Compiler: Perry Wang
Compiler: Perry Wang

Before starting to read this article, I personally strongly recommend reading our previous article on Miner Extractable Value (MEV) (Chinese version published by Lianwen), the article announcing the founding of Flashbots, and this podcast to learn about Flashbots (Flashbots is an organization that aims to defend the transparency of the MEV ecosystem) ecosystem and MEV. The article discusses some of the more intricate details about Flashbots, MEV extraction, and how they interact with Ethereum consensus.

On June 29, 2021, an interesting idea popped up in the Flashbots Discord:

Austin Williams: There's this horrible idea that it's a flashbots feature - a searcher can pay a miner to not include a tx with a given hash in a given block. If the tx is not in the target block, the miner gets paid.

The idea of ​​using Flashbots to incentivize censorship is kind of scary. This also runs counter to Flashbots' mission of mitigating the negative externalities caused by MEVs. Still, as another community member was quick to point out, such censorship is not economically viable because it would require paying more than a searcher or user wanting to include the same transaction:

The crisis is over!

image description

Instead of censoring transactions in the future, there is an incentive to censor/replace past transactions.

image description

Implementing the incentive restructuring meant building the necessary infrastructure on top of Flashbots' MEV-Geth

Those posts were followed by a story about chaotic Twitter rage, brilliant independent hackers, and some of the best examples of why social consensus is as important as algorithmic consensus in cryptocurrencies.

first level title

GHOST and the uncle block that travels through time and space

In its current state, Ethereum is a proof-of-work system that uses the Nakamoto consensus; this means that the network consensus among the miners securing the network relies on raw computing power. This also means that transactions have only probabilistic finality; the longer a transaction has been included in a block, the less likely it is to be reverted. Therefore, users on proof-of-work blockchains are generally advised to wait before considering a transaction as "completed". On Ethereum, it is generally safe to assume that transactions are finalized after 7 blocks have been confirmed.

In a proof-of-work system, two miners may concurrently mine valid blocks and attempt to propagate those blocks to the network. What ends up happening is that the network is left with two valid blocks, but only one can be added to the chain until the next mining competition begins. This means that a block mined by one of them must become "stale" or be discarded. This is not great for two reasons. First, miners producing stale blocks are wasting their resources for nothing! Second, it makes the network prone to centralization risks, as miners rush to ensure they have enough computing power to avoid producing obsolete blocks. For more information on this, check out this.

On the Bitcoin network, 10-minute block times and sub-minute propagation times make the probability of stale blocks fairly low. However, on Ethereum, where block times are much shorter — about 12 to 13 seconds — the probability of stale blocks being produced is much higher. This makes the aforementioned issues of resource waste and centralization even more relevant. Ethereum solves this problem by using a modified version of the GHOST (greediest re-observed subtree) protocol. The GHOST protocol was designed in 2013 to solve the precise problem of stale blocks in fast block time chains, the basic premise is simple: the "longest" chain accepted by miners is the chain with the highest cumulative proof-of-work difficulty, including A stale block that is a descendant of the current block's ancestor. Such blocks are called "uncle blocks". Ethereum uses a variant on GHOST that uses the same principle to select the chain with the longest difficulty, but does not include uncle blocks in the difficulty calculation. It assigns some block rewards to uncle blocks, making transactions in those blocks accessible, but not those in the main chain. The process of adopting a new "longest" chain and ignoring stale blocks is called a chain reorganization.

So what does this have to do with MEV?

There are two main ways network users can be incentivized to take advantage of uncle blocks and reorgs. The first one, which has already happened in practice and is much less threatening, is called "Uncle Bandits" and is exclusively enabled by Flashbots. As of mid-July 2021, Flashbots is backed by ~86% of Ethereum hashrate using its MEV-Geth client; however, it is still possible that Flashbots bundles will be included in uncle blocks, creating opportunities for Uncle Bandits. This was originally detailed in a post by Robert Miller. Since a transaction included in an uncle block does not change the state of Ethereum, but is still visible to others and is a valid transaction, a savvy MEV searcher can look at the uncle block Flashbots bundle and publish a new bundle that includes the original bundle Uncle Bandits alone are no protocol threat; in the end, they are the result of bundles being probabilistically included in uncle blocks, while others capture opportunities for marginalization. However, the Uncle Bandits' dirty cousin, the time bandit, is even more worrisome. As detailed in MEV’s seminal research paper, time banditry is a theoretical attack that occurs when rewards from MEV begin to exceed block rewards. The premise of the Time Bandit attack is that a miner with access to a significant amount of Ethereum computing power can reverse time in Ethereum by attempting to re-mine previous blocks, capture all MEV in those blocks, and reorganize the chain. The simplest approach is to lease 51% of the computing power; in doing so, the attacker returns a certain number of blocks, captures all MEV profits between now and those blocks in the past, and uses that profit to subsidize the attack.

Approximate percentage of transaction fees as MEV profit. Source: Flashbots

As the graph above shows, MEV profits are becoming a larger and larger portion of miners’ economic rewards, making time bandit attacks and reorganizations an ever-increasing threat. This also means that it should theoretically be possible to bribe miners to reorganize the chain. The strategy is to wait for other users to submit profitable bundles, pay miners to reorganize the chain, and then conduct uncle or time bandit attacks for profit. This is where our drama begins.

After Nathan initially floated the idea of ​​modifying MEV-Geth that could inspire a reorganization of Uncle/Time Bandits, Searchers immediately set about developing the software, while Crypto Twitter was embroiled in a heated debate. This meme accurately sums up most of the sentiment in the community:

Popular Twitter user MEV Intern expressed concerns about introducing such software without the tools to defend against it; after all, while such incentivized reorganizations are technically allowed within consensus limits, they also do destabilize the protocol , and may be stress-testing Ethereum too much by creating scenarios where security assumptions around miner behavior are challenged.

Nonetheless, Pandora's box has been opened.

Not long after, two high-profile MEV strategists and researchers — Edgar Arout and 0xbunnygirl — posted their own personal versions to “request a reorganization.”

Edgar's repository is a fork of the MEV-Geth client created by Flashbots. The library has been made private, but the codebase is still a work in progress, which will enable MEV seekers to request reorganization of a certain number of blocks, omit certain transactions and add new ones, including payments to miners.

This in turn inspired 0xbunnygirl to launch a smart contract on Ethereum that would provide easy payment channels for this. The Request for Reorg contract will enable users to attach a request and provide associated rewards to miners and the blocks they want to reorg. Miners will then execute a time bandit and include transactions that enable them to claim rewards in the reorganization as well as required omitted/included transactions, and punish miners for dishonest behavior. Of course, this contract is also a proof of concept; miners can decide to be dishonest and review penalty transactions when rolling back state, and there is no coding in the actual contract to include a specific transaction or review another transaction.

Then…

Nothing happened.

Even without functional tools, people are not happy with these developments. Efforts to create restructuring incentive systems have drawn the ire of many prominent researchers, developers, and leaders in the field. Edgar would eventually shelve the agreement. Flashbots released an official statement decrying reorganizations as negative sums, emphasizing that they lead to game theory instability, systemic risk, and a possible reduction in miners’ long-term income. In response to the assertion that mining pools like Ethermine might just be building their own reorganization system requests, they responded as follows:

Social consensus, not algorithmic consensus, has halted the development of tools that appear to be harming Ethereum, and nothing more.

first level title

We will all make it, Anon

While all the developments and buzz surrounding the reorganization request may ultimately pose no threat, the question remains: How much time/uncle bandits do we have to worry about, now and in the future?

Well, it turns out, maybe not much. Let's see why.

economic considerations

MEV researcher 0x9116 has done some great rough expectation math on where reorganization might make sense. A quick recap of the post, assuming 30% hashrate (which Ethermine holds roughly) would require more than 3.3 times the total fees, plus 0.58 ETH.

Let's extend this example further. Given that controlling 51% of the network in a proof-of-work system achieves overall network control (and thus maximum MEV), let's see how the calculus changes when we get just below that, or 50%. In this case, we can use the same framework as in the thread above, with some modifications. Instead of assuming that we (as a time-bandit-hunting miner) will definitely get rewards from the next two blocks, as originally assumed, we relax the assumption and weight these outcomes with probability. The base block reward is 2 ETH.

Suppose there is a block A that we haven't mined yet, we have 50% of the computing power, and denote A's miner payment as X and the expected MEV payment as Y. We want to mine two blocks (either for time bandits). If we mine the next two blocks on top of A, we have a 50% chance of mining each block independently, so the expected payoff is 0.5 * (4 ETH + 2Y) or 2 ETH + Y. If we try a time bandit (and, as originally assumed 0x9116, exit if the next block B is mined):

• The next block B is mined with probability 0.5 before we can uncle A and replace it with A`. Then we go back to the first block, we just hope to mine the next two blocks fairly. In this case, the expected return is 0.5 * (0.5 * (4 + 2Y)) or 1 + 0.5Y.

• With probability 0.5 *0.5 = 0.25 A` is mined, but B is mined before we can mine B`. A` becomes B's uncle and gets a reward of 1.75 ETH, and you want to mine blocks after B. In this case, the expected return is 0.25 * (1.75 + 0.5 * (2 + Y)) or 0.6875 +0.125Y.

• With probability 0.25, we mine A` and C`. In this case, the expected return is 0.25 * (4 + X + Y) or 1 + 0.25X + 0.25Y.

This results in an expected payoff of 2.6875 + 0.875Y + 0.25X, which is necessarily greater than the expected payoff from honestly mining the next two blocks. This results in X > 0.5Y — a necessary condition for 2.875 ETH. This means that even though the hash rate is close to 51%, X is greater than half the MEV captured in the current block minus 2.875 ETH. While this happens occasionally, as of mid-July 2021, the cost of renting 51% of the network for 1 hour is about $1.1 million. This means that renting 50% of the computing power (maximizing the possibility of time bandits without completely hijacking consensus) will cost about $1 million. So the reorganization is worth X > $1M, or about 550 ETH at the time of writing. As the graph below shows, the total amount of MEV withdrawn per day is typically in the millions of dollars, so the cost of trying to lease 50% to start a time bandit is likely to far outweigh the benefits.

Of course, that’s not to say there isn’t a single block that justifies this cost. Events such as Justin Sun's $1 billion position in Liquity nearly being liquidated and having to pay $300 million to avoid losing his position would prevent opportunities for a reorganization at the end of the chain that would be profitable enough to subsidize the 50% lease. However, it is also unlikely that a single attacker could rent out 50% of the hash power — as it stands, the amount of Ethereum hash power available for rent at any given time on NiceHash is typically less than 10%.

If you want to parametrize here, I made a tool that allows you to determine the expected payoff of honestly mining two blocks versus the expected payoff of trying a time bandit attack on the most recent block, using the The share, the total miner payment is divided by time, and the expected miner payment for future blocks:

On the other hand, if it is possible to economically incentivize reorganization, it should likewise inhibit it.

Developer Daniel Goldman has turned 0xbunnygirl's original Request for Reorg contract upside down; called Deorg, it will allow any user to create a bounty paid to miners in a future block that will be cut if they are found to be malicious Rewards (indeed, Deorg does encode good behavior by requiring that the hash of a block be immutable at a certain height after a certain number of confirmations, which Daniel kindly pointed out) , but it does illustrate that most economic incentives for restructuring can be redesigned.

Another potential way to reduce the risk of reorganization is to adopt a "fee smoothing" approach (as Ivan Bogatyy mentioned at the MEV.wtf virtual summit), where, as an honest miner, you pay Miners pay MEV. The design space here is as rich as the space to incentivize reorganization; as Tom said in our last article on MEV, "For every footgun found, there are 1,000 footgun salesmen and 1,000 Manufacturers of footgun body armor are thriving.”

Finally, it’s worth noting that restructuring and selfish mining could devolve into a recursive negative-sum game, which could actually cost miners rather than bring in profits. If all miners were waiting for others to find MEV and then reorganize, the network could become bogged down, leading to long transaction completion times and an adversarial back-and-forth game, as miners continue to try out time bandit attack opportunities that have already been seized by other miners. This reduces your profits.

A paper by IC3 researchers using reinforcement learning (RL) to simulate selfish mining on the Bitcoin network combined with an inbound model found that when all agents use the selfish mining strategy (time bandits, no MEV part to capture rewards and fees), relative rewards drop.

paperpaperRelative rewards for selfish mining agents simulated by the RL model in .

first level title

Proof of Stake and Social Consensus

As mentioned earlier, the outcry against the development of the MEV-Uncle Geth gangster fork or Request for Reorgs is a strong example of social consensus at work. Social consensus has always been a part of cryptocurrencies, such as Binance's decision not to encourage rollbacks of Bitcoin to recover from hacks, and even more fundamentally, mining pools' decision to keep their hashpower below 50% in the spirit of decentralization !

As Ethereum moves towards proof-of-stake on Ethereum 2.0, MEV is not going away, nor is the risk of reorganization. While Proof-of-Stake does provide absolute transaction finality, it only happens after 2 epochs (at most 32 blocks are proposed/proved in a 6.4 minute period, the proposer is known 1 epoch ago, The number of provers is 2), but there are scenarios where reorganization can occur within about 13 minutes of transaction completion. However, by limiting the time window, reorganization is made more difficult.

However, arguably, the biggest resistance of Proof-of-Stake to reorganization is not the absolute finality after 2 epochs, but the concept of "identity". Given that proposers are known, validators known to be behaving maliciously may be blacklisted from participation, Flashbots networks, etc. Additionally, as larger incumbent miners (such as Ethermine) move from mining assets to large exchanges and platforms (such as Lido and Kraken) for staking, they will dominate the validator space, and it is increasingly likely that these institutions will No risk of reputational damage due to restructuring or even charging MEV fees as a social and regulatory point of contention.

first level title

MEV Endgame

Clearly, MEV is not going away on Ethereum anytime soon. However, it also might not be such a scary thing. MEV will most likely not lead to a sustained restructuring of the Ethereum explosion, either now or in the future. What MEV does, however, is advance the design space around creating a fairer, democratized financial system. The creation of research collectives such as Flashbots, advancements in fair ordering of transactions, and the application of cryptographic techniques such as zero-knowledge proofs and threshold decryption at the protocol and application layers all attempt to mitigate and democratize MEV. In the long run, the cryptoeconomic system we know and love becomes stronger as a result. Events like the restructuring drama are a good reminder that as we build the future of finance, the crypto community can never take our system's assumptions for granted, we must continue to innovate in pursuit of anti-fragility, and we have the right community and to do this.

Many thanks to Haseeb Qureshi, Tom Schmidt, and Celia Wan from Dragonfly Capital, and Stephane Gosselin from Flashbots for their extensive feedback on this article.