ethereum-reports
← Index Ethereum

The Sanctuary Thesis

There is a number that tells you almost nothing and almost everything at once. In late February 2026, the Crypto Fear & Greed Index sat at 11 – deep in the territory labeled “Extreme Fear.” DeFi’s total value locked had bled to somewhere between $91.8 billion and $140 billion depending on whose methodology you trust. ETH was down. Sentiment was down. The timeline was dark.

And yet.

Aave had just crossed $1 trillion in cumulative loans processed. BlackRock’s BUIDL fund – a tokenized U.S. Treasury product – was listed on Uniswap, with $2.2-2.5 billion in on-chain assets. The derivatives DEX market had exploded by 1,388% over three years. Private credit tokenization had quietly amassed $18.91 billion in active on-chain loans. And Ethereum’s roadmap, once a sprawling wish list of acronyms and EIP numbers, had sharpened into a legible sequence: Glamsterdam in H1 2026, Hegota in H2, and beyond that a trajectory toward something genuinely new.

There is this thing that happens in crypto where the sentiment layer and the infrastructure layer completely decouple. You can have extreme fear in the market while the most consequential engineering work is happening underneath, almost unnoticed. This essay is an attempt to pay attention to the infrastructure layer – to trace how the Ethereum ecosystem is evolving across its most consequential domains, and to develop a specific argument about what it is becoming.

The argument is not that Ethereum will “win” some imagined competition between chains. It is something more specific and, I think, more interesting: that Ethereum is in the process of becoming what Vitalik Buterin has called a “sanctuary technology” – infrastructure that creates persistent digital space robust to outside pressures, where no single winner gains total control over your financial life and no single loser suffers total financial defeat.

I am calling this the sanctuary thesis. And I want to be honest from the outset: I am not sure it holds. The data we have – messy, incomplete, contradictory in places – tells a complicated story. There are moments where the thesis looks remarkably well-supported, and there are moments where it looks like it might be describing a system that does not yet exist and may never fully arrive. I want to sit with that tension rather than resolve it prematurely.

The concept of de-totalization is the philosophical backbone. In political philosophy, totalization refers to a system where one set of winners captures everything – regulatory power, economic surplus, information asymmetry – and everyone else is subordinated. De-totalization is the structural prevention of this outcome. Not through ideology or goodwill, but through mechanism design. Through systems where the walkaway test holds: if any single actor leaves, the system keeps functioning. If any single actor turns adversarial, the system constrains their impact.

Every piece of Ethereum’s current evolution – from FOCIL to encrypted mempools to intent-based trading to privacy-preserving CDPs – can be understood through this lens. The question is whether the engineering is keeping pace with the aspiration. I am genuinely not sure. Let us find out.

I. The DEX Transition: From Automated Market Makers to Intent Architectures

The Architecture of the Shift

Here is the question I keep coming back to when I look at DEX infrastructure: why did the aggregation layer grow by two orders of magnitude?

Total DEX spot trading volume went from $1.38 trillion in 2022 to $4.83 trillion in 2025 – a 250% increase, substantial but comprehensible. Derivatives went from $534 billion to $7.95 trillion, a 1,388% increase, which tells you sophisticated traders found on-chain venues trustworthy enough for leveraged positions. But the aggregator layer – the middleware that routes trades across protocols – grew from $19 billion in 2022 to $1.62 trillion in 2025. That is not a linear scaling of existing behavior. That is the market discovering, through competitive pressure and user demand, something about the correct long-term architecture for on-chain trading.

What it discovered, I think, is that the right abstraction for interacting with DeFi is not transaction construction. It is intent expression.

An intent says: “I want to swap 1,000 USDC for ETH at no worse than X price.” The user does not specify how this should happen – which pools to route through, what slippage to tolerate, how to optimize gas, or how to protect against MEV. A solver network competes to fulfill this intent optimally, and the user receives the result verified against their specification.

You can see this shift happening in real time. CoW Protocol processed $87 billion in trading volume in 2025 alone, up from $40.2 billion in 2024, with solvers finding $441 million in surplus for users over the protocol’s lifetime. 1inch Fusion and UniswapX have similarly grown their intent-based and auction-based execution volumes. The aggregator layer’s explosive growth is, in large part, the growth of intent-based trading itself.

This connects to a deeper principle about how good systems work: they have users specifying their desires in multiple overlapping ways, and the system only acts when specifications align. The user’s intent is the specification. The solver’s execution is verified against it. The AMM serves as the always-available, permissionless backstop that ensures price discovery cannot be captured or censored.

And this is where something interesting happens with the sanctuary thesis – because intent-based trading architectures require something very specific from their settlement layer.

Why Intents Need Sanctuary Infrastructure

Solvers compete to fulfill intents, but someone must verify fulfillment and settle the result. That settlement layer must be censorship-resistant, manipulation-resistant, and trust-minimized. And the current state of Ethereum’s settlement layer is… complicated.

As of early March 2026, approximately 92-93% of Ethereum blocks are sourced from external builders via MEV-Boost. Three builders – Titan at approximately 52.74%, BuilderNet at approximately 28.55%, and Quasar at approximately 15.21% – collectively produce roughly 96% of all blocks. This is an oligopoly mediating the settlement of every intent, every trade, every interaction that touches the Ethereum base layer. The relay layer that connects builders to proposers is an informal trust arrangement that has calcified into critical infrastructure.

So you have this beautiful intent architecture at the application layer sitting on top of a settlement layer that is, right now, structurally fragile. That gap is what the roadmap is trying to close.

Glamsterdam’s ePBS (EIP-7732) moves proposer-builder separation into the protocol itself, replacing the out-of-protocol relay system. Hegota’s FOCIL (EIP-7805) goes further: 16 randomly-selected includers plus 1 block proposer form an inclusion list committee each slot, each includer independently choosing transactions for forced inclusion. Even if the block builder is maximally adversarial, your transaction gets included within one to two slots. This is not a soft guarantee backed by reputation. It is protocol-enforced.

Now add encrypted mempools – the LUCID proposal targeted for Hegota. Your swap intent is encrypted, validated via ZK proof, force-included via FOCIL, and only decrypted after inclusion is guaranteed. The sandwich attacker cannot see your transaction before it is too late to exploit it.

This stack – intent expression, solver competition, encrypted submission, forced inclusion, verified settlement – is what fully realized intent-based trading looks like. Each piece has an EIP number and a fork target, which is not nothing. But I want to note honestly that these are proposals subject to community consensus and implementation timelines. They represent the current trajectory, not guaranteed outcomes. The distance between “has an EIP number” and “shipped and working in production” can be measured in years.

The Changing Competitive Landscape

The chain-level picture adds important nuance, and I think it actually stress-tests the sanctuary thesis in useful ways.

Solana emerged as the highest-volume DEX chain in late 2024-2025, driven by memecoin activity, sub-second block times, and low fees. Raydium processed $368 billion on Solana in 2025, and the broader Solana DEX ecosystem – including Jupiter, Meteora, and others – saw dramatic growth fueled by the meme coin supercycle and Solana’s inherent advantages in transaction speed and cost. Hyperliquid came to dominate perpetual DEXs with over 60% market share. Base, the Coinbase-incubated L2, saw rapid growth in DEX activity through Aerodrome’s ve(3,3) model.

These developments are real and important. But look at what happened on Solana without protocol-level MEV protections: $370-500 million extracted from users via sandwich attacks between January 2024 and May 2025, according to sandwiched.me data. The ecosystem responded with ad hoc enforcement – the Solana Foundation removed 30+ validators from its delegation program, Marinade blacklisted 50+, Jito banned 15+ – but these are social solutions to a structural problem. They require ongoing vigilance and centralized enforcement. They do not pass the walkaway test. If the Solana Foundation stopped actively policing validator behavior, the protections evaporate.

This is actually one of the clearest cases for the sanctuary thesis: the difference between a system where fairness depends on ongoing institutional intervention and one where fairness is a property of the protocol itself.

Uniswap v4’s hook architecture represents another thread worth pulling on. Hooks allow developers to attach custom logic to pool operations – dynamic fees, custom oracles, limit orders – creating a more programmable AMM layer. This is the AMM becoming infrastructure rather than endpoint: the liquidity of last resort that professional market makers and solvers build on top of, ensuring that anyone can always trade regardless of whether the solver network is functioning.

The walkaway test applied to market microstructure: the system keeps working even if every solver disappears, because the AMM is always there. Solvers provide better execution most of the time. The AMM guarantees that no one can be excluded from trading, ever.

II. Lending and Credit Markets: The Quiet Revolution

The Concentration Problem

The question I want to start with here is not “how big is DeFi lending?” but “what does the structure of DeFi lending tell us about the sanctuary thesis?” Because the answer is genuinely uncomfortable.

On-chain lending has grown from a bear market trough of roughly $10.5 billion in TVL in January 2023 to approximately $55 billion by March 2026 – a roughly 75% compound annual growth rate, measured trough to current. Even using a more normalized starting point of mid-2023 ($12 billion), the CAGR is approximately 67%. These are exceptional growth rates for infrastructure managing billions of dollars of other people’s money.

But here is the tension that most commentary skips over, and it is a tension that puts real pressure on the de-totalization thesis: Aave commands $26-27 billion in TVL, representing 51-62% of the total DeFi lending market. That is an unprecedented level of dominance for a single protocol in a system that is supposed to resist exactly this kind of concentration. Aave crossed $1 trillion in cumulative loans processed in February 2026, with fee revenue growing from $5.2 million in 2022 to $22.5 million in 2023, $90.2 million in 2024, and $141.8 million in 2025. By any measure, it is the systemically important institution of DeFi lending.

And systemically important institutions are exactly what the sanctuary thesis says should not exist.

Aave’s $26-27 billion in TVL is backstopped by a safety module of approximately $460 million. That is a coverage ratio of roughly 1.7%. The safety module’s structure is more complex than a simple insurance fund – it includes staked AAVE, staked GHO, and other components, and its real coverage depends on the AAVE token price, which can decline precisely during the kind of crisis when the backstop is needed most. This reflexivity risk means the effective coverage ratio could shrink precisely when it matters most.

The counterpoint, and it is a genuine one, is that Aave has weathered extraordinary stress. The January-February 2026 selloff saw $429 million in liquidations across six days (January 31 to February 5), with over 12,500 liquidation transactions, and produced no protocol insolvency. The system works under stress. But working under stress and being unconcentrated are different properties, and the sanctuary thesis requires both. Morpho sits at roughly $5.8 billion, Spark at $5.4 billion, Maple at $3.2 billion, Compound at $2.0 billion, and Fluid at $1.9 billion. The alternatives exist. They are just much smaller.

I keep going back and forth on how much to worry about this. On one hand, concentration is the natural outcome of liquidity network effects – depositors go where borrowers go, and vice versa. On the other hand, a system where 51-62% of lending activity flows through a single protocol with a 1.7% backstop ratio is a system that has not achieved de-totalization at the application layer, regardless of how decentralized the protocol layer is.

The Vault Standard and Modular Lending

One of the quieter but potentially most consequential developments in DeFi lending is the maturation of the ERC-4626 vault standard. By late 2025, ERC-4626-compliant vaults held over $15 billion in TVL across more than 1,300 tracked stablecoin vaults alone, with USDC vaults accounting for $3 billion. (A caveat: these figures are sourced from a single analysis and have not been independently verified across multiple data providers.)

What makes ERC-4626 significant is not the number but the composability. A standardized vault interface means any protocol can integrate any vault without custom adapter logic. When Aave V4 – currently in development – adopts ERC-4626 as its vault standard, replacing the rebasing aToken model with yield accrual through rising token value, it will bring the largest lending protocol’s entire deposit base into the standardized vault ecosystem. That alone could add $20 billion or more to ERC-4626-compliant TVL once migration is complete.

Morpho’s modular approach is instructive here. Rather than building a monolithic lending protocol, Morpho Blue provides primitive lending markets – simple, auditable, and composable. MetaMorpho vaults sit on top, offering curated risk strategies that deposit into multiple Morpho Blue markets. This separation of concerns – markets versus risk management – is architecturally cleaner than the all-in-one approach and creates space for specialized risk managers to compete on strategy without needing to build an entire protocol.

The practical implication is that the lending market is evolving from a few monolithic protocols toward a layered architecture: primitive lending markets at the bottom (Morpho Blue, Euler V2), risk management and curation in the middle (MetaMorpho vaults, curated Euler markets), and aggregation and optimization at the top (yield aggregators, AI-managed vaults). Whether this layering actually reduces systemic concentration or just reshuffles it – whether the vault layer ends up as concentrated as the protocol layer – is an open question. But the architectural direction is toward the kind of separation of concerns that at least makes de-totalization possible.

RWA: Bringing the World’s Assets Under the Umbrella

The real-world asset tokenization numbers are becoming difficult to ignore. Total tokenized RWAs (excluding stablecoins) have reached approximately $20-22 billion, with tokenized U.S. Treasuries at roughly $8.7 billion. Active on-chain private credit stands at $18.91 billion with cumulative originations of $33.66 billion. BlackRock’s BUIDL fund, now listed on Uniswap, represents $2.2-2.5 billion in on-chain tokenized assets. Aave Horizon crossed $1 billion in RWA deposits by February 20, 2026, doubling from $600 million in January, with launch collateral partners including Superstate (USTB/USCC) and Centrifuge (JRTSY/JAAA) and network partners spanning Circle, Ripple, Securitize, and Ethena.

These numbers represent something philosophically significant: real-world assets being brought under the umbrella of what sanctuary technology can protect. A tokenized treasury bond is a persistent shared object representing a claim on government debt, accessible to anyone with an Ethereum address, tradeable 24/7, composable with other DeFi primitives.

But I want to be careful and precise here, because RWA tokenization is not inherently sanctuary technology. And this is maybe the most important distinction in this entire essay. If tokenized assets require KYC/AML whitelisting at the protocol level, if they can be frozen by issuers, if they depend on single custodians, then they are just traditional finance with blockchain plumbing. The efficiency gains are real – smart contract automation reduces operational costs by 30-40%, and 24/7 trading with T+0 settlement is genuinely better than traditional T+2 settlement. But efficiency is not sanctuary. Faster rails through the same chokepoints do not create persistent digital space.

The sanctuary technology version of RWA looks different. Tokenized assets held in privacy-preserving collateralized debt positions using ZK-SNARKs. Collateralization verified on-chain without revealing the borrower’s identity. Liquidation mechanisms that are permissionless and decentralized. The underlying asset portfolio sufficiently diversified – across geographies, across issuers, across asset classes – that no single jurisdiction can freeze all of it.

This connects to one of the most underappreciated tensions in institutional DeFi, and it is a tension I do not think has a clean resolution. Institutions want three things simultaneously: privacy (competitors should not see their positions), compliance (regulators should be able to audit), and permissionlessness (the protocol should not require permission from a gatekeeper). Current solutions force a choice. Aave Horizon requires whitelisting. Maple requires institutional verification. These mechanisms work pragmatically, but they reintroduce the centralized chokepoints that DeFi was ostensibly built to eliminate.

The proposed resolution lies in cryptography rather than institutional design. A ZK-SNARK paymaster can verify that a borrower’s identity satisfies regulatory requirements – they are on a whitelist, they hold a certain credential – without revealing which specific identity they are. EIP-8141 Frame Transactions, targeted for Hegota, enable exactly this: a lending protocol transaction paid for by a paymaster that verifies a ZK proof of the borrower’s compliance status without revealing the borrower. Privacy and compliance, simultaneously. Not through compromise, but through mathematics. Whether regulators actually accept this – whether “I can prove I am compliant without showing you who I am” satisfies the people who write the rules – is a very different question from whether it is technically sound. I suspect the technical answer arrives well before the legal one.

The Galaxy tokenized CLO (collateralized loan obligation) is an interesting early example of how this convergence might play out. Galaxy closed a $75 million CLO on Avalanche in early 2026, with a $200 million maximum capacity, a senior tranche yielding SOFR plus 570 basis points, and Grove (from the Sky/MakerDAO ecosystem) as the anchor investor at roughly $50 million. This is a structured credit instrument – the kind of product that traditionally requires investment banks, custodians, transfer agents, and layers of intermediaries – tokenized and accessible on-chain. The first of many, if the infrastructure holds.

The convergence of DeFi lending rates with the Secured Overnight Financing Rate (SOFR) is another signal worth noting. The spread between DeFi lending rates and SOFR has compressed to near zero for stablecoins, meaning on-chain lending markets are pricing risk comparably to traditional money markets. This is not a sign that DeFi is becoming boring. It is a sign that DeFi is becoming efficient – and that traditional capital is beginning to treat on-chain markets as a legitimate venue for yield.

III. MEV’s Transformation: From Dark Forest to Enshrined Fairness

The Empirical Landscape

The MEV ecosystem as of early 2026 is richly documented enough that we can be precise about what is actually happening rather than relying on narratives. And what is actually happening is more interesting than most narratives capture.

Start with the builder market, because its structure tells you something important about how value flows through the system. Titan holds approximately 52.74% of block production, earning 764.94 ETH per week in profit at approximately 0.0317 ETH per block. BuilderNet – the collaborative builder formed when Beaverbuild migrated from its centralized builder to the Flashbots/Beaverbuild/Nethermind collaboration in May 2025 – holds 28.55% with 106.01 ETH per week at 0.0080 ETH per block. Quasar sits at 15.21% with 13.38 ETH per week. Three builders, roughly 96% of blocks. MEV-Boost adoption among validators is approximately 92-93%.

The profit asymmetry between Titan and BuilderNet – nearly 4x per block despite comparable technology – tells a specific story about what drives builder competitiveness. It is not primarily about better algorithms or faster hardware. It is about exclusive orderflow. Private orderflow contributes 89% of total builder income despite representing only roughly 12% of transaction count. The exclusive orderflow reinforcement loop – dominant builders attract more flow, more flow makes them more dominant – explains why the builder market converged to an oligopoly without any explicit coordination. Nobody designed this outcome. The game-theoretic equilibrium produced it.

On the strategy side, the picture has shifted in ways that matter. Sandwich attacks have declined sharply. By October 2025, sandwich searcher revenue had fallen to approximately $2.5 million per month – a 75% decline from peak levels. Total user losses from sandwich attacks were approximately $40 million for 2025. Average net profit per sandwich attack dropped to approximately $3. Only about 100 distinct sandwich bots operate in a typical month, with a single entity (jaredfromsubway.eth) controlling roughly 70% of attacks. Block builders capture the majority of extracted value through gas fees, leaving sandwich attackers with a profit margin of roughly 5%.

Brontes on-chain data from June 2024 provides a complementary empirical baseline. Across roughly 50,400 blocks (about seven days), Brontes classified the MEV landscape as: CexDex trades at approximately $3.7 million per month, atomic arbitrage at $3.7 million per month, sandwich attacks at $1.4 million per month, with JIT liquidity actually showing negative profitability at negative $513,000 per month. The total across all classified strategies extrapolated to approximately $10.9 million per month. That was June 2024; by late 2025, the annualized figure had grown to roughly $250-300 million per year in MEV profit on Ethereum, varying significantly with market conditions.

CEX-DEX arbitrage has emerged as the dominant single-strategy MEV type by documented extraction value. Across 19 major searchers from August 2023 to March 2025, $233.8 million was extracted from 7.2 million identified CEX-DEX arbitrage transactions. Three searchers – Wintermute, SCP, and Kayle – collectively captured $170.8 million, approximately 73% of the total. By Q1 2025, the top three accounted for roughly 90% of CEX-DEX extracted value. This is an extremely concentrated market – capital-intensive, latency-sensitive, and structurally difficult to enter. (It is worth noting that concentration metrics vary by measurement methodology – the Brontes empirical data from June 2024, using a different approach and time window, shows substantially lower top-3 concentration for CEX-DEX arb, suggesting that the degree of concentration depends heavily on how you measure it.)

The Holy Trinity

Now here is where the roadmap gets concretely interesting, because each upgrade has differentiated effects on each MEV category. The implications are specific, not generic.

Glamsterdam’s ePBS replaces the relay layer. The trust assumption moves from “trust the relay” to “trust the protocol.” Builder competition continues but within a protocol-defined framework. The relay market – currently dominated by Ultra Sound Money at approximately 33%, Titan Relay at approximately 21.1%, bloXroute Max Profit at approximately 19.4% – faces structural disruption. Relays will not fully disappear (they may find new roles providing upfront capital or aggregating bids), but their role as trusted auctioneers is absorbed into the protocol.

Hegota’s FOCIL adds the inclusion guarantee. Sixteen randomly-selected includers plus the block proposer form the committee each slot. Each includer independently chooses transactions from their local mempool view for forced inclusion. The block proposer collects these inclusion lists and creates a deterministic aggregate. Attesters reject blocks that fail to include the nominated transactions. The mechanism relies on a one-out-of-N honesty assumption: only one committee member needs to be honest for the inclusion guarantee to hold. To censor a transaction, an attacker must compromise the entire committee – a far higher bar than bribing or colluding with a single builder.

Encrypted mempools – the LUCID proposal, with technical convergence from the Shutter Network’s EIP-8105 – add content privacy. Transactions are encrypted before submission and only decrypted after inclusion is guaranteed. Two-part transactions: a visible “envelope” containing gas parameters, nonce, and key provider ID, paired with a hidden “encrypted payload” containing recipient, calldata, and value. Encrypted transactions execute after all plaintext transactions in a block.

Let me trace what this stack does to each category.

For sandwich attacks: the combination of FOCIL plus encrypted mempools makes sandwich attacks structurally impossible for the vast majority of transactions. A sandwich requires seeing the victim’s transaction before inclusion and placing transactions around it. Encrypted mempools prevent seeing the transaction. FOCIL ensures inclusion without builder cooperation. The only remaining vector is transactions that opt out of encryption or that route through the builder rather than FOCIL includers. Under the expanded “Big FOCIL” proposal – published by Vitalik on March 2, 2026, where inclusion lists cover nearly all transactions in a block – even this vector largely disappears. Sandwich attacks, a category costing users approximately $40 million per year, approach elimination.

For CEX-DEX arbitrage: the dynamics are more nuanced, and this is where simplistic narratives break down. CEX-DEX arb exists because prices on centralized exchanges update faster than on-chain. Encrypted mempools do not eliminate this – the arbitrage opportunity exists regardless of transaction visibility. FOCIL does not help either, because CEX-DEX arb requires precise ordering within a block, not just inclusion. What changes CEX-DEX arb economics is fast finality. Justin Drake’s strawmap (February 2026) projects slot times decreasing from the current 12 seconds through 8, 6, 4, 3, to eventually 2 seconds, with finality moving from 16 minutes toward 8 seconds via Minimmit, a one-round finality protocol requiring an 80% honest supermajority (compared to standard BFT’s 67% threshold). Faster slots compress the time window for CEX-DEX price divergence, shrinking the per-opportunity value. CEX-DEX arb does not go to zero – there will always be some latency – but the remaining value increasingly accrues to the fastest, most integrated searchers who are market makers on both sides.

For atomic arbitrage – inter-pool arbitrage that keeps prices consistent across DEX pools – none of these changes eliminate it, nor should they. Atomic arb is beneficial MEV. It is a public service that improves price accuracy. Under the endgame architecture, it still flows through the builder auction, which is appropriate because it requires precise ordering.

For JIT (just-in-time) liquidity: the Brontes data already shows negative profitability for pure JIT. Only JIT-Sandwich composites were profitable. Under the Holy Trinity, JIT-Sandwich composites are eliminated (no sandwich possible), making JIT even less viable as a standalone strategy on L1.

The net effect is not “MEV going to zero.” It is MEV being civilized – or at least, that is the aspiration. Harmful MEV (sandwich, frontrunning) approaches elimination. Beneficial MEV (atomic arb, liquidations) continues because it provides a real service, with value captured through the builder auction and flowing to validators – and thus to ETH stakers. Latency-sensitive MEV (CEX-DEX arb) compresses as slot times decrease. Whether the remaining MEV is truly “civilized” or just better-distributed is a question I find genuinely hard to answer. The architecture seems sound. But we are describing a system that mostly does not exist yet.

Flashnet and the Anonymous Transaction Pipeline

One more piece completes the picture – or at least, this version of the picture. Flashbots announced Flashnet in February 2026 – an anonymous broadcast protocol based on secret sharing among servers with TEE-based liveness guarantees. Flashnet is complementary to but distinct from encrypted mempools. Encrypted mempools hide what the transaction does; Flashnet hides who sent the transaction.

Even with encrypted content and forced inclusion, a network observer can correlate transaction origins with IP addresses. Flashnet adds the network-layer privacy. Combined with encrypted content (LUCID), forced inclusion (FOCIL), and relay-free PBS (ePBS), the full stack creates a transaction pipeline where: the content is hidden, the sender is hidden, and inclusion is guaranteed. The progression from the “dark forest” of 2020-era MEV – where transactions in the public mempool were hunted by predatory bots – to this architecture is a genuine transformation. Not from danger to safety, but from an adversarial system that required user sophistication to navigate, to a system that provides structural protections by default.

The MEV Blocker data illustrates what even partial protection achieves: over $219 billion in protected volume across 62 million transactions, 4.5 million wallets, 6,177+ ETH in cumulative user rebates. MEV Blocker was transferred to Consensys SMG on January 23, 2026 – a governance change worth noting for anyone tracking the sustainability of MEV protection infrastructure. The demand for fair execution exists. The infrastructure to provide it at the protocol level is coming.

The OEV Recapture Movement

There is one more MEV thread worth tracing because it connects directly to the lending discussion: Oracle Extractable Value and its recapture.

The question here is interesting: what happens to MEV that serves a legitimate function (liquidations keep protocols solvent) but is captured entirely by third parties? Across Aave alone, $4.65 billion in collateral has been liquidated across 310,000+ transactions since 2020. On Ethereum alone, roughly $3 billion across 58,106 transactions. That liquidation activity is necessary – without it, lending protocols accumulate bad debt. But the value flowing to liquidation bots is value not flowing to the protocol or its users.

Chainlink’s Smart Value Recapture (SVR), launched in March 2025 on Aave’s Core Ethereum market, routes Chainlink price updates through a private mempool via MEV-Share. Searchers auction for the right to include a liquidation transaction immediately after the oracle update. In its first roughly nine months, SVR handled $675 million in liquidations and recaptured approximately $16 million in MEV revenue, split 65/35 between Aave DAO and Chainlink. The initial pilot achieved a 66.67% recapture rate (24 of 36 liquidations), with recent rates averaging 80%+ and some exceeding 90% – a trajectory of improving efficiency as the system matures.

This is the market self-correcting at the application layer, turning what was 100% bot capture into structured revenue sharing. Euler V2’s reverse Dutch auction and Morpho’s pre-liquidation contracts represent complementary approaches. The direction is clear: liquidation MEV, like sandwich MEV, is being systematically reduced through better mechanism design.

IV. The Developer Ecosystem: Human Infrastructure for Technical Architecture

The Walkaway Test, Applied to People

There is a dimension of the sanctuary thesis that discussions of protocol design and mechanism engineering tend to overlook, and I think it might be the most important one: the human infrastructure. Every EIP I have discussed in this essay – FOCIL, ePBS, encrypted mempools, binary trees, RISC-V – is designed by people, implemented by people, tested by people, and maintained by people. If those people leave, the sanctuary does not get built. It is that simple.

So the natural question is: how healthy is the developer ecosystem? And the answer, characteristically, is complicated.

The first thing to understand is the sheer scale. Ethereum maintains the largest blockchain development community in history, with 31,869 active developers worldwide – nearly double Solana’s 17,708. In 2025 alone, 16,181 new developers joined the ecosystem. Asia leads with 36.4% of global Web3 developer share, North America holds 29%, and Africa has emerged with explosive growth, with Nigeria ranking third globally for new Web3 developer growth.

But scale alone is misleading. The question that actually matters for the sanctuary thesis is depth, not breadth. Of developers who leave the ecosystem, 79% were part-time or one-time contributors – people who dipped in, tried it, and left. Only 15% make meaningful regular commits to Ethereum projects. Developer satisfaction sits at 68%, which is respectable but leaves a third of developers with unresolved frustrations. The ecosystem is wide but shallow in places where it needs to be deep.

The Compensation Gap and Its Consequences

The most alarming structural issue is economic, and I think it deserves more attention than it gets. Core Ethereum developers – the people writing the code for EIPs, maintaining client implementations, shipping the upgrades that the entire ecosystem depends on – are compensated approximately 33% below market rates. The Ecosystem Support Program has experienced funding pauses. Meanwhile, 40% of core developers receive external job offers from rival networks.

Apply the walkaway test here. What happens if the people building the sanctuary leave? If the Ethereum Foundation cannot retain the engineers implementing FOCIL, ePBS, and encrypted mempools at competitive compensation, then the roadmap timeline stretches, the security of implementations degrades, and the entire architecture I have described in this essay becomes aspirational rather than imminent. You cannot build a system that resists totalization if the builders can be poached by better-funded competitors.

Blockchain developers globally command $121,000 at entry level and $187,000 for experienced roles, with specialized positions like ZK engineers reaching $250,000+. There is a 6x compensation difference between US-based and emerging market developers, creating a global arbitrage that the ecosystem has not yet figured out how to leverage equitably.

Regional Divergence as Both Risk and Resilience

The geographic distribution of developers is itself relevant to the de-totalization thesis, and this is a thread that I think connects to the broader argument in a way that is not immediately obvious. If all Ethereum developers were concentrated in a single jurisdiction, the ecosystem would be vulnerable to regulatory pressure on that jurisdiction. The current distribution – Asia at 36.4%, North America at 29%, with growing ecosystems across Europe, Africa, and Latin America – provides natural geographic decentralization.

Singapore’s regulatory clarity has created a stable development environment. India offers cost-effective development talent. Nigeria’s explosive growth, despite infrastructure challenges including $20,000 spent on inverter systems at a single developer training facility (Web3Bridge), demonstrates that the desire to participate in this ecosystem transcends infrastructure limitations. This is maybe the most underappreciated form of resilience the ecosystem has: sheer geographic diversity making it impossible for any single jurisdiction to shut down development.

But regional divergence also creates coordination challenges. Weekly All Core Devs meetings bridge time zones, but the community has acknowledged the need for improved stakeholder input mechanisms. The framework divide – 43% of advanced teams now use both Hardhat and Foundry simultaneously, combining Foundry’s 20x faster test execution with Hardhat’s deployment infrastructure – reveals a tooling ecosystem that is powerful but fragmented.

The developer experience has improved meaningfully: 66.8% report improved developer experience, and the standardization of the React/Next.js/Wagmi/Viem stack for frontend development has reduced boilerplate code by 70%. But foundational pain points persist. Stack-too-deep errors affect 31.9% of developers. Automated security tools detect only 8-20% of exploitable bugs. The gap between what the tooling can do and what production security demands remains wide.

What gives me cautious optimism is the sheer scale of commitment. Over 40,000 blockchain-related repositories on GitHub, 35,000+ touching Ethereum. AI coding tools are being adopted aggressively – 80% of new developers use Copilot in their first week, and 1.1 million repositories now use LLM SDKs. The developer ecosystem is under strain but not in decline. It is growing, diversifying, and professionalizing, even as its most critical contributors remain undercompensated relative to their importance.

The sanctuary is only as strong as the people building it. And those people need to be retained, supported, and fairly compensated – not as a matter of idealism, but as a matter of engineering pragmatism.

V. The Regulatory Landscape: Clarity as Enabling Condition

From Enforcement to Legislation

This is going to be the section of the essay where I feel least certain about the analysis, because regulatory dynamics are genuinely hard to read from inside the crypto ecosystem. But a theme runs through institutional adoption, RWA tokenization, and the broader sanctuary thesis that requires engaging with it: the regulatory environment has shifted more dramatically than most crypto-native observers appreciate, and the direction of that shift matters for the thesis.

In the United States, the transition from “regulation by enforcement” to legislative clarity has produced concrete results. The GENIUS Act, focused on stablecoin regulation, has passed into law. The CLARITY Act, addressing broader market structure, has passed the House with federal implementation targeted for July 18, 2026. The SEC has introduced an “innovation exemption” framework for DeFi partnerships, creating a defined (if narrow) path for protocols to operate with regulatory acknowledgment rather than regulatory antagonism.

In Europe, MiCA (Markets in Crypto-Assets) has been in full effect since early 2025, providing harmonized stablecoin rules across the EU under a “Same Risk, Same Rule” principle, with DID requirements for advanced DeFi features. In the Asia-Pacific region, Hong Kong has enabled retail RWA trading, Singapore is deploying CBDCs for cross-border payments, and Dubai’s VARA framework offers zero-tax environments with AI/DAO licensing.

Why does this matter for the sanctuary thesis? Because regulatory clarity is an enabling condition for institutional adoption, and institutional adoption is an enabling condition for the kind of capital scale that makes sanctuary infrastructure economically sustainable. The $2.2-2.5 billion in BUIDL on Uniswap, the $1 billion in Aave Horizon, the Galaxy CLO – these exist because regulatory frameworks have evolved enough that institutional capital can flow into on-chain structures without placing institutions in legal jeopardy.

There is a tension here that I do not want to elide, because I think it is one of the genuinely unresolvable tensions in this entire space. Regulatory clarity and permissionlessness exist in genuine tension. The GENIUS Act requires stablecoin issuers to meet specific capital and reserve requirements. MiCA imposes compliance burdens that increase the cost of operating in the EU. The privacy-preserving compliance approach I described earlier – ZK proofs of regulatory status without identity revelation – is technically sound but legally unproven. There is a real risk that regulatory clarity calcifies into regulatory capture, where the rules are clear but favor incumbents and exclude the kind of permissionless innovation that makes the sanctuary thesis meaningful.

The path forward is narrow but maybe navigable: demonstrating that cryptographic compliance – proofs of status rather than revelation of identity – can satisfy regulatory requirements while preserving the permissionless properties that make this infrastructure worth building. This is as much a political and legal project as a technical one. And I am honestly not confident it succeeds. The path of least resistance – just do KYC at the protocol level – is much easier to implement and much easier for regulators to accept. Whether the crypto ecosystem has the collective will to insist on the harder, more elegant path is an open question.

VI. Blob Economics, L2 Scaling, and the L1 Revenue Question

The Paradox of Scaling Success

There is a genuine paradox at the heart of Ethereum’s scaling strategy, and I think it is worth sitting with rather than rushing to resolve.

Ethereum’s scaling strategy has always been centered on Layer 2 rollups – moving execution off L1 while using L1 for data availability and settlement. By most measures, this strategy is working. Over $9 billion in TVL is deployed across L2s, with Base leading at $3.7 billion. L2 transaction throughput exceeds 4,000 TPS compared to L1’s 15 TPS. The user experience on L2s is increasingly competitive with centralized alternatives.

But scaling success has created a problem for L1 economics. And the blob fee market tells the story clearly.

The capacity expansion has been dramatic. Dencun (March 2024) introduced blobs with a target of 3 per block. Pectra (May 2025) raised it to 6. Fusaka (December 2025) introduced PeerDAS and further expansions through parameter-only forks raised the target to 14 and max to 21 by January 2026. But actual utilization sits at roughly 29% of target capacity – a median of about 4 blobs per block against a target of 14.

The economic consequence: L2 fees paid to Ethereum L1 collapsed from approximately $113 million in 2024 to approximately $10 million in 2025 – a greater than 90% drop during what might be called the “free-blob era,” when blob base fees were effectively zero on 93% of days between Dencun and Fusaka.

EIP-7918, shipped with Fusaka, represents the most important blob fee market reform to date. It introduces a reserve price floor for blob gas tied to execution gas costs, setting the minimum blob data cost at 1/256 of the equivalent calldata cost. This ends the free-blob era. Post-Fusaka, blob base fees jumped approximately 15 million-fold due to the floor activation. Fidelity Digital Assets estimates the floor would have captured approximately $78.6 million in previously forgone revenue had it been active during 2024-2025.

This is the scaling paradox made concrete: Ethereum successfully made L2 data posting dramatically cheaper, which was the goal. But in doing so, it temporarily collapsed one of L1’s revenue streams to near zero. EIP-7918 does not reverse this – it sets a floor, not a ceiling. The floor ensures L2s contribute meaningfully to L1 security economics even during low-demand periods, without making data posting prohibitively expensive. Whether the floor is sufficient to sustain L1 security economics long-term is a question I do not think anyone can answer with confidence right now.

The L2 Ecosystem: Differentiated Approaches

The L2 ecosystem itself has evolved beyond simple rollup competition into something more interesting – a landscape of differentiated approaches to MEV, block production, and user experience that reveals how much design space actually exists.

Base, with $3.7 billion in TVL and leading L2 transaction volume, has pushed the frontier on block production through Flashblocks – a collaboration with Flashbots that reduces effective block times from 2 seconds to 200 milliseconds. Each 2-second L2 block is assembled from 10 sequential Flashblocks, each with its own transaction ordering. The 200ms granularity dramatically changes MEV dynamics: it reduces the window for latency-based MEV while enabling faster price discovery.

Arbitrum has taken a different path with TimeBoost, a modification to its sequencer ordering policy that creates a priority “express lane” for the highest bidder. TimeBoost has generated approximately $3 million in DAO revenue in its first three months, but the results are mixed: two entities win more than 90% of express lane auctions, and approximately 22% of time-boosted transactions revert, indicating the mechanism has not effectively mitigated spam.

Optimism is pursuing a different model entirely with the OP Superchain – a network of OP Stack chains sharing a common sequencing layer. Flashbots has partnered with Optimism to roll out Flashblocks to OP Mainnet and the rest of the Superchain, making it the default MEV-aware sequencing layer across the OP Stack ecosystem. Unichain, Uniswap’s OP Stack L2, adopted Flashblocks in August 2025, shortly after Base.

The cross-L2 interoperability challenge remains the ecosystem’s most significant unsolved problem. Academic research on L2 MEV patterns reveals a fundamentally different regime from L1: daily revert rates range from 5% to 40% across L2s, more than 80% of reverted transactions are swaps, and MEV bots favor duplicate transaction spam rather than priority fee bidding. This “revert-based MEV” paradigm is structurally different from Ethereum L1’s bundle-based approach and requires different solutions.

The shared sequencer thesis – that a common ordering layer across rollups could enable atomic cross-rollup transactions – has faced significant headwinds. Astria shut down despite $18 million in funding, demonstrating that market demand for dedicated shared sequencer infrastructure has not materialized. The surviving approach is integration-based: Flashbots building modular sequencing tools (Rollup-Boost, Flashblocks) that L2s voluntarily adopt, preserving L2 sovereignty while providing MEV-aware sequencing. This feels right to me – the practical, composable approach winning over the theoretically elegant one – but it means the cross-L2 atomicity problem remains unsolved for now.

VII. The Roadmap as Catalyst

The Sequencing Matters

There is a way to read Ethereum’s roadmap as a collection of independent upgrades, and there is a way to read it as a sequence where each piece enables the next. The second reading is more interesting and, I think, more accurate. The order of deployment determines what becomes possible when. Let me trace the key technical changes and their concrete DeFi implications. (A reminder: these roadmap items are proposals subject to community consensus, and implementation timelines may shift. What follows describes the current trajectory.)

Glamsterdam (H1 2026) delivers ePBS (EIP-7732) and block-level access lists (EIP-7928). ePBS is the foundation – it removes the trusted relay layer and creates protocol-defined builder-proposer interaction. Block-level access lists enable parallel state access declaration, changing gas cost structures. Together, they establish the infrastructure on which everything else builds. You cannot add FOCIL-style inclusion constraints on builders until the builder role is formally acknowledged by the protocol. You cannot regulate what you do not acknowledge exists.

A gas repricing package is under consideration (CFI status), including general repricing (EIP-7904), state creation cost increases (EIP-8037), state access cost increases (EIP-8038), and calldata floor cost increases (EIP-7976). This matters for DeFi because current gas pricing fails to reflect actual resource costs. A lending protocol’s liquidation transaction – computationally light but potentially creating new state entries – is priced the same as a computationally heavy but state-light operation. Multidimensional gas, separating state creation, execution, and calldata pricing with a “reservoir” mechanism, allows the EVM to price each dimension independently. Liquidation transactions that merely update existing state become cheaper. New position creation is priced to reflect its actual cost. Oracle update transactions (mostly calldata) are priced by their actual resource consumption.

Hegota (H2 2026) brings the Holy Trinity: FOCIL (EIP-7805), EIP-8141 Frame Transactions, and binary trees (EIP-7864).

FOCIL’s MEV implications I have already discussed. But its interaction with DeFi goes beyond MEV in ways I did not fully appreciate until working through the implications. For any DeFi protocol that requires timely transaction inclusion – liquidations, oracle updates, governance votes, emergency shutdowns – FOCIL provides a protocol-level guarantee that these transactions will be included regardless of builder incentives. A builder cannot selectively exclude a liquidation transaction to profit from delayed execution. A builder cannot censor a governance vote to manipulate a protocol’s parameters. These are not theoretical scenarios; they are real vectors that the current system’s reliance on builder goodwill leaves open.

EIP-8141 Frame Transactions deserve particular attention because they are less discussed than FOCIL or encrypted mempools but potentially equally transformative. Frame Transactions allow a single transaction to consist of N calls that can read each other’s calldata, with separate authorization for sender and gas payer.

For DeFi users, this means gas abstraction: a paymaster contract can pay your gas in USDC or DAI. No need to hold ETH to interact with a DeFi protocol. This sounds like a convenience feature but it is actually a structural change – it removes the “hold ETH” prerequisite that creates friction for institutional and cross-chain users entering DeFi.

More significantly, Frame Transactions enable privacy-preserving DeFi transactions. A ZK-SNARK paymaster can verify that a transaction is valid without revealing the sender. Combined with encrypted mempools, this means: a swap or a lending interaction can be submitted, encrypted, validated via ZK proof, force-included via FOCIL, and settled – with neither the sender’s identity nor the transaction’s content visible to any intermediary at any point.

The “2D nonces for multi-tenant accounts” feature of Frame Transactions enables multiple users to share a privacy pool for transactions. This is critical for institutional privacy: multiple institutional users can transact through a shared paymaster, and an observer cannot determine which institution submitted which transaction.

Binary trees (EIP-7864) improve state management. Current hexary keccak Merkle Patricia Tries produce proofs that are expensive to verify. Binary trees with efficient hash functions (the current EIP-7864 draft uses BLAKE3, with Keccak and Poseidon2 as candidates) give roughly 4x shorter Merkle branches and 3-4x proving efficiency. This represents a shift from the earlier Verkle tree approach – the community moved to binary trees because they offer better compatibility with ZK proving systems, a critical consideration as the roadmap converges with the privacy and scaling agenda.

For lending protocols specifically: light client verification of collateral positions becomes practical. A liquidator running on a mobile device or an L2 can verify the state of a lending position on Ethereum L1 without trusting a full node. This is foundational for cross-chain lending and for making liquidation truly decentralized. Lending protocols store user positions in adjacent storage slots; binary trees with page-based access reduce the cost of reading and updating related slots, directly reducing gas costs for deposits, withdrawals, and liquidations. And the metadata bits in binary trees are designed for future state expiry – old, inactive positions can be expired from active state while remaining provable, essential for protocols like Aave that accumulate millions of historical positions.

RISC-V: The Most Elegant Simplification

Beyond the near-term upgrades, the RISC-V VM transition represents something deeper – a philosophical commitment to simplicity as a security property.

The EVM has served Ethereum well for a decade, but it shows its age. The instruction set is idiosyncratic. Precompiles are a hack – special-purpose optimizations hard-coded into every client implementation. Gas costs are poorly calibrated to actual resource usage. RISC-V, by contrast, is a couple hundred lines of specification. It is the most well-studied open instruction set in the world, with extensive verification infrastructure from the hardware industry.

The deployment path preserves full backward compatibility: RISC-V is deployed first for precompiles, replacing hard-coded implementations with RISC-V programs that can be updated via governance. Users can then deploy RISC-V contracts alongside EVM contracts. Eventually, the EVM itself retires to a smart contract running on RISC-V.

For DeFi innovation, the implications are substantial. A lending protocol that wants to implement Basel III-style risk weighting on-chain currently faces prohibitive gas costs and instruction set limitations. In RISC-V, you write arbitrary computation in standard languages (Rust, C), compile to RISC-V, and deploy. The vectorized math precompile – described as “the GPU for the EVM” – enables 8-64x acceleration for operations like batch interest calculations, portfolio risk computations, and STARK validation for ZK proofs over lending positions.

Formal verification becomes dramatically easier. Proving properties of a RISC-V lending protocol contract is far more tractable than proving properties of EVM bytecode, because the instruction set is simpler and the verification tooling is more mature. For protocols managing tens of billions of dollars, the ability to mathematically prove correctness rather than merely hope for it is a fundamental security upgrade.

Client-side proving becomes practical: binary trees plus RISC-V plus efficient hash functions enable users to prove the correctness of their own transactions locally. A borrower can generate a proof that their position is solvent, submit it on-chain, and the protocol verifies the proof instead of re-executing the calculation. This reduces on-chain computation by orders of magnitude for complex lending operations.

Fast Finality and Its DeFi Impact

The trajectory from current 12-second slots with roughly 16-minute finality toward 2-second slots with single-digit-second finality (via Minimmit, a one-round finality protocol requiring an 80% honest supermajority compared to standard BFT’s 67% threshold) has cascading effects on DeFi. This trajectory comes from Justin Drake’s strawmap (February 2026) and represents a long-term aspiration rather than a confirmed schedule.

For DEX trading: faster finality reduces the time between trade submission and settlement certainty. At 2-second slots with 8-second finality, a DEX trade settles with economic finality roughly 100x faster than currently. This narrows the window for CEX-DEX arbitrage, compresses the value of latency advantages, and makes on-chain trading more competitive with centralized exchange execution speeds.

For lending: faster finality means faster liquidation execution. When a position becomes undercollateralized, the time to liquidate compresses from the current multi-minute window (considering block times plus finality) to seconds. This reduces the risk of bad debt from positions that decline further while waiting for liquidation, which in turn allows protocols to offer higher loan-to-value ratios with the same risk parameters. Efficiency gains cascade.

For cross-chain interactions: fast finality on L1 reduces the security delay for L2 state confirmations, improving the speed and reliability of cross-chain lending, cross-chain swaps, and cross-chain collateral management. The current $9 billion fragmented across L2s becomes more usable when cross-chain settlement is fast and certain.

Quantum Resistance: The Long Game

The quantum resistance roadmap deserves mention not because quantum computers are imminent, but because the transition planning reveals how seriously the Ethereum community takes long-term infrastructure resilience – and because the transition has dual-use benefits for DeFi.

The four vulnerable areas are: consensus BLS signatures, data availability KZG commitments, EOA ECDSA signatures, and application-layer ZK proofs. The first two are protocol-level changes transparent to DeFi applications. The third – migrating from ECDSA to quantum-resistant signatures – is where DeFi is directly affected, because every wallet holding DeFi positions needs to migrate. EIP-8141 Frame Transactions provide the infrastructure: users upgrade to smart wallets with quantum-resistant signature verification, and the vectorized math precompile accelerates lattice-based signatures by 8-64x, making them practical for on-chain verification.

The fourth area – transitioning application ZK proofs from elliptic curve-based systems (Groth16, PLONK) to hash-based systems (STARKs) – has a dual benefit. Protocol-layer recursive aggregation, developed for quantum resistance, allows multiple ZK proofs to be aggregated into a single verification. For privacy-preserving DeFi, this means multiple lending protocols’ ZK proofs over borrower positions can be aggregated and verified in a single on-chain operation, dramatically reducing costs. The quantum resistance infrastructure becomes privacy infrastructure by inheritance.

VIII. Synthesis: The Sanctuary and Its Tests

Threads Coming Together

Let me try to draw the threads together, though I want to resist the temptation to make this neater than it actually is.

DEX evolution: intent-based trading plus FOCIL plus encrypted mempools gives you a system where users can trade any asset, at any time, without anyone being able to censor, front-run, or manipulate their trade. That is the aspiration, anyway. In practice, you have an application layer (intents, solvers) that is already working and a protocol layer (FOCIL, encrypted mempools) that mostly has not shipped yet. The gap between “working” and “shipped” matters.

Lending and credit markets: privacy-preserving CDPs plus RWA tokenization plus permissionless liquidation gives you a system where people can access credit and manage risk without exposing themselves to surveillance or depending on any single institution’s goodwill. But the actual lending market today is dominated by a single protocol with a 1.7% backstop ratio, which is roughly the opposite of what the sanctuary thesis describes.

MEV transformation: the Holy Trinity gives you a transaction pipeline that is itself a sanctuary. Your economic actions flow through a system where no single actor can extract value from you, censor you, or even identify you. The shift from “trust the relay, trust the builder” to “trust the math” is real – but it has not happened yet. The math exists. The deployment does not.

Developer ecosystem: nearly 32,000 active developers across every continent, building across multiple client implementations, with improving but imperfect tools. The human sanctuary – not any single team or foundation, but a distributed community of builders whose geographic diversity and institutional pluralism provide resilience against centralized pressure. The developer layer must pass the walkaway test too, and the compensation gap is the most immediate threat to that test’s outcome.

Regulatory clarity: the shift from enforcement-by-ambiguity to legislative frameworks creates the conditions under which institutional capital can enter on-chain structures at scale, providing the economic resources that sustain sanctuary infrastructure. But regulatory clarity must be navigated carefully – it enables the sanctuary without becoming its captor. And I genuinely do not know which way this goes.

If this architecture delivers what it promises – and every piece has an EIP number, which is not nothing – then we are looking at a system where fairness is a property of the infrastructure rather than the goodwill of its operators. That is a genuinely different kind of thing. But “if” is doing a lot of work in that sentence.

The Risks Worth Naming

Intellectual honesty requires naming what could go wrong, and several of these risks are substantial enough that they could individually undermine the thesis.

Execution risk on the roadmap. The fork cadence of roughly six months is ambitious. If Glamsterdam slips significantly, the entire sequence shifts. The Ethereum Foundation’s track record on shipping upgrades is mixed – the Merge was years late but ultimately successful. The current “strawmap” represents a more disciplined approach, but it is untested at this pace.

Aave concentration risk. At 51-62% market share with a roughly $460 million backstop for $26-27 billion in TVL, Aave represents a systemic risk for the entire DeFi lending market. Binary trees and improved proving do not help if the application layer is too concentrated. The Morpho/Euler modular approach provides architectural diversity, but switching costs are real and Aave’s liquidity network effects are powerful. The market needs to solve for this at the application layer; the protocol cannot do it.

L1 revenue sustainability. The blob fee dynamics reveal a genuine tension. Ethereum’s scaling strategy succeeds by making L2 data posting cheap, but cheap data posting means less revenue flowing to L1 validators. EIP-7918’s fee floor is a partial answer, but the broader question – how does L1 security funding scale as more activity moves to L2s – remains open. If validator rewards decline significantly relative to the capital required to participate, the validator set could shrink, reducing the security that makes Ethereum a credible settlement layer in the first place.

Developer retention. The 33% compensation gap for core developers is not just an HR issue – it is a security issue. Underpaid developers leave. New developers take time to reach the level of competence required for protocol-critical code. Every departure represents institutional knowledge lost and every replacement represents risk introduced.

Regulatory capture of RWA. If tokenized RWAs require full KYC/AML at the protocol level and regulators mandate this globally, then the RWA boom could paradoxically make DeFi less permissionless. The privacy-preserving compliance approach is the answer, but it is technically and legally unproven. There is a real risk that the path of least resistance – traditional compliance layered onto blockchain plumbing – becomes the dominant model, and the sanctuary properties are lost.

Builder centralization persistence. Even after ePBS, the builder market could remain oligopolistic if solvers and market makers continue to send exclusive orderflow to dominant builders. The economic incentives for exclusive relationships are strong. FOCIL constrains the builder’s censorship power, but it does not prevent the builder from capturing the majority of ordering-related MEV. Big FOCIL is the more complete answer, but it is further out on the timeline.

L2 fragmentation. With over $9 billion in TVL fragmented across L2s and no comprehensive cross-L2 interoperability solution in production, DeFi liquidity remains balkanized. Cross-L2 arbitrage research shows that pre-positioned inventory settles in approximately 9 seconds while bridge-based arbitrage takes approximately 242 seconds – a 27x latency gap that fragments liquidity and concentrates MEV capture. The failure of shared sequencer projects like Astria suggests that the market is not yet ready for a unified cross-rollup ordering layer, and the practical solutions being adopted – Flashblocks, Rollup-Boost – preserve L2 sovereignty at the cost of cross-L2 atomicity.

Building During Extreme Fear

There is something clarifying about extreme fear, but I want to be careful not to romanticize it. The Fear & Greed Index at 11 does not mean the market is wrong and the builders are right. Sometimes the market is right and sentiment reflects genuine problems. What extreme fear does is strip away the noise layer – the narrative, the speculation, the vibes – and leave you looking at the things that are not driven by sentiment. The $55 billion still locked in lending protocols. The $18.91 billion in active on-chain private credit. The EIP numbers moving through the governance process. The Brontes classifier parsing every block, every transaction, building the empirical foundation for mechanism design improvements. The 31,869 developers, across six continents, writing the code that turns proposals into production infrastructure.

These things are not sentiment. They are structure. And structure is what you build on.

The AI acceleration dimension is worth noting here, though I want to hedge more than is probably comfortable, because the timeline implications are speculative. AI is accelerating coding productivity – that much seems clear. The recommended heuristic is to take half the gains in speed and half in security. For the Ethereum roadmap specifically: AI can generate comprehensive test suites for EIP implementations, catching edge cases that human reviewers miss. AI-coded machine-verifiable proofs of protocol properties could let us prove that FOCIL guarantees inclusion within K slots, that ePBS auction mechanics are incentive-compatible, that binary tree proofs are sound. AI could make it feasible to maintain three to four independent client implementations per layer, reducing the risk of correlated bugs.

But “could” is doing a lot of work in that paragraph. AI tools are genuinely good at generating tests and finding bugs. Whether they are good enough to compress a multi-year roadmap into something substantially shorter – I honestly do not know. The bottleneck in Ethereum’s development is often not code but coordination and social consensus, and I am not sure AI helps much with that. The expectation of “mathematically proven correct” code replacing “no known bugs” is a meaningful shift, but the timeline for that shift is uncertain.

The Walkaway Test

The walkaway test is perhaps the most useful lens I have for evaluating any piece of infrastructure. Can any single actor leave – or turn adversarial – without the system failing?

Current Ethereum block building fails the walkaway test. If Titan walked away, approximately 52.74% of blocks would need to find new builders overnight. MEV-Boost passes it somewhat better – if Flashbots walked away, other relays exist – but the relay layer itself is a fragile collection of underfunded public goods and vertically integrated businesses. Ultra Sound operates on roughly $240,000 per year with approximately two full-time people. Aestus is volunteer-run.

Post-Glamsterdam ePBS, the relay walkaway test becomes irrelevant because relays are no longer critical infrastructure. Post-Hegota FOCIL, the builder walkaway test improves dramatically: even if every builder walked away, FOCIL includers would ensure transactions are included. The builder’s value-add becomes purely about ordering, not about inclusion.

The developer ecosystem partially passes the walkaway test – no single team or foundation is solely responsible for Ethereum’s development, and multiple independent client implementations provide implementation diversity. But the compensation gap weakens this: if economic conditions push too many experienced developers to leave simultaneously, the coordination cost of replacing them could be severe.

Aave fails the walkaway test at the application layer – if Aave experienced a critical failure, 51-62% of DeFi lending would be disrupted, with cascading effects across the ecosystem. Morpho, Euler, and the modular lending stack are building the diversity that would eventually pass this test, but we are not there yet.

RWA tokenization partially fails the walkaway test because most tokenized assets ultimately depend on a single custodian or issuer. If BlackRock walked away from BUIDL, the $2.2-2.5 billion in tokenized assets would need to be unwound through traditional channels. Diversification across issuers and asset types is the path toward passing this test, and the emergence of Galaxy, Centrifuge, Ondo, and others suggests the market is moving in that direction.

What We Are Left With

Stepping back from the specific data points and EIP numbers, what I keep coming back to is this: there is a system being constructed from first principles. Not a system designed to be fast (though it is getting faster), or cheap (though costs are declining), or popular (sentiment is at extreme fear). A system designed to be fair – in the specific, structural sense of fairness that the walkaway test captures.

The Fear & Greed Index measures how people feel about the market. It tells you nothing about the architecture being built underneath the market. And the architecture is what will matter when the sentiment eventually turns – as it always does – and the question becomes not whether DeFi can attract capital, but whether the infrastructure is worthy of the capital it attracts.

The sanctuary thesis is not a prediction about price. It is a claim about design. Ethereum is being designed, upgrade by upgrade, EIP by EIP, to create digital space where economic activity can occur without dependence on any single actor’s permission or goodwill. The data shows the current system’s limitations in precise quantitative detail – the builder oligopoly, the lending concentration, the MEV extraction, the fragmented liquidity, the developer compensation gap. The roadmap addresses each limitation with concrete technical mechanisms. Whether the engineering keeps pace with the aspiration – whether we are actually building the thing we describe, or describing a thing we may never fully build – is a question I cannot answer with confidence.

What I can say is that the pieces are on the table. The EIP numbers exist. The fork targets are set. The developers are writing the code. And the walkaway test, applied honestly and unflinchingly across every layer – protocol, application, developer, regulatory – reveals both the system’s current fragility and the specific mechanisms designed to address it.

Whether that is enough depends on execution. It depends on things I cannot predict: whether Glamsterdam and Hegota ship on schedule, whether Aave’s concentration is addressed before it becomes a crisis, whether privacy-preserving compliance gains legal acceptance, whether cross-L2 interoperability catches up to the fragmentation of liquidity, whether the developers building all of this are retained and fairly compensated.

The design is sound. The engineering is progressing. But the gap between architecture and reality is where things actually get decided. And we are standing in that gap right now, looking in both directions, not sure yet which way it closes.