-
Notifications
You must be signed in to change notification settings - Fork 221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auction - should (header,bid) messages be publicly accessible during the message passing period? #112
Comments
In the current spec that is true. The |
Something important to keep in mind is that it's important for builders to find out if relays are prioritizing their payloads correctly. I expect relays to be incentivized to publish summaries of receive and publish timestamps as well as bid value for all requests. The more standardized this data publishing is between relays, the better. Other metrics which will be critical to track for mev-boost system health: relay reveal performance, relay latency, fraud proofs, bid value, builder rankings, relay rankings |
I think public bids are the equilibrium - builders will bid up to their value for a given slot, and proposers are therefore incentivized to publish the current highest bid. I'm a bit worried that this will cause a speed/bidding war: builders send their blocks to the relay at deadline - epsilon, and also try to learn about other bids from the relay as fast as possible (it seems best for relays to publish bids over some fair multicast feed as soon as they're received - if you can learn about bids faster by connecting to the relay over the mev-boost api, builders will just do that, which seems bad. If relays don't publish bids, then I think validators will end up running mev-boost mods which do that, which also seems bad) |
Agreed there are several issues which come to mind:
A sealed-bid auction (assuming highest bidder wins) in a competitive market, should see the highest bidder bidding close to their true value (how much value the extracted) so the final bid shouldn't be any worse than the public case, but with none of the downsides listed above. On the point of the value of transparency: relays can offer a service in which information about block bids is made public after a slight delay. This can ensure that e.g. Lido validators are truly accepting the highest bid and not taking payments through side channels. |
some low-hanging fruit here is to only allow 1 bid per builder per slot, which seems like it would go a long way to prevent any type of PGA-style behavior. if we have some cancellation mechanism then that would be 0 or 1 bids per slot
honest validators are already enforcing a timeout on the availability of headers, cf. the even if we only allow 1 bid per builder per slot, we still have the "first mover disadvantage" if the "mempool" is public... the only immediate issue I see with making the "mempool" private is that it harms validator privacy as in expectation only the proposer will be making a request in a given slot -- if you can pull off any sort of correlation attacks, then you can start mapping proposers to their IPs. there are mitigations here and you have this problem to a lesser extent (up to the size of the "anonymity set") w/ the public "mempool" so it may not be worth worrying about here. |
We discussed it briefly during an earlier call, but it may be worth thinking about incentive-compatibility of the different parties. Broadly:
I describe a strawman auction first:
This auction has nice properties:
Some issues:
Anyways, I mainly wanted to present this strawman as a way to explore a different point in the design space, but I realise it may be impractical (and there are possibly flaws I haven't thought about). |
@barnabemonnot here are a couple things that may or may not be issues with your strawman setup; I'd be curious to hear your thoughts.
|
Thanks @charlescharles !
|
Yeah, I have been conflating builders and relays because relays kind of seem irrelevant in a game theoretic analysis (or something) - if a mechanism is incentive-compatible for neither builders nor proposers then I think we should expect new relays to emerge that don't follow the rules. I agree that social norms + only writing software that follows the rules might suffice for some time (maybe indefinitely?), but it seems preferable to design a mechanism which is more game-theoretically robust, if possible :) |
Can you expand on what relays look like then, in a MEV-boost landscape? I thought of them as a handful, like Infura, Metamask, Flashbots, well-known names, for which validators using MEV-boost connect to directly (like add their addresses in a config file) |
Yes, validators need to configure mev-boost with each relay to connect to specifically (using the relay address and pubkey, as cli arg or a config file). |
Well, if the world is such that it's possible for proposers to make more money by bypassing the existing relays and connecting directly to builders, I think we should assume that this will happen. It's not hard to imagine someone starting a relay and saying "if you add us to your relay list and run this mev-boost patch which publishes (header, bid)s, you'll be able to make x% more" - behind the scenes, they're a builder who's actually one of the flashbots builders (or something), and just bidding epsilon more than the existing bid whenever their value exceeds the bid. |
How the relay landscape evolves over time is difficult to predict. We believe the ideal will have relays as independent 3rd parties who are not actively profiting from the private information they have access to. However, I still expect all three of these to occur:
I tend to agree with @charlescharles claim that if any actor can see the bid, then it's best for every actor to see it. Anything else creates an opportunity for bribery. We've previously discussed exploring a system where no actor outside the builder sees the bid. Not even the validator. This might be possible to achieve using some mpc or sgx committee for selecting the winning bid. This is pretty green field exploration. |
This topic was discussed in today's Consensus-layer call, see also notes from Ben and the recording (excuse my bumbling ^^). |
The more I think about it the more it seems like few rules can be enforced and perhaps it's best to let relays operate their favoured trade-offs. Relays have two constraints:
Any rule regarding their behaviour typically reduces to a race to the bottom, e.g. imposing builders to resubmit with a 5% extra value rule means builders will move to a relay that imposes 4% instead. Even setting such a rule as a social norm seems tricky, as indeed builders could become their own relays to bypass any norm. I am not clear however how the trust model works for validators running their own relay, as per @thegostep suggestion. Isn't the point of the relay to shield the block payload from the validator? Is this supposed to work in a case where the builders trust large validator entities to not steal their blocks? That doesn't seem unrealistic, but it does reintroduce a small element of economic centralisation (assuming the latency difference is significant for validator-run relays) |
Yeah, I totally agree with this
Yeah, this is why I feel like relays disappear in any kind of formal analysis. If some large validator entity connects to all the big relays, but also runs their own relay, then as a builder you may want to connect to that validator's relay to skip 100ms (or something) worth of network hops. Even if a validator-run relay steals your trades with some probability, if the probability isn't too large and the validator is sufficiently big you may still want to send blocks to them. |
Right, so assuming this eventually happens, perhaps a strong norm around relays sharing the bids they receive should be enforced. If big validators do run their own relays, they could close them off to being "pinged" by observers. While it's not inherently bad that a validator would collude with a builder, it feels like relevant information to the network as a whole. By keeping private the bids the relay receives, maybe it's not clear if such a collusion is happening? |
In my view the key focus should be preventing proposer centralisation - after all, this was the original motivation for PBS implementation - and this is best done by examining the behaviour of proposers. In order to avoid centralisation of proposers, we would like sophisticated proposers to have little to no advantage over “naive” proposers exhibiting default behaviour or other proposers deviating in a less sophisticated manner. Ideally, there would be a clear dominant strategy for proposers which we could set as the default. Unfortunately, this seems unrealistic (at least until more data is gathered), but we could still strive for setting a default with a payoff close to what a sophisticated proposer can achieve. A rough way of looking at the builder-relayer-proposer dynamic is that there are two parties determining the mechanism at play - the relays and the proposer, with the proposer having the last move and therefore most important role. If relays have one default behaviour (e.g. sealed bids) the proposer could flip the mechanism and change the game (e.g. to open bids). Some examples of what I mean:
Wat do
See this paper for a good overview and pointer to other results. Unfortunately, it is unclear which assumptions will hold for several reasons (e.g. how OF will be divided/shared between builders). These results also don’t cover cases where some agents are operating in an open environment and other agents are operating in a private environment. (It is worth noting (as pointed out in flashboys 2.0 paper) that if the block-selection time is highly predictable as being at time T, then an open auction defaults into sealed bid where “sealed-bids” are submitted at T-d where d is the time taken for a bid to reach the proposer. However, T and d may not be known to a sufficient accuracy and vary across agents such that it is not the case that all auctions end up being sealed-bid.) This leaves us the question: will there be stronger centralisation forces among proposers who facilitate sealed-bid or open auctions? There are several factors to consider outside of the advantage gained from deviation and deviating better than other deviating proposers. For instance, if a certain deviation becomes very widespread (e.g. most proposers provide private channels) then relays may start doing this themselves as a service. Alternatively, if certain deviations by large validators affect the market such that some builders shade their bids lower or drop out suspecting misbehaviour, deviations may cease to occur. One last thing to note on the practicality of enforcement: if proposers allow private channels, relays which do not expose bids are likely to become the norm. All things being equal between relays, no builders gains by sending their bids via open relays. If proposers don’t allow private channels, the gains of a relay that doesn’t expose bids may be negligible (and perhaps infeasible if proposers don’t implement signed messages). If we put aside proposer centralisation, it seems intuitive that a default-open system is better for competition. For example if 90% of the builder-relay world operates in the open and 10% manage to keep their info private. The maximum difference between the default and the "cheating" parties is 10% information. |
Wow, this is a lot 🤯. I appreciate all of your comments and how you make it as easy as possible to follow <3 I would like to see more people interested in running relays to participate here. I think we only succeed at this part if the network of builders collaborate to design it. My immediate proposal to not explode is to insist a lot that anybody wanting to be a relay should start by running a builder. That way they get in touch with the complexities of MEV and start participating on these discussions, so when we have multiple relays we have good mitigations in place and a plan for exploring permissionlessness. |
Description:
In the current design of MEV-Boost, relays release (header,bid) pairs to all instances of mev-boost that pings it (please correct me if this is wrong). This means the pairs are public information that can be used as input for auction participants.
For example, a builder could watch the 'mempool' of (header,bid) pairs, see what the maximum bid and compare it to the maximum they're willing to bid. If they can bid higher than
max_current_bid
then they just add 1 wei to it.If you assume this behaviour from multiple builders, we have a game where:
Questions:
The text was updated successfully, but these errors were encountered: