Ethereum’s core insight was that flexible smart contracts allow developers to explore a new frontier of permissionless applications. The explosive growth of decentralized financial protocols built on Ethereum (“DeFi”) is a glimpse at what this innovation could enable in the future.
Like programming libraries in the first Internet revolution, DeFi’s “money legos” enable developers to build complex systems by composing and remixing simple building blocks. This complexity also brings novel risks. One of these risks is Miner Extractable Value, or MEV.
Miner Extractable Value
The concept of MEV was first introduced by Phil Daian in “Flash Boys 2.0,” and more recently popularized by my colleagues Dan Robinson, Georgios Konstantopoulos, and samczsun in “Ethereum is a Dark Forest” and “Escaping the Dark Forest.”
It has become a foundational concept in cryptoeconomics, but what actually is MEV? What are the implications for permissionless blockchains?
What is MEV?
MEV is a measure of the profit a miner (or validator, sequencer, etc.) can make through their ability to arbitrarily include, exclude, or re-order transactions within the blocks they produce.
Imagine there’s a $10,000 arbitrage opportunity available on Uniswap after a large trade has caused price slippage. An arbitrage bot notices the opportunity and submits a transaction to capture it, offering a $10 txfee to the miner. One of two things may happen:
- A miner will copy and censor the arbitrageur’s transaction in order to capture the opportunity themselves.
- Other bots will notice and bid a higher txfee, starting a bidding war for the right to capture the arbitrage. The auction is called a “Priority Gas Auction” (PGA).
The $10,000 potential profit is MEV. If a miner does not capture it, and a PGA is kicked off, the difference between the price at which the auction settles and the total MEV available is the winning trader’s profit (e.g., if a $7,000 fee is paid to a miner, the remaining $3,000 is left to the trader).
This example gives a high-resolution view of MEV, but it does not paint the whole picture. MEV is not just a curiosity. These little financial games create incentive ripples, a winding chain of cause and effect that must be followed to see the contagion. This post will explore that thread and explain why MEV may harm Ethereum and its users.
As a direct result of DeFi’s inflective success, the known lower bound of Ethereum MEV is growing at an exponential rate. At this pace, we believe that MEV could create meaningful issues within the next year.
The State of Play
It is impossible to say how much MEV is on Ethereum in total. All the MEV we are currently aware of constitutes only the lower bound.
This is because MEV can be created any time a user interacts with a blockchain, and smart contracts enable a functionally infinite number of potential interactions. Thus, it is computationally infeasible to calculate a blockchain’s total potential MEV by brute force.
However, we can establish a baseline by adding up the MEV that’s known to have been extracted (which is the “realized MEV” shown in the graph above). Then, we can use heuristics to infer how much higher than our baseline the true lower bound could be, and how the qualitative texture of the unexploited MEV could affect the blockchain’s environment.
The defining feature of Ethereum’s current era is that most miners are not attempting to exploit MEV themselves (yet). Nearly all of the current activity is driven by non-mining traders. However, some MEV can only be captured by miners, because they have the authority to arbitrarily order (or exclude) transactions. Non-mining traders can access a strictly smaller subset of “simple” MEV; “complex” preferences cannot be efficiently expressed through PGAs.
This means that we see almost entirely PGA-style MEV being realized. Uniswap arbitrage, like our earlier example, is one of the most common flavors of MEV in practice.
Another type of MEV seen often in practice is theft from vulnerable smart contracts. One example is described in the “Dark Forest” post by Dan and co. They found a smart contract with a vulnerability that would allow anyone to steal the funds inside; Dan planned to recover the funds by exploiting it before a thief could. However, an arbitrage bot automatically recognized and copied their transaction, replacing their address with its own, and bid a higher transaction fee. The bot’s transaction executed before theirs and made off with the funds.
The next era of MEV will come when Ethereum miners begin actively exploiting MEV. However, until recently, there was a common hypothesis that miners are altruistic enough to forgo MEV revenue and continue running default node software. Bitcoin miners have empirically chosen not to run selfish mining strategies, so there is some precedent.
We think this miner-altruism hypothesis has been proven definitively false in the last 3 months. A small but meaningful portion of the hashrate has been observed exploiting MEV themselves, revenue-sharing with traders rather than allowing permissionless fee auctions, and selling access to private memory pools.
Rather, we believe that MEV is now overcoming miners’ threshold activation energy. Feverish non-mining trader activity highlights opportunities that miners can capture more efficiently and profitably. Additionally, the types of MEV that non-mining traders can’t access are a pot of totally untouched miner revenue; that pot may be far larger than the MEV realized to date. At some level, it is more surprising that it took miners this long to become involved.
The dam has probably burst: miners will venture further into the frontier, exploring more exotic forms of MEV and collusion. Significant risk could be posed to Ethereum and its users.
The rest of this post will explore what this future could look like in more detail, starting with what we mean when referring to MEV’s potential “risks.”
MEV Can Harm Users
MEV is an invisible tax that miners can collect from users.
In our earlier Uniswap example, a large trade caused price slippage, creating a $10,000 profit opportunity (MEV). The bot which arbitrages the market back to parity with the true price is making the Uniswap market more efficient without harming the original trader in the process. This is an example of a benign MEV transaction.
However, in a different version of the same trade, an arbitrage bot would recognize the user’s trade before it’s executed and “sandwich” their transaction between a buy and sell order of its own. The net effect is that MEV levies an invisible tax on the user: their order is manipulated into executing at an artificially inflated price, which the bot then sells into for an instant profit. Of course, a miner could do this at no cost to themselves. This is what one might call a malignant MEV transaction.
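The invisible tax described above, measured on a constant-product pool, as an added example that is not part of the original post. The reserves, trade sizes, 0.3% fee and the user's minimum-output limit are assumptions, and `Pool` and `sandwiched_trade` are hypothetical names.

```python
from dataclasses import dataclass

FEE = 0.003  # assumed 0.3% swap fee, kept by the pool


@dataclass
class Pool:
    """Constant-product pool: usd * eth is preserved by every swap (before fees)."""
    usd: float
    eth: float

    def quote(self, amount_in: float, buy_eth: bool) -> float:
        """Output the pool would pay right now, without executing the swap."""
        r_in, r_out = (self.usd, self.eth) if buy_eth else (self.eth, self.usd)
        net = amount_in * (1 - FEE)
        return r_out * net / (r_in + net)

    def swap(self, amount_in: float, buy_eth: bool, min_out: float = 0.0) -> float:
        """Execute a swap; reject it, like a reverted transaction, below min_out."""
        out = self.quote(amount_in, buy_eth)
        if out < min_out:
            raise ValueError("output below the user's minimum: swap reverted")
        if buy_eth:
            self.usd, self.eth = self.usd + amount_in, self.eth - out
        else:
            self.eth, self.usd = self.eth + amount_in, self.usd - out
        return out


def sandwiched_trade(user_usd: float, front_usd: float, tolerance: float) -> dict:
    """Replay buy / user trade / sell on a constructed pool and report who pays what.

    tolerance is the fraction of the quoted output the user is willing to lose;
    1.0 means the user set no limit at all.
    """
    pool = Pool(usd=2_000_000.0, eth=1_000.0)        # constructed reserves
    quoted = pool.quote(user_usd, buy_eth=True)       # what the user expected
    bot_eth = pool.swap(front_usd, buy_eth=True)      # order placed ahead of the user
    try:
        received = pool.swap(user_usd, True, min_out=quoted * (1 - tolerance))
        reverted = False
    except ValueError:
        received, reverted = 0.0, True
    bot_usd = pool.swap(bot_eth, buy_eth=False)       # order placed behind the user
    return {
        "reverted": reverted,
        "user_shortfall_eth": 0.0 if reverted else quoted - received,
        "sandwicher_pnl_usd": bot_usd - front_usd,
    }


if __name__ == "__main__":
    print(sandwiched_trade(100_000, 200_000, tolerance=1.0))   # no limit: user is taxed
    print(sandwiched_trade(100_000, 200_000, tolerance=0.01))  # 1% limit: trade reverts
```

With no limit the user silently receives less ETH than quoted; with a 1% limit the user's trade reverts and the surrounding orders only lose swap fees.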
MEV Can Harm Ethereum
MEV inherently encourages consensus instability.
Imagine there are two miners, Sam and Dan, who are paid a $100 reward for each block they find. Sam has found 3 blocks, the first of which contained our $10,000 Uniswap arbitrage.
Now, Dan has a choice: he can either mine on top of Sam’s 3 blocks, or he can attempt to re-mine the first block in order to take the Uniswap arbitrage for himself. The $10,000 is much more lucrative than the $100 block reward, and Dan is more rational than honest, so he decides to re-mine the first block.
While Dan’s at it, since the current longest chain is height 3, he also re-mines the second and third blocks (and captures any MEV that was in those, too). After the re-org, Dan owns the longest chain and he and Sam can progress from the third block.
This is known as a “time-bandit” attack: if block rewards are small enough compared to MEV, it can be rational for miners to destabilize consensus.
Our example was a two-party system. In the real multiplayer world, it is possible that every rational miner would attempt to re-org the third block and essentially halt progress. However, this could destroy the value of the miners’ hashrate investments. If we see this behavior at all, it will more likely be in the form of shorter, more frequent re-orgs that do not halt progress entirely.
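A simplified expected-value model of Dan's choice, as an added example that is not part of the original post, showing how large MEV must be relative to the block reward before a re-org attempt pays. It assumes Dan holds a fixed hashrate share `q`, abandons his fork once the public chain leads by `give_up` blocks, that only the re-mined first block carries MEV, and that no other miner defects; all function names are hypothetical.

```python
def reorg_odds(q, deficit, give_up):
    """Walk the fork race exactly, block by block.

    q        attacker's share of total hashrate (next block is theirs with prob. q)
    deficit  blocks the public chain is ahead of the fork point (3 in the post)
    give_up  public lead at which the attacker abandons the private fork
    Returns (probability the re-org succeeds,
             expected number of attacker blocks orphaned by a failed attempt).
    """
    if not 0 <= deficit < give_up:
        raise ValueError("need 0 <= deficit < give_up")
    p_win, wasted = 0.0, 0.0
    # lead -> (probability mass, mass-weighted count of attacker blocks so far)
    states = {deficit: (1.0, 0.0)}
    while states and sum(m for m, _ in states.values()) > 1e-12:
        nxt = {}
        for lead, (mass, blocks) in states.items():
            for step, prob, mined in ((-1, q, 1), (+1, 1 - q, 0)):
                m = mass * prob
                b = (blocks + mass * mined) * prob
                new_lead = lead + step
                if new_lead < 0:             # private fork is longer: re-org succeeds
                    p_win += m
                elif new_lead >= give_up:    # fork abandoned: its blocks are orphaned
                    wasted += b
                else:
                    pm, pb = nxt.get(new_lead, (0.0, 0.0))
                    nxt[new_lead] = (pm + m, pb + b)
        states = nxt
    return p_win, wasted


def reorg_gain(q, deficit, give_up, mev, block_reward):
    """Expected extra revenue from attempting the re-org versus mining honestly.

    A successful attacker keeps the rewards for its own blocks either way, so the
    only difference is the MEV won against the rewards orphaned on failure.
    """
    p_win, wasted = reorg_odds(q, deficit, give_up)
    return p_win * mev - wasted * block_reward


def break_even_mev(q, deficit, give_up, block_reward):
    """MEV in the targeted block above which the attempt has positive expected value."""
    p_win, wasted = reorg_odds(q, deficit, give_up)
    return wasted * block_reward / p_win


if __name__ == "__main__":
    # The post's numbers ($100 reward, $10,000 MEV, 3 blocks behind); the 30% share
    # and the give-up point of 6 are assumptions.
    print(reorg_gain(0.30, 3, 6, mev=10_000, block_reward=100))
    print(break_even_mev(0.30, 3, 6, block_reward=100))
```

Raising the block reward raises the break-even MEV in direct proportion, which is the sense in which rewards that are small relative to MEV make destabilizing consensus rational.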
Is MEV unique to Ethereum?
No, hypothetically MEV can also be seen on Bitcoin. The incentives to censor Lightning channels or to double-spend colored coins are technically MEV.[1] However, our hypothesis is that Bitcoin is inherently less exposed to MEV than blockchains like Ethereum.
The reason for that lies in the complexity and “statefulness” of the respective blockchain:
- The rate at which MEV accumulates on a given blockchain is generally proportional to the complexity of its application-layer behavior.
- Arbitrarily flexible protocols, such as Ethereum, cannot bound this complexity and are inherently biased towards greater complexity over time.
- MEV incentives cannot be easily mitigated without altering Ethereum’s UX.
This is why we say that Ethereum’s complexity may be a curse.
MEV Follows Complexity
In some purely theoretical sense, even Bitcoin cannot bound its potential MEV exposure. However, Bitcoin’s design discourages unintended high-MEV use cases well enough that, in practice, they are rarely seen. This doesn’t seem likely to change going forward, so we don’t expect that MEV will become a bigger problem for Bitcoin (the inflation is a separate discussion[2]).
In contrast, we can observe that the MEV surface on Ethereum is growing exponentially, mainly as a result of the large flows of value through DeFi applications. The financial primitives which seem so promising could alternatively be viewed as parasitic to Ethereum: spinning a boundless web of MEV which grows larger and more complex by the day.
Ethereum Can’t Bound Complexity
If the Lightning Network created untenable MEV on Bitcoin – realistically threatening Bitcoin’s consensus stability – we could remove the opcodes needed to create payment channels from Bitcoin’s limited ruleset (Script) in a relatively straightforward way.
On the other hand, if we discovered that some application patterns (e.g. DEXs, lending, tokenized custodial assets, etc.) posed similar risks to Ethereum, it would be impossible to preclude all possible implementations of those behaviors at the level of the EVM. Individual implementations could be forked off, but we could not prevent the general behavior without permissioning contract deployment or severely constraining the EVM. In either case, Ethereum would no longer enable “permissionless smart contracts.”
MEV is Hard to Fix
Finally, it is natural to ask if Ethereum could build a mechanism to counteract MEV into the protocol. In short, no, at least without altering Ethereum’s developer and/or user experience.
Any attempt to prevent miners from accessing the revenue stream is liable to incentivize the creation of off-protocol markets. For example, if all transactions were only allowed to pay a flat rate, we would expect miners to collude with traders to accept payment for transaction priority out-of-band. Similarly, if all transaction fees were burned or paid to a communal pot, miners would simply accept fees separately.
This is why we say that MEV cannot be easily counteracted. Potential mitigations exist, but they require structural changes to the way Ethereum applications are architected and users interact with them.
If Bitcoin’s incentive security fails, at least before block rewards go to ~zero, it’s difficult to imagine that any permissionless blockchain will not suffer a similar fate. Bitcoin’s simplicity is not only aesthetically elegant but also minimizes its extra-protocol incentive surface.
We are more concerned about Ethereum. Ethereum’s application-layer complexity and MEV are continuing to grow exponentially. The known lower-bound on MEV revenues could be larger than the value of ETH miner security incentives within the year.
Large-scale, efficient MEV extraction may make the “tax” on Ethereum users untenable. Ethereum could become congested and more costly for all applications. The platform UX would be impaired, and that could stall Ethereum’s network effects and momentum.
Of course, the main unknown is whether Ethereum miners will begin maximally exploiting MEV at scale. Miners can access a superset of the MEV available to non-mining traders, and can extract all of it with maximum efficiency, so the cost and UX issues could be disastrous.
There is also the possibility of time-bandits, although it feels unlikely that miners would damage their long-term interest in Ethereum with major re-orgs. A lite version, in which miners intentionally uncle or re-org only small handfuls of lucrative blocks, could still be harmful.
In any case, it’s time to seriously consider what measures we can take if the situation deteriorates.
An ideal solution would simply reduce the MEV on Ethereum, or increase the miner security incentive without additional inflation. Within the Ethereum paradigm, where permissionless applications share in platform security uniformly, our options are limited:
- Better Application Design: every application can design itself to minimize the amount of MEV it creates. This may be a competitive differentiator, as users will get lower costs and better UX. However, the protocol cannot force applications to do this, and there is a limit to how much MEV can be avoided.
- Additional Security Incentives: stable miner revenue streams other than the block reward (such as EIP-1559’s burned BASEFEEs[3], or state rents) are additive to protocol security and could help offset MEV.
Otherwise, most research is focused on ways to make destabilizing consensus (time-bandit attacks) more difficult or more costly, rather than avoiding the root MEV:
- Separating Inclusion and Ordering: miners (or validators) could only be responsible for transaction inclusion, and the right to decide the transaction ordering could be auctioned off separately. In theory, this would quarantine the re-org incentive. However, this guarantees that users will always endure the level of MEV extraction admitted by the auction, which may be equivalent to a multi-block time-bandit attack.
- Finality: Nakamoto Proof-of-Work has only probabilistic finality. BFT-based algorithms have strong finality guarantees, and time-bandit attacks are more difficult because greater collusion is required to re-org even a single finalized block. However, with enough MEV the incentive to re-org could still overcome the difficulty of collusion. Additionally, participants still have the authority to arbitrarily order transactions in blocks for which they are the proposer, so finality alone cannot help with “normal” front-running.
- Proof-of-Stake: PoS-based blockchains can slash validators who attempt to re-org and thus make time-bandits significantly more costly, especially when combined with strong finality. However, with enough MEV the incentive to re-org could still be greater than the slashing penalty.
All of these approaches have serious implications for Ethereum’s ecosystem. Many involve changes to the core protocol and could take years to implement. Those that could be done only at the application-layer still likely require that developers re-architect and migrate most of the ecosystem to other environments.
Hopefully, the next year will bring more clarity on MEV and Ethereum’s path forward. A number of Paradigm’s portfolio companies are working on MEV mitigations and related problems. If this is of interest to you, don’t be a stranger.
Rollups have emerged as the dominant L2 scaling solution for Ethereum. There are a few different flavors, but generally rollups allow an aggregator to execute applications off-chain, publishing only the bare minimum information needed to show fraud (or the lack thereof) to Ethereum. This allows low latency and high throughput without giving up security guarantees of the base-layer chain.
In addition to their promise as a scaling solution, rollups can also enable the separation of transaction ordering and execution (see Optimism’s “MEV Auction” proposal). Vitalik Buterin has more recently suggested that Ethereum could become primarily a data-availability layer for rollups which handle all transaction execution, centralizing MEV capture into rollup sequencers (“ETH 1.5”).
This would be a significant departure from Ethereum’s current design and come with tradeoffs. For example, cross-rollup and rollup-mainchain interoperability breaks synchrony, and may require different assumptions to be done practically (especially in a many-rollup world). Our portfolio companies are working on two different rollup flavors:
StarkWare is working on ZK-Rollup (ZKRU), which proactively includes efficiently verifiable correctness proofs with each block, rather than optimistically assuming validity and ensuring that fraud proofs are available if there is a challenge.
Although not the original flavor of rollup imagined for the separation of execution and ordering, ZKRU can achieve this. The proof engine could also be used to enforce additional constraints on the ordering, for example if VDF-based priority or other deterministic ordering mechanisms become available.
Optimism is working on the other leading flavor, Optimistic Rollup (ORU), which publishes the minimum data necessary to check fraud but optimistically assumes correctness until challenged. This results in a relatively long finality window but allows their rollup to use essentially the same execution environment as the L1’s EVM (so existing contracts can move ~seamlessly).
Optimism were the original proposers of MEVA and ETH1.5 more generally.
Flashbots is a research and development organization formed to mitigate the negative externalities and existential risks posed by MEV, starting with Ethereum. They have built out tooling to quantify MEV and eliminate the information asymmetry in the ecosystem. They are now implementing a proof of concept for permissionless MEV extraction called MEV-Geth, a sealed-bid block space auction mechanism for communicating transaction order preference.
Flashbots’ goal is to make sure MEV incentives do not become opaque and undemocratic. Hopefully, their infrastructure will allow application developers to better understand how to minimize their MEV exposure, and let some pressure off that could otherwise accumulate into really harmful externalities (e.g., a time-bandit attack).
Cosmos is an alternative model for permissionless, interoperable applications. Although not directly related to MEV on Ethereum, Cosmos is an architecture which could realistically enable an application ecosystem of similar complexity without adopting Ethereum’s uniform-security paradigm.
It is imagined that Cosmos blockchains will be largely application-specific, and not share security with one another by default, which may allow them to avoid externalities that would be harmful on a shared platform. If Ethereum goes strongly in the direction of ETH1.5, it will look very similar to Cosmos (in fact, LazyLedger is basically Cosmos’ ETH1.5).
Deep thanks to my colleagues Arjun Balaji, Dan Robinson, Georgios Konstantopoulos, and Matt Huang, as well as Hasu, for discussion and feedback which helped inform this post.
This post is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. This post reflects the current opinions of the authors and is not made on behalf of Paradigm or its affiliates and does not necessarily reflect the opinions of Paradigm, its affiliates or individuals associated with Paradigm. The opinions reflected herein are subject to change without being updated.
[1] “On the Instability of Bitcoin Without the Block Reward” was arguably the first explicit identification of MEV, demonstrating that “normal” Bitcoin transaction fees are an irregular source of miner revenues and encourage consensus instability (incentivizing re-orgs of fee-rich blocks rather than mining on poor ones).
[2] What I mean by this is that it seems unlikely Bitcoin MEV will grow over time independent of the BTC inflation rate. Concern about the inflation rate decreasing is distinct from whether we expect MEV will increase.
[3] EIP-1559 breaks fees into two components, a “BASEFEE” and a “tip auction.” The BASEFEE is a deterministic amount of ETH that must be burned by all transactions. The tip auction is basically just a PGA. While the BASEFEE burns would be additive to protocol security (as they are not an irregular miner revenue stream), any transaction which contains MEV will still be competed over in a tip auction. Of course, the auctions must be included to allow that demand to be expressed in-protocol; if they were not, miners and traders would collude in off-protocol markets. Thus, only the burned BASEFEE is helpful to security.