🚨 The RPC Infrastructure Crisis Nobody Talks About

We need to discuss the elephant in the room: Web3 runs on centralized RPC infrastructure.

99% of dApps depend on Infura, Alchemy, or similar providers. This is a single point of failure for the entire ecosystem.

The Centralization Data

Market share of RPC providers (2025):

Infura (ConsenSys): 42% of all Ethereum RPC requests
Alchemy: 28%
QuickNode: 12%
Ankr: 6%
BlockEden: 4%
Other providers: 5%
Self-hosted: 3%

Top 2 providers handle 70% of all Ethereum traffic.

Top 5 providers handle 92% of traffic.

This is MORE centralized than:

• Cloud computing (AWS 32%, Azure 23%, GCP 10%)
• DNS (Cloudflare 15%, Google 8%, others distributed)
• CDNs (Cloudflare 20%, Akamai 15%, others)

Web3 infrastructure is the most centralized layer of the internet.

Mike

Mike, this data is sobering. Let me add developer reality from the trenches.

My RPC Cost Evolution

Year 1: Free tier naivety

• Started with Infura free tier
• 100K requests/day seemed like plenty
• Hit limit at 11am every day as we grew
• Users: “Why does your app break every afternoon?”

Year 2: The cost explosion

• Upgraded to paid: $50/month
• Then $500/month
• Then $2,000/month
• Now at $8,000/month across 4 providers

RPC costs are now our 3rd largest expense after salaries and cloud.

What Happened During March 2024 Infura Outage

Real impact on our dApp (150K users):

Hour 1 (2:00pm EST):

• Infura goes down
• Our app immediately fails (we had no backup)
• Support tickets: 0 → 400 in 10 minutes
• Users panicking on Twitter

Hour 2:

• Emergency call with team
• Trying to integrate Alchemy (never tested failover)
• Racing to deploy while users are angry
• Lost 40% of daily trading volume

Hour 3:

• Finally deployed Alchemy backup
• But many users already left
• Reputation hit was worse than downtime

Hour 4:

• Infura back online
• Users slowly returning
• But trust damaged

Result:

• Lost $180K in that day’s fees
• 2,000+ support tickets
• Trending on Twitter for wrong reasons
• Took a week to recover traffic

This taught us: Single RPC provider = single point of failure.

The Multi-Provider Reality

Our current setup:

Primary: BlockEden (60%)

• Fast, reliable, good multi-chain
• $800/month

Secondary: Alchemy (30%)

• Fallback, also used for Polygon
• $2,000/month

Tertiary: QuickNode (10%)

• Last resort, also testing
• $1,500/month

Total: $4,300/month + engineering complexity

The failover logic:

• Detect errors/timeouts
• Switch to backup
• Monitor both continuously
• Alert if both degraded

This works but:

• 3x development complexity
• 3x monitoring overhead
• Still vulnerable if all fail simultaneously (happened once in 2024)

The Privacy Nightmare

What I learned Infura knows about our users:

Every RPC call reveals:

• Which addresses user owns (from balance queries)
• What tokens they hold (from token balance calls)
• Their trading patterns (from price queries)
• Their IP address (from HTTP request)

Infura can build complete profile:

• User X at IP 123.45.67.89
• Owns address 0xABC…
• Has 10 ETH, 5000 USDC
• Checks prices 50 times/day (active trader)
• Uses Uniswap, Aave
• Net worth: ~$50K

They know more about our users than we do.

And their privacy policy says:
“We may share aggregated analytics with partners.”

This means Infura can (and probably does) sell user data.

The Censorship We Saw

November 2022: Tornado Cash ban

What happened:

• Infura blocked Tornado Cash addresses
• Alchemy did the same
• Our users couldn’t interact with certain contracts
• Not just Tornado - some DeFi protocols affected too

We had users say:
“I thought crypto was censorship-resistant. Why can’t I use my money?”

We had no answer.

The RPC provider controls access.

Even though Ethereum itself didn’t censor, users couldn’t access it through standard providers.

The Performance Impact

We measured RPC latency vs user conversions:

150ms RPC latency:

• Page load: 600ms
• Conversion rate: 4.5%

300ms RPC latency:

• Page load: 1,200ms
• Conversion rate: 3.8% (16% drop)

600ms RPC latency:

• Page load: 2,400ms
• Conversion rate: 2.7% (40% drop)

Every 100ms of RPC latency = ~5% conversion loss.

This directly impacts revenue.

We optimized:

• Chose fastest providers per region
• Geographic routing (US users → US endpoints)
• Aggressive caching (60% request reduction)
• Speculative prefetching

Results:

• Average latency: 300ms → 140ms
• Conversion rate: 3.8% → 4.6%
• Revenue impact: +21%

RPC performance is business-critical.

What We Need from RPC Providers

Must-haves:

1. Reliability: 99.9%+ uptime

   • Current: 99.2-99.7% (not good enough)
   • Need: 99.95%+ with SLA

2. Transparent pricing

   • No surprises
   • Clear tier limits
   • Predictable costs

3. Geographic distribution

   • Endpoints in US, EU, Asia
   • <100ms latency globally
   • BlockEden is good at this

4. Standard APIs

   • No provider-specific quirks
   • Easy switching between providers
   • Current: Each provider slightly different

5. Privacy respect

   • Minimal logging
   • No data selling
   • Anonymous access option

Nice-to-haves:

6. WebSocket support everywhere

   • Real-time updates
   • All chains
   • Lower latency than polling

7. Archive data at reasonable cost

   • Currently: $500+/month
   • Should be: $100-200/month

8. Failover coordination

   • Providers share status
   • Automatic routing to healthy endpoints
   • Industry-wide health dashboard

The Decentralized Alternatives

We tried Pocket Network:

Pros:

• Censorship resistant
• Privacy preserving
• Competitive price

Cons:

• Reliability: 98.5% (vs 99.5% centralized)
• Latency: 250ms average (vs 110ms)
• Limited chains
• Crypto payments (complex for accounting)

Verdict: Not production-ready for primary traffic

But we use it for 10% of non-critical requests.

If Pocket can match centralized reliability, we’d switch immediately.

My Recommendations

For small dApps:

• Start with one provider (BlockEden or Alchemy)
• Keep it simple
• Plan for growth

For growing dApps:

• Use 2 providers minimum
• Implement failover
• Monitor performance

For large dApps:

• 3+ providers for redundancy
• Geographic routing
• Aggressive caching
• Self-hosted for critical operations

For the ecosystem:

• Support decentralized RPC (Pocket, Lava)
• Develop light client tech
• Create RPC provider standards
• Fund geographic diversity

The Bottom Line

RPC centralization is Web3’s dirty secret.

70% through 2 providers is unacceptable.

When Infura goes down, the ecosystem stops.

Solutions:

• Multi-provider setup (do this now)
• Decentralized RPC (support these projects)
• Light clients (long-term solution)

We need infrastructure diversity or we’re just renting decentralization from Infura/Alchemy.

Brian

From security perspective: RPC providers are our biggest attack surface.

The Threat Model

When you use Infura/Alchemy, you trust:

1. The company won’t get hacked

   • They handle billions in transaction value
   • Juicy target for attackers
   • One breach = mass user compromise

2. Employees won’t go rogue

   • 100+ employees with infrastructure access
   • Any one could exfiltrate data
   • Or modify responses maliciously

3. AWS won’t be compromised

   • Most providers run on AWS
   • AWS has root access to everything
   • One AWS breach = multiple providers compromised

4. Government won’t force compliance

   • OFAC, sanctions, censorship
   • Providers are US-based (subject to US law)
   • One order = ecosystem-wide censorship

This is HUGE trust assumption.

What RPC Providers CAN Do

1. Return fake data

Scenario:

• User queries: “What’s my balance?”
• Provider returns: “5 ETH” (actual: 10 ETH)
• User makes decision on fake data
• Gets rekt

Has this happened? Not publicly.
Could it? Absolutely.

Defense: Query multiple providers, compare results.

2. Front-run transactions

Scenario:

• User submits transaction to buy token
• Provider sees it in their servers
• Provider front-runs with own transaction
• Profits from user’s trade

Has this happened? Suspected but unproven.

Defense: Use private transaction services (Flashbots).

3. Censor transactions

Scenario:

• User submits transaction
• Provider never broadcasts it
• Transaction disappears
• User can’t interact with blockchain

Has this happened? Yes (Tornado Cash).

Defense: Use multiple providers or self-host.

4. Track and deanonymize

Scenario:

• Link IP to wallet address
• Build user profile over time
• Sell data to third parties
• Or comply with government requests

Has this happened? Almost certainly.

Defense: VPN, Tor, or self-host.

The March 2020 Incident

Infura consensus bug:

What happened:

• Infura’s Geth nodes fell out of sync
• Returned wrong blockchain data
• DeFi protocols made decisions on bad data
• Resulted in bad liquidations

Impact:

• Unknown but likely millions in losses
• Users blamed protocols, not Infura
• Showed single provider risk

This proves: Trusting one data source is dangerous.

The OFAC Compliance Scenario

What if US government mandates OFAC compliance?

Likely scenario:

• Treasury: All RPC providers must block sanctioned addresses
• Infura, Alchemy comply (US companies)
• BlockEden, QuickNode comply
• 92% of RPC traffic now filtered

Effect if your address is flagged:

• Can’t use MetaMask
• Can’t use 99% of dApps
• Banned from Ethereum
• No appeal process

This isn’t hypothetical.

Tornado Cash showed this can happen without laws - providers self-censored.

The Supply Chain Attack

How to compromise millions of users:

Attack Infura:

1. Hack AWS account
2. Access Infura servers
3. Modify response data
4. Steal private keys from transactions

Or:

1. Social engineer Infura employee
2. Get infrastructure access
3. Inject malicious code
4. Exfiltrate data

Or:

1. Compromise npm package Infura uses
2. Inject backdoor
3. Deploy to production
4. Own the infrastructure

One successful attack = 42% of ecosystem compromised.

What We Do for Our $500M TVL Protocol

Multi-provider verification for critical operations:

Before liquidation:

• Query 3 providers (Alchemy, BlockEden, self-hosted)
• Compare results
• Only proceed if 2/3 agree
• Alert if disagreement

Cost: 3x RPC costs for critical paths.
Worth it: Prevents catastrophic errors.

We’ve detected 3 incidents in 2024:

• One provider returned stale data
• Would have caused incorrect liquidation
• Multi-provider check caught it

The provider blamed “caching issues.”
But it was wrong data regardless.

The Data We Found

Random spot checks (10,000 samples):

Accuracy:

• 99.98% of queries return correct data
• 0.02% return wrong data (usually caching)

This sounds good, but:

• 0.02% of billions of queries = millions of wrong responses
• Wrong data during critical operation = disaster
• No way for user to detect without verification

The Monitoring We Built

Canary transactions:

Every hour:

• Send test transaction via provider
• Verify it appears on blockchain (via different provider)
• Confirm within 30 seconds
• Alert if missing

Found 8 cases in 2024 where transactions disappeared.

Providers blamed:

• “Network congestion”
• “Temporary issue”
• “Already resolved”

We suspect some were censorship attempts.

No way to prove it.

The Decentralization Paradox

Smart contracts: Decentralized

• Run on 100,000+ nodes
• No single point of control
• Censorship resistant

Access to contracts: Centralized

• 70% through 2 companies
• Easy to censor
• Easy to compromise

It’s like:

• Having decentralized gold vault (Fort Knox distributed globally)
• But one road to access it
• Road can be blocked anytime

The gold is secure but inaccessible.

What Actually Needs to Happen

1. Light clients everywhere (2-3 years)

Browsers run light clients:

• Direct blockchain access
• No RPC middleman
• Verify all data cryptographically

Projects: Helios, Lodestar

2. zk-Proofs for RPC responses (3-5 years)

Provider returns data + proof:

• Cryptographically prove correctness
• User verifies proof locally
• No trust needed

Status: Research phase

3. Decentralized RPC maturity (1-2 years)

Pocket, Lava networks mature:

• 99.9%+ reliability
• Competitive performance
• Economic sustainability

4. Multi-provider as standard (now)

Industry best practice:

• All dApps use 2+ providers
• Failover logic required
• Security audits check RPC resilience

For BlockEden

Security-first differentiation:

1. Zero-knowledge RPC

• Minimal logging (24 hour deletion)
• No IP linking to addresses
• Anonymous Tor access
• Privacy tier

2. Geographic redundancy

• Nodes in 5+ countries
• Multiple cloud providers
• Regulatory arbitrage

3. Transparent audits

• Publish infrastructure architecture
• Security practices documentation
• Incident post-mortems
• Third-party security audits

4. Censorship resistance policy

• Won’t censor unless legally required
• Publish if forced to censor
• 30-day migration notice
• Support user exit

5. Warrant canary

• Daily: “BlockEden has not received government requests as of DATE”
• If missing, users know something happened

This builds trust with security-conscious users.

The Bottom Line

RPC providers have power to:

• Censor your transactions
• Steal your data
• Return fake information
• Track all activity

We trust them because we have no choice.

This is unacceptable for “decentralized” Web3.

Solutions exist but adoption is low.

Until we fix this, Web3 is just renting decentralization from centralized providers.

Sophia

From DeFi protocol perspective: We’re completely dependent on RPC infrastructure.

Our RPC Dependency Reality

Our $500M TVL protocol makes:

• 50M RPC requests/day
• 1.5B requests/month
• Every single operation depends on RPC

If RPC fails:

• Users can’t deposit
• Can’t withdraw
• Can’t check positions
• Protocol effectively offline

RPC reliability = Protocol reliability

The Cost Structure

RPC costs over 3 years:

Year 1: $1,200/month

• Growing protocol
• Paid tier sufficient

Year 2: $8,500/month

• Multi-chain expansion
• Enterprise tiers
• Multiple providers

Year 3: $18,000/month (current)

• High traffic
• Redundancy requirements
• Archive data needs

RPC is now our 2nd largest infrastructure cost after servers.

The Multi-Chain Complexity

We’re on 4 chains:

• Ethereum (primary)
• Arbitrum
• Optimism
• Polygon

RPC setup:

• Infura: Ethereum, Arbitrum, Optimism ($8K/month)
• Alchemy: Polygon, backup Ethereum ($6K/month)
• BlockEden: All chains backup ($2.5K/month)
• Self-hosted: Ethereum only ($1.5K/month)

Total: $18K/month

Managing 3 providers + self-hosted = operational nightmare.

What Happened During the Rate Limit Crisis

March 2024 market volatility:

Normal day:

• 50M requests
• Spread across providers
• Everything fine

High volatility day:

• 180M requests (3.6x spike)
• Users checking positions constantly
• Liquidations happening
• Trading volume surging

What happened:

Hour 1:

• Infura hits rate limit
• Failover to Alchemy
• Alchemy immediately hits limit too

Hour 2:

• Both providers throttling
• Request latency: 200ms → 3,000ms
• Users: “App is broken”
• Some liquidations delayed

Hour 3:

• Emergency upgrade to higher tier
• Cost: $8K → $25K/month
• But needed to keep protocol working

After incident:

• Implemented aggressive caching (60% reduction)
• Added BlockEden as 3rd provider
• Now pay $18K/month steady state
• But ready for $40K/month during spikes

RPC costs can spike 5x during volatility.

The Performance Impact on DeFi

Latency directly affects liquidations:

200ms RPC latency:

• Liquidation trigger: Instant
• Position closed: Before loss grows
• Protocol protected

800ms RPC latency:

• Liquidation trigger: Delayed
• Position underwater more
• Higher bad debt risk

Every 100ms of latency = higher protocol risk.

We measured:

• 99% of successful liquidations: <300ms RPC latency
• Failed/late liquidations: >500ms RPC latency

Fast RPC = protocol solvency.

The Data Accuracy Problem

We found data inconsistencies:

Cross-provider checks:

• Query same data from 3 providers
• Compare results
• Alert if mismatch

Found in 2024:

• 12 instances of mismatched data
• Usually block height differences (stale data)
• 2 instances of actual wrong balances

One specific case:

Provider A: User has 100 ETH
Provider B: User has 100 ETH
Provider C: User has 95 ETH (wrong, cached old state)

If we had used only Provider C:

• Would have allowed over-borrowing
• Potential bad debt
• Protocol loss

Multi-provider verification saved us.

The Censorship Scenario for DeFi

What if RPC providers censor DeFi protocols?

Regulatory scenario:

• SEC: DeFi is unregistered securities
• Orders RPC providers to block DeFi contracts
• Infura, Alchemy comply

Effect:

• Users can’t access our protocol
• $500M TVL locked
• No way to withdraw
• Chaos

This isn’t far-fetched:

• Tornado Cash was censored
• DeFi could be next
• We have no defense except self-hosting

Our contingency:

• Maintain self-hosted node
• Emergency mode: Direct users to our node
• Can serve limited traffic (not scalable)

What We Wish RPC Providers Offered

1. DeFi-specific SLAs

Current SLAs:

• 99.5% uptime (too low for DeFi)
• Best effort response time
• No guarantees during high load

Need:

• 99.95%+ uptime with financial penalties
• Guaranteed response times
• Priority during volatility (when we need it most)

2. Real-time health dashboards

Current:

• No visibility into provider health
• Find out when requests start failing
• Reactive, not proactive

Need:

• Real-time status per chain
• Advance warning of degradation
• Automatic failover triggers

3. Archive data at scale

Current cost:

• Archive queries: $500+/month per provider
• Grows with usage
• Very expensive at our scale

Need:

• Reasonable archive pricing ($200/month)
• Or separate archive-specific providers
• BlockEden could differentiate here

4. Liquidation-priority tier

DeFi-specific:

• Liquidation transactions get priority routing
• Lower latency guarantee
• Higher rate limits during volatility

We’d pay premium for this:

• Current: $18K/month
• Would pay: $30K/month for DeFi-optimized tier

The Multi-Provider Strategy

Our current approach:

Primary (60% traffic): Infura

• Reason: Reliable, fast, multi-chain
• Cost: $8K/month

Secondary (25% traffic): Alchemy

• Reason: Backup, good for Polygon
• Cost: $6K/month

Tertiary (10% traffic): BlockEden

• Reason: Multi-chain, competitive pricing
• Cost: $2.5K/month

Quaternary (5% traffic): Self-hosted

• Reason: Censorship resistance, critical ops
• Cost: $1.5K/month

Smart routing:

• Read requests: Fastest available
• Write requests: Most reliable (usually self-hosted)
• Critical checks: Query all 3, compare

This gives us:

• 99.96% effective uptime
• Censorship resistance (self-hosted fallback)
• Performance optimization
• Cost: $18K/month

Complex but necessary.

For BlockEden

How to win DeFi protocols:

1. DeFi-optimized tier

• 99.95%+ uptime SLA
• <200ms latency guarantee
• Priority during volatility
• Financial penalties for SLA breach

Pricing: $5K-10K/month (we’d pay)

2. Real-time health API

• Endpoint: /health/status
• Returns: Current latency, error rate, queue depth
• Update: Every second
• Let us make smart routing decisions

3. Archive data bundled

• Include archive access in enterprise tier
• Not separate add-on
• Reasonable pricing

4. Multi-chain consistency

• Same API across all chains
• Same performance guarantees
• Easy to add new chains

5. DeFi-specific features

• Transaction simulation before sending
• Liquidation priority routing
• Position monitoring webhooks

We’d switch majority of traffic to BlockEden if you had these.

The Bottom Line

DeFi protocols are completely dependent on RPC providers.

Our $500M protocol:

• Makes 1.5B RPC requests/month
• Pays $18K/month
• Would pay $30K+ for better guarantees

When RPC fails, DeFi stops.

Solutions:

• Multi-provider setup (doing this)
• Self-hosted for critical ops (doing this)
• Better RPC provider offerings (need this)

RPC providers: DeFi is your high-value customer.

Build for us and we’ll pay premium.

Diana