BlueMatt's Blog On Building a Bitcoin for Everyone

Stop Calling It MEV

16 Apr 2024

As the systems built on bitcoin become increasingly expressive, the use-cases for bitcoin grow exponentially. While this is incredibly exciting, the one major concern both proponents and detractors of increased expressiveness can agree on is the risk of “MEV”.

Sadly, there has been very little in the way of a clear definition of “MEV” in the context of bitcoin, and the standard definition of the term is so broad as to be entirely useless in discussions of protocol risk.

The term “MEV” (or “Miner Extractable Value”) originated with the ethereum community and means, broadly, all the value that miners/stakers can extract when building blocks. This includes both in-band protocol fees and block subsidy, but also any out-of-band fees they accept directly from transactors, value they can extract by reordering or creating their own transactions, exploiting smart contracts, or even reorging the blockchain!

This is such a broad term that saying we’re “concerned about MEV” is somewhat useless - are we concerned that miners are extracting the block subsidy they’re entitled to? Obviously not. Worse, the ethereum community’s concerns with MEV partially overlap the concerns of the bitcoin community, but certainly aren’t the same.

Still, to understand the risks of MEV in bitcoin it’s useful to learn from the history of ethereum. As block building on ethereum has become increasingly specialized to extract the maximum possible MEV, a few effects have emerged:

First, and most concerningly, there are only a very, very small handful of companies who have invested sufficient capital (in the form of hiring world-class engineers) to be competitive at selecting and creating the most profitable set of transactions for the next block. From the point of view of censorship resistance on the network, this is incredibly damning - when only a few companies do, or could, select nearly all the transactions which can enter the blockchain, any hope of censorship resistance is lost.

Second, those trading on decentralized exchanges, and more broadly those using protocols that have an undefined counterparty, often find their counterparty replaced with the block’s transaction selector, to some loss in value. This comes in many forms, but commonly simply by the transaction selector arbitraging prices between decentralized and centralized exchanges, taking the price difference for themselves as profit. This impacts the quality of the experience for users of more expressive contracts on ethereum.

Bitcoin, as a system and community, largely seeks to maximize censorship resistance through decentralized transaction selection over any other goals. Sadly, today, bitcoin’s transaction selection is also highly centralized in the form of pools. Luckily, there’s no strong financial incentive for this, only historical technical reasons. While this allows us to massively re-decentralize bitcoin with only technical tweaks to the mining software stack, any financial disincentives to adopting such technology would absolutely destroy bitcoin’s long-term censorship resistance. So much so, that I’d argue that if we end up in the same place as ethereum is today, we should simply give up on bitcoin’s censorship resistance axiom as we simply will not achieve it in any reasonable way.

Thus, the first class of MEV (the resulting centralization pressure) is also a substantial potential issue for bitcoin. The second issue (degraded execution quality and usability), much less so. In fact, given bitcoin’s axiom of censorship resistance above all else, I’d argue trading transaction execution quality for any marginal censorship resistance gain would be worth it, at least at the level of the overall bitcoin system.

Some Bitcoiners have taken to calling this centralization MEV risk MEVil (or “MEV that is evIL”). Specifically, MEV which results in a financial incentive for miners to employ sophisticated technology in order to ensure the transactions they include in the next block have the maximal value is MEVil. This can come in the form of changing the order of transactions in a block or creating new ones, but it does not include cases where an open market might bid on creating specific transactions using Replace-By-Fee (or “RBF”). Further, because there is likely to be reasonable long-term decentralization of hash power, we do not include multi-block censorship attacks - such attacks require some amount of miner coordination and require miners be willing to forgo profit now for greater profit later, risking their competition claiming the profit for themselves.

Many developers working on increasing expressiveness in bitcoin have concluded that MEV is inevitable on bitcoin and we should simply prepare ourselves for it. However, I think this stems from a focus on the broad definition of “MEV”, rather than the more practical definition of MEVil. MEVil is not inevitable on bitcoin, however avoiding it does require engineers building expressive bitcoin systems consider the impacts of their work carefully.

Here, it’s useful to consider some examples of things which fit the broad definition of MEV, and how they do or do not introduce MEVil:

MEV is often raised when discussing systems which may result in transactions which can be profitably replaced. For example, an output on chain which can be claimed by anyone without specific private key material or a trade in a decentralized exchange which executes at an incorrect price. In these examples it may be possible for anyone, including miners, to create a new transaction which claims some value directly or indirectly. While this is obviously MEV (after all, this value should flow to miners somehow), it is unlikely to create MEVil. Thanks to bitcoin’s ten minute block time and public mempool, anyone has a chance to bid (by paying a higher mining fee) for the ability to claim this value. This allows miners to extract this value while remaining entirely passive and not implementing any custom or advanced logic to monitor for or create these claims. Over the past few years we’ve seen a handful of examples of these kinds of in-mempool bidding wars, including notably funds sent to insecurely generated private keys. This also implies that miners which receive transactions via any form of private relay should ensure they submit such transactions to the public mempool, ensuring others can bid to replace them and increase the miner’s revenue.

A popular scheme a number of groups are working on building are “rollups” on bitcoin. These are sidechain systems where the transaction data for the sidechain is embedded in the bitcoin blockchain itself. Because these systems can have arbitrarily expressible smart contracts, they are likely to have the potential for advanced MEV extraction similar to what we see on ethereum today. However, in most cases, such systems do not create MEVil in bitcoin. In most rollup systems there is a single or small group of “sequencers” which select the transactions that enter the rollup as well as their order. Thus, the sequencers have the exclusive ability to extract MEV and bitcoin miners are not able to use their transaction selection or ordering power to influence the rollup‘s transactions.

Some rollup systems, referred to as “based rollups”, however, give bitcoin miners the ability to directly select and order rollup transactions. This runs substantial risk of creating MEVil, and in fact if we see deployment of large-scale naive based rollups I believe bitcoin may suffer a terrible fate. Still, based rollup developers have a few easy tricks which can substantially reduce MEVil risk. First of all, based rollups can remove the ability for miners to order rollup transactions by randomizing the order keyed using the bitcoin block hash. Thus, for miners to influence the order of rollup transactions they must be willing to fully discard valid bitcoin blocks, forgoing potentially substantial profit. Secondly, based rollup developers can randomize transaction ordering across multiple blocks, ensuring single bitcoin miners cannot censor rollup transactions, further reducing their ability to materially extract MEVil. While this may delay rollup transaction confirmation times somewhat, I’d strongly encourage rollup developers to consider whether there is a genuine material difference between users waiting for six confirmations and users waiting for seven, eight, or nine confirmations.

I’d also encourage developers, Bitcoiners, and everyone to vote with their feet - if a rollup system introduces material MEVil risk to bitcoin, simply use an alternative system - if you don’t, the utility of that system is going to eventually be ruined by increased bitcoin miner centralization anyway. In this case, centralized and federated rollups are much more clearly safe, and based rollups or ones with a “force-inclusion” mechanism should be carefully considered before using them!

Another common example raised as MEV on bitcoin is the inclusion of nonstandard transactions or, more broadly, any transactions which reach a miner outside of the public mempool. While this indeed introduces strong centralization pressure for larger miners to offer this as a service, which is absolutely MEVil, we have not yet seen material demand or revenue from such transactions. Indeed, as mentioned above, miners have an incentive to ensure transactions received via private relay reach the public mempool where possible to allow for public RBF bidding. While there is certainly demand for nonstandard transaction inclusion as a novelty, it is unclear if this market will grow in the long term. Further, Bitcoin Core can, should, and generally does allow any transaction as standard, with restrictions only for transactions representing denial-of-service attacks or when the inclusion of a transaction makes Bitcoin Core unable to accurately calculate competitive block templates. As Bitcoin Core continues to improve, the demand for any nonstandard transactions will continue to decline, thus reducing the profit potential of any MEVil extraction.

More recently, out of band payments to miners have become popular again, allowing individuals to pay large pools for the inclusion of their transaction(s) using payments outside of the normal bitcoin transaction fee. This can create substantial MEVil but only if the out-of-band payment is offered directly to a single or group of miners. Any kind of out of band fee payment which is easily claimable by any miner does not contribute to MEVil-induced centralization, and thus open protocols for this are important. Further, while out of band fees have been commonly available on bitcoin before, they have never represented a substantial portion of miner revenue, and with technologies like Lightning and RBF (very slowly) becoming more popular in consumer bitcoin wallets, the need for out of band payments should further decrease.

Finally, some individual coins on chain have developed collector value. Notably, coins freshly mined in coinbase outputs in certain blocks (especially after difficulty or block subsidy adjustments) have often been valued at higher than their Bitcoin amount. While this has negative implications on fungibility, the extraction of such additional value can also be considered a form of MEVil. After all, claiming this value may require additional investment in human capital to evaluate and participate in “rare sats” marketplaces. The long-term value of these collectors items remains unclear, and valuing them is, correctly, often considered antisocial by Bitcoiners who care about the long-term sustainability and performance of the bitcoin system. Luckily, such “rare sats” that (may) have material value only occur in very few blocks (currently those every 4 years after subsidy adjustments), reducing the total impact it can have on miners.

While there are many risks on the horizon which may introduce MEVil in bitcoin, thus substantially risking the long-term censorship resistance (and therefore value) of bitcoin, there is no reason yet to fear that such an outcome is inevitable. Indeed, while MEV on bitcoin is inevitable and here today, “MEV” is a largely useless term for describing our censorship resistance and centralization concerns. Engineers developing, and users selecting, platforms which add additional expressivity to bitcoin must carefully consider the risk of MEVil these systems may introduce. Opting to build or use systems which introduce MEVil to bitcoin must thus be avoided, and considered antisocial, or the long term value in these systems and the bitcoin system itself may be destroyed.

Ten Years of Bitcoin

12 Sep 2018

This post was originally written for an opinion series marking ten years since the announcement of Bitcoin. It was not published at the time but appears here, without change, in the form it was written in late-2018. It was originally published in Dec, 2022 and has been backdated.

Reflecting back on my almost-8-years of working on Bitcoin, I’m very proud of his far we’ve come in answering some of the biggest questions around viability of trustless financial technologies. We’ve gone from a niche technology valued by only a small handful of geeks to something discussed and debated in international financial publications. Bitcoin itself has moved on from a single software project maintained by one individual to a large ecosystem of startups, projects, and individuals the world over. Still, we must not allow our progress to make us think that we’re guaranteed success, however that may be defined. Cryptocurrency’s many detractors, more often than not, raise legitimate issues, and the space as a whole has some serious soul-searching to do when it comes to the types of projects we prioritize.

The broader cryptocurrency community seems to get mired in so many debates on technical minutia that it becomes easy to lose sight of the bigger picture. After all, cryptocurrency will never compete with systems that more directly utilize the efficiencies that trusted parties provide. Even the costs involved in slightly reducing trust in single third parties introduce massive engineering and user experience tradeoffs that almost always make such systems simply uncompetitive. And yet, the cryptocurrency ecosystem seems hell-bent on compromising its trustless origins to eek out a few multiples in performance or “scalability,” all while remaining orders of magnitude away from the user experience of systems with similar trust models. There are simply no use-cases for a financial system in which three entities must cooperate to seize or freeze assets instead of one, especially when that seizure is ordered by a western government with cross-jurisdictional financial reach.

Instead of attempting to compete with centralized alternatives in the broader market, the cryptocurrency community should focus on places where there simply is no competition. After all, no one outside of cryptocurrency has managed to design a similar financial product without a trusted third party despite over 30 years of trying. If we can execute on this vision, those facing financial censorship or collapsing financial infrastructure at home could finally have an alternative to go to for financial services. Sure, that alternative will never significantly improve on the user experience of more centralized alternatives for most use-cases, but by focusing on markets where trustlessness provides genuine value we can generate real adoption that doesn’t come and go with the latest investment bubble, and broader adoption can come in its own time.

Of course utilizing “blockchain technology” to create fictional decentralization can provide all the features we want to get out of Bitcoin’s decentralization with few of the tradeoffs for quite some time, but the benefits of such regulatory arbitrage are dubious, at best. Regulators have a tendency to move slowly, and it can often take tens of years for them to fully understand the contours of their powers and utilize them to shut down behavior they dislike. However, if a system can be controlled by a handful of entities, it eventually will, and no amount of claims about the value of “decentralization” or jurisdiction hopping will stop that.

In order to focus on adoption, however, we need to move on from asking “how” we can make a blockchain go faster, to asking “why” such a system will likely provide long-term benefits for its users that cannot be more efficiently and better replicated with more centralized alternatives. What is the point of building a “better blockchain” that “scales” by replacing the attempt at decentralized ledger-keeping that Bitcoin’s Proof of Work represents with something that clearly will never be more than a handful of companies or individuals confirming transactions? Ultimately, as capital centralizes in a few hands as it has through all of human history, does a Proof of Stake blockchain provide any value for its users that a cluster of high-performance databases run by the inevitable few entities with the vast majority of the capital couldn’t? Do cats really need to be on a blockchain, or can we instead keep them on a server somewhere that provides an identical public interface so anyone who wishes to display or trade them can build their own application to do so?

It is very easy to be swayed by an argument that, because Bitcoin’s Proof of Work is currently fairly centralized, an alternative system need only be equivalent to be worth consideration. This, however, misses the obvious point that if Bitcoin’s Proof of Work were never going to become more distributed and control-resistant than it is today that we may want to start rethinking the viability of cryptocurrency as a whole. Luckily, we have lots of room left to shift the needle on the control-resistance of Bitcoin’s mining system, but the effectiveness and adoption of such proposals remains one of my the biggest long-term concerns for Bitcoin’s (and cryptocurrency’s) future.

As much as building a future we want to see requires focus, we should obviously also take this opportunity to celebrate how far we’ve come in demonstrating Bitcoin’s resilience. What was once a system endeavoring to be “trustless” while its rules were changed by its founder with little outside input or review, the consensus rules of Bitcoin today are not subject to the whim of any one group alone. Prior to the events of 2017, one might have reasonably concluded that any one of a number of different groups had outright control over the rules which govern all Bitcoin users, be it the diverse community of developers working on key Bitcoin software, Bitcoin’s many miners and pool operators, or the largest cryptocurrency businesses. However, despite the outward chaos that was the activation of Segregated Witness, the failure of each individual group in succession to make changes to the rules without the agreement of others showed a resilience that will be critical to any future in which no group of third parties need be trusted to use Bitcoin.

While the originally-proposed release of SegWit saw strong support from across the development community and Bitcoin’s most vocal users, it was met with apathy from the business community and outright hostility from many miners. Thus, despite the best efforts of many to advocate for the benefits and relative few drawbacks of such a change, the original activation method went largely nowhere. A vocally frustrated group of users pushed for the forced activation of SegWit in the form of BIP 148, despite condemnation from most developers for its hasty nature, further inflaming tensions. Finally, the backroom dealing between miners and businesses that led to Segwit2X turned what was a roaring dumpsterfire into a full-fledged emergency. Only when the design of Segwit2X was amended to be compatible with BIP 148 did the two efforts converge and lead to the activation of SegWit, again in spite of the condemnation of the timeline and lack of consensus of both efforts by much of the development community.

Still, with both developers and vocal users shown to not have unilateral control over Bitcoin, one might have reasonably concluded that a group of business leaders may yet be able to exert control. However, with the failure of the second half of Segwit2X thanks to user, developer, and market pressure it become clear that, at least as of 2017, many diverse groups have the ability to veto changes to the rules that govern all Bitcoin users, and no such group can make changes unilaterally.

While the events of 2017 were in no question formative to the fledgeling governance process of Bitcoin’s consensus rules, even the solace we take in each groups’ failure must not be taken for granted. After all, a large number of new users entered the Bitcoin community after the Twitter brawls that characterized the mid-2017 Bitcoin community. We must ensure that the lessons we all took from the many key events in Bitcoin’s history not be forgotten and be accurately communicated to each new generation of Bitcoin users.

Despite the many headwinds and challenges of focus the cryptocurrency community faces over the coming years, the diversity of interests and maturity that has developed in the community over the past ten years, not to mention its explosive growth, gives me great hope that, as long as we define it correctly, the next ten years may be one of cryptocurrency’s success.