Entros_docs
Roadmap

Medium-term

After mainnet—decentralization of the Anonymity Ring, validator economics, multi-chain reads.

The medium-term arc is decentralization. Today the protocol is operated by the team; the work in this window is making it stop needing the team.

Anonymity Ring decentralization

The validation engine that runs all four tiers of checks is implemented and live today. What's deferred is the multi-validator deployment topology around that engine. The decentralization plan:

  • Validator entry. Stake against the registry program, run the validator binary, sign verification outcomes.
  • Slashable stake. Validators that sign off on verifications later proven to be synthesized lose stake. Slashing conditions are defined in the registry program and enforced by an independent challenge process.
  • Aggregated signatures. A threshold of validator signatures is required for a verification to settle. The threshold and validator set size are configurable through the registry.
  • Economic incentives. A share of protocol fees flows to validators based on participation and accuracy.

The transition is gated on the external audit landing and on the check stack reaching a maturity bar where iteration can happen on a slower cadence than current operation supports.

The validator distribution question

How a third-party validator gets the check engine to run on their machine is a real architectural decision, not just an engineering one. Three patterns are on the table:

  • Open-source the engine. Anyone runs it. Maximum legitimacy; the cost is that the exact check thresholds and synthesis-detection signatures become public knowledge that adversaries can game.
  • Attestable binary in a TEE. Validators run a sealed binary inside Intel SGX, AWS Nitro, or similar; the chip's attestation vouches for "this is the official engine," and the check internals stay private. Operationally heavier but preserves the obscurity layer.
  • Permissioned ring. A curated set of operators each runs the private binary, with on-chain coordination but no permissionless entry. Cheapest path; familiar pattern (Wormhole guardians, Pyth publishers); least credentialed as "decentralized."

The choice is a tradeoff between trust assumption and adversarial cost. The protocol's current preference is the TEE path, with a permissioned ring as the practical fallback if attestation tooling adds too much operational friction at the validator-onboarding stage. The decision is finalized as part of the post-mainnet validator-economics rollout.

Validator economics

The fee waterfall has three eventual phases:

  • Bootstrap. Months 0–6 of post-mainnet operation. 100% of fees flow to the protocol treasury for ecosystem and security work.
  • Burn signal. Months 6–12. 70% to treasury, 30% burned as a deflationary signal on the Entros utility token, while validators are still being onboarded.
  • Steady state. Month 12+. 50% to treasury, 30% to validators, 20% burned. Validator share scales with the size and activity of the ring.

Numbers above are the current public plan. They are subject to the audit findings and the integrator-pilot data and may be updated through the RFC process before steady state begins.

Multi-chain reads

The Anchor PDA lives on Solana. Other chains can verify a wallet's status via cross-chain attestation relay (the same pattern as Wormhole-relayed price feeds). The work in this window: a documented relay path for the SAS attestation, a reference reader contract on a major EVM chain, and tooling for cross-chain protocols to gate on Entros without a Solana RPC integration.

Reputation portability

Reputation today is wallet-bound by default — users build Trust Score against a specific wallet through repeated verification. The migrate_identity instruction in the on-chain identity program lets a user move an established identity (Trust Score, verification history, recent timestamps) to a new wallet via a two-signer authorization pattern: the existing wallet authorizes the new one, then the new wallet completes the migration. This is shipped on devnet today.

The medium-term work is the policy layer around it — when to allow migration (cooldowns, score caps), how to prevent score-laundering attacks where one identity is reused to bootstrap multiple wallets, and how integrators surface migration status to users (e.g., "this score was transferred from wallet X on date Y"). The protocol-level discussion is balancing user mobility against attack resistance.

Scaling considerations

The Sybil registry today compares each new verification against every existing wallet's stored fingerprint with a single similarity threshold. This binary gate works correctly at the devnet pilot scale (hundreds to low thousands of wallets) and through the integrator pilots described in near-term.

At ecosystem scale (millions of wallets on mainnet) the underlying tradeoff every behavioral biometric system faces becomes load-bearing. Re-verifying the same person against the same stored fingerprint (1:1 match) is well-served by behavioral signals — that is how Trust Score's continuity check works today. Distinguishing one person from every other person in the population (1:N deduplication) requires discrimination orders of magnitude sharper than 1:1, and no published behavioral biometric system achieves that at planetary scale without supplementary signals.

The medium-term architectural shift is from binary gating to probabilistic scoring with ensemble signals:

  • Scoped comparison instead of universal — partition the registry by domain, recency, or integrator context so each verification compares against a relevant slice rather than all global state.
  • Multi-signal ensemble — combine the behavioral fingerprint with attestation history (SAS records), cross-protocol signals (existing identity systems on Solana and beyond), and Trust Score recency. No single signal carries the full discrimination weight.
  • Probabilistic outcomes — surface a confidence score to integrators rather than a binary pass/fail, letting different use cases pick their own discrimination point on the precision-recall curve.

This is the same direction every production identity system has converged on — Aadhaar uses iris and fingerprint plus demographics; Worldcoin uses iris plus the orb-network Sybil layer; behavioral systems supplement with device signals. Entros's contribution is occupying the behavioral temporal consistency slot in that ensemble, complementary to anatomical and document-based approaches rather than replacing them.

Calibration of the new scoring system depends on empirical fingerprint distributions across a substantially larger and more diverse user population than the current pilot. The work is gated on that data; the design publishes as it stabilizes.

Where to look next

Near-term

Active sprint—what ships next as the audit clears and integrator pilots come online.

Long-term

Identity as public infrastructure, cross-chain by default, openly maintained.

On this page

Anonymity Ring decentralizationThe validator distribution questionValidator economicsMulti-chain readsReputation portabilityScaling considerationsWhere to look next