By AUJay
Summary: Selecting a blockchain partner in 2026 requires procurement rigor and engineering depth—today’s RFP must probe for post-Dencun cost models, Pectra-era account features, ZK-readiness, and SOC 2/SSDF-aligned SDLC. Below is a pragmatic, high-signal checklist your team can reuse to cut risk, compress timelines, and maximize ROI.
RFP Guide: 50 Questions to Ask Your Blockchain Development Partner
Target audience: Enterprise procurement, CTOs, CISOs, and PMOs. Keywords included by design: SOC 2 (Type II), ISO 27001, SLAs/SLOs, SSDF (NIST SP 800-218), SLSA, ROI, TCO, data residency, DPA.
Your last RFP looked solid—until the build hit 2025–2026 realities
- Ethereum L2 fees collapsed post-Dencun (EIP-4844 blobs), but not uniformly across stacks; budgeting off 2023–2024 calldata economics is now wrong by orders of magnitude. Mispricing blob-era data can blow unit economics or cause unnecessary over-optimization. (ethereum.org)
- Optimistic-rollup withdrawals still impose a ~7-day challenge window on L1 exits—critical for treasury ops, exchange listings, and user refunds; failing to model this in SLAs leads to incident escalations and reputational damage. (ethereum.org)
- SELFDESTRUCT behavior changed (EIP-6780). Legacy “metamorphic” upgrade patterns break; an unaware vendor can orphan upgrade paths or violate your change-control policy. (eips.ethereum.org)
- Account UX changed again post-Pectra: ERC‑4337 infrastructure matured, and EIP‑7702 lets EOAs temporarily act like smart accounts. If your partner can’t leverage bundlers/paymasters safely, your activation funnels and CAC will suffer. (ethereum.org)
- Security loss events continue to trend upward at the “big game” end; 2025 saw multi‑billion thefts led by DPRK-linked operators. An RFP that doesn’t force measurable security posture (SOC 2, SSDF, SLSA, supply-chain attestations) invites board-level risk. (chainalysis.com)
What that risk means for deadlines, spend, and compliance
- Missed milestones: Incomplete cost modeling (blob vs calldata) shows up late—in load tests and finance reviews—triggering scope churn and multi-sprint rework. (ethereum.org)
- Budget bleed: Using storage flips and generic guards where EIP‑1153 transient storage or MCOPY would suffice leaves 10–100x gas on the table across hot paths, inflating opex. (eips.ethereum.org)
- Compliance gaps: Auditors now expect SSDF-aligned secure SDLC, SLSA build provenance, and SOC 2 Type II controls mapped to the Trust Services Criteria—especially Availability and Security. An “audit later” stance risks failed customer security reviews and stalled procurement. (csrc.nist.gov)
- GTM friction: Without 4337/7702 competencies (sponsored gas, session keys, recovery), you add clicks, drop conversions, and increase support tickets; treasury ops then battle L2→L1 latency surprises. (ethereum.org)
7Block Labs’ technical-but-pragmatic delivery
We align procurement, engineering, and GTM from day one, grounded in current protocol realities.
Architecture & economics baseline
- Blob-era cost modeling (EIP‑4844/7516) and L2 fee sensitivity analysis; we instrument unit economics into sprints and dashboards. (ethereum.org)
- Exit latency plans for Optimistic vs ZK stacks, including liquidity-provisioned fast exits where needed. (docs.optimism.io)
- Upgradeability that survives EIP‑6780 (UUPS/diamond patterns), with explicit governance and rollback procedures. (eips.ethereum.org)
Secure-by-default SDLC (SOC 2 + SSDF + SLSA)
- Map build pipelines to SSDF (NIST SP 800‑218) tasks; deliver SLSA provenance and SBOMs for each release. (csrc.nist.gov)
- Continuous verification: Slither/Echidna in CI with detectors for modern features (4337, transient storage), plus coverage and invariant gates. (github.com)
- Multi-verifier source publication via Sourcify + Etherscan to reduce supply-chain trust assumptions. (docs.sourcify.dev)
Wallets and UX (Pectra/4337/7702-aware)
- Bundler and paymaster selection and quotas; gas-sponsorship budgeting; fraud/abuse controls; session key policies mapped to SOC 2 change management. (ethereum.org)
Cross-chain risk management
- Prefer defense-in-depth messaging with CCIP’s Risk Management Network or LayerZero DVNs where appropriate, modeling X‑of‑Y‑of‑N verifier thresholds and ops runbooks. (blog.chain.link)
Gas optimization that matters to ROI
- EIP‑1153 transient storage for reentrancy guards/transaction-scoped flags; OpenZeppelin Contracts 5’s custom errors and reduced SLOAD patterns; via‑IR compiler pipeline (Solidity ≥0.8.26). (eips.ethereum.org)
- SSTORE2 for large, immutable data blobs (on‑chain catalogs, Merkle proofs) to avoid 20k‑gas storage sets and shrink calldata. (github.com)
Delivery with measurable SLAs
- SLOs on end‑user confirmation time (L2), L1 finality expectations (ZK), on-call runbooks, RTO/RPO targets, and data residency controls.
Where it plugs into your procurement
- For build and integration scopes, see our custom blockchain development services and blockchain integration.
- For protocol and dApp fronts, see dApp development and smart contract development.
- For DeFi rails, wallets, and cross‑chain, see DeFi development services, DEX development, and cross-chain solutions.
- For hardening, see our security audit services.
Proof: GTM and engineering metrics we deliver in pilots
- Unit economics after Dencun: fee-per-action (transfer/swap/mint) and blob sensitivity (p50/p95) on chosen L2(s), with expected 90–98% reductions vs pre‑Dencun calldata for comparable traffic classes. We tie these to CAC/LTV models to support budget approvals. (thedefiant.io)
- Activation and retention: 4337/7702 funnel metrics—% sponsored actions, recovery success rate, mean time to transact post‑KYC.
- Operational reliability: mean confirmation time (user‑visible) vs L1 finalization (back‑office), withdrawal latency distributions for ORUs, and incident MTTR.
- Security posture: SSDF task coverage; SLSA provenance rate; SOC 2 control evidence mapped to TSC categories (Security and Availability baseline). (aicpa-cima.com)
Below: the 50 most useful RFP questions we suggest you paste into your procurement doc.
The 50 questions (Technical but Pragmatic)
Strategy and ROI (5)
1) Which user actions land on L2, what is their p50/p95 gas in a post‑Dencun world, and what blob price assumptions (BLOBBASEFEE) are you using in your cost model? Provide a sensitivity table. (eips.ethereum.org)
2) What KPI tree will you wire (e.g., cost per successful on‑chain action, activation-to-transaction conversion, on‑chain churn) and how does it map to executive ROI?
3) How will you validate the 7‑day L2→L1 challenge window impact on refunds, settlements, and treasury liquidity? Include SLAs and workarounds (LP-based fast exits). (docs.optimism.io)
4) What’s your approach to feature flagging on-chain (e.g., via storage/version slots) to A/B test economic parameters without redeployments?
5) Show a 12‑month TCO that includes audit, infra, incident response, and compliance reporting, not just build hours.
Architecture and chain selection (8)
6) Which rollup(s) match our workload profile? Contrast ZK (faster L1 withdrawals) vs Optimistic (fault proofs) and quantify user/ops impact. (ethereum.org)
7) Provide a Dencun-aware data strategy: how do you minimize calldata, leverage blobs upstream, and handle DA outages/price spikes? (ethereum.org)
8) How will you protect upgradeability after EIP‑6780 removed durable SELFDESTRUCT patterns? Show UUPS or diamond governance diagrams. (eips.ethereum.org)
9) What is your L2 fee backoff strategy under blob market congestion?
10) Are we using ERC‑2535 (diamond) for modularity, and how is DiamondCut access controlled (multisig/Timelock/Guardian)? (eips.ethereum.org)
11) How do you model bridge dependencies and choose between CCIP RMN vs LayerZero DVNs? Include verifier thresholds and failure modes. (blog.chain.link)
12) Will we maintain read replicas and archival data for analytics without overpaying for L1 access (post‑Dencun)?
13) What’s your approach for on-chain verification (Sourcify + Etherscan multi-verifier) to reduce explorer lock‑in? (docs.sourcify.dev)
Solidity engineering depth (6)
14) Which compiler channel and flags (via‑IR, optimizer runs) are standard? Justify Solidity ≥0.8.26 for require() with custom errors and IR optimizer benefits. (soliditylang.org)
15) Where do you adopt EIP‑1153 transient storage (TSTORE/TLOAD) to replace hot SSTORE/SLOAD patterns (reentrancy locks, single‑tx approvals)? Show gas diffs. (eips.ethereum.org)
16) How do you use MCOPY (EIP‑5656) for tight memory operations and calldata slicing? (chaincatcher.com)
17) What’s your policy on custom errors vs revert strings (bytecode size, deploy cost)? Reference library experience (e.g., OZ Contracts 5). (openzeppelin.com)
18) When do you choose SSTORE2 for large immutable data, and how do you mitigate code-size and load-time constraints? (github.com)
19) Show your storage layout discipline (packing, immutable, constants) and how you lock it with automated diff checks.
Account abstraction and wallets (5)
20) Which bundlers/paymasters will you use, and how will you cap gas sponsorship abuse? Provide logs/alerts and reimbursement rules. (alchemy.com)
21) How will you exploit EIP‑7702 to add smart‑account features to EOAs without migrations? Detail fallback to 4337 infra. (ethereum.org)
22) What is your session‑key policy (durations, scopes), and how is it audited under SOC 2 CC6/CC7? (cbh.com)
23) How do you handle recovery UX with minimal PII while meeting our DPA/GDPR obligations?
24) Describe phishing/blind-signing mitigations (human-readable transactions, metadata registries). Cite verification UX via Sourcify/Verified Alliance. (docs.sourcify.dev)
Security engineering and audits (8)
25) Provide an SSDF (SP 800‑218) mapping for our project stages and artifact outputs (threat models, STRIDE, abuse cases). (csrc.nist.gov)
26) What SLSA level will our builds reach, and how will you deliver provenance attestations (e.g., Sigstore) with each release? (openssf.org)
27) List static/dynamic tools (Slither 0.11, Echidna ≥2.1), detectors used (4337/paymaster, transient storage), and required thresholds (no high/critical). (github.com)
28) How do you integrate formal methods or invariant testing for critical invariants (supply caps, accounting, oracle bounds)?
29) What’s your process for 3rd‑party audits and public disclosures?
30) Reference your SWC coverage strategy and how you mitigate patterns not well-caught by SWC (business-logic, oracle manipulation). (diligence.consensys.io)
31) How do you handle key material (admin, guardians, signers)? HSMs vs MPC, rotation cadence, emergency revoke?
32) Provide an incident response plan aligned to our SLAs, including L2 halt/regen scenarios and bridge exploit playbooks.
Compliance and governance (6)
33) Are you SOC 2 Type II? If not, how will you operate under our SOC 2 scope and provide evidence mapped to TSC Security + Availability? (aicpa-cima.com)
34) Map roles/responsibilities to CC1–CC9 (Change Management, Logical Access, System Operations). Provide sample evidence (tickets, approvals). (cbh.com)
35) How will you implement SSDF practices (PO/PS/PW/RV) and report coverage per sprint? (csrc.nist.gov)
36) Provide DPAs and data residency statements for logs, analytics, and off-chain services.
37) What is your vulnerability disclosure and patch SLA under our MSA?
38) Explain how governance for upgrades works (timelocks, multi‑sig, emergency pause) and aligns to our change windows.
DevEx, CI/CD, and observability (4)
39) What is your Hardhat/Foundry workflow, gas-reporting discipline, and pre‑merge gates?
40) How do you wire continuous verification (Sourcify) and multi-explorer publishing in CI? (docs.sourcify.dev)
41) What runtime telemetry will we have (Tx success, revert codes, gas trends) and what alerts tie to SLOs?
42) How will you test across clients (Geth/Besu/Nethermind/Reth) and simulate blob-fee volatility?
Delivery, SLAs, and SRE (4)
43) Provide environment strategy: ephemeral testnets, Holesky/Sepolia, L2 staging with seeded data sets.
44) Define SLOs: p95 user confirmation time (L2), acceptable reorg depth, and withdrawal time distributions; include on-call schedules.
45) Disaster recovery: RTO/RPO for indexers, RPC, and verifiers; vendor-of-last-resort plans.
46) How do you maintain compliance artifacts continuously (SOC 2 evidence locker, SLSA attestations) for audit readiness?
Cross‑chain and integrations (4)
47) Which bridging stack fits our risk tolerance—CCIP with RMN vs LayerZero DVNs—and what thresholding (X‑of‑Y‑of‑N) will we enforce? (blog.chain.link)
48) What’s your plan to monitor bridge health, pause routes, and execute clawbacks where possible?
49) How will you segregate cross‑domain admin privileges to avoid implicit trust escalations?
50) Provide a test matrix for message ordering, idempotency, replay protection, and payload size limits under blob-era conditions.
Practical examples to demand in RFP responses
Post‑Dencun cost model (actionable)
- Ask the vendor to show a before/after unit‑economics table for your top 5 transactions (e.g., register, mint, swap, claim, withdraw) on your chosen L2(s), with blob base‑fee sensitivity and traffic multipliers. Expect that the vendor references EIP‑4844 and can read BLOBBASEFEE where relevant to rollup components. (ethereum.org)
Safer upgrade path after EIP‑6780
- Require a diagram comparing your legacy upgrade approach vs. UUPS or ERC‑2535 diamonds, including admin key ceremonies, timelocks, and emergency pause flows. This prevents reliance on now‑broken SELFDESTRUCT-based “metamorphic” patterns. (eips.ethereum.org)
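The shape of the upgrade path this item (and questions 8 and 38) asks vendors to diagram, as an added example rather than 7Block Labs’ or OpenZeppelin’s own code. It assumes OpenZeppelin Contracts Upgradeable v5 is installed, that the `timelock` address passed to `initialize` is a deployed TimelockController, and that the `guardian` role, the `TreasuryV1` name and the `withdraw` function are hypothetical. The point is structural: the sole upgrade gate is `_authorizeUpgrade`, owned by the timelock; the guardian can only pause; and nothing in the implementation relies on SELFDESTRUCT, which after EIP‑6780 no longer clears code or storage outside its creating transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

// Added example; assumes OpenZeppelin Contracts Upgradeable v5 import paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {PausableUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";

/// Hypothetical treasury contract behind an ERC-1967 proxy (UUPS pattern).
/// Upgrade authority = owner = TimelockController; pause authority = guardian.
contract TreasuryV1 is Initializable, OwnableUpgradeable, PausableUpgradeable, UUPSUpgradeable {
    error NotGuardian(address caller);
    error TransferFailed();

    address public guardian;   // pause-only role, deliberately separate from the upgrade key
    uint256 public version;

    // Reserved slots: V2 may append state below this gap without shifting V1's layout.
    // Lock the layout in CI (e.g., diff the compiler's storage-layout output between versions).
    uint256[48] private __gap;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // the bare implementation can never be initialized directly
    }

    /// Called once through the proxy. `timelock` becomes owner, so every upgrade
    /// and every privileged action waits out the timelock delay and is visible on-chain.
    function initialize(address timelock, address guardian_) external initializer {
        __Ownable_init(timelock);
        __Pausable_init();
        __UUPSUpgradeable_init();
        guardian = guardian_;
        version = 1;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, NotGuardian(msg.sender));
        _;
    }

    /// Emergency brake: fast, but can only stop the contract, not change it.
    function pause() external onlyGuardian {
        _pause();
    }

    /// Recovery goes the slow way, through the timelock.
    function unpause() external onlyOwner {
        _unpause();
    }

    function withdraw(address payable to, uint256 amount) external onlyOwner whenNotPaused {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, TransferFailed());
    }

    receive() external payable {}

    /// The single upgrade gate. Restricting it to the timelock owner is what makes
    /// the upgrade path auditable; there is no SELFDESTRUCT-based "redeploy in place"
    /// here, because EIP-6780 removed that behaviour.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}
```

Questions worth pairing with the diagram: who holds the timelock’s proposer and executor roles, what the delay is, whether the guardian key lives in an HSM or MPC setup (question 31), and how the storage-layout check is enforced before `upgradeToAndCall` is proposed.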
Gas optimization that moves the needle
- Have the vendor replace a traditional ReentrancyGuard (storage boolean toggles) with EIP‑1153 transient storage flags; show gas deltas in a micro-benchmark suite, plus OZ Contracts 5 custom‑error adoption and via‑IR compile settings. Your RFP should ask for exact compiler configs and gas reports. (eips.ethereum.org)
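The benchmark pair this item describes (and that questions 14, 15 and 17 probe), as an added example that is not 7Block Labs’ code: a storage-boolean guard next to an EIP‑1153 transient-storage guard, both using the `require(cond, CustomError())` form introduced in Solidity 0.8.26, with a hypothetical `Vault` consuming the transient one. It assumes a Cancun-capable EVM target and the via‑IR pipeline (0.8.26 requires via‑IR for that `require` form). The transient slot label is a constructed value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;
// Compile with evm_version = cancun (the 0.8.26 default) and via_ir = true.

/// Baseline the RFP asks the vendor to replace: a persistent-storage lock.
/// Every guarded call pays an SLOAD plus two SSTOREs (thousands of gas even when warm).
abstract contract StorageReentrancyGuard {
    error ReentrantCall();

    // Non-zero sentinels avoid the 20k zero->non-zero SSTORE on each entry,
    // but the entry/exit writes still hit persistent storage.
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status == NOT_ENTERED, ReentrantCall());
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

/// EIP-1153 replacement: the lock lives in transient storage, which costs 100 gas
/// per TLOAD/TSTORE and is discarded when the transaction ends, so nothing is ever
/// persisted and no refund accounting is involved.
abstract contract TransientReentrancyGuard {
    error ReentrantCall();

    // Constructed label; any slot unique within this contract's transient space works.
    bytes32 private constant LOCK_SLOT = keccak256("example.transient.reentrancy.lock");

    modifier nonReentrant() {
        bytes32 slot = LOCK_SLOT;
        uint256 locked;
        assembly ("memory-safe") {
            locked := tload(slot)
        }
        require(locked == 0, ReentrantCall());
        assembly ("memory-safe") {
            tstore(slot, 1)
        }
        _;
        // Explicit release: transient state survives across calls within the same tx,
        // so a guard that forgot this line would block later calls in a batch.
        assembly ("memory-safe") {
            tstore(slot, 0)
        }
    }
}

/// Hypothetical consumer used for the micro-benchmark.
contract Vault is TransientReentrancyGuard {
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();

    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    /// Checks-effects-interactions plus the transient guard; the external call at the
    /// end is exactly where a storage guard would otherwise be paying for SSTOREs.
    function withdraw(uint256 amount) external nonReentrant {
        uint256 bal = balances[msg.sender];
        require(amount <= bal, InsufficientBalance(amount, bal));
        balances[msg.sender] = bal - amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, TransferFailed());
    }
}
```

For the gas report, have the vendor compile a second `Vault` that inherits `StorageReentrancyGuard` and diff the two `withdraw` costs under the same compiler settings; the custom errors also show up as smaller bytecode than revert strings. Solidity 0.8.28 and later can express the lock with the `transient` data location instead of inline assembly, and OpenZeppelin Contracts 5.1 ships a `ReentrancyGuardTransient` for teams that prefer a library implementation.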
AA (4337/7702) conversion impact
- Ask for a pilot that measures the % of transactions executed with sponsored gas, failure rates by bundler, and how EIP‑7702 routes legacy EOAs into a smart‑account flow. Tie this to reduced drop‑off and support tickets. (ethereum.org)
Cross‑chain defense in depth
- Require a comparison of CCIP’s independent Risk Management Network vs LayerZero DVNs for your message types (idempotency, payload size), including X‑of‑Y‑of‑N verifier thresholds and operational controls. (blog.chain.link)
Verification and supply‑chain
- Demand multi‑verifier publication (Sourcify → Etherscan/Blockscout) in CI with provenance attestations (SLSA), and an SSDF control map to satisfy audit and customer questionnaires. (docs.sourcify.dev)
Emerging best practices to insist on
- Be blob‑aware in every estimate: post‑Dencun, most L2s saw 90–99% median fee reductions for common actions; don’t accept pre‑2024 calldata math in proposals. (thedefiant.io)
- Prefer ZK where L1 exit latency is a business constraint (exchanges, settlements); document fallback LPs for Optimistic fast exits and reflect them in SLAs. (docs.optimism.io)
- Treat EIP‑6780 as a hard boundary—no metamorphic patterns. Use UUPS or diamonds with explicit governance and audit trails. (eips.ethereum.org)
- Use Solidity ≥0.8.26, via‑IR, custom errors, and modern libraries (OZ 5) to shrink bytecode and runtime costs. (soliditylang.org)
- Codify SSDF tasks, SLSA provenance, and SOC 2 evidence from day 1; this is now table stakes for enterprise security reviews. (csrc.nist.gov)
- For large immutable data on-chain, use SSTORE2 to minimize storage costs; document limits (e.g., code-size) and retrieval paths. (github.com)
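What “SSTORE2 with documented limits and retrieval paths” looks like in practice (also the substance of question 18), as an added example that is not 7Block Labs’ code nor the SSTORE2 library itself. It is a minimal reimplementation of the pattern: the data is deployed as the runtime bytecode of an inert contract and read back with EXTCODECOPY, so the cost is one CREATE plus the code-deposit charge (200 gas per byte) rather than a 20k-gas SSTORE per 32-byte word. The library name `DataStore2` and the `ProofCatalog` consumer are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.26;

/// Minimal SSTORE2-style store (added example, not the SSTORE2 library's code).
library DataStore2 {
    error DataTooLarge(uint256 size, uint256 limit);
    error DeployFailed();
    error ReadOutOfBounds();

    /// EIP-170 caps deployed runtime code at 24,576 bytes; one byte goes to the
    /// leading STOP, so this is the hard payload limit to document in the RFP.
    uint256 internal constant MAX_DATA = 24_576 - 1;

    /// Writes `data` once; returns the address whose code holds it.
    function write(bytes memory data) internal returns (address pointer) {
        require(data.length <= MAX_DATA, DataTooLarge(data.length, MAX_DATA));
        uint256 runtimeSize = data.length + 1; // STOP byte + payload

        // 10-byte init code: PUSH2 size, DUP1, PUSH1 0x0a, RETURNDATASIZE, CODECOPY,
        // RETURNDATASIZE, RETURN. It copies everything after itself (offset 0x0a)
        // to memory and returns it as the runtime code.
        bytes memory creationCode = abi.encodePacked(
            hex"61", uint16(runtimeSize), hex"80600a3d393df3",
            hex"00", data // STOP prefix makes the blob inert if anyone calls it
        );
        assembly ("memory-safe") {
            pointer := create(0, add(creationCode, 0x20), mload(creationCode))
        }
        require(pointer != address(0), DeployFailed());
    }

    /// Copies `len` bytes of payload starting at `start` (skipping the STOP byte).
    /// Slicing here is the cheap retrieval path: EXTCODECOPY only the bytes needed.
    function readRange(address pointer, uint256 start, uint256 len)
        internal
        view
        returns (bytes memory data)
    {
        uint256 codeSize = pointer.code.length;
        require(codeSize > 0 && start + len + 1 <= codeSize, ReadOutOfBounds());
        data = new bytes(len);
        assembly ("memory-safe") {
            extcodecopy(pointer, add(data, 0x20), add(start, 1), len)
        }
    }

    function read(address pointer) internal view returns (bytes memory) {
        uint256 codeSize = pointer.code.length;
        require(codeSize > 0, ReadOutOfBounds());
        return readRange(pointer, 0, codeSize - 1);
    }
}

/// Hypothetical on-chain catalog of Merkle roots, written once at deploy time.
/// Capacity: MAX_DATA / 32 = 768 roots per pointer; larger catalogs need several pointers.
contract ProofCatalog {
    error IndexOutOfBounds(uint256 index);

    address public immutable pointer;
    uint256 public immutable count;

    constructor(bytes32[] memory roots) {
        // encodePacked of a bytes32[] is the plain concatenation of the 32-byte words.
        pointer = DataStore2.write(abi.encodePacked(roots));
        count = roots.length;
    }

    /// O(1) lookup: copies exactly one 32-byte word out of the stored blob.
    function root(uint256 index) external view returns (bytes32 r) {
        require(index < count, IndexOutOfBounds(index));
        bytes memory word = DataStore2.readRange(pointer, index * 32, 32);
        assembly ("memory-safe") {
            r := mload(add(word, 0x20))
        }
    }
}
```

Two things to ask the vendor to state explicitly alongside this pattern: the blob is immutable by construction (updating means deploying a new pointer and rotating the reference), and since EIP‑6780 a pointer contract cannot be destroyed after its creating transaction, so “delete and redeploy at the same address” is not an available cleanup path.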
Where 7Block plugs in, concretely
- End‑to‑end build and ROI linkage: web3 development services, blockchain development services, and smart contract development.
- DeFi rails and cross‑chain: DeFi development services, DEX development, cross-chain solutions development, and blockchain-bridge development.
- Security and readiness: security audit services, plus governance & compliance embedded in delivery.
Final note on risk posture
Losses spiked in 2025 at the “big game” end; your RFP must force architectural and process maturity—bridges, governance keys, and supply-chain attestations are non‑negotiable. (chainalysis.com)
Call to action (Enterprise): Book a 90-Day Pilot Strategy Call.