Request for Grant Proposals: State Migration

We’re allocating US$60,000 to support 2-3 teams in researching and prototyping state migration approaches during upgrades of the network. The deadline for proposal submissions is 23rd January 2026

Overview

The Aztec network can only be upgraded through hard forks. While it is possible for an upgrade to copy the existing state of the network, we expect most (if not all) of the upgrades in the early days of the network not to. Instead, they will start with no state.

However, applications can always choose to migrate their state to new versions even when the network doesn’t do it automatically. This RFPG is a call for teams to research and prototype application-level state migration. The design space is large, with tradeoffs between trustlessness, user experience, and privacy.

Why start with no state

The Aztec network is complex. Independent of the number of audits or the amount of care demonstrated during development, it is very likely issues with the production network will be discovered, especially in the early days.

The impact of bugs can be especially large given Aztec’s privacy. Unlike fully transparent blockchains, a successful exploit may not ever be observable. A sophisticated attacker could maliciously and privately double spend or mint large amounts of an asset, but keep their exploit hidden forever.

Upgrades which do not carry over historical state act as a turnstile. It limits the potential impact historical exploits of bugs, giving stronger assurances to users of the latest version of the network that no bad state created during previous exploits still exists.

With time, we expect Aztec governance to get more confidence in the safety of the underlying code and cryptography, and gradually come to default to upgrades which do carry over state.

Below, we provide more context on Aztec’s roadmap, how governance-driven upgrades work, and what makes state migration an interesting design problem. If you’re already familiar with Aztec’s different phases and roll-up upgrades, skip ahead to 'State Migration During Alpha’.

What is Aztec

Aztec is an Ethereum Layer 2 that uses zero-knowledge proofs for scalability and to enable programmable privacy.

Unlike traditional rollups that operate entirely on public state, Aztec allows smart contracts to mix private and public state within the same application. Private state, such as balances, strategies, identities, or votes, is operated on and stored off-chain, with zero-knowledge proofs submitted on-chain to verify correctness. Public state and interactions, on the other hand, are directly stored and executed on-chain.

The Roadmap

The network will progress through the following phases: Ignition (current), Alpha, and Beta.

The key point is this: during Alpha, roll-up upgrades are expected to be proposed approximately every two months. Crucially, state will not be migrated automatically when these upgrades occur. These upgrades enable the community to exercise governance, build muscle for handling network changes, state migrations, and provide flexibility to ship improvements safely. If governance approves each upgrade, the network moves to new roll-up contracts on Ethereum. For more information on the governance process, please refer to the appendix.

State Migration During Alpha

If governance approves roll-up upgrades during Alpha, applications deployed on one version won’t automatically exist on the next. For stateless, “pass-through” use cases like private cross-chain bridging, this works great. For applications that benefit from persistent state (user positions, balances, app-specific data), migration becomes a design consideration.

How applications handle migration is ultimately up to them. Alpha is an early-stage network, and developers may make different tradeoffs depending on their priorities. For example, an application that prioritizes user experience during Alpha might choose to centralize certain components to simplify migration, while others might accept more friction in exchange for stronger trust assumptions. There’s no single “right” answer; it depends on the application and its users.

We’re allocating US$60,000 to support 2-3 teams in researching and prototyping state migration approaches. The goal is to showcase possible patterns that applications could adopt, not to prescribe how they must work. We’re looking for creative, generalizable solutions that help users and developers carry their state across roll-up upgrades while preserving Aztec’s privacy and security guarantees.

Submit your proposal by January 23rd, 2026 for a chance to receive funding and support.

Grant Details and Submission Format

We’re allocating up to US$60,000 split across 2-3 teams, with funding distributed flexibly based on proposal scope and complexity.

To ensure consistency, please follow this format:

• Title: Team/product name

• Contact Details: Signal, email, etc.

• Summary: In 300 words or fewer, describe your proposed approach to state migration

• Start and End Date: Recommended start end-of-January 2026, working prototype by February 27th, 2026

• About You: Team background, relevant experience, and why you’re well-positioned to tackle this

• Details you should cover:

  1. Which migration approach are you pursuing (see categories below)

  2. Technical architecture

  3. User flow from old roll-up to new roll-up

  4. Trust assumptions (be explicit!)

  5. How does your solution generalize across multiple applications

• Grant Milestones and Roadmap: 3-5 milestones to get to a working prototype, plus 2-3 items for potential future work

• Grant Amount Requested: Flexible based on scope. Justify your ask.

• Questions: Anything unclear?

Submissions should be created as a new post on the Aztec Forum, tagged state-migration and rfgp. Once posted, add the link as a comment on this RFPG.

Submission deadline: January 23rd, 2026

Team selection: January 27th, 2026

Delivery deadline: March 6th, 2026

Design Considerations & Potential Solutions

There is currently no canonically recognised notion of “you” for the purposes of state migration. The same private key, contract code, and salt will result in different public addresses on different rollup instances, meaning a simple “same address” migration approach does not work out of the box. As a result, any migration mechanism must answer a more fundamental question: who does this state belong to, and how can they prove it? Aztec does not currently define a canonical public key or identity primitive that persists across rollup instances, and proposals may need to consider how (or whether) to introduce one.

Private state: Migrating private state requires user interaction, since all private state is ultimately encrypted to a particular address.

Old state remains accessible: Previous roll-up state stays readable on L1. There may be opportunities to leverage the Inbox/Outbox messaging system to pass previous roll-up tree roots into the new roll-up. This is the kind of creative thinking we’d be excited to see.

Forced exits: Aztec plans to be a Stage 2 rollup, which means users can always exit via forced withdrawal mechanisms, even if all sequencers disappear.

Aztec is NOT EVM-compatible. It’s a Turing-complete smart contract environment using Noir as the smart contract programming language, supporting both public and private execution. Solutions should account for this. Don’t assume EVM patterns will translate directly.

Given these considerations, here are some potential solutions. Note that this is not a conclusive list.

Category A: Off-Chain Attestation

Applications may authorize state migration using trusted off-chain mechanisms. Practical approaches include exporting state to off-chain storage with encrypted user backups or through a trusted execution environment (e.g., SGX). While faster to implement, these approaches introduce explicit trust assumptions in off-chain infrastructure.

Category B: Purely Onchain, Self-Migration

Users migrate their own state using on-chain proofs. No external attestation required. Users prove their previous state and claim it on the new roll-up. This maximizes trust minimization but may involve more user friction.

Category C: Hybrid Approaches

A combination of on-chain and off-chain mechanisms. Be explicit about the tradeoffs.

Note: Teams can submit multiple approaches (e.g., “here’s a more centralized version optimized for UX AND here’s a fully on-chain version”). Showing the tradeoffs across different points on the spectrum is valuable.

Requirements

Must-Haves

• Generalizable patterns: We want reusable patterns, data structures, or standards that applications could adopt, rather than app-specific solutions. The goal is to showcase approaches, not mandate them. Think of: token balances, proven identities, NFTs, etc.

• Reasonable UX: Aim for no more than 3-4 transactions to complete a migration. Use common sense.

• Working prototype: Demonstrate on a local network with tests showing migration between two roll-ups.

• Design documentation: Clear write-up of the approach, trust assumptions, tradeoffs, and recommendations. Help future application developers understand when they might choose this approach.

Out of Scope

• Shared/multi-party private state: AMM liquidity pools, multi-user vaults, etc. These are tied to other contracts’ states (tokens, etc.) and are too complex for this initial research.

• Abandoned state handling: Users who never migrate can use forced exits on the old roll-up. We don’t need a solution for them.

• Foundation as trust anchor: Any solution requiring Aztec Foundation to be a centralized trust party will be rejected.

FAQs

Is Aztec EVM-compatible?

No. Aztec uses Noir for smart contracts and has both public and private execution environments.

Where do I build this?

Start with the local network, Aztec’s local development environment. Your tests should simulate two roll-ups to demonstrate migration.

Can users always withdraw their funds from the old roll-up?

Yes. Aztec is a Stage 2 L2 with forced exit mechanisms. Even if no sequencers remain on the old roll-up, users can withdraw via L1.

Do I need ALL requirements done by the deadline?

We require a working prototype that demonstrates the core mechanism. Design docs and recommendations for future work are also expected. Full production-readiness is not required.

Can one team submit multiple proposals?

Yes! You can propose different approaches (e.g., centralized AND decentralized versions).

How will proposals be evaluated?

We’re looking for feasibility and outside-of-the-box thinking. Creative approaches that address the core constraints will stand out.

What about the address derivation constraint?

This is a key design consideration. Aztec Labs and Wonderland are working on persistent identifier solutions separately, but your proposal should either work around this or propose its own approach.

Disclaimer

The published request for proposal and ideas herein are explicitly published as discussion points to invite community feedback in the community forums. Robust design and developer discussion is the best way for the community to collectively explore state migration patterns during Alpha.

The information set out herein is for discussion purposes only and does not represent any binding indication or commitment by Aztec Foundation and/or affiliates and their employees/consultants to take any action whatsoever, including relating to the structure and/or any potential operation of the Aztec protocol or the protocol roadmap. In particular: (i) nothing in this post (and any response to this post) is intended to create any contractual or other form of legal, investment, financial, tax or advisory relationship between Aztec Foundation or third parties who engage with such posts (including, without limitation, by submitting comments, a proposal and/or responding to posts including any medium such as X, Discord, etc), (ii) by engaging with any post, the relevant persons are consenting to Aztec Foundation’s use and publication of such engagement and related information on an open-source basis (and agree that Aztec Foundation will not treat such engagement and related information as confidential), and (iii) Aztec Foundation is not under any duty to consider any or all engagements, and that consideration of such engagements and any decision to award grants or other rewards for any such engagement is entirely at Aztec Foundation’s sole discretion. Please do not rely on any information on this forum for any purpose - the development, release, and timing of any products, features or functionality remains subject to change and is currently entirely hypothetical. Nothing on this forum post should be treated as an offer to sell any security or any other asset by Aztec Foundation or its affiliates, and you should not rely on any forum posts or content for advice of any kind, including legal, investment, financial, tax or other professional advice.

Appendix

How Governance Drives The Transitions

Every major network change goes through governance. Here’s the flow:

1. Proposal – A payload is submitted proposing new roll-up contracts

2. Signaling – Once 600 out of 1000 sequencers signal support for a payload, we move to the voting stage

3. Prep phase – A 3-day delay where no actions can be taken

4. Voting – Sequencers vote on whether to adopt the change. Voting lasts 7 days.

5. Execution delay – If passed, there’s a 7-day delay before the new rollup becomes the “canonical rollup”

6. Old roll-up winds down – The old rollup may still have leftover $AZTEC balance that it can distribute as inflation rewards, but it won’t be able to request additional tokens from the Reward Distributor. The previous rollup can keep running as long as there are enough sequencers to maintain liveness (at least 24 sequencers for Ignition’s target committee size). Some sequencers may choose stay temporarily to help users exit, or because of other community-driven incentives.

This is governance-driven. The community decides whether and when to upgrade. Our plan is to propose upgrades roughly every two months during Alpha, but ultimately it’s up to the sequencers and the governance process.

A potentially useful idea that recently came to mind, which might inspire prospective grantees:

Putting a new “migration public key” inside the preimage of an aztec address, to enable a user to migrate their state from one rollup version to the next.

This public key would be understood to be an alternative identifier for a user, for the sole purpose of proving their identity to smart contracts of the next rollup instance:

“I am Bob because I know the secret key of Bob’s ‘migration public key’, so please let me copy-over this state (which belonged to Bob on the old rollup), and let me ascribe ownership to my new address on this new rollup”.

Why does Bob need another public key to prove who he is to the next rollup instance?

Well, Aztec has account abstraction, which technically means there’s no enshrined public key to represent Bob. Bob is represented by his account contract, which means the way Bob proves “I am Bob” to a particular rollup instance is not “Here is a signature over some canonical public key”, but instead “A function of my account contract has successfully executed”. The network doesn’t care about the internals of that function: the function might actually validate a signature against some public key, but the network doesn’t see that; it only recognises the successful execution of a function of Bob’s account contract as evidence of “I am Bob”.

So if Bob wants to migrate his state from one (“old”) rollup to another (“new”) rollup, why can’t he provide a proof of execution of a function of his old account contract to functions of the new rollup? Well, whether that is a safe approach would depend on why a new rollup is being created. As mentioned in the original post above, it’s possible that the reason for a new rollup is due to a bug in the old rollup (because the network is in its Alpha phase). If there’s a bug in the proving system, for example, then Bob’s old account contract might contain a bug. In that case, the new rollup should not trust proofs from Bob’s old account contract. In that case, Bob’s mechanism for proving “I am Bob” – of furnishing a proof of successful execution of a function of his account contract – is broken. App developers who wish to design ways for users to migrate state between rollups should account for this possibility.

Hence, a new migration public key – which cannot be corrupted by any bugs in the Alpha phase of Aztec – is an attractive mechanism through which Bob could prove to functions of the new rollup “I was Bob on the old rollup, so please let me migrate Bob’s state over to this new rollup. I have generated a new address to be the owner of that state on this new rollup”.

Where should such a new “migration public key” live?

This is an advanced section for people familiar with the protocol

EDIT: we actually have an unused public key placeholder (currently dubbed “tagging public key”, but never used) which could be repurposed for this, if this idea is a good one. You can possibly ignore the rest of this message.

Ideally, the design of the preimage of an aztec address would be tweaked to include a new ‘migration public key’ field. Unfortunately, there probably isn’t enough engineering time to do this before Alpha. That’s not to say that some future network upgrade couldn’t tweak the design of an aztec address if the network chooses, but until then we’d need a cheekier way of storing this key.

Chatting with Palla, we realised the salt of a contract address could be abused to contain a public key: salt = h(actual_salt, migration_public_key).

But… we need to be forward-thinking with how this cheeky salt preimage is designed, because it could quickly proliferate to become an standardised layout across the ecosystem, and no one would be able to abuse it in other ways.

You might want to make it something like a hash chain: salt = h(actual_salt, root) , where root is itself h(some_value, some_root) and so on. (I think I’m stealing this idea off Palla from a couple of months ago). You end up with tiers of information being stored within the salt.

So initially, salt = h(actual_salt, h(migration_pubkey, root)) , where root is reserved for other future stuff. The actual salt lives at the 0th tier, and the migration public key lives at the 1st tier. Other stuff can live at lower tiers, if the community wants.

With this, Aztec smart contract devs (“app devs”) could design functions in their “new” smart contracts (smart contracts that will be deployed to future versions of the Aztec rollup) which enable a user to prove ownership of an “old” account, by proving knowledge of the secret key of that account’s ‘migration public key’.
I.e. “I am Bob. I wish to migrate my state from an app of the old rollup to the same app on the new rollup. The forward-thinking app devs have designed a function in the new smart contract which enables me to migrate my state.” The function will read the preimage of Bob’s address and extract the ‘migration public key’ from within the abused salt. The function will then demand proof of knowledge of the migration secret key. Such a proof of knowledge could be done with a signature, e.g. a schnorr signature. Bob can then provide to the function old notes that were owned by Bob on the old rollup, prove that Bob’s old address was the owner of those, and then provide a new address to become the owner of some corresponding new notes. Those new notes can then be inserted into the new rollup’s note_hash tree.

Danger: this migration approach will not always be safe!!! It will depend on the reason for the new rollup. E.g. if the old rollup contained a bug that would enable someone to insert arbitrary notes, or create notes of infinite value, then apps should not offer the ability to migrate notes, because then corrupted notes from the old app would be copied over and would corrupt the storage space of the new app. So whilst app teams might wish to explore the approach outlined in this message, and whilst they might want to go ahead and design migration functions, they will need to assess at the time of each new rollup instance whether it is safe to deploy those migration functions. I.e. they will need to understand the nature of any bugs that caused a new rollup to be deployed before offering migration.

Advanced technical note: ecosystem teams shouldn’t abuse the salt for their own custom use cases: the salt should only be abused for use cases that the whole ecosystem would benefit from. For custom use cases, you could abuse the constructor_args of the preimage of an address instead.

For anyone working on a proposal (or just curious about how all this works in practice): we’re hosting an Ecosystem Call this Wednesday, January 21st at 4 PM UTC where @amin will be doing a full session on Alpha, Roll-Up migrations, and App State Migration.

The goal is to give everyone running applications, infrastructure, or anything else during Alpha a clear picture of how the network lifecycle will look so you can make informed decisions on how your applications will handle upgrades.

Should be really helpful context for anyone thinking about submitting here.

Google Meet link: https://meet.google.com/rqs-ckcy-vyc
Time: January 21st @ 4 PM UTC

hey @ArnSch and @alejoamiras We’re looking forward to the ecosystem call. If the call would be essential for teams interested in this RFP on App state migration, it may make sense to move the deadline for submission, as the ecosystem call and the deadline are on the same day. If there would be no new info, then it’s fine like it is right now.

First thing is first. Kudos on the crowdsourcing and the grant. That spirit is missing a lot for many projects.

Second of all. Dont think im qualified enough to make a solution. But will throw some points to consider for those that do and are going after the grant.

1. I would try to ponder at how persistent identifiers (e.g., canonical public keys across rollups) might evolve. This will help to make migrations smoother I rekon.

2. To the TS. Maybe add a bonus for solutions with forced exit to L1 OR that use the Inbox/Outbox messaging system in a cool way. I mean not compromise UX, etc, as you suggest.
   To explain myself - i think its worth a bonus cause those would be Aztec-specific tools, not a generic thingy.

3. Some more thinking. Xs/rollup privacy preserving identity or similar, with Noir based proofs, of course =)

4. 1 more. A bit boring, but old as earth itself and seems to work (if economics isnt pressured - incentives for early migration OR incentives that use only on-chain migration, or a combo of both, etc

We’ve moved the deadline for this RFPG to Friday, to give everyone a chance to join the call that Alejo highlighted

Hi!
This is the proposal by WakeUp Labs

Proposal by Raven House team

Hi guys, sharing our proposal for this RFGP

Hi team! This is HashCloak’s proposal:

Note that posts can’t tag state-migration as the tag doesn’t exist, so it’s only tagged rfgp.

GMGM sharing our proposal:

Not a full proposal but some thoughts on this and research:

I hope we’re not too late to the party. I submitted the rfgp a while ago, still waiting for moderator to accept it, will post it here once it’s done.

Proposal from Cardinal Cryptography:

Hi everyone,

We’re excited to announce the winners of this RFGP: Raven House and Cardinal Cryptography

Why Raven House? We loved their approach. It’s differentiated and, crucially, can still work under the assumption that the proving system is broken. While we understand this introduces some centralization trade-offs (and expanding from public to private information could impact privacy), we want to give applications the option to take a more centralized path during Alpha if it suits their needs. Raven House has also repeatedly demonstrated their expertise working with Aztec’s technology. We’re excited to see them iterate on it towards a final output.

Why Cardinal Cryptography? The team has a very solid background in cryptographic systems. We particularly liked their Locked Notes approach, and we believe their design with multiple modes could be a suitable decentralized solution. We have some open questions we’ll be working through with them as we move forward.

We’ve reached out to both teams to get the grant ops sorted.

General observations across proposals:

• Several proposals leveraged the master key to identify users. In practice, this key is typically stored securely in the wallet, so accessing it would compromise some security assumptions. HashCloak’s proposal addressed this best, building on feedback from Mike and Santi.

• Most decentralized solutions didn’t fully account for scenarios where the cryptography or proving system might be broken.

• Proposals relying on snapshots or a specific point in time to back up from share an open question: they assume a safe height or snapshot can be chosen, but with a broken proving system it would be impossible to reliably select such a height (worst-case scenario).

A huge thank you to everyone who participated! Many of you are already active contributors to our ecosystem with amazing prior work. It was great to see your proposals, and we hope you’ll join future RFGPs as well. We’re really happy with how this round turned out given what a deeply complicated and nuanced problem this is.

If you have any feedback on how we can improve future RFGPs, feel free to DM me or Alejo. We’d love to hear from you.