Vitalik Buterin Proposes Tests to Evaluate Crypto Project Security and Decentralization


In a recent address at the Ethereum Community Conference (EthCC), Vitalik Buterin, co-founder of Ethereum, introduced a series of practical tests that users and developers can use to assess whether crypto projects are truly secure, resilient, and decentralized—as they often claim to be. These frameworks go beyond marketing language, offering tangible ways to evaluate the structural integrity of blockchain-based systems.

The Walkaway Test: Can Users Escape If the Company Disappears?

The first and most fundamental test Buterin proposed is the "Walkaway Test." This evaluates what happens if a company—and all its servers—suddenly vanish. Would users still be able to access and control their assets?

The core idea is simple: in a truly decentralized system, user assets should not depend on any single company’s infrastructure. Instead, they should reside on-chain, where ownership is enforced by cryptographic proofs rather than centralized custody.

Buterin emphasized:

“This is like the baseline thing you should aim for—getting away from having assets locked on a server.”

He cited private embedded wallets as an example of good design. These wallets allow users to export their private keys and move them to another wallet provider. This capability ensures that even if the original service shuts down, users retain full control over their funds.

Similarly, he highlighted Farcaster, a decentralized social media protocol built on blockchain. On Farcaster, users link their social identity to an Ethereum account, which serves as a backup address. If the app disappears, users can still prove ownership and migrate their identity elsewhere.

“What’s impressive here is that decentralization isn’t just talk—it’s baked into the architecture,” Buterin noted.

The Insider Attack Test: What Happens When Trust Is Betrayed?

The second test—called the “Insider Attack Test”—asks a critical question: If a company’s insiders (founders, employees, or administrators) decide to act maliciously, how much damage could they cause?

Most security models focus on external threats like hackers or phishing attacks. Buterin argued that internal threats are equally dangerous and often overlooked. A truly robust system should limit the power any single insider holds—whether over smart contracts, user interfaces, oracles, or governance tokens.

For example:

These vulnerabilities create central points of failure—even in projects marketed as “decentralized.”

Buterin acknowledged progress:

“Many projects in the ecosystem are already thinking seriously about these issues. But this needs to become a first-class priority across the board.”

Projects that pass this test typically implement multi-signature controls, time-locked upgrades, transparent governance processes, and open audits.

Trusted Computing Base (TCB): How Much Code Do You Trust?

Another crucial concept Buterin discussed is the Trusted Computing Base (TCB)—essentially, the amount of code users must trust for a system to function securely.

He challenged developers and users to ask:

“How many lines of code do you actually trust not to betray you?”

Ideally, this number should be small. The smaller the TCB, the easier it is to audit and verify. However, many modern systems run on millions of lines of code, making full verification nearly impossible.

Buterin clarified that large codebases aren’t inherently bad—if most of the code runs in isolated environments (like sandboxes) or doesn’t handle critical operations. The danger arises when the TCB becomes so bloated that no individual or team can reasonably review it.

“Even systems claiming to be ‘trustless’ end up being trust-based in practice if their TCB exceeds human auditability.”

This underscores the importance of modular design, formal verification, and minimizing privileged components.

Game Theory Analysis: Are Incentives Aligned With Decentralization?

Buterin’s final test involves analyzing the game-theoretic properties of a system—essentially asking: Do user incentives encourage decentralized behavior?

He warned that even well-designed protocols can become centralized in practice if convenience outweighs decentralization benefits. For instance:

This mirrors how Web1 evolved into Web2: open protocols gave way to convenient but centralized platforms.

“Without viable decentralized alternatives, users will naturally drift toward centralized providers—undermining the entire purpose of decentralization.”

To counter this, builders must ensure that decentralized options are not only secure but also user-friendly and economically sustainable.

Frequently Asked Questions (FAQ)

Q: What is the Walkaway Test?
A: It assesses whether users can retain access to their assets if a company shuts down. Passing means assets are stored on-chain and keys are exportable.

Q: Why is insider risk important in crypto?
A: Because even decentralized projects may have admin keys or governance mechanisms that allow insiders to make unilateral changes—creating central points of failure.

Q: How does TCB affect security?
A: A large Trusted Computing Base increases attack surface and reduces transparency. Smaller, auditable codebases enhance trustlessness.

Q: Can a project be technically decentralized but practically centralized?
A: Yes. If user behavior or economic incentives favor centralized services (e.g., relying on one oracle or node provider), real-world centralization occurs despite technical decentralization.

Q: What role does game theory play in decentralization?
A: It helps predict how rational actors will behave. If convenience or cost drives users toward centralization, the system fails its decentralization goals—even with perfect code.

Conclusion

Vitalik Buterin’s proposed tests offer a much-needed framework for cutting through hype and evaluating crypto projects based on real resilience. Rather than accepting claims at face value, users and developers should apply these principles:

By adopting these evaluations, the crypto community can build systems that are not just called decentralized—but proven to be.