LØ: An Accountable Mempool for MEV Resistance

Possible manipulation of user transactions by miners in a permissionless blockchain systems is a growing concern. This problem is a pervasive and systemic issue, known as Miner Extractable Value (MEV), incurs highs costs on users of decentralised applications. Furthermore, transaction manipulations create other issues in blockchain systems such as congestion, higher fees, and system instability. Detecting transaction manipulations is difficult, even though it is known that they originate from the pre-consensus phase of transaction selection for a block building, at the base layer of blockchain protocols. In this paper we summarize known transaction manipulation attacks. We then present LØ, an accountable base layer protocol specifically designed to detect and mitigate transaction manipulations. LØ is built around accurate detection of transaction manipulations and assignment of blame at the granularity of a single mining node. LØ forces miners to log all the transactions they receive into a secure mempool data structure and to process them in a verifiable manner. Overall, LØ quickly and efficiently detects reordering, injection or censorship attempts. Our performance evaluation shows that LØ is also practical and only introduces a marginal performance overhead.


Introduction
Enabled by blockchain technologies, Decentralised Finance (DeFi) tools and mechanisms have generated a lot of interest as building blocks for novel digital markets, both in terms of practical applications amounting to over 80 billion USD total value locked at the moment of writing, and in terms of significant research interest [36].Furthermore, these tools enable monetization mechanisms for the new paradigm of Web3 development, providing alternatives to monopolistic centralised digital platforms.Decentralised exchanges, lending markets, derivatives, and other products built on permissionless blockchains are just some examples of these novel financial applications.However, these developments, are undermined by unresolved issues of transaction manipulations, such as censorship, injection, and re-ordering of transactions, at the expense of application users at underlying layers of blockchain protocols.This problem led to the notion of Miner Extractable Value (MEV) 1 , which refers to the maximum revenue a miner can obtain from benign or manipulative transaction selection for block production [12,29].This problem is a pervasive and systemic issue at large scale as exemplified by the Ethereum blockchain, where MEV transaction manipulations have generated over 320 USD million of revenue for bots and miners [? ].Furthermore, over 90% of the blocks produced on Ethereum contain MEV transactions [29].Such manipulations not only undermine users' trust, but also induce systemic issues like congestion, inflated fees, and system instability [24].
We argue that the root cause of MEV is a lack of accountability at the base layer of permissionless blockchain protocols, sometimes referred to as 'dark forest' [29].By base layer, we refer to the processing steps that happen before consensus has to be reached on a block, such as sharing pending transactions (recorded in the mempool) with other miners and assembling them into blocks.In contrast to what happens at the consensus layer, at the base layer miners are expected to act as trusted parties.As such, a miner that creates a new block can arbitrarily select the transactions from its mempool.In practice, miners can therefore arbitrarily censor, inject or reorder transactions [15].
While this problem has received certain attention in the context of MEV mitigation tools, there are no comprehensive solutions preventing these types of transaction manipulations [27].Most of the proposed solutions in this category focus on the application layer and on consensus layer mitigation tools [38].Many of these tools do not prevent MEV attacks but rather aim to mitigate them.The most well known approach, Proposer Builder Separation (PBS) [2], is implemented with the Flashbots middleware on Ethereum and does not prevent MEV, but only the redistribution of its associated revenues.Some proposed theoretical solutions, such as fair ordering consensus protocols [19], prevent transaction manipulations.However, these algorithms assume permissioned settings and small network sizes, and require important modifications of the blockchain consensus layer.
As transaction manipulations arise from the lack of accountability at the base layer of blockchain protocols, we argue that comprehensive mitigation of MEV requires addressing trust assumptions at this particular layer.To address them, we design LØ, an accountable mempool protocol.
In LØ miners become accountable for the process of transaction selection and ordering.As new transactions are propagated among miners, they exchange and record commitments on the content of their mempools with each other.New transactions are shared in bundles, and commitment is recorded on a whole transaction bundle.This provides a local partial ordering of transactions.Our system is based on pairwise commitments that are exchanged during a mempool reconciliation phase, which is executed before the consensus protocol.This allows miners to witness each others' transaction selection and commit to a particular order and set of transaction that they will use for block generation.Therefore, LØ ensures that any transaction manipulation, such as transaction censorship, injection and reordering, can be detected and proven by a correct node.
Our system is agnostic to a specific type of consensus protocol in a permissionless blockchain system.It can be seamlessly integrated with existing blockchain solutions, as a relatively simple modification of a Peer-to-Peer (P2P) protocols that propagates transactions and blocks.In addition, it does not require any additional cryptographic setups, and it does not impose a significant performance overhead.We leverage Minisketch data structure for the reconciliation of mempools to implement bandwidth-efficient commitments [25].

This paper makes the following contributions:
• We identify key types of transaction manipulation attack primitives at the base layer.We propose a new taxonomy based on these attack primitives that can grasp all potential MEV attacks.We discuss the stages of the transaction processing pipeline that allow for these manipulations by miners.( §2).
• After describing our system model ( §3), we provide an overview of LØ, an accountable base layer protocol specifically designed to prevent transaction manipulations.LØ is built around accurate detection of transaction manipulations and assignment of blame at the granularity of a single mining node.We discuss specific policies targeted at the detection of different MEV manipulations in ( §4).
• We detail how LØ detects transaction manipulation attacks and potential mechanisms for the enforcement of these policies ( §5).We further discuss possible attacks against accountability in LØ.
• We present our performance evaluation, which demonstrates that LØ is practical.It is both bandwidth and memory efficient.For example, it only requires up to 10 MB of additional storage for a network of 10,000 nodes and a workload of 20 transactions per second.At the same time, it is at least four times more efficient than the classical flooding-based mempool exchanges ( §6).

Transaction Manipulations at the Base Layer
We distinguish the base layer of a blockchain system from its consensus layer.In the complete life-cycle of a transaction from its creation to its inclusion in a blockchain, the base layer corresponds to the steps that precedes the block consensus phase as illustrated in Fig. 1.These steps include the creation of the transaction and its initial sharing, its inclusion in the mempools, the reconciliation of the mempools between miners, and the inclusion of the transaction in a candidate block.
We emphasize that the block-building phase, where a miner selects transactions that it includes in a candidate block, is a pre-consensus phase.Indeed, while sometimes block building is described as part of blockchain protocols, it is strictly speaking not a part of the consensus mechanism as blocks can be produced offline, as illustrated by PBS in Ethereum and selfish mining in Bitcoin [14].We further distinguish the base layer from the network layer of blockchain protocols, as the latter is required in all transaction processing phases, including during consensus.
The base layer typically provides much lower guarantees against misbehaving nodes than the consensus layer.Miners only conduct checks on the validity and priority of transactions (which is related to miners fee) and add it to a local pool of unconfirmed transactions referred to as the 'mempool' [34].However, miners are considered to be trusted parties with regard to the selection, withholding, and ordering of transactions [15].Therefore, all phases of the transaction life-cycle that precede consensus allow transaction manipulations.

Transaction Manipulation Primitives
We consider practical attacks that include reordering of transactions by miners.These attacks have been observed in practical settings and described in academic works that relate to MEV [38].In practice, these attacks combine different types of transaction ordering manipulations.A common taxonomy of MEV attacks is application-specific and depends on the source of attack revenue.Well known attack types include sandwich-attacks, front running, back running, which are associated with decentralized exchanges, sniping, which is associated with Non Fungible Token auctions, and liquidations, which are associated with collateralized loan protocols.This taxonomy evolves as new MEV attacks rapidly emerge with new applications.
In this paper we consider a different taxonomy focusing on specific attack primitives on the base layer.These primitives allow a broad range of MEV, either on their own or in Censorship.Censorship is the ability of a miner to delay or ignore new transactions.Censorship can enable different financially motivated MEV attacks, such as sniping, executed alone or in combination with other primitives.For example, when receiving transactions for a bid in Non Fungible Token auctions, a faulty miner can censor competing transactions to become the auction winner.This censorship mechanism can take place either during the mempool inclusion phase, or during the block inclusion phase.
Mempool Censorship.Faulty miners can ignore transactions received from some other nodes, and exclude their valid transactions from their mempool.We assume that a faulty miner either provides a fake transaction reception acknowledgment, or does not acknowledge it at all.This type of attack enables censorship at the level of a mempool [38], and facilitates transaction manipulation based on front-running.
Blockspace censorship.Faulty miners can exclude valid transactions from blocks, even after acknowledging their reception and including it in the mempool.This enables transaction censorship at the level of blockspace.
Injections.We assume that honest miners include transactions received from other nodes in new blocks in a deterministic order.Honest miners can also add their own new transactions, under the assumption that updated mempool commitment is shared with other nodes and acknowledged.Faulty miners inject new transactions in blocks in an arbitrary manner, without prior sharing of the updated mempool and without acknowledgements.This type of attack can result in certain types of transaction manipulations such as front-running, sandwich, back-running [12].
Reordering.Faulty miners can reorder transactions in a mempool and in a block in a way that deviates from a protocol and violates expectations of other nodes.Reordering is different from an injection attack, since a faulty miner does not add new transactions itself, but manipulates the order of transaction received from other nodes.

Transaction Processing Stages
Attacks can happen at different stages of the transaction life-cycle.We model the processing of a transaction in a generic blockchain system in Fig. 1.This processing happens in four stages: (I) initial transaction sharing, (II) mempool reconciliation, (III) block building and (IV) block settlement.In the following we describe each stage, and discuss the corresponding attacks that enable transaction manipulations such as MEV.
Stage I. Initial transaction sharing.A transaction is first created at the client side.The client signs the transaction with its private key.The transaction contains all the required context to be processed by miners, such as signature, UTxO address, execution commands, transaction fee, etc.The client shares the transaction with a subset of peers that it personally knows or whose identity is publicly known (step 1 ).The peers receive the transaction and attempt to prevalidate it (step 2 ).Our system is agnostic in respect to the choice of specific consensus protocol which will define the requirements for transaction prevalidation.For example, successful prevalidation of a transaction may require: valid signature from a client, sufficient amount of in a client account, and inclusion of a sufficient transaction processing fee.
Miners that successfully prevalidate a transaction insert it in their local mempool storage.Optionally, miners might respond to the client with the transaction status, to acknowledge inclusion of a transaction in a mempool (step 3 ).Also optionally, client can query a miner to get an acknowledging of transaction inclusion in a mempool.A malicious peer can censor the transaction at the point of prevalidation, without adding it to the mempool performing Exclusion From Mempool.For example, a peer can exclude a client based on its id, e.g.all transaction originating from a specific address.At the same time, client and peer can collude to include an invalid transaction into a mempool.
Stage II.Mempool reconciliation.At this stage peers share their transaction mempools (step 1 ).Typically, a mempool exchange is implemented to first share the transaction ids, and only later selectively share the transaction content of the corresponding ids.Once a miner receives the transaction content, it prevalidates the transaction (step 2 ), similarly to stage I.In theory, this stage allows miner to converge to the same transaction set for any peer-to-peer network.Unfortunately, in practice, there is no guarantee that miners will converge.Client can be partially or completely excluded from learning particular transactions when communicating with malicious peers.Moreover, miners can inconsistently exchange their mempools.Finally, without a requirement for the mempool reconciliation, malicious miner can exclude or include any transaction without being detected by other miners.Different types of Injection attacks and Exclusion attacks can be performed by faulty miners at that stage.For example, a malicious miner receiving a high-fee transaction can withhold it from sharing with other nodes in order to include it in own block later.
Stage III.Block building.Upon creating a block, a miner populates it based on information stored in its local mempool data (step 1 ).For each block, the miner selects a subset of transactions to fill up the blockspace (step 2 ).The selected transactions are included in the block in a specific order chosen by the miner (step 3 ).A final block contains additional metadata, like signature, nonce, or timestamp (step 4 ).Most of the reported MEV is happening at the stage of block building.Indeed, miners can freely select, exclude, or order transactions to maximize their profit, performing Order manipulation and Blockspace censorship.
Stage IV.Block settlement.LØ is agnostic to the specific consensus process to finalize the blocks.We model miner selection as a random process, where a selected miner build its block and sends it to other miners.The attacks on this stage are extensively discussed in previous works.The most discussed manipulations include block withholding, block reordering and equivocation attacks.We consider the accountability on this stage out of scope.Our solution can be combined with other solutions addressing the manipulations on this stage, such as Polygraph [11].

System Model
This section describes our system model, which is the classical one for blockchain protocols .
The mining nodes (miners) belong in a set Π = { 1 ,  2 , . . .} and communicate with each other by exchanging messages over the network.We assume that each miner is equipped with a cryptographic key pair, and is uniquely identified by its public key.Nodes have access to a cryptographic signature scheme and messages are authenticated.Communication Overlay.Nodes form an undirected communication graph that is not assumed to be fully connected.Nodes are free to unilaterally add or drop local connections.Nodes are able to leave and later rejoin the network.Nodes share messages to their overlay neighbors through their direct connections.We use notation   to refer to the neighbors of a node   , i.e., the nodes that are currently directly connected with it.Bootstrap and Peer Discovery.We assume that nodes that join the system are able to contact bootstrap nodes that facilitate node discovery.When (re)joining the network, each correct node requests a set of known active nodes from the bootstrap nodes.The bootstrap nodes are correct, i.e., they serve all nodes and unbiasedly propose a node from a set of locally known.As a result the nodes operate in one network.Continuous sampling.Correct nodes continuously sample the network through a discovery procedure.LØ is build on top of Byzantine resilient uniform sampling algorithm [7].Malicious nodes can delay the discovery, however, it is guaranteed that correct node will eventually be able to communicate.Types of Nodes.In different consensus protocols nodes participating in block creation can be called validators, proposers, builders, etc.Here we only consider the role of block creator and refer to the nodes that create blocks as miners.For the sake of simplicity we do not consider light clients, which our model can trivially cover without modifications.
Miners can create new transactions, and they can also propose new blocks with ordered transaction to be included in the blockchain.All nodes maintain a list of unconfirmed transactions (mempool) and exchange it with other nodes in the network through messages.

Attacker Model
In our network, each node is either correct or faulty.Correct nodes adhere to the reference protocol without data tampering and generate valid messages.Faulty nodes, on the other hand, can deviate arbitrarily from the reference protocol.
We assume that a faulty miner can execute any of the transaction manipulations we previously described: censoring transactions, injecting new transactions out-of-order, or deviating from the canonical transaction order [43].These attacks can be carried out by a faulty miner in a naive way by sending the same message (e.g., a reordered set of transactions) to all neighboring nodes, or they can attempt to evade detection of manipulations by equivocating, i.e., sending conflicting messages to different nodes.1. Implicit policies in the base layer of typical permissonless blockchain and the new explicit policies we replace them with to detect transaction manipulations.

Accountability
We consider the standard accountability property for distributed systems and protocols [17].We define accountability as the ability to detect transaction manipulations and assign blame at the granularity of a single mining node.
In asynchronous environments, an adversary can try to evade detection as it is challenging to distinguish between a misbehaving node that deliberately ignores requests and a slow node.To circumvent this difficulty, we divide blames into two types: suspicions and exposures.An exposure is a verifiable proof of misbehavior, while a suspicion is a lack of response to a request.
We consider two desirable properties of accountability: Accuracy: (1) Temporal.No correct node is perpetually suspected by a correct node, and (2) No false-positives.No correct node is exposed as misbehaving by other nodes.
Completeness: (1) Suspicion completeness.Every misbehaving node that ignores requests is perpetually suspected by all correct nodes.(2) Exposure completeness.Given an exposure message on node   , every correct node exposes node   as misbehaving.

LØ: Accountable Base Layer
In this section we present LØ which achieves accountability at the base layer.Specifically, LØ is implemented as a modification of mempool reconcilation and block building stages.

New Explicit Policies at the Base Layer
This section introduces LØ, our accountable base layer protocol for permissionless blockchains.LØ improves over the 'vanilla' mempool reconciliation and block building protocols of permissionless blockchains (stages 2 and 3 of Fig. 1).
To enable accountability we require to modify some currently implicit or ill-defined polices at the base layer.Our observation is that current implementations of blockchain systems use implicit policies that significantly complicate the detection of transaction manipulations.First, a transaction censorship is not possible to attribute to a miner given an unreliable transaction relay.Every miner has its own relaying policy, and even perfectly correctly behaving nodes may choose not to relay anything at all.Second, miners can build a block with any transactions from the mempool, or even inject new transactions during the block creation.Third, there is no 'canonical order' inside a block, allowing for any type of reordering.
Instead of these ill-defined policies we propose three alternative explicit policies to enable the detection of any transaction manipulations, as presented in Table 1.In a nutshell, LØ introduces three new explicit policies: Inclusion of All Transactions, Transaction Selection in Received Order, and Verifiable Canonical Order in a Block.Transaction manipulations are detected as violations of our explicit policies during the mempool reconciliation, or when inspecting the content of a block.Inclusion of All Transactions.Each miner includes all valid transactions it encountered during the system run in its locally maintained append-only transactions set.Once two nodes are connected they directly exchange their known transactions.The transaction exchange is implemented as a sequence of set reconcilations.The miners exchange multiple transactions in one transaction bundle.This allows two nodes to efficiently obtain the transactions they are missing and as a result end up with the same transaction sets.
The key ability of LØ is that after a successful round of reconciliation both correct nodes are ensured to have a common set of observed transactions.To ensure that none of the transactions is censored and all processed in the same way miners keep all valid transactions they encounter.Miners commit to be able to reveal all transactions they know about, if necessary.Transaction Selection in Received Order.During the reconciliation process, each miner commits on the order it received a transaction bundle from another miner.To mitigate any out-of-order injections, the miners are required to process the transactions following their insertion order in their mempool.As miners learn and commit on their mempool transactions, the transactions are then naturally ordered according to the order with which they were received.Verifiable Canonical Order in a Block.Transactions that are inserted into a newly created block are selected according to a deterministic process.In more details, committed transaction bundles are first assembled following sequential order.The order inside a bundle is then pseudo-random: transactions are shuffled using a known shuffling algorithm and an order seed value.The order seed value is based on the hash of the last created block.

24:
send  ∈ Δ   to   25: Nodes maintain a mempool of all pending transactions and keep a record of all valid transactions they have ever received.Nodes reconcile their mempools to disseminate transactions throughout the system and generate commitments that are exchanged during mempool reconciliations.These commitments cover not only the transactions in the current mempool, but all valid transactions ever received by a node at the time of reconciliation.
Mempool reconciliation serves two purposes: (1) it allows miners to learn about new transactions from their neighbors; and (2) it ensures that miners commit to a specific transaction partial order during reconciliation.This partial order must be maintained during block creation.Miners mutually commit to the order by first exchanging a commitment.Miners are inherently motivated to receive transactions from other miners.However, they only disclose the transactions after their counterpart has committed to a specific order of transactions.
Reconciliation Algorithm.In Algorithm 1 we provide LØ's pseudocode for a miner   ∈ Π.
Periodically, miners require their neighbours to commit for new transactions by sending them a request for a new commitment (line 4-10).While the request is pending, the node is suspected.We refer to   as a commitment for the set of transactions included by miner   .At the same time, the commitment serves as a cryptographic checksum of included mempool transactions.
During the reconciliation process, nodes first exchange a signed commitment .After receiving the commitments of their neighbours, nodes calculate their transaction set differences with them (line 14).Since the commitment is signed, it can later be used as a proof of inclusion of transactions-any receiver can use the commitment   as verifiable evidence that node   should have included transactions in its mempool.
Our mempool reconciliation between a miner   and miner   works in two phases.In the first phase, miner   sends to miner   a request to commit to new set of transactions (line 8).A peer   receives the request and responds either with its new   that already includes all transactions (line 18), or with a new commitment fixing locally the order of transactions Δ   , i.e., a promise to apply them immediately after all known local transactions   (line 16).In the second phase, miner   sends all the transactions corresponding to the Δ   to peer   (lines [23][24][25]. All miners store at least the last received commitments from their overlay neighbors (line 13).On receiving a checksum  it is first validated against previously received set  (line [19][20][21].The set  is grow-only and keeps all the transactions committed by the node.If  is inconsistent against the previously reported messages , the evidence of the faulty behavior is shared with other nodes (line 21).This inconsistency could happen for example when a faulty node is trying to hide a previously reported message or does not report a message received from other nodes.
Example.Fig. 2 illustrates a possible mempool reconciliation.Nodes , , and  first exchange transaction commitments.Note that commitments can also be received indirectly, but this scenario is not included in Fig. 2 for simplicity.Node  sends a request, along with the mempool commitment   , to node .Node  reconciles commitment   with its own   and promises to include node 's missing transactions immediately after all transactions   .Node  promptly sends the missing transaction 2 to node .Shortly afterward, node  reconciles with node  in a similar manner.However, this time, node  promises to include transactions of node  only after the transactions 1,3,4,2.Let's assume that later, node  creates a new block, possibly because it is elected as a consensus leader.Node  must then select all transactions in the order of the commitment it made, which is 1,3,4,2,5,6.
Implementation Details.LØ employs Minisketch and Bloom Clocks to implement the mempool reconciliation protocol efficiently.A commitment in this context includes both the miner's Bloom Clock and Minisketch.These data structures serve two primary purposes: (1) they identify inconsistencies with the digests shared in previous rounds, and (2) they facilitate set reconciliation to identify a miner's unknown transactions.
A Minisketch is a data structure proposed for the bandwidthoptimized exchange of transaction sets between nodes in the Bitcoin network [25].Initially proposed for the reconciliation of mempool data, it can also be used to optimize block propagation.In this protocol, a sketch serves as a "set checksum".The primary advantage of Minisketch is its ability to reconcile quickly and accurately.However, it has a downside: the requirement to decode the reconciled Minisketch, which can fail.In such cases, we repeat the process by dividing the set in half and sending two sketches.A Bloom Clock is a space-efficient, probabilistic data structure used for the partial ordering of events in distributed systems [30].LØ uses Bloom Clocks to swiftly detect inconsistencies between two sets.In rare cases, when a Bloom Clock fails to detect an inconsistency due to collisions, we resort to a hash checksum.We employ Bloom Clocks to speed up the verification of inconsistencies between two sets.
Summary.The pairwise commitment scheme ensures that miners are committed to all transactions they discover according to the order with which they are received.

Block Building
To avoid manipulations during the block building stage, we slightly modify the 'vanilla' block building process with our new policies.The modified block-building process is shown in Fig. 3.
Transaction Selection.Peers select all transactions they encounter during the mempool reconcilation phase and that are included in the mempool (step 1).Miners must verify these transactions.The transactions that are not valid are not included in the block.The transactions that have fees lower than some threshold are not included in the block, and are rejected (step 2).
Transaction Ordering.The selected transactions are ordered in a verifiable canonical way (step 3).Recall from the mempool reconciliation process that transactions are partially ordered with the commitments order as the commitments define the order between transaction bundles.We also define a deterministic pseudo-random order function inside each of the bundle.We use a hash of previous block as a seed for the intra-bundle order function.
Block Inspection.Next, a block is created (step 4) and shared with the network.Given the mempool commitments, any node can verify the produced block by inspecting its content with respect to the LØ reference protocol (step 5).Note that block inspection is a separate process than block validation, and does not affect the block inclusion into the chain.Any violation exposes the block creator (step 6), by comparing the block content with the known commitments.
Our protocol is agnostic to the specific punishment mechanisms, but we discuss some options in Section 5.3.

Summary.
During the block building process, miners select and order transactions deterministically.

Dealing with Attacks
This section presents an analysis of various attacks and discusses how the integration of detection mechanisms and a broad spectrum of enforcement tools can counter them.

Detection of Transaction Manipulations
Every node utilizes a block inspection module to detect violations.Nodes are required to disclose all their known transactions and they must consistently disclose each commitment or they run the risk of being identified as faulty.An inconsistency is detected when comparing two commitments, provided both sets contain at least one transaction.
Nodes are obligated to respond to commitment requests.Failure to do so results in an eventual fault suspicion by every correct miner in the network.Reconciliation messages and proposed blocks are validated against the protocol rules.Violations, such as censorship of particular transactions, commitment inconsistencies, or message tampering, can then be identified.Evidence of faulty behavior is disseminated across the network by correct miners.
Countering Attacks during Mempool Reconciliation.Every node involved in a mempool reconciliation retains a signed commitment acquired from other nodes, which can be used to identify faulty nodes.Sufficient interaction with correct nodes in the network makes it virtually impossible for a node to manipulate its mempool and not be detected.The mempool reconciliation process thus ensures reliable detection of injection and mempool censorship attacks.A misbehaving miner attempting a front-running attack, for example, may inject a new transaction out-of-order.However, this attack is swiftly detected as the injected transaction would be inconsistent with previous commitments.
Enhancing Detection Resilience.After a mempool reconciliation between two miners, they can mutually detect each other's violations.Throughout the operation of the system, miners collect commitments from all their overlay neighbors.Consequently, an overlay neighbor can detect a violation.However, if an overlay neighbor is offline, it cannot broadcast the exposure message to other miners.To enhance resilience, miners share between each other a sample of the last commitments they received.This allows other non-neighbouring miners to also detect violations.
Countering Attacks during Block Building.The order function ensures that order manipulation attacks can be detected, as any block where the transaction order deviates from the canonical one will be detected.Similarly, a blockspace censorship attack is detected as a deviation from the selection function rules.

Suspicion and Misbehavior Sharing
LØ provides guarantees that violation of block production rules can be reliably detected by other nodes in the block inspection process and that misbehaving node will be exposed.Our accountability mechanism provided in LØ that consists of suspicions, equivocation detection, and exposure.
Suspicions.The Accountability Mechanism incorporates liveness checks and propagates transaction commitments between nodes through indirect paths.If a node does not respond to transaction requests before a timeout, it is suspected by the requester.The requester may resend the request multiple times before suspecting the node.Correct nodes retain all pending requests.If a node is suspected, the requester broadcasts the suspected requestee's identity to other nodes, along with information on pending requests and the requestee's last known commitments.A node may retrieve pending requests after a partition or a crash.Once it publicly responds to all pending requests, no correct node will suspect it.
In Fig. 4, node  has an earlier commitment ( , ) from node .Node  has the latest commitment ( ,+1 ) from node .Node  sends a request for a commitment on a particular transaction  from node , but does not receive a response.After a timeout, node  suspects node  and broadcasts a suspect status along with the latest commitment ( , ) from  that is available to  to its neighbors, in this case, to node .
Equivocation Detection.A consistency check occurs when a node is suspected.Commitments are append-only sets and thus follow chronological order.When a node has two commitments from a neighbor, it can easily detect any inconsistency between the previous commitment  and the latest commitment  + 1 using its bloom clock.Nodes can receive commitments from other nodes both directly and indirectly.Consider an example of suspicion and consistency check in Fig. 4. Node  receives two commitments originating from node , i.e., commitment (  ,  + 1) from node , and (  ,  + 1) from node .Node  has tried to get a commitment on transaction  from A and suspects A because of the high response delay.Node  will check whether (  , ) and (  ,  + 1) are consistent with each other.
• If these commitments are inconsistent, node  exposes  as a misbehaving node.• If (  , ) and (  ,  + 1) are consistent and (  ,  + 1) already includes a commitment on a transaction , then node  will share the latest commitment (  ,  + 1) with .• If (  , ) and (  ,  + 1) are consistent but (  ,  + 1) does not include a commitment on , then  will send a request for commitment on  to  and suspect .
Summary.Any mempool counterpart can submit a proof of misbehavior showing inconsistency between a mempool commitment and a produced block.

Possible MEV Prevention Mechanisms
Reliable detection and blame assignment allow for MEV mitigation through the enforcement of policies.The choice of specific enforcement mechanisms depends on the consensus protocol.Given that LØ is agnostic to the particular consensus algorithm used, a detailed analysis of specific enforcement mechanisms is beyond the scope of this paper.For instance, in Proof-of-Stake (PoS) consensus algorithms, various slashing strategies can be applied to misbehaving nodes [9].Since validating nodes in PoS must invest a certain amount of funds to become validators, slashing of stake incurs a financial loss.For consensus algorithms based on the reputation of validating nodes, slashing of reputation can equivalently serve as a penalization mechanism [39].Misbehaving nodes can also be penalized at the network layer level, such as temporary disconnection from the network [15].In addition to penalizing misbehaving miners, detection allows the implementation of mechanisms for the rejection of blocks that deviate from the canonical transaction order [31].However, this latter approach imposes significant trade-offs on the modification of the consensus protocol.

Addressing Accountability Attacks
In our model, we assume that miners are incentivized to learn about more transactions.This assumption aligns with empirical observations, as miner profitability correlates with their ability to discover new transactions [27].
In our system, miners only discover transaction content after exchanging commitments.Hence, by learning about new transactions, miners commit themselves to mempool commitments.However, a potential loophole exists for malicious miners.A miner could conspire with an accomplice who does not interact with correct nodes to create a block for them using a manipulated transaction order.This attack is depicted in Fig. 5.A malicious miner can transfer a transaction, denoted as Tx, to another colluding miner or to a Sybil miner under their control.Since a colluding miner has not exchanged commitments with the originator of Tx, it can attempt to reorder or inject transactions, and propose an alternative block.However, this type of attack is impractical due to several reasons: • Colluding miners can only front-run or back-run an entire original transaction bundle.Any attempt to inject, censor, or reorder transactions within a transaction bundle is eventually detectable by correct miners.This significantly restricts the attack granularity, a crucial factor for MEV profitability.• Colluding miners or Sybils cannot respond to queries from honest miners to evade commitments.They can only learn about new transactions via malicious nodes acting as a bridge.However, such a non-responding set of colluding miners is eventually detected and suspected.• Colluding miners or Sybil miners must have a high probability of becoming the consensus leader to include a specific transaction.To increase this success rate, a substantial set of colluding miners or Sybils is required, which is costly considering the initial investment and the absence of profits from honest protocol participation.
Finally, to further mitigate the attack, one option is to require sufficient Proof-of-Interaction during block creation.Specifically, the block creator must also include signatures from a sufficient number of miners (based on mining power or stake), thereby proving recent interaction with them.

Evaluation
This section presents our evaluation of LØ focusing on its resilience against malicious nodes and the impact of such nodes on detection.We also discuss the overhead associated with LØ.
6.1 Experimental setup LØ was evaluated experimentally on a national research cluster [5].Each server in the cluster is equipped with an Intel Xeon E5-2630 CPU with 24 physical cores operating at 2.4 GHz, hyper-threading enabled, and 128 GiB of main memory.The servers are interconnected via a Gigabit Ethernet network.LØ was implemented in Python.We emulated realistic network latencies using netem 2 and incorporated ping statistics from 32 cities worldwide from the Wonder-Network dataset [35].Each miner was assigned to a city in a round-robin manner.
Unless otherwise stated, the parameters for the reported experiment were set as follows: The experiment was conducted with 10, 000 nodes, generating a workload of 20 transactions per second, with each transaction being 250 bytes in size.The transactions were injected into our system based on a realistic dataset of Ethereum transactions [26].Each experiment was repeated 10 times, and the average result of these runs is reported.
We constructed a connected topology where each node had eight outgoing connections and up to 125 incoming connections, in line with the default Bitcoin parameters.Every node attempted to reconcile with three random neighbors every second.The request timeout was set to 1 second.If a request was not fulfilled within this time, it was resent three times, after which the node was suspected of being faulty.The Minisketch size was set to 1,000 bytes, sufficient to reconcile a set difference of up to 100 transactions, allowing the Minisketch to fit into a single UDP packet.If reconciliation failed, all transactions were divided into two subsets, and the process was repeated with two sketches.The size of Bloom-Clocks was fixed at 32 cells (i.e., 68 bytes in total).

Resilience
We assess the impact of colluding censoring miners on the network, specifically focusing on their effect on the convergence of correct nodes.In this scenario, malicious miners attempt to prevent correct nodes from learning about transactions, commitments, exposure, and suspicion messages.All malicious miners are assumed to be interconnected.For these experiments, we ensure that the correct nodes remain connected via some path in the network by initially running an unbiased sampling algorithm [4,7].Fig. 6 illustrates the time required for all correct nodes to converge, depending on the number of faulty nodes in the network.The presence of faulty nodes marginally increases the time needed for all correct nodes to learn about the exposure message, extending it to 6-7 seconds after the first miner detects and creates the message.
We also demonstrate how our system can detect faulty nodes that ignore requests.We report the time until every correct node suspects all faulty nodes (Fig. 6, 'Suspicion').As expected, the time until all faulty nodes are suspected is longer than the time required for nodes to discover an exposure message, as the nodes need to submit a request and wait for it to timeout.

Transaction Latency
We report the time necessary for miners to discover a transaction and include it in their mempool.The latency distribution is reported in Fig. 7.It appears that all nodes learn about the transaction after contacting 5 to 6 nodes.On average, a transaction is discovered by a node in 1.14 s.
To demonstrate the effects of our new policies on block building, i.e., selecting transactions in order, we simulate a block creation process at randomly selected miners with an average block time of 12 s, which is the block time in Ethereum.We report the average time it takes for a transaction to be included in a block in Fig. 8.We compare the policy for block creation described in Section 4.3 ('Natural' ordering) with the policy that is currently widely used in public blockchains, i.e., creating a block with the highest-fee transactions of the mempool (referred to as Highest Fee').
The average transaction latency for the 'Natural' ordering is 3 seconds, while it is around 7-8 seconds for the 'Highest Fee' strategy.Furthermore, we observe that the 'Highest Fee' strategy exhibits a wide spread along the axes, with many low-fee transactions experiencing very high latency.LØ's orders transactions according to the order with which they have been received by miners, which leads to transactions being processed sequentially and increases fairness.

Protocol Overhead
Bandwidth.We benchmark our protocol against two baseline protocols: 'Flood' and 'PeerReview'.'Flood' is a traditional mempool exchange protocol where miners initially send a 'Mempool' message containing a list of hashes of the transactions currently in their mempool.The receiving miner compares these hashes against its known transaction IDs and requests any missing transactions.We also compare LØ to 'PeerReview', a generic accountability protocol that could be used to monitor censorship attempts by miners [17].Every miner maintains an additional log for each received message.For each miner, we assign 8 witnesses.Periodically, each miner fetches the log from the miners and checks for any injection (commission) or censorship (omission).
The comparison is reported in Fig. 9.Note that we omit the bandwidth overhead for sharing transactions, as it is the same for all three protocols.Our protocol is the most bandwidth-efficient compared to the other two protocols, incurring 20 times less bandwidth overhead than PeerReview.
Memory and CPU Overhead.The overhead for encoding and decoding Minisketch scales linearly with the size of the set difference [16].Minisketch computes a set difference with 1, 000 items in 10 seconds.To optimize the usage of the sketch, we hash-partition the mempool space into subsets, as described in [16].Each time reconciliation fails, the node divides the mempool in half and sends an additional Minisketch for each partition.As a result of this optimization, we encode and decode all sketches required for a set difference of 1, 000 items in less than 100 ms.We report the average number of sketch reconciliations per minute per node depending on the workload in Fig. 10.
LØ only requires a small additional memory overhead to store the commitments of all its neighbors.The size of the commitment depends on the workload.For example, for a workload of 120 transactions per minute, the commitment size is 1.17 KB, while for a workload of 24,000 transactions per minute, the total size of commitments can reach up to 9.36 KB.Even if the miner stores the commitments of all 10,000 nodes, it would only require 87 MB.

Related Work
The problem of MEV has attracted a considerable amount of research [29,38,43].Different MEV mitigation mechanisms can be categorized according to implementation at different layers: application, consensus, base.

MEV Mitigation at the Application Layer
Decentralized Exchanges aggregators such as Cowswap implement Batch Auctions where orders are placed off-chain and not immediately executed, but rather, collected and aggregated to be settled in batches [1].The applications of this approach is tied to a specific application, and thus limited to specific types of MEV attacks (front running and sandwich).
A2MM is a DEX design that atomically performs optimal routing and arbitrage among the considered AMM, minimizing subsequent arbitrage transactions [44].

MEV Mitigation at the Consensus Layer
Proposer-builder separation (PBS) is a proposal aiming at MEV minimization [8].The latest iteration of this mechanism, MEV-Boost, is implemented as a middleware.It enables private communication channels between clients creating new transactions and validating nodes.However, this approach has significant trust assumptions, such as relays not reordering or censoring transactions, which empirically do not hold [38].
Pre-ordering solutions aim to separate transaction ordering from execution to ensure 'fair' ordering.The Helix consensus protocol [37] guarantees random selection and ordering of transactions in blocks, relying on a randomness beacon within the consensus protocol.Aequitas [20] provides guarantees on transaction ordering within a block, but assumes a permissioned environment and introduces significant communication overhead.Pompe [42] is a Byzantine ordered consensus (BOC) protocol that outputs a transaction  and a sequence number  for ordering .Wendy [21,22] describes ordering protocols for permissioned systems.Enforcing relative order requires building a dependency graph to prevent transactions from being included in a block before their dependencies [10,19,20].Enforcing fair-ordering is  more resource-intensive than enforcing our accountability properties and not practical in a permissionless setting.Heimbach and Wattenhoffer propose encrypting transaction content, ordering it, and revealing its content only after it has been ordered [18].This approach is implemented by Fino, which integrates MEV protection into a BFT protocol in the partial synchrony model with a DAG transport protocol [23].Lyra [40], a Byzantine ordered consensus protocol, also uses a commit-reveal scheme and relies on Verifiable Secret Sharing (VSS).The encrypt-commit-reveal scheme is more resource-intensive than our accountable approach and requires additional trust assumptions to ensure that encrypted transactions are always revealed.

MEV Mitigation at the Base Layer
Secret Mempools hide the content of a transaction so that it cannot be censored, reordered, etc. F3B is a generic approach for online transaction encryption based on a commit-andreveal architecture [41].Ferveo is a protocol for Mempool Privacy on BFT consensus blockchains [6].Both of these solutions assume permissioned settings.
ZeroMEV is an existing MEV mitigation solution implemented on the base layer [28].This solution is Ethereumspecific and implemented on the basis of Geth software fork as a validator execution client.It orders transactions based on timestamps with local FIFO order.However, this solution does not provide any accountability and requires strong trust assumption as it relies on the altruism of a validator.

Conclusion
We introduced LØ, an accountable base layer for permissionless blockchains.It is consensus-protocol agnostic and provides detection guarantees for various MEV attacks.LØ mandates that both correct and faulty miners log all received transactions into a secure mempool data structure and exchange and record commitments on their mempool content.Any inconsistency, such as transaction withholding or equivocation, is exposed during a mempool reconciliation process with a correct miner.To ensure the exposure of faulty miners, LØ simply requires correct miners to be interconnected through a network path.
We outlined the transaction manipulation attacks associated with MEV that miners might execute and mapped different attack types to the relevant stages of a transaction's lifecycle within the protocol.Our performance evaluation demonstrates the practicality of LØ.It is bandwidth and memory efficient, using only 10 MB with 10,000 miners and a workload of 20 transactions per second.Moreover, it is at least four times more bandwidth efficient than classical flooding-based mempool exchanges and processes transactions with higher fairness.

Figure 1 .
Figure 1.Functional modules of a permissionless Blockchain divided into two layers (base and consensus) and four stages.

Figure 2 .
Figure 2. Example of a mempool reconciliation in LØ between node  and nodes , .Node  preserves the transaction order for the block it eventually creates.

Figure 3 .
Figure 3. Block building and inspection in LØ.

Figure 5 .
Figure 5. Illustration of colluding malicious miners communicating off-channel to evade detection.

2Figure 6 .
Figure 6.Time necessary to suspect or expose a faulty miner depending on the proportion of colluding censoring miners in the system.

Figure 7 .
Figure 7. Distribution of the time (s) required for a miner to insert a transaction into its mempool.

Figure 8 .Figure 9 .
Figure 8. (Left) Average time for a transaction to be included in a block for the vanilla algorithm used in Ethereum and for LØ (i.e., 'Natural' ordering), and (Right) time for a transaction to be included in a block with LØ depending on the system's size.

Figure 10 .
Figure 10.Average number of reconciliations per minute depending on the workload (new transactions per minute).