Questions, answered substantively.

Bittensor is a marketplace of subnets where each subnet defines its own scoring rubric; the work being scored is whatever the subnet owner says it is, mediated by validator preferences and dTAO alpha-token AMM dynamics. Orogen is one network, one token, one product (verifiable LLM inference + LoRA + later RL). Emission share is tied to physical replay of inference jobs, not to subnet-defined evaluator scores. We do not have subnet owners; we do not have alpha tokens; emission share is allocated by on-chain revenue measurement, not by stake-AMM pricing.

io.net, Render, and Akash are GPU leasing markets. The customer rents a box and operates it; the network coordinates supply and pricing but does not verify what runs. Orogen is a verifiable inference network: the protocol owns the model registry, the verification stack, and the receipt flow. The customer never has to trust the operator, because every response carries a chain-anchored receipt. Akash's post-BME loop is the economic pattern we adopt, and we add the verification stack Akash deliberately leaves out.

Aethir's checker-node licence sale created a multi-year debt-like obligation: about 15% of supply paid to licence holders over 4 years regardless of revenue. Orogen does not pre-sell node licences. Operators are paid for completed, verified work, and what they earn tracks the jobs they serve and the demand that real customers create rather than a licence they bought up front.

LibertAI and Pearl are the closest neighbours in the design space. Pearl in particular pioneered the vLLM-plugin pattern for TEE-attested inference that Orogen workers reuse. The economic differentiation is the BME loop and the validator replay sampling layer; Pearl currently operates without burn-rate-anchored emission and without replay-anchored verification. The foundation maintains active integration tracks for both projects so customers can route across networks via LiteLLM where their requirements differ.

Two reasons. First, the BME engine requires near-realtime oracle feeds and pallet-level mint enforcement; an Ethereum L2 puts the BME logic in a smart contract with worse latency and worse upgrade ergonomics. Second, the validator replay sampling and opML challenge games benefit from native Substrate weight scheduling and a custom slashing pallet. We bridge to Ethereum via Snowbridge (or equivalent) for token transfer and gateway settlement; the inference work itself stays on the L1.

The Forge testnet is live today and the token is the last step of the bootstrap, not the first. Mainnet follows the multi-firm chain audit and depends on a handful of real conditions: a sustained gateway revenue baseline over a 90-day window, AMD and Blackwell B200 confidential-compute operators in production alongside NVIDIA, three regional gateways live, and the foundation legal entity in place. These are conditions on real progress rather than dates, so if the second hardware vendor takes longer, mainnet waits for it.

Customer prompts and responses are processed inside the operator's TEE (NVTrust H100/H200/B200 CC + Intel TDX or AMD SEV-SNP). The plaintext is not accessible to the operator's host OS, the cloud provider, or the foundation. Side-channel attacks on TEEs are a known risk class, and fault injection, cache timing, and rowhammer-style attacks are tracked in the public verifiability RFCs. The protocol's posture: multi-vendor TEE, regular re-attestation, and public disclosure of any successful side-channel attack within 30 days. We do not claim 'HIPAA-compliant' or equivalent regulatory certifications; specific compliance tiers are scoped per-customer.

Base posture is ~$0.40 per 1M output tokens for Llama-3.1-70B FP8 at the dc-standard tier (0.6× base multiplier). dc-premium runs at 1.0× base for frontier MoE on B200/H200. Edge and embed-only tiers run 0.10–0.15× base. By comparison, GPT-4o-class output tokens sit around $10–15 per 1M; Claude Sonnet-class similar. Orogen is positioned for the open-model 7B to 70B band rather than closed frontier models, so your value comes from a lower price floor, a tier you can pick, and a receipt you can verify.

Every response carries a receipt (the RFC-0001 record). The SDK can run a client-side check for you, or you can call the verify helper directly with the receipt and the expected nonce. The result reports whether the signature is valid, the attestation is fresh, the nonce is unique, the model is in the registry, and whether the receipt passes overall. Client-side verification is best-effort, while authoritative verification is on-chain by validators through replay sampling. You can browse submitted attestation reports at attestation.orogen.network.

Base models and LoRA adapters are content-addressed (Merkle root over the tensor files). Roots are pinned on-chain via pallet-model-registry; the bits live on a multi-mirror CDN (S3 + R2 + IPFS + optional Filecoin). Operators subscribe to register_adapter events and auto-pull when an adapter targets a base model they serve. The propagation SLO is: a new adapter dropped at noon must be servable by N operators by 12:05. Adapter authors set a royalty in basis points; royalty flows back to the author from each job that uses the adapter.

Cross-operator KV sharing is not solved in v1, and we deliberately defer it (see RFC-0011). Within a single operator, KV is hot via vLLM V1 prefix cache plus LMCache and PD-disaggregation. Across operators, we use session pinning (session_id to operator_id) for multi-turn conversations, and Bloom-filter prefix hints in heartbeats as a soft routing signal. Accepting re-prefill on short prompts (roughly 50 to 80ms at 4K on H100) is cheaper than the engineering cost of cross-operator KV state sharing. A MoonCake-style shared KV-cache object store is a v2 or v3 direction.

Your operator record stops emitting heartbeats. After ~3 missed heartbeats (~3 minutes), the router stops routing new traffic to you. After 24 hours of continuous downtime, your reputation decays and tier is reviewed. Stake is not slashed for offline events alone, only for fraud (coldkey duplication, fraudulent attestation, signed-receipt forgery) and for sampling mismatches above the soft-fault threshold. Stake unlocks 14 days after deregistration, once no challenges remain open.

Yes, via the edge tier (Mac Studio Ultra, dual 3090, prosumer 4090/5090) and the embed-only tier (CPU AVX-512, Apple M-series). Edge and embed-only are stake-only verification, so you accept lower pricing and the customer accepts a weaker verification posture. The prosumer tier (1 to 2x RTX 5090 / PRO 6000) requires deterministic-kernel mode and replay sampling at 10% or more. Apple Silicon TEE is not currently supported (no NVTrust equivalent in 2026).

Eight layers (L1–L8) of the verification stack, each composable: stake-and-identity (L1), multi-vendor TEE attestation (L2), deterministic kernels (L3), validator replay sampling (L4), opML challenge windows (L5), zkML option (L6), content-addressed model commitment (L7), and signed customer receipts (L8). On the protocol side: multi-firm chain audits before mainnet, multi-vendor TEE substrate (NVTrust + Intel TDX + AMD SEV-SNP) at launch, foundation-and-DAO-run dispute panel for L5 arbitration, on-chain audit trail for every slashing event.

Validators are permissionless, stake-bonded, and eligible for the verification slice after launch when they perform replays. Validator-watchers are a smaller, foundation-and-DAO-operated set that runs the opML bisection game and serves the dispute panel. Watchers bond more (50,000 OROG at-launch) and rotate by governance. The separation prevents validators from being judge-and-jury over each other. The watcher set opens to permissionless entry on the post-mainnet roadmap (see /roadmap), with a 6-month observation period before receiving the full verification slice. Full details on /validators.

Two prerequisites. First, the operator runs in deterministic-kernel mode (SGLang determinism mode or batch-invariant kernels), which is mandatory for dc-premium, dc-standard, cloud-rented, and prosumer. Second, the validator runs the same base model and adapter at the same numeric precision on equivalent hardware. The kernels fix the reduction order and the tile scheduler. Throughput cost is roughly 3 to 8% versus stock FP8 on H100 (Llama-3.1-70B; numbers in docs). On edge and embed-only tiers determinism is not achievable, so those tiers fall back to stake-only verification.

The nonce is a per-job random value, generated by the gateway at job assignment, embedded into the operator's signed response receipt, and committed to the chain. It binds the receipt to a specific job, customer, and epoch, which stops an operator from re-signing a stale receipt and stops a different operator from substituting a known-good response from a prior job. The full specification is RFC-0007.

Email security@orogen.network for coordinated disclosure. The foundation runs a public bug-bounty program for the Forge testnet; critical attestation, slashing-pallet, and gateway-burn issues are eligible for an emergency bounty path. Findings reported during Forge are eligible for retroactive uplift at mainnet TGE. Do not file security issues in GitHub Issues.