Two-slot proposer/builder separation

Users can send their transactions to as many relayers as they like, but the ones that will actually win blocks and include them will be using the most predatory practices possible (such as censorship-as-a-service) because blocks are worth more to them.

Definitionally, an SGX relayer can’t frontrun, nor can it offer a censorship market, so it will be outbid.
For example:

  • A user sends a tx to both the SGX and the censoring relayer with a 0.01 Eth bribe
  • The censoring relayer accepts a bid to censor the transaction for 0.02 Eth
  • The censoring relayer then wins the block because it is worth 0.01 Eth more to them to make sure the tx is not included
  • Not only that, they also get the gas of another transaction in place of the one they were paid to censor, so their profit margin is greater again. They get paid twice for censoring.

Lit vs Dark Censorship Market

Thinking about it, in a lit censorship market the best way for the user to get their tx included is to pay a total of 0.03 Eth to the censor for protection and to offer the same to the SGX to increase their chances of inclusion and harm the censoring relayer.

For this reason I think the censorship market will end up being dark so that users can’t see how much they are being censored for or even whether they are.

This means no lucrative bidding war for the relayer, but if the censorship information remains private then users don’t know to bribe other relayers to include their censored transactions. It also encourages users to pay for protection they don’t need and it makes censorship more effective which is good for the censoring relay.

By doing this the censoring relay can only ever make the same or more money than a well behaved relay for any given transaction and bribe amount, and so can maintain dominance.

Censorship markets make nearly all transactions MEV-vulnerable.

I guess the thing that I wonder about in response to these arguments is: if your model includes people setting up meta-games where a winning censor blackmails everyone, and almost all individual proposers go along with the censorship market incentives, then why can we expect attesters themselves to be protected from all this?

Any of the “in-protocol enforced mempool” schemes rely on attesters to vote on availability and publishing time of transactions in some way. But that’s a setup that is extremely vulnerable to bribery: each individual attester only makes a tiny impact on whether or not some tx gets included, and so censors can bribe them a really tiny amount to act like that tx had been submitted a few seconds later. Why would such a thing not happen, in your view?


First I’ll briefly introduce the (as yet) undocumented Attack 3: Unstaked Hijack.

Here, the attacker buys blocks continuously and uses them to cause maximum harm and disruption with the intention of crashing the price of Ethereum and its tokens, having shorted them on margin first.

The crucial point here is that (unlike a 51% attack) an attacker can buy complete and continuous control of block content in Ethereum without having any stake in it. This leaves the door wide open to attacks by external actors hostile to Ethereum.

I feel that the risks of full-block MEV auctions have been greatly understated, and that this in turn has distorted our view of consensus solutions.

In short, if Flashbots are right, MEV isn’t much of a problem and therefore content consensus solutions won’t work. If I’m right, MEV is an existential issue and therefore content consensus solutions can address it.

To show you what I mean, let’s use your figure of 0.1 Eth as the avg MEV per block, and assume the proposer gives away half of this to the set of 200,000 attesters as a bribe, giving a bribe per validator of 0.00000025 Eth per block.

Let’s say we have consensus rules similar to the one you proposed where attesters refuse to vote for a block that fails to include a transaction after a certain period of time. A ‘Bad’ actor breaks these rules, a ‘Good’ actor follows them.

Now let’s run the game, first with Flashbots MEV risk assumptions and then again with my MEV risk assumptions.

#1 Flashbots Risk Assumptions: MEV is mostly harmless, a superior way of doing arbs and liquidations, and improves network security by increasing miner rewards.

Payoffs for a bad proposal:
Proposer’s bribe 0.00000025
Attestation reward 0.00002 (given the low-risk assumptions above, it’s safe to assume the bad proposal gets voted for).
Attestation Payoff 0.00002025

The attesters back the bad proposal so:
Proposer Payoff 0.05 in MEV +gas +proposal rewards

(Outcome: consensus content failure)

#2 Pmcgoohan’s Risk Assumptions: MEV makes Ethereum too expensive for widespread adoption and will centralize the network around a monopolistic gatekeeper running an extortion economy punctuated by severe attacks from hostile, unstaked parties.

Let’s put a per-block figure on the risks I have so far identified:

Attacks 1 & 2: Centralized Gatekeeper Running CaaS. For passive holders, the risk here is a drag on the adoption of Ethereum and therefore Eth value. Let’s call it 25% over 2 years (personally I think it’s much higher). 6500 blocks per day x 365 days per year x 2 years = 4,745,000 blocks. A 25% loss in the value of 32 staked Eth is equivalent to 8 / 4,745,000 = -0.0000016 Eth per block.

Attack 3: Unstaked Hijack. Let’s say it takes 2 years before this attack takes place. An 80% loss in the value of staked Eth is equivalent to 25.6 / 4,745,000 = -0.0000053 Eth per block.

Payoffs for a bad proposal:
Proposer’s bribe 0.00000025
CaaS EV -0.0000016
Hijack attack EV -0.0000053
Attestation reward 0.0 (because of the above, it is now unlikely a bad proposal will be successful)
Attestation Payoff -0.0000117

The attesters no longer back the bad proposal so:
Proposer Payoff: 0 Eth (no gas, no MEV)

(Outcome: consensus content success)

Now things look a bit different. Assuming Eth at $4750, over 2 years CaaS costs attesters -$38,000 and the Hijack -$121,600 making a total loss of -$159,600 whereas the bribes make them only $5634.

The attesters have a negative long term expectation if they vote for bad proposals, and no juicy bribe that they can go out and spend today (a mere ~$0.0001 per block in fact).

So to answer your original question re: incentives for proposers to behave vs incentives for attesters to behave; it’s clear that attesters are playing a repeated game, but you could argue that proposers are playing a one round game. That chunk of MEV looks pretty tempting at around $237.50 a pop for the proposer compared to ~$0.0001 per block for the attester, and it only comes around once every few months.

But if you have enforced consensus, they still won’t do it, because proposers know that the attesters have a negative payoff in their repeated game and will vote against it.

Crucially, the risks of full-block MEV must be fully understood and (just as importantly) honestly communicated to validators and users for this to work.

In any case, it is surely vital that we understand the risks of full-block MEV auctions before doubling-down on them. The EF is usually meticulous about such risk assessments.

As far as this goes, I’m happy to be of service, but I’m not enough.

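The payoff arithmetic in the post above, put into a small parameterised model so the two scenarios can be re-run with different inputs. This is an added example, not code from the thread: the per-block figures (0.1 Eth MEV, half paid out across 200,000 attesters, 6500 blocks/day, 25% and 80% stake losses over 2 years, Eth at $4750) are the post's; the function names, the `Risk` dataclass and the break-even calculation at the end are mine.

```python
"""Per-block expected-value model for an attester deciding whether to vote for
a 'bad' (censoring) proposal, built from the figures in the post above.
Added example: inputs are the post's, the code and names are mine."""

from dataclasses import dataclass
from typing import Iterable

BLOCKS_PER_DAY = 6500                    # figure used in the post
BLOCKS_PER_YEAR = BLOCKS_PER_DAY * 365   # 2,372,500
STAKE_ETH = 32.0


@dataclass(frozen=True)
class Risk:
    """A long-run loss to staked value, spread evenly over a horizon of blocks."""
    name: str
    loss_fraction: float   # fraction of the 32 Eth stake expected to be lost
    horizon_years: float   # period over which the loss is amortised

    def per_block_ev(self) -> float:
        """Negative Eth per block attributable to this risk."""
        return -(self.loss_fraction * STAKE_ETH) / (BLOCKS_PER_YEAR * self.horizon_years)


# The two risks the post prices in (assumptions taken from it as stated).
CAAS = Risk("Centralized gatekeeper running CaaS", loss_fraction=0.25, horizon_years=2)
HIJACK = Risk("Unstaked hijack", loss_fraction=0.80, horizon_years=2)


def bribe_per_attester(mev_per_block: float, share_to_attesters: float, n_attesters: int) -> float:
    """Proposer splits a share of the block's MEV evenly across all attesters."""
    return mev_per_block * share_to_attesters / n_attesters


def attester_payoff(bribe: float, attestation_reward: float, risks: Iterable[Risk]) -> float:
    """Per-block EV of voting for the bad proposal: bribe + reward + priced risks."""
    return bribe + attestation_reward + sum(r.per_block_ev() for r in risks)


def usd_over_horizon(per_block_eth: float, years: float, eth_usd: float) -> float:
    """Convert a per-block Eth figure into a dollar total over `years`."""
    return per_block_eth * BLOCKS_PER_YEAR * years * eth_usd


def break_even_bribe_per_block(n_attesters: int, risks: Iterable[Risk]) -> float:
    """Total Eth a proposer would have to hand out per block for the bribe to
    exactly cancel the attesters' priced risk (my addition, derived from the post's figures)."""
    return -sum(r.per_block_ev() for r in risks) * n_attesters


if __name__ == "__main__":
    bribe = bribe_per_attester(mev_per_block=0.1, share_to_attesters=0.5, n_attesters=200_000)
    scenario1 = attester_payoff(bribe, attestation_reward=0.00002, risks=[])
    scenario2 = attester_payoff(bribe, attestation_reward=0.0, risks=[CAAS, HIJACK])
    print(f"bribe per attester per block: {bribe:.9f} Eth")
    print(f"scenario 1 payoff: {scenario1:+.9f} Eth -> backs bad block: {scenario1 > 0}")
    print(f"scenario 2 payoff: {scenario2:+.9f} Eth -> backs bad block: {scenario2 > 0}")
    print(f"2-year bribes at $4750: ${usd_over_horizon(bribe, 2, 4750):,.0f}")
    print(f"2-year CaaS loss:      ${usd_over_horizon(CAAS.per_block_ev(), 2, 4750):,.0f}")
    print(f"2-year hijack loss:    ${usd_over_horizon(HIJACK.per_block_ev(), 2, 4750):,.0f}")
    print(f"break-even bribe per block: {break_even_bribe_per_block(200_000, [CAAS, HIJACK]):.3f} Eth "
          f"(vs 0.1 Eth of MEV per block)")
```

Under the post's own inputs the break-even figure is what matters: the priced risk per attester per block, multiplied back out across 200,000 attesters, comes to well over 1 Eth per block, so no split of a 0.1 Eth MEV block can make the bad vote EV-positive.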

> #1 Flashbots Risk Assumptions: MEV is mostly harmless, a superior way of doing arbs and liquidations, and improves network security by increasing miner rewards.

I don’t think Flashbots assumes that “MEV is mostly harmless”. Rather, it very much assumes that uncontrolled MEV is a huge centralization risk, but focuses on containment rather than elimination as a strategy. I also don’t see why “MEV is an existential issue” should imply that “therefore content consensus solutions can address it”. I think that any model of game theory that allows a majority of proposers to get bribed to censor will also allow a majority of attesters to get bribed to censor at an even lower cost.

Making the object that we are focusing on blocks rather than transactions, and relying on PBS and backup games to ensure that blocks actually include transactions, ensures that there are fewer objects to focus on, which makes it easier to come to extra-protocol consensus about whether or not 51% censorship attacks are happening so that they can be remedied if needed.

> So to answer your original question re: incentives for proposers to behave vs incentives for attesters to behave; it’s clear that attesters are playing a repeated game, but you could argue that proposers are playing a one round game. That chunk of MEV looks pretty tempting at around $237.50 a pop for the proposer compared to ~$0.0001 per block for the attester, and it only comes around once every few months.

Not convinced by this. The total bribe required to shift the behavior of attesters should be less than the total bribe required to shift the behavior of proposers, because attesters suffer from the tragedy of the commons: each attester only has a small impact on the outcome, and that small impact is multiplied by their small share in the outcome, so the bribe required to shift their incentive is quadratically small.

The fact that the attesters are playing a repeated game is not really important, because no one is going to be tracking the behavior of individual attesters and somehow treating those individual attesters differently as a result of their actions in prior rounds. And proposers have a repeated game often enough (the large staking pools) that if repeated-game logic worked we could just rely on one of those large stakers to include a transaction, and transactions would still get in after ~5-10 slots.

Surely this undermines the basis of eth2 PoS consensus. How then does Ethereum secure itself against validators colluding to raise proposal rewards or even perform double spend attacks?

Correct me if I’m wrong, but I imagine your answer will be that it is not in validator self-interest because of the threat to their stake from a loss of confidence in the network.

What I want to show you is that the risks of full-block MEVA are comparable in severity, both in terms of gatekeeping centralization and damage to staked value, therefore (once these risks are understood and communicated) validators will similarly reject MEV collusion networks in favour of consensus content.

Perhaps I’ve got the game wrong, but eth2 PoS seems to make similar assumptions. It is arguably in the interests of the proposer to pay themselves a massive proposal fee (one-off game) but it is not in the interests of attesters to allow them to (repeated game).

Again, I think the same applies to a content consensus solution and that this will hugely benefit the security of Ethereum.

(Also, even if the content mechanism is perfectly colluded against, it degrades to having the same outcome as PBS, assuming Flashbots then run an informal market over it. It’s a bet to nothing with the advantage of reducing regulatory risk rather than increasing it. I suspect it is far easier to implement as well).

Validators cannot collude to raise proposal rewards, because validators do not have the ability to make invalid blocks. Users would automatically reject the invalid blocks, so from the protocol’s point of view it would be equivalent to them publishing nothing at all.

> perform double spend attacks?

Today, not much. But this is exactly why I have proposed A model for cumulative committee-based finality.

The only thing that 50%+ of validators could do without being penalized automatically is censor. And for that, community-coordinated soft forks may indeed be the only option.

> Again, I think the same applies to a content consensus solution and that this will hugely benefit the security of Ethereum.

The difference between validity and transaction inclusion is that we don’t have consensus on when transactions were published in the mempool, and therefore can’t have consensus on whether or not the transactions were published “on time”. There’s an inherently large gray area. One of the big benefits of blocks instead of transactions as the main unit of analysis is that there is normally only one block per slot, and so the gray area becomes much smaller, and attempting to figure out to what degree a chain is censoring becomes much more computationally tractable.

Thank you for the explanation above. I’m so impressed that you would consider a change on the scale of introducing fast-finality. That kind of dynamism really is Ethereum’s super-power.

I’m interested in your ideas for Parallel PBS.

I think it could be made more effective if we were able to remove txs in higher order blocks that were already included in lower order blocks.

I was wondering if whoever publishes the intermediate block (winning primary builder?) could remove these duplicate txs from the aux blocks.

One problem I see here is that to allow verification of the exec headers, the original unduped blocks would have to be recreatable.

I thought the intermediate block could include some very compact data (calldata?) containing a series of insert instructions allowing reconstruction of the original blocks. Something like {copyBlockIndex,copyTxIndex,toBlockIndex,toTxIndex}

Eg:

The original exec blocks (dupes shown in [])

Primary   Aux0
Tx1       [Tx5]
Tx5       [Tx3]
Tx3       Tx2
Tx9

Would be written to the intermediate block as:

Primary   Aux0
Tx1       Tx2
Tx5
Tx3
Tx9

And then reverted using the insert data:

{Primary,TxIndex1,Aux0,Tx0}
{Primary,TxIndex2,Aux0,Tx1}

It’s kind of a compression technique, so it would also mean using less blockspace. This is a little nitty-gritty for my knowledge of PoS. Is this workable or am I way off? If not, is there some other way of deduping successive blocks?
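The dedup/insert-instruction scheme sketched in the post above, as an added example (not code from the thread or from any PBS implementation), generalised to any number of aux blocks rather than just Primary and Aux0. Block 0 is the primary, block 1 is Aux0, and so on; the instruction fields follow the post's {copyBlockIndex, copyTxIndex, toBlockIndex, toTxIndex}. The `block_digest` helper is a stand-in for an exec header's transactions root, the third block in the sample input is mine, and the assumption that a single block never repeats a tx is mine.

```python
"""Dedup of duplicate txs across parallel PBS exec blocks, with compact insert
instructions that let a verifier rebuild the original blocks and check their
headers. Added example: scheme from the post, code and names are mine."""

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Insert:
    copy_block: int  # block holding the kept copy, indexed in the written (deduped) form
    copy_tx: int     # position of that copy within the written block
    to_block: int    # higher-order block the tx was removed from
    to_tx: int       # original position it must be put back at


def block_digest(txs: Sequence[str]) -> str:
    """Stand-in for an exec-block transactions root: hash over the ordered tx list."""
    h = hashlib.sha256()
    for tx in txs:
        h.update(len(tx).to_bytes(4, "big") + tx.encode())
    return h.hexdigest()


def dedupe(blocks: Sequence[Sequence[str]]) -> Tuple[List[List[str]], List[Insert]]:
    """Drop every tx already present in a lower-order block; emit one Insert per drop.
    The first occurrence is always kept, so copy_* always points at a surviving tx."""
    first_seen: Dict[str, Tuple[int, int]] = {}
    written: List[List[str]] = []
    inserts: List[Insert] = []
    for b, txs in enumerate(blocks):
        kept: List[str] = []
        for i, tx in enumerate(txs):
            if tx in first_seen:
                cb, ct = first_seen[tx]
                inserts.append(Insert(cb, ct, b, i))
            else:
                first_seen[tx] = (b, len(kept))   # index in the *written* block
                kept.append(tx)
        written.append(kept)
    return written, inserts


def reconstruct(written: Sequence[Sequence[str]], inserts: Sequence[Insert]) -> List[List[str]]:
    """Rebuild the original blocks. Sources are read from the unmodified written
    form, and inserts are applied in ascending to_tx order so each lands at its
    original index (the prefix before it is already back in original order)."""
    out = [list(txs) for txs in written]
    for ins in sorted(inserts, key=lambda x: (x.to_block, x.to_tx)):
        if ins.copy_block >= ins.to_block:
            raise ValueError("an insert must copy from a lower-order block")
        out[ins.to_block].insert(ins.to_tx, written[ins.copy_block][ins.copy_tx])
    return out


def verify(written: Sequence[Sequence[str]], inserts: Sequence[Insert],
           expected_digests: Sequence[str]) -> bool:
    """What a verifier of the exec headers would do: rebuild and compare the roots."""
    rebuilt = reconstruct(written, inserts)
    return [block_digest(b) for b in rebuilt] == list(expected_digests)


# Constructed input: the post's Primary and Aux0, plus a third block (mine) whose
# duplicate Tx2 has its kept copy in Aux0 rather than in Primary.
EXAMPLE_BLOCKS = [
    ["Tx1", "Tx5", "Tx3", "Tx9"],   # Primary
    ["Tx5", "Tx3", "Tx2"],          # Aux0
    ["Tx2", "Tx7", "Tx5"],          # Aux1 (added)
]

if __name__ == "__main__":
    written, inserts = dedupe(EXAMPLE_BLOCKS)
    print("written:", written)
    for ins in inserts:
        print(ins)
    print("headers verify:", verify(written, inserts, [block_digest(b) for b in EXAMPLE_BLOCKS]))
```

The one subtlety the two-block sketch hides is which index `copyTxIndex` refers to: it must be the position in the written (deduped) form of the lower block, because that block may itself have lost earlier txs, and the verifier reads sources from the written blocks rather than from blocks it has already rebuilt.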