Revisiting Transaction Ledger Robustness in the Miner Extractable Value Era

  • Conference paper
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13906))

Abstract

In public transaction ledgers such as Bitcoin and Ethereum, it is generally assumed that miners do not have any preference on the contents of the transactions they include, such that miners eventually include all transactions they receive. However, Daian et al. S&P’20 showed that in practice this is not the case, and the so-called miner extractable value can dramatically increase miners’ profit by re-ordering, delaying or even suppressing transactions. Consequently an “unpopular” transaction might never be included in the ledger if miners decide to suppress it, making, e.g., the standard liveness property of transaction ledgers (Garay et al. Eurocrypt’15) impossible to guarantee in this setting.

In this work, we formally define the setting where miners of a transaction ledger are dictatorial, i.e., their transaction selection and ordering process is driven by their individual preferences on the transaction’s contents. To this end, we integrate dictatorial miners into the transaction ledger model of Garay et al. by replacing honest miners with dictatorial ones. Next, we introduce a new property for a transaction ledger protocol that we call content preference robustness (CPR). This property ensures rational liveness, which guarantees inclusion of transactions even when miners are dictatorial, and it provides rational transaction order preservation which ensures that no dictatorial miner can improve its utility by altering the order of received candidate transactions. We show that a transaction ledger protocol can achieve CPR if miners cannot obtain a-priori knowledge of the content of the transactions. Finally, we provide a generic compiler based on time-lock puzzles that transforms any robust transaction ledger protocol into a CPR ledger.

Notes

  1. The term decentralized finance (DeFi) refers to an alternative financial infrastructure that is built on top of open and permissionless protocols, such as the Ethereum blockchain.

  2. Flashbots. http://explore.flashbots.net/, as of July 09, 2022.

  3. We call hidden the preferences that are individual to the miners, and not known to the protocol designer.

  4. Note that honest miners operate \(\textsf{X}_i\) as provided by the environment and do not change any ordering to maximize fees.

  5. The utility function covers all kinds of revenues a miner might expect, including fees, extractable values and bribes. Since estimating this utility is rather complex, we assume the function to be known only to the respective miner itself.

  6. For the simplicity of our model we assume that all dictatorial miners share a common belief on the contents of transactions the environment \(\mathcal {Z} \) will provide. In practice, this belief might be different for the miners considering the information available to the miners. However, aligning the beliefs might be part of the collaboration between the miners.

  7. Appending an empty transaction does not change, e.g., any balances or account states.

  8. Practically, this means that dictatorial miners might even exchange secret information, e.g. if a transaction content is secret shared amongst the miners.

  9. Note that in practice it would be sufficient for the dictatorial miners to believe that the environment is incentive compatible for themselves. However, for the sake of simplicity of our model we assume that miners believe that the environment is expected incentive compatible for every miner.

  10. According to Garay et al. this would practically relate to the block number. Therefore this “timestamping” of the creation round is practically achieved by including the latest known block number.

  11. Nevertheless, the functionality \(\mathcal {F}_{\mathsf {tl\text {-}TxGen}}\) is not restricted to a specific content space.

  12. According to Garay et al. this “timestamping” of the inclusion round is practically achieved by giving a block number to the selected transactions.

  13. Clearly, this attack cannot be prevented by our construction and outlines the limits we will elaborate in this work; dictatorial miners might suppress transactions independent of the content if they expect to improve their utility by doing so.

  14. Note that, since \(\mathcal {Z} \) is expected to provide the inputs to the dictatorial miners, the miner \(M _i\) is expected to receive any transaction \(tx'_j\) in the same round it is issued.

References

  1. Abadi, A., Kiayias, A.: Multi-instance publicly verifiable time-lock puzzle and its applications (2021)

  2. Badertscher, C., Garay, J., Maurer, U., Tschudi, D., Zikas, V.: But why does it work? A rational protocol design treatment of bitcoin. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 34–65. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_2

  3. Badertscher, C., Maurer, U., Tschudi, D., Zikas, V.: Bitcoin as a transaction ledger: a composable treatment. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 324–356. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_11

  4. Bano, S., et al.: SoK: consensus in the age of blockchains. In: Proceedings of the 1st ACM Conference on Advances in Financial Technologies, pp. 183–198 (2019)

  5. Baum, C., David, B., Dowsley, R., Nielsen, J.B., Oechsner, S.: TARDIS: a foundation of time-lock puzzles in UC. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 429–459. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_15

  6. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press (2014). https://doi.org/10.1109/SP.2014.36

  7. Bonneau, J.: Why buy when you can rent? In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 19–26. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_2

  8. Buterin, V.: Ethereum: a next-generation smart contract and decentralized application platform (2014). https://github.com/ethereum/wiki/wiki/White-Paper

  9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959888

  10. Daian, P., et al.: Flash boys 2.0: frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 910–927. IEEE (2020)

  11. Delaune, S., Kremer, S., Ryan, M.: Coercion-resistance and receipt-freeness in electronic voting. In: 19th IEEE Computer Security Foundations Workshop (CSFW2006), p. 12. IEEE (2006)

  12. Deuber, D., Döttling, N., Magri, B., Malavolta, G., Thyagarajan, S.A.K.: Minting mechanism for proof of stake blockchains. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12146, pp. 315–334. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57808-4_16

  13. Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-generation Onion Router. Tech. rep, Naval Research Lab Washington DC (2004)

  14. Doweck, Y., Eyal, I.: Multi-party timed commitments. arXiv preprint arXiv:2005.04883 (2020)

  15. Eskandari, S., Moosavi, S., Clark, J.: SoK: transparent dishonesty: front-running attacks on blockchain. In: Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M. (eds.) FC 2019. LNCS, vol. 11599, pp. 170–189. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-43725-1_13

  16. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10

  17. Judmayer, A., Stifter, N., Schindler, P., Weippl, E.: Estimating (miner) extractable value is hard, let’s go shopping! Cryptology ePrint Archive, Report 2021/1231 (2021). https://ia.cr/2021/1231

  18. Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Chaum, D., et al. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 37–63. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12980-3_2

  19. Kelkar, M., Zhang, F., Goldfeder, S., Juels, A.: Order-fairness for Byzantine consensus. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 451–480. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_16

  20. Khalil, R., Gervais, A., Felley, G.: TEX - A securely scalable trustless exchange. Cryptology ePrint Archive, Report 2019/265 (2019). https://eprint.iacr.org/2019/265

  21. Kroll, J.A., Davey, I.C., Felten, E.W.: The economics of bitcoin mining, or bitcoin in the presence of adversaries. In: Proceedings of WEIS, vol. 2013, p. 11 (2013)

  22. Liao, K., Katz, J.: Incentivizing blockchain forks via whale transactions. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 264–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_17

  23. Liu, J., Jager, T., Kakvi, S.A., Warinschi, B.: How to build time-lock encryption. Des. Codes Crypt. 86(11), 2549–2586 (2018). https://doi.org/10.1007/s10623-018-0461-x

  24. McCorry, P., Hicks, A., Meiklejohn, S.: Smart contracts for bribing miners. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 3–18. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_1

  25. Miller, A., Xia, Y., Croman, K., Shi, E., Song, D.: The honey badger of BFT protocols. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 31–42. ACM Press (2016). https://doi.org/10.1145/2976749.2978399

  26. Nakamoto, S.: Bitcoin: A Peer-to-peer Electronic Cash System. Tech. rep, Manubot (2019)

  27. Qin, K., Zhou, L., Gervais, A.: Quantifying blockchain extractable value: how dark is the forest? arXiv preprint arXiv:2101.05511 (2021)

  28. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996)

  29. Ruffing, T., Moreno-Sanchez, P., Kate, A.: P2P mixing and unlinkable bitcoin transactions. In: NDSS 2017. The Internet Society (Feb/Mar 2017)

  30. Tsabary, I., Yechieli, M., Eyal, I.: MAD-HTLC: Because HTLC is crazy-cheap to attack. arXiv preprint arXiv:2006.12031 (2020)

  31. Winzer, F., Herd, B., Faust, S.: Temporary censorship attacks in the presence of rational miners. In: 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 357–366. IEEE (2019)

Acknowledgements

We thank the anonymous reviewers for their effort and valuable comments that helped to improve this work. This work was partly supported by the German Federal Ministry of Education and Research (BMBF) iBlockchain project (grant nr. 16KIS0902) and by the German Research Foundation (DFG) via the DFG CRC 1119 CROSSING (project S7).

Author information

Correspondence to Fredrik Kamphuis.

Appendices

A Related Work

In this section we discuss some related works and compare them with our results.

Bitcoin Incentive Compatibility. Badertscher et al. [2] showed that Bitcoin satisfies the properties of persistence and liveness (as defined in [16]) in presence of a rational majority. However, in their work the utilities of the rational participants are restricted to a natural class of incentives for the miners, such as fees and block rewards, explicitly excluding preferences over transaction contents. In this work we extend their results and explicitly focus on utilities based on transaction contents.

Order-Fairness for Byzantine Consensus. Kelkar et al. [19] deal with the issue of order fairness in transaction ledger protocols. They point out that consistency and liveness do not protect against malicious manipulation of the received order of transactions. This implies that the resulting ordering of transactions does not necessarily reflect the received ordering. Their proposed solution provides block order fairness, which says that if sufficiently many miners receive a transaction \(tx\) before \(tx'\) then no honest miner can report \(tx'\) in a block before \(tx\). Further, they show that it is not possible to guarantee received order fairness, consistency and liveness at the same time.

Moreover, [19] gives a positive result for a slightly weaker definition of order fairness under the strict assumption that a fraction of the parties behave honestly, i.e., the honest parties will not alter the order of transactions under any circumstances. In comparison, our model does allow every miner to alter the order of candidate transactions, or even suppress them, for the sake of individual profit. Our construction ensures that miners are indifferent between transactions they are supposed to include into the ledger, and do therefore not expect a higher utility for altering the transaction’s order. Note however that this does not contradict the impossibility result of Kelkar et al. [19].

Censorship Resistant Consensus. Miners’ suppression of transactions was already addressed by Miller et al. [25]. In order to achieve censorship resilience they propose a BFT consensus protocol combined with threshold encryption. In the proposed construction miners select transactions from their local buffer and encrypt them under the common public key of the threshold encryption. Before decryption the miners exchange and agree on the encrypted transactions. As in [19] the security of the construction is also based on the assumption of an honest fraction of miners. We note that in our model, any qualified set of miners can decrypt the threshold encrypted messages at any time and therefore can learn the plaintext collaboratively for the sake of common and individual profit.

Time-lock Puzzle in Blockchains. Khalil et al. [20] provide an implementation of a trustless centralized exchange based on an underlying blockchain that prevents front-running attacks of the centralized operator and the miners of the blockchain by using time-lock puzzles. The idea of their construction is that the set and the ordering of bids and offers is determined before the plaintexts are revealed.

Deuber et al. [12] use time-lock puzzles to ensure opening of commitments. In [12] they propose a minting mechanism based on waiting time auctions. In order to ensure that the block creators actually include all the openings for the commitments of bids in a block, it is required that all openings to the commitments are encapsulated in a time-lock puzzle and sent together with the bid transaction. In both works time-lock puzzles are used to ensure that commitments can be opened even if the opening messages get “lost” in the way, e.g. by a corrupted miner. While both of the previous works utilize time-lock puzzles to ensure openings in their respective ledger application we leverage time-lock puzzles to strengthen the ledger itself by improving its liveness guarantees.

Further, Doweck and Eyal [14] propose a construction for a multi-party timed commitment. In their construction a set of N users engage in an interactive commitment protocol with a single coordinator to commit to a list of messages by the users that can be revealed by the coordinator at a later time. Their construction is based on ElGamal encryption with a randomly sampled public key of a small group size, where the private key is revealed by the coordinator by brute force. Additionally, they provide a construction for a transaction ledger protocol that leverages their multi-party timed commitment. However, their construction requires the users to engage in interactive commitment protocols with one or even several miners, leading to a significant communication overhead, especially for higher numbers of users. Moreover, the search for an ElGamal private key can be parallelized, offering no lower bound of operations under miners’ coalition. Our construction, on the other hand, lets users publish and propagate their transactions as commonly done in transaction ledger protocols.

Bribery and MEV Attacks. There are various incentive-based attacks utilizing rational miners that intend to either revise, reorder or exclude certain transactions from the ledger. On a high level, all these attacks are dynamics that might influence a rational miner’s preference over transaction content. In [22], Liao and Katz show an attacker that incentivizes forking the main chain using high transaction fees. Moreover, McCorry et al. [24] present a different bribery contract that makes the miners change their mining strategy. In their work, miners’ utility depends on the attacker’s bribe rather than on hidden content preferences. For example, the goldfinger attack of [24] incentivizes miners to mine empty blocks independent of the content of any available transaction (see Note 13).

Bribery attacks that incentivize miners to suppress transactions based on their content are proposed by Winzer et al. [31] and Tsabary et al. [30]. These types of attacks can be prevented if the dictatorial miners are not able to choose transactions based on their content.

Daian et al. [10] introduced Time-bandit attacks where adversarial miners can fork the blockchain by utilizing MEV opportunities. The attack works by leaving MEV opportunities in the main chain for other miners to claim, thus incentivizing other rational miners to fork the chain to claim the MEV opportunity. Similarly to [22], this subsidizes a 51% attack. Miners may be incentivized to break consensus if the block rewards are not enough in comparison to the MEV [10] opportunities. While our construction does not entirely prevent this type of attack, it mitigates it by making the attack more costly for the miner to pull off; the fork required to claim the MEV would be considerably deeper, making it less profitable.

Sandwich attacks are a common predatory trading strategy in which a miner or a trader “wraps” a victim’s transaction between two adversarial transactions [10]. If the market price of an asset is expected to rise/fall after the execution of a large pending transaction, the adversary may extract value by inserting its own transaction right before/after the spotted pending transaction. Our construction prevents sandwich attacks since the attacker is not able to spot a target transaction and sandwich it at the same time.

Finally, Judmayer et al. [17] showed that it is almost impossible to determine the exact globally available MEV opportunities at a certain point in time, and that a narrow definition of MEV fails to capture all extractable value occasions of other actors, the emerging network dynamics, or the probabilistic nature of permissionless cryptocurrencies. In that vein, we consider the complexity of MEV by assuming the exact utility of miners for including transactions to be unknown.

B Transaction Ledger Protocol

According to Garay et al. [16] a transaction ledger aims at keeping a record of monetary accounts and their associated balances; a transaction record in the ledger is typically (but not limited to) an instruction to move balances between accounts. A transaction ledger is represented as a vector of blocks \(l=(\mathcal {B}_1,...,\mathcal {B}_d)\), where each block \(\mathcal {B}_i=(tx_1,...,tx_n)\) is a vector of transactions \(tx\in \mathcal {T}\). \(\mathcal {T}\) denotes the set of valid transactions. Appending a transaction \(tx\) to a vector \(l\) is denoted by \(l||tx\). Also, appending a vector of transactions \(\mathcal {B}\) to another vector \(l\) is denoted as \(l||\mathcal {B}\). \(tx_{i,j}\) denotes transaction \(tx_j\) in block \(\mathcal {B}_i\). As a ledger is a vector of transactions, we simply denote it as \(l=(tx_1,...,tx_m)\), omitting the block numbers when clear from the context.

The transaction ledger protocol is executed by a set of miners \(\mathcal {M} \) in the presence of a PPT adversary \(\mathcal {S}\), and driven by a PPT environment \(\mathcal {Z} \). The protocol execution takes place in rounds. The environment provides inputs to all parties and receives outputs, while the attacker might fully corrupt some of the miners. Each honest miner \(M _i\) maintains its own local copy of the chain \(l_i\). Further, an honest miner \(M _i\) processes a local buffer \(\textsf{X}_i := (tx_1,\dots ,tx_e)\) of candidate transactions to be incorporated into the ledger \(l_i\), provided by the environment \(\mathcal {Z} \). In [16], a transaction ledger protocol is defined by the transaction generation oracle \(\textsf{TxGen}\), the set of valid ledgers \(\mathcal {L}\) and by the three interface functions \(\textsf{V}(\cdot ), \textsf{I}(\cdot ), \textsf{R}(\cdot )\).

The transaction generation oracle \(\textsf{TxGen}\) generates transactions on behalf of the users \(\mathcal {P} \) which are abstracted by the environment \(\mathcal {Z} \). It is defined with respect to the set of valid transactions \(\mathcal {T}\), the set of valid contents \(\varGamma \), (which denotes the set of content information with semantic value for the ledger, e.g., “account A increases its balance by 10 monetary units”) and the set of ledger accounts \(\mathcal {A}\). Note that a user \(P _i\) might be associated with multiple ledger accounts. During the execution of the transaction ledger protocol, \(\textsf{TxGen}\) can be accessed by the environment \(\mathcal {Z} \) and it generates transactions that are provided to the miners and the adversary \(\mathcal {S}\). Upon receiving a message \((\textsf{IssueTx}, \gamma ,P)\) from the environment \(\mathcal {Z} \), \(\textsf{TxGen}\) generates a unique transaction \(tx[\gamma ]\in \mathcal {T}\), where \(tx[\gamma ]\) denotes a transaction \(tx\) that contains an encoding of content \(\gamma \). After that, \(\textsf{TxGen}\) sends \((\texttt {Issued},tx[\gamma ],A)\) for some ledger account \(A\in \mathcal {A}\) to every miner and \(\mathcal {S}\).

On the other hand, the three interface functions \(\textsf{V}(\cdot ), \textsf{I}(\cdot ), \textsf{R}(\cdot )\) are defined as follows:

  • \(\textsf{V}(l)\): The content validation predicate, upon input a sequence of transactions \((tx_1[\gamma _1],...,tx_m[\gamma _m])\), checks whether all the transactions constitute a semantically valid ledger. Formally, \(\textsf{V}(\cdot )\) defines the set of valid ledgers \(\mathcal {L}\) and checks if \(l\in \mathcal {L}\), e.g. \(\textsf{V}(l)\) checks if there are no conflicting transactions in \(l\).

  • \(\textsf{R}(l)\): Upon receiving a ledger \(l=(tx_1[\gamma _1],\dots ,tx_n[\gamma _n])\), and if \(\textsf{V}(l)=1\), the chain reading function returns a semantic interpretation of the contents \((\gamma _1,...,\gamma _n)\), e.g. a list of account addresses and balances.

  • \(\textsf{I}(l, \textsf{X},r)\): Upon receiving a ledger and a buffer of local transactions in some round \(r\) the input contribution function creates some new block \(\mathcal {B}=(tx_1[\gamma _1],\dots , tx_e[\gamma _e])\), where \(tx_i\in \textsf{X}\) and returns \(l':= l|| \mathcal {B}\).

Moreover, a transaction ledger protocol is called robust if the following properties are satisfied:

  • Persistence: If at any round \(r\) an honest miner \(M _i\) maintains a ledger that contains a transaction \(tx\in \mathcal {T}\) in a block more than \(k\in \mathbb {N}\) blocks deep in the chain, then \(tx\) occurs at the same position in the chain of all the other honest miners.

  • Liveness: If a transaction \(tx\in \mathcal {T}\) issued by \(\textsf{TxGen}\) is input for all honest miners in \(\mathcal {M} \) for at least \(v\) consecutive rounds, then all honest miners will report this transaction at least \(k\) blocks deep into the ledger, for some \(k,v\in \mathbb {N}\).

According to [16] a robust transaction ledger protocol can be built on top of a blockchain backbone protocol that satisfies the properties common prefix, chain quality and chain growth by defining the interfaces \(\textsf{I},\textsf{V},\textsf{R},\textsf{TxGen},\) and \(\mathcal {L}\). In our work we assume the existence of a robust transaction ledger protocol \(\varPi =(\textsf{I},\textsf{V},\textsf{R},\textsf{TxGen},\mathcal {L})\) for some liveness parameter \(v\). Therefore, we can waive details of the underlying backbone protocol that is used to implement \(\varPi \). For more details on the ledger backbone protocol we refer the reader to the paper of Garay et al. [16].

C Analysis of Theorem 1

Let \(\varPi = (\textsf{I},\textsf{V},\textsf{R},\textsf{TxGen},\mathcal {L})\) be a robust transaction ledger protocol executed by a set of miners \(\mathcal {M} \) in the presence of a PPT adversary \(\mathcal {S}\) driven by some environment \(\mathcal {Z} \), and let \(\varPi ' = (\textsf{I}',\textsf{V}',\textsf{R}',\mathcal {F}_{\mathsf {tl\text {-}TxGen}},\mathcal {L}')\) be the compiled transaction ledger protocol \(\varPi '\leftarrow \varPhi (\varPi )\) executed by a set of dictatorial miners \(\mathcal {M} '\) in the presence of a PPT adversary \(\mathcal {S}\) driven by some environment \(\mathcal {Z} '\). Let \(\delta =v\) be the delay parameter of \(\mathcal {F}_{\mathsf {tl\text {-}TxGen}}.\)

At any round \(r\) a dictatorial miner \(M _i\) receives a transaction buffer \(\textsf{X}_i\) from the environment \(\mathcal {Z} '\) and provides an altered transaction buffer \(\textsf{X}'_i\) to the input contribution function \(\textsf{I}'(\cdot )\).

In order to show that \(\varPi '\) achieves CPR it is necessary to show that \(\varPi '\) achieves rational liveness and rational transaction ordering. To this end, we show that a dictatorial miner \(M _i\) cannot improve its expected utility \(u_{i}\) by deviating from honest behavior. A dictatorial miner \(M _i\) behaves honestly if \(\textsf{X}'_i=\textsf{X}_i\) at any round \(r\). If it is in the best interest of dictatorial miners to behave honestly, it can be concluded that \(\varPi '\) achieves rational liveness if \(\varPi \) achieves liveness.

Let therefore \(\textsf{X}_i=(tx'_1,...,tx'_n)\) with \(tx'_j=(\textsf{txid}_j, \tilde{tx}_j,A_j)\) for all \(j \in [n]\) be a transaction buffer that is provided to some dictatorial miner \(M _i\) in some round \(r_y\) for some current ledger \(l'_{r_y}\in \mathcal {L}'\) by the environment \(\mathcal {Z} \). Since \(\mathcal {Z} \) is expected incentive compatible, it holds that \(u_i(l',tx'_j)>0\) for every \(tx'_j\in \textsf{X}_i\). Therefore, it follows that \(M _i\) prefers to include \(tx'_j\) over suppressing it, if \(\gamma '_j=(\textsf{sid}_j, \gamma _j,r_j,P _j)\) associated with \(tx'_j\) is sampled by \(\mathcal {Z} \) from some common prior distribution over \(\varGamma \) and \(M _i\) did not gain any additional information about \(\gamma _j\). Therefore, a dictatorial miner that is able to reduce its uncertainty about \(\gamma _j\) over the course of some rounds might actually be able to improve its expected utility by suppressing \(tx'_j\). Consequently, it would be in a dictatorial miner’s best interest to learn the content of transactions instead of relying on the common prior expectation.

Since \(\mathcal {Z} \) provides transactions \(tx'_j\) issued using the functionality \(\mathcal {F}_{\mathsf {tl\text {-}TxGen}}\), any dictatorial miner is able to learn the content \(\gamma '_j\) associated with \(tx'_j\) after at least \(v\) rounds after it was issued (see Note 14). However, \(\mathcal {F}_{\mathsf {tl\text {-}TxGen}}\) does not allow any single miner \(M _i\) nor an adversary \(\mathcal {S}\) that corrupts any subset of miners to learn \(\gamma '_j\) before \(v\) rounds. In particular this means that no single miner nor any coalition of miners is able to reduce its uncertainty about \(\gamma '_j\) before \(v\) rounds. However, a dictatorial miner \(M _i\) could still improve its expected utility by delaying every transaction \(tx'_j\) it receives in some round \(r_y\) for \(v\) rounds so it can learn its contents. To this end, the chain reading function \(\textsf{R}'(\cdot )\) checks for every transaction \(tx'_j=(\textsf{txid}_j, \tilde{tx}_j,A_j)\) with associated content \(\gamma '_j= (\textsf{sid}_j, \gamma _j,r_j,P _j)\) included in some block \(\mathcal {B}^{r_y}_y\) created in round \(r_y\) if \(r_y\le r_j+v\). If not, \(\gamma '_j\) is ignored by \(\textsf{R}'(\cdot )\). Consequently, whenever a dictatorial miner \(M _i\) receives a transaction \(tx'_j\) in some round \(r_y\) for the first time and decides to delay this transaction for at least 1 round, it knows that \(\gamma '_j\) associated with \(tx'_j\) will be ignored by \(\textsf{R}'(\cdot )\). Since any content \(\gamma '_j\) that is ignored by \(\textsf{R}'(\cdot )\) is treated as if the corresponding transaction \(tx'_j\) was not included at all, delaying a transaction yields the same expected utility as suppressing it for every dictatorial miner \(M _i\), every transaction \(tx'_j\) and every ledger \(l'_{r_y}\in \mathcal {L}'\).

Since \(\mathcal {Z} \) is expected incentive compatible, it can be concluded that every dictatorial miner \(M _i\) prefers to include any transaction \(tx'_j\) in the round it received it first. Therefore, any miner \(M _i\) will include any transaction \(tx'_j\in \textsf{X}_i\) into \(\textsf{X}'_i\) in any round. Therefore, \(\varPi '\) executed by a set of dictatorial miners \(\mathcal {M} \) in presence of an adversary \(\mathcal {S}\) driven by an expected incentive compatible environment \(\mathcal {Z} \) achieves rational liveness.

Moreover, let \(\textsf{X}^{r_y}_i\) be the set of transactions in \(\textsf{X}_i\) that miner \(M _i\) received for the first time in that round \(r_y\). Since for every transaction \(tx'_j\in \textsf{X}^{r_y}_i\) the transaction tag \(\tilde{tx}_j\) and the associated account \(A_j\) are chosen uniformly at random and do not reveal any information about the associated content \(\gamma '_j\), any dictatorial miner \(M _i\) must be indifferent between either including some transaction \(tx'_1\) in some ledger \(l'_{r_y}||tx'_0\) or including some transaction \(tx'_0\) in some \(l'_{r_y}||tx'_1\) for every pair of transactions \((tx'_0,tx'_1)\in \textsf{X}^{r_y}_i\) and every ledger \(l'_{r_y}\). Therefore, it can be concluded that \(\varPi '\) also achieves rational transaction order preservation.
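The following added example (not code from the paper) models the argument above: contents are sealed in a time-lock puzzle and the reading function ignores any content whose inclusion round violates \(r_y\le r_j+v\). It assumes a Rivest-Shamir-Wagner style puzzle [28] as a stand-in for \(\mathcal {F}_{\mathsf {tl\text {-}TxGen}}\), toy parameters, a simplified transaction of the form (txid, puzzle), and that a miner who waits to learn the content can include the transaction in round \(r_j+v+1\) at the earliest; all function and constant names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

V = 3                       # liveness parameter v; the puzzle delay is delta = v rounds
SQUARINGS_PER_ROUND = 2000  # assumed amount of sequential work that fits in one round
# Toy modulus built from two public Mersenne primes so the arithmetic is checkable.
# A real puzzle needs a large modulus whose factorisation only the issuer knows.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
BASE = 3                    # coprime to N


def _mask(key: int, data: bytes) -> bytes:
    """XOR data with a pad derived from the puzzle solution."""
    pad = hashlib.shake_256(key.to_bytes(16, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(content: bytes) -> tuple:
    """Issuer side: the trapdoor phi(N) gives BASE^(2^t) mod N without t squarings."""
    t = V * SQUARINGS_PER_ROUND
    key = pow(BASE, pow(2, t, PHI), N)
    return (t, _mask(key, content))


def solve(puzzle: tuple) -> bytes:
    """Miner side: without the trapdoor, t squarings must be done one after another."""
    t, ciphertext = puzzle
    x = BASE
    for _ in range(t):
        x = x * x % N
    return _mask(x, ciphertext)


@dataclass(frozen=True)
class Tx:
    txid: int
    puzzle: tuple  # hides the content (account, amount) and the creation round r_j


def issue(txid: int, account: str, amount: int, r_j: int) -> Tx:
    """Issue a transaction whose content is bound to its creation round r_j."""
    return Tx(txid, seal(f"{account}:{amount}:{r_j}".encode()))


def read_ledger(blocks: list) -> dict:
    """Model of R'(.): blocks is a list of (r_y, [Tx, ...]).

    Content is interpreted only if the block round satisfies r_y <= r_j + v;
    otherwise it is ignored, as if the transaction had never been included.
    """
    balances: dict = {}
    for r_y, txs in blocks:
        for tx in txs:
            account, amount, r_j = solve(tx.puzzle).decode().split(":")
            if r_y <= int(r_j) + V:
                balances[account] = balances.get(account, 0) + int(amount)
    return balances


def scenarios() -> dict:
    """Constructed sample: one transaction crediting account A, issued in round 10."""
    tx = issue(1, "A", 10, r_j=10)
    return {
        "included_on_receipt": read_ledger([(10, [tx])]),
        "included_at_deadline": read_ledger([(10 + V, [tx])]),
        # Miner waits until the puzzle is solved, then includes the transaction.
        "delayed_until_solved": read_ledger([(10 + V + 1, [tx])]),
        "suppressed": read_ledger([(10 + V + 1, [])]),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:22s} -> {state}")
```

Delaying until the content is known and suppressing the transaction outright produce the same ledger state, which is the indifference the rational liveness argument relies on.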

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Kamphuis, F., Magri, B., Lamberty, R., Faust, S. (2023). Revisiting Transaction Ledger Robustness in the Miner Extractable Value Era. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_25

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7

  • eBook Packages: Computer Science, Computer Science (R0)
