A2MM: Towards protecting DeFi users from MEV and Flashbots.

I am extremely grateful to my two dogs, Barkley and Brownie, who faithfully accompany me every day.

TLDR: MEV is not fundamental. I encourage everyone to focus on how to systematically eliminate MEV. SwapSwap is our first step in this fight.

What exactly are MEV and Flashbots??

Miner extractable value (MEV) is a term coined by Philip Daian et al. [1] that refers to the profit that a miner can make by including, excluding, or re-ordering transactions within the blocks that they generate. As a result, MEV extraction is frequently associated with trade-based market manipulation techniques like front-running, back-running and sandwich attacks.

Finding optimal MEV solutions is a difficult problem. This is due not only to the miners’ need to solve this dynamic game in real time, but also to the constant development of new DeFi protocols and creative new ways to extract MEV. What’s more, even simple MEV extraction strategies may not be optimal just yet. Bartoletti et al. [2], for example, discovered new sandwich attack vectors that can result in increased MEV revenue.

Typically, miners’ primary business is not conducting research to find optimal MEV solutions. As a result, miners are willing to share some revenue with smart MEV “searchers” who are adept at identifying strategies. Flashbots [3], funded by Paradigm [4], aids searchers and miners in the creation of an auction market, making the extraction of the MEV more efficient. As other fellow researchers have noted [6], Flashbots seek to benefit miners while systematically exploiting innocent DeFi users.

Although Flashbots was designed to be an open but opaque MEV marketplace, it can also be used as a private channel to send transactions to miners without broadcasting on the P2P network [5]. Despite the fact that these private transactions are not visible to searchers, miners can observe them and extract MEV. There were no terms and conditions or privacy policies governing the use of Flashbots that I could find, but I believe miners are under no obligation not to attack transactions sent via Flashbots. Attacking private transactions will, in fact, boost miner’s MEV revenue. So, why aren’t the miners attacking right now? The main reason, I believe, is a lack of necessary software; however, once there is enough revenue from private transactions, miners will code this software and begin extracting revenue.

Is MEV extraction theft?

The question of whether MEV extraction is theft or not has sparked heated debate among the communities. The entire controversy erupted after Ari Juels (Phillip Daian’s Ph.D. supervisor), Ittay Eyal, and Mahimna Kelkar published their article [6] on Coindesk. Personally, I really enjoy this article, particularly the following metaphor of what Flashbots is doing:

We’d like to announce a great new idea we’ve devised to reform the police.

Today, cities direct their police forces to prevent and prosecute theft. But crime is a tough problem, and policing is costly. What cities should do instead is auction off the right to mug people and burglarize homes. Sure, burglaries would become more professional to take advantage of any vulnerable property. But on the bright side, cities can use theft auction money to pay city workers’ salaries, offset shortfalls in tax revenue and fund new policing initiatives (including prosecution of unauthorized theft).

And their conclusion is razor-sharp and to-the-point:

While FaaS(Front-running-as-a-service) may seem an attractive way to address the MEV problem, it makes sense only as part of a false narrative that there’s no other way. But there are alternative approaches to ordering transactions that provide stronger fairness assurances for users. Those approaches deserve to be tried before FaaS becomes the norm.

Decentralized systems offer an unprecedented opportunity to rebuild the financial system on a more inclusive, more democratic, and fairer basis — to help level the tilted playing field created by Wall Street. Let’s not blow it just to pick a few users’ pockets.

Phillip Daian, a core team member behind Flashbots, has also responded with his opinion in his own article [7]. One of the biggest argument is, MEV is fundamental, which means it will never go away. Phillip claims that DeFi has the “auditability” property, which means transactions from benign DeFi traders will always be visible to miners anyway so there is no way to stop them extracting MEV. Therefore, miners should not be ashamed in extracting them.

(Aside: Phillip’s article also mentioned that MEV exists on multiple blockchains. I agree, but extracting MEV between blockchains will not be risk-free, even for miners, and thus is fundamentally different from MEV on a single blockchain. We will ignore multi-blockchain scenarios in this article.)

Two factions torn apart.

I will not elaborate on my opinion on whether MEV is theft, because I don’t believe it has much value. We should instead pay more attention to the fact that the community has split into two factions:

• One group wishes to assist the Flashbots-led market manipulation service in becoming more efficient, transparent, and democratic.
• The opposing group wishes to eliminate or at least significantly reduce MEV.

Unfortunately, in my opinion, capital is more interested in the former. Maybe the capital thinks that services like Flashbots are more beneficial to the overall ecology of Ethereum? Or maybe they can profit from the MEV extraction process? Who knows.

But, but, is MEV really fundamental?

In short, I don’t think MEV on a single blockchain is fundamental if transactions can be executed at low cost. MEV cannot be completely eliminated in practise due to the high gas price and block gas limit, but it can be significantly reduced.

In order to understand why, we need to firstly discuss a key feature of blockchain, named “atomicity”.

Atomicity: A blockchain transaction supports sequential actions, which can combine multiple financial operations. This combination can be enforced to be atomic — which means that either the transaction executes in its entirety with all its actions, or fails collectively. While this programmable atomicity property is to our knowledge mostly absent from CeFi, (likely costly and slow) legal agreements could enforce atomicity in CeFi as well. [8]

To better understand how MEV can be mitigated, let’s consider two different types of MEV: arbitrage and liquidation.

Case 1: Two-point Arbitrage

Assume there are two AMM markets (say, Uniswap and Sushiswap) that both provide DAI-ETH exchange market with the same amount of liquidity (depth). We then assume that both Uniswap and Sushiswap have the same DAI-ETH price of 400 DAI/ETH, implying that the market is synchronised and that no two-point arbitrage opportunities exist.

Now, a benign trader executes a transaction on Uniswap, which in expectation will raise the price from 400 DAI/ETH to 500 DAI/ETH. An MEV extractor can observe this transaction on the P2P network and then back-run it to extract revenue with the assistance of a miner (cf. abr-1).

(arb-1) demonstrates the cause of two-point arbitrage and how miners and searchers profit by back-running benign traders; (arb-2) demonstrates how a benign trader can atomically perform both swap and two-point arbitrage in a single transaction to profit from arbitrages themselves; (arb-2) is equivalent to (arb-3) when on-chain routing is available. Because of the activities of other market participants, off-chain routing services such as 1inch cannot guarantee that the prices between Uni- and Sushi-swap are synchronised.

Here is the main point of this article. Instead of allowing miners and searchers to back-run the benign trader’s transaction, why not allow the arbitrage profit to be extracted atomically in a single transaction? In a single transaction, the trader: (i) performs the swap; (ii) checks for arbitrage opportunities; and (iii) calculates and executes the optimal arbitrage parameters within the smart contract on-chain (cf. arb-2).

Because of the atomicity feature, the miners will not be able to manipulate the execution order of these transactions. Therefore it leaves no two-point arbitrage opportunity between Uni- and Sushi- for the DAI/ETH market. In fact, this is equivalent to on-chain routing, which helps the market to synchronise (cf. arb-3).

This design can also be used for three-point arbitrages. The main disadvantage is that some AMM exchanges have complex pricing formulas, making optimal arbitrage parameters with low on-chain computation difficult to derive. In our A2MM paper [9], we only addressed this issue for constant product pricing formulas. It is worth noting that, based on our calculations, this design can already significantly reduce MEV even if it only integrates with two of the biggest exchanges at the time (Uni- and Sushi-). For more detailed results, we refer interested readers to our paper [9].

SwapSwap is the first A2MM protocol implementation! In expectation, SwapSwap’s revenue allows to reduce swap fees by 90% when we replay historical Uniswap/Sushiswap transactions.

A2MM has been implemented (https://swapswap.org). SwapSwap uses routing and arbitrage depending on market conditions to synchronise the price of Uni- and Sushi-swap on Ethereum, maximise benign trader’s profit, and reduce MEV extraction from miners, searchers, and Flashbots. We hope that our product will help to stabilise the DeFi system even more. Kaihua Qin, Pablo Gamito, and myself are the core team members behind this first version of SwapSwap.

Join our discord at https://discord.gg/235rrBKZp9 to know more about SwapSwap

Case 2: Liquidation

(liq-1) shows how to extract MEV from liquidation after a price oracle update; we propose (liq-2) that the owner of the price oracle/price feed should perform atomic liquidation after the price update to minimise MEV and the use of Flashbots.

The liquidation process follows a similar pattern. We see no reason to rely on searchers, miners, or Flashbots to perform fixed spread liquidation when the collateral can be liquidated instantly in a single transaction (Aave, Compound, dYdX, Alpha Homora, etc.).

We refer interested readers to our new paper on liquidation for more detailed information [10].

Limitation

I’d like to emphasise once more that I am convinced that if smart contract execution costs are low, A2MM as an application layer design protocol can theoretically eliminate all back-running MEVs. However, because the execution cost of smart contracts is high, A2MM can only focus on the most important DeFi protocols. As a result, it will only reduce MEV.

There has been a lot of research on order fair blockchain protocols, which may eventually solve the MEV problem completely.

What about sandwich attacks?

Prior to Flashbots, sandwich attacks are more difficult to execute than arbitrage or liquidation because they require both front- and back-running. With Flashbots, sandwich extractions are risk-free. Nowadays, even if the profit is extremely small, benign DeFi traders are constantly attacked.

Sandwich attacks can also be mitigated by A2MM, but this would necessitate a lengthy explanation. I plan to cover this in a later blog.

Conclusion

It is undeniable that market manipulation providers such as Flashbots will aid in the reduction of Ethereum congestion. The cost is users’ trust in Flashbots not being evil, the centralisation of Ethereum and the power that comes with it, and benign DeFi users’ acceptance of being vampired by MEV extractors.

I believe that some investors, the media, and researchers are overly optimistic about the success of Flashbots while ignoring how to reduce MEV systematically. For example, the previously mentioned article “Opinion: Miners, Front-Running-as-a-Service Is Theft” did not receive widespread attention. However, I can frequently see Flashbots news in various media.

I sincerely hope that A2MM will change the perception of MEV in the entire community, inspiring everyone to work harder to reduce MEV.

Together, we can stop MEV!

— — — — —

Thanks to Arthur Gervais, Kaihua Qin, Zhipeng Wang for their helpful comments on this piece.

Disclaimer: Opinions expressed are solely mine and do not reflect the views or opinions of my supervisor, Arthur Gervais, or my co-author, Kaihua Qin. I am one of the core team members of SwapSwap (https://swapswap.org), the first A2MM protocol implementation.

References:

[1] Daian, Philip, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, and Ari Juels. “Flash boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges.”

[2] Bartoletti, Massimo, James Hsin-yu Chiang, and Alberto Lluch-Lafuente. “Maximizing Extractable Value from Automated Market Makers.”

[3] https://github.com/flashbots

[4] https://www.paradigm.xyz/portfolio/flashbots/

[5] https://mistx.io

[6] https://www.coindesk.com/miners-front-running-service-theft

[7] https://pdaian.com/blog/mev-wat-do/

[8] Qin, Kaihua, Liyi Zhou, Yaroslav Afonin, Ludovico Lazzaretti, and Arthur Gervais. “CeFi vs. DeFi — Comparing Centralized to Decentralized Finance.”

[9] Zhou, Liyi, Kaihua Qin, and Arthur Gervais. “A2MM: Mitigating Frontrunning, Transaction Reordering and Consensus Instability in Decentralized Exchanges.”

[10] Qin, Kaihua, Liyi Zhou, Pablo Gamito, Philipp Jovanovic, and Arthur Gervais. “An Empirical Study of DeFi Liquidations: Incentives, Risks, and Instabilities.”

— — — — —

I am a PhD student at Imperial College London under the supervision of Dr Arthur Gervais. My broad research interests include blockchain technology and machine learning. My most recent work is primarily concerned with Decentralized Finance (DeFi) security issues.

I’m looking for funding/donations for my final year of Ph.D., as well as research opportunities.