To address the lack of formal incentive-compatibility analysis in decentralized storage networks—which undermines the achievement of decentralization objectives—this paper introduces the first game-theoretic model of the Shelby protocol. We rigorously prove that, under natural parameter settings, Shelby achieves incentive compatibility via a dual mechanism of “peer-to-peer auditing + on-chain verification,” effectively deterring lazy behavior by storage nodes. Furthermore, we expose the fundamental insecurity of purely offline auditing in collusion-prone settings and propose a lightweight protocol enhancement that significantly improves collusion resistance. Our main contributions are: (1) the first formal proof of Shelby’s incentive compatibility; (2) a novel modeling framework for collusive behavior and its associated security analysis; and (3) a mechanism optimization that balances theoretical rigor with practical deployability. The results advance both the foundational understanding and real-world robustness of incentive mechanisms in decentralized storage systems.

Decentralized storage is one of the most natural applications built on blockchains and a central component of the Web3 ecosystem. Yet despite a decade of active development -- from IPFS and Filecoin to more recent entrants -- most of these storage protocols have received limited formal analysis of their incentive properties. Claims of incentive compatibility are sometimes made, but rarely proven. This gap matters: without well-designed incentives, a system may distribute storage but fail to truly decentralize it. We analyze Shelby -- a storage network protocol recently proposed by Aptos Labs and Jump Crypto -- and provide the first formal proof of its incentive properties. Our game-theoretic model shows that while off-chain audits alone collapse to universal shirking, Shelby's combination of peer audits with occasional on-chain verification yields incentive compatibility under natural parameter settings. We also examine coalition behavior and outline a simple modification that strengthens the protocol's collusion-resilience.