Can Ethereum Out-Engineer the Censors by 'Shuttering' the Beacon Chain?

In a previous edition of the Valid Points newsletter, we dove headfirst into the debate around censorship on Ethereum. We focused on the role that validators – the computers that propose blocks of transactions on Ethereum’s upcoming proof-of-stake network – might play in censoring transactions.

The censorship debate sprang up in response to the recent U.S. sanctions against Tornado Cash – the Ethereum mixer program used by money launderers and everyday Ethereum users to send and receive money without leaving a clear trail.

In light of concerns that Ethereum’s transactions might be censored, members of the Ethereum community have been discussing ways the core protocol can be engineered to make censorship difficult – or even impossible.

One of the more compelling ideas for how this might work is a “shutterized Beacon Chain” – a proposal that encrypts key transaction details so they cannot be censored by validators. But Martin Köppelmann, the creator of this idea, isn’t so sure that censorship is a problem that the Ethereum community can code its way out of.

This article originally appeared in Valid Points, CoinDesk’s weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets. Subscribe to get it in your inbox every Wednesday.

For a community used to engineering its way out of (and into) problems, this may be a hard pill to swallow.

The fear two weeks ago was that major validators such as Coinbase (COIN) and Kraken might censor transactions in accordance with U.S. Treasury Dept. sanctions. This potential for censorship was all the more worrisome given that a few validators control a majority of the “stake” (read: power to process transactions) on Ethereum’s soon-to-arrive proof-of-stake network.

But in the last couple of weeks, much has changed.

On the positive side for those opposed to censorship, Coinbase and other big-name validators have clarified their position on how they will handle sanctioned transactions. Most (but not all) responses have echoed that of Coinbase CEO Brian Armstrong, who says he would sooner end his company’s staking business than succumb to censorship.

But on the negative side, a whole new set of questions has cropped up around whether transactions can be blocked before they are even seen by validators.

These challenges center around MEV-Boost, a piece of middleware that most validators are expected to use come the Merge.

Before we continue we’ll need to explain one of the critical challenges plaguing Ethereum and other blockchain networks: MEV.

When an Ethereum user issues a transaction, it’s not automatically accepted by the rest of the network. First, it goes to the so-called mempool – a giant bucket of unconfirmed transactions from other Ethereum users.

Recall that a block is just a glorified list of transactions. Validators scan, select and organize mempool transactions into blocks that they propose out to the wider network. If they’re clever, they’ll do this in a way that extracts a bit of extra profit for themselves – a concept called Maximal (or Miner) Extractable Value, or MEV.

Validators aren’t the only actors squeezing out MEV. So-called “searchers” have also emerged – computers that scan the mempool and preview what transactions are upcoming. They then bribe validators (by issuing transactions with a higher fee, or “tip”) to include their own transactions ahead of others that they expect to impact the market.

Read more: Just-In-Time Liquidity: How MEV Can Enhance DeFi on Ethereum

MEV practices range from benign to malicious. On the more malicious end, searchers and validators can use their future-telling abilities to screw over other market participants.

Take sandwich attacks, for example. Say a searcher sees in the mempool that “Bob” is about to buy a bunch of DAI on a particular exchange. The searcher knows that Bob’s transaction will increase the price of DAI, so the searcher buys up a bunch of DAI for itself right before Bob does. Then, after Bob pumps the price of DAI, the searcher dumps the DAI tokens that it just bought while the price was lower.

The searcher, if they are clever, will net out with a profit. Bob, on the other hand, will probably pay a bit extra for DAI as a result of the searcher’s initial purchase. No fun.

MEV-Boost makes a bet that MEV, if it can’t be exterminated, can at least be more equitable. Flashbots, its creator, achieves this by separating the actors who build blocks from the validators who propose them out to the wider Ethereum network.

Builders – not validators – do the complicated optimization work of selecting and ordering transactions into blocks in a way that maximizes MEV. If everyone uses MEV-Boost, the thinking goes, then at least everyone will have a fair shot at extracting MEV.

Read more: Are Block Builders the Key to Solving Ethereum’s MEV Centralization Woes?

“Proposer builder separation” will eventually be baked into Ethereum’s core code, but MEV-Boost is a stopgap solution. To make things work, it relies on centralized “relays” to send blocks from builders to proposers.

And this is where the whole issue of censorship comes into play. Flashbots says that its own relay – the default relay that will be shipped with MEV-Boost – will censor transactions in accordance with Tornado Cash sanctions.

Unsurprisingly, the wider Ethereum community was not happy to hear this.

In response to community backlash, the team opted to make open source its relay software earlier than originally planned. This means other parties will be able to set up non-censoring relays when MEV-Boost launches. Validators will have the option of selecting whether they want to use the censored or uncensored relay option.

Even though uncensored relays will be optional, that’s all they’ll be: optional. For anti-censorship hardliners – which includes many of Ethereum’s core developers – this is not enough.

With all this controversy around censoring validators, relays and software providers emerges a key question: What if censorship could be engineered out of existence?

In a world where “trustlessness” is a core tenet, such a utopian ideal becomes appealing.

Enter, shutterized Beacon Chain.

In a research proposal this past March, authors framed the shutterized Beacon Chain concept as a way to solve the MEV problem.

The proposal introduced a new Ethereum transaction: transactions that are encrypted when they go to the mempool.

Outside of limited information (like the “tip” that a transaction includes for validators to ensure it gets added to a block), other core details – like who is sending a transaction, who is on the receiving end and the quantity of tokens changing hands – are hidden from searchers and block builders.

Only after a transaction is approved and confirmed on-chain will its content become unencrypted.

The idea was originally proposed by Martin Köppelmann, the founder of Gnosis Chain.

“The concept of a shutterized Beacon Chain, in general, is that we separate transaction inclusion from transaction execution,” he explained to CoinDesk. “So you have a period where you blindly include transactions purely … based on whether they are paying a fee, and whether they are paying a high enough fee. If they do, they should be included. That's it.”

It’s obvious why this might be useful from an anti-MEV perspective: If block builders and searchers can’t see a transaction’s payload (meaning what is being paid out to whom), then they won’t have the information that they need to extract MEV. (How can you “front-run” a transaction if you don’t even know what it contains?)

As a side effect, shutterization could play a major role in preventing censorship. Validators and relays won’t know whether to censor a transaction if they can’t see its sender or recipient.

We won’t dive too deeply into the underlying mechanics of the shutterized Beacon Chain concept in this newsletter. Beyond being complicated, the idea hasn’t yet been fully fleshed out on an engineering level (though “shutter” concepts are being built out on Ethereum rollups and other blockchains).

Köppelmann says the shutterized Beacon Chain concept didn’t gain much attention when it was introduced in March. Partly, he thinks, it was because MEV-extractors – which account for a large portion of the Ethereum community – have profited handsomely from Ethereum’s unencrypted status quo.

When Köppelmann re-pitched the idea around censorship after August’s Tornado Cash sanctions, though, it was received warmly by members of the Ethereum developer community. Some even took the idea further, suggesting that all transactions be shutterized (rather than making it optional, as suggested in the original proposal).

But questions remain: What if governments decide that processing transactions containing sanctioned addresses is illegal regardless of whether those transactions were encrypted when they were picked up by validators? Or what if regulators decide to treat shutterization like Tornado Cash – outlawing a shutterized Beacon Chain entirely?

Despite the recent enthusiasm around his idea, Köppelmann noted in his conversation with CoinDesk that it’s not as if shutterization – or any engineering intervention – can ultimately “solve” Ethereum’s censorship problem.

“I think it's almost always possible, whatever the regulatory challenge is, to find an engineering solution to it. However, I also think that if you always try to find an engineering solution to it – at the end, Ethereum, and crypto, will become extremely niche,” Köppelmann told CoinDesk.

To explain his point, Köppelmann mentioned last week’s news that Hetzner, the cloud service provider that hosts 10% of Ethereum nodes, has banned all crypto-related activity.

“So, of course, now we can come up with an engineering solution that would say, ‘well, stake at home,’” Köppelmann explained. “But next, internet service providers could block traffic that's related to [staking]. Again, you could come up with an engineering solution, but each time you lose a percentage of users. In the end, it becomes this kind of mammoth thing where three guys have a super engineered solution, but still, regulators and broader social consensus could try to force it out of the public.”

In the end, the fight against censorship continues offline – where it is likely to remain.

“I think ultimately, it's always a social kind of fight,” Köppelmann reflected. “I don't want to just find ways to somehow be able to use Tornado; I want to make it socially acceptable to say that Tornado is a valuable thing.”

The following is an overview of network activity on the Ethereum Beacon Chain over the past week. For more information about the metrics featured in this section, check out our 101 explainer on Eth 2.0 metrics.

Disclaimer: All profits made from CoinDesk’s Eth 2.0 staking venture will be donated to a charity of the company’s choosing once transfers are enabled on the network.

Voyager Digital is attracting takeover interest, but Coinbase has withdrawn.

The SEC is probing Grayscale over the firm’s “securities law analysis” of XLM, ZEC, ZEN.

ENS DAO may lose its web address.

Valid Points incorporates information and data about CoinDesk’s own Ethereum validator in weekly analysis. All profits made from this staking venture will be donated to a charity of our choosing once transfers are enabled on the network. For a full overview of the project, check out our announcement post.

You can verify the activity of the CoinDesk Eth 2.0 validator in real time through our public validator key, which is:

0xad7fef3b2350d220de3ae360c70d7f488926b6117e5f785a8995487c46d323ddad0f574fdcc50eeefec34ed9d2039ecb.

Search for it on any Eth 2.0 block explorer site.