Friday September 13

Monday September 9

  • On our testnet, we enabled “mutable globals” and “sloppyGlobals” in the gallery demo. This allows direct assignment to unreferenced global variables such as “myvar = 123” assigning to the global “myvar”.

  • We made a number of updates to SES, including fixing the “override mistake.” In the “override mistake,” any instance that tries to shadow a prototype definition (i.e. override it) will fail if the prototype is frozen. For instance, if Object.prototype is frozen, trying to set myObject.toString will fail. For security purposes, we want to be able to freeze the JavaScript prototypes, so this was a necessary fix for usability.

Friday August 30

  • Agoric and the Cosmos team started the review of IBC specification (release candidate 2). (PDF, comments)

  • MetaMask executed their first test transaction that uses our secure runtime for JavaScript, SES, to secure their JavaScript dependencies.

Friday August 23

  • The beginnings of a publically-accessible testnet dashboard are now available.

  • Our Testnet logs are now being stored in bulk, and we’re working on making it more available as well as improving it to make it part of a block explorer.

  • On ERTP, we’ve made it even easier to configure a custom Mint by extracting the custom logic for adding and subtracting balances. We’re calling this custom logic a Strategy, and it works for both fungible and non-fungible tokens.

Friday August 16

Friday August 9

  • We upgraded our private testnet with new performance enhancements, making persistence much more efficient.

  • We created a reusable abstraction for revocable property rights for our pixel demo, where users are able to buy, sell, and color pixels on a website on our private testnet. We wanted to represent owner, tenant, and subtenant relationships for owning a pixel. In this world, “ownership” means having the ability to give other people the right to color the pixel. This access can be revoked by anyone “higher up” in the hierarchy, so tenants can kick out subtenants, owners can kick out tenants, etc. This pattern of separating use from ownership shows up again and again in property rights of various sorts, so we expect it to be helpful going forward.

Friday August 2

  • We built a parser from our existing Javascript PEG (Parsing Expression Grammar) library, and verified that the Assay, Issuer, and Contract Host Chainmail IDL produced legitimate ASTs. The IDL is based on Cap’n Proto and we plan to use the ASTs for things such as enforcing types at the CapTP level,for TypeScript style type checking, for generating documentation, or for generating stubs for calling from other languages.

  • We’ve made revisions to how users can check the terms of a contract, and refactored our makeMint function to be more readable.

  • We released new versions of SwingSet and cosmic-swingset.

Friday July 26

  • We hosted a very successful token design workshop last weekend. A big thanks to all of the guests willing to share their knowledge.

  • We analyzed performance issues on our testnet and came up with some concrete solutions.

  • We designed and documented a new SwingSet kernel API.

  • Mark, Dean, and Aaron Davis (kumavis) from Metamask presented at TC39 (the JavaScript standards committee) on SES, sesify, and “infix bang”, i.e., distributed object programming in js with promise pipelining.

Friday July 12

Friday June 28

  • We began work on an experimental Rust port of our Node.js-based “SwingSet” vat-execution platform, to refine the API and interface types used at the vat/kernel boundary.

  • Kate spoke at QCon New York on using SES and Realms to make ‘npm install’ safe (article here). Many of the solutions to attacks like the event-stream incident have focused on the open source developer community, but SES and Realms focus on eliminating the unnecessary authority (like access to the file system and access to the network) that were required for the attack.

Friday June 21

  • We are excited to announce Agoric’s partnership with Cosmos and Cosmos’ Interchain Foundation. Agoric and Cosmos are jointly creating the IBC (Inter­Blockchain Communication) protocol. IBC will provide true interoperability across multiple blockchains, and expand the market available to millions of current and future smart contracts developers worldwide.

  • Dean spoke at Zcon1 (video here) with an update on what we’ve accomplished since last year’s Zcon0, including the creation of a secure runtime for JavaScript (SES), a running end-to-end Cosmos-based testnet, the Cosmos IBC collaboration, and further work on our smart contract framework and components.

Friday June 14

  • We had a blast working with Cosmos this week in Berlin at the Interchain Conversations conference and their hackathon. Two Agoric-related entries won at the hackathon:
    • Aaron Davis (kumavis) of MetaMask has created a plugin for browserify using Agoric’s SES that reduces the risk of using third-party packages. At the hackathon, he additionally built a visualizer for JavaScript package dependencies that colors each module node based on the level of security exposure.

    • We demoed our integration with Cosmos, running “Swingset” on a cosmos chain. In order to show our full stack, we built a simple pixel marketplace (think Million Dollar Homepage or Reddit’s /r/Place) that uses our Electronic Rights Protocol and provides the ability to color, buy, and sell pixels as well as create further abstractions.

Friday June 7

  • The team has been hard at work getting the Swingset demo ready for Berlin.

Friday May 31

  • We’ve been continuing progress towards our upcoming initial testnet, including new releases of our Swingset environment. The new features include a different way of handling the state of our “nanokernel”, merging Mark’s higher order contracts onto trunk, and adding new devices to enable interaction with HTTP requests.

  • We’ll be joining Cosmos in Berlin next week at their Interchain Conversations unconference and their HackAtom hackathon. Mark will be participating in the Interoperability panel and Brian and Dean will be presenting on our integration with Cosmos. Hope to see you there

Friday May 24

  • This week Mark successfully implemented a particular example of higher order contracts. “Higher order” contracts allow you to effectively tokenize positions in contracts. In this particular scenario, Bob writes a covered call giving Alice the option to buy Bob’s stock shares. Alice makes a new escrow agent that allows her to trade this seat at the table to Fred, and Fred is able to verify that these are the rights he is interested in. The escrow agent code is able to treat the “seat at the table” as if it were a straightforward token, allowing us to use these “higher order” tokens in any smart contract component that accepts tokens.

Friday May 17

  • Our team grew! We’d like to welcome four new hires: Michael Fig, Chris Hibbert, Tatyana Roberts, and Paul Walton. They will be contributing in engineering, operations, and business development.

  • We’ve been hard at work on our testnet, building on our “SwingSet” environment.

Friday May 10

  • We’re very pleased to announce that we’ve secured $4 million in new funding from Ripple’s Xpring, gumi Cryptos Capital, Kilowatt Capital, MetaStable Capital, Outlier Ventures, Lemniscap, Rockaway Blockchain and the Interchain Foundation, as well as additional funding from the Electric Coin Company (sometimes referred to as the Zcash Company, the for-profit institution behind the privacy-focused cryptocurrency zcash), Naval Ravikant and Polychain.

  • Dean gave an impassioned speech on smart contracts at the Blockchain in Transport Alliance (BiTA) Spring Symposium. Dean explained that the ultimate vision for smart contracts is to bring the entire economy of the world online. “The diverse, vibrant world economy”, he said, “needs high integrity computation, a security model that works for software components, broad scope and interoperability with other chains.”

Friday May 3

  • On our Electronic Rights Transfer Protocol (ERTP) branch, Mark has made some major advances. We’ve split our purse abstraction into ‘purses’ and ‘payments,’ where payments represent digital assets in transit, with the transfer rights locked up. We’ve also added a way to generalize kinds of digital assets (fungible, non-fungible) and valid operations on them. Lastly, our contracts now have a flexible API for representing a particular position in an ongoing smart contract, which can itself be bought and sold. Someone who buys a position in a smart contract can verify with the contract host to see what they would be joining.

  • We implemented a new device model for their “SwingSet” environment, in which external functions are made available as capability-oriented “device nodes”, allowing them to be shared between vats and managed just like normal objects. This will support inter-machine and inter-chain communication links in the next few weeks.

  • We’ve added a “Comms” vat to our SwingSet environment, which is responsible for sending and receiving messages from external machines and translating and relaying them to other vats on the same machine.

Friday April 26

Friday April 19

  • At our SES meeting this week (recording here), we reviewed the proposed minimal translation from modules to evaluable scripts (a step towards being able to use SES with JavaScript packages), and got agreement from key stakeholders, including John-David Dalton, creator of the lodash and esm packages, who has joined the Salesforce team working with SES.

  • We released @agoric/make-hardener-0.0.6 to NPM, a library to make defensible API surfaces by transitively freezing JavaScript objects in-place.

  • We’ve continued work on the “SwingSet” environment, which contains a JS “exo-kernel” and messaging/execution framework inspired by the KeyKOS operating system, extended with asynchronous messaging.

Friday April 12

  • We merged in a number of small pull requests this week and have been working on better tutorials for our “SwingSet” vat platform for testing out smart contracts. Some of the pull requests included:
    • Using the realms-shim repo in SES rather than the TC39 Realms proposal specification repo.
    • Deleting a property called “domain” that the Node.js REPL adds to promises. When SES tries to harden (deep freeze) all of the objects provided by Node.js, it notices that it didn’t expect the “domain” property and purposefully errors to avoid a potential vulnerability.

Friday April 5

  • Agoric released version 0.5.0 of SES, “Secure ECMAScript”, a library for safely executing and interacting with potentially-hostile JavaScript code. This release improves bundling for use in web browser contexts (UMD), Node.js environments (CommonJS), and as ES6 Module imports. It also fixes incompatibilities with Chrome-73 and Browserify.

Friday March 29

  • Agoric’s “SwingSet” vat platform now supports evaluation of contract code outside of SES, providing a fallback for use in typical standard JS development tools, to preserve line numbers and stack traces.
  • The shim which implements the proposed Javascript “Realms” API is being moved out of the TC39 proposal repository into a dedicated repository. The TC39 repo will continue to host the specification text itself.

Friday March 22

  • Mark wrote the draft specification for a standalone SES engine. Rather than taking an existing JavaScript engine and creating a SES runtime within it, this would be SES compliant from the beginning, meaning that many of the problematic and non-deterministic parts of JavaScript just wouldn’t exist in the first place.

  • Agoric’s new “SwingSet” vat implementation is now feature complete and passes all tests, including the ERTP contract host examples (Mint, Purse, ContractHost, and Escrow Agent).

Friday March 15

Friday March 8

Friday March 1

  • Mark Miller gave a presentation to TC53, the standards committee for JavaScript applications on wearable devices/IoT, on SES and Jessie. Peter Hoddie of Moddable described it as an “amazing talk about a future where JavaScript code from multiple parties securely co-exists, where program logic is exchanged as easily as JSON data, and standard JavaScript works even better on constrained devices.”
  • Metamask presented their browserify plugin, sesify, at our weekly meeting on SES. Recording here.
  • We’ve been working on making our utility libraries usable as CommonJS modules, ES6 modules, and UMD files, so that they can easily be used in Node.js, the browser, and bundlers.

Friday Feb 22

  • We released a new version of the “SES” Secure EcmaScript library (0.4.0). This version adds a limited form of require() to the confined code, allowing it to perform a few specific module imports, fully controlled by the enclosing realm.
  • We also released new utility libraries (@agoric/nat, @agoric/make-hardener, and @agoric/harden), which used to be part of SES. By splitting these out into external modules, application code which uses them can be unit-tested either inside or outside of a SES environment. “Harden” performs a deep Object.freeze, to protect an API object from external tampering, facilitating safe interaction between mutually suspicious code.

Friday Feb 15

  • We’ve moved a couple of libraries out of SES so that they can be used outside of a SES environment.
  • One of them is Nat. Nat() can be used to check that a value is a safe integer and should be used on things like account balances and any kind of manipulation of value represented in JavaScript numbers.
  • Another library is makeHardener, which creates a function (harden) that performs a full “deep freeze” on JavaScript objects. More information on why you might want to “harden” an object here.

Friday Feb 8

  • SES-0.3.0 is released and up on npm. This release improves security and functionality and fixes all known confinement leaks. It also improves usability by allowing the user to turn on console.log and display uncaught exceptions.

  • This week we had a lot of great activity on, the community forum for discussing object capabilities in JavaScript.

Friday Feb 1

Friday Jan 25

  • Mark Miller will be speaking at the Stanford Blockchain Conference on Agoric’s smart contract platform, including eventual-sends. Eventual-sends provide a solution to the reentrancy vulnerabilities that have been plaguing smart contracts.

  • Bill and Kate had a blast connecting with the larger JavaScript world at the ForwardJS Conference in San Francisco

  • We made good progress on one of the remaining security bugs for SES.

Friday Jan 18

  • This week was all about SES. In SES, you can run code in a featherweight compartment that has no access to things like window or document, keeping the data on your page safe from exfiltration. SES also can keep third party code from accessing other third party code, making it perfect for a plugin or module architecture. This week we:

  • Released 0.2.0 on npm

  • fixed a confinement bypass found by Matt Austin which enabled access to and other forms of unsanctioned nondeterminism

  • fixed a security failure in the confined Function constructor, also found by Matt Austin

  • improved confinement of RegExp and platform-specific debugging functions

  • added options to control access to Math.random() and i18n nondeterminism

  • Also, we wanted to highlight an awesome MetaMask project that is in process. Sesify applies SES to browserify, keeping your code safe from the modules you might want to import.

Friday Jan 11

  • We’re doing a major overhaul of our planning document for Safe JavaScript Modules, adding a concrete example throughout the document.  It’s a great overview of how Realms and SES can load modules securely, and actually prevent incidents like the event-stream exploit. Feel free to check it out and add comments. We’re also discussing it on

  • This week we got the first version of our security kernel running on the XS JavaScript engine. This is huge because it means that the features of JavaScript that our security kernel and smart contract platform rely on are implemented in XS.

Friday Jan 4

  • Happy New Year! This week we worked with RMIT to release a medium post by economists Chris Berg, Sinclair Davidson, Jason Potts and our very own Bill Tulloh. It’s on “nanoeconomics,” meaning a layer below microeconomics, including a market in computational resources. This builds on the concepts in the original Agoric papers by Mark S. Miller and K. Eric Drexler.

  • We’ve just launched a new site for discussing object capabilities in JavaScript at We were noticing a lot of people were exploring solutions for safe module loading, and we wanted a place to be able to discuss it. Feel free to join the discussion!

  • We wanted to give a shoutout to two members of the community:

  • Michael Fig has started to build an amazing tool called Jessica, which is a Jessie (one of our subsets of JavaScript) runtime environment created using only Jessie modules, containing also translators from Jessie to other languages.

  • Bradley Farias has done a significant amount of work on a tool that analyzes the use of authority in JavaScript packages. He says that the tool will include “listing all potential resource authority usages. This is the full set of all free variables and dependencies a resource can obtain directly.”

Friday Dec 21

  • We got the XS JavaScript engine compiled to WASM and got “hello world” running on XS on WASM on Node.js. This is super exciting because it’s the first step to run our smart contracts on chains that support WASM.

  • Our least authority module system for JavaScript now has a planning document that is in progress. It’s a great overview of how Realms and SES can load modules securely. Feel free to check it out and add comments. We will be making some major changes in the near future to the later sections of the document.

Friday Dec 14

  • This week, we continued work on the least authority module system for JavaScript with partners from academia and industry.

  • We also continued work on compiling XS (Moddable’s JavaScript engine) into WASM for use with the Substrate runtime system.

  • We updated our eslint config package for Jessie (our subset of JavaScript for smart contracts) to include better error messages and tests. We also built a testing utility for eslint configs that can be used separately.

Friday Dec 7

  • We are working with the Moddable team to retarget their XS JavaScript engine to WASM. We can use this tiny and reliable embedded JS engine for smart contracts!

  • We are working with partners at Salesforce, Node.js, Carnegie Mellon, and others to design a module system for JavaScript that enables bringing in third party code safely.

Friday Nov 30

  • We published a piece on the recent npm package event-stream incident. At Agoric, we think that the incident was entirely preventable - if you enforce the principle of least authority (POLA), which says that code should be granted only the authority it needs and no more. Read about how enforcing POLA would change Node.js and prevent these kinds of attacks here.  

  • TC39, the JavaScript Standards committee, had their November meeting, which Mark Miller of Agoric presented at.

  • Given the recent event-stream exploit, Mark presented on a module system that would have granted modules least authority and would have prevented the exploit.

  • Mark presented on Jessie, our secure subset of JavaScript for smart contracts

  • Mark and Alan Schmitt of JSCert planned how to proceed towards a mechanized formalization of Jessie.

  • Dean and Mark and Till Schneidereit of Mozilla refined the weak references API.

Friday Nov 16

  • We’ve added updated versions of the Agoric Open Systems papers to the website, including pdfs and the full text of each of the three papers! These papers are listed as part of Andreessen Horowitz’s Crypto Canon, so we’re glad to get them updated.

  • We’re continuing to make progress on hardening our proof of concept, exploring use cases and talking with entrepreneurs looking to write smart contracts, and building developer tools.

Friday Nov 9

Friday Nov 2

  • Our Chief Scientist, Mark Miller, is the co-author on a new paper, “Abstract and Concrete Data Types vs Object Capabilities.” The paper explores how abstract data types can be implemented in an object-capability language. A number of the examples in the paper involve the exchange of digital assets. Download here.

  • We’ve released an eslint package for Jessie, a Turing complete minimal subset of JavaScript designed for smart contract programming. Jessie is designed to yield small programs that are easy to review both formally and informally, enabling programmers to write non-trivial, non-exploitable smart contracts.

  • We are making steady progress on integrating with Parity Substrate.

Friday Oct 26

  • Our in-house economist, Bill Tulloh, will be presenting at Research and Practice on Blockchain October 27th, on “A Principal-Agent Approach to Securing Smart Contracts.”

  • Mark Miller and Bill Tulloh are organizing this year’s OCAP Workshop during SPLASH in Boston on November 6th. The workshop is designed to explore the latest developments in the theory and practice of the object-capability approach, and provide a forum for knowledge exchange and collaboration.

Friday Oct 19

  • We made progress towards parachain design, specifically in terms of serializing our JavaScript contract objects as merklized data structures.

  • Dean will be speaking on “The Duality of Smart Contracts and Electronic Rights” at the Web3 Summit on Tuesday October 23rd at 14:15.

  • Our in-house economist, Bill Tulloh, will be presenting at Research and Practice on Blockchain October 27th, on “A Principal-Agent Approach to Securing Smart Contracts.” You can see more upcoming events on our events page.

Friday Oct 12

  • We had a blast meeting everyone during SFBW. Mark Miller has uploaded a recording of his talk about secure smart contracts to the SF Cryptocurrency Devs which can be listened to here. Video coming soon!

Friday Oct 5

  • Mark has been writing smart contracts using our proof of concept. We are particularly excited about the covered call option contract, which demonstrates the ability of our smart contract framework to allow access to contracts to be traded as easily as native tokens. This ability to derive new rights from positions in contracts and use them in other contracts will be necessary for a vibrant crypto-economy. The code is still a work in progress, but feel free to take a look!

  • We have two events during SF Blockchain Week: Dean is talking about Authority in Smart Contracts at SFBW Epicenter on October 8th at 2:20pm and Mark is presenting on the Agoric platform and framework on October 10th at 7pm. For more information, see our events page. Hope to see you there!

Friday Sept 28

  • We sent out our first newsletter this week! Sign up here to get on our email list.

  • We have a number of events coming up during SF Blockchain Week:

  • Dean is giving a talk on “Authority in Smart Contracts” at the Titans of Tech stage at SFBW Epicenter on October 8th at 2:20pm

  • Mark is speaking about the Agoric approach to smart contracts at the SF Cryptocurrency Devs Meetup October 10th at 7pm. There are only 8 spots left, so RSVP today!

Friday Sept 21

Friday Sept 14

  • We continued to improve our proof-of-concept, and hope to release it to the public next week.

  • To let people know where we’ll be headed and where we will be speaking, we’ve created a new upcoming events page on our website. Check back after events for links to recordings and slides!

  • As part of SF Blockchain week, we will be doing an overview of the Agoric platform and approach to smart contracts at the SF Cryptocurrency Devs meetup on October 10th at 7pm in San Francisco. Additionally, Dean will be giving a talk during Epicenter (Oct 8th 2:20PM - 2:45PM) on “Authority in Smart Contracts” and the problems of identity-based access control in smart contracts.

Friday Sept 7

  • The first proof-of-concept implementation of our smart contract execution engine (the “Vat”) is now feature-complete. It exercises secure libp2p-based messaging between both solo and quorum (replicated) Vats, durable state checkpointing via deterministic replay of inbound messages, small-scale distributed consensus about message delivery order, and downstream enforcement of the consensus rules for messages emitted by quorum Vats.

  • Based on a previous conversation between Mark Miller and the Node Security Workgroup, Bradley Meck has put together a draft document that “proposes a way to introduce a set of features to Node.js in order to achieve a reasonable security model based upon the Object-Capability Model and verification of resources loaded by Node.js”

Friday Sept 2

  • We’ve been working hard on the end-to-end proof of concept. In addition to porting over all of the contracts from Distributed Electronic Rights In Javascript, the proof of concept includes communication between “vats”, a term that comes from the influential programming language E and refers to separate computational subworlds that can proceed forward simultaneously. More on this to come.

  • If you’re attending ETHBerlin or live in the area, be on the lookout for Kate and Dean this upcoming week. You can reach them on Twitter

Fri Aug 24

  • Mark gave a talk to the Node.js Security Workgroup about SES (Secure ECMAScript, the secure subset of JavaScript) and the membrane programming pattern.

  • Agoric released a new version of SES. SES-0.1.3 adds utility functions and fixes an accidental vulnerability in the web-based demonstration code.

Fri Aug 17

Fri Aug 10

Fri Aug 3

Fri Jul 27

  • We announced the release of SES, a secure subset of JavaScript. SES enables untrusted JavaScript programs to execute in the same environment safely.

  • To showcase SES’s ability, we’ve released a SES Challenge. A random code is generated, and we invite you to put SES to the test with various attacks and guess the code! Any security-sensitive issues can be reported using our vulnerability disclosure process.

  • At the TC39 meeting, Mark Miller of Agoric presented on the results of the Realms shim security review. Realms is a standards track proposal for JavaScript that SES builds on.

  • Brian Warner of Agoric will be speaking at the Decentralized Web Summit. Hope to see you there!

Fri Jul 20

  • Set a goal of 100% code coverage of the Realms shim code

  • Passed 90% coverage of the Realms shim code

Fri Jul 13

  • Announced that Agoric has officially joined TC39, the JavaScript standards working group.

  • Filed all issues from the Realms shim security review for reconciliation with the proposed specification.

Fri Jul 6

  • Worked with Salesforce to do a careful line-by-line security review and revision of the Realms shim, which is our security kernel in modern JavaScript.

  • Led a workshop on secure smart contracts and object capabilities at Zcon0