by Harper Li, Jinbin Xie
In August 2020, Dan Robinson, a trader at Paradigm, attempted to recover the liquidity tokens which were pledged to Uniswap. He deployed two contracts, a setter contract and a getter one, and then tried to get back these tokens by calling the two contracts one by one. However, one of the contract calls was not successfully implemented while being recognized by an attacker and the attacker front-run Dan Robinson by executing the contract call before him. In September 2020, Sam Sun discovered the contract vulnerability in Lien Finance, which could cause a huge loss of 25,000 ETH if attacked. He tried to solve it, but was afraid of encountering the similar problem to Robinson. Once an attacker discovered his rescue plan, the attacker would figure out the vulnerability, execute the attack and take 25,000 ETH from the platform.
That’s why Sam contacted many people in the rescue operation later and fixed the contract vulnerability with the help of SparkPool. In this event, SparkPool put the executed transactions into its private mempool to prevent them from being monitored by attackers on chain. And this was also the fundamental reason that determined the distinctly different results of the two events.
These two events reveal the fact that currently blockchain is a dark forest. In fact, there are groups of arbitrage bots or attackers waiting for opportunities in this dark forest — the blockchain node network. All pending transactions waiting to be packaged are exposed to the dark forest in the mempool. Attackers can see and trace every transaction, every internal contract call, and every instruction, and perform the most common on-chain attacks, such as front-running and sandwich attacks.
We believe that the essential reason for on-chain attacks lies in the design of the blockchain.
1. The first is the design of the mempool on blockchain. All transactions that are sent out need to enter the mempool temporarily instead of being directly packaged by the miners. The mempool is full of pending transactions, and it’s public, which means anyone can monitor every transaction and every function called in the mempool. This provides the attacker with conditions to monitor transactions.
2. The second is that the blockchain block time provides execution time for attackers. According to Etherscan data, the current average block time of Ethereum is 13s.
The concept of MEV (miner-extractable value) was first introduced in the article Flashboy 2.0 in 2019. It refers to the extra profit that miners can gain by including, reordering, inserting, or ignoring transactions. With the development of the blockchain in the past two years and the advancement of the research activities on chain, MEV has now been extended to the most extractable value.
Participants in the MEV predatory war now include miners and non-miners. Non-miners mainly refer to robots such as arbitrage/liquidation bots while miners refer to individuals who are responsible for selecting transactions and packaging them on chain. Miners enjoy privileges that are unmatched by non-miners. And we summarized the following chart to show relevant features of existing MEV predatory groups.
Extraction and Elimination as MEV Solutions
How to deal with the MEV predatory war and protect the interests of ordinary traders has now become a debated subject for research and development. There are two kinds of opinions concerning this issue. One is to recognize the inevitability of MEV and solve the current dilemma through extraction, and the other is to obliterate or reduce MEV from the source of transactions. Based on this, this report discusses the existing MEV solutions — MEV extraction and elimination respectively.
Judging from the current research results, there are three ways of MEV extraction:
- Confidential Transactions: Storing transactions in a private mempool, rather than a public mempool, to avoid being monitored by attackers.
- FRaaS: FRaaS (Front-running as a Service) protects traders’ interests by extracting MEV from transactions and redistributing profits. At the same time, miners will abandon their attacks due to bounty rewards.
- MEV Auction: Miners’ rights of transaction choosing and ordering are split. It means that miners still have the right to determine transaction inclusion while the third party, the winner of the auction, grants the right to reorder submitted transactions and insert their own.
As mentioned above, transactions are waiting to be packaged by miners in the mempool. At the same time, these transactions are also at risk of being monitored and attacked. Therefore, some protocols attempt to bypass the public mempool so that the transactions cannot be broadcast to other nodes while queuing in the private mempool waiting to be packaged.
Protocols that offer this type of services are currently Stealth Transactions of 1inch, Taichi Network, and bloXroute.
Stealth Transactions is only available in 1inch wallet for iOS client so far. And this method faces the possibility that transactions are packaged into uncle blocks and thus made public.
Created by SparkPool, Taichi Network allows users to send transactions directly to the private mempool of SparkPool through the interface it provides. Since SparkPool does not webcast this transaction, the status of this transaction sent out cannot be visible on Etherscan until the transaction is officially confirmed.
bloXroute provides a private communication function, which means transactions can be sent directly to the miners without being exposed.bloXroute’s BDN (Blockchain Distribution Network) links the blockchain nodes to the BDN through its Gateway. Gateway and the blockchain nodes first translate the information coming from the blockchain into the BDN. Then, at the second layer, they perform block compression. Reducing the block size greatly makes it more efficient to send or transmit in the Blockchain Distribution Network.
MEV Auction — — Optimism
MEV Auction (MEVA) was proposed in early 2020 by Karl Floersch, the CTO of the L2 Optimism. And then MEVA became a good anti-MEV way to fit Optimism.
When talking about MEVA, it is important to explain two major rights that miners have as the biggest winner in the MEV predatory war, the rights of transaction inclusion and transaction ordering. Technically, the auction is able to extract MEV from miners by separating these two rights: 1) transaction inclusion; and 2) transaction ordering. Miners retain the right to determine transaction inclusion, but they can’t order transactions. And the third party, called a “sequencer”, determines transaction ordering. Then the miner picks a single sequencer in the auction process.
In the Optimism L2 system, the role of miners (a validator and a sequencer) is divided into two parts: Sequencers manage the transaction sequencing and validators add it to the Optimism L2 blockchain. This solution fits Layer 2 because Sequencers already exist on the L2 architecture. The transaction is submitted to the “Sequencer”, which generates a signed receipt that guarantees the execution and sequencing.
However, there are still problems with MEVA:
- The collusion between sequencers and sequencers’ own misbehavior can result in artificially low auction prices. The current solution to this problem is to develop open source sequencer software to increase the ease of user participation in sequencer bidding activities.
- It is impossible to completely avoid miners to retain two rights because sequencers can set up their own mining pools.
FRaaS (Front-Running as a Service) refers to solving MEV by extracting MEV and redistributing profits. This method essentially compensates traders and surrenders part of the profits to miners and attackers, so that multiple parties can achieve cooperation and create a “multi-win” scenario. In FRaaS, the attacker becomes the searcher, and the searcher is responsible for searching for MEV that may appear in the transaction, and completes the MEV extraction through some strategies. At present, there are many protocols that adopt this anti-MEV method. Thus, it is a more popular method to solve MEV.
Flashbots is a research and development platform for MEV. It is now focused on three main verticals:
• Flashbots Auction: a private communication channel between miners and searchers.
• Flashbots Data: detect MEV data; specific products are MEV-Explore and Dashboard. MEV-Explore crawls the Ethereum blockchain and classifies MEV transactions over 8 major DeFi protocols.
• Flashbots Research: an open, transparent and collaborative research effort to tackle short and long term research questions related to MEV.
Flashbots Auction consists of MEV-GETH, a patch on top of the go-ethereum client, along with the mev-relay, a transaction bundle relayer.
There are three main roles: searcher, relayer, and miner. The information transmitted between the three roles is the Flashbots Bundle. Each bundle transaction includes a transaction list (indicating that the sender wants to pack multiple consecutive on-chain transactions, including front-running and back-running ones), block height, min Timestamp and max Timestamp.
At present, Flashbots searchers can be divided into three sources: arbitrage and liquidation bots, traders looking for frontrunning protection, and Ethereum Dapps such as mistX. By submitting bundles directly to relayers, searchers can obtain pre-trade privacy as their transactions cannot be seen by other network nodes.
The sender needs to pay certain fees to the miner when sending the transaction. Fees here are not paid by gas, but through Coinbase ETH transaction to the block producer (ie the mining pool) as a commission. It allows searchers to save money from avoiding paying gas fees for failed transactions considering its pitfalls of being attacked.
Relayers receive bundles from searchers and forward them to miners. In this process, relayers themselves may also become attackers, so we put faith in relayers to act honestly here.
In addition to privately transmitting bundle transactions, relayers also serve as a mitigation to DOS threat. Since searchers no longer need to pay for failed bids, it may appear that searchers can submit bundles at their own will. That is to say, it opens up the ability for them to spam the network with invalid bundles, thus creating a denial of service attack against other network participants. Since Ethereum nodes are ill-equiped to deal with overload on their own, relayers primarily serve as a mitigation to this DOS threat.
Miners are exactly who collects all the bundles in the end. They are connected to the Flashbots network by running a version of the MEV-GETH client.
Miners can only pack one bundle per block. To maximize their own profits, miners will choose the bundle with the highest tips paid by searchers. But it is reported that Flashbots now has plans to develop the service of packaging multiple bundles in one block.
Likewise, not all miners can be trusted. After being exposed to the contents of the bundle, miners can analyze, reorder or add transactions to extract MEV.
ArcherDAO has two standalong products: Archer Relay and Archer Swap. However, both the two products have anti-MEV features.
Archer Relay is compatible with the MEV_GETH client, allowing users to participate in the Flashbots ecosystem as searchers.
Archer Swap appears in the form of an early-end transaction interface, allowing users to directly submit token transactions. Back-running bots in the Archer Relay network will perform MEV search, extraction, and bundling for transactions generated on Archer Swap, and send them to miners through Flashbots and Archer relayer.
ArcherDAO uses Flashbots to realize anti-MEV, but it is still different from Flashbots.
ArcherDAO’s products clarify the roles of searchers and traders. Archer Relay forwards bundle for searchers and the task of searchers here is to search for MEV extraction opportunities in each DEX. While Archer Swap is aimed at traders seeking MEV shields, who conduct transactions on Archer Swap. The differentiation of the roles of searchers and traders is reflected in the following two facts. Firstly, Archer Relay searchers cannot access transactions published through Archer Swap, and only the back-running bots inside ArcherDAO can. Secondly, they have different mining pool partners: ArcherDAO has now announced partnership with 2miners and Ezil while Flashbots’ March report stated that it has cooperated with 12 mining pools.
mistX by alchemist
alchemist was started with a twitter by @thegostep in February. There is no “dev team”. There is no roadmap. And it is completely driven by a community of alchemists. Active in blockchain, @thegostep is one of the core developers of Ethereum and Ampleforth, and also participates in Flashbots. The alchemist team has 5 core projects in progress: Crucible, Copper, mistX, sandwiched query, and Crucible NFT Design.
mistX also uses Flashbots to protect user-initiated transactions from being sent to the public mempool. And these transactions are bundled together to enter the Flashbot system. In addition, the sandwiched.wtf developed by the team can be used to query whether a smart contract account has been subjected to sandwich attacks.
KeeperDAO has three lines of business: Hiding Game, Coordination Game and Incentive Game. Hiding Game solves the MEV in existing transactions and liquidation; Coordination Game mainly encourages cooperation between Keepers; Incentive Game mainly focuses on $ROOK and platform governance. These three businesses are combined in an organic way to support each other.
KeeperDAO also believes that swap definitely produces slippage, meaning that attackers can cause losses to traders by front-running or back-running attacks. And since the transaction is exposed in the mempool, it is easy to cause multi-party competition or “bidding” between the two parties, thus triggering a Gas War.
For these two situations, KeeperDAO believes that traders can work together with Keepers. The solution is that the trader first submits the transaction to KeeperDAO, and then the Keeper in KeeperDAO analyzes the transaction and judges whether it is profitable through front-running or back-running strategies. If it is a “Yes”, the Keeper will execute the transaction according to the transaction sequence pre-defined by the platform to obtain profits. The profits obtained need to be returned to KeeperDAO for daily profit aggregation and distribution.
For traders, they get a better price in transactions, because the traders’ trading slippage can be offset by $ROOK minted on the platform. It can be seen that the cooperation between traders and Keepers has created a “win-win” solution.
In the entire transaction system, the KeeperDAO sequence occurs once every 100 blocks, and the sequencing result determines the transaction sequence of existing Keepers. Due to the sequenced transactions, Keepers can avoid the Gas War. However, Keepers within KeeperDAO still need to compete with traders outside of KeeperDAO.
BackRunMe by bloXroute — MEV’s profit distribution
In addition to the mentioned confidential transactions, bloXroute also develops a transaction design for MEV by analyzing DEX transaction slippage.
The detailed implementation is as following:
1. bloXroute sends metadata to searchers to propose backrunning transactions.
2. Searchers create and send bundles based on the transactions, and bloXroute examines the searchers’ replies.
3. bloXroute sends the first valid and most profitable “backrunning” MEV bundle to pools via private communication for execution.
4. Of course, if searchers find that there is no opportunity for backrunning, the transaction will become an ordinary private transaction and be sent to the miners.
The protocol allows any Ethereum users to propose entire blocks to be mined, with a reward attached for mining them. So miners select the blocks with highest rewards in order to achieve profit maximization. Unlike the previous protocols, this protocol targets the next block, not a certain transaction.
As shown in the figure below, the protocol regards competing for the next block as the order market DEX, and each user can submit a block for packaging, and it is the order object, which constitutes the block order market DEX. The cost paid by users is the reward attached to each block order, and miners select the block order with the highest reward from this market. Once transactions are completed, miners will package the block order provided by the user on the chain, and get the reward paid by users.
This protocol keeps its eyes on Sushiswap transactions. Users send transactions to YCabal to generate arbitrage opportunities such as slippage, and then miners conduct front-running or back-running strategys.
The Advantages and Disadvantages of MEV Extraction
One who believes in MEV Extraction also believes that MEV is generated by users, which is an inevitable feature of on-chain transactions. Based on this, strategies from this camp tend to protect users. At present, there are three types of protocols in this camp, and all have their own characteristics: the confidential transaction protocol protects the user’s MEV via bypassing the public mempool and public monitoring; MEVA technically splits the rights of miners to protect the rights of users; FRaaS regards MEV extraction as a service and divides profits to achieve a “multi-win” scenario.
The emergence of MEV embodies the product of the privileged class of miners who use the privileges of the block to carry out power rent-seeking. The previous part introduces that MEV extraction can cover more than 10 protocols. Considering these protocols believe MEV to be inevitable, people in this camp adopt an attitude of embracing MEV to solve the existing MEV problems and this camp is described as the “Dove”. Another camp is described as the “Hawk”, in which people argue that MEV can be eliminated. We will explain how hawkish developers choose to use a variety of methods to minimize or even eliminate the space for power rent-seeking hereafter.
How to minimize or organize MEV? The so-called MEV refers to a measure of the profit a miner (or validator, sequencer, etc.) can make through their ability to arbitrarily include, exclude, or re-order transactions within the blocks they produce. Therefore, the anti-MEV protocols on the market try to take measures when the transaction is submitted to the mining pool. Currently, the following four methods have been summarized:
- On-chain operation
- Off-chain operation
- A new transaction mode
There is no need to change the L1 main chain. Chainlink submits the transaction queue and oracle reports to an oracle, and then the oracle generates the serial number and the nonce, and broadcasts it on the oracle network. At the same time, the oracle can monitor the message pool and obtain the transaction queue. Subsequent smart contracts can obtain the correct sequence from the oracle.
LibSubmarine is an on-chain smart contract that protects the contract against front-runners by temporarily hiding transactions on-chain.
Veedo’s VDF (Verifiable Delay Function) and time locks allow transaction information to be sealed for a predetermined period of time, and then made public. Arbitrageurs cannot obtain arbitrage space in time.
The transaction queue uses an encrypted middleware service to generate a single signature based on the current transaction queue. Miners cannot insert new transactions into the transaction queue, otherwise the signature will change. When Dex receives the transaction queue, it can recognize the signature change and then reject the transaction.
Some solutions can only prevent the emergence of MEV as much as possible. The transaction is aggregated and packaged in the CallData of the smart contract, so that L1 cannot modify the transaction. At the L2, the settlement of the transaction is completed within the shortest 15-minute window. The entire process minimizes the emergence of MEV.
Vega Protocol is a protocol creating new blockchains, which is carried out at the level of the blockchain itself. Within a unit of time, the transactions that are broadcast first and are most known by nodes will be executed first, “If there is a time t such that all honest validators saw before t and b after t, then a must be scheduled before b”.
As a privacy middleware, Sikka encrypts transactions and its message pool. These encrypted transactions are only decrypted and executed after being committed to a block by a quorum of 2/3 validators.
Shutter Network uses a threshold cryptography-based distributed key generation protocol to encrypt the transaction before it is sent. After passing through the message pool, the transaction can be decrypted after confirming that it is packaged in the block.
A New Transaction Mode
When two traders each hold an asset the other wants, an order can be settled directly between them without an external market maker or liquidity provider. By doing so, it can not only offer traders the best prices but also exempt the service charge produced by the external market maker or liquidity provider. CowSwap allows users to directly trade by using CoW. Orders that cannot be settled through CoW are directly matched to transactions through automated market makers (AMM). If there are CoW orders in the batch auction order, the remaining orders that have not passed the CoW match will be handed over to CowSwap’s integrated liquidity market for matching after the small orders are fully matched. The entire order settlement price is based on the remaining order price obtained through external liquidity.
Comparison About MEV Elimination Schemes/Protocols
The Advantages and Disadvantages of MEV Elimination
Regardless of whether they are miners, validators or sequencers, they are all privileged roles. There will be more or less advantages and disadvantages to eliminate the emergence of MEV in the following ways.
1. Use the third-party notary organization of L2 to publicize and mark the determined transaction sequence on the entire network. The greater the degree of publicity, the harder it is to be tampered with. However, different DeFi protocols are required to support the notarization result.
2. Hide the transactions that are easy to be arbitraged in the dark forest by encrypting them, thus making it impossible for arbitrageurs to track them. However, the resource consumption caused by the encryption and decryption of transactions leads to the loss of transaction experience, which is also a factor that needs to be considered.
3. The Paradigm shift arises in the new transaction mode, but the mode still needs to be tested by the market to see if it can be successful.
After more than ten years of development, blockchain has become more and more mature and complex, resulting in more and more systemic problems have arisen, typically the MEV problem roughly discussed in this article. As described in Paradigm’s MEV and Me, the later Ethereum has much higher MEV than Bitcoin due to the high complexity of its application layer.
At present, the MEV captured by Flashbots only covers 8 protocols, and the MEV identified on each protocol is also limited to the types that can be extracted by front-running/back-running/sandwiching. Flashbots’ study of MEV has deepened users’ understanding of blockchain. Users begin to understand the risk-return structure corresponding to their actions on the blockchain. In turn, they develop and improve protocols to make the blockchain more valuable in use.
This article shallowly summarizes various solutions available on the market for MEV, and splits them into two camps. First of all, MEV extraction doves aim to realize the fair distribution of rights, but it is difficult to avoid the situation that “he who fights with a monster willeventually become a monster.” Then MEV elimination hawks tell another story. It is better to use encryption to realize the cross-dimensional compression of power rent-seeking rather than to sneak into the dark forest and retransfer rights.