Dr. Reorg or: How I Learned to Stop Worrying and Love MEV | by Saneel Sreeni | Dragonfly Research


While nothing threatening may have ended up coming from all the development and buzz around requests for reorgs, the question still remains: how much do we have to worry about time/uncle bandits, both now and in the future?

Well, it turns out, perhaps not much. Let’s look at why.

Economic Considerations

MEV Researcher 0x9116 did some great back-of-the-napkin expected value math for where reorgs might make sense. As a quick recap of the thread, assuming 30% of the hashrate (Ethermine has around this amount) would need to be over 3.3 times the total of fees, plus 0.58 ETH.

Let’s extend this example a bit further. Given that controlling 51% of the network in a Proof-of-Work system enables total network control (and thus maximal MEV), let’s look at how the calculus changes when we have just below this, or 50%. In this case, we can use the same framework as the thread above, with a few modifications. Instead of assuming that we (as a miner looking to time-bandit) can definitely capture the rewards from the next two blocks, as is originally assumed, we loosen the assumption and probabilistically weight these outcomes. The base block reward is 2 ETH.

Suppose there is a block A that we haven’t mined, and that we hold 50% of the hashrate. Let X be the miner payments for A and Y the expected MEV payments. We’re looking to mine two blocks (either for the time bandit, or honestly). If we mine the next two blocks on top of A, we have a 50% chance of mining each independently, so the expected payoff is 0.5 * (4 ETH + 2Y), or 2 ETH + Y. If we attempt a time bandit (and, as 0x9116 originally assumed, quit if the next block B is mined):

  1. With 0.5 probability the next block B is mined before we can uncle A and replace it with A`. We’re then back at square one, where we just look to mine the next two blocks fairly. The expected payoff in this case is 0.5 * (0.5 * (4 + 2Y)), or 1 + 0.5Y.
  2. With 0.5 * 0.5 = 0.25 probability A` is mined but B is then mined before we can mine B`. A` gets uncled to B, getting a 1.75 ETH reward, and we look to mine the block after B. The expected payoff in this case is 0.25 * (1.75 + 0.5 * (2 + Y)), or 0.6875 + 0.125Y.
  3. With 0.25 probability, we mine both A` and C`. The expected payoff in this case is 0.25 * (4 + X + Y), or 1 + 0.25X + 0.25Y.

This leads to an expected payoff of 2.6875 + 0.875Y + 0.25X, which must be greater than the expected payoff of honestly mining the next two blocks for the attempt to be worthwhile. This results in the necessary condition that X > 0.5Y − 2.875 ETH. In other words, even with close to 51% of the hashrate, X must be greater than half the MEV captured in the current block minus 2.875 ETH. While this may occur occasionally, the cost of renting 51% of the network is about $1.1M for 1 hour, as of mid-July 2021. This means renting 50% of the hashrate (to maximize the likelihood of a time bandit without fully hijacking consensus) would cost around $1M. Thus for a reorg to be worth it, X > $1M USD or, at the time of writing this, around 550 ETH. As shown in the graph below, the daily total extracted MEV is usually in the few millions of dollars, so the cost of attempting to rent 50% to launch a time bandit would more than likely far outweigh the gains.

Of course, this isn’t to say that there are never single blocks that can justify this cost. Events like the time Justin Sun almost got liquidated on a $1B position in Liquity and had to pay $300M to avoid losing his position would present an opportunity for a reorg at the tip of the chain that would be profitable enough to subsidize renting 50% of the hashrate. However, it is also highly unlikely that a single attacker would be able to rent 50% of the hashrate: as it stands, the amount of Ethereum hashrate available for rent at any given time on NiceHash is usually below 10%.

If you want to play around with the parametrization here, I made a tool that would let you determine the expected payoff of honestly mining two blocks versus attempting a time bandit on the most recent block, using the share of network hashrate available, the total miner payments in the block to be time-bandited, and the expected miner payments for future blocks:

Remember those values are in ETH!
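The comparison worked through above, as an added example (this is not the author's tool, which is not reproduced on this page). It keeps the article's three cases unchanged and replaces the 50% share with a parameter `p`; that generalization and the function names are assumptions of this sketch. All values are in ETH.

```python
"""Expected value of honest mining vs. a one-block time-bandit attempt."""

BLOCK_REWARD = 2.0    # ETH base block reward, as stated in the article
UNCLE_REWARD = 1.75   # ETH paid when A' ends up uncled to B (article's case 2)


def honest_payoff(p, y):
    """Expected ETH from mining the next two blocks on top of A.

    p: our share of network hashrate, y: expected MEV payments per block.
    """
    return 2 * p * (BLOCK_REWARD + y)


def bandit_payoff(p, x, y):
    """Expected ETH from trying to replace A with A', quitting if B appears.

    x: miner payments in block A, the block being time-bandited.
    """
    # Case 1: others mine B before we find A'; fall back to honest mining.
    case1 = (1 - p) * honest_payoff(p, y)
    # Case 2: we find A', others then find B; A' is uncled, we mine after B.
    case2 = p * (1 - p) * (UNCLE_REWARD + p * (BLOCK_REWARD + y))
    # Case 3: we find both replacement blocks and capture A's payments x.
    case3 = p * p * (2 * BLOCK_REWARD + x + y)
    return case1 + case2 + case3


def break_even_x(p, y):
    """Value of x at which the attempt and honest mining pay the same."""
    if not 0 < p < 1:
        raise ValueError("hashrate share must be strictly between 0 and 1")
    # bandit_payoff is linear in x with slope p**2, so solve the equality.
    gap = honest_payoff(p, y) - bandit_payoff(p, 0.0, y)
    return gap / (p * p)


if __name__ == "__main__":
    # Constructed sample inputs: 50% share, X = 10 ETH, Y = 4 ETH.
    print(honest_payoff(0.5, 4.0), bandit_payoff(0.5, 10.0, 4.0))
    print(break_even_x(0.5, 4.0))
```

At a 50% share `break_even_x` evaluates to 0.5Y − 2.75 ETH, which is what the totals 2.6875 + 0.875Y + 0.25X and 2 + Y give when solved for X.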

On the flip side, if it is possible to economically incentivize reorgs, it should similarly be possible to disincentivize them.

Credit: Daniel Goldman

Developer Daniel Goldman cheekily did just this by flipping 0xbunnygirl’s initial Request for Reorg contract on its head. Called Deorg, it would allow any user to create bounties to be paid to miners at a block in the future, slashing the reward if they were found to be malicious. (Deorg does in fact have codification of good behavior by requiring that the hash of a block at a certain height is invariant after a certain number of confirmations, which Daniel kindly pointed out.) It does illustrate that most economic incentives for reorgs can be reengineered.

Another potential way to mitigate the risk of reorg is to instead have a sort of “fee smoothing” approach (as mentioned by Ivan Bogatyy at the MEV.wtf Virtual Summit), where, as an honest miner, you pay MEV forward to whoever mines on top of you. The design space here is as plentiful as the one for incentivizing reorgs; as Tom put it in our last article on MEV, “For every footgun that is discovered, 1000 footgun salespeople and 1000 footgun body armor manufacturers will bloom.”

Finally, it’s worth noting that reorgs and selfish mining can devolve into recursive, negative-sum games that can actually cost miners instead of leading to profit. If all miners are just waiting for others to find MEV and then reorg, networks can get stuck in a sort of limbo that creates long transaction finalization times and adversarial back-and-forth games that decrease profit as miners continue to attempt to time bandit opportunities already seized by other miners.

Credits: Charlie Noyes

A paper from IC3 researchers that used reinforcement learning (RL) to simulate selfish mining on the Bitcoin network and pitted models against each other found that relative rewards went down when all agents were using selfish mining strategies (time bandits, sans the MEV portion to capture block rewards and fees).

A graph illustrating relative reward of selfish mining agents simulated by RL models from the paper.

Similar effects would most certainly be seen on Ethereum. It turns out that reorg strategies would only work so long as a few people were doing them; too many cooks spoil the broth! This doesn’t even encapsulate the reflexive price action that might occur should reorgs destabilize consensus. The PR fallout from a chain being exposed for constant reorgs and greedy miners would more than likely adversely impact that chain’s token price on the market, and potentially other assets both built on top of it and on other chains via beta. This only hurts miners, and the ecosystem, in the long run.

Proof-of-Stake and Social Consensus

As already mentioned, the outcry against development of the MEV-Geth Uncle Bandit Fork or Request for Reorgs was a powerful example of social consensus coming into play. Social consensus has always been part of crypto, with prominent examples such as Binance deciding not to incentivize a rollback of Bitcoin to revert a hack or, even more fundamentally, mining pools deciding to stay below 50% hashrate in the spirit of decentralization!

As Ethereum moves towards Proof-of-Stake with Ethereum 2.0, MEV doesn’t go away, and neither does the risk of reorgs. Although Proof-of-Stake does give absolute transaction finality, it only occurs after 2 epochs (6.4 minute long periods in which up to 32 blocks are proposed/attested, with proposers known 1 epoch before, and attesters 2), so there are scenarios in which reorgs can happen within the ~13 minutes that it takes transactions to finalize. However, by restricting the time window, among other things, reorgs become much more difficult.

Yet, Proof-of-Stake’s greatest insulation against reorgs is arguably not the absolute finality after two epochs, but rather the notion of “identity”. Given that proposers are known, validators known to act in bad faith can be blacklisted from participation, the Flashbots network, etc. Furthermore, as larger existing miners like Ethermine move from mining assets towards staking, and large exchanges and platforms like Lido and Kraken come to dominate the validator landscape, it becomes increasingly likely that such institutions will not risk the reputation damage that would arise from reorgs or even collection of MEV fees (both as a point of social and regulatory contention).

Lots of staking depositors are well known even now!

