❤️ ❤️

Flash Boys on steroids, with a Time-turner

A Guide to Reorg-as-a-Service

Over the last week Crypto Twitter has been all up in arms over the proposal of Reorg-as-a-Service.

In the Flashbots Discord, Nathan Worsley floated the idea of software for Reorg-as-a-Service.

And subsequently highlighted by MEVIntern.

Which quickly evolved into

To get you up to speed, we present

A Guide to crypto's version of Flash Boys; on steroids, and armed with a ⌛Time-Turner⌛ device.

FWIW, and if you don’t make it through the entire article, the overall risk to the network is low but it’s good that the discussion is helping everyone learn more about Ethereum.

📚 References and Recommended Readings

What's a Blockchain Reorg?
MEV and Me
Flashbots: Frontrunning the MEV Crisis
Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges

If you are familiar with MEV already, please jump straight to the Reorganizations section

📝 What is Maximal Extractable Value (MEV) and why does it exist?

To answer this we first need to explain DeFi. Circa 2019, Decentralised Finance (DeFi) started gaining in popularity. DeFi is a subset of finance-focused decentralized protocols that operate autonomously using smart contracts. Today there is >$100b locked in DeFi applications.

Back in 2017-2018 the largest use case on Ethereum was for running Initial Coin Offerings. Apart from that, there was relatively little happening on-chain. Early Decentralised Exchanges (DEXes) like EtherDelta were difficult to use so most trading activity took place on Centralised Exchanges such as Binance, Kraken etc.

The first cases of front-running appeared on DEXes such as EtherDelta and became more significant with the introduction of Uniswap which revolutionised the trading experience. First-generation DEXes like EtherDelta used a central-limit order book (CLOB) model. In CLOBs, liquidity providers have to constantly update bids and offers to reflect how much liquidity they are willing to provide at each price. As you can imagine, trying to do this on a blockchain with ~13s block time is impossible.

Then came Uniswap, an Automated Market Maker (AMM) which proposed a deterministic algorithm x*y=k. Liquidity providers provide assets into pools and price quotes are based on the static x*y=k algorithm.

The pros of this approach are that anyone can come in and there will be a pool of capital ready for them to trade against. This enabled anyone to launch tokens and have instant liquidity in a permissionless manner (enabling the long-tail of assets).

The cons of this approach are that since the exchange runs on a static algorithm, it is in effect disconnected from the reality of where prices are being quoted externally e.g. on centralised exchanges. The way prices are kept in line is through arbitrageurs, who push prices to where they should be by adding or removing assets in the liquidity pools. As a result, Liquidity Providers who are constantly getting arbitraged against suffer from what is known as impermanent loss.

🔵 Liquidations

Similar to how AMMs are reliant on arbitrageurs to push prices in line with the external world, DeFi protocols such as lending protocols rely on third-parties like liquidators to keep the system healthy.

For example, in MakerDAO or Compound, loans are overcollateralized. A borrower must lock >100% of the value they wish to borrow. The collateral acts as a security to the lender if the borrower doesn’t pay back the debt.

When borrowers exceed their borrowing allowance, someone needs to liquidate the collateral and balance the account. To incentivize liquidators to monitor the collateral-to-borrow ratios of others and liquidate when necessary, these platforms offer a portion of collateral as a reward.

💡 Maximal Extractable Value (MEV)

The term Miner Extractable Value was first proposed in the Flash Boys 2.0 paper. It has since been re-defined to Maximal Extractable Value (this is because although the upper bound of MEV is bounded by the rights that miners have on transaction ordering, value is not being exclusively extracted by miners today).

When one sends a transaction on the blockchain, there is a delay between the time when the transaction is broadcast to the network and when it is actually mined. During this period, transactions sit in a pending transaction pool called the mempool where contents are visible to everyone. Arbitrageurs and miners can monitor the mempool and find opportunities to maximize their own profits. If a front-runner is a miner, they can reorder or even censor transactions.

MEV is a measure of the profit a miner (or validator, sequencer etc.) can make through their ability to arbitrarily include, exclude, or re-order transactions within the blocks they produce. For a detailed discussion on MEV taxonomy, please refer here.

❓ MEV on Ethereum - does it exist on other chains?

The rate at which MEV accumulates on a given blockchain is generally proportional to the complexity of its application-layer behavior. With the exponential growth of DeFi on Ethereum, this gives rise to MEV. The reason why MEV doesn’t really exist on BTC and other chains is because there is less happening on-chain and hence less value to be extracted through arbitrage, liquidations etc.

As the usage of other chains grows, so will the value that can be captured on them as a result of transaction ordering. Thus although MEV is most relevant to Ethereum today, MEV is relevant to all chains.

🏃 Frontrunning

Front-running is the process by which an attacker observes transactions in the mempool and puts in a competing transaction that is ordered before the observed transaction. E.g. Alice wants to buy a Token A on an AMM. An attacker spots Alice’s transaction in the mempool and sends a competing transaction with a higher gas price so that he can buy up Token A before Alice does.

🍘 Sandwich Attacks

A continuation of front-running - attackers usually use sandwich attacks where 2 transactions are created. The first transaction is inserted before and the second is inserted after the target transaction, thereby sandwiching it. The attacker’s first transaction buys Token A, which pushes up the price for Alice’s transaction, followed by Alice’s transaction, and then the final transaction is the attacker’s transaction to sell Token A (now at a higher price) locking in the profit.

🏃 Back-running

Back-running occurs when a transaction sender wishes to have their transaction ordered immediately after a specific target transaction.

Example: Back-running new token listings on Uniswap.

Attacker monitors the mempool for new pairs being created on Uniswap. When a new pair is found, the attacker inserts a buy transaction immediately after the initial liquidity is supplied. The attacker buys as many tokens as possible (but not all). As others subsequently buy the token from Uniswap and the token price goes up, the attacker then proceeds to sell tokens for a profit.

Back-running strategies also apply to liquidations whereby a transaction sender aims to be the first to liquidate a loan right after a price oracle update (which will allow liquidations to happen).

⌛ Reorganizations

What is a chain reorg

In proof-of-work systems, transaction finality is probabilistic and not guaranteed. Occasionally two or more miners will solve the next block at approximately the same time. Whichever chain has the most hashpower behind it will add new blocks more quickly and become the longer (valid) chain. This is also the reason why crypto exchanges require a certain number of confirmations for deposits.

A chain reorg happens when a node receives blocks that are part of the new longest chain. It will orphan (or disregard) blocks in the former longest chain in favour of the blocks that now form the new longest chain.

🎡 Reorg attacks or Time Bandit attacks

The Time-turner appears!

Time-bandit attacks are attacks where miners rewrite blockchain history to steal funds that were allocated in the past. If block rewards are small enough compared to MEV, it can be rational for miners to destabilize consensus.

Imagine there are two miners, Sam and Dan, who are paid a $100 reward for each block they find. Sam has found 3 blocks, the first of which contained a $10,000 arbitrage opportunity. Now Dan has a choice: he can either mine on top of Sam’s 3 blocks, or he can attempt to re-mine the first block in order to take the arbitrage profit for himself. The $10,000 is much more lucrative than the $100 block reward, and Dan is more rational than honest, so he decides to re-mine the first block. While Dan is at it, since the current longest chain is height 3, he also re-mines the second and third blocks (and captures any MEV that was in those too). After the reorg, Dan owns the longest chain and he and Sam can progress from the third block.

Note that the difficulty and costs increase the deeper the reorg goes - reorging three blocks is much more difficult and expensive than reorging one block.

🔨 51% attacks

In a 51% attack, an attacker accumulates the majority of a network's hashrate. This enables them to solve new blocks and add to the blockchain faster than everyone else and they can use this to reorg the network and double-spend. Read more about past 51% attacks here.

In 2014 a BTC mining pool http://Ghash.io briefly had 51% of hashpower where they could have reorged and performed double spends. However, they knew that the BTC network would lose its credibility and the price of BTC would fall so miners left the Ghash mining pool.

More information on 51% attacks in Nakamoto Consensus systems can be found here, courtesy of Andreas Antonopoulos.

⛽ The 2019 Binance hack

On May 7 2019, Binance was hacked of 7,000 BTC (~$40 million). A reorg of the BTC network was proposed to invalidate the hack. To incentivize miners, Binance proposed compensating miners to make it more profitable to mine their proposed private chain than the original chain. However, this didn’t proceed.

The real reason though (at least we think) was that by the time Binance proposed a reorg of Bitcoin’s chain (50 blocks past the hack) it was well outside of the realm of possibility. While many think the community reaction had anything to do with their decision not to, it was likely impossible no matter how badly they wanted to.

🚠 Geth and MEV-Geth

Geth (Go Ethereum) is an Ethereum client that is used for both full nodes and mining. It is the most popular client, boasting 80% of all nodes and a majority of mining pools.

MEV-Geth is a fork of Geth by Flashbots that is designed to make MEV extraction more efficient and open to anyone. MEV-Geth modified Geth to accept “bundles” of transactions from users. Flashbots gives users a way to communicate their transaction ordering preferences to miners via bundles. Bundles have to be executed in the order they are provided. Either the whole bundle is executed, or none of it is. Despite initial objections, miners accounting for >80% of hashrate are now running MEV-Geth, and more than half the blocks mined on Ethereum now include bundles, showing interest in MEV extraction as a means to increase miner profits.

❌ The controversial Reorg-as-a-Service

The controversial software in question here (theoretical, not built yet) is to allow miners to go back in time and try to orphan blocks if it is more profitable to do so rather than build on the latest block.

💾 Code

  1. Work-in-progress fork of MEV-Geth, aimed at allowing requests for reorgs to be submitted to miners off-chain (has since been made private)

  2. A contract that allows users to offer miners money to reorg the Ethereum blockchain.

    Note: It relies on the assumption that a user can issue a transaction to slash a miner. However, if reorgs are on the table then the miner would also reorg the slash.

🔒 Why many are against the idea of Reorg-as-a-Service

  • It’s destabilizing for consensus
  • Against one of the core tenets that blockchains are immutable
  • Negative perception that the network can be manipulated, resulting in drop in value of ETH
  • A small group of stakeholders, e.g. advanced searchers and perhaps miners would benefit at the expense of everyone else.

➕ Calculating Expected Value (EV) of reorgs

Note: It doesn’t make sense for reorgs to take place most of the time, except perhaps if there is high enough value MEV such as a hack. In the example below it is assumed that miners want to maximize their EV short-term. It does not consider the longer-term costs such as lower transaction fees, lower usage of the Ethereum network and therefore less MEV over the longer-term.

Example from 0x9116

Assume you are Ethermine with 30% hashrate.

A block B is mined (not by you) that contains a large miner payment of X ETH. Do you mine block B' at the same height as B to try to claim this MEV? Or do you mine block C? Consider the next 2 blocks you'll mine.

Option 1: Mine on top of B

Expected reward from mining these next 2 blocks on top of B is 4 ETH + 2Y, where Y is the expected MEV payments of a block at the current time.

Option 2: Try to mine B’

Assume a simple but reasonable strategy: you attempt to uncle B, but you abandon your attempts as soon as C is mined.

A) With 0.7 probability, C is mined before you mine B'. Your payoff in this case is 4 + 2Y.

B) With 0.3 probability, you mine B' before C is mined.

C) Then, with 0.3 x 0.7 = 0.21 probability, C is mined before C', and your payoff is 2 + Y.

D) Finally, with 0.3 x 0.3 = 0.09 probability, your time-bandit attack succeeds, and your payoff is 4 + Y + X.

Overall, the payoff is 3.58 ETH + 1.7 Y + 0.09 X. Compared to a payoff of 4 + 2Y, it only makes sense for you to perform these uncle attacks when X > 3.3Y + 0.58. In other words, X has to be over 3.3 times larger than the expected block reward, plus 0.58 ETH.

This might happen occasionally, particularly during token snipes, or single one-off events like hacks. Reorgs during market crashes or other high-vol periods are less likely because the expected block reward is already high.

💁 What are the solutions against Reorg-as-a-Service?

  • Make it socially-unacceptable to do so

Credit: Hasu, 0xbunnygirl

Mining pools care about their reputation. It’s a bad look if miners go beyond their job of providing security (and getting paid to do so for years) and turn around to attack the network especially if they are also providing or planning to provide staking services for ETH 2.0 or need to maintain their reputations when providing security to other chains.

  • Split the MEV in such a way it’s higher EV for others to continue your block

Offer an amount to the competition to continue your block. In order to do this you will need to know your hashrate and the hashrate competing against you.

-Request for Reorg can be modified to fit this purpose.

-Daniel Goldman has published a DeOrg contract for creating incentives to stop reorgs.

-This idea has also been discussed in BTC where it’s called Whale Transactions.

  • A cartel against reorgs where a few large pools commit to no-reorgs and also threaten that if anyone tries to reorg, the cartel will ignore their chain. As the cartel has a majority eventually other attempts will lose.

  • Accelerate the merge ETH 2.0 as it’s harder to reorg in ETH 2.0

  • Smooth MEV payments over multiple blocks so that it reduces short-term variance in MEV revenue and the incentives to reorg

📢 The increased risks leading up to the merge ETH 2.0

Miners become irrelevant in ETH 2.0 as the system transitions towards Proof-of-Stake (no GPUs required). As such, they may be incentivized to take short term EV-maximizing decisions rather than align with ETH longer term.

  • This risk is heightened on the very last day before the merge where miners have all the power over consensus. That said, some miners Ethermine, SparkPool, F2pool do have staking pools and will be involved in ETH 2.0 so would probably care more about their brand value.
  • There is also increased risk of uncle mining leading up to the merge. In ETH you get a consolation prize if you mine uncles instead of extending the main chain. The uncle mining strategy increases miners revenue but decreases the performance of the network. Read more about it here.

Note: If this does happen it should be observable. Uncles can be included in a protocol for a reward up to 6 blocks so if short reorgs are becoming more frequent we should see an increase in uncle rates.

🔦 MEV in ETH 2.0

In ETH 2.0, an epoch is a bundle of up to 32 blocks that validators propose and attest to over a period of ~6.4 mins. An epoch, along with all the blocks of which it is composed, is only considered finalized after the progression of two more epochs after it. As such, reorgs going back >13 mins in time will not be possible. This makes reorgs harder in ETH 2.0.

However, MEV will still exist in ETH 2.0. For each epoch, all validators are pseudo-randomly assigned to propose blocks or attest to blocks proposed by other validators. These assignments are known 2 epochs in advance for attesters (13 mins) and 1 for proposers (6.4 mins). Large validator pools or exchanges could even be the proposer of multiple blocks within one epoch, which opens up the possibility for multi-block MEV extraction. You can read more about MEV in ETH 2.0 here.

🏆 Thinking longer-term

While we talk about the possibility of rare one-off high-value MEV opportunities, what would this mean if miners try to reorg? * Igniting a war (expensive)

Due to the negative perception that the network can be manipulated by a privileged group of actors, this leads to

  • Lower usage of the Ethereum network
  • Decrease in transaction fees
  • Lower price of ETH
  • Less MEV in the longer-term

Which leads us to the conclusion that reorgs do not make sense for miners.

Flashbots has just released their stance against re-orgs which can be found here https://medium.com/flashbots/flashbots-on-reorgs-914e397b78d8.

⛳ Thanks

A big thank you to MEVSenpai, Neso and Miyuki for reviewing.

❄️ About Femboy Capital

Evolving from a simple joke, Femboy Capital is an autonomous cooperative incubator and DeFi accelerator that ideates, develops, and shepherds products, protocols, and initiatives within the DeFi space.

@AutomataEmily - 14/07/21