Why we are publishing this recap
Shell Chain has shipped seventeen tagged milestones in twelve months, from
the empty cargo new workspace at M0 to the Security & Efficiency Hardening
release at v0.17.0. Each milestone closed a specific engineering problem; each
release passed CI green and ran a multi-node integration soak before tagging.
This post is the consolidated map. If you are an investor or researcher looking
to verify the project's trajectory, you can cross-check every claim against the
public commit history at github.com/ShellDAO/shell-chain.
The numbers as of v0.17.0
| Metric | Value | Where to verify |
|---|---|---|
| Crates in workspace | 19 | Cargo.toml workspace members |
| Tests passing | 1,200+ | cargo test --workspace in CI |
| Audit findings resolved | 69 | docs/AUDIT_FIXES.md |
| EVM spec | Cancun | shell-evm/src/spec.rs |
| Signature scheme (default) | CRYSTALS-Dilithium3 / ML-DSA-65 (NIST Level 3) | shell-crypto |
| Fallback scheme | SPHINCS+ / SLH-DSA | shell-crypto |
| End-to-end block compression | ~18× (raw → pruned) | docs/BENCHMARKS.md |
| STARK signature aggregation | 7.1× peak (5-tx batch), 157 proofs/sec sustained | docs/BENCHMARKS.md#a3 |
| License | MIT | LICENSE |
Milestone by milestone
M0–M1: Skeleton and crypto foundation
The first two months established the development discipline that the rest of the project would inherit. Feature-Driven Development (FDD) was adopted as the default workflow: every milestone produces a written feature spec, an implementation, integration tests, and a review record before merge.
M1 implemented shell-crypto — Dilithium3, SPHINCS+, Kyber, hash primitives
and the Bech32m address scheme — with 62 cryptographic test vectors validated
against NIST reference implementations.
M1a–M1b: From single node to networked chain
M1a delivered the first block produced by a Shell node — a single binary running an executor, state manager and a deterministic block builder. M1b introduced libp2p for peer discovery, gossipsub for block propagation, and the shape of the mempool. The test suite reached 231.
M2: Usable chain — JSON-RPC and EVM tooling parity
M2 was the moment Shell Chain became usable by an outside developer. The
eth_*, web3_* and net_* JSON-RPC namespaces went green; Hardhat,
ethers.js and MetaMask all worked unmodified against a local node. Receipts,
event logs and tx-gossip closed the loop. Test count: 296.
M3: Production hardening
The focus shifted from features to durability. Kademlia DHT replaced the static peer list, on-chain governance moved validator management into the state, dynamic fee markets (EIP-1559-style) were wired in, and we ran the first adversarial property tests against malformed transactions and byzantine peers. 450 tests.
M4: Finality, snapshots, observability
Probabilistic finality tracking, state snapshots for fast sync, the debug_*
RPC namespace, and a Prometheus metrics surface across all subsystems. 659
tests.
M5: EVM hardening + first external audit
M5 brought the EVM to full Cancun specification — EIP-4844 blob
transactions, EIP-1153 transient storage, EIP-6780 SELFDESTRUCT semantics —
and ran a comprehensive external audit that surfaced 69 findings. Every
single one was resolved before tagging v0.6.0. Post-quantum signature
verification was added as a precompile pair (Dilithium3 at 0x0a, SPHINCS+
at 0x0b). 853 tests.
M6–M11: Performance, multi-node soak, EVM-spec re-test
The middle band of the project was deliberately quiet. We ran a multi-node testnet inside a private CI cluster for eight uninterrupted weeks, reproduced the full Ethereum execution-layer test suite against our EVM, fixed the long tail of correctness gaps, and tightened gas accounting. The fork choice rule was re-implemented to handle the long-range pathologies that surfaced under load.
M12: Account Abstraction at the protocol layer
Rather than ship ERC-4337, we made every account a smart account. The
AccountManager system contract at 0x02 exposes rotateKey,
setValidationCode and the policy hooks; addresses are
blake3(version || algo_id || pubkey)[..20] so a key rotation does not
change the address. Custom validation is sandboxed (writes discarded) and
gas-capped at 500k. See the dedicated AA post
for the reasoning.
M13: STARK signature aggregation (Winterfell)
SigBatchCircuit on Winterfell reduces a batch of Dilithium3 signatures to
a single ~15 KB STARK proof. Peak compression is 7.1× on a 5-tx batch;
sustained throughput on a single prover node is 157 proofs/sec with a
6.4 ms mean latency. A 6-hour soak generated 3.4 M proofs with zero
failures. See the STARK post for
why we picked STARKs over SNARKs.
M14: Native account abstraction productionisation
Tooling — JSON-RPC for aa_simulateValidation, gas-sponsorship hooks, and
multi-sig validator templates published with audited Solidity. The pq1…
Bech32m address format became the default in the SDK.
M15: Three-way block-storage pruning
The headline efficiency win. Block storage is now hot / warm / cold tiered:
- Hot — recent N blocks, kept fully (block, witness, proof)
- Warm — WitnessBundle shed once ProofAmendment arrives
- Cold — Zstd-compressed segments, addressable by block range
Combined with the A2 public-key-dedup layer (~34% saving at 95% sender
repeat rate) and A1 Zstd at the column-family level (8–15%), the pipeline
takes a worst-case 7.76 MB raw block to ~425 KB pruned — a ~18× end-to-end
reduction. See BENCHMARKS.md.
M16: Storage profiles (archive / full / light)
A single CLI flag (--storage-profile) selects the node's role.
StorageCapability is advertised over the wire so peers know what historical
range each neighbour can serve, and a back-fill protocol pulls bodies on
demand without disturbing the hot path.
M17: Security & efficiency hardening (current — v0.17.0)
The most recent release tightened operations, not features:
- Architecture re-split — shell-network, shell-consensus and shell-mempool were further decomposed; cyclic dependencies removed; workspace grew to 19 crates.
- Consensus slashing wired in — the punishment paths that the M3 governance contract declared are now actually executed.
- Network amplification fix — closed a multiplier in gossipsub message fan-out that an adversary could have used to extract bandwidth.
- Bounded mempool channels — every tokio::mpsc in the mempool now has a configurable, observable bound; back-pressure is a metric, not a panic.
- Supply-chain CI — cargo audit, cargo deny, SBOM generation and signed releases via Sigstore are now blocking checks.
Full notes: v0.17.0 release.
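The bounded mempool channels item above, as an added sketch that is not Shell Chain's own code: a full queue becomes a counted, typed rejection instead of unbounded growth or a panic. It uses the standard library's `sync_channel` as a stand-in for a bounded `tokio::sync::mpsc` channel; `Tx`, `Ingress`, `IngressMetrics`, `SubmitError` and `flood` are assumed names.

```rust
use std::sync::atomic::{AtomicU64, Ordering::Relaxed};
use std::sync::mpsc::{sync_channel, Receiver, SyncSender, TrySendError};

/// Hypothetical transaction type for this sketch.
#[derive(Debug, Clone, PartialEq)]
pub struct Tx(pub u64);

/// Counters a metrics exporter would scrape (field names are assumptions).
#[derive(Default)]
pub struct IngressMetrics {
    pub accepted: AtomicU64,
    pub rejected_full: AtomicU64,
}

/// Backpressure: queue is at its bound. Closed: the consumer has gone away.
#[derive(Debug, PartialEq)]
pub enum SubmitError { Backpressure, Closed }

pub struct Ingress { tx: SyncSender<Tx>, pub metrics: IngressMetrics }

impl Ingress {
    /// `bound` is the configurable queue depth; queued memory is capped by it.
    pub fn new(bound: usize) -> (Self, Receiver<Tx>) {
        let (tx, rx) = sync_channel(bound);
        (Ingress { tx, metrics: IngressMetrics::default() }, rx)
    }

    /// Never blocks and never panics: a full queue is counted and reported.
    pub fn submit(&self, t: Tx) -> Result<(), SubmitError> {
        match self.tx.try_send(t) {
            Ok(()) => { self.metrics.accepted.fetch_add(1, Relaxed); Ok(()) }
            Err(TrySendError::Full(_)) => {
                self.metrics.rejected_full.fetch_add(1, Relaxed);
                Err(SubmitError::Backpressure)
            }
            Err(TrySendError::Disconnected(_)) => Err(SubmitError::Closed),
        }
    }
}

/// Floods a queue that nobody drains; returns (accepted, rejected_full).
pub fn flood(bound: usize, n: u64) -> (u64, u64) {
    let (ingress, _rx) = Ingress::new(bound); // _rx kept alive, never read
    for i in 0..n { let _ = ingress.submit(Tx(i)); }
    (ingress.metrics.accepted.load(Relaxed), ingress.metrics.rejected_full.load(Relaxed))
}

fn main() { println!("{:?}", flood(4, 10)); }
```

A rising `rejected_full` counter is the signal to alert on: it shows producers outpacing the consumer while queue memory stays at the configured bound.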
What v0.17 is not yet
We are deliberately conservative about what we claim. Three things are explicitly not yet shipped:
- Public incentivised testnet — local Docker testnet is operational and documented; the public faucet, explorer and validator onboarding portal are in build (M14 launch on the public timeline). Public RPC will be https://testnet.shell.org.
- Recursive STARK aggregation — single-block proving is in production; recursive cross-block aggregation is research-stage.
- L3 trie pruning — refcount infrastructure is in place (refs/<node_hash>); enabling it at scale waits on the proof chain maturing.
What investors and researchers should look at next
- The benchmarks: docs/BENCHMARKS.md — every metric on the marketing site is generated from this file.
- The audit fixes: docs/AUDIT_FIXES.md — 69 findings, each with severity, root cause and the commit that closed it.
- The release notes: CHANGELOG.md — every tagged version with a one-line summary and a PR link.
- The investor brief: Investors — financials, threat exposure, competitive matrix, and the technical defence of every number.
The next operational milestone is the public incentivised testnet. Until then, you can run the full v0.17.0 stack locally:
git clone https://github.com/ShellDAO/shell-chain
cd shell-chain
docker compose -f docker-compose.alpha.yml up -d
We build in the open because post-quantum security is too important to develop behind closed doors.