MEV in Commit-Reveal Schemes, Why we should think before we act

Permissionless Blockchains are decentralized and transparent by design, anyone can see the content of transactions inside the mempool. Transparency, combined with the centralization of block building, has led to serious issues affecting Ethereum and many other chains’ ecosystems. Miners, validators, and even regular users can exploit the centralization of block-building and send transactions based on the current mempool to maximize their profit and outplay others. These competitions have many negative externalities for the network’s health, such as higher delays and gas prices. Any extractable value from a block is called Miner extractable value (MEV) or, in general terms, Maximal extractable value. When MEV is extracted unorthodoxly, where users compete only for profit, it would be called toxic MEV. Methods to extract toxic MEV include generalized front-running, Sandwiching, or Just-In-Time liquidity. These competitions have led to nearly 700B$ extraction since January 1, 2020 [3].

Toxic MEV have incentivized bots to monitor the current chain state to maximize their own profit as much as possible, leading to the Ethereum ecosystem being called a dark forest. The term dark forest points to the fact that any opportunity known to the network will be competed for and captured by one of many active bots on-chain. This would cause rescuing funds from buggy smart contracts a substantially more complicated task and prune to front-running.

There have been many efforts to mitigate toxic MEV and enlighten the dark forest in the past years, one of which is commit-reveal schemes where users will only send the header of their transactions and only reveal the body after the ordering of the transaction is ensured by the protocol. This way, front-running would be much harder to perform for adversaries without the body of transactions. On the other hand, Proposer-Builder Separation (PBS) schemes try to decouple the rule of current validators into builders and proposers, where builders order the blocks and proposers submit those blocks that have the highest bidders. Protocols like MEV-Boost suggest using Commit-reveal and PBS together to separate proposers from builders in a decentralized manner, where a transaction is sent to builders, and they let proposers commit to specific blocks of transactions for inclusion. Only after the block is committed to by a proposer, builders use threshold decryption to send the full transaction body to the proposer.

However, in a recent talk [1], Mr. Robert Miller mentioned these solutions are not silver bullets and should be considered with the whole multi-domain economy of blockchains in mind. It made me wonder if the economic security of commit-reveal has been analyzed as much as it should be!

Many designers did not have MEV in mind when they were making AMMs, and that led to many economic attacks, and it should be considered to analyze the opportunities or attacks that commit-reveal schemes enable before diving into implementing them.

Currently, when a user sends her transaction to the network, the data is known to others before its inclusion on-chain, which can be the source of many problems. In an ideal system, the data should be known to everyone the moment its inclusion on-chain is guaranteed. However, in commit-reveal schemes, data decryption happens well after the on-chain inclusion, as there needs to be a guarantee that the transaction is actually included.

I think a couple of comparisons would make things more clear. I will call the chains that are not using the commit-reveal scheme, No-Commit, or NC and mention those that use commit-reveal on L1 as CR.

In an NC chain, the moment someone starts disseminating her transaction, the rest of the network knows about the content, and the sender should wait for the time ΔT’ before the transaction is included on the chain. In an NC chain, the user first has a guarantee that the transaction will get included on-chain before the transaction is revealed; let’s call the time between commit to reveal of the transaction ΔT. So there is at least a ΔT that there is information asymmetry in the system for each user towards their transaction after the dissemination until decryption. This enables users to back-run themselves in a time window of ΔT without competition to gain back some of the MEV (only if their transaction has created MEV). Therefore, we could expect two-step transactions in such a setting caused by users not knowing the final state of the world as they send their transactions. This happens because there are other transactions that are committed to but not revealed.

Now, we could analyze commit-reveal schemes in two different environments (I) in an environment where we only consider the single chain itself and (II) in an environment where we consider other domains too. We are not only looking for attacks and exploits. The first step would be analyzing the differences and trying to find out how they play out in a CR chain. I will explain these in more detail in the next part, but to wrap up, let us think about some questions we could ask about (I) and (II).

I — Considering only the single CR chain

• One difference would be, as we discussed, the time ΔT where the user has information asymmetry towards her own transactions. How would this information asymmetry lead to capturing opportunities without competition?
• Would the information asymmetry be an incentive for payment by order flow where users send their transaction to someone else to capture MEV and return it to them? Would this be problematic for the whole commit-reveal scheme?
• Can adversaries send “Noise” transactions to important pools just to have more information in the upcoming blocks?

II — Considering a multi-chain environment

• As mentioned by Tarun, many bridge attacks exploit the differences between two chains (e.g., fee structures). Are there attacks that can be launched on bridges between CR and NC chains just because of their difference in operating as CR schemes?
• As mentioned by Obadia et al. [2] cross chain arbitrage would be one source of MEV, but it comes with its risks. How do risks change in the world of CR and NC chains alongside each other?

References

[1] MEV roundtable, https://youtu.be/mehuqinCk1o?t=3210

[2] Unity is Strength: A Formalization of Cross-Domain Maximal Extractable Value, https://arxiv.org/abs/2112.01472

[3] MEV explore, https://explore.flashbots.net/