentalPolicy>,
active_rentals: Table<ID, RentalLicense>,
revenue_pool: Balance<SUI>
}Functions:
create_rental_policy(): Owner tạo chính sách cho thuêrent_lora(): Renter thuê LoRA (thanh toán + mint license)check_license_validity(): Kiểm tra license còn hiệu lựcrevoke_license(): Thu hồi license (hết hạn hoặc vi phạm)renew_rental(): Gia hạn thời gian thuêclaim_revenue(): Owner rút tiền từ cho thuê
Logic flow cho thuê:
- Renter gọi
rent_lora(lora_id, duration) - Contract kiểm tra RentalPolicy (giá, thời hạn hợp lệ)
- Transfer payment từ renter → marketplace
- Mint RentalLicense NFT cho renter
- Emit event để update Walrus Seal policy
- Trả license object cho renter
Mục đích: Xử lý thanh toán và phân phối doanh thu
Structs:
struct PaymentRecord has key, store {
id: UID,
license_id: ID,
payer: address,
amount: u64,
currency: String, // SUI, USDC, etc.
timestamp: u64,
revenue_split: RevenueDistribution
}
struct RevenueDistribution has store {
owner_share: u64, // e.g., 90%
platform_fee: u64, // e.g., 10%
referral_bonus: u64 // e.g., optional
}Functions:
process_payment(): Xử lý thanh toán cho thuêdistribute_revenue(): Phân phối tiền cho owner và platformrefund_payment(): Hoàn tiền (nếu có issue)get_payment_history(): Query lịch sử thanh toán
Mục đích: Tích hợp với Walrus Seal để quản lý access control
Structs:
struct SealPolicy has key, store {
id: UID,
walrus_blob_id: vector<u8>,
authorized_addresses: Table<address, AccessGrant>,
policy_type: u8 // time-lock, token-gating, etc.
}
struct AccessGrant has store {
grantee: address,
expiration: u64,
max_access_count: u64,
current_count: u64
}Functions:
create_seal_policy(): Tạo policy mới khi upload LoRAgrant_access(): Cấp quyền truy cập khi thuê thành côngrevoke_access(): Thu hồi quyền khi hết hạnverify_access(): AI backend gọi để check quyền
Integration với Walrus:
- Khi RentalLicense được mint → gọi
grant_access() - Walrus nodes query Sui để verify SealPolicy
- Khi license expire → smart contract emit event → Walrus revoke key
Bước 1: Client-side Encryption
Sequence:
1. Owner chọn file .safetensors trên UI
2. Frontend tạo encryption key (AES-256)
3. Encrypt file locally
4. Upload encrypted file + metadata to Walrus via CLI/SDK
Implementation steps:
- Sử dụng Walrus CLI hoặc SDK để upload:
walrus store <encrypted_file> --epochs 100
- Nhận về
blob_idvàseal_id - Lưu mapping:
blob_id→lora_idtrên Sui
Bước 2: Create Seal Policy
Sequence:
1. Upload thành công → có blob_id
2. Call Sui smart contract: create_lora(name, blob_id, ...)
3. Smart contract tạo LoRAAsset object
4. Smart contract tạo SealPolicy cho blob
5. Initial policy: chỉ owner có quyền truy cập
Bước 1: Rent và Grant Access
Sequence:
1. Renter thanh toán qua UI → call rent_lora()
2. Smart contract mint RentalLicense
3. Smart contract update SealPolicy: add renter address với expiration
4. Emit event: AccessGranted(renter, lora_id, end_time)
Bước 2: AI Backend Requests Access
Sequence:
1. Renter submit inference request từ UI
2. Backend verify RentalLicense on Sui
3. If valid → Backend request blob từ Walrus
4. Walrus nodes check SealPolicy on Sui
5. If authorized → Walrus aggregate slivers → decrypt → return data
6. Backend load LoRA weights vào memory (không lưu disk)
7. Run inference → return image
Bước 3: Revoke Access (Auto-expiration)
Sequence:
1. Sui smart contract có automated task (hoặc keeper bot)
2. Định kỳ scan RentalLicense hết hạn
3. Call revoke_access() → update SealPolicy
4. Walrus nodes sync policy → refuse subsequent requests
Erasure Coding:
- File được chia thành N shards, chỉ cần M shards để recover (M < N)
- Chịu lỗi đến 2/3 storage nodes
- Data integrity via Merkle proofs
Seal Protocol Features:
- Time-lock: Tự động revoke sau expiration
- Token-gating: Chỉ cho phép address có RentalLicense NFT
- Usage quotas: Giới hạn số lần truy cập (tích hợp với usage_count)
Backup Strategy:
- Primary: Walrus mainnet
- Fallback: Mirror quan trọng blobs sang IPFS hoặc Arweave (optional)
- Owner có thể export encrypted backup (encrypted key không share)
Tech stack:
- Framework: ComfyUI (hoặc Stable Diffusion WebUI)
- Container: Docker with isolated environment
- Orchestration: Kubernetes (for scaling)
- API Gateway: FastAPI hoặc Express.js
Components:
┌─────────────────────────────────┐
│ API Gateway │
│ (Authentication & Rate Limit) │
└─────────────┬───────────────────┘
│
┌─────────────▼───────────────────┐
│ Inference Service │
│ - Load LoRA from Walrus │
│ - Run ComfyUI workflow │
│ - Apply watermark │
│ - Return image │
└─────────────┬───────────────────┘
│
┌─────────────▼───────────────────┐
│ LoRA Loader Module │
│ - Verify license on Sui │
│ - Fetch from Walrus │
│ - Decrypt in memory │
│ - Load weights (no disk save) │
└─────────────────────────────────┘
Module 1: License Verifier
# Pseudo-code
def verify_rental_license(user_address, lora_id):
# Query Sui smart contract
license = sui_client.get_rental_license(user_address, lora_id)
if not license:
raise Unauthorized("No valid license found")
if license.end_time < current_timestamp():
raise Expired("License expired")
if license.usage_count >= license.max_usage:
raise QuotaExceeded("Usage limit reached")
return license
def increment_usage(license_id):
# Update usage counter on Sui
sui_client.increment_license_usage(license_id)Module 2: LoRA Loader
# Pseudo-code
def load_lora_from_walrus(blob_id, license):
# Request blob từ Walrus
encrypted_data = walrus_client.fetch_blob(
blob_id,
auth_token=license.id
)
# Decrypt in-memory (không lưu file)
decryption_key = get_decryption_key(license)
lora_weights = decrypt_aes(encrypted_data, decryption_key)
# Load vào model (safetensors format)
lora_model = load_safetensors(lora_weights)
# Clear decryption key từ memory
del decryption_key
return lora_modelModule 3: Inference Endpoint
# Pseudo-code
@app.post("/api/inference")
def generate_image(request: InferenceRequest):
# 1. Authenticate user
user = authenticate_wallet(request.wallet_signature)
# 2. Verify license
license = verify_rental_license(user.address, request.lora_id)
# 3. Load LoRA
lora = load_lora_from_walrus(request.lora_blob_id, license)
# 4. Run ComfyUI workflow
image = comfyui_inference(
prompt=request.prompt,
lora=lora,
settings=request.settings
)
# 5. Apply watermark
watermarked_image = apply_watermark(image, license.id)
# 6. Update usage
increment_usage(license.id)
# 7. Log request
log_inference(user, license, request.prompt)
# 8. Cleanup memory
del lora
return watermarked_imageContainer Isolation:
# Dockerfile example
FROM nvidia/cuda:11.8-runtime
# Không cài tools nguy hiểm
RUN apt-get update && apt-get install -y \
python3 python3-pip \
&& rm -rf /var/lib/apt/lists/*
# Tạo non-root user
RUN useradd -m -u 1000 inference
USER inference
# Copy code
COPY --chown=inference:inference . /app
WORKDIR /app
# No shell access
ENTRYPOINT ["python3", "inference_server.py"]API Security:
- Rate limiting: Max 100 requests/day per license
- Request signing: Wallet signature cho mỗi request
- IP whitelisting: Optional cho enterprise clients
- DDoS protection: CloudFlare hoặc AWS Shield
Model Security:
- No file write permissions trong container
- Memory-only operations
- Auto-cleanup sau mỗi inference
- Monitoring cho suspicious activity (e.g., nhiều requests cùng pattern)
Invisible Watermark:
- Sử dụng thư viện như
invisible-watermarkhoặcPhotoGuard - Embed:
license_id + timestamp + lora_id - Có thể detect và trace nguồn gốc nếu bị leak
Visible Watermark (optional):
- Logo nhỏ ở góc ảnh
- Text: "Generated with LoRA [name] - License [id]"
- Framework: Next.js 14 (React)
- Wallet: Sui Wallet Kit / Mysten Wallet SDK
- State Management: Zustand hoặc Redux
- UI Library: TailwindCSS + Shadcn/ui
- API Client: Axios + React Query
Page 1: Landing / Marketplace
Components:
- NavBar (wallet connect button)
- LoRAGrid (display all available LoRAs)
- LoRACard (thumbnail, name, price, rating)
- FilterBar (category, price range, availability)
- SearchBar
Page 2: LoRA Detail
Components:
- LoRAInfo (name, description, owner, samples)
- PricingTable (duration options, prices)
- RentButton → modal với wallet signature
- SampleGallery (ảnh demo tạo bởi LoRA)
Page 3: Owner Dashboard
Components:
- UploadLoRA form:
- File picker (.safetensors)
- Name, description, category
- Pricing settings (price per day, min/max duration)
- Preview và confirm
- MyLoRAs list:
- Active/Inactive status
- Current rentals count
- Revenue earned
- Edit/Deactivate buttons
Page 4: Renter Dashboard
Components:
- MyRentals list:
- Rented LoRAs với expiration countdown
- Usage stats (inference count)
- Renew button
- InferenceStudio:
- Select rented LoRA
- Prompt input
- Advanced settings (steps, CFG, size)
- Generate button → display result
- Download button (for generated images)
Page 5: Inference Studio
Components:
- LoRASelector dropdown (chỉ show rented LoRAs)
- PromptEditor (textarea với suggestions)
- SettingsPanel (sliders cho parameters)
- PreviewCanvas (hiển thị ảnh generated)
- HistoryPanel (lịch sử generation)
Setup Sui Wallet Kit:
// app/providers.tsx
import { SuiClientProvider, WalletProvider } from '@mysten/dapp-kit';
export function Providers({ children }) {
return (
<SuiClientProvider networks={{ testnet: { url: 'https://fullnode.testnet.sui.io' } }}>
<WalletProvider autoConnect>
{children}
</WalletProvider>
</SuiClientProvider>
);
}Connect Wallet Flow:
// components/ConnectWallet.tsx
import { ConnectButton, useWallet } from '@mysten/dapp-kit';
export function ConnectWallet() {
const { connected, address } = useWallet();
return (
<div>
<ConnectButton />
{connected && <p>Connected: {address}</p>}
</div>
);
}Sign Transaction (rent LoRA):
// hooks/useRentLora.ts
import { useSignAndExecuteTransactionBlock } from '@mysten/dapp-kit';
export function useRentLora() {
const { mutate: signAndExecute } = useSignAndExecuteTransactionBlock();
const rentLora = async (loraId: string, duration: number) => {
const txb = new TransactionBlock();
// Call smart contract
txb.moveCall({
target: `${PACKAGE_ID}::rental_system::rent_lora`,
arguments: [
txb.object(MARKETPLACE_ID),
txb.pure(loraId),
txb.pure(duration),
],
});
signAndExecute(
{ transactionBlock: txb },
{
onSuccess: (result) => {
console.log('Rental successful', result);
},
}
);
};
return { rentLora };
}Step-by-step:
- Owner chọn file .safetensors
- Frontend validate file (check format, size < 500MB)
- Client-side encryption:
const encryptedFile = await encryptFile(file, generatedKey);
- Upload lên Walrus:
const blobId = await walrusClient.upload(encryptedFile);
- Call Sui smart contract để tạo LoRAAsset:
const txb = new TransactionBlock(); txb.moveCall({ target: `${PACKAGE_ID}::lora_asset::create_lora`, arguments: [ txb.pure(name), txb.pure(description), txb.pure(blobId), // ... other metadata ], }); await signAndExecute(txb);
- Success → redirect to owner dashboard
Tasks:
-
Environment Setup
- Tạo Sui testnet accounts (dev, owner, renter test accounts)
- Setup Sui CLI và Walrus CLI
- Install Move compiler và dependencies
- Setup Git repo với monorepo structure:
/contracts (Move smart contracts) /frontend (Next.js) /backend (AI inference server) /sdk (shared utilities)
-
Smart Contract Development - Phase 1
- Implement
lora_asset.move:- Create LoRAAsset struct
- Implement create_lora(), update_lora_info()
- Test với Sui CLI
- Implement
rental_system.move(basic version):- Create RentalPolicy và RentalLicense structs
- Implement create_rental_policy()
- Implement rent_lora() với simple payment
- Test cho thuê cơ bản
- Implement
-
Testing
- Viết unit tests cho smart contracts (Move testing framework)
- Deploy lên Sui testnet
- Manual test transactions qua Sui CLI
- Document các contract addresses và function signatures
Deliverables:
- Sui testnet environment hoàn chỉnh
- Basic smart contracts deployed và tested
- Documentation cho contract interfaces
Tasks:
-
Frontend Setup
- Initialize Next.js project với TypeScript
- Setup TailwindCSS và component library
- Integrate Sui Wallet Kit
- Implement wallet connection flow
- Test wallet connection trên testnet
-
Basic UI Components
- NavBar với wallet connect button
- Landing page layout
- LoRA card component (mockup data)
- Owner dashboard layout (no functionality yet)
-
Sui Integration Layer
- Create SDK folder với:
suiClient.ts: Wrapper cho Sui RPC callscontractInteraction.ts: Functions để gọi smart contractswalletUtils.ts: Helper functions cho wallet operations
- Implement queries:
- Get all LoRAs
- Get rental policies
- Get user's licenses
- Create SDK folder với:
Deliverables:
- Frontend app với wallet integration
- UI mockups cho main pages
- SDK layer cho Sui interactions
- Test: User có thể connect wallet và query test data
Tasks:
-
Walrus Setup
- Setup Walrus testnet access
- Install và configure Walrus CLI
- Test upload/download basic files
- Study Seal protocol documentation
-
Upload Pipeline
- Frontend: Implement file upload UI
- Implement client-side encryption:
// utils/encryption.ts async function encryptFile(file: File): Promise<EncryptedData> { const key = generateAESKey(); const encrypted = await aesEncrypt(file, key); return { encrypted, key }; }
- Integrate Walrus SDK/API:
// sdk/walrusClient.ts async function uploadToWalrus(encryptedFile: Blob): Promise<string> { // Call Walrus API const response = await walrusAPI.store(encryptedFile); return response.blobId; }
- Connect upload → smart contract:
- Upload file → get blob_id
- Call create_lora() với blob_id
- Store mapping on-chain
-
Seal Integration - Phase 1
- Implement
seal_bridge.move:- Create SealPolicy struct
- Implement create_seal_policy()
- Implement grant_access() và revoke_access()
- Test: Create policy khi upload LoRA
- Test: Grant access khi rent successfully
- Implement
-
Download & Access Control
- Implement access check trên backend:
def verify_access(user_address, blob_id): # Query Sui cho SealPolicy policy = sui.query_seal_policy(blob_id) # Check nếu user_address trong authorized list return user_address in policy.authorized_addresses
- Implement fetch từ Walrus với auth:
def fetch_lora(blob_id, license_token): # Verify license token on Sui # Fetch từ Walrus encrypted_data = walrus.fetch_blob(blob_id) # Decrypt return decrypt(encrypted_data, license_token.key)
- Implement access check trên backend:
Deliverables:
- Complete upload flow: Frontend → Walrus → Sui
- Seal policies được tạo và enforced
- Access control hoạt động (authorized users fetch được, others không)
Tasks:
-
Infrastructure Setup
- Setup cloud VM với GPU (AWS EC2 g4dn, GCP A100, hoặc RunPod)
- Install CUDA, PyTorch, Stable Diffusion dependencies
- Install ComfyUI:
git clone https://github.com/comfyanonymous/ComfyUI cd ComfyUI && pip install -r requirements.txt
- Test ComfyUI với sample LoRA
-
API Server Development
- Create FastAPI server:
# main.py from fastapi import FastAPI app = FastAPI() @app.post("/inference") async def generate_image(request: InferenceRequest): # Verify license # Load LoRA # Run inference # Return image
- Implement modules:
license_verifier.py: Query Sui cho license validationlora_loader.py: Fetch và decrypt LoRA từ Walrusinference_engine.py: Wrapper cho ComfyUI workflowwatermark_processor.py: Apply watermark lên output
- Create FastAPI server:
-
ComfyUI Integration
- Create custom ComfyUI workflow JSON cho LoRA inference
- Implement API để load workflow dynamically:
def create_comfy_workflow(lora_path, prompt, settings): workflow = { "nodes": [ {"type": "CheckpointLoaderSimple", ...}, {"type": "LoraLoader", "inputs": {"lora_name": lora_path}}, {"type": "CLIPTextEncode", "inputs": {"text": prompt}}, {"type": "KSampler", ...}, {"type": "SaveImage", ...} ] } return workflow def execute_workflow(workflow): # Submit to ComfyUI API result = comfy_client.queue_prompt(workflow) return result.image
-
Security Implementation
- Containerize với Docker:
FROM nvidia/cuda:11.8-runtime USER 1000 # No shell, no unnecessary tools ENTRYPOINT ["python", "main.py"]
- Disable file output trong ComfyUI config:
# Override SaveImage node để chỉ return bytes, không lưu file class SecureSaveImage(SaveImage): def save(self, images): return images_to_bytes(images)
- Memory-only LoRA loading:
def load_lora_memory_only(encrypted_data, key): decrypted = decrypt(encrypted_data, key) # Load vào RAM, không touch disk lora_state = load_safetensors_from_bytes(decrypted) return lora_state
- Containerize với Docker:
-
Frontend Integration
- Create Inference Studio page
- Implement API client:
// sdk/inferenceClient.ts async function generateImage( loraId: string, prompt: string, settings: Settings ): Promise<Blob> { const license = await getLicense(loraId); const response = await fetch('/api/inference', { method: 'POST', body: JSON.stringify({ loraId, prompt, settings, license }), }); return response.blob(); }
- UI: Prompt input → call API → display image
Deliverables:
- AI backend running on GPU server
- ComfyUI integration working
- Inference API tested end-to-end
- Frontend có thể call inference và hiển thị kết quả
- Security measures implemented
Tasks:
-
Smart Contract Enhancements
- Implement
payment_manager.move:- Revenue distribution logic
- Multi-currency support (SUI, USDC)
- Refund mechanism
- Enhance
rental_system.move:- Concurrent rentals support
- Renewal functionality
- Auto-expiration với Sui programmable transactions
- Add events cho tất cả major actions:
struct LoRARented has copy, drop { lora_id: ID, renter: address, duration: u64, payment: u64 }
- Implement
-
Owner Dashboard - Full Implementation
- Upload LoRA flow hoàn chỉnh (đã làm ở tháng 2)
- Management features:
- View all owned LoRAs
- Edit pricing và rental terms
- Deactivate/reactivate LoRAs
- View rental history
- Revenue analytics (charts, total earnings)
- Integrate với smart contracts:
// Owner actions await updateRentalPolicy(loraId, newPrice, newDuration); await deactivateLora(loraId); await claimRevenue(loraId);
-
Renter Dashboard - Full Implementation
- Browse marketplace:
- Grid view với filters (category, price, rating)
- Search functionality
- Sort options (price, popularity, newest)
- Detail page:
- View LoRA info, samples, pricing
- Rent button → payment flow
- My Rentals:
- List active rentals với countdown
- Renewal option
- Usage stats
- Inference Studio (đã có base ở tháng 2):
- Advanced settings panel
- History của generations
- Batch generation support
- Browse marketplace:
-
Payment Flow Polish
- Smooth wallet transaction UX:
- Loading states
- Transaction confirmation modal
- Error handling (insufficient funds, etc.)
- Receipt generation (on-chain + UI)
- Email notifications (optional, via backend webhook)
- Smooth wallet transaction UX:
Deliverables:
- Complete owner và renter workflows
- All smart contract features implemented
- Polished UI/UX
Tasks:
-
Security Audit
-
Smart Contract Audit:
- Self-review code for common vulnerabilities:
- Reentrancy (không ảnh hưởng nhiều trong Move)
- Integer overflow/underflow
- Access control issues
- Logic bugs trong payment/rental
- Test edge cases:
- Rent với 0 duration
- Revoke license đã expired
- Concurrent rents vượt max_concurrent_rentals
- Payment với insufficient balance
- (Ideal: Hire external auditor, nhưng có thể skip cho MVP)
- Self-review code for common vulnerabilities:
-
Backend Security Review:
- Penetration testing:
- Thử bypass license verification
- Thử extract model files
- Thử SQL injection / XSS (nếu có database)
- Container security scan (với Trivy hoặc Snyk)
- Review network policies (firewall, no unnecessary ports)
- Penetration testing:
-
Frontend Security:
- XSS protection (React default safe, nhưng check dangerouslySetInnerHTML)
- CSRF tokens nếu có stateful sessions
- Secure wallet integration (verify signatures properly)
-
-
Testing - Comprehensive
-
Unit Tests:
- Smart contracts: Move test framework
- Backend: pytest cho Python modules
- Frontend: Jest/Vitest cho utilities
-
Integration Tests:
- End-to-end scenarios:
- Owner uploads LoRA → Renter rents → Renter generates image → License expires
- Concurrent rentals
- Renewal flow
- Payment failure handling
- Tools: Playwright hoặc Cypress cho E2E
- End-to-end scenarios:
-
Load Testing:
- Test AI backend throughput:
- Concurrent inference requests
- Memory usage under load
- Response time benchmarks
- Tools: Locust hoặc k6
- Test AI backend throughput:
-
User Acceptance Testing (UAT):
- Invite beta testers (5-10 people)
- Test trên testnet với real wallet interactions
- Collect feedback
-
-
Bug Fixes & Optimizations
- Fix bugs discovered từ testing
- Optimize inference speed (model caching, batch processing)
- Optimize frontend performance (code splitting, lazy loading)
- Optimize Sui transactions (batch calls nếu có thể)
Deliverables:
- Security audit report
- Test coverage > 80% (unit tests)
- E2E test suite passing
- Performance benchmarks documented
Tasks:
-
Documentation
- User Docs:
- Owner guide: How to upload LoRA, set pricing, manage rentals
- Renter guide: How to browse, rent, use Inference Studio
- FAQ: Common issues, troubleshooting
- Developer Docs:
- Smart contract API reference
- Backend API documentation (OpenAPI/Swagger)
- SDK documentation
- Architecture diagrams
- Deployment Docs:
- Infrastructure setup guide
- Environment variables và config
- Monitoring và logging setup
- User Docs:
-
Monitoring & Logging Setup
- Smart Contract Monitoring:
- Setup event indexer (Sui GraphQL hoặc custom indexer)
- Dashboard cho on-chain metrics:
- Total LoRAs registered
- Active rentals
- Revenue generated
- Backend Monitoring:
- Setup logging (ELK stack hoặc CloudWatch)
- Metrics dashboard (Prometheus + Grafana):
- Inference requests/min
- Error rate
- GPU utilization
- Response time percentiles
- Alerts:
- Smart contract errors
- Backend downtime
- High error rate
- Storage issues
- Smart Contract Monitoring:
-
Deployment to Mainnet (Staging First)
-
Testnet → Staging:
- Deploy contracts lên Sui devnet/testnet final
- Deploy backend lên staging environment
- Deploy frontend lên staging domain
- Test với real-world scenarios
-
Mainnet Preparation (nếu ready):
- Audit passed → deploy contracts to Sui mainnet
- Setup production infrastructure (redundancy, backups)
- Configure CDN cho frontend (Vercel/CloudFlare)
- Setup production Walrus storage
-
-
Marketing & Community
- Create landing page với demo video
- Write launch blog post
- Prepare social media content (Twitter, Discord)
- Reach out đến potential early users (influencers, AI communities)
- Submit to Sui ecosystem directory
-
Launch
- Soft launch: Announce to small community first
- Monitor closely for issues
- Collect feedback
- Iterate quickly
- Full public launch sau 1-2 tuần
Deliverables:
- Complete documentation
- Monitoring dashboard live
- MVP deployed to production
- Launch materials ready
Rủi ro: Lỗi logic trong contract dẫn đến mất tiền hoặc lock assets
Giảm thiểu:
- Extensive testing trước khi deploy mainnet
- Sử dụng audited libraries và patterns từ Sui examples
- Implement emergency pause mechanism:
struct EmergencyPause has key { id: UID, is_paused: bool, admin: address } public fun pause_marketplace(admin_cap: &AdminCap, pause: &mut EmergencyPause) { pause.is_paused = true; }
- Time-lock cho critical function changes
- Multi-sig wallet cho contract upgrades
Rủi ro: Data loss hoặc unavailability
Giảm thiểu:
- Erasure coding cho fault tolerance (built-in Walrus)
- Monitor storage node health
- Backup critical LoRAs sang secondary storage
- Implement retry logic với exponential backoff
- SLA monitoring và alerts
Rủi ro: Slow inference, high costs, downtime
Giảm thiểu:
- Horizontal scaling với Kubernetes
- Model caching để tránh reload liên tục:
lora_cache = LRUCache(max_size=10) # Cache 10 most used LoRAs
- Queue system (Redis/RabbitMQ) để handle spikes
- Auto-scaling based on GPU utilization
- Implement request prioritization (paid users first)
- Cost monitoring và budget alerts
Rủi ro: Attacker cố gắng steal LoRA weights
Giảm thiểu:
- Memory-only loading (đã implement)
- Container isolation (no shell access, read-only filesystem)
- Network policies (block outbound connections từ inference container)
- Watermarking output để trace leaks
- Rate limiting aggressive (detect scraping patterns)
- Monitoring unusual access patterns:
def detect_suspicious_activity(user, requests): if len(requests) > 1000 / day: alert_admin(f"Possible scraping: {user}") if requests_from_multiple_ips(user): alert_admin(f"Credential sharing: {user}")
Rủi ro: Unauthorized access đến LoRA files
Giảm thiểu:
- Multi-layer verification:
- Frontend check (basic UX)
- Backend verify license on Sui
- Walrus verify Seal policy
- Cryptographic signatures cho mọi request
- Short-lived access tokens (không reusable)
- Audit logs cho tất cả access attempts
Rủi ro: Double-spending, fake payments
Giảm thiểu:
- Sui blockchain immutability (không thể double-spend)
- Verify transaction finality before granting access:
async function verifyPayment(txDigest: string): Promise<boolean> { const tx = await suiClient.getTransactionBlock({ digest: txDigest }); // Check confirmed if (tx.effects.status !== 'success') return false; // Check đúng recipient và amount const payment = extractPayment(tx); return payment.recipient === MARKETPLACE_ADDRESS && payment.amount >= expectedAmount; }
- Idempotency keys để tránh duplicate processing
Rủi ro: LoRA của người nổi tiếng chưa có quyền
Giảm thiểu:
- Terms of Service rõ ràng: Owner phải có quyền upload
- Verification process cho high-profile individuals:
- Identity verification (KYC lite)
- Proof of rights (hợp đồng model release)
- DMCA takedown process
- Insurance cho platform liability (nếu scale lớn)
Rủi ro: Vi phạm GDPR, CCPA nếu có user data
Giảm thiểu:
- Minimize data collection (chỉ wallet address, no personal info)
- Privacy policy compliance
- Right to deletion implementation
- Data encryption at rest và in transit
- No tracking cookies without consent
Rủi ro: Không có owner upload hoặc renter thuê
Giảm thiểu:
- Early adopter strategy:
- Tìm 5-10 influencers/models sẵn sàng thử nghiệm
- Offer miễn phí platform fee ban đầu (100% revenue cho owner)
- Provide onboarding support
- Demand generation:
- Showcase use cases (marketing agencies, e-commerce)
- Free trial cho renters (limited inference credits)
- Referral program
- Pricing strategy:
- Competitive vs. hiring real model
- Tiered pricing (hourly, daily, monthly)
Rủi ro: Competitor với product tương tự
Giảm thiểu:
- Differentiation:
- Blockchain transparency (provable ownership, revenue tracking)
- Decentralized (không depend on single company)
- Lower fees than centralized alternatives
- Better security (Walrus + Seal)
- Network effects:
- Early LoRAs attract renters → more renters attract more owners
- Community building:
- Open-source parts of stack
- Developer ecosystem (SDK, plugins)
Rủi ro: Crypto regulations ảnh hưởng Sui/Walrus
Giảm thiểu:
- Compliance first:
- Không launch ở jurisdictions cấm crypto
- Partner với legal advisors
- Implement AML/KYC nếu cần (for large transactions)
- Backup plan:
- Architecture có thể adapt sang traditional payment (Stripe)
- Core technology (LoRA security) không depend hoàn toàn vào blockchain
Rủi ro: Thiếu kỹ năng hoặc burnout
Giảm thiểu:
- Realistic scope: MVP 3 tháng phải feasible với team size
- Outsource nếu cần: Smart contract audit, UI/UX design
- Documentation: Knowledge sharing để không depend on 1 người
- Milestones: Weekly check-ins để catch issues sớm
Rủi ro: GPU costs quá cao, không sustainable
Giảm thiểu:
- Cost optimization:
- Use spot instances (AWS EC2 Spot, GCP Preemptible)
- Auto-scale down khi idle
- Cold storage cho ít used LoRAs
- Pricing model: Pass costs to users (price per inference)
- Freemium limits: Free tier với quotas, paid for unlimited
Technical Metrics:
- Smart contracts deployed to mainnet without critical bugs
- 99% uptime cho AI backend
- Average inference time < 10 seconds
- Zero data loss incidents
Product Metrics:
- 10+ LoRAs uploaded bởi 5+ unique owners
- 20+ rentals completed
- 100+ inference requests processed successfully
- 3+ concurrent active rentals
User Metrics:
- 50+ registered users (wallet connections)
- 80% user satisfaction (survey) - nếu có feedback
- < 5% churn rate trong tháng đầu
Business Metrics:
- $1,000+ total transaction volume (testnet or mainnet)
- Average rental duration > 3 days
- Platform fee revenue > $100 (if applicable)
Features to Add:
-
Social Features:
- Reviews và ratings cho LoRAs
- Owner profiles
- Leaderboards (top-earning LoRAs)
-
Advanced Rental Options:
- Subscription model (monthly unlimited)
- Bulk licensing (nhiều LoRAs bundle)
- Exclusive rentals (chỉ 1 renter tại 1 thời điểm)
-
Creator Tools:
- LoRA training service (integrated)
- Analytics dashboard cho owners
- A/B testing pricing
-
Enterprise Features:
- API access cho integration
- White-label solution
- Custom SLA agreements
-
Mobile App:
- iOS/Android app với wallet integration
- On-the-go inference
Core Team (Minimum):
-
1x Blockchain Developer (Move/Sui expert)
- Responsibilities: Smart contracts, Sui integration
- Skills: Move, Rust, blockchain concepts
-
1x Backend Developer (AI/Python)
- Responsibilities: AI inference server, Walrus integration
- Skills: Python, PyTorch, FastAPI, DevOps
-
1x Frontend Developer (Web3)
- Responsibilities: UI/UX, wallet integration
- Skills: React/Next.js, TypeScript, Web3 libraries
-
1x Full-Stack/DevOps (optional nhưng helpful)
- Responsibilities: Infrastructure, monitoring, deployment
- Skills: Docker, Kubernetes, CI/CD, cloud platforms
Extended Team (nếu có budget):
- 1x Smart Contract Auditor (external contractor)
- 1x UI/UX Designer
- 1x Marketing/Community Manager
Must-have:
- Move programming language (học từ Sui docs)
- Sui blockchain (RPC, transactions, objects)
- React/Next.js
- Python (AI frameworks)
- Docker và basic DevOps
Good-to-have:
- Walrus protocol knowledge
- Stable Diffusion / ComfyUI experience
- Web3 wallet integration experience
- Smart contract security best practices
Development:
- IDE: VSCode với Move extension
- Version control: Git + GitHub
- Project management: Linear hoặc Notion
- Communication: Discord/Slack
Infrastructure:
- Cloud: AWS/GCP/RunPod (GPU instances)
- Hosting: Vercel (frontend), Railway/Fly.io (backend)
- Monitoring: Sentry, Datadog, hoặc Grafana Cloud
- Database: PostgreSQL (nếu cần off-chain indexing)
Blockchain:
- Sui RPC: Mysten Labs RPC nodes
- Wallet: Mysten Wallet SDK
- Indexer: Sui GraphQL hoặc custom indexer
AI:
- Models: Stable Diffusion XL, custom LoRAs
- Framework: Diffusers hoặc ComfyUI
- Watermarking: invisible-watermark library
Personnel (assuming contractors):
- 3 developers × $5k/month × 3 months = $45,000
Infrastructure:
- GPU server (AWS g4dn.xlarge): $500/month × 3 = $1,500
- Hosting (frontend + backend): $100/month × 3 = $300
- Walrus storage: ~$50/month × 3 = $150
- Sui gas fees (testnet free, mainnet minimal): $100
Services:
- Smart contract audit: $5,000 (one-time)
- Domain + SSL: $50
- Monitoring tools: $100/month × 3 = $300
- Miscellaneous (APIs, tools): $500
Total: ~$52,000 (có thể giảm nếu team có equity/passion)
Lean alternative (bootstrapped):
- 2 developers doing multi-role
- Use cheaper GPU options (RunPod, Lambda Labs): $200/month
- Skip audit cho MVP (self-review only)
- Free tier services (Vercel, Railway free tier)
- Total: ~$5,000 (mostly time investment)
Unit Tests (Move test framework):
#[test]
fun test_rent_lora() {
let scenario = test_scenario::begin(@owner);
// Setup
rental_system::create_rental_policy(
test_scenario::ctx(&mut scenario),
lora_id,
price,
duration
);
// Test rent
test_scenario::next_tx(&mut scenario, @renter);
let payment = coin::mint_for_testing<SUI>(price);
rental_system::rent_lora(
&mut marketplace,
lora_id,
payment,
test_scenario::ctx(&mut scenario)
);
// Assert license created
assert!(rental_system::has_active_license(@renter, lora_id), 0);
test_scenario::end(scenario);
}Test cases:
- ✅ Create LoRA successfully
- ✅ Rent with valid payment
- ❌ Rent with insufficient payment
- ❌ Rent expired LoRA
- ✅ Revoke expired license
- ❌ Double-rent prevention (if exclusive)
- ✅ Revenue distribution correct
Unit Tests (pytest):
def test_verify_license_valid():
license = RentalLicense(end_time=future_timestamp)
assert verify_license(license) == True
def test_verify_license_expired():
license = RentalLicense(end_time=past_timestamp)
with pytest.raises(ExpiredLicense):
verify_license(license)
def test_lora_loader_memory_only(tmp_path):
# Ensure no files written to disk
load_lora(blob_id, license)
assert len(list(tmp_path.iterdir())) == 0Integration Tests:
@pytest.mark.integration
async def test_full_inference_flow():
# 1. Mock Sui license
mock_license = create_mock_license()
# 2. Mock Walrus data
mock_walrus.set_blob(blob_id, encrypted_lora)
# 3. Call inference API
response = await client.post('/inference', json={
'lora_id': lora_id,
'prompt': 'test prompt',
'license_token': mock_license.token
})
# 4. Assert success
assert response.status_code == 200
assert response.content_type == 'image/png'Unit Tests (Jest/Vitest):
describe('useRentLora', () => {
it('should rent LoRA successfully', async () => {
const { result } = renderHook(() => useRentLora());
await act(async () => {
await result.current.rentLora('lora_id', 7);
});
expect(mockSignAndExecute).toHaveBeenCalled();
});
});E2E Tests (Playwright):
test('complete rental flow', async ({ page }) => {
// 1. Connect wallet
await page.goto('/');
await page.click('button:has-text("Connect Wallet")');
await page.click('text=Mysten Wallet');
// 2. Browse LoRA
await page.goto('/marketplace');
await page.click('.lora-card:first-child');
// 3. Rent
await page.click('button:has-text("Rent")');
await page.selectOption('select[name=duration]', '7');
await page.click('button:has-text("Confirm")');
// 4. Wait for transaction
await page.waitForSelector('text=Rental successful');
// 5. Go to inference
await page.goto('/inference');
await page.selectOption('select[name=lora]', 'lora_id');
await page.fill('textarea[name=prompt]', 'portrait photo');
await page.click('button:has-text("Generate")');
// 6. Assert image displayed
await page.waitForSelector('img.generated-image');
});AI Backend Load Test (Locust):
from locust import HttpUser, task, between
class InferenceUser(HttpUser):
wait_time = between(5, 15)
@task
def generate_image(self):
self.client.post('/inference', json={
'lora_id': 'test_lora',
'prompt': 'test prompt',
'license_token': 'valid_token'
})
# Run: locust -f load_test.py --users 100 --spawn-rate 10Target benchmarks:
- 50 concurrent users → < 15s response time
- 100 requests/min sustained
- < 1% error rate
Penetration Testing Checklist:
- Try access LoRA without license
- Try forge license token
- Try SQL injection in API endpoints
- Try XSS in prompt input
- Try CSRF attacks
- Try DDoS inference endpoint
- Try extract model via memory dump (should fail)
- Try replay old transactions
Tools:
- OWASP ZAP for web vulnerabilities
- Burp Suite for API testing
- Custom scripts cho blockchain-specific tests
Testnet Deployment:
# Build contracts
cd contracts
sui move build
# Deploy to testnet
sui client publish --gas-budget 100000000
# Save package ID
export PACKAGE_ID="0x..."
# Initialize marketplace
sui client call \
--package $PACKAGE_ID \
--module rental_system \
--function init_marketplace \
--gas-budget 10000000Mainnet Deployment:
⚠️ Audit contracts trước- Sử dụng multi-sig wallet cho ownership
- Deploy với higher gas budget
- Verify source code on Sui Explorer
Docker Build:
FROM nvidia/cuda:11.8-runtime
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
EXPOSE 8000
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]Kubernetes Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: inference-backend
spec:
replicas: 2
selector:
matchLabels:
app: inference
template:
metadata:
labels:
app: inference
spec:
containers:
- name: inference
image: your-registry/inference-backend:latest
resources:
limits:
nvidia.com/gpu: 1
env:
- name: SUI_RPC_URL
valueFrom:
configMapKeyRef:
name: config
key: sui_rpc_url
- name: WALRUS_API_KEY
valueFrom:
secretKeyRef:
name: secrets
key: walrus_api_keyEnvironment Variables:
# .env
SUI_RPC_URL=https://fullnode.mainnet.sui.io
WALRUS_API_URL=https://api.walrus.xyz
PACKAGE_ID=0x...
MARKETPLACE_ID=0x...
ENCRYPTION_KEY=...
ADMIN_WALLET=...Vercel Deployment:
# Install Vercel CLI
npm i -g vercel
# Deploy
cd frontend
vercel --prodEnvironment Variables (Vercel dashboard):
NEXT_PUBLIC_SUI_NETWORK=mainnet
NEXT_PUBLIC_PACKAGE_ID=0x...
NEXT_PUBLIC_MARKETPLACE_ID=0x...
NEXT_PUBLIC_BACKEND_URL=https://api.yourproject.com
Prometheus + Grafana:
# prometheus.yml
scrape_configs:
- job_name: 'inference-backend'
static_configs:
- targets: ['backend:8000']Dashboard Metrics:
- Request rate
- Error rate
- Inference latency (p50, p95, p99)
- GPU utilization
- Active licenses count
- Revenue per day
Alerts (Alertmanager):
alerts:
- name: HighErrorRate
condition: error_rate > 5%
action: notify_slack
- name: SlowInference
condition: p95_latency > 30s
action: notify_oncallKế hoạch triển khai này cung cấp lộ trình chi tiết từ A-Z để xây dựng MVP hệ thống cho thuê LoRA trong 3 tháng.
Key Success Factors:
- Security First: Mọi quyết định thiết kế ưu tiên bảo mật LoRA
- Blockchain Integration: Leverage Sui và Walrus để giải quyết trust và access control
- User Experience: Smooth wallet integration, intuitive UI
- Scalability: Kiến trúc có thể scale khi có nhiều users
Next Steps:
- Review plan với team
- Finalize tech stack decisions
- Setup development environment (Week 1)
- Start Sprint 1: Smart contracts foundation
References:
- Sui Documentation: https://docs.sui.io
- Walrus Documentation: http://docs.wal.app
- Seal Protocol: https://seal.mystenlabs.com
- ComfyUI: https://docs.comfy.org
Plan được viết: 2025-10-07 Version: 1.0 - MVP Plan