At the beginning of this month, at the EthCC conference in France, Vitalik Buterin raised a warning that sounded somewhat alarmist: 'If Ethereum cannot truly achieve decentralization, its future will face a survival crisis.'
To this end, he proposed three key testing standards to measure whether a protocol possesses sustainable decentralization capabilities: exit test (Walk-Away Test), internal attack test (Insider Attack Test), and trusted computing base test (Trusted Base Test).
Among them, the 'exit test' is the most fundamental and important part, directly addressing a core issue: If the project team disbands or the platform goes missing, can users still safely withdraw assets and complete interactions?
01. What is the 'exit test'?
In simple terms, the essence of the exit test is whether the project allows users to self-exit, withdraw assets, and interact on-chain, even if the development team is completely 'missing in action'.
From this perspective, it is more like a safety net clause. It does not emphasize the completeness of daily functionalities but tests whether a protocol can truly be 'trust-free' under the most extreme conditions.
In fact, as early as 2022, Vitalik criticized the majority of Rollup's Training Wheels architecture in his blog, stating that it relies on centralized operations and manual intervention for safety. Users familiar with L2Beat frequently see a related key metric on its homepage—Stage:
This is an evaluation framework that divides Rollup into three stages of decentralization, including 'Stage 0,' which relies entirely on centralized control, 'Stage 1,' which has limited reliance, and 'Stage 2,' which is fully decentralized. This also reflects the degree of dependency of Rollup on artificial intervention.
?Image source: L2Beat
One of the most critical indicators for evaluating the Stage phase is whether users can independently complete fund withdrawals without the cooperation of operators.
This question seems simple, but it is, in fact, a fatal issue.
For example, in the case of currently mainstream Rollups, although many have mechanisms like 'escape pods,' a large number of projects still retain 'upgradeable contracts' or even 'super administrator' privileges. While this appears to be an emergency design, it is, in fact, a potential risk window.
For instance, the team can control the change address of the logic contract through multi-signature. Even if it superficially emphasizes immutability, as long as a backdoor exists, once malicious logic is injected into the upgrade contract, user assets can also be legally transferred.
This means that if users' funds are frozen, it becomes difficult to bypass the project party for recovery. The real exit test requires the complete elimination of dependencies and intervention paths, ensuring that users can operate independently and maintain control at all times, even if the core team disappears or the platform suddenly shuts down. Users must still have complete control, and their assets will not be locked or held hostage by a third party.
In short, the exit test is a touchstone for verifying whether a protocol can truly be decentralized; it concerns not only censorship resistance but also whether users still possess asset sovereignty in extreme situations.
02. The end of decentralization is 'exit capability'.
Why BTC and ETH are the first choices for new users and institutions.
Because even without Satoshi Nakamoto and Vitalik, Bitcoin and Ethereum can still operate smoothly, it is objectively true that for incremental users or institutional players, the most critical Web3 entry decision consideration is 'Can I withdraw my money at any time?'
The exit test is a direct answer to this issue; it is the 'last mile' for blockchain to achieve decentralization and a practical test of the idea 'Not your keys, not your coins'.
After all, if users must rely on a specific front-end interface or a certain development team to withdraw assets or interact, it essentially remains a centralized trust relationship. However, a protocol that passes the exit test allows users to independently perform operations using on-chain tools and third-party front-ends, even if all nodes go offline and all operators run away.
This is not only a technical issue but also a matter of adhering to the Web3 philosophy.
It is precisely for this reason that Vitalik has repeatedly emphasized that many seemingly decentralized DeFi or L2 projects actually harbor centralized channels such as upgrade keys, backdoor logic, and freezing mechanisms. If these mechanisms are abused, user assets will be completely at the mercy of others.
The exit test is precisely to verify whether these mechanisms exist and to demand their thorough removal. Only when users' exit paths do not depend on any party can the protocol truly be trusted.
03. The 'exit test': a watershed moment for decentralization to become reality.
Moreover, if we understand it from a different perspective, we will find that while the 'exit test' is a core evaluation standard for the security design of Ethereum, especially Rollups, it has actually been widely practiced in other areas of Web3.
Taking wallets as an example, as the core tool for asset management, they must have high security and transparency, which includes the randomness of mnemonic and private key generation (true random number generation), firmware security, open source, and other key factors. Moreover, mainstream Web3 wallets (like imToken, etc.) almost all allow the export of private keys/mnemonic phrases, allowing users to easily migrate assets to any wallet software or hardware device.
This can be described as a natural 'exit design': users can always control their funds without needing to trust the wallet company itself, transforming users from mere 'experiencers' of Web3 product services into true 'owners' with asset sovereignty.
From this perspective, the three core tests proposed by Vitalik represent a complete closed loop.
Exit test: Ensuring users can self-redeem after the project ceases operations.
Internal attack test: Can the system resist internal malice or collusive attacks from developers?
Trusted computing base test: Is the amount of code that users need to trust sufficiently small and auditable?
These three tests together constitute the decentralized 'foundation framework' for Ethereum's long-term sustainable development, truly achieving 'Don't Trust, Verify'.
Simply put, in the Web3 world, the 'trust' that doesn’t require trust essentially stems from verifiability; only through transparent mathematics and algorithms can users feel assured by being able to 'Verify' at any time, without worrying about external factors like the moral integrity of the project team.
?Image source: CoinDesk
As Vitalik said in the end:
“If we cannot achieve this, Ethereum will ultimately become a generational memory, forgotten by history like many things that were once briefly glorious but ultimately faded into mediocrity.”
