Common Knowledge of Blockchains

204 posts

@CommonKnowledg_

Innovation begins with Common Knowledge

Joined April 2025
17 Following · 108 Followers
Pinned Tweet
Common Knowledge of Blockchains (@CommonKnowledg_)
Today, we will examine what replacing the EVM with a RISC-V VM could mean for Ethereum, particularly in the context of Layer 2 scalability. In his proposal, Vitalik highlighted one big benefit from a switch to RISC-V—namely, that ZK provers could become up to 100x more efficient
Common Knowledge of Blockchains (@CommonKnowledg_)
Our last post explained how blockchain oracles work using @chainlink as an example. Specifically, how DeFi apps fetch price data through Chainlink’s data feeds. Today, we’ll go beyond simple price data and explore how oracles can resolve subjective, human-verifiable truths 🧵👇

Most oracles, like Chainlink, continuously push verified data onchain—e.g., ETH/USD prices—so DeFi apps can fetch it at will whenever they need it. That’s great for objective data that can be pulled from APIs, but what about subjective data that requires human judgment?

This is precisely the type of data that enables innovative decentralized protocols, including onchain prediction markets and RWA and insurance protocols.

Onchain prediction markets like @Polymarket let users bet on real-world outcomes, such as which candidate won a mayoral election or which team won a soccer match.

DeFi protocols like @MakerDAO, @centrifuge, @goldfinch_fi, and @maplefinance tokenize off-chain assets such as T-bills, invoices, and loans. This means they need to verify human-reported facts, such as whether an offchain loan payment was made or how a diversified T-bill portfolio is performing.

These facts can’t be fetched via an API in real time; instead, they rely on attestations, audits, and other forms of human verification.

In these cases, @UMAprotocol's optimistic oracle comes into play. Instead of constantly pushing verified data onchain like Chainlink does, UMA flips the model: It assumes most people act honestly and that disputes are rare, hence the name “optimistic.” Here’s how it works 👇

When a piece of data needs to be verified—say, “Who won the NYC mayoral election?” or “Did the borrower repay their loan this week?”—anyone can propose an answer to UMA’s oracle.

This proposer must stake collateral (usually $UMA tokens) as a bond with their submission. This stake acts as skin in the game: if they lie, they lose it.

Once the proposal is submitted, a short challenge window—typically 24 to 48 hours—opens. If no one disputes the answer, it’s automatically accepted as true, pushed onchain, and the issue is settled.

However, if someone believes that the initially proposed answer is wrong, they can dispute it by posting their own bond as collateral. If this happens, UMA escalates the dispute to its Data Verification Mechanism (DVM)—a decentralized onchain voting system.

The DVM is composed of $UMA stakers who independently review off-chain evidence, including news, reports, or transaction data, and vote on what’s true. These votes aren’t coin flips—they require informed judgment.

For instance, to resolve the “Who won the NYC mayoral election?” market on Polymarket, DVM voters check the official election results from the NYC Board of Elections and vote accordingly.

That’s where Schelling-point game theory kicks in. Voters are rewarded for aligning with the answer they believe most other voters will consider correct. Since everyone expects the majority to rely on official sources, the safest (and most profitable) move is to vote for the objectively true outcome.

This makes the system self-stabilizing: honest proposers earn rewards, dishonest ones lose their bond, and disputers are rewarded for catching lies but penalized for false challenges.

In short, UMA replaces continuous data feeds with incentive-driven truth discovery. For prediction markets, it means events can resolve transparently and cheaply. For RWA and insurance protocols, it means real-world data can be verified without relying on a single trusted intermediary.
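The propose / challenge-window / dispute / vote lifecycle described in this thread, modelled as a small state machine. This is an added example, not UMA's contract code: the class and function names, the 500-token bond, the equal bond for both sides and the winner-takes-both-bonds payout are assumptions, and the votes are constructed.

```python
from dataclasses import dataclass, field

CHALLENGE_WINDOW = 24 * 3600   # seconds; the thread cites 24 to 48 hours


@dataclass
class Request:
    """One question put to the oracle. Names and the payout split are assumptions."""
    question: str
    bond: int                   # collateral each side posts (assumed equal for both)
    state: str = "OPEN"         # OPEN -> PROPOSED -> (DISPUTED ->) SETTLED
    proposer: str = ""
    proposed: str = ""
    proposed_at: int = 0
    disputer: str = ""
    answer: str = ""
    payouts: dict = field(default_factory=dict)

    def propose(self, who, answer, now):
        if self.state != "OPEN":
            raise ValueError("an answer was already proposed")
        self.proposer, self.proposed, self.proposed_at = who, answer, now
        self.state = "PROPOSED"

    def dispute(self, who, now):
        if self.state != "PROPOSED":
            raise ValueError("nothing to dispute")
        if now >= self.proposed_at + CHALLENGE_WINDOW:
            raise ValueError("challenge window closed")
        self.disputer, self.state = who, "DISPUTED"

    def settle_unchallenged(self, now):
        if self.state != "PROPOSED":
            raise ValueError("request is not awaiting settlement")
        if now < self.proposed_at + CHALLENGE_WINDOW:
            raise ValueError("challenge window still open")
        self.answer, self.state = self.proposed, "SETTLED"
        self.payouts = {self.proposer: self.bond}          # bond returned

    def settle_by_vote(self, votes):
        """votes maps staker -> (stake, answer); the answer with the most stake wins."""
        if self.state != "DISPUTED":
            raise ValueError("no dispute to resolve")
        tally = {}
        for stake, ans in votes.values():
            tally[ans] = tally.get(ans, 0) + stake
        self.answer = max(tally, key=tally.get)
        winner = self.proposer if self.answer == self.proposed else self.disputer
        self.payouts = {winner: 2 * self.bond}             # own bond plus the loser's
        self.state = "SETTLED"


def undisputed_run():
    r = Request("Did the borrower repay their loan this week?", bond=500)
    r.propose("alice", "yes", now=0)
    r.settle_unchallenged(now=CHALLENGE_WINDOW)
    return r.answer, r.payouts


def disputed_run():
    r = Request("Did the borrower repay their loan this week?", bond=500)
    r.propose("mallory", "yes", now=0)
    r.dispute("bob", now=3600)
    # Constructed votes: stakers holding 75 of 100 staked tokens saw no repayment.
    r.settle_by_vote({"v1": (40, "no"), "v2": (35, "no"), "v3": (25, "yes")})
    return r.answer, r.payouts


def late_dispute_rejected():
    r = Request("Did the borrower repay their loan this week?", bond=500)
    r.propose("alice", "yes", now=0)
    try:
        r.dispute("bob", now=CHALLENGE_WINDOW)   # one second too late
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(undisputed_run(), disputed_run(), late_dispute_rejected())
```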
Common Knowledge of Blockchains (@CommonKnowledg_)
Our previous thread explained what blockchain oracles are and why they’re an essential piece of infrastructure for smart contract-enabled chains. In this one, we’ll dive deeper into how they’re architected to ensure data accuracy and the integrity of onchain data delivery. 🧵👇

First and foremost, it's important to recognize that not all blockchain oracles are created equal or serve the same purpose. There are considerable design differences among various oracles, such as @chainlink, @UMAprotocol, @BandProtocol, and @. However, for the sake of simplicity, we will focus on Chainlink—the largest blockchain oracle provider—as our primary example to illustrate how blockchain oracles function.

In our previous thread, we explained why DeFi protocols like @aave can’t rely on a single onchain source such as Uniswap for price feeds. If they do, they expose themselves to manipulation. Asset prices on decentralized exchanges are determined by liquidity-pool ratios, which can be distorted by malicious traders making large swaps using flash loans or their own capital.

That’s why protocols like Aave turn to oracle providers such as Chainlink, which—at first glance—seem to solve this problem entirely. After all, Chainlink doesn’t rely on a single exchange like Uniswap; it aggregates price data from many venues, filters it, and delivers the median value onchain.

But there’s a deeper layer of risk many people overlook. Even if the underlying data—be it asset prices, weather data, or anything else—is aggregated from dozens of sources, it’s all for nothing if it’s delivered by a single oracle.

Trusting a single offchain actor to behave honestly and remain online reintroduces the same single point of failure as relying on a single data source in the first place. If that oracle goes down, gets compromised, or acts maliciously, every onchain protocol depending on it is instantly exposed.

This is why Chainlink and most other blockchain oracle providers are designed with decentralization in mind. More specifically, Chainlink isn’t a single oracle but a heterogeneous network of many decentralized oracle networks (DONs). Each DON provides a unique oracle service tailored to its users’ needs.

For instance, one DON may provide the ETH/USD price to the Ethereum blockchain, another may provide price feeds for Liquid Staking Tokens (LSTs) to Arbitrum, and a third may transfer tokens cross-chain between Polygon and Solana.

Furthermore, each DON comprises multiple nodes run by different operators, often using their own infrastructure and data sources. These may include Web2 telecommunications providers such as Vodafone, leading data providers, and Web3 infrastructure providers such as Infura. These nodes independently fetch, sign, and report data before it’s aggregated into a single, consensus-verified value.

For example, a DON consisting of 31 nodes may have each node independently fetch the price data for ETH in USD across multiple centralized and decentralized exchanges and generate its own median value. Then, all the nodes’ medianized price data is aggregated into a single data point (an oracle report) and delivered by the DON to the intended recipient—e.g., a blockchain app like Aave.

To aggregate the data from multiple nodes into a single data point, Chainlink uses a protocol called Off-Chain Reporting (OCR). OCR is a system that allows nodes to reach consensus offchain on a single data point. Here’s how it works:

First, each node in a DON independently fetches data from its chosen sources and shares its signed report with the rest of the network through a peer-to-peer communication layer. For instance, Node A may report that the price of ETH is $3,120, Node B may say it’s $3,125, Node C may say it’s $3,118, etc.

Once enough reports are collected, the nodes use a consensus algorithm to agree on a single aggregated price of ETH—typically a median of all submissions. Only one compact report, containing the final result (a single price for ETH in USD) and the aggregated signatures of the participating nodes, is then published onchain.

Once the report is submitted, smart contracts verify its authenticity using those aggregated signatures before accepting it as valid input. This closes the loop, ensuring that no unsigned or tampered data can ever be injected into the blockchain. This design drastically reduces gas costs and improves scalability while maintaining full decentralization and verifiability.

Of course, decentralization only works if the nodes within a DON can’t easily collude to manipulate the results. If a handful of them could coordinate to submit false data, all of this would be for nothing. To prevent this, Chainlink relies on a combination of cryptographic guarantees, economic incentives, and transparency mechanisms.

👉 Each node cryptographically signs its response, making every submission verifiable and publicly auditable onchain. This ensures that any deviation from expected behavior can be traced back to the responsible operator.

👉 On top of that, nodes are economically incentivized to report accurately. They stake LINK tokens and earn fees for good performance, but also risk losing revenue, reputation, and potentially staked assets if they behave dishonestly.

Finally, all oracle activity—data updates, node identities, feed parameters, and historical performance—is fully transparent. Anyone can inspect the onchain reports to verify which nodes participated, when updates occurred, and how results were aggregated. If certain nodes misbehave or don’t function properly, their reputation (and potentially their revenue) will take a hit, and nobody will rely on them in the future.

In essence, Chainlink’s architecture replaces trust with verification. By decentralizing data sourcing, aggregation, and delivery—and securing each layer with cryptographic proofs, economic incentives, and full transparency—it ensures that blockchain apps can interact with the real world without sacrificing security or reliability.
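The sign, collect, verify and medianize round described in this thread, as an added sketch that is not Chainlink's OCR code. Assumptions: a constructed 7-node network tolerating 2 faulty nodes, HMAC-SHA256 standing in for each node's digital signature so the block runs on the standard library alone, and constructed price observations.

```python
import hashlib
import hmac
import statistics

N, F = 7, 2                 # constructed DON: 7 nodes, up to 2 may be faulty (N >= 3F + 1)
QUORUM = 2 * F + 1          # valid observations required before a report is formed
# Constructed per-node keys. HMAC-SHA256 stands in for each node's digital signature.
NODE_KEYS = {f"node{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
             for i in range(N)}


def sign(node, round_id, price):
    """Bind the price to the round so an old observation cannot be replayed."""
    msg = f"{round_id}|{price}".encode()
    return hmac.new(NODE_KEYS[node], msg, hashlib.sha256).hexdigest()


def observe(node, round_id, price):
    return {"node": node, "round": round_id, "price": price,
            "sig": sign(node, round_id, price)}


def aggregate(observations, round_id):
    """Verify, de-duplicate and medianize; return (median, signers) or raise."""
    accepted = {}
    for ob in observations:
        node = ob["node"]
        if node not in NODE_KEYS or node in accepted or ob["round"] != round_id:
            continue                      # unknown signer, duplicate, or wrong round
        if not hmac.compare_digest(sign(node, round_id, ob["price"]), ob["sig"]):
            continue                      # altered value or forged signature
        accepted[node] = ob["price"]
    if len(accepted) < QUORUM:
        raise ValueError(f"only {len(accepted)} valid observations, need {QUORUM}")
    return statistics.median(accepted.values()), sorted(accepted)


HONEST = [3120, 3125, 3118, 3122, 3121]   # constructed ETH/USD observations


def round_with_two_liars():
    """Two faulty nodes sign absurd values; the median stays inside the honest range."""
    obs = [observe(f"node{i}", 42, p) for i, p in enumerate(HONEST)]
    obs += [observe("node5", 42, 1), observe("node6", 42, 1_000_000)]
    return aggregate(obs, 42)


def round_with_tampering():
    """A value altered after signing is dropped, and a duplicate does not count twice."""
    obs = [observe(f"node{i}", 42, p) for i, p in enumerate(HONEST)]
    obs[0]["price"] = 9999                # signature no longer matches
    obs.append(dict(obs[1]))              # second copy of node1's observation
    try:
        return aggregate(obs, 42)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(round_with_two_liars())
    print(round_with_tampering())
```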
Common Knowledge of Blockchains (@CommonKnowledg_)
Our previous thread gave a bird's-eye overview of onchain prediction markets, focusing on the most popular one, Polymarket. This one will examine oracles—a critical piece of blockchain infrastructure that makes prediction markets and many other decentralized apps possible. 🧵👇

Let’s start with the basics. 📖 A blockchain oracle is a secure piece of middleware that connects blockchains with off-chain systems, including web APIs, cloud and data providers, enterprise backends, payment systems, and even other blockchains.

They’re a valuable piece of tech because, without them, blockchains can’t access external data on their own. They’re self-contained, deterministic systems designed for security. Certain blockchains that are primarily focused on payments, like Bitcoin, don’t need them, but smart contract platforms that strive to build expansive DeFi ecosystems can’t really exist without them.

The best way to understand the utility of blockchain oracles is through a practical example. 👇

Imagine you want to borrow 1,000 USDC onchain, using the decentralized money market Aave. To do this, you need to post some form and amount of collateral. Aave requires over-collateralization because crypto assets are volatile, and there’s no traditional credit system or credit checks. It can’t know whether you have the money to pay the loan back, so it requires you to lock up an asset worth more money than you’re borrowing up front.

The protocol does this to protect itself from loans becoming under-collateralized if prices fall—ensuring lenders’ funds remain secure despite market swings.

Now, suppose you only have 1 ETH in your wallet and use it as collateral. To protect the USDC lenders, Aave must constantly track your loan-to-value (LTV) ratio and make sure the value of your ETH never drops below the safety threshold before liquidation kicks in. For this to work, Aave obviously needs to know the market price of ETH.

This may sound like a trivial task until you realize that blockchains don’t have a built-in mechanism to know “the price of ETH in USD.” On Ethereum, ETH is just a native token; the chain itself doesn’t have a concept of “dollars” or “price.”

Like any other asset, ETH’s price is derived from exchange rates on various venues, including off-chain centralized exchanges like Coinbase, Kraken, and Binance, as well as on-chain decentralized exchanges like Uniswap. Moreover, depending on the liquidity, trading volumes, and other factors, the price of ETH in USD always slightly (or, sometimes, not so slightly) varies between different exchanges.

Now, we already said that blockchains can’t access external data—like the price of ETH on centralized exchanges—on their own, but what about data that’s already onchain, like the price of ETH on Uniswap?

This is indeed possible, but relying solely on the price of ETH on Uniswap is a bad idea for several reasons, including:
1️⃣ The price on Uniswap doesn’t reflect the broad market price of ETH, and
2️⃣ Uniswap’s price reflects the ratio of tokens in its ETH:USDC liquidity pool (LP), which makes it susceptible to price manipulations.

The second point is especially important. A trader could, for example, distort the LP’s ratio by swapping a large amount of tokens (relative to the pool’s liquidity), making ETH appear far more or less valuable than it really is.

A malicious borrower could exploit this by artificially pushing ETH’s price on Uniswap, borrowing more USDC from Aave using ETH as collateral, and then letting the pool revert once the transaction is done. This kind of flash-loan-based price manipulation has caused major exploits in DeFi, and is precisely why Aave doesn’t rely on a single on-chain DEX for prices.

Instead, it uses oracle providers like @chainlink, which aggregate data from many exchanges and data sources, apply outlier filtering and time-weighted averaging, and then deliver a tamper-resistant, consensus-secured price feed to the protocol.

As we’ve seen, both the accuracy of the data and the integrity of how it’s delivered onchain are vital to keeping protocols like Aave securely functional. In fact, DeFi protocols like Aave are only as secure as the oracles they rely on, which means oracles have a huge responsibility to perform flawlessly.

In the next thread, we’ll break down how oracles are designed to handle that responsibility and deliver trustworthy data onchain.
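Why a lending protocol should not price collateral from one pool's reserve ratio, worked through as an added example (not Aave, Uniswap or Chainlink code). The pool size, venue prices, the 2% deviation tolerance and the 80% LTV are constructed assumptions, and the swap fee is ignored to keep the numbers round.

```python
import statistics

MAX_DEVIATION = 0.02    # assumed tolerance: flag a venue more than 2% from the median
LTV = 0.80              # assumed loan-to-value limit of the lending protocol


def spot_price(eth_reserve, usdc_reserve):
    """The price implied by a constant-product pool is the ratio of its reserves."""
    return usdc_reserve / eth_reserve


def swap_usdc_for_eth(eth_reserve, usdc_reserve, usdc_in):
    """Reserves after a swap under x * y = k (swap fee ignored)."""
    k = eth_reserve * usdc_reserve
    new_usdc = usdc_reserve + usdc_in
    return k / new_usdc, new_usdc


def reference_price(venue_prices):
    """Median across venues: one distorted source cannot move it far."""
    return statistics.median(venue_prices.values())


def outliers(venue_prices):
    """Venues whose price deviates from the cross-venue median beyond the tolerance."""
    ref = reference_price(venue_prices)
    return sorted(v for v, p in venue_prices.items()
                  if abs(p - ref) / ref > MAX_DEVIATION)


def borrow_limit(collateral_eth, price):
    """What the protocol would lend against the collateral at a given price."""
    return collateral_eth * price * LTV


def scenario():
    eth, usdc = 1_000.0, 3_000_000.0                      # constructed pool
    before = spot_price(eth, usdc)
    # One large swap, equal in size to the pool's USDC side, inside a single block.
    eth, usdc = swap_usdc_for_eth(eth, usdc, 3_000_000.0)
    after = spot_price(eth, usdc)
    venues = {"cex_a": 3001.0, "cex_b": 2998.0, "cex_c": 3000.0, "dex_pool": after}
    ref = reference_price(venues)
    return {
        "before": before,
        "after": after,
        "reference": ref,
        "outliers": outliers(venues),
        "limit_at_pool_price": borrow_limit(1, after),
        "limit_at_reference": borrow_limit(1, ref),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>20}: {value}")
```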
Common Knowledge of Blockchains retweeted
ZachXBT (@zachxbt)
1/ As part of my work I like to test out privacy products and figure out what works and what doesn’t so I can abuse any design flaws for my investigations. With the recent hype around Zashi & its Near Intents integration I tested it for Zcash.
Common Knowledge of Blockchains (@CommonKnowledg_)
The rise of prediction markets might be the clearest sign of product-market fit crypto has had since DeFi. Where else should the wisdom of the crowd live, if not on open, transparent ledgers? It’s a match made in heaven. Yet, many still don’t get what all the fuss is about 🧵👇

Prediction markets are where information meets incentives. Instead of arguing about what will happen, you bet on it, and prices reveal what the crowd truly believes. It’s the purest expression of the “put your money where your mouth is” principle.

Oh, you’re sure Powell won’t lower rates at the next Fed meeting? 🤔 There’s an onchain market for it. Bet on it. 🫵

You want to know the odds of something happening? You can safely ignore the “experts,” the polls, and the biased pundits—prediction markets are where it's at. The aggregate bets of many people with skin in the game tend to reflect real-world probabilities more accurately than any single expert.

Unlike polls, which capture a static snapshot of sentiment, prediction markets update in real time as events unfold, offering a continuous and more dynamic view of public opinion. Moreover, people often lie to pollsters, whereas on prediction markets, there’s real money at risk, meaning they’re only expressing high-conviction opinions.

Can the crowd be wrong? Of course, but the point is, it’s statistically way less likely than single experts.

Now, how do onchain prediction markets work? Obviously, @Polymarket is currently the most popular and liquid onchain prediction market, so we’ll use it as an example.

On Polymarket, each market corresponds to a Yes/No question with a future outcome. For example: “What will the Fed’s decision regarding interest rates be in October?”

Outcomes:
a) 50+ bps decrease
b) 25 bps decrease
c) No change
d) 25+ bps increase

For each outcome, you can buy “Yes” shares (if you think it will happen) or “No” shares (if you think it won’t). Each “Yes” share trades between $0 and $1, where the price reflects the implied probability of that outcome. Moreover, each share in the market represents a claim that pays $1 if true, and $0 if false.

For example, the market is currently pricing the “Yes” shares for the “25 bps decrease” outcome at 95 cents, implying the crowd believes there’s a 95% chance the Fed cuts rates by 25 bps in October.

If you think the crowd is wrong, you could, for example, buy 20,000 “No” shares at 5¢ each with $1,000. If the Fed doesn’t cut rates by 25 bps, those “No” shares will each pay out $1, turning your $1,000 into $20,000.

The cool part? There’s no bookie, no middleman, no back office tracking who owes what; it’s all handled by smart contracts on the Polygon blockchain.

And instead of an order book, Polymarket uses a special automated market maker (AMM) built specifically for binary outcomes, powered by the Logarithmic Market Scoring Rule (LMSR) formula. Think of it as Uniswap for Yes/No shares. 🙂

Under the hood, each market starts with a pool of USDC collateral. As traders buy and sell, the AMM automatically adjusts prices so the total probabilities hover around 100%.

More “Yes” buyers → price goes up → higher implied probability.
More “No” sellers → price goes down → lower implied probability.

This ensures two things:
👉 Dynamic probabilities: Prices instantly reflect new information.
👉 Continuous liquidity: You can enter or exit anytime, no need to wait for the market to resolve.

Perhaps more importantly, you’re not betting against the “house” like in traditional sports betting, but against other people. Meaning, there’s no “house” to ban you for winning too big. 😉

However, if there’s no house, then who decides which outcome actually happened? Using our earlier example, once the Fed announces its decision, the Polymarket question needs to be resolved so the smart contract knows which outcome came true and how to settle the shares.

That’s where @UMAprotocol's Optimistic Oracle comes in. On Polymarket, anyone can propose an outcome (e.g. “The Fed raised rates by 25 bps”) by putting up a bond in USDC. If the proposal is wrong or dishonest, that bond is forfeited—a built-in deterrent against bad actors.

If nobody disputes the proposal during a short challenge window, the oracle accepts it as truth, and the smart contract automatically pays out the winning shares.

But if someone does dispute it (also by posting a bond), UMA’s dispute-resolution layer steps in. Here, UMA tokenholders who’ve staked their tokens vote on which side—proposer or disputer—was correct. After voting ends, the majority decision becomes the onchain “truth.”

As you might’ve noticed, UMA plays a key role in Polymarket, turning real-world facts into onchain truth. And it’s not just prediction markets; oracles like @chainlink and UMA are at the heart of the entire DeFi ecosystem. That’s why our next deep dive will focus on how oracles work and why they matter. ⚙️
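The Logarithmic Market Scoring Rule named in this thread, worked through as an added example (not any market's contract code). It shows the three behaviours the thread describes: prices that sum to 1, a price that rises as "Yes" shares are bought, and what it costs to move the implied probability to 95%. The liquidity parameter b = 100 and the trade sizes are assumptions.

```python
import math


def cost(q, b):
    """LMSR cost function C(q) = b * ln(sum_i exp(q_i / b)), computed stably."""
    m = max(q)
    return m + b * math.log(sum(math.exp((x - m) / b) for x in q))


def prices(q, b):
    """Instantaneous prices are the softmax of q / b, so they always sum to 1."""
    m = max(q)
    weights = [math.exp((x - m) / b) for x in q]
    total = sum(weights)
    return [w / total for w in weights]


def buy(q, b, outcome, shares):
    """A trade costs C(q_after) - C(q_before); returns (new quantities, amount paid)."""
    new_q = list(q)
    new_q[outcome] += shares
    return new_q, cost(new_q, b) - cost(q, b)


def shares_to_reach(q, b, target):
    """Binary market: 'Yes' shares (index 0) needed to move its price to `target`."""
    return q[1] - q[0] + b * math.log(target / (1 - target))


def max_subsidy_loss(n_outcomes, b):
    """Worst-case loss of the market maker starting from q = 0 is b * ln(n)."""
    return b * math.log(n_outcomes)


def walkthrough(b=100.0):
    q = [0.0, 0.0]                               # [Yes, No] shares sold so far
    start = prices(q, b)                         # 50 / 50 before any trade
    q_after, paid = buy(q, b, 0, 100.0)          # someone buys 100 Yes shares
    needed = shares_to_reach(q, b, 0.95)         # shares to push Yes to 95%
    q_95, cost_95 = buy(q, b, 0, needed)
    return {
        "start_prices": start,
        "paid": paid,
        "after_prices": prices(q_after, b),
        "shares_to_95": needed,
        "cost_to_95": cost_95,
        "price_at_95": prices(q_95, b)[0],
        "worst_case_loss": max_subsidy_loss(2, b),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:>16}: {value}")
```

A larger b makes the same price move cost proportionally more, which is the liquidity side of how hard a market's implied probability is to push around.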
Common Knowledge of Blockchains retweeted
Common Knowledge of Blockchains (@CommonKnowledg_)
With $ZEC pumping 140% in a week, you're probably wondering why? And perhaps, why not Monero? What are the differences between the two? Here's a quick comparison 👇
Common Knowledge of Blockchains tweet media
Common Knowledge of Blockchains (@CommonKnowledg_)
Welcome to Part 6️⃣ of our Onchain Privacy series! 🥷💰 After covering Bitcoin and Ethereum privacy protocols, then diving into Zcash, we now turn to another privacy-first blockchain: Monero. It’s the original privacy coin, and remains king among the category for good reasons 👇

Launched in 2014—two and a half years before Zcash—Monero was the first privacy-focused blockchain to gain real traction. A decade later, despite growing competition, it remains the most widely adopted privacy coin.

Unlike its biggest rival, Zcash, which comes with opt-in privacy, Monero has full-on privacy by default. To achieve this, it uses several cryptographic primitives:
👉 Ring signatures hide the sender;
👉 Stealth addresses hide the receiver;
👉 Confidential transactions hide the amounts;
👉 The Dandelion++ protocol obscures the IP address of the devices producing the transactions.

Here’s how each component works 👇

⭕🖊️ Ring signatures are a cryptographic technique that let someone authorize a transaction without revealing which key they actually used. Instead of pointing directly to a single past output, like Bitcoin does, Monero transactions reference a “ring” — a group of possible outputs consisting of the real one plus several decoys pulled from the blockchain. All outputs in the ring appear equally likely to be the real spend to outsiders.

To spend the output, the sender produces a linkable ring signature that proves two things:
1️⃣ They control one of the outputs in the ring.
2️⃣ That output has not been spent before (enforced via a unique “key image” fingerprint).

Result: Outsiders can’t tell which output was real and which were decoys, ensuring the sender’s anonymity.

🥷📨 Stealth addresses are a clever cryptographic construction that ensures that a recipient’s true wallet address never appears on the blockchain. Unlike Bitcoin, where an address corresponds to a single public–private key pair, a Monero address is made of two public keys:
1️⃣ the view key, which allows the owner to scan the blockchain for payments, and
2️⃣ the spend key, which is required to actually spend those funds.

When a sender transfers XMR, they don’t post the recipient’s address directly. Instead, they generate a random value (an ephemeral scalar) and use it with the recipient’s public view key to derive a transaction public key, which is included in the transaction. From this, they create a one-time destination key that looks like a completely unrelated, random address on the blockchain.

Then, the receiver can scan the chain with their private view key and recognize that this one-time output belongs to them. Once identified, they use their private spend key to calculate the matching one-time private key that unlocks the funds.

Result: To outsiders, each output looks like it belongs to a brand-new random address, making it impossible to link payments to the recipient’s actual wallet.

💰🔒 Confidential transactions hide the amounts being transferred while still allowing the network to verify that no coins are being created or destroyed. Unlike Bitcoin, where every output clearly states the number of coins it holds, the coin amounts in Monero are hidden inside commitments.

You can think of these cryptographic commitments as tamper-proof envelopes: everyone can see the envelope onchain, but nobody can peek inside. A cool feature of these envelopes is that they’re mathematically verifiable: if you add all the “input envelopes” and subtract all the “output envelopes” plus the fee, the math balances.

This means that the network can verify that the transaction isn’t creating coins out of thin air, even though it can’t see the actual XMR amounts hidden inside the commitments. To outsiders, every transaction amount looks like a random blob of data—nobody can tell whether the transaction is sending 10 or 50 XMR.

🥷🛜 Dandelion++ changes how transactions are broadcast across Monero’s network, making it far more difficult to trace them back to the IP address of the sender. In Bitcoin and many other cryptocurrencies, wallets immediately broadcast new transactions to all their peers, which potentially allows network observers to correlate timing and link it back to its origin.

Monero avoids this by first sending the transaction along a random, single-node “stem” path, where it quietly or stealthily hops between a few nodes—and only then is it broadcast widely to the entire network. This two-stage process further breaks the direct link between a transaction and its source, adding another strong layer of anonymity on top of Monero’s on-chain privacy features.

The ultimate result? A cryptocurrency where every transaction is unlinkable, untraceable, and confidential, offering the strongest privacy guarantees of any blockchain in use today.
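The algebra behind two of the mechanisms in this thread, stealth addresses and the "envelopes balance" check on committed amounts, as an added example that is not Monero's code. It follows the CryptoNote-style derivation (one-time key = G^H(shared) · B) in a toy multiplicative group so it runs on the standard library; the group, generators, amounts and all function names are assumptions, and the toy group offers no real security.

```python
import hashlib
import secrets

# Toy group: integers modulo a Mersenne prime. Monero uses the ed25519 curve; the
# algebra is the same, but this group is NOT secure and is only here to run offline.
P = 2**127 - 1
ORDER = P - 1                      # exponents are reduced modulo the group order
G = 3
H_GEN = int.from_bytes(hashlib.sha256(b"toy second generator").digest(), "big") % P


def hash_to_scalar(value):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % ORDER


def keygen():
    priv = secrets.randbelow(ORDER - 1) + 1
    return priv, pow(G, priv, P)


# --- stealth addresses -------------------------------------------------------
def send_to(view_pub, spend_pub):
    """Sender side: returns (transaction public key, one-time destination key)."""
    r, tx_pub = keygen()                              # ephemeral scalar r, R = G^r
    shared = pow(view_pub, r, P)                      # A^r, computable only with r or a
    return tx_pub, pow(G, hash_to_scalar(shared), P) * spend_pub % P


def is_mine(view_priv, spend_pub, tx_pub, one_time_pub):
    """Receiver side: scanning needs only the private VIEW key."""
    shared = pow(tx_pub, view_priv, P)                # R^a equals A^r
    return pow(G, hash_to_scalar(shared), P) * spend_pub % P == one_time_pub


def one_time_private_key(view_priv, spend_priv, tx_pub):
    """Spending additionally needs the private SPEND key."""
    return (hash_to_scalar(pow(tx_pub, view_priv, P)) + spend_priv) % ORDER


# --- confidential amounts ----------------------------------------------------
def commit(amount, blind):
    """Pedersen-style commitment: hides `amount` behind the random `blind`."""
    return pow(G, blind, P) * pow(H_GEN, amount, P) % P


def balances(inputs, outputs, fee):
    """Inputs must equal outputs plus fee, checked on commitments only.
    Monero also attaches range proofs so a hidden amount cannot wrap around."""
    lhs = rhs = 1
    for c in inputs:
        lhs = lhs * c % P
    for c in outputs:
        rhs = rhs * c % P
    return lhs == rhs * pow(H_GEN, fee, P) % P


def stealth_demo():
    a, A = keygen()                     # recipient's view key pair
    b, B = keygen()                     # recipient's spend key pair
    a2, _ = keygen()
    _, B2 = keygen()                    # an unrelated wallet
    tx1, out1 = send_to(A, B)
    _, out2 = send_to(A, B)             # second payment to the same wallet
    x = one_time_private_key(a, b, tx1)
    return {"recognised": is_mine(a, B, tx1, out1),
            "other_wallet": is_mine(a2, B2, tx1, out1),
            "outputs_unlinkable": out1 != out2 and out1 != B,
            "can_spend": pow(G, x, P) == out1}


def amounts_demo():
    blinds = [secrets.randbelow(ORDER), secrets.randbelow(ORDER)]
    inputs = [commit(30, blinds[0]), commit(25, blinds[1])]
    o1 = secrets.randbelow(ORDER)
    o2 = (sum(blinds) - o1) % ORDER                   # output blinds sum to input blinds
    honest = [commit(50, o1), commit(4, o2)]          # 30 + 25 = 50 + 4 + fee of 1
    inflated = [commit(50, o1), commit(14, o2)]       # tries to create 10 coins
    return balances(inputs, honest, fee=1), balances(inputs, inflated, fee=1)


if __name__ == "__main__":
    print(stealth_demo(), amounts_demo())
```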
Common Knowledge of Blockchains retweeted
Common Knowledge of Blockchains (@CommonKnowledg_)
Enter Part 5️⃣ of our Onchain Privacy series! 🥷 In our previous posts, we covered Bitcoin's CoinJoin and Ethereum's TornadoCash and RAILGUN privacy protocols. Today, we’ll dig into Zcash—an L1 chain built for privacy from the ground up. Let's jump right in 👇

Launched in October 2016, Zcash is a privacy-focused cryptocurrency that has undergone several protocol updates since its inception and still remains under continuous development.

Fun trivia 👇 Zcash originally required a trusted setup because its zk-SNARK proving system needed public cryptographic parameters derived from a secret random value. If that value survived, it could let someone forge proofs and mint counterfeit $ZEC undetectably.

To prevent this, Zcash held a global multi-party ceremony where participants each contributed randomness and destroyed their share of the secret. The idea was that, as long as one person was honest, the secret could never be reconstructed. The event became legendary, with Edward Snowden revealing in 2022 that he was one of the participants.

For all of you nerds out there, this podcast on The Ceremony is an awesome listen: radiolab.org/podcast/ceremo…

Now, the tech 👇 In 2022, Zcash introduced Orchard, its latest shielded pool, which utilizes the Halo 2 proof system to facilitate private transactions without requiring a trusted setup.

Because Zcash started as a fork of Bitcoin, the easiest way to understand it is by comparing it to Bitcoin. In Bitcoin, coins are represented as unspent transaction outputs or UTXOs. Each UTXO is locked to a public key (an address). To spend one, you present a valid signature proving you own the corresponding private key.

A Bitcoin transaction is a list of inputs (spent UTXOs) and outputs (new UTXOs). Because the entire Bitcoin ledger is public, everyone can see:
→ Which inputs are being spent,
→ Which addresses receive the new outputs,
→ And how many satoshis are transferred.

This transparency makes Bitcoin easy to audit, but it also means anyone can trace your transaction history.

Zcash differs in that it has two types of addresses:
→ T-addresses, which are public, and work exactly like in Bitcoin (UTXOs)
→ Z-addresses, also known as shielded addresses, which are entirely private and hide the sender, the recipient, and the amount of ZEC transferred.

So, if all coins in Bitcoin exist in a single transparent value pool, in Zcash, coins exist in two value pools: one transparent (UTXOs) and one private (notes and commitments). You can think of the value pools as bookkeeping categories at the consensus level that the chain uses to enforce supply balance or keep track of the total coin supply.

This means that every transaction moves $ZEC either:
→ Inside the same pool (transparent to transparent, or shielded to shielded), or
→ Transfers between pools (transparent to shielded, and vice versa).

When coins are transferred between different pools, the amount transferred is revealed, allowing the chain to track the coin supply.

Inside shielded pools, value is carried as notes rather than UTXOs. A note is like a locked envelope containing:
→ The amount of $ZEC being transferred
→ The destination z-address (shielded payment address)
→ Random data to ensure uniqueness

Notes are created as outputs (think private UTXOs) of shielded transactions every time you send ZEC to a shielded address. And every time one is created, a note commitment—a cryptographic fingerprint derived from the note’s contents (amount, recipient, randomness)—is published onchain.

The note commitment is essentially a verifiable public marker that says, “this note is real and part of the ledger,” without disclosing its contents.

Then, when you spend a note (send your $ZEC to a z-address), you don’t directly reference the commitment (like Bitcoin consumes inputs to create outputs with UTXOs), but instead publish a nullifier. The nullifier is a one-time, serial-number-like value derived from the note and your secret key.

Once revealed, the nullifier marks that note as “spent.” Crucially, no one can link the nullifier back to the original note commitment, which prevents double-spending without compromising privacy.

Besides the note commitment and the nullifier, every shielded transaction also contains a zk-SNARK proof that ties everything together. This proof, published onchain as part of the transaction data, convinces all network nodes that:
→ The inputs you’re spending really exist in the shielded pool.
→ You actually own them (you know the right keys).
→ You haven’t spent them before.
→ The total inputs equal total outputs (no money creation).

Obviously, the zk-SNARK proof does this without revealing which notes you spent, who you’re paying, or how much you’re transferring.

What makes Zcash unique, especially compared to Monero, is that its privacy is optional and flexible. You can choose to send transactions transparently, just like on Bitcoin, or you can transact entirely in the shielded pool, where amounts and addresses remain private.

Even when you opt for full privacy, Zcash gives you the ability to selectively share information later. With viewing keys, you can grant someone access to see only your incoming deposits, or both your deposits and withdrawals. This feature enables auditability and regulatory compliance when needed—without sacrificing privacy as the default.

🧵🔚 Stay tuned for our next explainer on Monero!
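The note, commitment and nullifier bookkeeping described in this thread, as an added toy model that is not Zcash's code. SHA-256 and HMAC stand in for Zcash's commitment and nullifier functions, and the checks a zk-SNARK proves in zero knowledge are run here by a verifier that sees the note, so this model shows the accounting rules and not the privacy; all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def h(tag, *parts):
    """Domain-separated, length-prefixed SHA-256 (stand-in for Zcash's hash functions)."""
    data = tag.encode() + b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(data).hexdigest()


def address_of(spend_key):
    return h("addr", spend_key)


@dataclass(frozen=True)
class Note:
    value: int
    address: str
    rho: bytes          # per-note randomness, so equal notes get distinct commitments

    def commitment(self):
        return h("cm", self.value.to_bytes(8, "big"), self.address.encode(), self.rho)

    def nullifier(self, spend_key):
        # Derived from the note and the owner's secret key; unrelated to commitment().
        return hmac.new(spend_key, b"nf" + self.rho, hashlib.sha256).hexdigest()


class ShieldedPool:
    def __init__(self):
        self.commitments = set()  # public
        self.nullifiers = set()   # public
        self.value = 0            # pool total, visible because pool crossings are public

    def shield(self, value, address):
        note = Note(value, address, secrets.token_bytes(32))
        self.commitments.add(note.commitment())
        self.value += value
        return note               # handed to the owner, never stored in the pool

    def spend(self, note, spend_key, to_address=None):
        """The statements the proof covers: exists, owned, unspent, value conserved."""
        if note.commitment() not in self.commitments:
            raise ValueError("note does not exist")
        if address_of(spend_key) != note.address:
            raise ValueError("spender does not own the note")
        nf = note.nullifier(spend_key)
        if nf in self.nullifiers:
            raise ValueError("double spend")
        self.nullifiers.add(nf)
        if to_address is None:    # unshield: the amount leaves the pool publicly
            self.value -= note.value
            return None
        new_note = Note(note.value, to_address, secrets.token_bytes(32))
        self.commitments.add(new_note.commitment())
        return new_note


def demo():
    pool = ShieldedPool()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    n1 = pool.shield(5, address_of(alice_key))
    n2 = pool.shield(5, address_of(alice_key))        # same value, same owner
    bob_note = pool.spend(n1, alice_key, address_of(bob_key))
    results = {"commitments_differ": n1.commitment() != n2.commitment()}
    for label, args in (("double_spend", (n1, alice_key)), ("wrong_key", (n2, bob_key))):
        try:
            pool.spend(*args)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    pool.spend(bob_note, bob_key)                     # Bob unshields his 5
    results["pool_value"] = pool.value
    results["public_state"] = (len(pool.commitments), len(pool.nullifiers))
    return results


if __name__ == "__main__":
    print(demo())
```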