[RFC] Xi'an: Delivering Hyperscale for Radix

Posting for community discussion: a proposal to deliver Xi’an - a production-ready, linearly scalable, post-quantum-ready implementation of Radix - building from the existing hyperscale-rs prototype through to a mainnet-ready build.

Headline terms:

• 18 months to mainnet-ready delivery, plus a 12-month post-launch support window

• $300,000 USD-equivalent across acceptance and five delivery milestones, paid in XRD (30-day TWAP per payment)

• Apache 2.0 licensing of the existing hyperscale-rs codebase on proposal acceptance - becoming a community public good from day one of the project

• Milestones signed off by the Radix Accountability Council, disputes arbitrated by a mutually-agreed neutral third party

• A high-level staking and topology model is put forward for ratification alongside the proposal, so development can begin on day one rather than waiting on open debate of the consensus-seat rules

Full proposal: https://hyperscale.rs/xian_proposal.pdf

Motivation, milestone detail, scope, risks, and a technical appendix on staking are all in the PDF. Happy to take questions and feedback in-thread, or on Telegram.

Let’s ship Xi’an!

Thank you @flightofthefox for this proposal, to me you have already proven your worth with HS-RS, do I’m supportive of your proposal. Though I have several questions I want to clarify first:

• Do you foresee any dependencies that are out of scope in your proposal, but still mandatory to have a functional Xi’an mainnet ?
• Right now, liquidity is extremely thin on radix, any few mil dump can easily tank the price. I would be more confortable if there are some mitigation in place to avoid having you dump a large amount of XRD when in low liquidity
• Validator Jailing
  • at which milestone will it be implemented ?
• Re milestone 4
  • “Alpha desktop validator application (cross-platform desktop framework)” can you list which platforms you plan ?
• Re milestone 6
  • “success of mainnet” you have defined success measurement on “whether the developer fulfilled the support role”. I think we also need to define the reasonable and minimum expected performance of the main net (ie: tps, finality etc.). As you can technically deliver one, but not on that can realistically do the job
• This is a large project with a substantial payment. Will you KYC (not necessarily publicly, but to RAC at least ?)

Regarding on who shall fund this proposal, obviously the DAO will be the major contributor. But I would really want to see some support from RDXW here.

Thanks for the kind words and the questions, taking them in order:

1. Dependencies out of scope but mandatory for a functional Xi’an mainnet?

Yes, a few:

• Wallet updates if M2 adaptations force any breaking API changes at the gateway layer.
• Readiness of third-party integrations.
• Validator participation on Stokenet before mainnet. Can’t test at scale without people running nodes.
• Any third-party audit between M4 and M5, if the community and/or validators think it’s needed before enacting.

Other than that - the work is fairly self-contained given that Gateway rewrite is already a part of it.

2. XRD dump mitigation

Fair concern, but I’d note most of it is already handled by the structure of the proposal:

• The $300K is split into six USD-denominated payments across 18+ months, not a lump sum.
• Each payment is TWAP’d at conversion, which already smooths single-day volatility at receipt.
• The 50M XRD bonus at M6 is denominated in XRD rather than USD, which means my long-term interest is structurally aligned with a healthy price. Dumping would work against both me and the project.

On the bigger picture: taking payment in XRD rather than USD is as much about having a tangible stake in the network’s success as it is about funding the work. Handling disposals thoughtfully follows from that; it’s as much in my own interest as anyone’s.

Also, I hope (though can’t guarantee), that interest leading up to the Xi’an release will drive net new interest in XRD over and above the proposal amount.

3. Validator Jailing, which milestone?

The jailing machinery (performance rating, removal from consensus on sustained failure) is part of M1’s validator lifecycle work. It’s consensus-level, not application-level. Any integration with the rewritten staking contract lands in M2, but the mechanism itself is M1.

Worth flagging in case it’s the motivation for the question: in Xi’an, validator registration is handled by the global consensus process (beacon-chain-like), not owned directly by the Radix Engine’s ConsensusManager which is tied to a single shard. So the Xi’an jailing feature wouldn’t be back-portable to Babylon.

4. M4, which platforms for the desktop validator app?

macOS, Windows, and Linux. Likely it’ll be done with either Electron (more battle-tested) or Tauri (to really double-down on Rust in the stack) - both options support all three.

5. M6, minimum expected mainnet performance

Fair point. My current indicative targets - to give you a shape: ~1,000 TPS per shard and around ~5s finalisation on uncontended state. All current simulations indicate this should be achievable.

Total network TPS scales with the number of shards running, which is itself emergent; shards split when demand calls for it and enough validators are available to populate another one, not something fixed in place.

Also, finalisation will depend a lot on the composition of validator hardware and network links across each active committee set. And one honest unknown worth flagging up front: post-quantum primitives are inherently more computationally and bandwidth-expensive than their classical counterparts, and the final PQ selections in M5 may shift the calculus on finalisation numbers somewhat.

I should stress, that even though there’s a lot of factors which make giving hard commitments difficult this early before mainnet - all possible efforts will be made to hit the indicated numbers. If there are more performant ways to do things (without just requiring validators to throw more hardware at the problem) - they will be persued relentlessly. I won’t give up any seconds of finalisation without exhausting every possible solution.

That all said - I think it should be possible for the RAC and I to agree a minimum performance envelope (per-shard TPS floor, finality bound, shard availability, etc.) calibrated to the specific network parameters and PQ primitives, during stokenet, before actually going live at mainnet. Then it can be clear that missing that envelope for a sustained period, where the cause is attributable to the Xi’an codebase, folds into the M6 failure condition.

6. KYC?

Yes, happy to KYC with the RAC.

7. RDXH co-funding

Out of my hands, but I’d welcome it. IMHO - a shared funding signal from RDXH and the DAO would be meaningful, both for the DAO treasury - and as a vote of continued confidence in the network itself.

Great proposal @flightofthefox!

A question on the validator reward model:
Jailing is described as the sole penalty mechanism, triggered by sustained underperformance crossing a rating threshold. What about reward behaviour within an epoch, above that threshold?
If a validator holds an active seat for an epoch but underperforms during it — e.g. missed proposals — without getting jailed, do they still receive the full base reward, or is there a proportional component tied to actual per-epoch performance (e.g. share of blocks proposed)?

Rating deltas are explicitly governance-set, but the shape of the reward function (binary-while-active vs. proportional-within-epoch) feels more like a model-level decision. Does the proposal take a position on this, or is it also left to governance?

Great question!

Yes - technically there will also be the reliability gate to earning emissions which can be considered a light form of penalty (though ephemeral). I see no reason why we’d want to change that model from what Babylon currently does.

Currently the Babylon emissions earned is calculated such:

emissions_factor = max(0, (reliability - min_required) / (1 - min_required))
# Where:
# reliability:  your rate of successful proposals (I.E. proposals that were
#               enacted rather than just timing out - causing a view change.)
#
# min_required: the minimum rate you need to get any emissions (updatable
#               with protocol upgrade).

So a min_required of 96% means if your reliability is 96% (or less) you get zero emissions. At 98% you get half the normal amount. At 100% you get full emissions.

Worth noting that in Bablylon the min_required is currently 100% I believe - so it’s more of a binary outcome. However in Xi’an epochs may be longer* as they’ll be driven from a slower-tick global consensus process (which ingests the reliability measures from each shard regularly).

Since the epochs will be longer - it may be logical to make the min_required slightly more lenient (less than 100% but still high).

*The target global epoch length will need to be worked through, in the math, as a matter of total network overhead. Since the committee set for that process will be all active nodes compared to the smaller shard group committees of ~100.

Your proposal is fantastic, awesome and errr,…unique. I have one request. Let’s see you and the work you have done in action.

Whilst I’d hate to send a battalion of fire crews out to an imaginary fire, as a non coding, technical desert I am relying purely upon your apparent brilliance and bonhomie as a matter of trust.

You are, in short taking over the crown, which is fine, but the last King was the reason I spanked too much money into this project. He was visible and public facing and sold me his dream, by being visible. As of yet I only know you as a reformed shithouser with a long, respected reputation of technical ability, labelled by other community members .

Genuine thanks for stepping up and apparently producing some amazing work these last 6 months .Your (both real and potential) financial rewards deserve to be life changing, but I am left thinking my investment is in the hands of a Puppy Fox who still lives on the family sheep farm in Karngarua under the shadows of the Fox Glacier and whose Mum drives a submarine across the Pacific bi annually so that she can pilfer a few grams to help feed her son’s habit.

My only negotiating point to your excellent proposal is :

Would love to see you do a video link Q + A session with community members with a cheeky addition that you start off sober and we all play a drinking game and you prove that you don’t get pissed up on 2 pints of Speights.

Hi.
This is my personal opinion on this proposal.
Congratulations with a brilliant proposal. Love it. And I will most likely support it.
The 300K in XRD is a good and strong commitment to Radix. I support it.

There are some aspects of the proposal that I would like you to comment and/or reconsider.

1. The Milestone 6 is to me the weakest part of this proposal. And I would like to see it removed.
   It’s great to signal that you will stay and support. But you swap it to a success bonus of 50 Mill XRD at a time where this is not a one-man-band anymore. It will take a lot of effort from many to run that migration and go live. Your bonus may be seen as a limitation and set precedence on what others may demand to support the same mission. It is way to far out in time to set the criteria for such a bonus to a single person. And the description is also weak of the same reason.

2. The proposal should be strengthen on the Continuity aspect. What happens if a milestone is delayed. What if… We all know how delays or unplanned events can freak out anyone in this community. There must be built some security net around this proposal. Maybe the best thing would be to establish a Working Group alongside this proposal. With more ppl around you doing different things on different proposals and led by a WG Lead.

3. I would like to see a stronger test plan (private or public) and define what is in your responsibility and what not. Milestone 4 mention Stokenet test. What role do you play and what do you not cover. And so on.

• Daffy

Absolutely great and massive work in the repo !

I think the only thing missing is the details, but overall, everything is there.

I thought about Xi’an but this proposal contains also the Engine to fit in and also the gateway rewrite, more, also a desktop GUI for each new validator that will be setup at home.

Validator model per-seat is great and also preparations for post-quantum

I simply wonder which of the well-know DLT could compete with this

btw, also for anyone non-dev wondering if this is for real here it is a simulation with 3 shard, 4 validators each

image1920×837 145 KB

I would like to begin moving this forward towards a vote. The current plan is to announce a vote for next week and finish discussion this week. See the Hyperscale telegram chat for more info or respond here with any important information if you are one of the people closely involved in completing this process. Thank you!

Thanks for taking the time to create and submit the proposal Foxy and also for your work to date on the hyperscale-rs repo. It’s much appreciated.

Couple of questions and comments from me.

Comments
re the Milestones signed off by the RAC. Personally I feel this should be a community governance decision and not a RAC one. The community should decide if a milestone has been achieved. The RAC might not be here in 18 months, the community will be.

Questions
How much of the work done to-date can be attributed to each of the development milestones. ie. How far along are you already on these milestones? 0%, 20%, 50%?

Does the warranty period also extend to cover the findings from an audit if and when it happens? eg. a number of Critical findings are found, who would be responsible for remediating those?

My understanding of post-quantum cryptography is that it is computationally more complex and therefore expensive and slower. Does the task of making the protocol post-quantum secure an all-or-nothing decision. Can the sig scheme start with standard crypto and then swap out later for post quantum when it’s actually needed?

Does the proposal include all the supporting documentation for downstream tasks like audits, integrations, developer and validator guides and onboarding? I would maybe like to see a task for the relevant documentation to be created as part of the milestone sign-off

Will you be adding or needing to add any of the outstanding features that are on the roadmap, but not implemented?

Will you be using AI for any aspect of the work; core dev, documentation, testing, design, etc?

That’s it for the moment, but no doubt I will think of more in the coming days

Thanks for the questions! Answers below:

RAC sign-off vs community governance

The RAC+Arbitrator structure exists specifically so that milestone sign-off is an objective technical call rather than a community vote. The intent is that completions are largely procedural: deliverable shipped, criteria met, payment released. Where there’s genuine ambiguity, you want it resolved by the arbitrator with the technical context to reach an objective conclusion, not by a vote that ends up turning on vibes or partial information.

The risk of putting milestone sign-off into community governance directly is that completion becomes subjective. That cuts both ways: it could mean payments get withheld on milestones that have actually been delivered, or released on milestones that haven’t been. Either failure mode is bad for the project and for the community. The RAC+Arbitrator layer is meant to take that ambiguity off the table.

If the concern is RAC continuity (the RAC may not exist in 18 months), that’s a fair worry and worth handling explicitly. The proposal can carry a fallback clause: if no RAC equivalent exists at the time a milestone is up for sign-off, the community votes. But the default should remain “objective technical review by a delegated body” rather than “vote on each milestone.”

How much of each milestone is already done?

Zero percent on the milestones themselves. This is all net new work.

There’s some basic integration between Radix Engine and hyperscale-rs already, but it’s the duct-taped path called out in the proposal. Not production-ready: the fundamental data models and data prerequisites aren’t aligned yet, and that alignment is exactly what M2 exists to do.

The work to date is the foundation that makes the milestones tractable: the consensus engine, the simulation harness, the architectural decisions, the prototype that proves the path is viable. None of it is a milestone deliverable in its own right.

Audit findings and the warranty period

Yes. If a third party audit gets commissioned and finds critical or high severity issues attributable to the Xi’an codebase, remediating those falls into scope.

Post-quantum: all or nothing, or swap later?

Two sides to this, and they’re somewhat independent.

On the infrastructure side, the goal is to build it so the system supports both classical (BLS, as currently used) and the future PQ scheme side by side. This will be feature-flagged so PQ enactment can be trivially toggled via a setting in a protocol upgrade later, if the call is made that it should be deferred from immediate enactment at Xi’an. Either way, the protocol is ready for it.

On the signing scheme side, the wallet account types are the other half. The PQ scheme will be added as a third signing type alongside the existing ECDSA Secp256k1 and Ed25519 types. The wallet then needs to implement signing support for the new account type, which is a separate piece of work and can happen independently of the Xi’an timeline. Users would then manually transfer assets from non-PQ-safe account types to PQ-safe ones over time.

The community may also want to explore “freezing” non-PQ account types after some publicised end date, which would be a governance decision rather than a protocol one. That’s the same sort of discussion that’s been happening in Bitcoin recently along the same lines, and worth having here at some point too.

So: not all or nothing on the protocol side, and the migration story for users has a clean path that doesn’t require everyone to coordinate on day one.

Documentation as part of milestone sign-off

Reasonable. The soft deliverables section covers a lot of this in principle, but you’re right that having documentation explicitly tied to milestone sign-off, rather than treated as a parallel stream, is cleaner.

Happy to make documentation a sign-off criterion per milestone where it makes sense. Concretely: M3 should require gateway integration docs, M4 should require validator setup guides, M5 should require crypto migration notes for integrators, M6 should require onboarding material for downstream teams. Easy to bake into the milestone definitions.

Outstanding roadmap features?

Depends which ones you have in mind. Xi’an as scoped here is the consensus, sharding, and PQ work, with Engine-level feature parity to Babylon. New features beyond Babylon-equivalent (smart accounts changes, new asset primitives, tokenomics adjustments, etc.) aren’t in scope for v1 but the architecture should support adding them post-launch.

If there are specific features you’re thinking of, drop them in and I can give a concrete answer per feature on whether it’s compatible with the Xi’an design and what implementing it would look like.

AI use

Yes, honestly. Same as any modern developer at this point. AI tools come into play for boilerplate and pure mechanical implementation work, exploring API surface options, drafting documentation, and sometimes as a second pair of eyes on code review. Where they don’t come into play is the load-bearing protocol design and the consensus logic itself. That’s human-authored and held to the same standard regardless of whether AI was involved in any earlier draft.

Although I cannot read the proposal (currently offshore and website where proposal is hosted is blocked by the company’s stupid IT department), I support it, the pricing is fair and Foxy has been acting with the greater good of community in mind. Details here and there may need to be polished, but as a TC I support it.