The New Architecture for Ethereum Privacy: Introducing RAILGUN v3
As the saying goes, good things come in threes. Soon, there will be another thing to add to the list of things which are good and that there are three of. After many months of hard work, RAILGUN v3 is around the corner (assuming the proposed upgrades pass governance vote). With RAILGUN v3, contributors continue the tradition of relentlessly shipping groundbreaking on-chain privacy tech. V3 is a ground-up reshaping of the RAILGUN architecture which will propel RAILGUN further as the best (and only) choice for truly decentralized private DeFi on Ethereum and EVM.
The headline changes in v3:
- Contract modularization & gas savings
- Broadcaster alternatives
- Private intents
- New DeFi possibilities with Access Card NFTs
Let’s dive into each of these upgrades and what they mean for the RAILGUN privacy system, along with some important information about migration.
TLDR: RAILGUN is about to become massively more useful, cheaper, and resilient, once and for all solving Ethereum’s privacy problem.
1. Modularization & Gas Savings
The biggest change to come in v3 will be a reduction in gas costs. Making RAILGUN cheaper to use has been a goal of contributors since the very beginning of the protocol. Arguably, the only reason that RAILGUN was feasible in the first place is that contributors were, after extensive research, able to optimize on-chain Zero-Knowledge verification to a usable transaction cost. This is also the main reason there are no real alternatives to RAILGUN: the protocol’s gas optimizations are an extremely wide competitive moat, a moat which is about to get even wider in v3.
Gas costs of RAILGUN transactions will come down significantly thanks to some clever protocol design. The RAILGUN contracts are currently monolithic, meaning the core privacy system is contained in one contract with the AdaptRelay contract acting as an external interface. Ethereum/EVM has a contract size limit (each contract can hold ~24.5 kilobytes of code) and RAILGUN v2 is approaching this limit. RAILGUN v3 will split the privacy system into multiple contracts. This modular design improves flexibility and overcomes the contract size limit.
Individual components in v3 can be upgraded without needing to change the whole system and protocol design can be tailored to specific use cases.
The new modularized contracts are:
- TokenVault — Handles shielded funds.
- Accumulator — Maintains shielded token states and ledger of 0zk addresses.
- Verifier — SNARK proof verification, can now have multiple verifiers for specific purposes.
- Registry — Tracks the contracts that have been accepted by governance.
Cross-Contract Gas Savings
Currently, RAILGUN users have access to a robust suite of private DeFi features, including private swaps, yield, and LP provisioning, with more being built out by a community of builders all around the world who use the RAILGUN SDKs. In v3, these transactions will be cheaper by around 50–60%. Lowering transaction cost will increase adoption as users of all portfolio sizes can more easily trade privately on-chain. This in turn boosts protocol privacy as complex DeFi transactions add extra noise to the overall RAILGUN anonymity set, creating a positive flywheel where lower gas results in more users, which boosts anonymity, attracting more capital.
Private DeFi calls external contracts and these transactions are known as cross-contract calls. In the v2 architecture, a DeFi transaction begins by unshielding to the AdaptRelay contract which then executes the external contract logic and reshields the result. The parameters of these transactions are bound into the SNARK proof and verified, such that a transaction is only valid if the desired result is met.
For example, a swap of 1 WETH for 5,000 RAIL would occur in this way:
- 1 WETH is unshielded to the AdaptRelay contract.
- AdaptRelay contract calls an external swapping contract, such as the Uniswap Router, to receive 5,000 RAIL.
- The resulting 5,000 RAIL is reshielded into the original 0zk address.
To do this, the internal state of RAILGUN must be updated twice (once on the unshield and another time on the reshield of the transaction outcome), which incurs computation and gas costs on both ends of the transaction. This is because in v2, the RAILGUN contract cannot guarantee it will be called the second time to commit updates.
In v3, this state update is performed only at the end of the transaction, halving the gas cost of this task. As the Verifier (which checks the transaction results) is now its own contract, it can handle new complex logic like setting token spend allowances or ensuring its own execution after the completion of the external contract calls.
Modularization also opens the possibility for multiple Verifier contracts, tailored to the transaction type leading to even more gas savings. For example, there could be a Verifier specifically for 0zk-to-0zk transfers, one for cross-contract calls, or even one for a specific protocol’s cross-contract calls, each with bespoke logic to save as much gas as possible. As not every transaction type requires all actions (private 0zk to 0zk transfers don’t require storage to set allowances for example), having tailored Verifier contracts only updates necessary state, saving additional cost.
Accumulator Updates (and even more gas savings)
When a user spends tokens from or shields tokens into a 0zk address, the Accumulator records this in the spending system’s ledger so that UTXOs and balances can only be spent by the rightful owner and that there are no double spends. This encrypted accounting of balances can sometimes have a high storage cost.
Right now, this data is organized (accumulated) into an encrypted Merkle Tree, and thanks to the modularity of v3, Accumulators can be swapped and added to, such as moving to a KZG commitment scheme or having multiple Accumulators. KZG commitments are a type of polynomial commitment with a consistent proof size and are significantly cheaper to update for large data sets like the RAILGUN Accumulator.
KZG commitments will further reduce gas costs for all RAILGUN transactions (not just cross-contract calls but shielding, unshielding, and transfers too) by at least 30% and up to 70%. This is because the number of storage slots needed drops from up to 17 to 1 and updating KZG commitments is a much lighter operation than updating a Merkle Tree (which requires 16 hashes from a SNARK friendly function like Poseidon).
KZG will be an update coming after the initial deployment of v3 and will further extend RAILGUN as the cheapest on-chain protocol by far, bringing a RAILGUN transaction cost down to be comparable with a regular Ethereum transaction.
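Where the "16 hashes" and "up to 17 storage slots" figures for a Merkle accumulator can come from, as an added example that is not RAILGUN's contract code: a generic append-only (incremental) Merkle tree that counts the hashes and slot writes of each insertion. The depth of 16 is inferred from the 16 hashes quoted above, SHA-256 stands in for Poseidon, and all class and function names are hypothetical.

```python
import hashlib

def h(left: bytes, right: bytes) -> bytes:
    # Assumption: SHA-256 stands in for a SNARK-friendly hash such as Poseidon.
    return hashlib.sha256(left + right).digest()

class IncrementalMerkleTree:
    """Append-only Merkle tree that keeps one 'filled subtree' node per level."""

    def __init__(self, depth: int = 16):
        self.depth = depth
        self.next_index = 0
        # zeros[i] is the root of an empty subtree of height i.
        self.zeros = [b"\x00" * 32]
        for _ in range(depth):
            self.zeros.append(h(self.zeros[-1], self.zeros[-1]))
        self.filled = list(self.zeros[:depth])  # models `depth` storage slots
        self.root = self.zeros[depth]           # models one more storage slot

    def insert(self, leaf: bytes) -> dict:
        """Append a leaf and return the hashes and slot writes it cost."""
        if self.next_index >= 2 ** self.depth:
            raise OverflowError("tree is full")
        index, node, hashes, writes = self.next_index, leaf, 0, 0
        for level in range(self.depth):
            if index % 2 == 0:
                # Left child: store it for the right sibling that comes later.
                self.filled[level] = node
                writes += 1
                node = h(node, self.zeros[level])
            else:
                # Right child: pair with the stored left sibling, no write.
                node = h(self.filled[level], node)
            hashes += 1
            index //= 2
        self.root = node
        writes += 1  # the new root is always stored
        self.next_index += 1
        return {"hashes": hashes, "slot_writes": writes}

def insertion_costs(depth: int, count: int) -> list:
    """Cost of each of the first `count` insertions into an empty tree."""
    tree = IncrementalMerkleTree(depth)
    return [tree.insert(bytes([i % 256]) * 32) for i in range(count)]

if __name__ == "__main__":
    for i, cost in enumerate(insertion_costs(16, 4)):
        print(i, cost)
```

Every insertion costs 16 hashes regardless of position, while slot writes vary with the leaf index and peak at 17 for the first leaf; a scheme that keeps a single commitment rewrites one slot per update.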
2. Broadcaster Alternatives
RAILGUN v3 enables the introduction of new options to the Community Broadcaster system. Community Broadcasters play an important role in RAILGUN as they submit and pay gas for users, meaning that when viewed on a block explorer, the transaction appears to originate from a Broadcaster. This hides the sender’s 0x address, with users also having the option of self-Broadcasting transactions with any 0x wallet they own.
Sometime after the deployment of v3, RAILGUN transactions can move to their own dedicated ERC-4337 alt-mempool (the pool of pending transactions before confirmation). A new kind of actor gaining prominence in the transaction supply chain is the solver: a bot which finds the best path to execute a user’s transaction or intent (more on intents below). Solvers are exciting as they can provide better execution (for example less price slippage on a large trade) and perform complex actions like advanced limit orders as they are route agnostic.
Having a RAILGUN dedicated alt-mempool will enable the wider network of solvers to also Broadcast transactions for users, expanding the Broadcaster network. Solvers would compete on their fees and ability to guarantee the execution of RAILGUN transactions, leading to cheaper and more reliable RAILGUN transactions thanks to increased Broadcaster supply. To be clear, this change to Broadcasters is only in the early research stages, but contract modularization makes it possible because Verifiers can be tailored.
3. Turning up the Intents-ity
Another new feature enabled by v3 is support for intent-like designs. Instead of individual isolated transactions executed on a single protocol or maybe an aggregator, intents are signed messages that only specify a user’s desired outcome. Unlike transactions, which must have their execution path defined beforehand, intents can take any route that gives the best execution, regardless of where the liquidity is or how many pools the transaction needs to go through. Users specify an intent (e.g., swap 100 ETH for 100,000 RAIL) and solvers will find the best path, through all on-chain liquidity, or through finding a coincidence of wants. A solver might break up that 100 ETH, sending some of it to Uniswap v3, another portion to SushiSwap, and matching the final portion with another trader’s intent to sell some RAIL on CoW Swap. All the user wants is to get their 100,000 RAIL with the lowest price impact; the intermediate steps are unimportant.
Intents are quickly gaining prominence as an improvement of user experience in DeFi as they offer objectively better prices for trades and guard against MEV. The success of protocols like CoW Swap and Uniswap X shows how this new kind of design is taking hold in DeFi, with more and more volume flowing through solvers every day. Swaps are just the beginning of what’s possible with intents and they are only beginning to be explored. No matter what form intents take, it will be possible to privatize your intents using RAILGUN.
V3 enables support for this new and exciting form of on-chain transaction as the core contracts can now set token spend allowances and have intent-specific Verifiers (enabling valid non-atomic proofs). As RAILGUN is compatible with basically everything else on-chain, it will likely be the first protocol to support private intents.
4. Access Card NFTs & New DeFi
Another key upgrade in v3 is support for leverage-based DeFi in the AdaptRelay contracts. This means, through Cookbook SDK integrations, users will be able to access DeFi sectors like perps, lending, and collateral-based stablecoin minting, removing limits on the economic activity RAILGUN can privatize. After v3, users will be closer to the reality of remaining shielded for all their DeFi activity, enjoying full wallet-side privacy whilst being able to interact with the entirety of Ethereum.
v3 Updates — Access Card NFTs
DeFi protocols with margin, such as a lending protocol like Aave, require the tracking of collateral health to ensure liquidation, otherwise the protocol cannot compel users to repay their loans, leading to bad debt. In public DeFi, this is easy as positions are tied to an easily tracked 0x address. This is harder in private DeFi as 0zk addresses are never exposed and the protocol cannot track position health. Each individual user on these platforms will have different margin levels, liquidation prices, or collateral health. As these points are unique to each wallet, positions can be represented as NFTs. To enable interactions with leverage protocols from 0zk addresses, v3 will include the ability to shield NFTs through the AdaptRelay.
For example, Alice might deposit 1 WETH into a lending protocol and borrow 1,000 USDC with a liquidation price of 1,200 USDC per WETH. On the other hand, Bob might deposit 1 WETH as well but borrow only 800 USDC, leaving his liquidation price at 1,400. Alice and Bob’s loan conditions are different and can thus each be wrapped as an NFT with a different token ID. Through this NFT backpack system, Alice and Bob would be able to enter, exit, and pay back these borrow positions from their 0zk addresses.
These NFTs are known as Access Cards and will also support ERC-6551, which is a standard for an NFT to own a 0x account, enabling further DeFi functionality such as 1-click trading on perpetual futures platforms.
Access Cards also have some cool extra properties such as being able to deploy and modify a smart contract such that a user can control a smart contract from their shielded 0zk address.
Post v3 Updates — RAILGUN Connect
Following v3, contributors will be working on RAILGUN Connect, a similar tool to WalletConnect that enables injecting into most dApps WITHOUT an integration. RAILGUN Connect will remove most limits to what you can do from a 0zk address, bringing private functionality of Ethereum up to a similar level as that of public use. This fact, combined with cheaper gas will further accelerate RAILGUN adoption such that anyone can use Ethereum privately without incurring high costs or losing out on their ability to participate in the wonderful world of decentralized finance.
RAILGUN Connect changes the value proposition of RAILGUN completely, as instead of the heavy dev hours required for an integration per dApp, 0zk addresses can simply connect to most frontends for private use, removing all barriers to privacy. Whilst this upgrade is multiple months away, contributors have a path forward to building this out and will begin working on the architecture after v3.
5. Wen? After Audit & Proposals
As RAILGUN v3 is critical financial technology that will eventually be used by hundreds of thousands of people per day, contributors are taking time to ensure the codebase is secure and private. Following completion of contract development, the code will go to an elite-tier audit firm for a comprehensive security audit. This firm is well known as one of the best smart contract security firms out there and will publish the audit publicly upon completion.
Like all RAILGUN protocol smart contract changes, v3 will then go through the governance process. Stakers and participants in the RAILGUN governance system can examine the code for themselves and express their views through voting on the deployment of v3. As there are 4 RAILGUNs (Ethereum & Arbitrum — RAIL, Polygon — RAILPOLY, and BSC — RAILBSC), it is very unlikely that all will upgrade at the same time (some may not upgrade at all) so it’s important for active governors to take time to educate themselves. If you are an active governor, please keep an eye on @RAILGUN_Project on Twitter and the governance discussion Discord for announcements on the leadup to the v3 release.
Following the deployment of v3, users will have the option of migrating their v2 assets, as the 2 architectures, whilst different, are completely backwards compatible with a shared anonymity set. After v3,
6. RAILGUN Solves Ethereum Privacy
With v3 and the slated upgrades to come after it, RAILGUN will accelerate as the best form of privacy on Ethereum and EVM. It will be the cheapest and most functional privacy protocol that is entirely on-chain with robust assurance features. What’s more, it will be the first privacy protocol to achieve what was previously only possible in theory: completely generalized privacy functions, in the form of RAILGUN Connect.
Adoption of the RAILGUN system in 2023 has been massive: TVL and volume have continued to trend upwards, with most months seeing at a minimum $50 million in volume. For context, monthly volume numbers are now similar to the total volume of the contracts in the first year of RAILGUN. This exponential growth is due to continue in 2024, especially after the release of v3, so strap in and join the discussion in Telegram, Discord, or on Twitter.