Justin’s Orb

I don't feel well equipped to comment on AI. As an armchair observer, fundamental research and innovation seems to be extremely concentrated in megacorps—think NVDIA, Microsoft, Google, OpenAI. Startups using AI as a tool to build products are in a somewhat shaky position, at the mercy of some overlord that controls the underlying infra. With blockchains it's the opposite: research and innovation is distributed across many small and medium teams, and startups using blockchains as a tool to build products can enjoy sovereignty from the platform they build upon.

Now to answer your question about "the top 3 places", the number 1 place for startups and innovation is clearly Ethereum. Back when I joined the blockchain space 10 years ago that top place was Bitcoin. Unfortunately Bitcoin has since dropped the ball and is probably not in the top 3, even with recent innovation like BitVM. I'd probably give second place to "advanced applied cryptography"—SNARKs are an absolute revolution and blockchains are at the epicentre of it. An amazingly bullish fact is that advanced applied cryptography will extend far beyond SNARKs to include FHE, MPC, witness encryption, functional encryption, iO, one-shot signatures. Moon math has a bright future IMO in terms of research and innovation, with blockchains being the primary underlying motivator and driver. In position 3 I would go with "restaking" as another general category. Platforms like EigenLayer (see invocation #5 for an extended disclosure) seem to open up a whole new blockchain design space. It feels like there's significant low-hanging fruit and excitement for infrastructure that goes beyond vanilla smart contract-based dapps. Of course there is a risk that the hype won't stand the test of time which is why it's in a distant position 3. As a side note my state of mind as a restaking alignment researcher is to assume that restaking will be wildly successful so as to motivate exploring mitigations to systemic risks that this success could bring to Ethereum.

Extended disclosure: As mentioned in my last response I am now an advisor to the EigenFoundation. I feel the community deserves transparency so here we go :)

1. The advisorship comes with a significant EIGEN token incentive which could easily be worth more than the combined value of all my other assets (mostly ETH). We're talking millions of dollars of tokens vesting over 3 years.
2. I pledge to reinject all advisorship proceeds towards worthy projects within the Ethereum ecosystem, either as investments or donations. I also stand ready to end the advisorship at any time, e.g. should EigenLayer go in a direction I deem to be against Ethereum's interests.
3. I am picky with advisorships (having likely turned down over 100 so far) and I didn't accept the EigenFoundation advisorship lightly. Sreeram first talked about an advisorship in March 2023 and the whole process took discussions over one year.
4. The advisorship happened on the condition that my mandate be limited to researching restaking risks and that I not be included on marketing material.
5. Given my focus on restaking risks you can expect my default public stance to continue to lean critical of EigenLayer. I will try to make my criticism constructive, advocating for mitigations to risks like the erosion of solo validators and the intersubjective overloading of Ethereum consensus.
6. By being an advisor I hope to have a front-row seat to restaking issues and steer EigenLayer from within. As a researcher I feel I did too little too late with regard to liquid staking. This is an opportunity to not repeat the mistake with restaking.
7. Competing restaking platforms provide healthy diversity and I will gladly share insights and bounce ideas with competitors like Karak and Symbiotic.
8. Some people may ask if EigenLayer is trying to systematically "bribe" or "corrupt" the EF. Nowadays the EF is a large organisation with 300+ people. To my knowledge 3 EFers have a formal relationship with EigenLayer entities: one as an early EigenLabs investor, and two as recent EigenFoundation advisors. EFers are some of the highest integrity people I know and I don't see the 1% of EFers formally involved with EigenLayer compromising their morals.
9. Having interacted a bunch with Sreeram I believe he is in our space for all the goods reasons. He has a razor sharp mind and a genuine desire to build something meaningful—what he calls the "Open Verifiable Digital Commons". Sreeram's outstanding character was key to accepting the advisorship.
10. I want to highlight that I'm advising in an individual capacity. This is more than just a legal detail: I live my work life first and foremost as an Ethereum researcher, not as an EF researcher. I try to stay a free and independent thinker and serve the interests of Ethereum even if it sometimes means breaking the mould of expectations that comes with being an EF researcher.
11. I do acknowledge that accepting the EigenFoundation advisorship inevitably comes with downside risk beyond my personal reputation. I hope the above shows that it is at least a considered move with calculated risks.

Can you give your thoughts on EigenLayer?

Restaking plausibly is to Ethereum what AI is to humanity: a wonderful paradigm-changing tool in the short- and medium-term which may be powerful enough to introduce systemic risks that ultimately lead to our demise. My research interest is in better understanding those risks and searching for mitigations—the equivalent of AI alignment for restaking. How do we ensure restaking sustainably supercharges Ethereum without undermining it?

I see two categories of restaking risks: chronic and acute. Chronic is the slow but pernicious type, exemplified by a potential erosion of the solo validators. In AI-land this would be the equivalent of resourceful corporations—with zettabytes of training data and gigawatts of compute—slowly but surely using their AI edge to entrench themselves within society and erode meaningful individual sovereignty. Acute is the fast yet catastrophic type, exemplified by a major infrastructure breakage or market meltdown large enough to tear the social fabric—think of The DAO but involving $5T not $50M. In AI-land the equivalent could be having a rogue AI getting access to nuclear launch codes and starting WW3.

One direction I'm excited about is fully decoupling execution proposing from validation. This means having Ethereum validators no longer propose EVM blocks, an extreme form of proposer-builder separation (PBS). Until recently the leading proposal was execution tickets (ETs) but Barnabé may have discovered an even better design I call execution auctions (EAs). By decoupling proposing from validation it is no longer possible for native restaking to overload proposing. All proposing duties and yield (including MEV) is quarantined. Ideas like based preconfirmations which overload L1 proposing would no longer require validators to be involved and are fundamentally safer with ETs or EAs.

Another direction I'm excited about is economic stake capping, e.g. discouraging (or preventing) more than 1/4 of all ETH to be staked by having an issuance curve that goes to zero (or negative) as the amount of ETH staked approaches the cap. This will obviously limit the size of the natively restaked economy and the corresponding blast radius if things blow up. Maybe more importantly, stake capping lowers the cost of money to a minimum and prevents the chronic overcompensation of staking. If staking is by default at best financially net neutral, stakers will need to provide more than just brute force economic security for staking to be rational. The good news is that stake decentralisation is one of the most promising potential staking differentiators. Solo validators that provide "refined stake" have already done extremely well relative to institutional "crude stake" thanks to airdrops that disproportionately reward solo validators. I hope we can develop more tools to identify, engage, and reward decentralised stake. See for example proof of location ideas by Witness Chain.

A third direction I want to highlight is intersubjective slashing. The EIGEN token design is all about offering a solution to the problem of overloading "objective" tokens like ETH with intersubjective risk. The EIGEN token is a sponge that promises to mop up intersubjective risk. Intersubjective tokens are a great match for fundamentally intersubjective services like DA and oracles, and act as pressure valves in case of 51% attacks. I could also see intersubjective tokens being valuable to derisk objective AVSs while bugs are being rooted out: if unintended slashing happens (either accidentally or maliciously) the social layer can simply fork the intersubjective token. Maybe we should encourage AVSes to cap their usage of ETH collateral (say, at 1M ETH) until they have formally verified slashing conditions and clients. On that note, I am increasingly bullish on formal verification tools like Lean soon reaching a maturity inflection point. The EF is launching a $20M zkEVM formal verification competition this year and I hope it can serve as a template for the wider Ethereum ecosystem.

A final direction I've been thinking about is generalised PBS to increase the decentralisation of AVS operators. The goal is to limit the need for trusted delegation and instead make use of trustless generalised builders. Such builders would do the sophisticated heavy lifting (e.g. devops and algorithms) yet compete in a ruthless permissionless market which drives the mast majority of restaking rewards to unsophisticated AVS operators.

Can you provide an overview of the current state of fragmentation in the ethereum ecosystem between L2s?

For me an L2 is a chain that settles on Ethereum. This means that everything that characterises an L2, with the exception of the choice of settlement layer, can be idiosyncratic. This idiosyncrasy naturally leads to fragmentation: L2s can have different data availability, VM, proof system, Merkleisation, rate limiting, fee mechanism, sequencing, governance—the list goes on.

Most of the above fragmentation vectors yield beautiful experimentation and diversity that is typical to Ethereum. It's a great thing that Ethereum can permissionlessly run the EVM, the SVM, WASM, RICS-V, that we can experiment with Optimism-style public goods funding, and that hundreds of devs across dozens of L2s are incentivised to engineer zkVMs and grow platforms and communities.

If I were to pick one pain point with the current state of L2s it would be sequencer fragmentation. The reason is that sequencer fragmentation is often a lose-lose game that breaks down network effects. We don't have cross-L2 aggregators like 1inch or Matcha because of sequencer fragmentation: we have lost unified liquidity. Each sequencing zone is a silo that is only loosely connected to other sequencing zones through asynchronous message passing and asset bridging.

Sequencer fragmentation is not just about breaking down liquidity network effects. It makes bootstrapping L2s extremely expensive because L2s have to start from scratch: no apps, no liquidity, no users, no oracle integrations. A new L2 can't easily plug into existing network effects without shared sequencing.

Sequencer fragmentation also makes building complex dapps that span k sequencing zones brittle. For example, if one of the k zones is censoring (even if only censoring preconfirmations and delaying inclusion) then the whole application is censored. Liveness degrades to the weakest sequencing zone.

Last but not least, sequencer fragmentation breaks opportunities for synchronous composability which unlock significantly more fluid UX and DevX. I attribute most of Solana's current success to its synchronous execution—there's no reason Ethereum can't match Solana on synchrony!

How can it be improved?

IMO there is a compelling solution to sequencer fragmentation: shared Ethereum sequencing. The idea is that most L2s opt into using a credibly-neutral and secure shared sequencer, thereby fixing ~80% of the downsides of L2 fragmentation.

My personal thesis is that we ought to use L1 proposers as the sequencing substrate for L2s, with the shared sequencing mechanism inheriting the credible neutrality, security, and network effects of Ethereum L1. That is to say, the shared sequencer ought to be L1-driven, or "based".

Credible neutrality is particularly important to solve the coordination game. Would Arbitrum want to use Optimism's shared sequencer? Would Optimism want to use Arbitrum's shared sequencer? We need to find common neutral ground and Ethereum itself is maximally neutral.

Security is critical for liveness and censorship resistance, and based sequencing is the only way to get a sequencer which fully inherits Ethereum L1 security, without introducing a new 51% attack vector.

Finally based sequencing allows for synchronous composability between L1 and L2 execution environments, something non-based sequencers can't provide. This means that L1 TVL (~$0.5T) which hasn't (and possibly will never) migrate to L2 continue driving the network effects that make Ethereum an unstoppable force.

If you're interested in more details here are some resources:

• Bankless on Fixing Fragmentation https://youtu.be/MnsjUZo7RRI
• Bankless on Shared Sequencing https://youtu.be/k8OGmcOaas4
• RollCall on Shared Sequencing https://youtu.be/eycLQCaqDsk
• sequencing call #0 https://youtu.be/8xFVC9T9LR4
• sequencing call #1 https://youtu.be/2IK136vz-PM
• sequencing call #2 https://youtu.be/mAGGdPRmhsc
• sequencing call #3 https://youtu.be/XSsKFINj710

Apologies for the slight delay—I included some BitVM alpha which hopefully makes up for it :)

Do you think we will ever see a major non-USD based stablecoin?

As a good enough first approximation I expect all assets that can be digited to eventually make it onchain. In particular, any non-USD fiat currency you may consider major (e.g. CNY or EUR) will eventually be a stablecoin, either via a directly-issued CBDC or a third-party wrapper.

What's the best possible collateral for it in principle? USD certainly isn't

The best possible collateral for a CNY stablecoin would be central bank money directly issued by the central bank of China. In this CBDC model there is arguably no collateral: the stablecoin is central bank money itself, 1-to-1.

For Liquity- and Maker-style overcollateralised decentralised stablecoins my favourite form of collateral is maximally trustless money like ETH or BTC. Unfortunately neither ETH nor BTC have accrued enough monetary premium to provide enough economic bandwidth for tens of trillions of dollars of stablecoins.

For the sake of argument, let's assume that both ETH and BTC will eventually achieve $100T marketcaps—what would be required to build a successful over-collateralised stablecoin? The three key ingredients are:

1. Full programmability: unfortunately BTC doesn't really fit the bill. For a couple weeks I was excited about BitVM to provide two-way-pegged fully-programmable rollups on Bitcoin. Unfortunately there's an awkward list of caveats associated with BitVM:
   a) 1-of-N whitelisted challengers (no usual 1-of-∞ assumption)
   b) optimistic rollups only (no zk-rollups)
   c) log-round fraud proving (no one-round fraud proving)
   d) drawn-out fixed-time challenge rounds (no chess clock time keeping)
   e) only 4MB/10min of L1 DA

It is possible to do zk-rollups on Bitcoin with fancy cryptography like functional signatures and indistinguishability obfusction but it will likely take decades for the cryptography to become practical.
2) Better oracles: my favourite design here is restaking-based oracles that take the median across consensus participants, in some sense reusing the honest majority assumption of the L1. Zahary Karadjov is working on an oracle platform called Blocksense which has a bunch of interesting ideas to use MACI and other fancy tools to mitigate collusion 51% attacks.
3) Cheaper cost of money: ETH today has a high cost of money (~5%/year) which makes it almost untenable for a scalable decentralised stablecoin. One could use an LST like stETH as collateral instead but you'd lose the high-grade pristineness of ETH, defeating the point of a decentralised stablecoin. My favourite solution to the opportunity of cost of ETH is stake capping. The idea is to have an issuance curve which tends to zero (or, even better, negative infinity) as the total stake approaches the cap (say, 25% of all ETH).

Ok, privacy thoughts below! Disclaimer: I haven't spent much time thinking about privacy so take the following with a grain of salt :)

1. As a technical side note, Vitalik's roadmap diagram does have in-flight privacy in a couple places: "Secret leader election" under The Merge, and "encrypted mempools" under The Splurge. These provide transient privacy for proposers and users respectively, and are important for robustness in the context of censorship and MEV.
2. I'd say there's rough consensus within EF research that privacy is best handled at L2, not L1. L1 provides enough programmability for L2s to eventually host private applications. One of the design philosophies of L1 is to provide basic building blocks (such as BN254 pairing checks) upon which fancy apps can be built. The L1 is also too expensive to use—the future of privacy lies within L2s such as rollups and validiums.
3. While we definitely need privacy in the long term, the lack of privacy in the short term does have advantages—we might as well embrace those :) Transparency makes it easier to detect bugs (including supply inflation bugs), makes a bunch of tradworld folks (regulators, tradfi, law enforcement, boomers) more comfortable, and allows entrepreneurs to build cryptography-light apps and experiment faster.
4. Being transparent in the early days may be a strategic move to penetrate society, a sort of Trojan horse. Look at Zcash getting deplatformed from exchanges: maybe Ethereum needs to grow "too big to deplatform" before the fight for privacy can start in earnest.
5. If I were to choose a priority list for solving blockchain problems I'd probably choose security first, then scalability, then privacy. Scalability is not super meaningful without security, and similarly privacy without scalability is just a luxury for the rich. We're doing extremely well from a security standpoint (10x more economic security than Bitcoin) and IMO now is the time to nail scalability.
6. I believe the industry is still a little immature to properly tackle privacy. We struggle to even build bug-free and usable transparent apps, and private applications are 10x more complex. The cryptography is evolving extremely fast but IMO still not mature enough. There may also be a lack of demand from users: the majority of users still just want to speculate, with privacy as an afterthought.
7. True privacy is extremely hard to pull off because a single accidental leak is enough to compromise it. Don't have a good Tor or VPN setup? 💀 Accidentally reused an address? 💀 Subtle cryptographic or design bug? 💀 Just like bridges blow up and lead to mass hacks, I worry that when a privacy app or platform messes up mass leakage of sensitive information will ensue. Users having the illusion of privacy is probably worse than users knowing full well they have no privacy.
8. One of the recent concerns is that Aztec may wholesale be added to the OFAC SDN list, with builders and relays censoring Aztec blobs. Roughly 2/3 of blocks are built by censoring builders, so if Aztec (as a rollup) was to go on the SDN list that would reduce its max capacity (and increase settlement latency) by 3 relative to other rollups. I believe builder and relay censorship is something we should fix ASAP and is definitely one of my priorities.
9. In summary, I agree with you that privacy is extremely important as Ethereum adoption grows and I'm optimistic we will eventually enjoy widespread high-grade privacy. Having said that, I don't think tackling it at L1 is the right move and from a timing perspective it may even be too early for L2s to tackle.