Allow Proposers To Force Transaction Inclusion in Payloads #52
Comments
Why this rather than a (multi-)proof? The proof would be smaller on the wire and require less computation on the part of the beacon node. |
|
Brainsync ⚡ At Flashbots we're also thinking along these lines and a more complete proposal is in the works and will be out shortly (hopefully today, perhaps early next week). The problem with the approach presented here is that (a) relays have no way to send transactions to the builders, and (b) at the time of the What we're thinking about is is a must-include transaction-hash list as part of
We think this simple change gives validators more choice and can be expanded to include extra utility in the future, e.g. to meet other kinds of preferences that validators have over block contents. |
|
Including the tx hashes in Re: 3) you can send a single multiproof, which would be more efficient. I would also want to see MEV-boost return the full multiproof to the beacon node so that it can verify it independently. MEV-boost shouldn't be more than a transparent multiplexer, with no difference to the beacon node's operation if it is talking to MEV-boost or to a relay directly. |
If |
How would a builder build a block if it can't find the provided tx hashes in its mempool ? I dont think nodes have a global view of all transactions in ethereum, unless we want that to be a builder requirement. The side effect would be you might simply have a lot more builders failing to build blocks because of this.
This is probably going to be a requirement, otherwise it is way too short a time to build a valuable block. Possibly we could have a |
It's an efficiency thing more than anything else, but given that we're burning so much time with the back-and-forth already I feel that we should reduce the impact of any additions as much as possible. Note that a single sparse multiproof should be a fair bit smaller than multiple proofs, and they can all be proven in a single pass. A bit old, but https://www.wealdtech.com/articles/understanding-sparse-merkle-multiproofs/ talked about them. |
|
Alright I have updated it to use multiproofs rather than the whole transaction list in the payload. |
The list doesn't need to be sent to the builder. The relay can just check if it has any bids that fit the proposer preferences (must-include list). If it has them, add the proofs and return the signed bid. Otherwise, return no bid.
Certainly! It will be part of the builder specs. The nice thing is that this is fully backwards compatible with the current v1 API, since it just adds non-mandatory fields (i.e. the must-include list in the request, and the proof(s) in the response). |
That would make it potentially very difficulty for any given builder to get lucky and have the required txs in the block. This would result in one of two situations:
Neither of these seem optimal. Being able to send the list to the builder would be a significant improvement on the list being a simple filter for both builder and proposer. |
Thinking this through, it would require a new, separate This call would need to be signed by the validator, in order to avoid spamming the relays and builders with must-include lists that don't originate from the actual future proposer. |
|
Just to add to @mcdee 's comment, I dont think it is possible to make this work without providing the builders full transactions that we have to include in the payload. Otherwise it basically requires all builders to have total information on all transactions in the network which isn't feasible. Providing just the transaction roots instead via the relay would lead to a very fragile block building system and also remove the possibility of proposers submitting private transactions directly.
It has to be the previous slot, or after the last block ( parent) was received and processed. Otherwise you risk submitting stale transactions, which the builder can't build the block with anyway. |
|
A poor man's thought. Maybe we can bundle the CR tx list or CR tx hash list with |
|
Trouble with bundling that far in advance is that the tx hashes will become stale. It's possible to change the tx list semantics to mean "must be included in or before my proposed block", which would partially address the issue, but that still leaves a couple of areas where I think the system would be weak:
|
|
Re reusing Also the mev-boost service itself wouldn't be able to know if a must-include transaction isn't part of the bid because it was already included in slots before, at least in the current architecture. It could just verify the proofs of inclusion in that block. Or maybe it's possible to construct additional proofs for the other cases too. The most effective approach seems to be a new API call:
|
4 seconds is the spec defined time, so we can stick to that. We can couple the transaction list call to the relay with the FCU for the local execution node. This would set off the block building process in parallel locally and for remote builders. |
|
FCU is sent out too late in the process, builders have already started building before they would receive that call. The inclusion list must be sent out earlier, like a slot in advance. (i.e. for a duty at slot 20, send the inclusion list latest at when payload for slot 18 is received). |
|
Tried to distill the conversations and open questions into a single draft document: https://hackmd.io/@metachris/mev-boost-inclusion-list-implementation-draft/edit |
|
@metachris How would this handle stale transactions ? The reason I mentioned, right after the previous slot's block is received |
|
How to handle stałe transactions is a key open question. Providing the list just when builders start building seems too late because:
Maybe it would be feasible to send the list that late, it's something to consider. Cc @Ruteri. There's seems to be a few seconds window. Might require to push the IL from relay to builder though, rather than builder polling. Another way to deal with these could be mev-boost having a connection to the EL client and being able to figure out more details about a IL tx. We should also consider the other transaction edge cases, like base fee too high, not enough eth to pay fees, or even reverts 🤔 |
How long this might take depends on the relay/builder's network infra, but I am assuming both of these actor's are running in locations with satisfactory network uplinks. If we assume that worst case, that this takes 1 second , how would 7 - 11 seconds be for the builder to prepare these transactions ? I think we shouldn't be thinking of this:
We can assume the proposer is providing valid transactions as these are retrieved from their local el's mempool. Trying to further filter them is going to complicate the protocol. |
The problem is not with the delay per se, it's with the inability to predict when exactly this happens. Changing to a relay-pushes-to-builders instead of builders polling could actually resolve this issue. |
This seems preferable to a polling approach, as it is dependant on the proposer feeding the transactions.
This would also favour builders who aren't censoring, as now these builders have a chance to build and submit a block with these transactions included. In the event this happens in a period of high economic activity(liquidation, mint, etc), these builders eventually will win out. The ultimate goal is to have this as the default for all proposers via the builder api and also attach a tangible cost to censoring out valid transactions. |
Currently block proposers outsource block building to remote builders via relays to maximize block proposal income. While this makes sense for both solo stakers and pooled stakers as they want to have access to MEV income, it comes at a great cost as it provides relays/builders full control over what transactions can be included in a payload. Block builders might choose to censor certain types of transactions even if they are perfectly valid and economically attractive. The end result would be that block proposers would inadvertently also censor these transactions as full control over transaction inclusion has been handed over to builders as the current APIs currently stand.
Proposal
The current state of the builder apis can be improved to allow for stronger censorship resistance guarantees along with still allowing validators to access MEV income. Instead of the block proposer allowing the builder to build the whole payload, the block proposer now submits a list of full transactions that it wants added to the payload by the builder when requesting the execution payload header in
GET /eth/v2/builder/header/{slot}/{parent_hash}/{pubkey}. This would be a new endpoint as the expected request/response from this is different(even if it is easily extendable from the current data structures)The builder now has to include these transactions into the payload and is a constraint in the block building process. Once the builder has built the execution payload, it returns the execution payload header along with a multiproof that verifies the existence of the desired transactions for the provided transactions field root.
Once the block proposer receives the response back it verifies that the transactions were all included by the builder:
Once this is verified, the block proposer can then sign the blinded block and request the full block from the builder and then broadcast it. This proposal accomplishes a few things:
The transactions to be force included can simply be retrieved from the local node's mempool. Ex: Top
Nmost valuable transactions seen. In the event that the relay/builder attempts to censor, the proposer simply falls back to local block building. This allows honest validators to detect when relays attempt to censor and fall back to building locally.An advantage of this proposal is that it is pretty straightforward for consensus clients to implement on top of the existing builder api.
The text was updated successfully, but these errors were encountered: