The Cosmos Endgame

Merge, Surge, Splurge…Converge? The Interchain Endgames of Cosmos and Ethereum

Convergent Evolution

Towards the end of the Silurian period 420 million years ago, jawed fish diverged into cartilaginous sharks (and rays), and their more rigid cousins, the bony fish.

These latter produced the amphibians, some of whom crawled out to conquer the land and the air as dinosaurs and proto-mammals. 375 million years later, a few of them returned to the sea, becoming dolphins and whales as they converged again on the familiar hydrodynamic strategies of a propulsive tail, flippers, and light bones, this time as warm-blooded, air-breathing mammals.

Divergence: In 2013-14, Cosmos and Ethereum split off from their common blockchain ancestor, Bitcoin, but as both projects have iterated on their roadmaps, particularly as Ethereum has become increasingly modular, their endgames have begun to converge on multiple, connected execution zones, though the the Cosmos design still favors sovereignty at the app level, while Ethereum prefers to trade this freedom for universal security and settlement.

Ethereum’s monolithic structure allowed composable smart contracts to be launched and iterated upon at great speed, the necessary preconditions for the first great flowering of DeFi applications. Its great success allowed it to develop solutions to many blockchain problems, and it has made considerable progress on two of the space’s most persistent problems: scaling and MEV. Ethereum devs have pushed the technological and definitional limits of single-chain scaling, and they have brought the dark forest of block producer transaction reordering into the light.

At the same time, Cosmos ceding the winner-take-most race of becoming the world’s financial AOL (siloed precursor to the world wide web), in order to instead develop a secure, flexible backbone for the internet of money. It pioneered 3 pluggable, adaptable technologies: a replicable state machine with Byzantine Fault Tolerant consensus (Tendermint), and a set of blockchain application modules (the Cosmos SDK) that interact with the consensus engine. Together these can be used to quickly spin up an immediately interoperable blockchain using the crown jewel of Cosmos: the Inter-Blockchain Communication Protocol.

IBC is both a trust-minimized data transport layer for communicating between chains, and an interchain app-layer built on top. The most obvious application is token transfers, but an increasing array of Interchain Standards is allowing more complex cross-chain interactions such as Interchain Queries, Interchain Accounts (allowing accounts on one chain to control accounts on others), and Interchain Security, the sharing of validator power between chains. These IBC functions are online and just coming into wide use, setting the stage for fully composable DeFi between chains.

Convergence: From these radically different approaches, Cosmos and Ethereum are now beginning to converge once more, as each adapts to the ever-changing crypto environment.

On one hand, Cosmos is superficially beginning to resemble Ethereum at the app-layer, which is a fulfillment of the Cosmos roadmap, rather than an architectural change. With IBC now connected to some 50 chains, and CosmWasm smart contracting spreading throughout the ecosystem, applications are proliferating: as single-use blockchains, as general smart-contracting zones, and as curated, multi-team application suites like the Osmosis decentralized exchange.

As interchain DeFi begins to flourish, it makes sense that many of the first applications have been ported over from the most successful Ethereum applications. But many chains are doing things only possible on a sovereign chain, and apps that start as clones do so largely as a bootstrapping mechanism, achieving product-market fit while developing improvements that are only possible on appchains.

On the other hand, Ethereum is looking decidedly more like Cosmos in its design. With the Merge complete, it is now Proof of Stake like Tendermint chains. More importantly, the original Ethereum 2.0 vision of sharded execution has long been de-prioritized in favor of rollups, quasi-appchains designed to move the majority of transactions off Ethereum’s main layer. The most recently announced parts of the Ethereum scaling roadmap–the surge (data sharding), verge (statelessness), purge (state expiry and cleanup), and splurge (account abstraction, proposer-builder separation, verifiable delay functions)–all support this rollup-centric model.

In his Endgame post late last year, Vitalik imagined three possible scaling futures for Ethereum: no rollups, a single dominant rollup, or a continuation of the current multi-rollup scenario, which I have circled in red.

Because they essentially act like appchains, it seems likely that many rollups will continue to thrive simultaneously. Since each rollup has attracted its own developers, apps, investors, and users, each has begun to develop its own community identity, its own business development. For now, each rollup is a tax-paying, protected commonwealth within the greater Ethereum state, but the most successful, having had a taste of the sovereign appchain experience, may eventually want more control of their protocols, at which time they could easily become full-fledged interconnected appchains with access to the entirety of the interchain.

The Cosmos Appchain Thesis

Why would an app or a rollup want to become an appchain instead? The fundamental value proposition is sovereign interoperability.

Because they are sovereign, appchains have precise control over their entire stack: execution, consensus, block size and timing, state and mempool logic, rollups, fees, the smart contract environment, validator requirements, governance rules, and any other area of blockchain structure and operations they might want to customize. And, unlike a rollup, an appchain can fork if it is exploited or attacked, restoring the previous state by social consensus and the rule of law.

Because they are interoperable, appchains can freely and composably interact with each other over IBC.

What do appchains do with all this power? They optimize for user experience, fine-tuning the access that front-ends and wallets like Keplr have to blockchain data and mechanisms, and adjusting protocol-level logic to make execution faster, easier, and more productive. They secure the chain as they see fit, recruiting their own validators to implement code, produce blocks, relay transactions, and more, or borrowing security from another validator set interchain security (Q1 2023). Ultimately, most appchains will choose to mix these two options: chains will share their validator sets with each other, and the entire interchain will become a shared defense zone, shielded with the armor of mesh security.

Many appchain innovations knit security and UX together. Osmosis, for instance, has developed “superfluid staking,” a substantial improvement to Proof-of-Stake that allows liquidity providers to stake the underlying tokens in their LP shares to help secure the chain, thereby also earning staking rewards in addition to LP rewards. Currently only the OSMO token benefits from this increased capital efficiency, but pending improvements to Tendermint (the BFT-tolerant state machine replication software at the heart of many Cosmos chains) will enable other appchains to opt in to superfluid-staking on Osmosis or allow OSMO to be superfluid-staked on their chain. Soon, the whole interchain will be able to put its staked assets to work in DeFi without incurring the centralization and chain security risks of traditional liquid staking derivatives.

Appchains also excel at handling MEV: the profits available to whoever has the power to decide transaction ordering and inclusion. MEV has plagued DeFi users across all ecosystems, but appchains can more quickly develop on-chain solutions that greatly reduce malicious MEV and redirect healthy arbitrage profits from third parties to themselves.

For example, Osmosis is developing a private mempool with threshold decryption. These private transactions cannot be seen by nodes until after they are executed, making front-running much more difficult as well as allowing limit orders and other future/contingent transactions to be put on-chain privately. Similarly, appchains can reserve the first slot in their blocks for protocol-controlled arbitrage and liquidations: a necessity for the health of lending and trading protocols, but which on monolithic chains tends to become an MEV game, leaking value from the app to third parties. Osmosis will instead be directing these healthy, non-user-harming arb profits back to the DAO. The remaining (much-reduced) MEV can also be partially captured in-app by auctioning off the second slot in the block to MEV searchers–like Flashbots, but on-chain. Alternatively, it may make sense for chains to let all these second-slot auctions be aggregated in one place, as the Cosmos Hub proposes to do, so that the cross-chain MEV market is transparent and not a dark forest.

Appchains allow for radical blockchain experiments to be carried out quickly. While Tendermint and the Cosmos SDK are amazing technologies that allow apps to quickly spin up IBC-ready blockchains, the whole Cosmos stack is not necessary to become an IBC-connected appchain. Many compelling Cosmos ecosystem projects are building or adopting alternative consensus or state-machines that better fit their needs, including Penumbra (private trading), Anoma (universal coincidence-of-wants coordination), and Nomic (Bitcoin on Cosmos).

Appchains are not definitionally different to monolithic chains; rather, appchain modularity is largely the philosophy of sovereign interoperability combined with the trust-minimized blockchain communication of IBC. Monolithic chains, by contrast, have generally adopted the so-called fat-protocol thesis, in which a single chain runs the vast majority of DeFi worldwide, and everything settles to one layer whose token accrues a monetary premium. Scaling such a protocol is very difficult, as we know, and heroic efforts continue to be put into exciting technologies that speed up and modularize execution, storage, data availability, and the like. Rollups, which are amazing technical achievements, have so far acted as enclaved appchains without sovereignty or interoperability, though they of course benefit from Ethereum’s massive security. By the same token, while appchains do not yet generally have the blockspace constraints of monolithic chains, they will be able to adopt modular solutions like rollups and data availability layers when it becomes necessary.

The Cosmos thesis predicted the appchain future, allowing it to shard execution into separate blockchains by design, giving app builders the freedom to develop their own products and to experiment freely with all layers of the stack to do so. At the same time, the appchain vision assumed the inevitability of cross-chain bridging years before everyone else and developed by far the most comprehensive and safest system for interchain communication in IBC.

The Safety of IBC

One of the potentially strongest arguments against the appchain thesis is that bridges are inherently unsafe. On one hand, it is true that no protocol or interchain messaging system is inherently and at all times safe, but this is as true of Ethereum contracts as it is of IBC. Any code can have bugs, and adversaries will always try to exploit them. On the other hand, we have gathered enough evidence since DeFi summer that users are simply never going to confine themselves to a single chain–they will use a hilariously exploitable multi-sig just to get cross-chain to the latest cookie-cutter EVM clone. How much more eager will they be to use the fully interoperable, UX optimized, composable DeFi of IBC and the interchain?

If bridges are inevitable, why is IBC the best? Why should it be considered safe enough to be the future of finance? The answer lies in the trust-minimized design.

Participating chains run light clients of each other, meaning that they each independently verify the block headers of the other chain. An attacker therefore cannot convince another chain with a lie about what happened on one blockchain unless they take over the whole chain. If that were to happen, the party controlling the chain could potentially infinite-mint its own chain’s tokens, pass them over IBC, and use them to steal funds on an AMM or through another DeFi mechanism.

This is in stark contrast to bridges whose tokens are held in an exploitable contract (multi-sig or otherwise), and which have not traditionally permitted generalized message-passing (though the Axelar appchain has made strides in improving non-IBC cross-chain communication).

It is therefore important that appchains establish IBC connections with reputable, secure chains. However, it is also true that the vulnerability window from an attacking IBC-connected chain is quite small. First, if a chain is taken over by economic or governance attack, or if it catastrophically fails, IBC connections can be immediately closed, meaning that it cannot siphon any value away. To cover the short amount of time before the IBC connection is closed, IBC rate-limiting will shortly be available. This will allow appchains to restrict the token flow over a given period, allowing normal activity while limiting the value that an attacking chain can take, making the economic calculus of any attack far less favorable.

IBC in Practice: This picture (live, interactive version here) shows IBC sends and receives between IBC-connected chains, with the icons sized proportionally by transaction volume. Even in this bear market, in the past 30 days, roughly 800k transactions and $264m worth of value have been sent over IBC. Note that this is only cross-chain activity; it does not count single-chain transactions.

Still, it is no secret that Cosmos does not yet have Ethereum-like adoption. Technical challenges remain, too, for interchain DeFi to reach its full potential–though we are starting to see their likely shape in the mesh of Interchain Security, encrypted mempools, protocol-controlled arbitrage, and synchronous blockspace auctions. As interchain adoption picks up, appchains that need to scale will also have access to the full array of rollup and other scaling solutions being developed on Ethereum, as well modularizing appchains like Celestia.

ATOM 2.0: Monolithic-chain Benefits for the Interchain

We discussed above how Ethereum has become more Cosmos-like over the years. In its recent ATOM 2.0 whitepaper, the Cosmos Hub–long without a use-case–proposed to offer several ecosystem-wide use cases that will allow it to become a full-fledged appchain.

The ‘Interchain Scheduler’ proposes an auction-house for tokenized blockspace from across the ecosystem, which, given enough participation, will enable synchronous future cross-chain blocks. The Interchain Allocator will allow the ATOM treasury to be used to invest across the ecosystem.

The Hub is also developing Interchain Security v1, the precursor to mesh security, but also an option for plug-and-play security for consumer chains that do not want the responsibility of recruiting and managing their own validators. In its final mesh security form, Interchain Security acts as another point of convergence between Cosmos and Ethereum, enabling the interchain to achieve a more flexible, self-sovereign version of the sort of monolithic, protocol-level security currently provided by Ethereum.

Appchains: Hubs and Outposts

For the moment, blockchain activity has settled into a number of semi-fluid ecosystems. These zones are loosely interconnected now with a patchwork of bridges and centralized exchanges, but IBC can safely interconnect them all–though developing cost-effective light clients for some chains is still a work in progress.

Both appchains and apps on monolithic chains have been positioning themselves for an increasingly interconnected future. With ad hoc cross-chain bridging now decidedly out of favor, it makes sense for most apps to adopt a hub and outpost model, rather than relying on name recognition or trying to establish a lasting technical moat while constrained by protocol-level decisions beyond their control.

This hub and outpost model can take different forms. In all its forms, the hub is the home of the appchain, running governance, holding the treasury, and coordinating among the outposts. One of the main questions going forward with IBC is how liquidity is best handled. For Osmosis, at least for the moment, it makes sense to house all of its liquidity at home and have its outposts route flows from other chains through the Osmosis blockchain. But Mars Protocol, which is working closely with Osmosis to launch its first lending outpost on Osmosis, plans for each of its outposts to have separate liquidity.

It is up to different appchains to weigh the trade-offs between splitting their liquidity, which may lead to poor execution, and the need for fully synchronous transactions, which power traders sometimes demand and which IBC cannot yet provide. That said, as the mesh security of the interchain grows, and as a market grows for synchronous blocks between chains, and as IBC develops in ways we cannot yet predict, fully synchronous interchain DeFi transactions will inevitably become available.

Conclusion

Cosmos and Ethereum have always been philosophically close, each drawing heavily on the original cypherpunk ethos for inspiration. While Ethereum set out to push the monolithic chain hypothesis as far as it would go, and Cosmos chose instead to maximize sovereign interoperability, it should perhaps not be surprising that many of their design choices have begun to converge again as they approach their Endgames.

The line between a rollup and an appchain is becoming increasingly thin, as evidenced by dYdX’s decision to move from one to the other–while holding out the possibility that they might move back to a rollup in the future. Other apps are likely to spin off their own appchains, possibly while retaining Ethereum as their premier outposts. Interoperability (of a limited, insecure sort) long ago came to Ethereum to stay: once a light client is available, Ethereum itself will be able to connect to the interchain more securely by using IBC, another sovereign, interoperable member of the broader ecosystem we all share.

Frontispiece to Hobbes’ Leviathan–seems fitting, though I don’t know where to put it. Is it maybe a Rorschach? Either apps subsumed into the sovereignty of the state a la Ethereum, or apps as a mesh of security…