Stability As the Sum of Incentives

Kinda arguing against decentralization in this one, but not really

Hi everyone. First, a quick note: obviously I haven’t written anything in several weeks. Suffice it to say, the reasons for this relate to personal life and I don’t think it’s necessary to get into that here. I hope this email is welcome after the break! I intend to continue to write on a schedule, although there may be some further disruption in the coming weeks. For now, the twice-weekly schedule remains my intention.

Oh, also, this is not financial advice and I am not a financial services professional. Do your own research.

Background noise

On Monday I listened to this fascinating conversation between Saru and an anonymous MEV searcher. I’ve just said several words that require explanation and I haven’t gotten to my point yet—please don’t feel any need to watch the video yourself, and I promise I’ll tell you what a searcher is.

The conversation goes into detail about possible weaknesses in the consensus mechanism of the Ethereum network. The idea, which others can state better than me, is that there are situations in which miners could potentially be economically incentivized to destabilize consensus (or, in the worst cases, potentially steal from users directly).

Here’s an extremely simplistic set of examples that really aren’t accurate, but help approach the intuition: imagine you are a teller at a bank. A stranger walks through the door, says a customer is about to come in and deposit $10,000, and asks you to team up with them to steal it. The stranger goes on to explain that, if you steal it using a novel method they’ve devised, it’s impossible for that stranger to have any recourse to get it back and neither of you will be found out. Your mutual cooperation is necessary for a moment, but then you can go your separate ways and keep some share of the money.

Next, imagine that you work at the New York Stock Exchange. Your job is to enter client orders into a computer. A man walks up to you and offers you $2,000 to make sure that you enter Alice’s trade before Bob’s. It’s not clear to you why this would matter to the man, but you haven’t made any sort of commitment to either Alice or Bob about what order you’ll enter them in as long as you do it within the next few minutes. Later, unbeknownst to you, your action caused Alice to make 0.2% more from the trade than she would’ve otherwise, which amounts to several thousand more dollars than you were paid. Bob made 0.2% less than he would’ve otherwise.

Lastly, imagine that you work at a foreign exchange desk. There are two separate markets that convert USD to GBP, and the market rates currently differ by 0.1%, which is much more than normal. Someone approaches the desk and asks you to buy $30,000,000 on one market and then immediately sell $30,000,000 on the other market. Now imagine you have a way to computationally guarantee that these orders will both occur at exactly the same time or not at all, so if you execute it, this client will immediately make $30,000,000 * 0.001 = $30,000 with no risk. They offer you $10,000 for your trouble. You’re just about to execute their transaction, but two-tenths of a second later, someone else comes bursting through the door with the same offer, only they’ll pay you $20,000. Another tenth of a second and a third person offers $27,000. Now there isn’t enough time to take offers anymore, so you take the $27,000 and execute the third client’s order.

The first of these describes the worst, most extractive type of MEV capture, where you are profiting at the expense of a user in such a blatant way that it feels like theft—or literally is. The second scenario is more typical, and happens every day in the form of, for instance, sandwich attacks. The third scenario is an arbitrage opportunity, with the twist that’s unrealistic in the real world but totally commonplace with Ethereum: a single transaction where two events occur—a buy and a sell—with tons of competing bots offering miners higher and higher fees to process their version of the transaction that profits them and not another bot who noticed the same opportunity.

The end result is a bidding war called a PGA, or “priority gas auction”, where miners end up capturing most of the MEV, or miner extractable value, but some balance goes to the “searcher” who discovered the opportunity. In all three scenarios above, miners are agnostic to what you are bidding for—they’re algorithmic boxes designed to process the transactions with the highest associated fees, the nature of those transactions be damned. Ultimately, the philosophy is that, if you’ve left yourself open to the first sort of scenario while using Ethereum, you or a project you’ve transacted with has made a huge mistake. The second scenario is commonplace and not a huge deal, but worth keeping in mind when you’re using DeFi—if your transaction is targeted in this way, you’ll end up paying the maximum slippage possible without the transaction being canceled. In the third scenario, it’s not clear who is harmed, so we’ll skip that.

Casual users of Ethereum who only encounter the largest projects, like Uniswap, probably don’t have much to fear from being outright stolen from, but price slippage is inevitable. DeFi systems need it in order to work, because it’s not guaranteed what order transactions will execute in. In the case of Uniswap,1 every trade in a market affects the price of the next trade, so if everyone was guaranteed an exact price, lots of transactions that arrived at slightly different fractions of a second would fail unexpectedly because one person hit Enter on their keyboard slightly faster than somebody else, etc. Thus, slippage is inevitable background noise. The manipulation of slippage is the source of some MEV.

Now onto the real harms.

The real harms

Let’s take our premise a bit farther. Let’s say there is a liquidation on Compound that yields $10,000. Somebody submits the transaction and a miner picks it up. But instead of processing it as intended, which would net the submitter $10,000, the miner instead copies it, modifies it so the recipient of the payout is changed to an address they control, and then processes it.

In another version, a third party pays a miner a large sum of money to recompute past blocks in a way that is favorable to them. If the miner can perform enough computational work fast enough, then they may be able to produce a longer chain than the current canonical chain. This would cause the proof-of-work consensus algorithms that currently moderate the Ethereum network to accept the rewritten history instead of the original history. This is called a time-bandit attack.

Now, to the extent of my knowledge, neither of these have ever happened in Ethereum in the context of a malicious attack. That’s good, because if people started attempting them then it would have the potential to seriously undermine the network. It’s likely that network consensus would be disrupted, the blockchain would grind to a halt, every user worldwide would notice and lose trust in the network, and lots of users would walk away.

It’s not realistic to preclude these problems without modifying the social contract that Ethereum has with its users, so instead we rely on the rational behavior of actors in the system. That breaks down like this:

  • Collectively, users of Ethereum don’t want to destroy Ethereum, but there’s always someone who wants to watch the world burn. So the system needs to be resilient to individuals.

  • Miners are large operations with high capital investment: mining rigs, electricity to power them, buildings to house them, climate control for those buildings, etc. It makes no economic sense for them to take action that may destabilize the network(s) they rely on to profit from their capital investment. In order to carry out a time-bandit attack, a miner (or a group of miners) would need to believe it was more profitable to capture some value immediately at great long-term expense. We can trust miners to operate in a manner that aligns with their economic incentives, because they are large companies with large capital investments. Also, they tend to be run by crypto nerds who don’t want to destroy crypto, damage its reputation, etc.

In conclusion: we can trust miners to act in a generally rational way, according to their own incentives. The problem is that’s not quite enough for some people.

(Real-time follow-up: I wrote this on Monday. On Tuesday, Vitalik co-wrote this on the matter.)

The part where we finally get to my point

A lot of the time, we have to rely on things remaining more or less the same. I trust that my dollar will be worth a similar amount tomorrow. I trust there won’t be a major civil war fought in my city.

We also have to rely on certain companies’ behavior remaining more or less the same: if Apple wanted, it could disable iCloud, or push a software update to iPhones that made them stop working. But Apple would never do this because it’s ridiculous. The corporation, as an entity, exists to avoid that very scenario: the one where it loses money. We trust Apple not to make decisions that would immediately destroy itself in the same way that we ought to trust miners not to make decisions that would immediately destroy the value of their own investments. If we don’t trust people to respond to their incentives, neither trust in Apple nor trust in the structure of the Ethereum network make any sense. Both would be nonsense.

It is, perhaps, a hard pill to swallow for some folks in crypto-world for a couple reasons. First, I’m talking about introducing a component of trust in a system that is designed to be trustless and uncensorable. To answer this I need to qualify my point: to “trust” in this context is to believe that people will act according to their incentives, and to believe that people with much greater incentives (e.g. business owners) will be much more consistently aligned with them than other individuals. I don’t think this is a controversial point.

Second, I’m sort of implicitly arguing against decentralization here a bit, right? After all, we trust Apple not to arbitrarily disable all iPhones and we don’t need them to be decentralized to have that trust. Hopefully it’s obvious that this isn’t the right example: the sort of use case that thrives on Ethereum is that which a trusted intermediary would otherwise be required, such as a regulatory body. You don’t need a regulatory body to make sure that I actually accrue interest on Compound. The system simply trudges ever-forward, even without human eyes gazing on it. The App Store will never be like that.

I do think, though, that stability need not be cryptographically guaranteed if the surrounding incentives are strong enough. The reason I think Ethereum will be fine, even prior to its upcoming proof-of-stake transition, is not because I believe it is feasible to stop all possible time-bandit attacks, reorgs etc. in proof-of-work systems. Rather, it’s because nobody in the position to destroy Ethereum has any incentive to do so, and those who may want to destroy Ethereum are necessarily not in the position to do so. (Also, it remains very difficult to pull off and would probably destroy much more value than it would be able to capture.)

Sufficient incentives, organized properly, imply stability—at least as much as any centralized institution out there.


This regards Uniswap v2; in v3 this isn’t always true.