We’d like to announce a great new idea we’ve devised to reform the police.
Today, cities direct their police forces to prevent and prosecute theft. But crime is a tough problem, and policing is costly. What cities should do instead is auction off the right to mug people and burglarize homes. Sure, burglaries would become more professional to take advantage of any vulnerable property. But on the bright side, cities can use theft auction money to pay city workers’ salaries, offset shortfalls in tax revenue and fund new policing initiatives (including prosecution of unauthorized theft).
Ari Juels is the Weill Family Foundation and Joan and Sanford I. Weill Professor in the Jacobs Institute at Cornell Tech, co-director of the Initiative for CryptoCurrencies and Contracts (IC3) and chief scientist at Chainlink Labs. Ittay Eyal is an assistant professor at Technion and an associate director at IC3. Mahimna Kelkar is a PhD student in computer science at Cornell University and Cornell Tech.
The Miner Extractable Value (MEV) problem
A paradoxical limitation of most blockchain protocols, including Ethereum and Eth 2.0, is that while their key feature is decentralization, they are ephemerally centralized.
When miners (or validators) form a block, they have the power to decide unilaterally what transactions to include and how to order them. The miner can’t include bogus transactions or directly steal money from users, so this limited power may seem insignificant. But in a smart contract system, transaction order impacts the flow of money, giving miners more sway.
Consider, for example, an automated market maker (AMM) that allows assets to be traded without counterparties within a decentralized finance (DeFi) system. Buying Token X from the AMM causes the price of Token X to rise (with respect to a paired asset). A miner can exploit this when Alice is about to buy some Token X in a transaction T. If the miner gets to include T in a block it mines, it can do the following.
The miner creates two of its own transactions, Tpre and Tpost, and sandwiches T between them. In other words, it includes the three transactions in the order Tpre, T, Tpost. The miner’s transaction Tpre buys some Token X, while its transaction Tpost sells the Token X it’s bought. Because Alice’s transaction T causes the price of Token X to rise, the miner makes money: It’s selling Token X for more than it paid for it. But where does the miner’s profit come from? Because the miner’s buy transaction, i.e., transaction Tpre, also causes the price of Token X to rise, Alice pays more than she would have if she weren’t attacked by the miner. In other words, the miner is taking money from Alice.
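The following sketch puts numbers on the ordering effect described above. It is an added illustration, not part of the original article or any project's code. It assumes a fee-less constant-product AMM (the article names no specific AMM design), and the pool reserves and trade sizes are constructed values.

```python
from fractions import Fraction

class Pool:
    """Assumed model: constant-product AMM (x * y = k), no fees."""
    def __init__(self, token_x, paired):
        self.x = Fraction(token_x)   # Token X reserve
        self.y = Fraction(paired)    # paired-asset reserve

    def buy_x(self, paired_in):
        """Pay in the paired asset, receive Token X; the price of X rises."""
        k = self.x * self.y
        self.y += paired_in
        out = self.x - k / self.y
        self.x -= out
        return out

    def sell_x(self, x_in):
        """Pay in Token X, receive the paired asset; the price of X falls."""
        k = self.x * self.y
        self.x += x_in
        out = self.y - k / self.x
        self.y -= out
        return out

def run(order, alice_spend=100, miner_spend=50):
    """Apply the named transactions in `order` to a fresh 1000/1000 pool.
    Returns (Token X Alice receives, miner profit in the paired asset)."""
    pool = Pool(1000, 1000)          # constructed sample reserves
    alice_x, miner_x, miner_cash = Fraction(0), Fraction(0), Fraction(0)
    for tx in order:
        if tx == "T":                # Alice's purchase
            alice_x += pool.buy_x(alice_spend)
        elif tx == "Tpre":           # miner buys
            miner_x += pool.buy_x(miner_spend)
            miner_cash -= miner_spend
        elif tx == "Tpost":          # miner sells everything it bought
            miner_cash += pool.sell_x(miner_x)
            miner_x = Fraction(0)
    return alice_x, miner_cash

if __name__ == "__main__":
    for order in (["T"], ["Tpre", "T", "Tpost"], ["T", "Tpre", "Tpost"]):
        a, p = run(order)
        print(order, "Alice gets", float(a), "X; miner profit", float(p))
```

The same three transactions yield the miner a profit only when T sits between Tpre and Tpost. When T executes first, Alice receives what she would have received alone and the miner's round trip nets zero.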
A 2019-2020 study with the (condensed) title “Flashboys 2.0” explored this phenomenon (one of us was a co-author). The paper coined the term Miner Extractable Value (MEV) for arbitrage opportunities available to miners as well as to bots, which can also perform front-running by paying high gas prices. The study showed a sophisticated community of bots was already profiting from MEV in Ethereum. It also explained that the existence of MEV can destabilize consensus in a proof-of-work blockchain, threatening the integrity of the blockchain itself.
MEV exists in all kinds of places, mostly around decentralized exchanges, but also in unexpected places, like CryptoKitty birthing. In fact, there are bots lurking around the Ethereum mempool waiting to discover new MEV opportunities by copying users’ transactions. Dan Robinson, of Paradigm, suggested the term “Dark Forest” to describe this behavior, which he encountered when trying to recover funds from a broken contract.
MEV has been a serious problem for some time, but things are now getting worse.
Miners are realizing that they control transaction ordering and can profit from this power. (Anything that bots can do, miners can do better.) Some miners are embracing an idea called front-running-as-a-service (FaaS) (aka MEV Auctions (MEVA) or MEV optimization), as realized by Flashbots.
FaaS is analogous to the theft auctions we (facetiously) suggested at the beginning of this post. Instead of miners developing front-running expertise themselves, in a FaaS system, miners auction off the right to front-run users. Specialist arbitrageurs can bid off-chain in real time to place their front-running transactions in mined blocks. The winner of a FaaS auction pays the hammer price to the miner in exchange for having its transactions placed as desired.
Proponents make several arguments in favor of FaaS:
- MEV extraction is unavoidable, so let’s make the best of it: A common defense of FaaS is that MEV is inherent in blockchain protocols. FaaS is therefore helpful because it streamlines MEV extraction, eliminating “negative externalities” such as mempool and on-chain congestion caused by bots competing for juicy arbitrage opportunities.
- Miners are at risk of impoverishment: The Ethereum Improvement Proposal 1559 (EIP-1559), a proposed change to the Ethereum fee structure, is slated to go live this July. EIP-1559 alters fees in a way that some miners fear will diminish their revenue from transaction fees. Some have suggested that MEV can make up for this lost revenue.
- FaaS systems can be used to rescue CryptoKitties and other non-fungible tokens. FaaS allows a user whose private key has been compromised to transfer an NFT in a privately mined transaction without tipping off and getting front-run by an attacker to whom the key has leaked.
Fair transaction ordering
FaaS (and MEV in general) has no underlying principles or notion of fairness and social benefit. Taking advantage of extractable value is, in general, not a service for society, but often the contrary.
As Ed Felten, of Princeton and Offchain Labs, has astutely pointed out, FaaS is essentially a cost imposed on users willy-nilly by miners without any underlying technical or ethical principles, without a principled calibration of cost size and without any form of community agreement. It’s as though City Hall decided unilaterally to implement theft auctions to make up for a shortfall in municipal tax revenue and without much thought about which homes will be burglarized.
Looking at the arguments for FaaS: CryptoKitty rescue is, well, a noble activity, but not worth cheating the users. As for miner impoverishment, we don’t have strong opinions on how much miners should be compensated, but FaaS, as we’ve said, isn’t based on forethought about this question.
In addition to ethical concerns about FaaS, we are concerned it will tarnish the reputation of the smart contract ecosystem and ultimately attract unwanted attention from regulators, which have penalized companies such as Robinhood for systematizing similar practices in traditional financial markets.
Almost everyone agrees that the current state of MEV on Ethereum is bad, so why not instead try to avoid MEV altogether? Would you rather improve security to prevent burglaries, or regularize crime and redistribute its profits? We claim that MEV is avoidable even though some FaaS proponents like Flashbots seem to have already given up.
Researchers are already making strides in the direction of reducing or removing MEV by constructing protocols (permissioned and permissionless) that fundamentally order transactions fairly to begin with. Indeed, ideas to prevent some forms of front-running – such as keeping transactions encrypted while they’re ordered – have been around for decades.
Implementing these ideas is certainly not trivial, and requires substantial research, but so, too, do many other worthwhile endeavors in the blockchain community, like layer 2 systems and migration to less energy-intensive forms of mining. It is possible that MEV is in some degree inescapable, as financial systems are complex and invariably involve trade-offs. Our point is that research into the root cause and foundational solutions for MEV should be community priorities.
There is another way
While FaaS may seem an attractive way to address the MEV problem, it makes sense only as part of a false narrative that there’s no other way. But there are alternative approaches to ordering transactions that provide stronger fairness assurances for users. Those approaches deserve to be tried before FaaS becomes the norm.
Decentralized systems offer an unprecedented opportunity to rebuild the financial system on a more inclusive, more democratic, and fairer basis – to help level the tilted playing field created by Wall Street. Let’s not blow it just to pick a few users’ pockets.
Thanks to Sarah Allen, Phil Daian, Ed Felten, and Steven Goldfeder for their helpful comments on this piece. The authors note that in his role at Chainlink Labs, Ari Juels is working on approaches to fair sequencing of transactions.