MEV Monitoring Design

Possible monitoring design in case of using MEV-boost for MEV extraction.

Participants

MEV-Boost

MEV-Boost is used by validators to delegate block building to third-party software. It polls relays and fetches from them variants of the suggested payload and the value that could be extracted by using this payload. The payload with the maximum value is selected and included to a block.

Relay

Relays are used by MEV-Boost to get built blocks. In the monitoring design we assume that relays provide a method, which returns the list of payloads and values that were suggested to a validator for a slot. The method has not yet been implemented, but we are discussing the possibility.

Monitoring

The monitoring service inspects the operation of the validators and collects data on how many value were extracted from each block, a source of the payload, a recipient of value and other metrics.

Design

Overall scheme

Relay observer

The service regularly checks the availability of the white-listed relays, fetches suggested payloads from them and stores this information to a database. The inspector service then compares these payloads with what is included in the block by the validators.

Epoch inspector service

The service fetches the finalized epochs one by one and inspects them:

Fetches the proposers duties from the consensus layer client.
Identifies the validator and node operator for each slot.
Inspects each slot.
Store the inspection result to DB.

Slot inspector service

The service fetches information about the slot, inspects it and return the result and collected data. The service does the following inspections:

Slot status

Service inspects whether a block is proposed in the slot.

Source of payload

The service calculates transaction_root based on the list of transactions in the block and looks for such a root in the list of payloads suggested for this slot by relays.

If a match is found, we can say that the payload is suggested by one of the relays from the white-list. Otherwise we expect that the relays are not available and the local payload is used. Or the validator intentionally uses a different payload for its own purposes.

Block value

The service inspects:

How many rewards for the block are sent to the fee_recipient and Lido MEV Vault addresses.
Is there a transaction in the block with a transfer from the builder and the value of this transfer.
Is there any suggested payloads with a higher value from the relays.

We need to separate balance changes by block rewards from third-party transactions, such as withdrawals. This will probably require a node with the trace module enabled or a third-party API such as Etherscan.

For the Lido MEV Vault, we can track withdrawals by event, but for builder it's more difficult to do so.

Fee recipient

The service inspects the fee_recipient address and expects one of the following values:

Builder address is expected in the case of using a payload from MEV-Boost. In this case, the block must include a transaction to transfer the validator reward to the Lido MEV Vault address.

Lido MEV Vault address is expected in the following cases:

All relays were unavailable.
Fallback to a local or remote EL client if there is a fault in the MEV-Boost.
The validator included payload for its own interest.

Unknown address is expected in the following cases:

Address belongs to one of the builders, and for some reason Relay observer did not collect suggested payloads. In this case there is a validator reward transaction in the block.
Configuration error or validator hacking.
Validator intentionally receives MEV and tx fees to its own address.

Data analysis

The results of the inspection are stored in the database and used for further analysis, visualization and alerts.

As a result, the following data are collected for each slot:

Was the block proposed in the slot.
Which Node Operator’s validator proposed the block.
What were suggested payloads by the whitelisted relays.
Were the whitelisted relays available at the time of the propose.
Which relay was used to build the block.
Was there a transfer from the builder, to what address and what the value.
How much the fee_recipient balance has increased.
How much Lido MEV Vault balance has increased.

Based on this data, the following analysis can be done:

Understand which validators do not use MEV-Boost.
Find validators that extract MEV to unknown address.
Understand how often blocks are missed in slots and what relays may have been selected by MEV-Boost for this slots.
Find validators using a local payload, the possible reasons for using it and the frequency of use.
Calculate and compare the average extracted value over long distances and see if censoring of Lido validators is present.

In some cases, it is not immediately possible to detect obvious malicious behavior of a validator, since it's always possible that all relays are unavailable and the validator has to build a block using a local payload. But in large samples it's visible if validators of one of the node operators have regular misbehavior.

Summary analysis

A summary table of possible conclusions based on the collected data.

		Tx	Known payload	Unknown payload
FR	Lido vault	+	😵‍💫 Could be a misconfiguration of the builder
	Lido vault	−	🧐 Builder don't charge a commission	🧐 Local payload or unknown source is used
	Another	+	👍 Most expected option	🧐 Unknown source is used
	Another	−	😱 Rewards collect to the wrong address

The table contains many assumptions and does not take all data into account. For example, payment in a transaction may be less than promised; monitoring may not have all of suggested payloads for a slot; payloads with a larger value may be suggested.

The real analysis will require more detailed investigations.

George Avsetsin

2022/05/16 05:16:48

* is expected in the following cases: * Address belongs to one of the builders, and for some reason

I assumed there would be a comparing local value with what relays offer. But I reviewed the FB docs again and didn't find any confirmation of that. It's only about fallback in case of relays unavailability (Edited)

2022/05/16 05:20:35

erest. *Unknow

Nah, you're right. There may be more failure scenarios besides relays. Added (Edited)

isidorosp

2022/05/24 11:01:55

Builder address* is expected in the case of using a payload from MEV-Boost

I don't understand this. fee recipient should be the Lido MEV vault, why would it be the builder's address? (Edited)

2022/05/24 11:03:04

The expected behavior is that a builders either set feeRecipient to the validator's address (in this case Lido MEV vault), or that builders set feeRecipient to their own address and then a transaction from their address to feeRecipient within the payload. This is the normal expected setup, no? (Edited)

2022/05/25 09:12:43

> builders set feeRecipient to their own address and then a transaction from their address to feeRecipient within the payload. yes, that's right and that's the reason why one of the options is that fee_recipient in block can point to a block builder address. and if we see that there is a transaction with correct value in this block with a transfer to our fee_recipient and if the payload was from a whitelisted relay, then we can say that everything is okay (Edited)

2022/06/01 12:13:55

They can prepare transaction from feeRecipient (or some other address that belongs to the proposer) to builderAddress which the proposer would need to sign and include into the payload. (Edited)

2022/06/01 12:18:08

this is the only way currently for proposers to guard against builders who might not put the reward in the payload. OTOH builder needs to trust validator that they will do their part, but validator has more to lose here (since they are part of Lido)

2022/06/03 06:11:57

Do I understand correctly that you are suggesting the following? 1. builder constructs a block, sends block header and value to a proposer 2. the proposer creates a tx for transfer to the builder 3. the proposer recalculates new tx root by itself considering the new transaction 4. Signs the modified header and sends it to the builder together with the signed tx 5. The builder reveals all txs and propagates the whole block over the network (Edited)

2022/06/03 06:12:06

if so, I have questions about the following points: 1. I'm not sure if proposer can calc new tx root having only root from all txs + new tx, but not having at least some of the others. 2. A malicious builder can build a block from fake txs to show a large value, and after receiving tx, put it into mempool forgetting about the block stuff 3. The fee recipient can be a smart contract (as in our case). In this case, it is not clear who signs the tx (Edited)

2022/06/03 08:49:31

Yeah all good points. Not sure tbh. Perhaps it's not worth thinking about, it's just that I got the feeling from the mev boost spec that it seems like the "default" expectged behavior would be that builder would be setting feerecipient to validator coinbase, not their own.

2022/06/03 06:18:02

I based my thoughts on this document: https://ethresear.ch/t/mev-boost-merge-ready-flashbots-architecture/11177#architecture-3 (section architecture, item 2 right below the diagram) (Edited)

2022/06/03 08:45:43

yes I based my thoughts on same diagram. In this example, why would builder set feerecipient to validator's coinbase if that meant that they wouldn't get paid for the block; obviously, there must be some mechanism already accounted for this to be an option.