Blockchains are defined by two qualities—they're sovereign, and they're permissionless. But are they mutually exclusive?
The year is 2012, and you are doomed to be an oracle, heckled by the present, vindicated by a future nobody else can see. See, you’re trying to compete for attention with your roommate’s bong to explain that you’ve glimpsed the future, and it is a gilded, wondrous Beacon of Truth, a technology with the very power to deify the Everyman—you disconcertingly notice your roommate eying the bong—known as “Bitcoin.”
“Whoa,” says your roommate, Trey, helping himself to a massive rip. “What?”
Occupy Wall Street, you say. The Arab Spring. Yeats was right—the center cannot hold. Populism has been loosed upon the world, our news is user-generated from Facebook, the “experts” are already being swallowed by the 4chan mobs, and the American Empire is in inveterate decline. What Napster did to music—now imagine a currency doing that to the nation-state.
This would be Bitcoin, you let out an inadvertent whistle: an internet-native global p2p currency for the people, by the people. It’s going to be bigger than the printing press: just as Gutenberg democratized the knowledge that was only available to the literate elite, Bitcoin lets us democratize money itself as something we print, port, and use. It’s user-generated money. It’s the populist currency for an era that will devour the elites.
“Whoa,” says Trey, dumbstruck by your thunderous prophecy. “My guy, it’s just like… dude.”
Trey, you realize, is not a deserving pupil of the tutelage you have to impart. Then again, it’s not Trey’s fault that he’s dumb as shit, you tell yourself. It’s simply his era that has made him so.
And suddenly, you realize how to get through to him.
“Trey,” you say softly, as he sheepishly drags his eyes from the bong. “What if I told you there was a new form of digital money you could use to buy hard fucking drugs on the internet—without any risk of getting caught?”
Sure, whatever, you explain. Like Craigslist, but money. Money anyone can use for anything. Anyone anywhere around the world can buy it and use it online. And it’s theirs to transact with, outside the KYC demands of legacy financial institutions tied to the state.
As Trey’s eyes betray the haziest of glimmers, you realize you’ve hit the magic formula. Bitcoin is two things. It’s permissionless: anyone can use it without needing to belong to a certain nation-state. And it’s sovereign: they can use it for any purpose because it’s theirs to use as they please. Bitcoin lets anyone use money however they like.
Permissionless and sovereign. You sigh a sigh of relief. You’ve figured out the principles of crypto.
The years pass, and nary a day goes by that you are not jiggling your index finger at some stranger to explain your newfound framework.
In 2014, you explain the Ethereum Whitepaper to a growing group of acolytes you’ve met on BitcoinTalk. It’s permissionless and it’s sovereign: Ethereum lets anyone create money (permissionless) that they can manage however they like (sovereign).
In 2016, it is Cosmos’ turn. Cosmos, “the internet of blockchains,” is—surprise, surprise—permissionless and sovereign: it lets anyone create their own blockchain (permissionless) that they can manage however they like (sovereign).
Your acolytes are happy. But something nags at you a bit in this reduction. Because the truth is that Ethereum is not really sovereign in the way that Cosmos is sovereign. If there’s a hack on your protocol on Ethereum, you’re, well, pretty much fucked. The entire Ethereum ecosystem would have to decide to fork the chain to roll back the hack and restore funds, and you’d need social consensus from the entire network to support you (this happened, of course, with The DAO).
But on Cosmos, you’d have your own chain, so you’d just need to get the validators in your local system to agree to roll back the hack—because you control your own financial system. If your community has any dispute about tokenomics, infrastructure, and what constitutes a valid transaction, they can always just fork your chain while preserving all past transactions.
On Cosmos, you have sovereignty.
There is a tradeoff, however, and that tradeoff is that you’re on your own. You need to bootstrap your own validator set to ensure the security of your chain, and this is no small task—ideally you want node-runners all around the world to be ordering and validating transactions while ensuring they’re not hiding any transactions from you. That means paying them in your native token, and that in turn puts you in a bind: the token needs to be worth something to draw validators, but without validators, it’s not worth much at all. Worse, a cheap token could incentivize nodes to attack the system since the costs of being slashed are likely far less than the gains from corruption.
And then there’s the issue of composability. On Ethereum, you could take out a flash loan from Aave to purchase tokens on Uniswap, sell them for profit on SushiSwap, and return the loan to Aave, all in a single transaction (aka atomic composability). Likewise, you could invest your money in a Yearn pool that automatically reinvests it in different protocols to maximize yield, and it’s able to do so because all these protocols support the same token because they settle to the same chain—Ethereum—and derive their security from it as well.
In other words, Ethereum is truly permissionless in a far more meaningful way than simply letting anyone copy each other’s code: it lets any protocol interact with any other protocol in an interconnected web of financial applications that enable each other’s opportunities and even successes. Every app can draw on the shared security and transactions of each other without asking permission.
But permissionless and sovereign start to look less like compatriots than contenders. You can have full interoperability to plug into applications however you like in an open network—or you can have your own network that you control. (This is, in fact, the central challenge for Cosmos that they are making huge strides to confront—but more on that in a bit.)
The point for now is that this is a very real challenge. Having your own chain also means bootstrapping your own validator set—but deploying to someone else’s chain means relying on their system of validation. In a way, this feels obvious to the point of idiocy. Of course, having your own chain means running your own validators, and using someone else’s chain means using theirs. Right? Right?
The promise of crypto begins to feel mutually exclusive: permissionless or sovereign. One or the other. But what if there were a way… to get both?
Let’s pause here to define our terms—the terms of the modular stack.
First, we are talking about two types of permissionlessness: permissionless security and permissionless composability. And in fact, each of these maps neatly onto two of the three modular functions of a blockchain, Data Availability and Settlement. These are, if you like, the “permissionless” parts of the stack, while the third layer, Execution—the actual transaction that updates the state of all accounts—is arguably the “sovereign” module. Note that I am contentiously neglecting Consensus, because every layer requires Consensus to order transactions properly.
Let’s focus on the permissionless pieces, Data Availability and Settlement. We can define each of those by way of analogy. Imagine, for a moment, that you’ve received a resume from a prospective candidate for a job. You have three jobs here: making sure the resume isn’t hiding anything, making sure the resume isn’t wrong, and hiring the candidate. Not quite in that order.
Step one is Data Availability: the resume looks good, so you run a background check to see if there’s anything that the candidate is withholding. You are ensuring that all the data is available, in other words—that nothing is hidden. (In blockchains, Data Availability tests that all data is visible, that nothing is being withheld.) Data Availability is our security layer: it ensures we’re being told not just the truth, but the whole truth, so that we can do business.
Step two is Execution: you hire the candidate. In technical terms, you execute a transaction that updates state, aka the state of all accounts—in other words, you’ve updated the candidate’s resume.
But while everyone is signing the paperwork, you have a period to perform some last reference checks and ensure that the candidate hasn’t lied about anything. This is step three, Settlement: even though you’ve optimistically updated the candidate’s resume with a new position, any fraud you find would invalidate that update. Settlement is where we perform fraud proofs to confirm new transactions, to make sure we’re telling nothing but the truth.
For optimistic rollups, which assume transactions are valid until proven fraudulent, Settlement is the insurance layer: while the ostensible point is to catch fraud, the fact that you will catch and penalize fraud deters it from being committed in the first place. Settlement is insurance against fraud being committed at all.
So if you like:
Execution = Truth
Data Availability = Whole Truth
Settlement = Nothing But The Truth
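To make the three roles concrete, here is a toy model added for illustration (it is not code from any project named in this piece). The names SettlementLayer, run_scenario and CHALLENGE_WINDOW, along with the sample balances, are constructed for the example; it shows an honest batch finalizing, a fraudulent batch being voided by a fraud proof, and the same fraud finalizing when the batch data is withheld.

```python
import hashlib
import json

CHALLENGE_WINDOW = 3  # settlement-layer blocks; constructed value for the example

def digest(obj):
    """Hash of a canonical JSON encoding; stands in for a state root or data commitment."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def execute(balances, txs):
    """Execution: apply (sender, recipient, amount) transfers, skipping overdrafts."""
    state = dict(balances)
    for sender, recipient, amount in txs:
        if amount > 0 and state.get(sender, 0) >= amount:
            state[sender] -= amount
            state[recipient] = state.get(recipient, 0) + amount
    return state

class SettlementLayer:
    """Accepts state roots optimistically and finalizes them after a challenge window."""
    def __init__(self, genesis):
        self.height, self.pending = 0, None
        self.finalized_root = digest(genesis)

    def post_batch(self, claimed_root, data_commitment):
        self.pending = {"root": claimed_root, "data": data_commitment, "at": self.height}

    def challenge(self, pre_state, txs):
        """Fraud proof: re-execute the committed batch; a mismatch voids the claim."""
        p = self.pending
        if p is None or self.height - p["at"] >= CHALLENGE_WINDOW:
            return False  # nothing pending, or the window has closed
        if digest(pre_state) != self.finalized_root or digest(txs) != p["data"]:
            return False  # proof must use the committed pre-state and batch data
        if digest(execute(pre_state, txs)) == p["root"]:
            return False  # the sequencer's claim was honest
        self.pending = None  # fraud proven: the optimistic update is discarded
        return True

    def advance(self, blocks=1):
        self.height += blocks
        p = self.pending
        if p and self.height - p["at"] >= CHALLENGE_WINDOW:
            self.finalized_root, self.pending = p["root"], None

def run_scenario(claimed_state, data_published):
    """Return (challenge_succeeded, final_root_is_correct) for one posted batch."""
    genesis = {"alice": 10, "bob": 0}          # constructed sample state
    txs = [["alice", "bob", 4]]                # constructed sample batch
    honest_root = digest(execute(genesis, txs))
    layer = SettlementLayer(genesis)
    da_layer = {digest(txs): txs} if data_published else {}  # data availability
    layer.post_batch(digest(claimed_state), digest(txs))
    layer.advance(1)
    # A verifier can only build a fraud proof from data it can actually fetch.
    fetched = da_layer.get(layer.pending["data"])
    challenged = fetched is not None and layer.challenge(genesis, fetched)
    layer.advance(CHALLENGE_WINDOW)
    final_ok = layer.finalized_root in (digest(genesis), honest_root)
    return challenged, final_ok
```

The third scenario is the one to watch: with the data withheld, nobody can re-execute the batch, so the challenge window passes and the false root finalizes.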
But there is another function of Settlement as well. Remember that Execution was updating the candidate’s resume to add their new position. In blockchains, though, this is a global change; that is, you broadcast it globally for everyone to see. So imagine that every time you updated a resume, it was updated across a global database—and that this global database was a kind of permissionless, decentrally validated LinkedIn, letting anyone commission the candidate for work based on their new job and salary.
The job of Settlement is to ensure that global database is accurate and finalized, so that if one company updates a candidate’s resume, another can trust the update and hire them as well. Our analogy is faltering here as we have to imagine some future where DAOs automatically update candidates’ resumes, so to put this in practical terms, the function of Settlement is to ensure that separate chains can trustfully transfer assets between themselves without fraud.
In that sense, Settlement is not just our Insurance or Arbitration Layer. It is also our Composability Layer. If you have a rollup—a chain whose whole job is to execute transactions for cheap and batch post the proofs to a settlement layer like Ethereum—then the settlement layer enables you to interact with other execution rollups. In that sense, it enables cross-chain transactions, provided each chain is settling to the same layer.
Go back to our earlier example. Now imagine a world where Uniswap had its own app-specific rollup and Aave had its own app-specific rollup to maximize execution: in theory, you could perform a flash loan on Aave to purchase tokens on Uniswap, provided they settled in the same settlement layer block so that each chain could verify that transactions on the other were valid. In practice, doing this instantaneously will be fairly impossible until we have ZK-bridges like Polymer, and even then, they may not settle in the same block. But the point is that Settlement Layers operate as a kind of trust-minimized bridge between rollups. They enable composability—async composability, yes, but composability nonetheless.
There are nuances here.
The “enshrined rollup” maxis will tell you that Data Availability and Settlement should be the same layer to optimize use of a single token and aggregate its liquidity in order to offer better security.
The Ethereum maxis will tell you that you should just settle on Ethereum since that’s the one thing at which it currently excels, and that long term, once it adds functionality for Data Availability Sampling, Ethereum will be your go-to for Data Availability as well.
And the ZK-rollup maxis? Well, yes, as is their wont, the ZK-rollup maxis will tell you none of this Settlement shit matters anyway because validity proofs will negate any need for posting fraud proofs or aggregating liquidity—rollups will be able to exchange tokens immediately with full composability.
But cut through the noise to see the bigger point. You can have sovereignty of your own app-specific Execution rollup while also having the permissionless security and composability of independent Data Availability and Settlement Layers. This is the promise of the modular stack. The fact that modularizing each of these layers can also bring benefits to each of them—light client sampling enabling greater decentralization, scalability, and security on the Data Availability layer, for example—is a sidepoint.
The promise of the modular stack is giving us the full benefits of being sovereign and permissionless. Combined.
A word here for Cosmos.
For my (magical internet) money, there’s probably no 21st Century technological experiment more exciting than Cosmos. Cosmos’ vision of applications having their own chain groks Bitcoin’s original promise that we can transact however we please and Ethereum’s that we can print currency however we please—only to respond, nah, we can create our own damn financial system however we please.
Cosmos lets you whip up a blockchain the way Wordpress lets you whip up a website: the Cosmos-SDK is your Wordpress panel, the Tendermint Consensus Engine is the backend code powering it, and IBC is the internet, the network of other sites you link to. And the fact that the Cosmos-SDK and Tendermint have birthed everything from Polygon (actually) to Celestia to Terra (RIP), not to mention protocols like Osmosis, Kyve, Agoric, Axelar, and Akash, is arguably secondary to the IBC’s position right now as likely the most secure cross-chain messaging protocol to date.
There is another reason I love Cosmos, though, besides Tendermint, IBC, and the Cosmos SDK, and that’s that Cosmos knows it has a really fucking hard problem to solve. It’s our favorite problem, of course—the problem of sovereignty vs. permissionlessness, or as founder Ethan Buchman has repeatedly articulated Cosmos’ mission, being locally sovereign and globally interoperable.
There is simply no other protocol that has worked as assiduously as Cosmos has to give us both. And this has particularly been the goal in the Cosmos ecosystem for the past year: give sovereign chains the same composability and security that rollups enjoy on Ethereum.
First, Cosmos is developing Interchain Accounts, which will let smart contracts on different chains read and write state to one another—enabling async, cross-chain composability.
Second, Osmosis, Cosmos’ decentralized exchange of choice, not only pools liquidity across Cosmos chains but has enabled swaps to Polkadot and Ethereum as well using Axelar—in effect becoming the liquidity layer for Cosmos to power cross-chain transactions, somewhat akin to a traditional Settlement Layer (work with me here).
And third, most importantly, Cosmos has been working towards Interchain Security, in which one chain’s validator nodes could effectively be lent out to another by collateralizing $ATOM, to create a cross-chain proof-of-stake network.
Will any of this be fully permissionless? Well, no: a sovereignty-first approach means that these are opt-in systems requiring the mutual consent of participants, as it damn well should. And long term, Cosmos could face the same issues Ethereum faced in its previous shard-focused roadmap. Without a shared Execution or Settlement Layer, atomic composability is likely to be a challenge; without a shared Data Availability Layer, security could become an issue as many chains rely on the same central set of expensive, hefty validators. (If you’ve seen me getting excited about Radix in the past, this is why.)
But the good news for the Cosmos ecosystem is that it’s at the forefront of the modular stack on both the sovereign side (Execution) and the permissionless side (Data Availability and Settlement). Want to deploy your own execution chain that your community can control? It’s not hard to imagine Cosmos chains like Osmosis becoming rollups on top of shared Data Availability Layers like Celestia. Celestia itself is, in some ways, a next-gen iteration of Cosmos, as well as a next-gen iteration of Cosmos Interchain Security, built with the Cosmos SDK.
There is just one missing piece for the moment, and that is permissionless composability from a Settlement Layer. Short-term, the Cosmos Hub, backed by $ATOM, might be the closest thing. Long-term, we can imagine worlds in which Ethereum becomes the global Settlement Layer, in which settlement is made obsolete by ZK-chains, or in which there is a massive opportunity for a new Settlement Layer for non-Ethereum chains. Stay tuned.
The only point for now is that Cosmos, which we originally relegated to the detritus of our chart’s lower right, turns out to also give us our solution.
Because the simplest way to describe the modular stack is that it gives you the sovereignty of Cosmos with the permissionlessness of Ethereum: it lets you bootstrap your own chain with the full backing of an outside validator set. It makes it as “easy to deploy your own chain as to deploy a smart contract.”
And this is, in short, the promise of the modular stack: decentralization-as-a-service.
What’s the promise of letting anyone deploy their own blockchain? Remember that blockchains won’t just be financial chains, but chains for any kind of decentralized data, and you’ll see the kind of opportunity that the modular stack is enabling.
It is, for that matter, the culmination of the Cosmos vision.
Our case is closed, and we’ve found the solution to reconciling these dueling crypto values of permissionlessness and sovereignty, right? Right?
Earlier, I left out one other case against Settlement, or rather Enshrined Settlement. I know we are down rabbitholes of rabbitholes, and you are probably wondering to what weird potato salad of words I am now holding you hostage. But spare me one final detour, because I promise it will cement the point of why we’re here.
That case, made recently by Celestia, is that we might not want someone else in charge of Settlement if we want to decide what constitutes a valid transaction. The whole point of Settlement, after all, is to provide a global, objective standard for fraud and validity—until we remember that law and money are only true because we decided to accept them as true, that validity is itself a social construct determined by social consensus.
Say, for example, that your community notices your blockchain is being used by oligarchs to pay hitmen to kill dissidents. Needless to say, your community might reach social consensus to decide not to settle that transaction—to classify it as fraud. And you are now in the funhouse of subjective sovereign blockchains where people, not algorithms, decide what’s valid. The implications are massive for sovereign rollups—that is, rollups where the community is in charge of settlement—as it is governance, not algorithms, that rules.
Oh reader, to get you here, what a strange path I had to take. For you probably see the conundrum in which we’re sunk. Being sovereign lets your community decide what’s true, but there is the usual cost—being permissionless as well. What happens if your local laws break international treaties? To determine your own code of justice can mean forfeiting everyone else’s, and sovereign chains may well face the challenge of global interoperability without a settlement layer that other chains can rely on.
But isn’t that the point of crypto, to determine the rules of our own society? Or wait, is it to create a complete global network letting all humans interact?
We are back to our fundamental dilemma. That’s not to say that ZK-bridges won’t ultimately solve these issues, but that these are tradeoffs in the battle for independent sovereignty or global inclusion that each project will need to make. I personally am excited about the possibilities for both paths, for being globally permissionless and locally sovereign, and I suspect the modular stack gives us our best hopes for both.
But there is no escaping a deeper suspicion, too—that the battle between them defines both the technical and ideological battles overtaking every layer of crypto today.
This piece owes a deep debt of gratitude to the writing of Mustafa Al-Bassam, Jon Charbonneau, and Polynya. I am also extremely grateful for conversations with Josh Bowen and Aditi Sriram that were often responsible for a great deal of the argument above.
Finally, I want to give special thanks to everyone who read and gave feedback on this piece, including Ekram Ahmed, Alex Beckett, Jim Chang, Jon Charbonneau, Yuan Han Li, Kinjal Shah, Aditi Sriram, and Jack Zampolin.